As Published In
Oracle Magazine
March/April 2009

COMMENT: All Secure

Securing Support

By Mary Ann Davidson

Leaking a well-kept security secret: Oracle Configuration Manager

I’ve recently been plagued by financial institution voice response systems—which, if not from hell, are at least from purgatory. I keep getting routed to another branch of the automated voice response tree for the answer to every question except the one I want answered; I have to provide information I know they already have; and when I finally figure out the magic elixir for talking to An Actual Customer Support Representative, I have to provide the exact same information all over again . As customers, we all want to cut through the flak and go straight to actual assistance, and the more suppliers know about us and can access quickly (without our having to give information to them multiple times), the better and faster their service can be, and the happier we are.

Along the lines of “customers shouldn’t have to manually provide information the supplier ought to know,” Oracle recently launched its new Web support portal, My Oracle Support (previously known as Oracle MetaLink ), with the goal of providing better, faster, and more-complete service to customers. Speaking as a security fan, I think some of the most significant benefits of the new My Oracle Support portal are the integrated configuration management capabilities provided through the use of Oracle Configuration Manager.

With Oracle Configuration Manager, customers do not have to provide lots of information manually, and the fact that it includes automated security hygiene tools is a well-kept secret I’d like to “leak,” since most customers I talk to don’t seem to know that Oracle has tools to help them with the cybersecurity equivalent of “don’t forget to brush and floss, and you might want to check on that bicuspid.”

Oracle Configuration Manager can automatically gather the configuration information of Oracle product installs and upload this information into Oracle’s support systems, which makes it faster and easier for Oracle to help customers. Some of the information Oracle Configuration Manager can collect includes 

  • Installed patches
  • Deployment platforms, dates, versions, and types
  • Deployed components and applications
  • Content of configuration files
  • Information about network configurations


Next Steps

LEARN more about
My Oracle Support
Oracle Configuration Manager

READ more Davidson

Once collected, this configuration data can be used to populate the customer’s private My Oracle Support dashboard. The My Oracle Support dashboard can give customers a heads-up on what’s running in their enterprise, the configuration settings of what’s running, and how those configurations have changed over time. This is a key security point to help mediate the insider threat (did someone weaken a security setting?) and also help customers maintain their “mission readiness.”

The uploaded data allows Oracle Support to provide what the military calls situational awareness: what’s in your enterprise and what’s the overall readiness of those systems (such as release and patch levels currently installed in the environment). Further, Oracle Configuration Manager can provide “marching orders”: recommendations to ensure that each system operates in peak condition. From a security standpoint, getting automated recommendations about how your security settings could be tightened and the latest security patch you should apply (critical patch update) is actionable intelligence that can lead to a better security posture.

An important security note: the information collected by Oracle Configuration Manager is limited to configuration information and does not include actual customer data or other security-related customer information such as password hash values, audit records, and so on. Another security feature: customers need to specifically enable Oracle Configuration Manager in order for it to start collecting configuration information and to securely send this information to Oracle Support. For customers whose policies restrict sending of configuration information outside of the organization, Oracle Configuration Manager can be configured so a customer can review the information before it is sent to Oracle Support.

Back to my rant about manually providing customer information the supplier already has: a great Oracle Configuration Manager feature is the ability to quickly create a service request (SR) with accurate and complete system configuration information attached, because the SR can be prepopulated with the information typically required by Oracle Support in order to initiate a service request. And isn’t that what we all want—to get to actual assistance faster?


Mary Ann Davidson
is the chief security officer of Oracle, responsible for secure development practices and security evaluations and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC), has served on the U.S. Defense Science Board, and is on the editorial review board of SC Magazine.

Send us your comments