The Hunger Site

Monday, October 26, 2009

Security and Grid Control

A Senior Infrastructure Architect wrote:

"I am coming across distinct resistance towards using OEM Grid from those concerned with security around listener ports and data content - on a colocated management infrastructure (same data centre as the given databases)."

My reponse to this was:

"Any large corporate's security team does have quesions about Grid Control, but this is mainly due to lack of information. Grid Control is fully secure.

Firstly you can have the console protected by a security certificate (https), you can also have the traffic between the agent and the management service in https instead of http, and also it has two levels of security - first, the Grid control admin security (you have to create separate admins for target groups) and then the database login itself. The sysman password should be withheld from most users of Grid control.

If the security department wants tighter security, please recommend Oracle's Advanced Security Option which allow sql net encryption of all sql traffic and data encryption in the database. Regarding listener ports, you can password protect the listeners. Firewall needs to be opened up for certain other ports of Grid control.

We were using Grid Control in a large corporate site with more than 700 databases and found no issues.

Its a great product so do try to convince your security team. The benefits to the company are immense, and it also improves the life of the DBA teams - it leaves them with more quality time to do their senior DBA stuff, like architecture etc, instead of worrying about scripts for RMAN backups and the setup of Dataguard, or applying patches on multiple databases, which are just some examples of the many things automated by Grid Control. "


Opinions expressed in this blog are entirely the opinions of the writers of this blog, and do not reflect the position of Oracle corporation. No responsiblity will be taken for any resulting effects if any of the instructions or notes in the blog are followed. It is at the reader's own risk and liability.

Blog Archive