Securing Java Management
This topic provides security information and recommendations for Java Management Service.
Java Management Service (JMS) monitors Java deployments on Oracle Cloud Infrastructure (OCI) instances and instances running in customer data centers. It enables you to observe and manage the use of Java in your enterprise.
Security Responsibilities
To use JMS securely, learn about your security and compliance responsibilities.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
- Data Encryption: Oracle uses standard Oracle Cloud Infrastructure encryption for all data stored at rest in JMS. No additional configuration is necessary.
JMS users don't use encryption keys directly. Internally, JMS stores data in an autonomous database, which uses Oracle Cloud Infrastructure Vault to securely store encryption keys. Oracle manages and secures these resources.
- Data Durability: Oracle configures the JMS service for daily backups. No additional backup configuration by you is necessary.
Your security responsibilities are described on this page, which include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Agent Security:
- Install the agent to the instance with the minimal privilege. Do not install it as
root
. - Obtain an installation key. Verify the key's expiration and the number of installation instances.
- Delete the key after the agent is successfully installed.
- Verify that ports or proxy are set up correctly to only allow for the agent connection to OCI.
- Configure the agent to only scan the wanted directories and with the wanted frequency.
- Install the agent to the instance with the minimal privilege. Do not install it as
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure JMS in a new Oracle Cloud Infrastructure tenancy.
If you're new to JMS, see Setting Up Oracle Cloud Infrastructure for Java Management Service.
Task | More Information |
---|---|
Use IAM policies to grant access to users and resources | IAM Policies |
Routine Security Tasks
IAM Policies
Use policies to limit access to JMS.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect
, read
, use
, and manage
.
Create policies to allow group FLEET_MANAGERS
to manage fleets in compartment Fleet_Compartment
.
ALLOW GROUP FLEET_MANAGERS TO MANAGE fleet IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE management-agent-install-keys IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO READ METRICS IN COMPARTMENT Fleet_Compartment
ALLOW GROUP FLEET_MANAGERS TO MANAGE tag-namespaces IN TENANCY
Create policies to allow dynamic group JMS_DYNAMIC_GROUP
to deploy and use agents in the Management Agent service in compartment Fleet_Compartment
.
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO MANAGE management-agents IN COMPARTMENT Fleet_Compartment
ALLOW DYNAMIC-GROUP JMS_DYNAMIC_GROUP TO USE tag-namespaces IN TENANCY
Allow service javamanagementservice to manage metrics IN COMPARTMENT Fleet_Compartment where target.metrics.namespace='java_management_service'
For more information about deploying management agents, see Perform Prerequisites for Deploying Management Agents.
For more information about JMS policies, see Details for the Java Management Service.
Patching
Ensure that your JMS resources are running the latest security updates.
If you disabled the automatic upgrade feature of the Management Agent, then you must manually check for updates to the agent and the JMS plugin. See Upgrade Management Agents.
Auditing
Locate access logs and other security data for JMS.
The Audit service automatically records all API calls to Oracle Cloud Infrastructure resources. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request. See Viewing Audit Log Events.