Monday, September 30, 2013

SSH-KEY security for Oracle Enterprise Manager

In many companies who do use Oracle products Oracle Enterprise Manager is used for managing and monitoring purposes. This is making Oracle Enterprise Manager more and more a central application used to connect to a number of systems. From some point of view this is a good thing, from other points of view this might be a less favorable thing to do. Primarily from a security point of view a number of security specialists have reasoned that if someone would be able to hack Oracle Enterprise Manager it would be an ideal stepping stone into the rest of the network from the company which is under attack.

Oracle has introduced the option to now use a public/private key pare solution when connecting from Oracle Enterprise Manager to other systems. This is still not satisfying some security officers however it is tying more into the general ssh-key authentication mechanisms used for authentication at UNIX machines used in many companies. The ssh-keys are stored within Oracle Enterprise Manager as part of a named credential. A Named Credential specifies a users' authentication information on a system. Named credentials can be a username/password pair like the operating system login credentials, or Oracle home owner credentials primarily used for performing operations such as running jobs, patching and other system management tasks.

The advantaged of using a SSH key method for login to remote servers using SSH is that this is considered much more secure then using a username/password combination.Public key authentication is one of the most secure methods to authenticate using Secure Shell. Public key authentication uses a pair of computer generated keys - one public and one private. Each key is usually between 1024 and 2048 bits in length, it is useless unless you have the corresponding private key

A guide on how to use SSH keys in OEM can be seen in the below video from Oracle:

No comments: