OKM 2.4 Security Guide
Contents
1. X4170 M2 server Accessing the BIOS Setup Utility via the Embedded Lights Out Manager ELOM of a KMA that is a Sun Fire X2100 or X2200 M2 server The BIOS settings of interest in this procedure are the same on all three server types 1 Bring up a web browser Log into the ILOM using its web based interface Refer to the Oracle Integrated Lights Out Manager ILOM 3 0 Web Interface Procedure Guide for more information about using the ILOM web interface Oracle Key Manager Security Guide Page 10 2 Newly manufactured KMAs have a default password for the root user This password should be changed and retained 3 To access the BIOS Setup Utility follow Remote Control gt Redirection and click Launch Redirection to launch the Remote Console Click through the dialogs that appear under the Remote Console appears Then following Remote Control gt Remote Power Control select Power Up and click SAVE Watch bootup messages in the Remote Console Press the F2 key when the American Megatrends screen appears near the beginning of the reboot In the BIOS Setup Utility do the following steps 1 Go to the Security tab navigate to the Change Supervisor Password field press the Enter Key and specify a password Retain this password 2 After specifying the supervisor password the User Access Level field should appear Navigate to the User Access Level field and change the setting from Full Access to Limited2. Lights Out Manager ILOM 3 0 Web Interface Procedure Guide for more information about using the ILOM web interface Newly manufactured KMAs have a default password for the root user This password should be changed and retained Navigate to Configuration gt System Management Access gt SNMP Management For Settings the use of SNMPv3 is recommended v1 and v2c can be disabled Disable Set Requests in order to prevent configuration changes from being made via SNMP Navigate to Configuration gt System Management Access gt IPMI If the Auto Service Request ASR feature introduced in OKM 2 4 then enable IPMI Otherwise disable IPMI if there are no plans to use it Leaving this interface open exposes this KMA to reboot Navigate to Configuration gt System Management Access gt CLI Configure the session timeout as the default setting allows CLI sessions to remain open indefinitely Navigate to Configuration gt System Management Access gt WS Man Disable this service if there are no plans to use WS Management and CIM Leaving this interface open exposes the KMA to attackers knowledgeable of the WS Management protocol Navigate to Configuration gt Clock The ILOM clock is not synchronized with the host clock on a Sun Fire X4170 M2 server So that ILOM event can be correlated with server events the ILOM date and time should be set manually to UTC GMT time or configured to synchronize with an external
3. NTP server preferably the same NTP server that is used by the KMAs in this OKM Cluster See the Oracle Key Manager Administration Guide Navigate to Configuration gt Timezone The ILOM timezone should be set to GMT Navigate to User Management gt User Accounts Use of user accounts and roles is recommended over using just the default root account See the User Account Oracle Key Manager Security Guide Page 12 Management section of the Oracle Integrated Lights Out Manager ILOM 3 0 Concepts Guide 10 Navigate to Remote Control gt Host Control The Next Boot Device value should be set to Default User BIOS Settings 11 Navigate to Maintenance gt Firmware Upgrade The ILOM firmware should be kept up to date and updated as described in the Oracle Integrated Lights Out Manager ILOM 3 0 Web Interface Procedure Guide As a precaution the KMA should be shut down from the OKM Console prior to upgrading ILOM firmware If you suspect that ILOM configuration changes are causing problems then you can restore ILOM settings to default values by following the instructions in the Troubleshooting The Server and Restoring ILOM Defaults section of the Sun Fire X4170 X4270 and X4275 Servers Service Manual Configuring the First KMA in an OKM Cluster Before configuring the first KMA first identify key split credentials and user IDs and passphrases to be defined in this OKM Cluster Useful workshee
4. executed on a workstation and communicates with the KMA over an IP network to configure and manage the OKM The Oracle Key Manager GUI must be installed on a customer provided workstation Oracle Key Manager CLIs Two Command Line Interfaces that are executed on a workstation and communicate with the KMA over an IP network to automate commonly issued administrative operations The Oracle Key Manager CLIs must be installed on a customer provided workstation OKM Cluster The full set of KMAs in the system All of these KMA are aware of each other and replicate information to each other Agent A device or software that performs encryption using keys managed by the OKM Cluster A StorageTek encrypting tape drive is an example of an agent Agents communicate with KMAs via the Agent API The Agent API is a set of software interfaces that are incorporated into the agent hardware or software The OKM uses TCP IP networking for the connections between KMAs Agents and workstations where the Oracle Key Manager GUI and CLIs are running In order to provide flexible network connections three interfaces are provided for network connections on each KMA The management connection Intended for connection to the customer network The service connection Intended for connection to the agents The ILOM ELOM connection Intended for connection to the ILOM or ELOM on the KMA See the example in the following image Oracle Key Mana
5. not produce core files e The standard Solaris login 1 utility has been replaced with the OKM Console Thus users cannot log into the Solaris console e The ssh service is disabled by default For customer support purposes the Security Officer can enable the ssh service and define a support account for a limited amount of time This support account is the only available account and has limited access and permissions Solaris auditing tracks commands that the support account invokes e The root account is disabled e Solaris single user mode is disabled e KMAs are not equipped with a DVD drive Oracle Key Manager Security Guide Page 14 Part 3 Security Features In this section outline the specific security mechanisms offered by the product Potential Threats Customers having encryption enabled agents are primarily concerned with e Disclosure of information in violation of policy e Loss or destruction of data e Unacceptable delay in restoring data in case of catastrophic failure for example in a business continuity site e Undetected modification of data Objectives of the Security Features The objective of the security features of Oracle Key Manager are to e Protect encrypted data from disclosure e Minimize exposure to attacks e Provide sufficiently high reliability and availability The Security Model This section of the security guide should give a high level overview of the threats that the system is designed
6. they are created stored on the KMA transmitted to agents or within key transfer files Key Replication When the first KMA of an OKM Cluster is initialized the KMA generates a large pool of keys When additional KMAs are added to the Cluster the keys are replicated to the new KMAs and are then ready to be used to encrypt data Each KMA that is added to the Cluster Oracle Key Manager Security Guide Page 20 generates a pool of keys and replicates them to peer KMAs in the Cluster All KMAs will generate new keys as needed to maintain the key pool size so that ready keys are always available for agents When an agent accesses a new data unit that is one that does not yet have a protect and process key associated with it the agent contacts a KMA in the Cluster and requests a new key The KMA draws a ready key from its key pool and assigns this key to the agent s default key group and to the data unit The KMA then replicates these database updates across the network to the other KMAs in the Cluster Later the agent can contact another KMA in the Cluster in order to retrieve the key At no time is any clear text key material transmitted across the network Oracle Key Manager Security Guide Part 4 Security Considerations for Developers Since KMAs are hardened appliances dedicated to key management developers cannot use them to produce applications using the product as a platform Oracle Key Manager Security Guide Page 22 Part 5 Ap
7. to counter and how the individual security features combine to prevent the attacks The critical security features that provide these protections are e Authentication Ensuring that only authorized individuals get access to the system and data e Authorization Access control to system privileges and data this access control builds on authentication to ensure that individuals only get appropriate access e Audit Allows administrators to detect attempted breaches of the authentication mechanism and attempted or successful breaches of access control Oracle Key Manager Security Guide Refer to the Oracle Key Manager Version 2 X Security and Authentication White Paper for more information about the security and authentication aspect of the Oracle Key Manager Authentication The Oracle Key Manager architecture provides for mutual authentication between all element of the system KMA to KMA agent to KMA and the Oracle Key Manager GUI or CLI to KMA for user operations Each element of the system for example a new encryption agent is enrolled in the system by creating an ID and a passphrase in the OKM that is then entered into the element to be added For example when a tape drive is added to the system the agent and KMA automatically run a challenge response protocol based on the shared passphrase that results in the agent obtaining the Root Certificate Authority CA certificate and a new key pair and signed certificate fo
8. 0000 Tape Drive Figure 1 2 Typical Deployment of OKM Solution Oracle Key Manager Security Guide Installing a Key Management Appliance This section describes how to install and configure an OKM Key Management Appliance securely KMAs are manufactured as hardened appliances with Oracle Key Manager functionality already available on them Installing and configuring KMAs in an OKM Cluster include the following steps 1 For each KMA install it in a rack 2 For each KMA secure its BIOS and its ILOM 3 Configure the first KMA in the OKM Cluster 4 Add additional KMAs to the OKM Cluster More information about planning the deployment of an OKM Cluster appears in the Oracle Key Manager Systems Assurance Guide Installing a KMA in a Rack An Oracle Customer Service Engineer installs a KMA in a rack according to procedures outlined in the Oracle Key Manager Installation and Service Manual Securing the BIOS of a KMA Oracle Key Manager KMAs are manufactured with recent ILOM and BIOS firmware The BIOS of a KMA should be secured by either an Oracle Customer Service Engineer or by the customer The BIOS should also be secured after the ILOM or ELOM firmware is upgraded Securing the BIOS consists of setting particular BIOS settings in order to prevent changes to the BIOS that may compromise security The following procedure includes accessing the BIOS Setup Utility via the Integrated Lights Out Manager ILOM of a KMA that is a Sun Fire
9. 3 Go to the Boot tab Navigate to Boot Device Priority and make the following changes Tab Field Name Value Boot 1 Boot Device HDD P0 SEAGATE under Boot Device Priority ST95000NSSUN500G 101 Boot 2 Boot Device Disabled under Boot Device Priority Boot 3rd Boot Device Disabled under Boot Device Priority 4 Press the F10 key to save these changes and select Ok to confirm Let the system boot up Now that you have defined a supervisor password in the BIOS the system will prompt for this password when someone accesses the BIOS Setup Utility For more information about navigating around the BIOS Setup Utility refer to the Configuring BIOS Settings section of the Sun Fire X4170 X4270 and X4275 Servers Service Manual Oracle Key Manager Security Guide Securing the ILOM of a KMA Oracle Key Manager KMAs are manufactured with recent ILOM and BIOS firmware The ILOM of a KMA should be secured by either an Oracle Customer Service Engineer or by the customer The ILOM should also be secured after the ILOM firmware is upgraded Securing the ILOM consists of setting particular ILOM settings in order to prevent changes to the ILOM that may compromise security The following procedure includes accessing the Integrated Lights Out Manager ILOM of a KMA that is a Sun Fire X4170 M2 server 1 Bring up a web browser Log into the ILOM using its web based interface Refer to the Oracle Integrated
10. Oracle Key Manager Security Guide Version 2 4 E23812 01 July 2011 Oracle Key Manager Security Guide Version 2 4 E23812 01 Copyright 2011 Oracle and or its affiliates All rights reserved Primary Author OKM Development Team Contributors Contributors This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws Except as expressly permitted in your license agreement or allowed by law you may not use copy reproduce translate broadcast modify license transmit distribute exhibit perform publish or display any part in any form or by any means Reverse engineering disassembly or decompilation of this software unless required by law for interoperability is prohibited The information contained herein is subject to change without notice and is not warranted to be error free If you find any errors please report them to us in writing If this software or related documentation is delivered to the U S Government or anyone licensing it on behalf of the U S Government the following notice is applicable U S GOVERNMENT RIGHTS Programs software databases and related documentation and technical data delivered to U S Government customers are commercial computer software or commercial technical data pursuant to the applicable Federal Acquisition Regulation and agency specific supplemental regulations A
11. Product Notes Sun Fire X4170 X4270 and X4275 Servers Service Manual Oracle Key Manager Overview Oracle Key Manager Version 2 X Security and Authentication White Paper National Institute of Standards and Technology Special Publication 800 60 Volume I Revision 1 Sun Cryptographic Accelerator 6000 FIPS 140 2 Security Policy Oracle Key Manager Security Guide Page 24
12. any loss costs or damages incurred due to your access to or use of third party content products or services Oracle Key Manager Security Guide Page 2 Contents CONES enn cr bees cece cna stoic newton acenes daan tid lah endaceetu ected luaun sui dtela ta lartu dasa weeks 3 Part 2 Secure Installation and Sara ass caia seceded coanetactccnstesdaetaeacrlnetcneniblawalleaasands 8 Installation Overvie W ccruinne aaia EEEO ATETEA 8 Configuring the First KMA in an OKM CMG ata cascada cidaalceiotarignecanesepealidndeaiiay 13 Adding Additional KMAs to the OKM Cluster ccccccccccccccccccsccescssecssssssssesnnessssssssenas 14 Oracle Key Manager Security Guide Oracle Key Manager Security Guide Page 4 Part 1 Overview This section gives an overview of the product and explains the general principles of application security Product Overview The Oracle Key Manager OKM creates stores and manages encryption keys It consists of the following components Key Management Appliance KMA A security hardened box that delivers policy based Lifecycle Key Management authentication access control and key provisioning services As a trusted authority for storage networks the KMA ensures that all storage devices are registered and authenticated and that all encryption key creation provisioning and deletion is in accordance with prescribed policies Oracle Key Manager GUI A Graphical User Interface that is
13. empts an operation that requires quorum approval the defined threshold of key split users and passphrases must approve this operation before the system performs this operation Oracle Key Manager Security Guide Page 18 Audits Each KMA logs audit events for operations that it performs including those issued by agents users and peer KMAs in the OKM Cluster KMAs also log audit events whenever an agent user or peer KMA fails to authenticate itself Audit events that indicate a security violation are noted as such A failure to authenticate is an example of an audit event that indicates a security violation If SNMP Agents are identified in the OKM Cluster then KMAs also send SNMP Informs to these SNMP Agents should they encounter a security violation A user must properly log into the OKM Cluster and must have a role assigned to it before it is allowed to view audit events KMAs manage their audit events KMAs remove older audit events based on retention terms and limits counts The Security Officer can modify these retention terms and limits as needed Oracle Key Manager Security Guide Other Security Features Oracle Key Manager provides other security features Refer to the Oracle Key Manager Overview for more information about these and other OKM features Secure Communication The communication protocol between an agent and a KMA a user and a KMA and a KMA and a peer KMA is the same In each case the system uses the passph
14. ger Security Guide OKM Manager o Admin Workstation Administration C Customer Network 0 Key Exchange T10000 me Client Drive Encrypted Quickstart And Console Remote Console 2 C ELU MICOM Network I Figure 1 1 Connections to the KMA Oracle Key Manager Security Guide Page 6 General Security Principles The following principles are fundamental to using any application securely Keep Software Up To Date One of the principles of good security practice is to keep all software versions and patches up to date The latest Oracle Key Manager upgrade packages and installers are available on the My Oracle Support web site http support oracle com Restrict Network Access to Critical Services Keep your business applications behind a firewall The firewall provides assurance that access to these systems is restricted to a known network route which can be monitored and restricted if necessary As an alternative a firewall router substitutes for multiple independent firewalls Follow the Principle of Least Privilege The principle of least privilege states that users should be given the least amount of privilege to perform their jobs Over ambitious granting of responsibilities roles grants etc especially early on in an organization s life cycle when people are few and work needs to be done quickly often leaves a system wide open for abuse User privileges should be re
15. ity Guide Adding Additional KMAs to the OKM Cluster Bring up a web browser launch the Remote Console and launch the OKM QuickStart utility within the Remote Console Follow the Join Cluster procedure described in the Oracle Key Manager Administration Guide to add this KMA to the OKM Cluster Considerations When Adding Additional KMAs Oracle Key Manager offers the convenience option of Autonomous Unlock for each KMA This option is defined during the QuickStart procedure for the first and additional KMAs in a Cluster and can be modified by the Security Officer later If Autonomous Unlock is enabled then the KMA will automatically unlock itself at startup and will be ready to provide keys without requiring quorum approval If Autonomous Unlock is disabled then the KMA will remain locked at startup and will not provide keys until the Security Officer issues a request to unlock it and a quorum approves this request Refer to the Oracle Key Manager Version 2 X Security and Authentication White Paper for more information about the Autonomous Unlock option Characteristics of Hardened KMAs As stated above KMAs are manufactured as hardened appliances with Oracle Key Manager functionality already available on them As hardened appliances they have the following characteristics e Unneeded Solaris packages are not included in the Solaris image For example ftp and telnet services and utilities do not appear in the Solaris image e KMAs do
16. ompromised or disclosed to unauthorized parties Cryptographic keys are often used to protect data from unauthorized disclosure Thus they are another resource to be protected Highly reliable key management is essential to maintaining highly available data Another layer of resources to be protected includes the assets within the Oracle Key Manager Cluster itself including the Key Management Appliances From whom am I protecting the resources These resources must be protected from everyone who does not have authority to access them These resources should be physically protected You should consider which of your employees should have access to these resources Then identify which types of operations each employee should be able to issue in the Oracle Key Manager environment What will happen if the protections on strategic resources fail In some cases a fault in your security scheme is easily detected and considered nothing more than an inconvenience In other cases a fault might cause great damage to companies or individual clients that use your resources Understanding the security ramifications of each resource will help you protect it properly Oracle Key Manager Security Guide Page 8 Recommended Deployment Topologies The following image shows a typical deployment of an Oracle Key Manager solution Service Deliver Platform Data KMA Key Manageme ppliance B initial Setup Console LLL 71
17. pendices Appendix A Secure Deployment Checklist The following security checklist includes guidelines that help secure your database 1 2 10 Install each KMA in a physically secure environment Secure the BIOS on each KMA Define the key split configuration for this Oracle Key Manager Cluster Set the autonomous unlock setting for each KMA as appropriate Define Oracle Key Manager users and their associated roles Practice the principle of least privilege i Grant each Oracle Key Manager user only those roles as needed Monitor activity on the Oracle Key Manager Cluster i Investigate any errors especially Security Violations that are logged in the Oracle Key Manager audit log Back up the core security when the key split configuration is initially defined and whenever the key split configuration is modified Perform Oracle Key Manager backups on a regular basis Store core security backup files and Oracle Key Manager backup files in a secure location Oracle Key Manager Security Guide Appendix B References Oracle Key Manager Administration Guide November 2010 Revision AA Oracle Key Manager Installation and Service Manual November 2010 Revision D Oracle Key Manager Systems Assurance Guide December 2010 Revision D Oracle Integrated Lights Out Manager ILOM 3 0 Web Interface Procedures Guide Oracle Integrated Lights Out Manager ILOM 3 0 Concepts Guide Sun Fire X4170 M2 and X4270 M2 Servers
18. r the agent With the Root CA certificate agent certificate and key pair in place the agent can run the Transport Layer Security TLS protocol for all subsequent communications with the KMAs All certificates are X 509 certificates The OKM behaves as a root certificate authority to generate a root certificate that KMAs use in turn to derive self sign the certificates used by agents users and new KMAs Oracle Key Manager Security Guide Page 16 Access Control Users and Role Based Access Control The Oracle Key Manager provides the ability to define multiple users each with a user ID and passphrase Each user is given one or more pre defined roles These roles determine which operations a user is permitted to perform on an Oracle Key Manager system These roles are e Security Officer Performs Oracle Key Manager setup and management e Operator Performs agent setup and day to day operations e Compliance Officer Defines Key Groups and controls agent access to Key Groups e Backup Operator Performs backup operations e Auditor Views system audit trails e Quorum Member Views and approves pending quorum operations A Security Officer is defined during the QuickStart process which sets up a KMA in an OKM Cluster Later a user must log into the Cluster as a Security Officer using the Oracle Key Manager GUI in order to define additional users The Security Officer can choose to assign multiple roles to a particular u
19. rase for the entity initiating the communication to perform a challenge response protocol If successful the entity is provided with a certificate and its corresponding private key This certificate and private key can establish a Transport Layer Security TLS 1 0 secure sockets channel using 2048 bit RSA Establishing this session results in the endpoints agreeing on an Advanced Encryption Standard AES 256 bit key All subsequent communications are encrypted with this AES 256 bit key Mutual authentication is performed each end of any connection authenticates the other party Hardware Security Module KMAs have an available Hardware Security Module which is ordered separately This Hardware Security Module a Sun Cryptographic Accelerator SCA 6000 card is FIPS 140 2 Level 3 certified and provides Advanced Encryption Standard AES 256 bit encryption keys When the OKM Cluster operates in FIPS compliant mode encryption keys do not leave the cryptographic boundary of the SCA 6000 card in unwrapped form The SCA 6000 card uses a FIPS approved random number generator as specified in FIPS 186 2 DSA Random Number Generator using SHA 1 for generating encryption keys When a KMA is configured with an SCA 6000 card cryptography is performed using the Solaris Cryptographic Framework SCF PKCS 11 soft token AES Key Wrapping Oracle Key Manager uses AES Key Wrapping RFC 3994 with 256 bit key encrypting keys to protect symmetric keys as
20. s such the use duplication disclosure modification and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract and to the extent applicable by the terms of the Government contract the additional rights set forth in FAR 52 227 19 Commercial Computer Software License 2011 Oracle USA Inc 500 Oracle Parkway Redwood City CA 94065 This software is developed for general use in a variety of information management applications It is not developed or intended for use in any inherently dangerous applications including applications which may create a risk of personal injury If you use this software in dangerous applications then you shall be responsible to take all appropriate fail safe backup redundancy and other measures to ensure the safe use of this software Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications Oracle is a registered trademark of Oracle Corporation and or its affiliates Other names may be trademarks of their respective owners This software and documentation may provide access to or information on content products and services from third parties Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third party content products and services Oracle Corporation and its affiliates will not be responsible for
21. ser and can also choose to assign a particular role to multiple users Refer to the Oracle Key Manager Administration Guide for more information about the operations that each role allows and how a Security Officer creates users and assigns roles to them This role based access control supports National Institute of Standards and Technology NIST Special Publication SP 800 60 operational roles to segregate operational functions Quorum Protection Some operations are critical enough to require an additional level of security These operations include adding a KMA to an OKM Cluster unlocking a KMA creating users and adding roles to users To implement this security the system uses a set of key split credentials in addition to the role based access described above Key split credentials consists of a set of user ID and passphrase pairs together with the minimum number of these pairs necessary to the system to enable completion of certain operations The key split credentials are also referred to as the quorum and the minimum number as the quorum threshold Oracle Key Manager Security Guide Oracle Key Manager allows up to 10 key split user ID passphrase pairs and a threshold to be defined They are defined during the QuickStart process when the first KMA in an OKM Cluster is configured The key split users IDs and passphrases are different from user IDs and passphrases that are used to log into the system When a user att
22. ts appear in the Oracle Key Manage Systems Assurance Guide Provide these key split credentials and user IDs and passphrases to the appropriate personnel Refer to the Quorum Protection section later in this document for more information IMPORTANT Retain and protect these key split credentials and user IDs and passphrases Bring up a web browser launch the Remote Console and launch the OKM QuickStart utility within the Remote Console Follow the Initialize Cluster procedure described in the Oracle Key Manager Administration Guide to initialize the OKM Cluster on this KMA The key split credentials and a user with Security Officer privileges are defined during this procedure After the QuickStart procedure is completed then the Security Officer must log into the KMA and define additional OKM users Considerations When Defining Key Split Credentials Defining fewer key split user IDs and passphrases and a lower threshold is more convenient but is less secure Defining more key split user IDs and passphrases and a higher threshold is less convenient but is more secure Considerations When Defining Additional OKM Users Defining fewer OKM users some of whom has multiple roles assigned to them is more convenient but is less secure Defining more OKM users most of who have only one role assigned to them is less convenient but is more secure as it is more convenient to track operations performed by a given OKM user Oracle Key Manager Secur
23. viewed periodically to determine relevance to current job responsibilities Monitor System Activity System security stands on three legs good security protocols proper system configuration and system monitoring Auditing and reviewing audit records address this third requirement Each component within a system has some degree of monitoring capability Follow audit advice in this document and regularly monitor audit records Keep Up To Date on Latest Security Information Oracle continually improves its software and documentation Check the My Oracle Support web site yearly for revisions Adapted from the EBS Security Guide Oracle Key Manager Security Guide Part 2 Secure Installation and Configuration Installation Overview This section outlines the planning process for a secure installation and describes several recommended deployment topologies for the systems Understand Your Environment To better understand your security needs ask yourself the following questions Which resources am I protecting Many resources in the production environment can be protected Consider the resources you want to protect when deciding the level of security you must provide The primary resource to be protected is typically your data Other resources are outlined here because they are associated with managing and protecting your data Various concerns with protecting data include data loss that is data being unavailable and data being c
Download Pdf Manuals
Related Search