Configuring the Always-On Monitoring Application for Secure Communication Using the TLSv1.2 Protocol

Transport Layer Security (TLS) is a cryptographic protocol used to increase security over computer networks by providing communication privacy and data integrity between applications. In the case of Always-On Monitoring (AOM), these secure communication channels are between the following components:

  • The AOM application and the AOM repository

  • The AOM application and the Enterprise Manager repository

The following instructions cover how to enable TLSv1.2 communication for Always-On Monitoring.

Storing CA Certificates

The server CA certificates of the Always-On Monitoring repository and Enterprise Manager repository can be stored either in an external Trust Store or in the Oracle Management Service’s JDK Trust Store (JAVA_HOME/jre/lib/security/cacerts).

Storing the Certificates in an External Trust Store

If you choose to store the certificates in an external Trust Store, then you need to set the following environment variables:

  • AOM_DB_WALLET_LOC - Absolute path to the external Trust Store. For example: /home/aom/externalTrustStore.jks

  • AOM_DB_WALLET_TYPE - The type of Trust Store being used: JKS or PKCS12 (for Enterprise Manager 13.3, the SSO Trust Store is not supported)

  • AOM_DB_WALLET_PASSWORD - The Trust Store password (For JKS and PKCS12)

Note:

In CSH, to set the environment variable, use the setenv command. For example, to set the AOM_DB_WALLET_LOC environment variable, run the following:
% setenv AOM_DB_WALLET_LOC /home/aom/externalTrustStore.jks
To set the same environment variable in a Bash environment, run the following:
% export AOM_DB_WALLET_LOC=/home/aom/externalTrustStore.jks

Storing the Certificates in the Oracle Management Service’s JDK Trust Store

If you choose to store the certificates in the Oracle Management Service’s JDK Trust Store, then you can use the emsca or emsctl scripts without additional configuration.

Guidelines for Configuring Always-On Monitoring to use TLSv1.2

  • During initial Always-On Monitoring setup with emsca, when prompted for the DB connection string, you must specify the connection string in the long form, which includes the protocol type being used (TCPS), and not in the short form, as shown in the following examples.

    Long Form

    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=myserver.myco.com)(PORT=15044))(CONNECT_DATA=(SID=dbview)))

    Short Form (will not work with TCPS):

    myserver.myco.com:15044:dbview

  • If Always-On Monitoring was initially configured to use the TCP protocol as part of emsca configuration, and at a later point you want to switch over to TCPS, you can re-configure Always-On Monitoring by performing the following steps:

    1. Change the Always-On Monitoring database connection string in the emsConfig.properties file ($AOM_HOME/conf/emsConfig.properties).

    2. Change the Enterprise Manager Repository connection string stored in the Always-On Monitoring database, in the EMS_SYNC_CONNECT_PROPS.connect_string column.

    3. Ensure that either the JDK wallet (under JAVA_HOME/jre/lib/security/cacerts) or the external Trust Store has the root CA certificates for both the Always-On Monitoring and Enterprise Manager repositories.

  • If Always-On Monitoring was initially configured to use the TCPS protocol as part of emsca configuration, and at a later point you want to switch over to TCP, you can re-configure Always-On Monitoring by performing the following steps:

    1. In the AOM_HOME/conf/emsConfig.properties file, set the emsRepConnectString property to the correct AOM database connection string. If the TCP protocol is used to connect to the database, you can use either the short or the long form for the connection string. If TCPS is used, you must provide the database connection string in the long form, as discussed previously.

    2. To change the Enterprise Manager connection string, you must update the EMS_SYNC_CONNECT_PROPS.connect_string field in the Always-On Monitoring database.
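The two things that most often go wrong when switching to TCPS are a connection string that is not in the long form (or has unbalanced parentheses) and an external Trust Store whose environment variables are inconsistent. The following shell functions are an added example, not part of the Oracle documentation or of emsca/emsctl; they check both before you re-run the configuration, using only the variable names and descriptor format given above.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight checks for AOM TLSv1.2 setup.

# Return 0 when $1 is a long-form Oracle connect descriptor that uses TCPS and
# has balanced parentheses; return 1 for the short form host:port:sid, for a
# plain TCP descriptor, or for a descriptor with a missing parenthesis.
is_tcps_long_form() {
  desc=$1
  # The short form has no DESCRIPTION keyword at all.
  case "$desc" in
    *DESCRIPTION=*) ;;
    *) echo "short form given; TCPS needs the long form" >&2; return 1 ;;
  esac
  # Without PROTOCOL=tcps the listener connection is not TLS-protected.
  printf '%s' "$desc" | grep -qi 'PROTOCOL=tcps' \
    || { echo "descriptor does not use PROTOCOL=tcps" >&2; return 1; }
  # Unbalanced parentheses are the usual copy/paste error in descriptors.
  opens=$(printf '%s' "$desc" | tr -cd '(')
  closes=$(printf '%s' "$desc" | tr -cd ')')
  [ "${#opens}" -eq "${#closes}" ] \
    || { echo "unbalanced parentheses in descriptor" >&2; return 1; }
}

# Return 0 when the external Trust Store settings are consistent with the
# documented variables: $1 = AOM_DB_WALLET_LOC (must exist), $2 =
# AOM_DB_WALLET_TYPE (JKS or PKCS12 only), $3 = AOM_DB_WALLET_PASSWORD (non-empty).
check_trust_store_env() {
  loc=$1; type=$2; pw=$3
  case "$type" in
    JKS|PKCS12) ;;
    *) echo "unsupported AOM_DB_WALLET_TYPE: $type (use JKS or PKCS12)" >&2; return 1 ;;
  esac
  [ -f "$loc" ] || { echo "trust store not found: $loc" >&2; return 1; }
  [ -n "$pw" ] || { echo "AOM_DB_WALLET_PASSWORD is empty" >&2; return 1; }
}

# Show the CA entries actually present in the store (JDK keytool), so you can
# confirm both repository root CAs were imported before starting AOM.
list_trust_store_entries() {
  keytool -list -keystore "$1" -storetype "$2" -storepass "$3"
}
```

Run the checks with the descriptor you intend to give emsca and the same three values you export as AOM_DB_WALLET_LOC, AOM_DB_WALLET_TYPE and AOM_DB_WALLET_PASSWORD.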