Introduction
This post continues my series on securing Oracle Enterprise Manager environments with some updates relevant to EM13c. Oracle has made significant security improvements with Oracle Enterprise Manager 13c over the prior 12c version, first released in October 2011, more than four and a half years ago at this point. In the interest of security, I have to strongly recommend that any sites still using EM12c upgrade to (or perform a fresh installation of) EM13c as soon as possible. More recent versions of EM12c like 12.1.0.5 (June 2015) continue to use the same technology stack as the initial release, and the world of security has massively changed since then. Notably, EM13c uses Java 7, WebLogic 12.1.3, and disables SSLv3 out of the box.
Just to recap, back at the EM12c original release date:
- Practically nobody had ever heard of Edward Snowden
- The first release of Java 7 celebrated its three month birthday
- Two months later, Oracle released WebLogic 12c; EM12c users remained on WebLogic 10.3.6
- One month earlier, the public learned of the BEAST attack and people still believed that using RC4 (immune to BEAST) as a workaround improved security (spoiler warning: it did not)
- We had three years to wait before the POODLE vulnerability caused vendors to recognize the need to disable SSLv3 (you DID disable SSLv3, right?)
- Oracle still considered the MD5 hashing algorithm good enough to use in self-signed certificates produced by EM12c, despite flaws known to exist since 1996
- Web browsers considered the SHA-1 hashing algorithm, now also deprecated due to brokenness, good enough to use
As the security world’s known unknowns collapsed around us, proactive EM12c administrators sought to make the best of their lot. Outside of Oracle, I and others poked at the software and wrote blog articles, while inside Oracle effort proceeded to support more recent Java releases that brought with them better cipher suites and hashing algorithms, as well as the usual security fixes. This process took some time for all involved and hit a few bumps along the way.
- Replacement of EM12c certificates with custom certificates making use of the SHA-2 hashing algorithm appeared to work fine until we tried to apply patches: EM12c opatchauto, SHA256, and you
- Each time a new attack broke in the press, proactive EM12c administrators including myself looked for ways to mitigate it, as with my first fumbling efforts when the POODLE bug became public: How to unofficially disable SSL v3 in Oracle Enterprise Manager 12c to mitigate POODLE attack
- The difficulty of keeping track of now-monthly patching and rechecking known issues after patching led me to create an automated security check script for EM12c: EM12c R4 SSL Security Checkup Script
- The official documentation, though exhaustive, sometimes complicated security issues beyond the minimum necessary to achieve a task, so I produced a step-by-step guide to replacing as many certificates as possible with those sourced from third parties or internal sources: Step by step: Configuring third party SSL/TLS certificates in EM12c R4
- Sometimes bizarre bugs led to an inability to disable known weak cipher suites, requiring deep dives into patching and configuration: EM12c OHS, LOW strength ciphers, custom certificates, and patch 1994800 weirdness
- Sometimes we shoot ourselves in the foot by carelessly upgrading components: When proactive EM12c JDK upgrades bite back
- Applying your strong certificates to the full EM12c stack does not eliminate the severe security issues created by Oracle’s decision to include a widely known demo certificate authority with WebLogic: Insecure certificate warning still exists in EM12c WLS logs with third-party certificates applied
I do not intend in this post to review general day-to-day EM13c security design such as user roles or privileges, object level security within OEM, or integration with identity providers like LDAP; only the infrastructure level issues that tend to change in brief large bursts as new attacks come out. See this excellent list of EM13c blogs, links and videos that Philip Brown has provided for more details on these and other items.
On to EM13c
EM13c admins need to keep an eye on the same sorts of items as with EM12c. We really should read the documentation, even if only the Security Guide. I admit I often do not. It contains good information.
Patches
I consider it critical for admins to keep up with the OEM periodic patches, particularly security patches. The script below covers patches up to and including March 31, 2016. I plan to update again after the next set of Oracle security patches arrives, likely mid-April.
Certificates
The process for applying certificates on EM13c does not appear to have changed significantly from the prior version. I have confirmed that the new “omspatcher” tool that replaces opatchauto when applying a system patch to the OMS works perfectly fine with certificates on WebLogic that use the SHA-256 hashing algorithm. Given the upcoming deprecation of SHA-1 across all major browsers I do not see any valid reason not to use SHA-256 with new certificates.
Ciphersuites
Out of the box, my EM13c installation rejected weak ciphersuites and accepted the strong ones. Unfortunately it still accepted some that these versions of Java and OpenSSL classify as MEDIUM strength, so I want to disable those across the entire environment, leaving only the strongest ciphersuites available in this release and permitting other ciphersuites only where necessary.
We will have to live with these unwanted ciphersuites enabled until Oracle provides a supported procedure to disable them across the entire stack. I have performed some preliminary tests and I find it very easy to get OEM into a situation where it cannot startup after manually editing config files that define enabled ciphersuites. The script below will identify ports permitting ciphersuites you may wish to disable when a supported method becomes available.
Security Checkup
Below I provide an early version of the script I use to validate EM13c security configuration. I based this on my earlier EM12c script, linked above. The script will become more useful once I implement patch level checking after release of the first set of EM13c patches. For the moment it inspects your EM13c environment to identify the relevant ports and confirms, for each port, that your system does not respond to SSLv2 or SSLv3 requests, does respond to TLSv1 requests, and supports HIGH but not LOW or MEDIUM strength ciphersuites (as defined by the version of OpenSSL installed on your OMS host). Finally, it checks for the presence of demonstration (not-for-production-use) certificates and self-signed certificates.
(A caveat on self-signed certificate checking: OpenSSL, not this script, performs the check, therefore if OpenSSL cannot validate your certificate to a trusted root, this script cannot either. If a well known certification authority has signed your certificates, OpenSSL should validate them successfully, but it may not do so if you use an internal certificate authority to sign certificates. In that case you should install a copy of your internal CA as a trusted root certificate in the system trust store so that OpenSSL can validate your EM13c certificates. I cannot document this process for every OS but Linux users should look to the documentation for the update-ca-certificates or update-ca-trust commands. If my script below incorrectly reports your certificate as self-signed, you can ignore the finding or address the issue at the OpenSSL level.)
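Two parsing helpers for the openssl s_client transcript, added here as an example and not part of the checkup script below: one reads the "Verify return code" line so the caveat above becomes a distinct finding (an internal-CA certificate that OpenSSL cannot chain to a trusted root is reported as untrusted rather than self-signed), and the other returns the suite the server actually negotiated so a port that permits MEDIUM can be listed suite by suite. Host, port and CA file arguments are assumed values you supply, and the embedded transcripts are constructed, not captured from an OMS host.

```bash
#!/bin/bash
# Added example, not part of the EM13c checkup script on this page.
# Both helpers read the transcript "openssl s_client" prints instead of
# grepping for one fixed string:
#   negotiated_cipher - the suite the server actually chose ("" if rejected)
#   classify_verify   - a verdict taken from the "Verify return code" line, so
#                       a certificate OpenSSL merely cannot chain to a trusted
#                       root is reported as untrusted, not as self-signed
# HOST, PORT and CAFILE arguments to the network wrappers are assumptions.

# Print the negotiated cipher name from one transcript on stdin, or nothing
# when the handshake failed (s_client then prints "Cipher    : 0000").
negotiated_cipher () {
    sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1 \
        | sed -e '/^0000$/d' -e '/^(NONE)$/d'
}

# Print a one-word verdict for one transcript on stdin:
#   noconnect  - no cipher negotiated (wrong protocol, rejected suite, closed port)
#   verified   - code 0: chain validated to a root in OpenSSL's trust store
#   selfsigned - code 18 (leaf is self-signed) or 19 (a self-signed root in the
#                served chain is not in the trust store; a demo CA looks like this)
#   untrusted  - code 20 or 21: issuer certificate not available; install the
#                internal CA (update-ca-trust / update-ca-certificates) or pass
#                it with -CAfile and re-check before calling it self-signed
#   other      - any other verify error (expired, hostname mismatch, ...)
classify_verify () {
    transcript=$(cat)
    cipher=$(printf '%s\n' "$transcript" | negotiated_cipher)
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$cipher" ]; then
        echo noconnect
        return 0
    fi
    case "$code" in
        0)     echo verified ;;
        18|19) echo selfsigned ;;
        20|21) echo untrusted ;;
        *)     echo other ;;
    esac
}

# Network wrappers: they need a live endpoint and are not exercised offline.
# probe_cert HOST PORT [CAFILE] -> verdict word for the certificate at HOST:PORT
probe_cert () {
    caopt=""
    if [ -n "$3" ]; then
        caopt="-CAfile $3"
    fi
    echo Q | openssl s_client -prexit -connect "$1:$2" $caopt 2>&1 | classify_verify
}

# accepted_ciphers HOST PORT LEVEL -> the suites from OpenSSL's LEVEL list
# (LOW, MEDIUM or HIGH) that the server agrees to, one per line. Empty output
# means the level is rejected; otherwise you know exactly which suites to
# disable once a supported procedure exists.
accepted_ciphers () {
    for suite in $(openssl ciphers "$3" | tr ':' ' '); do
        echo Q | openssl s_client -connect "$1:$2" -cipher "$suite" 2>&1 | negotiated_cipher
    done
}

# Constructed transcript fragments (not captured from a real OMS host) so the
# parsers can be run without a network.
SAMPLE_INTERNAL_CA='verify error:num=20:unable to get local issuer certificate
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_DEMO_ROOT='verify error:num=19:self signed certificate in certificate chain
---
SSL-Session:
    Cipher    : AES128-SHA
    Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_TRUSTED='SSL-Session:
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
SAMPLE_REJECTED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Cipher    : 0000
    Verify return code: 0 (ok)'

printf 'internal CA, root not installed : %s\n' "$(printf '%s\n' "$SAMPLE_INTERNAL_CA" | classify_verify)"
printf 'demo/self-signed root in chain  : %s\n' "$(printf '%s\n' "$SAMPLE_DEMO_ROOT" | classify_verify)"
printf 'trusted chain                   : %s\n' "$(printf '%s\n' "$SAMPLE_TRUSTED" | classify_verify)"
printf 'suite rejected                  : %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_verify)"
```

Swap `probe_cert` into `certcheck` and `accepted_ciphers` into the MEDIUM test of `ciphercheck` to get the finer-grained findings; the checkup script's `-tls1` flag can be added to the wrappers where an endpoint only speaks TLSv1.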
EM13c TLS Security Checkup Script
[LATEST UPDATE: 20160406 covering 20160331 EM13c patch bundles]
Consider this version 0.2 beta for the moment. Only tested on Linux x86-64, but may work on AIX and Solaris as the EM12c version I built this upon did work there. Planned future enhancements include checking that you have disabled non-encrypted HTTP access to EM13c components, upgraded Java to the most recent EM13c-supported release, and more.
You can download the initial version of the script from pastebin.
#!/bin/bash
#
# This script examines your EM13c environment, identifies the ports
# each component uses, and checks for SSLv2/SSLv3 usage, as well as making
# sure that weak cipher suites get rejected. It also performs a patch
# check comparing installed patches against the latest recommended patches
# and flags the use of demo or self-signed certificates. Further
# enhancements will include checks for the EM13c Java JDK version.
#
# Released v0.1: Initial beta release 5 Apr 2016
# Changes v0.2: Updated for current patches
#
# From: @BrianPardy on Twitter
#
# Known functional on Linux x86-64, may work on Solaris and AIX.
#
# Run this script as the Oracle EM13c software owner, with your environment
# fully up and running.
#
# Thanks to Dave Corsar, who tested a previous version on Solaris and
# let me know the changes needed to make the script work on Solaris.
#
# Thanks to opa tropa who confirmed AIX functionality on a previous
# version and noted the use of GNU extensions to grep, which I have
# since removed.
#
# Dedicated to our two Lhasa Apsos:
# Lucy (6/13/1998 - 3/13/2015)
# Ethel (6/13/1998 - 7/31/2015)
#
#
SCRIPTNAME=`basename $0`
PATCHDATE="5 Apr 2016"
OMSHOST=`hostname -f`
VERSION="0.2"
FAIL_COUNT=0
FAIL_TESTS=""
RUN_DB_CHECK=0
VERBOSE_CHECKSEC=2
HOST_OS=`uname -s`
HOST_ARCH=`uname -m`
ORAGCHOMELIST="/etc/oragchomelist"
ORATAB="/etc/oratab"
if [[ ! -r $ORAGCHOMELIST ]]; then # Solaris
ORAGCHOMELIST="/var/opt/oracle/oragchomelist"
fi
if [[ ! -r $ORATAB ]]; then # Solaris
ORATAB="/var/opt/oracle/oratab"
fi
if [[ -x "/usr/sfw/bin/gegrep" ]]; then
GREP=/usr/sfw/bin/gegrep
else
GREP=`which grep`
fi
OMS_HOME=`$GREP -i oms $ORAGCHOMELIST | xargs ls -d 2>/dev/null`
if [[ "$OMS_HOME" == "." ]]; then
OMS_HOME=`cat $ORAGCHOMELIST | head -n 1`
fi
OPATCH="$OMS_HOME/OPatch/opatch"
OPATCHAUTO="$OMS_HOME/OPatch/opatchauto"
OMSPATCHER="$OMS_HOME/OMSPatcher/omspatcher"
OMSORAINST="$OMS_HOME/oraInst.loc"
ORAINVENTORY=`$GREP inventory_loc $OMSORAINST | awk -F= '{print $2}'`
MW_HOME=$OMS_HOME
COMMON_HOME="$MW_HOME/oracle_common"
AGENT_HOME=`$GREP -vi REMOVED $ORAINVENTORY/ContentsXML/inventory.xml | $GREP "HOME NAME=\"agent13c" | awk '{print $3}' | sed -e 's/LOC=\"//' | sed -e 's/"//'`
EM_INSTANCE_BASE=`$GREP GCDomain $MW_HOME/domain-registry.xml | sed -e 's/.*=//' | sed -e 's/\/user_projects.*$//' | sed -e 's/"//'`
EMGC_PROPS="$EM_INSTANCE_BASE/em/EMGC_OMS1/emgc.properties"
EMBIP_PROPS="$EM_INSTANCE_BASE/em/EMGC_OMS1/embip.properties"
#OPMN_PROPS="$EM_INSTANCE_BASE/WebTierIH1/config/OPMN/opmn/ports.prop"
#OHS_ADMIN_CONF="$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/admin.conf"
PORT_UPL=`$GREP EM_UPLOAD_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
PORT_OMS=`$GREP EM_CONSOLE_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
PORT_OMS_JAVA=`$GREP MS_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
PORT_NODEMANAGER=`$GREP EM_NODEMGR_PORT $EMGC_PROPS | awk -F= '{print $2}'`
PORT_BIP=`$GREP BIP_HTTPS_PORT $EMBIP_PROPS | awk -F= '{print $2}'`
PORT_BIP_OHS=`$GREP BIP_HTTPS_OHS_PORT $EMBIP_PROPS | awk -F= '{print $2}'`
PORT_ADMINSERVER=`$GREP AS_HTTPS_PORT $EMGC_PROPS | awk -F= '{print $2}'`
#PORT_OPMN=`$GREP '/opmn/remote_port' $OPMN_PROPS | awk -F= '{print $2}'`
#PORT_OHS_ADMIN=`$GREP Listen $OHS_ADMIN_CONF | awk '{print $2}'`
PORT_AGENT=`$AGENT_HOME/bin/emctl status agent | $GREP 'Agent URL' | sed -e 's/\/emd\/main\///' | sed -e 's/^.*://' | uniq`
REPOS_DB_CONNDESC=`$GREP EM_REPOS_CONNECTDESCRIPTOR $EMGC_PROPS | sed -e 's/EM_REPOS_CONNECTDESCRIPTOR=//' | sed -e 's/\\\\//g'`
REPOS_DB_HOST=`echo $REPOS_DB_CONNDESC | sed -e 's/^.*HOST=//' | sed -e 's/).*$//'`
REPOS_DB_SID=`echo $REPOS_DB_CONNDESC | sed -e 's/^.*SID=//' | sed -e 's/).*$//'`
if [[ "$REPOS_DB_HOST" == "$OMSHOST" ]]; then
REPOS_DB_HOME=`$GREP "$REPOS_DB_SID:" $ORATAB | awk -F: '{print $2}'`
REPOS_DB_VERSION=`$REPOS_DB_HOME/OPatch/opatch lsinventory -oh $REPOS_DB_HOME | $GREP 'Oracle Database' | awk '{print $4}'`
if [[ "$REPOS_DB_VERSION" == "11.2.0.4.0" ]]; then
RUN_DB_CHECK=1
fi
if [[ "$REPOS_DB_VERSION" == "12.1.0.2.0" ]]; then
RUN_DB_CHECK=1
fi
if [[ "$RUN_DB_CHECK" -eq 0 ]]; then
echo -e "\tSkipping local repository DB patch check, only 11.2.0.4 or 12.1.0.2 supported by this script for now"
fi
fi
sslcheck () {
OPENSSL_CHECK_COMPONENT=$1
OPENSSL_CHECK_HOST=$2
OPENSSL_CHECK_PORT=$3
OPENSSL_CHECK_PROTO=$4
# Counts "Cipher : 0000" lines: 0 means a session was negotiated with the requested protocol.
# If this OpenSSL build lacks the requested protocol option altogether, s_client prints no
# Cipher line, the count is also 0, and the ssl2/ssl3 tests report FAILED; inspect the raw
# s_client output in that case before treating the finding as real.
OPENSSL_RETURN=`echo Q | openssl s_client -prexit -connect $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT -$OPENSSL_CHECK_PROTO 2>&1 | $GREP Cipher | $GREP -c 0000`
if [[ $OPENSSL_CHECK_PROTO == "tls1" ]]; then
echo -en "\tConfirming $OPENSSL_CHECK_PROTO available for $OPENSSL_CHECK_COMPONENT at $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT... "
if [[ $OPENSSL_RETURN -eq "0" ]]; then
echo OK
else
echo FAILED
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:$OPENSSL_CHECK_PROTO protocol connection failed"
fi
fi
if [[ $OPENSSL_CHECK_PROTO == "ssl2" || $OPENSSL_CHECK_PROTO == "ssl3" ]]; then
echo -en "\tConfirming $OPENSSL_CHECK_PROTO disabled for $OPENSSL_CHECK_COMPONENT at $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT... "
if [[ $OPENSSL_RETURN -ne "0" ]]; then
echo OK
else
echo FAILED
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:$OPENSSL_CHECK_PROTO protocol connection succeeded"
fi
fi
}
opatchcheck () {
OPATCH_CHECK_COMPONENT=$1
OPATCH_CHECK_OH=$2
OPATCH_CHECK_PATCH=$3
if [[ "$OPATCH_CHECK_COMPONENT" == "ReposDBHome" ]]; then
OPATCH_RET=`$OPATCH_CHECK_OH/OPatch/opatch lsinv -oh $OPATCH_CHECK_OH | $GREP $OPATCH_CHECK_PATCH`
else
OPATCH_RET=`$OPATCH lsinv -oh $OPATCH_CHECK_OH | $GREP $OPATCH_CHECK_PATCH`
fi
if [[ -z "$OPATCH_RET" ]]; then
echo FAILED
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPATCH_CHECK_COMPONENT @ ${OPATCH_CHECK_OH}:Patch $OPATCH_CHECK_PATCH not found"
else
echo OK
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $OPATCH_RET
}
opatchautocheck () {
OPATCHAUTO_CHECK_COMPONENT=$1
OPATCHAUTO_CHECK_OH=$2
OPATCHAUTO_CHECK_PATCH=$3
OPATCHAUTO_RET=`$OPATCHAUTO lspatches -oh $OPATCHAUTO_CHECK_OH | $GREP $OPATCHAUTO_CHECK_PATCH`
if [[ -z "$OPATCHAUTO_RET" ]]; then
echo FAILED
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPATCHAUTO_CHECK_COMPONENT @ ${OPATCHAUTO_CHECK_OH}:Patch $OPATCHAUTO_CHECK_PATCH not found"
else
echo OK
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $OPATCHAUTO_RET
}
omspatchercheck () {
OMSPATCHER_CHECK_COMPONENT=$1
OMSPATCHER_CHECK_OH=$2
OMSPATCHER_CHECK_PATCH=$3
OMSPATCHER_RET=`$OMSPATCHER lspatches -oh $OMSPATCHER_CHECK_OH | $GREP $OMSPATCHER_CHECK_PATCH`
if [[ -z "$OMSPATCHER_RET" ]]; then
echo FAILED
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OMSPATCHER_CHECK_COMPONENT @ ${OMSPATCHER_CHECK_OH}:Patch $OMSPATCHER_CHECK_PATCH not found"
else
echo OK
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $OMSPATCHER_RET
}
certcheck () {
CERTCHECK_CHECK_COMPONENT=$1
CERTCHECK_CHECK_HOST=$2
CERTCHECK_CHECK_PORT=$3
echo -ne "\tChecking certificate at $CERTCHECK_CHECK_COMPONENT ($CERTCHECK_CHECK_HOST:$CERTCHECK_CHECK_PORT)... "
OPENSSL_SELFSIGNED_COUNT=`echo Q | openssl s_client -prexit -connect $CERTCHECK_CHECK_HOST:$CERTCHECK_CHECK_PORT -tls1 2>&1 | $GREP -ci "self signed certificate"`
if [[ $OPENSSL_SELFSIGNED_COUNT -eq "0" ]]; then
echo OK
else
echo FAILED - Found self-signed certificate
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$CERTCHECK_CHECK_COMPONENT @ ${CERTCHECK_CHECK_HOST}:${CERTCHECK_CHECK_PORT} found self-signed certificate"
fi
}
democertcheck () {
DEMOCERTCHECK_CHECK_COMPONENT=$1
DEMOCERTCHECK_CHECK_HOST=$2
DEMOCERTCHECK_CHECK_PORT=$3
echo -ne "\tChecking demo certificate at $DEMOCERTCHECK_CHECK_COMPONENT ($DEMOCERTCHECK_CHECK_HOST:$DEMOCERTCHECK_CHECK_PORT)... "
OPENSSL_DEMO_COUNT=`echo Q | openssl s_client -prexit -connect $DEMOCERTCHECK_CHECK_HOST:$DEMOCERTCHECK_CHECK_PORT -tls1 2>&1 | $GREP -ci "issuer=/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING ONLY/CN"`
if [[ $OPENSSL_DEMO_COUNT -eq "0" ]]; then
echo OK
else
echo FAILED - Found demonstration certificate
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$DEMOCERTCHECK_CHECK_COMPONENT @ ${DEMOCERTCHECK_CHECK_HOST}:${DEMOCERTCHECK_CHECK_PORT} found demonstration certificate"
fi
}
ciphercheck () {
OPENSSL_CHECK_COMPONENT=$1
OPENSSL_CHECK_HOST=$2
OPENSSL_CHECK_PORT=$3
echo -ne "\tChecking LOW strength ciphers on $OPENSSL_CHECK_COMPONENT ($OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT)..."
OPENSSL_LOW_RETURN=`echo Q | openssl s_client -prexit -connect $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT -tls1 -cipher LOW 2>&1 | $GREP Cipher | uniq | $GREP -c 0000`
if [[ $OPENSSL_LOW_RETURN -eq "0" ]]; then
echo -e "\tFAILED - PERMITS LOW STRENGTH CIPHER CONNECTIONS"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:Permits LOW strength ciphers"
else
echo -e "\tOK"
fi
echo -ne "\tChecking MEDIUM strength ciphers on $OPENSSL_CHECK_COMPONENT ($OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT)..."
OPENSSL_MEDIUM_RETURN=`echo Q | openssl s_client -prexit -connect $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT -tls1 -cipher MEDIUM 2>&1 | $GREP Cipher | uniq | $GREP -c 0000`
if [[ $OPENSSL_MEDIUM_RETURN -eq "0" ]]; then
echo -e "\tFAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:Permits MEDIUM strength ciphers"
else
echo -e "\tOK"
fi
echo -ne "\tChecking HIGH strength ciphers on $OPENSSL_CHECK_COMPONENT ($OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT)..."
OPENSSL_HIGH_RETURN=`echo Q | openssl s_client -prexit -connect $OPENSSL_CHECK_HOST:$OPENSSL_CHECK_PORT -tls1 -cipher HIGH 2>&1 | $GREP Cipher | uniq | $GREP -c 0000`
if [[ $OPENSSL_HIGH_RETURN -eq "0" ]]; then
echo -e "\tOK"
else
echo -e "\tFAILED - CANNOT CONNECT WITH HIGH STRENGTH CIPHER"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$OPENSSL_CHECK_COMPONENT @ $OPENSSL_CHECK_HOST:${OPENSSL_CHECK_PORT}:Rejects HIGH strength ciphers"
fi
echo
}
wlspatchcheck () {
WLSDIR=$1
WLSPATCH=$2
WLSCHECK_RETURN=`( cd $MW_HOME/utils/bsu && $MW_HOME/utils/bsu/bsu.sh -report ) | $GREP $WLSPATCH`
# An unquoted echo piped to wc -l reports 1 even for an empty result, so test the string itself
if [[ -n "$WLSCHECK_RETURN" ]]; then
echo -e "\tOK"
else
echo -e "\tFAILED - PATCH NOT FOUND"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WLSDIR:Patch $WLSPATCH not found"
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $WLSCHECK_RETURN
}
# Not yet called from the main script: EM13c ships Java 7, so the expected
# version string below must be updated before this check is enabled.
javacheck () {
WHICH_JAVA=$1
JAVA_DIR=$2
JAVACHECK_RETURN=`$JAVA_DIR/bin/java -version 2>&1 | $GREP version | awk '{print $3}' | sed -e 's/"//g'`
if [[ "$JAVACHECK_RETURN" == "1.6.0_95" ]]; then
echo -e "\tOK"
else
#echo -e "\tFAILED - Found version $JAVACHECK_RETURN"
echo -e "\tFAILED"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WHICH_JAVA Java in ${JAVA_DIR}:Found incorrect version $JAVACHECK_RETURN"
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $JAVACHECK_RETURN
}
paramcheck () {
WHICH_PARAM=$1
WHICH_ORACLE_HOME=$2
WHICH_FILE=$3
# [[:space:]] rather than the GNU-only \s so the check also works with Solaris/AIX sed
PARAMCHECK_RETURN=`$GREP $WHICH_PARAM $WHICH_ORACLE_HOME/network/admin/$WHICH_FILE | awk -F= '{print $2}' | sed -e 's/[[:space:]]//g'`
if [[ "$WHICH_PARAM" == "SSL_VERSION" ]]; then
if [[ "$PARAMCHECK_RETURN" == "1.0" ]]; then
echo -e "OK"
else
echo -e "FAILED - Found $WHICH_PARAM = $PARAMCHECK_RETURN"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WHICH_PARAM in $WHICH_FILE for home ${WHICH_ORACLE_HOME}:incorrect parameter value"
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $PARAMCHECK_RETURN
fi
if [[ "$WHICH_PARAM" == "SSL_CIPHER_SUITES" ]]; then
if [[ "$PARAMCHECK_RETURN" == "(SSL_RSA_WITH_AES128_CBC_SHA,SSL_RSA_WITH_AES256_CBC_SHA)" ]]; then
echo -e "OK"
else
echo -e "FAILED - Found $WHICH_PARAM = $PARAMCHECK_RETURN"
FAIL_COUNT=$((FAIL_COUNT+1))
FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$WHICH_PARAM in $WHICH_FILE for home ${WHICH_ORACLE_HOME}:incorrect parameter value"
fi
test $VERBOSE_CHECKSEC -ge 2 && echo $PARAMCHECK_RETURN
fi
}
### MAIN SCRIPT HERE
echo -e "Performing EM13c security checkup version $VERSION on $OMSHOST at `date`.\n"
echo "Using port definitions from configuration files "
echo -e "\t/etc/oragchomelist"
echo -e "\t$EMGC_PROPS"
echo -e "\t$EMBIP_PROPS"
echo
echo -e "\tAgent port found at $OMSHOST:$PORT_AGENT"
echo -e "\tBIPublisher port found at $OMSHOST:$PORT_BIP"
echo -e "\tBIPublisherOHS port found at $OMSHOST:$PORT_BIP_OHS"
echo -e "\tNodeManager port found at $OMSHOST:$PORT_NODEMANAGER"
echo -e "\tOMSconsole port found at $OMSHOST:$PORT_OMS"
echo -e "\tOMSproxy port found at $OMSHOST:$PORT_OMS_JAVA"
echo -e "\tOMSupload port found at $OMSHOST:$PORT_UPL"
echo -e "\tWLSadmin found at $OMSHOST:$PORT_ADMINSERVER"
echo
echo -e "\tRepository DB version=$REPOS_DB_VERSION SID=$REPOS_DB_SID host=$REPOS_DB_HOST"
if [[ $RUN_DB_CHECK -eq "1" ]]; then
echo -e "\tRepository DB on OMS server, will check patches/parameters in $REPOS_DB_HOME"
fi
#exit 0
echo -e "\n(1) Checking SSL/TLS configuration (see notes 1602983.1, 1477287.1, 1905314.1)"
echo -e "\n\t(1a) Forbid SSLv2 connections"
sslcheck Agent $OMSHOST $PORT_AGENT ssl2
sslcheck BIPublisher $OMSHOST $PORT_BIP ssl2
sslcheck NodeManager $OMSHOST $PORT_NODEMANAGER ssl2
sslcheck BIPublisherOHS $OMSHOST $PORT_BIP_OHS ssl2
sslcheck OMSconsole $OMSHOST $PORT_OMS ssl2
sslcheck OMSproxy $OMSHOST $PORT_OMS_JAVA ssl2
sslcheck OMSupload $OMSHOST $PORT_UPL ssl2
#sslcheck OPMN $OMSHOST $PORT_OPMN ssl2
sslcheck WLSadmin $OMSHOST $PORT_ADMINSERVER ssl2
echo -e "\n\t(1b) Forbid SSLv3 connections"
sslcheck Agent $OMSHOST $PORT_AGENT ssl3
sslcheck BIPublisher $OMSHOST $PORT_BIP ssl3
sslcheck NodeManager $OMSHOST $PORT_NODEMANAGER ssl3
sslcheck BIPublisherOHS $OMSHOST $PORT_BIP_OHS ssl3
sslcheck OMSconsole $OMSHOST $PORT_OMS ssl3
sslcheck OMSproxy $OMSHOST $PORT_OMS_JAVA ssl3
sslcheck OMSupload $OMSHOST $PORT_UPL ssl3
#sslcheck OPMN $OMSHOST $PORT_OPMN ssl3
sslcheck WLSadmin $OMSHOST $PORT_ADMINSERVER ssl3
echo -e "\n\t(1c) Permit TLSv1 connections"
sslcheck Agent $OMSHOST $PORT_AGENT tls1
sslcheck BIPublisher $OMSHOST $PORT_BIP tls1
sslcheck NodeManager $OMSHOST $PORT_NODEMANAGER tls1
sslcheck BIPublisherOHS $OMSHOST $PORT_BIP_OHS tls1
sslcheck OMSconsole $OMSHOST $PORT_OMS tls1
sslcheck OMSproxy $OMSHOST $PORT_OMS_JAVA tls1
sslcheck OMSupload $OMSHOST $PORT_UPL tls1
#sslcheck OPMN $OMSHOST $PORT_OPMN tls1
sslcheck WLSadmin $OMSHOST $PORT_ADMINSERVER tls1
echo -e "\n(2) Checking supported ciphers at SSL/TLS endpoints (see notes 1477287.1, 1905314.1, 1067411.1)"
ciphercheck Agent $OMSHOST $PORT_AGENT
ciphercheck BIPublisher $OMSHOST $PORT_BIP
ciphercheck NodeManager $OMSHOST $PORT_NODEMANAGER
ciphercheck BIPublisherOHS $OMSHOST $PORT_BIP_OHS
ciphercheck OMSconsole $OMSHOST $PORT_OMS
ciphercheck OMSproxy $OMSHOST $PORT_OMS_JAVA
ciphercheck OMSupload $OMSHOST $PORT_UPL
#ciphercheck OPMN $OMSHOST $PORT_OPMN
ciphercheck WLSadmin $OMSHOST $PORT_ADMINSERVER
echo -e "\n(3) Checking self-signed and demonstration certificates at SSL/TLS endpoints (see notes 1367988.1, 1399293.1, 1593183.1, 1527874.1, 123033.1, 1937457.1)"
certcheck Agent $OMSHOST $PORT_AGENT
democertcheck Agent $OMSHOST $PORT_AGENT
certcheck BIPublisher $OMSHOST $PORT_BIP
democertcheck BIPublisher $OMSHOST $PORT_BIP
certcheck NodeManager $OMSHOST $PORT_NODEMANAGER
democertcheck NodeManager $OMSHOST $PORT_NODEMANAGER
certcheck BIPublisherOHS $OMSHOST $PORT_BIP_OHS
democertcheck BIPublisherOHS $OMSHOST $PORT_BIP_OHS
certcheck OMSconsole $OMSHOST $PORT_OMS
democertcheck OMSconsole $OMSHOST $PORT_OMS
certcheck OMSproxy $OMSHOST $PORT_OMS_JAVA
democertcheck OMSproxy $OMSHOST $PORT_OMS_JAVA
certcheck OMSupload $OMSHOST $PORT_UPL
democertcheck OMSupload $OMSHOST $PORT_UPL
#certcheck OPMN $OMSHOST $PORT_OPMN
#democertcheck OPMN $OMSHOST $PORT_OPMN
certcheck WLSadmin $OMSHOST $PORT_ADMINSERVER
democertcheck WLSadmin $OMSHOST $PORT_ADMINSERVER
echo -e "\n(4) Checking EM13c Oracle home patch levels against $PATCHDATE baseline (see notes 1664074.1, 1900943.1, 822485.1, 1470197.1, 1967243.1)"
if [[ $RUN_DB_CHECK -eq 1 ]]; then
if [[ "$REPOS_DB_VERSION" == "12.1.0.2.0" ]]; then
echo -ne "\n\t(4a) OMS REPOSITORY DATABASE HOME ($REPOS_DB_HOME) PSU 12.1.0.2.160119 (JAN2016) (21948354)... "
opatchcheck ReposDBHome $REPOS_DB_HOME 21948354
echo -ne "\n\t(4a) OMS REPOSITORY DATABASE HOME ($REPOS_DB_HOME) ORACLE JAVAVM COMPONENT 12.1.0.2.160119 DATABASE PSU (JAN2016) (22139226)... "
opatchcheck ReposDBHome $REPOS_DB_HOME 22139226
fi
echo -ne "\n\t(4b) OMS REPOSITORY DATABASE HOME ($REPOS_DB_HOME) sqlnet.ora SSL_VERSION parameter (1545816.1)... "
paramcheck SSL_VERSION $REPOS_DB_HOME sqlnet.ora
echo -ne "\n\t(4b) OMS REPOSITORY DATABASE HOME ($REPOS_DB_HOME) sqlnet.ora SSL_CIPHER_SUITES parameter (1545816.1)... "
paramcheck SSL_CIPHER_SUITES $REPOS_DB_HOME sqlnet.ora
echo -ne "\n\t(4b) OMS REPOSITORY DATABASE HOME ($REPOS_DB_HOME) listener.ora SSL_VERSION parameter (1545816.1)... "
paramcheck SSL_VERSION $REPOS_DB_HOME listener.ora
echo -ne "\n\t(4b) OMS REPOSITORY DATABASE HOME ($REPOS_DB_HOME) listener.ora SSL_CIPHER_SUITES parameter (1545816.1)... "
paramcheck SSL_CIPHER_SUITES $REPOS_DB_HOME listener.ora
fi
echo -ne "\n\t(4c) OMS CHAINED AGENT HOME ($AGENT_HOME) EM-AGENT BUNDLE PATCH 13.1.0.0.160331 (22823268)... "
opatchcheck Agent $AGENT_HOME 22823268
echo -ne "\n\t(4c) OMS CHAINED AGENT HOME ($AGENT_HOME) EM DB PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22920712)... "
opatchcheck Agent $AGENT_HOME 22920712
echo -ne "\n\t(4c) OMS CHAINED AGENT HOME ($AGENT_HOME) EM FMW PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22936491)... "
opatchcheck Agent $AGENT_HOME 22936491
echo -ne "\n\t(4c) OMS CHAINED AGENT HOME ($AGENT_HOME) EM SI PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22823189)... "
opatchcheck Agent $AGENT_HOME 22823189
echo -ne "\n\t(4d) OMS HOME ($OMS_HOME) ENTERPRISE MANAGER FOR OMS PLUGINS 13.1.1.0.160331 (22920724)... "
omspatchercheck OMS $OMS_HOME 22920724
echo
echo
if [[ $FAIL_COUNT -gt "0" ]]; then
echo "Failed test count: $FAIL_COUNT - Review output"
test $VERBOSE_CHECKSEC -ge 1 && echo -e $FAIL_TESTS
else
echo "All tests succeeded."
fi
echo
echo "Visit https://pardydba.wordpress.com/2016/04/05/securing-oracle-enterprise-manager-13c/ for the latest version."
echo
exit
EM13c TLS Security Checkup Script Sample Output
Performing EM13c security checkup version 0.1 on omshost.domain.com at Wed Apr 6 11:23:54 EDT 2016.
Using port definitions from configuration files
/etc/oragchomelist
/oracle/oem/gc_inst/em/EMGC_OMS1/emgc.properties
/oracle/oem/gc_inst/em/EMGC_OMS1/embip.properties
Agent port found at omshost.domain.com:3872
BIPublisher port found at omshost.domain.com:9803
BIPublisherOHS port found at omshost.domain.com:9851
NodeManager port found at omshost.domain.com:7403
OMSconsole port found at omshost.domain.com:7802
OMSproxy port found at omshost.domain.com:7301
OMSupload port found at omshost.domain.com:4903
WLSadmin found at omshost.domain.com:7102
Repository DB version=12.1.0.2.0 SID=oemdb host=omshost.domain.com
Repository DB on OMS server, will check patches/parameters in /oracle/oem/product/12.1.0/db
(1) Checking SSL/TLS configuration (see notes 1602983.1, 1477287.1, 1905314.1)
(1a) Forbid SSLv2 connections
Confirming ssl2 disabled for Agent at omshost.domain.com:3872... OK
Confirming ssl2 disabled for BIPublisher at omshost.domain.com:9803... OK
Confirming ssl2 disabled for NodeManager at omshost.domain.com:7403... OK
Confirming ssl2 disabled for BIPublisherOHS at omshost.domain.com:9851... OK
Confirming ssl2 disabled for OMSconsole at omshost.domain.com:7802... OK
Confirming ssl2 disabled for OMSproxy at omshost.domain.com:7301... OK
Confirming ssl2 disabled for OMSupload at omshost.domain.com:4903... OK
Confirming ssl2 disabled for WLSadmin at omshost.domain.com:7102... OK
(1b) Forbid SSLv3 connections
Confirming ssl3 disabled for Agent at omshost.domain.com:3872... OK
Confirming ssl3 disabled for BIPublisher at omshost.domain.com:9803... OK
Confirming ssl3 disabled for NodeManager at omshost.domain.com:7403... OK
Confirming ssl3 disabled for BIPublisherOHS at omshost.domain.com:9851... OK
Confirming ssl3 disabled for OMSconsole at omshost.domain.com:7802... OK
Confirming ssl3 disabled for OMSproxy at omshost.domain.com:7301... OK
Confirming ssl3 disabled for OMSupload at omshost.domain.com:4903... OK
Confirming ssl3 disabled for WLSadmin at omshost.domain.com:7102... OK
(1c) Permit TLSv1 connections
Confirming tls1 available for Agent at omshost.domain.com:3872... OK
Confirming tls1 available for BIPublisher at omshost.domain.com:9803... OK
Confirming tls1 available for NodeManager at omshost.domain.com:7403... OK
Confirming tls1 available for BIPublisherOHS at omshost.domain.com:9851... OK
Confirming tls1 available for OMSconsole at omshost.domain.com:7802... OK
Confirming tls1 available for OMSproxy at omshost.domain.com:7301... OK
Confirming tls1 available for OMSupload at omshost.domain.com:4903... OK
Confirming tls1 available for WLSadmin at omshost.domain.com:7102... OK
(2) Checking supported ciphers at SSL/TLS endpoints (see notes 1477287.1, 1905314.1, 1067411.1)
Checking LOW strength ciphers on Agent (omshost.domain.com:3872)... OK
Checking MEDIUM strength ciphers on Agent (omshost.domain.com:3872)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on Agent (omshost.domain.com:3872)... OK
Checking LOW strength ciphers on BIPublisher (omshost.domain.com:9803)... OK
Checking MEDIUM strength ciphers on BIPublisher (omshost.domain.com:9803)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on BIPublisher (omshost.domain.com:9803)... OK
Checking LOW strength ciphers on NodeManager (omshost.domain.com:7403)... OK
Checking MEDIUM strength ciphers on NodeManager (omshost.domain.com:7403)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on NodeManager (omshost.domain.com:7403)... OK
Checking LOW strength ciphers on BIPublisherOHS (omshost.domain.com:9851)... OK
Checking MEDIUM strength ciphers on BIPublisherOHS (omshost.domain.com:9851)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on BIPublisherOHS (omshost.domain.com:9851)... OK
Checking LOW strength ciphers on OMSconsole (omshost.domain.com:7802)... OK
Checking MEDIUM strength ciphers on OMSconsole (omshost.domain.com:7802)... OK
Checking HIGH strength ciphers on OMSconsole (omshost.domain.com:7802)... OK
Checking LOW strength ciphers on OMSproxy (omshost.domain.com:7301)... OK
Checking MEDIUM strength ciphers on OMSproxy (omshost.domain.com:7301)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on OMSproxy (omshost.domain.com:7301)... OK
Checking LOW strength ciphers on OMSupload (omshost.domain.com:4903)... OK
Checking MEDIUM strength ciphers on OMSupload (omshost.domain.com:4903)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on OMSupload (omshost.domain.com:4903)... OK
Checking LOW strength ciphers on WLSadmin (omshost.domain.com:7102)... OK
Checking MEDIUM strength ciphers on WLSadmin (omshost.domain.com:7102)... FAILED - PERMITS MEDIUM STRENGTH CIPHER CONNECTIONS
Checking HIGH strength ciphers on WLSadmin (omshost.domain.com:7102)... OK
(3) Checking self-signed and demonstration certificates at SSL/TLS endpoints (see notes 1367988.1, 1399293.1, 1593183.1, 1527874.1, 123033.1, 1937457.1)
Checking certificate at Agent (omshost.domain.com:3872)... FAILED - Found self-signed certificate
Checking demo certificate at Agent (omshost.domain.com:3872)... OK
Checking certificate at BIPublisher (omshost.domain.com:9803)... OK
Checking demo certificate at BIPublisher (omshost.domain.com:9803)... OK
Checking certificate at NodeManager (omshost.domain.com:7403)... OK
Checking demo certificate at NodeManager (omshost.domain.com:7403)... OK
Checking certificate at BIPublisherOHS (omshost.domain.com:9851)... OK
Checking demo certificate at BIPublisherOHS (omshost.domain.com:9851)... OK
Checking certificate at OMSconsole (omshost.domain.com:7802)... OK
Checking demo certificate at OMSconsole (omshost.domain.com:7802)... OK
Checking certificate at OMSproxy (omshost.domain.com:7301)... OK
Checking demo certificate at OMSproxy (omshost.domain.com:7301)... OK
Checking certificate at OMSupload (omshost.domain.com:4903)... OK
Checking demo certificate at OMSupload (omshost.domain.com:4903)... OK
Checking certificate at WLSadmin (omshost.domain.com:7102)... OK
Checking demo certificate at WLSadmin (omshost.domain.com:7102)... OK
(4) Checking EM13c Oracle home patch levels against 5 Apr 2016 baseline (see notes 1664074.1, 1900943.1, 822485.1, 1470197.1, 1967243.1)
(4a) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) PSU 12.1.0.2.160119 (JAN2016) (21948354)... OK
Patch 21948354 : applied on Fri Jan 22 11:03:15 EST 2016 Patch description: "Database Patch Set Update : 12.1.0.2.160119 (21948354)"
(4a) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) ORACLE JAVAVM COMPONENT 12.1.0.2.160119 DATABASE PSU (JAN2016) (22139226)... OK
Patch 22139226 : applied on Fri Jan 22 10:58:00 EST 2016 19699946, 19176885, 19623450, 22139226, 19909862, 21811517, 19223010
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SSL_VERSION parameter (1545816.1)... OK
1.0
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SSL_CIPHER_SUITES parameter (1545816.1)... OK
(SSL_RSA_WITH_AES128_CBC_SHA,SSL_RSA_WITH_AES256_CBC_SHA)
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) listener.ora SSL_VERSION parameter (1545816.1)... OK
1.0
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) listener.ora SSL_CIPHER_SUITES parameter (1545816.1)... OK
(SSL_RSA_WITH_AES128_CBC_SHA,SSL_RSA_WITH_AES256_CBC_SHA)
(4c) OMS CHAINED AGENT HOME (/oracle/oem/agent13cR1/agent_13.1.0.0.0) EM-AGENT BUNDLE PATCH 13.1.0.0.160331 (22823268)... OK
Patch 22823268 : applied on Wed Apr 06 09:53:14 EDT 2016 22823268, 22384903, 21779343, 22293781, 22568679, 22565184, 22988508
(4c) OMS CHAINED AGENT HOME (/oracle/oem/agent13cR1/agent_13.1.0.0.0) EM DB PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22920712)... OK
Patch 22920712 : applied on Wed Apr 06 10:40:33 EDT 2016 22920712, 22902094, 22908077
(4c) OMS CHAINED AGENT HOME (/oracle/oem/agent13cR1/agent_13.1.0.0.0) EM FMW PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22936491)... OK
Patch 22936491 : applied on Wed Apr 06 10:46:28 EDT 2016 22461699, 22936491
(4c) OMS CHAINED AGENT HOME (/oracle/oem/agent13cR1/agent_13.1.0.0.0) EM SI PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22823189)... OK
Patch 22823189 : applied on Wed Apr 06 11:07:32 EDT 2016 22128210, 22823189
(4d) OMS HOME (/oracle/oem/Middleware13cR1) ENTERPRISE MANAGER FOR OMS PLUGINS 13.1.1.0.160331 (22920724)... OK
oracle.sysman.emas.oms.plugin/13.1.1.0.0 Plugin 22920724 22823175 oracle.sysman.si.oms.plugin/13.1.1.0.0 Plugin 22920724 22589347 oracle.sysman.db.oms.plugin/13.1.1.0.0 Plugin 22920724 22823156
Failed test count: 8 - Review output
ciphercheck:Agent @ omshost.domain.com:3872:Permits MEDIUM strength ciphers
ciphercheck:BIPublisher @ omshost.domain.com:9803:Permits MEDIUM strength ciphers
ciphercheck:NodeManager @ omshost.domain.com:7403:Permits MEDIUM strength ciphers
ciphercheck:BIPublisherOHS @ omshost.domain.com:9851:Permits MEDIUM strength ciphers
ciphercheck:OMSproxy @ omshost.domain.com:7301:Permits MEDIUM strength ciphers
ciphercheck:OMSupload @ omshost.domain.com:4903:Permits MEDIUM strength ciphers
ciphercheck:WLSadmin @ omshost.domain.com:7102:Permits MEDIUM strength ciphers
certcheck:Agent @ omshost.domain.com:3872 found self-signed certificate
Visit https://pardydba.wordpress.com/2016/04/05/securing-oracle-enterprise-manager-13c/ for the latest version.
