Configuring Secure Communication

This section contains the following topics:

About Secure Communication

Enterprise Manager Framework Security provides safe and secure communication channels between the components of Enterprise Manager. For example, Framework Security provides secure connections between your Oracle Management Service and its Management Agents. Secure communication also protects against network threats such as eavesdropping and ensures confidentiality/integrity by utilizing technologies such as public-key cryptography.

Enterprise Manager Framework Security implements the following types of secure connections between the Enterprise Manager components:

  • HTTPS and Public Key Infrastructure (PKI) components, including signed digital certificates, for communications between the Management Service and the Management Agents.

  • Oracle Advanced Security for communications between the Management Service and the Management Repository.

Enabling Security for the Oracle Management Service

To enable Enterprise Manager Framework Security for the Management Service, you use the emctl secure oms utility, which is located in the following subdirectory of the Management Service home directory:

<OMS_ORACLE_HOME>/bin

The emctl secure oms utility performs the following actions:

  • Generates a Root Key within your Management Repository. The Root Key is used during distribution of Oracle Wallets containing unique digital certificates for your Management Services and Management Agents. An Oracle Wallet is used to store security credentials on Oracle clients and servers; see the Oracle Advanced Security Administrator's Guide for more information on Oracle Wallets.

  • Modifies your WebTier to enable an HTTPS channel between your Management Service and Management Agents, independent from any existing HTTPS configuration that may be present in your WebTier.

  • Enables your Management Service to accept requests from Management Agents using Enterprise Manager Framework Security.

To run the emctl secure oms utility you must first choose an Agent Registration Password. The Agent Registration Password is used to validate that future installations of Oracle Management Agents are authorized to load their data into this Enterprise Manager installation.

To enable Enterprise Manager Framework Security for the Oracle Management Service:

  1. Stop the Management Service and the WebTier using the following command:
    <OMS_ORACLE_HOME>/bin/emctl stop oms
    
  2. Enter the following command:
    <OMS_ORACLE_HOME>/bin/emctl secure oms
    
  3. You will be prompted for the Enterprise Manager Root Password. Enter the SYSMAN password.
  4. You will be prompted for the Agent Registration Password, which is the password required for any Management Agent attempting to establish secure communication with the Management Service. Specify an Agent Registration Password for the Management Service.
  5. Restart the OMS.
  6. After the Management Service restarts, test the secure connection to the Management Service by browsing to the following secure URL using the HTTPS protocol:
    https://hostname.domain:https_console_port/em
    

    Note: The Enterprise Manager console URL can be found by running the "emctl status oms -details" command.

    For example:

    $ emctl status oms -details
    Oracle Enterprise Manager 24ai Release 1
    Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved.
    Enter Enterprise Manager Root (SYSMAN) Password :
    ...
    Console URL: https://omshost.example.com:5416/em
    

    If the Management Service security has been enabled successfully, your browser displays the Enterprise Manager login page.

Example 2-3 Sample Output of the emctl secure oms Command

$ emctl secure oms
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved.
Securing OMS... Started.
Enter Enterprise Manager Root (SYSMAN) Password :
Enter Agent Registration Password :
Securing OMS... Successful
Restart OMS

Configuring the OMS with Server Load Balancer

When you deploy a Management Service that is available behind a Server Load Balancer (SLB), special attention must be given to the DNS host name through which the Management Service will be available. Although the Management Service may run on a particular local host, for example test01.example.com, your Management Agents will access the Management Service using the host name that has been assigned to the Server Load Balancer. For example, oracleoms.example.com.

As a result, when you enable Enterprise Manager Framework Security for the Management Service, it is important to ensure that the Server Load Balancer host name is embedded into the Certificate that the Management Service uses for SSL communications. This may be done by using emctl secure oms and specifying the host name using an extra -host parameter as shown below.

Note:

Before running the commands, identify the SLB host name and ports, and ensure that the SLB is configured.

  • Enable security on the Management Service by entering the following command:

    emctl secure oms -host <slb_hostname> [-slb_console_port <slb UI port>] [-slb_port <slb upload port>] [other params]

    Run this command on each OMS. You will need to restart each OMS after running the 'emctl secure oms' command.

  • Create virtual servers and pools on the Server Load Balancer.

  • Verify that the console can be accessed using the following URL:

    https://slb_hostname:slb_console_port/em

  • Re-secure the Agents with Server Load Balancer by using the following command:

    emctl secure agent -emdWalletSrcUrl <SLB Upload or UI URL>

    For example:

    $ <AGENT_HOME>/bin/emctl secure agent -emdWalletSrcUrl https://slb_hostname:slb_upload_port/em

It is possible to configure Oracle Enterprise Manager with one load balancer for upload operations and one for console operations. To do this, the pools at both of the SLBs must be configured with respective ports and the OMS must be secured separately for console and upload operations, using the following commands:

$ emctl secure oms -host <slb_hostname> [-slb_port <slb upload port>] [other params]
$ emctl secure console -host <slb_hostname> [other params]

Removing a Server Load Balancer Configuration

If you had previously configured the OMS with an SLB using emctl secure oms -host and now want to remove the SLB configuration, run the following command:

emctl secure oms -no_slb

If you had secured Agents using the SLB hostname they will need to be re-secured using the OMS hostname. To re-secure the Agents, run the following command:

emctl secure agent -emdWalletSrcUrl <Upload URL>

Creating a New Certificate Authority

You may need to create a new Certificate Authority (CA) if the current CA is expiring, if you want to change the key strength, or if you want to change the signature algorithm. A unique identifier is assigned to each CA. For instance, the CA created during installation has ID 1, and subsequent CAs have IDs 2, 3, and so on. At any given time, the most recently created CA is active and issues certificates for OMSs and Agents.

  1. Run the emctl secure createca command on one of the OMS machines.
  2. If there are multiple OMSs in your environment, copy <EM_Instance_Home>/sysman/config/b64LocalCertificate.txt from the machine on which emctl secure createca was run to the same location (<EM_Instance_Home>/sysman/config/b64LocalCertificate.txt) on all other OMS machines.
  3. Restart all the OMSs.

Example 2-4 Creating a New Certificate Authority

emctl secure createca [-host <hostname>] [-key_strength <strength>] [-cert_validity <validity>] [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>] [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>] [-sign_alg <md5|sha1|sha256|sha384|sha512>]
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation.  All rights reserved.
Creating CA... Started.
Successfully created CA with ID 2

Example 2-5 Viewing Information about a Certificate Authority

emcli get_ca_info -ca_id="1;2" -details
Info about CA with ID: 1
CA is not configured
DN: CN=myhost.example.com, C=US
Serial# : 3423643907115516586
Valid From: Tue Mar 16 11:06:20 PDT 2011
Valid Till: Sat Mar 14 11:06:20 PDT 2020
Number of Agents registered with CA ID 1 is 1
myhost.example.com:3872

Info about CA with ID: 2
CA is configured
DN: CN=myhost.example.com, C=US, ST=CA
Serial# : 1182646629511862286
Valid From: Fri Mar 19 05:17:15 PDT 2011
Valid Till: Tue Mar 17 05:17:15 PDT 2020
There are no Agents registered with CA ID 2

Administration Credentials Wallet

The WebLogic Administrator and Node Manager passwords are stored in the Administration Credentials Wallet, which is located in the <MW_HOME>/sysman/config/adminCredsWallet directory. To recreate the Administration Credentials Wallet, run the following command on each machine on which the Management Service is running:

emctl secure create_admin_creds_wallet [-admin_pwd <pwd>] [-nodemgr_pwd <pwd>]

Viewing the Security Status and OMS Port Information

To view the security status and OMS port information, use the following command:

Example 2-6 emctl status oms -details

Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved.
Console Server Host : test01.example.com
HTTP Console Port : 7802
HTTPS Console Port : 5416
HTTP Upload Port : 7654
HTTPS Upload Port : 4473
EM Instance Home : <MW_HOME>/oracle/work/em/EMGC_OMS1
OMS Log Directory Location : <MW_HOME>/oracle/work/em/EMGC_OMS1/sysman/log
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is unlocked.
Active CA ID: 2
Console URL: https://test01.example.com:5416/em
Upload URL: https://test01.example.com:4473/empbs/upload
 
WLS Domain Information
Domain Name : EMGC_DOMAIN
Admin Server Host : test01.example.com
Admin Server HTTPS Port: 7022
Admin Server is RUNNING
 
Managed Server Information
Managed Server Instance Name: EMGC_OMS1
Managed Server Instance Host: test01.example.com
WebTier is Up
Oracle Management Server is Up

Configuring Transport Layer Security

The Oracle Management Service can be configured in TLSv1.2 modes. By default, all three modes are enabled. To configure the OMS to use only one or two modes, do the following:

  1. Stop the OMS by entering the following command:
    <OMS_ORACLE_HOME>/bin/emctl stop oms
    
  2. Enter a command similar to one of the following commands:

    To restrict the OMS to one particular mode, enter:

    emctl secure oms -protocol "TLSv1"
    

    To enable more than one mode, use a space delimited list, for example:

    emctl secure oms -protocol "TLSv1.2"
    
  3. Restart the OMS with the following command:
    <OMS_ORACLE_HOME>/bin/emctl start oms
    

Securing the Oracle Management Agent

When you install the Management Agent on a host, you must identify the Management Service that will be used by the Management Agent. To enable Enterprise Manager Framework Security for the Management Agent, use the emctl secure agent utility, which is located in the following directory of the Management Agent home directory:

<AGENT_INSTANCE_HOME>/bin (UNIX)
<AGENT_INSTANCE_HOME>\bin (Windows)

The emctl secure agent utility performs the following actions:

  • Obtains an Oracle Wallet from the Management Service that contains a unique digital certificate for the Management Agent. This certificate is required in order for the Management Agent to conduct SSL communication with the secure Management Service.

  • Obtains an Agent Key for the Management Agent that is registered with the Management Service.

  • Configures the Management Agent so it is available on your network over HTTPS and so it uses the Management Service HTTPS upload URL for all its communication with the Management Service.

To enable Enterprise Manager Framework Security for the Management Agent:

  1. Ensure that your Management Service and the Management Repository are up and running.
  2. Stop the Management Agent:
    emctl stop agent
    
  3. Enter the following command:
    emctl secure agent
    

    The emctl secure agent utility prompts you for the Agent Registration Password, authenticates the password against the Management Service, and reconfigures the Management Agent to use Enterprise Manager Framework Security.

    Example 2-7 shows sample output of the emctl secure agent utility.

  4. Restart the Management Agent:
    emctl start agent
    
  5. Confirm that the Management Agent is secure by checking the Management Agent home page.

    Note:

    You can also check whether the Management Agent is secure by running the emctl status agent -secure command, or by checking the Agent and Repository HTTPS URLs in the output of the emctl status agent command.

    In the Management Agent home page, the Secure Upload field indicates whether or not Enterprise Manager Framework Security has been enabled for the Management Agent.

Example 2-7 Sample Output of the emctl secure agent Utility

emctl secure agent
Oracle Enterprise Manager 24ai Release 1.
Copyright (c) 1996, 2024 Oracle Corporation.  All rights reserved.
Securing agent...   Started
Securing agent...   Successful.

Example 2-8 Sample Output of the emctl status agent -secure Command

$ emctl status agent -secure
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved.
Checking the security status of the Agent at location set in <MW_HOME>/oracle/work/agentStateDir/sysman/config/emd.properties... Done.
Agent is secure at HTTPS Port 1838.
Checking the security status of the OMS at http://test01.example.com:7654/empbs/upload/... Done.
OMS is secure on HTTPS Port 4473

Managing Agent Registration Passwords

Enterprise Manager uses the Agent Registration password to validate that installations of Oracle Management Agents are authorized to load their data into the Oracle Management Service.

The Agent Registration password is created during installation when security is enabled for the Oracle Management Service. You can add/edit/delete registration passwords directly from the Enterprise Manager console.

Note:

If you want to prevent new Agents from registering with the OMS, delete all registration passwords.

Using the Enterprise Manager Console to Manage Agent Registration Passwords

You can use the Enterprise Manager Console to manage your existing registration passwords or create additional registration passwords:

  1. From the Setup menu, select Security, then select Registration Passwords.
  2. Enterprise Manager displays the Registration Passwords page. The registration password specified during installation appears in the Registration Passwords table with the description <Initial Agent Registration Password>.
  3. Use the Registration Passwords page to change your registration password, create additional registration passwords, or remove registration passwords associated with the current Management Repository.

When you create or edit an Agent Registration Password on the Registration Passwords page, you can specify whether the password is persistent and available for multiple Management Agents, usable only once, or valid for a predefined period of time.

For example, if an administrator requests to install a Management Agent on a particular host, you can create a one-time-only password that the administrator can use to install and configure one Management Agent.

On the other hand, you can create a persistent password that an administrator can use for the next two weeks before it expires and the administrator must ask for a new password.

Using emctl to Add a New Agent Registration Password

To add a new Agent Registration Password, use the following emctl command on the machine on which the Management Service has been installed:

emctl secure setpwd [sysman pwd] [new registration pwd]

The emctl secure setpwd command requires that you provide the password of the Enterprise Manager super administrator user, sysman, to authorize the addition of the Agent Registration Password.

As with other security passwords, you should change the Agent Registration Password on a regular and frequent basis to prevent it from becoming too widespread.

Restricting HTTP Access to the Management Service

It is important that only secure Management Agent installations that use the Management Service HTTPS channel are able to upload data to your Management Repository, and that the Enterprise Manager console is accessible via HTTPS only.

To restrict access so Management Agents can upload data to the Management Service only over HTTPS:

  1. Stop the Management Service and the WebTier:
    cd <OMS_ORACLE_HOME>/bin
    emctl stop oms
    
  2. Enter the following command to prevent Management Agents from uploading data to the Management Service over HTTP:
    emctl secure lock -upload

    To lock the console and prevent HTTP access to the console, enter the following command:

    emctl secure lock -console
    

    To lock both, enter either of the following commands:

    emctl secure lock
    emctl secure lock -upload -console
    

    To lock both the console access and uploads from Agents while enabling security on the Management Service, enter the following command:

    emctl secure oms -lock [other options]
    
  3. Restart the Management Service, the WebTier, and the other application server components:
    emctl start oms
    
  4. Verify that you cannot access the OMS upload URL using the HTTP protocol:

    For example, navigate to the following URL:

    http://hostname.domain:4889/empbs/upload
    

    You should receive an error message similar to the following:

    Forbidden
    You are not authorised to access this resource on the server.
    

    Note: The HTTP upload port number can be found using the emctl status oms -details command. Search for "HTTP Upload Port".

  5. Verify that you can access the OMS Upload URL using the HTTPS protocol:

    For example, navigate to the following URL:

    https://hostname.domain:4888/empbs/upload
    

    You should receive the following message, which confirms the secure upload port is available to secure Management Agents:

    Http XML File receiver
    Http Recceiver Servlet active!
    

Example 2-9 Sample Output of the emctl secure lock Command

emctl secure lock
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation.  All rights reserved.
OMS Console is locked. Access the console over HTTPS ports.
Agent Upload is locked. Agents must be secure and upload over HTTPS port.
Restart OMS

Example 2-10 Sample Output of the emctl secure unlock Command

emctl secure unlock
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation.  All rights reserved.
OMS Console is unlocked. HTTP ports too can be used to access console.
Agent Upload is unlocked. Unsecure Agents may upload over HTTP.
Restart OMS

To allow the Management Service to accept uploads from unsecure Management Agents, use the following command:

emctl secure unlock -upload

Note:

  • The OMS needs to be stopped before running 'secure unlock', and then restarted afterwards.

  • To unlock the console and allow HTTP access to the console, enter the following command:

    emctl secure unlock -console
    
  • To unlock both, enter either of the following commands:

    emctl secure unlock
    emctl secure unlock -console -upload

Note:

The Oracle Management Service is locked (both console & upload) by default.

Enabling HSTS Response Headers on Oracle Management Service and Agent Ports

Starting with Enterprise Manager version 13c Release 5 Update 03 (13.5.0.3), the HSTS header is included in Oracle Management Agent responses by default. Use the steps below to enable the HTTP Strict Transport Security (HSTS) response headers on the WebLogic Server and Oracle HTTP Server / API Gateway ports of the Oracle Management Service:

Enabling HSTS Response Headers on OMS WebLogic Server Port

  1. Run the command below on each OMS Home to enable HSTS on OMS:

    1. Retrieve the existing value of JAVA_EM_ARGS:

      <OMS HOME>/bin>emctl get property -name JAVA_EM_ARGS
    2. Append the value -Dweblogic.http.headers.enableHSTS=true to the existing JAVA_EM_ARGS retrieved in the previous step:

      <OMS HOME>/bin>emctl set property -name JAVA_EM_ARGS -value "<existing_value_of_JAVA_EM_ARGS> -Dweblogic.http.headers.enableHSTS=true" -module emoms -oms_name local_oms -sysman_pwd <sysman_password>

      Consider the following response while retrieving the value of JAVA_EM_ARGS:

      <OMS HOME>/bin>emctl get property -name JAVA_EM_ARGS
      Oracle Enterprise Manager Cloud Control 13c Release 5
      Copyright (c) 1996, 2021 Oracle Corporation. All rights reserved.
      SYSMAN password:
      Value for property JAVA_EM_ARGS for oms local_oms is -XX:+HeapDumpOnOutOfMemoryError
            -XX:HeapDumpPath=/app/oracle/mw/13.5/null/sysman/log/oms_heap_dump
            -XX:OnOutOfMemoryError=/app/oracle/mw/13.5/bin/heap_dump_rolling.sh

      Then, run the following command to append -Dweblogic.http.headers.enableHSTS=true to the value of JAVA_EM_ARGS:

      <OMS HOME>/bin>emctl set property -name JAVA_EM_ARGS -value "-XX:+HeapDumpOnOutOfMemoryError
            -XX:HeapDumpPath=/app/oracle/mw/13.5/null/sysman/log/oms_heap_dump
            -XX:OnOutOfMemoryError=/app/oracle/mw/13.5/bin/heap_dump_rolling.sh -Dweblogic.http.headers.enableHSTS=true" -module emoms -oms_name local_oms -sysman_pwd <sysman_password>
  2. Restart the OMS:

    <OMS HOME>/bin>emctl stop oms -all -force
    <OMS HOME>/bin>emctl start oms

    If you also want to enable HSTS on the OMS WebTier port (OHS or API Gateway), you can defer this restart until after completing that section.

Enabling HSTS Response Headers on OMS API Gateway Port for Enterprise Manager 24ai Release 1

  1. Run the following command to enable HSTS at the API Gateway:

    <OMS_HOME>/bin/emctl set webtier_property -name enableHsts -value true
  2. Restart the OMS:

    <OMS HOME>/bin>emctl stop oms -all -force
    <OMS HOME>/bin>emctl start oms

Enabling HSTS Response Headers on OMS Oracle HTTP Server Port for Enterprise Manager 13c Release 5

  1. Locate the following files for the OHS port of the OMS, and take a backup of each file:

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs(n)/moduleconf/httpd_em.conf

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs(n)/ssl.conf

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs(n)/httpd.conf.emctl_secure

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs(n)/ssl.conf.emctl_secure

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs(n)/moduleconf/ssl_bip.conf (SSL Configuration file for BIP, if exists)

    In a multi-OMS setup, the above files are present only on the primary OMS server, where the Admin Server is running. Update each of them.

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs(n)/moduleconf/httpd_em.conf

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs(n)/ssl.conf

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs(n)/httpd.conf.emctl_secure

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs(n)/ssl.conf.emctl_secure

    • <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs(n)/moduleconf/ssl_bip.conf (SSL Configuration file for BIP, if exists)

  2. Restart the OMS:

    <OMS HOME>/bin>emctl stop oms -all -force
    <OMS HOME>/bin>emctl start oms

Verifying that HSTS Response Header is Enabled

Run the following command to check if HSTS is enabled at the port level:

$ curl -s -D- https://<HOSTNAME>:<SSL PORT>/ --insecure | grep Strict

Example output:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
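A parsed version of the same check, as an added example (not Oracle's or the page's code): it evaluates the Strict-Transport-Security directives against a minimum max-age and the includeSubDomains directive, and can fetch the headers from a live port with certificate verification instead of --insecure. SAMPLE_RESPONSE is a constructed header block shaped like the output above; fetch_headers and its cafile argument are this example's own.

```python
"""HSTS response-header check for an OMS or Agent HTTPS port.
Added example, not Oracle's code; SAMPLE_RESPONSE is constructed."""
import http.client
import ssl

ONE_YEAR = 31536000  # the max-age shown in the example output on the page


def parse_hsts(raw_headers):
    """Return the Strict-Transport-Security directives as a dict, e.g.
    {'max-age': '31536000', 'includesubdomains': True}, or None if absent.
    Directive names are lower-cased; valueless directives map to True."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            directives = {}
            for part in value.split(";"):
                part = part.strip()
                if part:
                    key, _, val = part.partition("=")
                    directives[key.strip().lower()] = val.strip() or True
            return directives
    return None


def evaluate_hsts(directives, min_age=ONE_YEAR, require_subdomains=True):
    """List of findings; an empty list means the header meets the policy."""
    if directives is None:
        return ["Strict-Transport-Security header is missing"]
    findings = []
    age = directives.get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        findings.append("max-age is missing or not an integer")
    elif int(age) < min_age:
        findings.append(f"max-age={age} is below the required {min_age}")
    if require_subdomains and "includesubdomains" not in directives:
        findings.append("includeSubDomains directive is missing")
    return findings


def fetch_headers(host, port, cafile=None):
    """GET / over TLS and return the response headers as 'Name: value' lines.
    Pass the certificate of the CA that signed the OMS or Agent certificate as
    cafile so the check verifies the peer instead of using --insecure."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return "\n".join(f"{k}: {v}" for k, v in resp.getheaders())
    finally:
        conn.close()


# Constructed sample response, shaped like the curl output above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html
"""

if __name__ == "__main__":
    import sys
    # Usage: python hsts_check.py <host> <ssl_port> [cafile]; no args uses the sample.
    if len(sys.argv) > 2:
        raw = fetch_headers(sys.argv[1], int(sys.argv[2]),
                            sys.argv[3] if len(sys.argv) > 3 else None)
    else:
        raw = SAMPLE_RESPONSE
    findings = evaluate_hsts(parse_hsts(raw))
    print("HSTS OK" if not findings else "\n".join(findings))
```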

Configuring the Management Service and Agents to Connect to a Secure Management Repository and Target Databases

Enabling Oracle Advanced Security for the Management Repository

To ensure that your database is secure and that only encrypted data is transferred between your database server and other sources, review the security documentation available for your database version. Go to Oracle Database Documentation, select your database version from the drop-down, and click the Security section to locate the Database Security Guide. Configure your repository database to encrypt data that is sent over a network.

The following instructions provide an example of how your Management Repository database may be configured for communication with the Management Service:

  1. Locate the sqlnet.ora configuration file in the database Oracle Home directory <ORACLE_HOME>/network/admin.
  2. Examine the following entries in the sqlnet.ora file:
    sqlnet.encryption_server
    sqlnet.encryption_types_server
    sqlnet.crypto_checksum_server
    sqlnet.crypto_checksum_types_server

    For example, the sqlnet.ora file entries may look like this:

    sqlnet.encryption_server=ACCEPTED
    sqlnet.encryption_types_server=(AES256)
    sqlnet.crypto_checksum_server=REQUESTED
    sqlnet.crypto_checksum_types_server=(SHA256)

    These parameters indicate whether network data can be encrypted and which data encryption and data integrity algorithms are used.

    Note that the possible values for sqlnet.encryption_server and sqlnet.crypto_checksum_server are: REJECTED, ACCEPTED, REQUESTED, or REQUIRED.

    REJECTED indicates you do not want encryption to be enabled.

    ACCEPTED indicates that encryption is possible if requested by the client.

    REQUESTED indicates that encryption is possible if the client accepts it.

    REQUIRED indicates that encryption must be enabled.

    If any values are set to REJECTED, data encryption is not possible. Any other values depend on the client setup as well.

    Make a note of these values. You will use this information when configuring the OMS.

    Note that in order for the repository database to also be a managed target, you must complete the steps in Enabling Oracle Advanced Security for the OMS to Connect to Target Databases.

Enabling Oracle Advanced Security for the OMS to Connect to the Management Repository

If you have enabled the encryption of data sent over a network for your Management Repository database, then use the following procedure to also enable this for the Oracle Management Service (OMS):

  1. Stop the primary OMS and any other OMS instances, if a multi-OMS system:
    <OMS_ORACLE_HOME>/bin/emctl stop oms -all -force
  2. Based on the values set on the repository side, add the following value(s) to every <GC_INST>/em/EMGC_OMS<n>/emgc.properties file, where <n> is the OMS instance number in a multi-node OMS setup (for example, EMGC_OMS2):
    oracle.sysman.core.conn.enableEncryption=true
    oracle.net.encryption_client=<see table below>
    oracle.net.encryption_types_client=<see table below> 
    oracle.net.crypto_checksum_client=<see table below>
    oracle.net.crypto_checksum_types_client=<see table below>

    The properties that can be set for the OMS are listed below, each with its possible values, its default OMS value, and a description:

    oracle.net.encryption_client
      Possible values: REJECTED, ACCEPTED, REQUESTED, and REQUIRED
      Default OMS value: REQUESTED
      Description: Defines the client/OMS encryption. This parameter must be set to ACCEPTED, REQUESTED or REQUIRED to use secure connections. If it is set to REJECTED, data encryption is not possible.
      If the sqlnet.encryption_server parameter is:
      • ACCEPTED, then set oracle.net.encryption_client to REQUESTED or REQUIRED.
      • REQUESTED or REQUIRED, then set oracle.net.encryption_client to ACCEPTED, REQUESTED or REQUIRED.

    oracle.net.encryption_types_client
      Possible values: a combination of one or more of AES128, AES192, AES256, 3DES168, 3DES112, DES56C, DES40C, RC4_256, RC4_128, RC4_40, and RC4_56
      Default OMS value: (AES256, AES192, AES128, 3DES168, 3DES112, DES56C, DES40C, RC4_256, RC4_128, RC4_40, RC4_56)
      Description: Defines the encryption algorithms the client/OMS supports. Set this parameter to the same type(s) that sqlnet.encryption_types_server is set to in your repository database sqlnet.ora.

    oracle.net.crypto_checksum_client
      Possible values: REJECTED, ACCEPTED, REQUESTED, and REQUIRED
      Default OMS value: REQUESTED
      Description: Defines the client/OMS checksum. This parameter must be set to ACCEPTED, REQUESTED or REQUIRED to use secure connections. If it is set to REJECTED, data encryption is not possible.
      If the sqlnet.crypto_checksum_server parameter is:
      • ACCEPTED, then set oracle.net.crypto_checksum_client to REQUESTED or REQUIRED.
      • REQUESTED or REQUIRED, then set oracle.net.crypto_checksum_client to ACCEPTED, REQUESTED or REQUIRED.

    oracle.net.crypto_checksum_types_client
      Possible values: a combination of one or more of SHA1, SHA256, MD5, SHA384, and SHA512
      Default OMS value: (MD5, SHA1, SHA256)
      Description: Defines the checksum algorithms the client/OMS supports. Set this parameter to the same type(s) that sqlnet.crypto_checksum_types_server is set to in the repository database sqlnet.ora.

    Note: Starting with Oracle Enterprise Manager 13c Release 5 Update 25 (13.5.0.25), the default OMS values are (MD5, SHA1, SHA256). The default values are (MD5, SHA1) for earlier versions.

  3. Restart the OMS:
    <OMS_HOME>/bin/emctl start oms

Note that in order for the repository database to also be a managed target, you must complete the steps in Enabling Oracle Advanced Security for the OMS to Connect to Target Databases.
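The level matrix from the repository sqlnet.ora step and the OMS property table above, applied mechanically, as an added example (not Oracle's code): it parses a constructed repository sqlnet.ora fragment and a constructed OMS emgc.properties fragment, reports whether encryption and integrity will actually be negotiated, and flags algorithm lists that do not overlap. The same matrix applies to the agent connectionEncryptionLevel and connectionChecksumLevel properties in the next section; the LEGACY set and the "ANY" placeholder are this example's own.

```python
"""Oracle Net encryption/integrity negotiation check for the OMS-to-repository
connection (added example, not Oracle's code). The sample fragments at the
bottom are constructed."""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Algorithms the tables list as selectable but which are legacy; flagging them
# is this example's own caveat.
LEGACY = {"DES40C", "DES56C", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "3DES112", "MD5"}

# (service, server level key, client level key, server types key, client types key)
PAIRS = (
    ("encryption",
     "sqlnet.encryption_server", "oracle.net.encryption_client",
     "sqlnet.encryption_types_server", "oracle.net.encryption_types_client"),
    ("checksum",
     "sqlnet.crypto_checksum_server", "oracle.net.crypto_checksum_client",
     "sqlnet.crypto_checksum_types_server", "oracle.net.crypto_checksum_types_client"),
)


def negotiate(server_level, client_level):
    """Outcome of one service for a (server, client) level pair:
    'on' = protection negotiated, 'off' = plaintext, 'fail' = connection refused."""
    s, c = server_level.upper(), client_level.upper()
    if s not in LEVELS or c not in LEVELS:
        raise ValueError(f"unknown level {server_level!r}/{client_level!r}")
    if "REJECTED" in (s, c):
        # REJECTED on either side turns the service off; if the other side
        # insists (REQUIRED), the connection attempt fails instead.
        return "fail" if "REQUIRED" in (s, c) else "off"
    if s == "ACCEPTED" and c == "ACCEPTED":
        return "off"  # both sides merely accept; nobody asks for it
    return "on"


def parse_config(text):
    """Parse key=value lines (sqlnet.ora or emgc.properties). Keys are
    lower-cased for lookup; a parenthesised value becomes an upper-cased list."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        if val.startswith("(") and val.endswith(")"):
            cfg[key.strip().lower()] = [v.strip().upper() for v in val[1:-1].split(",") if v.strip()]
        else:
            cfg[key.strip().lower()] = val.upper()
    return cfg


def check(server, client):
    """Per-service result: level outcome, algorithms both sides list (server
    order), legacy algorithms among them, and whether the service is usable."""
    enabled = client.get("oracle.sysman.core.conn.enableencryption") == "TRUE"
    results = {}
    for svc, skey, ckey, stkey, ctkey in PAIRS:
        s_level = server.get(skey, "ACCEPTED")   # Oracle Net default when unset
        c_level = client.get(ckey, "REQUESTED")  # default OMS value from the table
        outcome = negotiate(s_level, c_level) if enabled else "off"
        s_algs, c_algs = server.get(stkey), client.get(ctkey)
        if s_algs is None or c_algs is None:
            # An unset list means "all supported", so the other side's list wins.
            common = list(c_algs or s_algs or ["ANY"])
        else:
            common = [a for a in s_algs if a in c_algs]
        results[svc] = {
            "server": s_level, "client": c_level, "negotiated": outcome,
            "common": common, "legacy": sorted(a for a in common if a in LEGACY),
            "ok": outcome == "on" and bool(common),
        }
    return results


# Constructed samples: the repository sqlnet.ora shown earlier on the page and an
# OMS emgc.properties whose checksum types do not overlap the server's.
SQLNET_ORA = """
sqlnet.encryption_server=ACCEPTED
sqlnet.encryption_types_server=(AES256)
sqlnet.crypto_checksum_server=REQUESTED
sqlnet.crypto_checksum_types_server=(SHA256)
"""
EMGC_PROPERTIES = """
oracle.sysman.core.conn.enableEncryption=true
oracle.net.encryption_client=REQUESTED
oracle.net.encryption_types_client=(AES256, AES192, AES128)
oracle.net.crypto_checksum_client=ACCEPTED
oracle.net.crypto_checksum_types_client=(MD5, SHA1)
"""

if __name__ == "__main__":
    for svc, r in check(parse_config(SQLNET_ORA), parse_config(EMGC_PROPERTIES)).items():
        print(svc, "OK" if r["ok"] else "PROBLEM", r)
```

With the samples above, encryption is negotiated on AES256 but the checksum service has no algorithm in common (server offers SHA256, client offers MD5 and SHA1), which is exactly the mismatch the tables tell you to avoid.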

Enabling Oracle Advanced Security for Management Agents to Connect to Target Databases

If you have enabled the network encryption of data for your Management Repository database or any target database, you must also enable this for the management agents monitoring these databases.

If a management agent is not specifically configured for certain types of encryption and integrity algorithms, the JDBC default values are honored. See the table below for these default values.

To set different types of encryption and integrity algorithms values, follow these steps:

  1. Set the properties with the agent using the command:
    <AGENT_HOME>/bin/emctl setproperty agent -name <Property Name> -value "<Value>"

    where the property names and values are listed below.

    The properties are listed below, each with its possible values, its default agent value, and a description:

    connectionEncryptionLevel
      Possible values: REJECTED, ACCEPTED, REQUESTED, and REQUIRED
      Default agent value: ACCEPTED
      Description: Defines the client/agent encryption. This parameter must be set to ACCEPTED, REQUESTED or REQUIRED to use secure connections. If it is set to REJECTED, data encryption is not possible.
      If the sqlnet.encryption_server parameter is:
      • ACCEPTED, then set connectionEncryptionLevel to REQUESTED or REQUIRED.
      • REQUESTED or REQUIRED, then set connectionEncryptionLevel to ACCEPTED, REQUESTED or REQUIRED.

    connectionEncryptionType
      Possible values: AES128, AES192, and AES256
      Default agent value: NULL (client and server negotiate)
      Description: Defines the encryption algorithms the client/agent supports. Set this parameter to the same type(s) that sqlnet.encryption_types_server is set to in your repository database sqlnet.ora.
      For example: <AGENT_HOME>/bin/emctl setproperty agent -name connectionEncryptionType -value "AES128,AES192,AES256"

    connectionChecksumLevel
      Possible values: REJECTED, ACCEPTED, REQUESTED, and REQUIRED
      Default agent value: ACCEPTED
      Description: Defines the client/agent checksum. This parameter must be set to ACCEPTED, REQUESTED or REQUIRED to use secure connections. If it is set to REJECTED, data encryption is not possible.
      If the sqlnet.crypto_checksum_server parameter is:
      • ACCEPTED, then set connectionChecksumLevel to REQUESTED or REQUIRED.
      • REQUESTED or REQUIRED, then set connectionChecksumLevel to ACCEPTED, REQUESTED or REQUIRED.

    connectionChecksumType
      Possible values: SHA256, SHA384, and SHA512
      Default agent value: NULL (client and server negotiate)
      Description: Defines the checksum algorithms the client/agent supports. Set this parameter to the same type(s) that sqlnet.crypto_checksum_types_server is set to in the repository database sqlnet.ora.
      For example: <AGENT_HOME>/bin/emctl setproperty agent -name connectionChecksumType -value "SHA256,SHA384,SHA512"

  2. Restart the management agent:

    <AGENT_HOME>/bin/emctl stop agent
    <AGENT_HOME>/bin/emctl start agent

Enabling Oracle Advanced Security for the OMS to Connect to Target Databases

Perform the following steps to enable network data encryption between a target database and the OMS:

  1. Enable network data encryption for the target database. See Enabling Oracle Advanced Security for the Management Repository.
  2. Enable encryption for the OMS:
    1. Set the enableEncryption value for the OMS:
      emctl set property -name oracle.sysman.core.conn.enableEncryption -value TRUE -sysman_pwd <your_sysman_password>
    2. Based on the value set on the repository side, set the different types of checksum algorithms the client supports using this command:
      <OMS_HOME>/bin/emctl set property -name oracle.sysman.core.conn.crypto_checksum_types_client -value "<repository checksum type>"

      Examples:

      If the sqlnet.ora parameter sqlnet.crypto_checksum_types_server=(SHA256), set the OMS value:

      <OMS_HOME>/bin/emctl set property -name oracle.sysman.core.conn.crypto_checksum_types_client -value "SHA256"

      If the sqlnet.ora parameter is set to multiple values such as sqlnet.crypto_checksum_types_server=(SHA256,SHA384,SHA512), set the OMS value:

      <OMS_HOME>/bin/emctl set property -name oracle.sysman.core.conn.crypto_checksum_types_client -value "SHA256,SHA384,SHA512"
    3. Restart the OMS, and any other OMS instances if this is a multi-OMS system:

      <OMS_ORACLE_HOME>/bin/emctl stop oms -all -force
      <OMS_HOME>/bin/emctl start oms
    4. Set these additional OMS properties if the default values are not your required setup, using the following command:

      emctl set property -name <property> -value "<value>"

      The additional security properties that can be set for the OMS are listed in the table below:

      Property: oracle.net.encryption_client
      Possible values: REJECTED, ACCEPTED, REQUESTED, and REQUIRED.
      Default OMS value: REQUESTED

      Description: Defines the client/OMS encryption.

      This parameter must be set to ACCEPTED, REQUESTED or REQUIRED to use secure connections. If it is set to REJECTED, data encryption is not possible.

      If the sqlnet.encryption_server parameter is:

      • ACCEPTED, then set oracle.net.encryption_client to REQUESTED or REQUIRED.
      • REQUESTED or REQUIRED, then set oracle.net.encryption_client to ACCEPTED, REQUESTED or REQUIRED.

      Property: oracle.sysman.core.conn.encryption_types_client
      Possible values: A combination of one or more of the following values: (AES128), (AES192), (AES256), (3DES168), (3DES112), (DES56C), (DES40C), (RC4_256), (RC4_128), (RC4_40), and (RC4_56)
      Default OMS value: (AES256, AES192, AES128, 3DES168, 3DES112, DES56C, DES40C, RC4_256, RC4_128, RC4_40, RC4_56)

      Description: Defines the different types of encryption algorithms the client/OMS supports.

      Set this parameter to the same type(s) the sqlnet.encryption_types_server parameter is set to in your repository database sqlnet.ora.

      Property: oracle.net.crypto_checksum_client
      Possible values: REJECTED, ACCEPTED, REQUESTED, and REQUIRED.
      Default OMS value: REQUESTED

      Description: Defines the client/OMS checksum.

      This parameter must be set to ACCEPTED, REQUESTED or REQUIRED to use secure connections. If it is set to REJECTED, data encryption is not possible.

      If the oracle.net.crypto_checksum_server parameter is:

      • ACCEPTED, then set oracle.net.crypto_checksum_client to REQUESTED or REQUIRED.
      • REQUESTED or REQUIRED, then set oracle.net.crypto_checksum_client to ACCEPTED, REQUESTED or REQUIRED.

      Property: oracle.sysman.core.conn.crypto_checksum_types_client
      Possible values: A combination of one or more of the following values: (SHA1), (SHA256), (MD5), (SHA384), and (SHA512)
      Default OMS value: (MD5, SHA1, SHA256)

      Description: Defines the different types of checksum algorithms the client/OMS supports. Set this parameter to the same type(s) the sqlnet.crypto_checksum_types_server parameter is set to in the repository database sqlnet.ora.

      Note: Starting with Oracle Enterprise Manager 13c Release 5 Update 25 (13.5.0.25), the default OMS values are (MD5, SHA1, SHA256). The default values are (MD5, SHA1) for the earlier versions.
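The two level tables above (agent properties in the previous section, OMS properties here) share one compatibility rule and the same requirement that the client algorithm lists mirror the repository's sqlnet.ora. The script below is an added example, not Oracle code: it reads a constructed sqlnet.ora, checks a server/client level pair, and prints (but does not run) the emctl commands for both the agent and the OMS. The home paths, the sample file contents and the sysman password placeholder are all constructed.

```shell
# Added example, not part of the Oracle documentation: derive the agent and OMS
# client-side properties from a repository sqlnet.ora and check that a
# server/client level pair really negotiates a protected connection.
# All paths, the sample sqlnet.ora and its values are constructed placeholders.

# "ok" if the server level (sqlnet.encryption_server or sqlnet.crypto_checksum_server)
# paired with the client level negotiates encryption/integrity, otherwise "no".
level_pair_secure() {
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z'); c=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    case "$s:$c" in
        REJECTED:*|*:REJECTED) echo no ;;   # one side refuses: never protected
        ACCEPTED:ACCEPTED)     echo no ;;   # both passive: plaintext session
        ACCEPTED:REQUESTED|ACCEPTED:REQUIRED|REQUESTED:ACCEPTED|REQUESTED:REQUESTED|REQUESTED:REQUIRED|REQUIRED:ACCEPTED|REQUIRED:REQUESTED|REQUIRED:REQUIRED) echo ok ;;
        *) echo no ;;                       # unknown keyword: treat as unprotected
    esac
}
# Client level for a given server level, per the tables on this page: a passive
# (ACCEPTED) server needs an active client, so REQUIRED is chosen to fail closed.
client_level_for_server() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        ACCEPTED)           echo REQUIRED ;;
        REQUESTED|REQUIRED) echo ACCEPTED ;;   # the documented default suffices
        *) echo "server level '$1': no protected connection possible" >&2 ;;
    esac
}
# Read one sqlnet.ora parameter; "(SHA256, SHA384)" becomes "SHA256,SHA384",
# the comma-separated form the emctl -value argument expects.
sqlnet_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=//; s/#.*$//' | tr -d '() \t\r'
}
emit_agent() { printf '%s/bin/emctl setproperty agent -name %s -value "%s"\n' "$1" "$2" "$3"; }
emit_oms()   { printf '%s/bin/emctl set property -name %s -value "%s"\n' "$1" "$2" "$3"; }

# $1 sqlnet.ora, $2 home, $3 emitter, $4-$7 property names for encryption level,
# encryption types, checksum level, checksum types. Commands are printed, not run.
commands_for() {
    lvl=$(client_level_for_server "$(sqlnet_param "$1" sqlnet.encryption_server)")
    [ -n "$lvl" ] && "$3" "$2" "$4" "$lvl"
    types=$(sqlnet_param "$1" sqlnet.encryption_types_server)
    [ -n "$types" ] && "$3" "$2" "$5" "$types"
    lvl=$(client_level_for_server "$(sqlnet_param "$1" sqlnet.crypto_checksum_server)")
    [ -n "$lvl" ] && "$3" "$2" "$6" "$lvl"
    types=$(sqlnet_param "$1" sqlnet.crypto_checksum_types_server)
    [ -n "$types" ] && "$3" "$2" "$7" "$types"
    return 0
}
agent_commands_for() {   # review the output, apply it, then restart the agent
    commands_for "$1" "$2" emit_agent connectionEncryptionLevel connectionEncryptionType connectionChecksumLevel connectionChecksumType
}
oms_commands_for() {     # enableEncryption comes first, as in the OMS procedure
    printf '%s/bin/emctl set property -name oracle.sysman.core.conn.enableEncryption -value TRUE -sysman_pwd <your_sysman_password>\n' "$2"
    commands_for "$1" "$2" emit_oms oracle.net.encryption_client oracle.sysman.core.conn.encryption_types_client oracle.net.crypto_checksum_client oracle.sysman.core.conn.crypto_checksum_types_client
}

SAMPLE_SQLNET=$(mktemp)   # constructed repository sqlnet.ora fragment
cat > "$SAMPLE_SQLNET" <<'EOF'
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)   # integrity already enforced server-side
EOF
agent_commands_for "$SAMPLE_SQLNET" /u01/app/agent_home
oms_commands_for   "$SAMPLE_SQLNET" /u01/app/oms_home
```

Because the sample server side is only ACCEPTED for encryption, the generated agent command sets connectionEncryptionLevel to REQUIRED; leaving both sides at ACCEPTED would silently produce a plaintext session.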

Custom Configurations

Configuring Custom Certificates for WebLogic Server

WebLogic Servers installed as part of Enterprise Manager (Administration Server and Managed Servers) are configured with a default identity keystore ( DemoIdentity.jks) and a default trust keystore ( DemoTrust.jks). In addition, WebLogic Server trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment.

The default demo certificate configured for WLS has a key length of 512 bits. If Microsoft's security update for minimum certificate key length (KB2661254) has been applied on the browser machine, the WebLogic Admin Console will not be accessible in Internet Explorer. If you want to access the WebLogic Admin Console using Internet Explorer, configure a custom certificate for WLS.

The following sections step you through configuring custom WebLogic Server certificates:

  1. Create a Java KeyStore or Wallet for each OMS
  2. Import Custom CA Certificates into the Agents Monitoring Trust Store
  3. Configure the Custom Certificate for each WLS
Create a Java KeyStore or Wallet for each OMS

  1. Create a java keystore (JKS) for each OMS in the environment.

    Regardless of whether the OMS is configured with a server load balancer or not, specify the OMS machine name for CN (Example: CN=myoms.example.com) while generating the Certificate Signing Request (CSR). The OMS machine name can be found from the value of EM_INSTANCE_HOST property in <EM_INSTANCE_HOME>/emgc.properties.

    Make a note of the keystore password, private key entry's alias, and private key password of each keystore.

    Note: Use only the signature algorithms supported by WLS.

  2. Copy the keystores to corresponding OMS machines or place them in a location accessible from OMS machines.

    Example: The keystores are /scratch/oms1.jks, /scratch/oms2.jks, /scratch/oms3.jks

  3. Write the CA certificates to individual files (one CA certificate per file). Either copy these certificate files to the OMS machines or place them in a location accessible from the OMS machines.

    Example: The filenames are /scratch/ca1cert.cer, /scratch/ca2cert.cer, /scratch/ca3cert.cer

Import Custom CA Certificates into the Agents Monitoring Trust Store

Execute the following steps on the Management Agents that were installed along with the OMS on the OMS machines.

Note:

Only required on Agents installed along with OMS and not on any other Agents.

  1. Stop the Agent

    <Agent_Instance_Home>/bin/emctl stop agent

  2. Import the custom CA certificate into the Agent:

    <Agent_Instance_Home>/bin/emctl secure add_trust_cert_to_jks
    -trust_certs_loc <ca_cert_file>
    -alias <certalias> [-password <montrust_jks_pwd>]

    Example:

    <Agent_Instance_Home>/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc /scratch/ca1cert.cer
    -alias ca1certalias [-password welcome]

    Repeat this step for each CA involved in issuing the custom certificate.

    Specify a different alias each time.

  3. Start the Agent.

    <Agent_Instance_Home>/bin/emctl start agent

Configure the Custom Certificate for each WLS

Execute the following steps on each OMS:

  1. Stop the OMS.

    <OMS_Home>/bin/emctl stop oms

  2. Run the following command:

    emctl secure wls
    (-jks_loc <loc> -jks_pvtkey_alias <alias> [-jks_pwd <pwd>] [-jks_pvtkey_pwd <pwd>] | -wallet <loc>)

    Specify either jks_loc and jks_pvtkey_alias, or wallet.

    Example:

    <OMS_OH>/bin/emctl secure wls
    -jks_loc /scratch/oms1.jks -jks_pvtkey_alias pvtkey1alias

    <OMS_OH>/bin/emctl secure wls -wallet /scratch/omswallet

  3. Stop the OMS.

    <OMS_Home>/bin/emctl stop oms -all

  4. Start the OMS.

    <OMS_Home>/bin/emctl start oms

    Note:

    The above steps need to be repeated on all the Management Services.

Rolling back the WebLogic Servers to Demonstration Certificate

If you need to switch to using the default WebLogic demonstration certificates, execute the following steps on each OMS.

  1. Stop the OMS.

    <OMS_Home>/bin/emctl stop oms

  2. Run the following command:
    <OMS_Home>/bin/emctl secure wls -use_demo_cert
    
  3. Stop the OMS.

    <OMS_Home>/bin/emctl stop oms -all

  4. Start the OMS.

    <OMS_Home>/bin/emctl start oms

Repeat the above steps on all the Management Services.

Configuring Custom Certificates for OMS Console Access

To configure the third party certificate for HTTPS WebTier Virtual Host:

  1. Create a wallet for each OMS in the Cloud. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.
  2. Run the following command on each OMS and then restart that OMS:
    emctl secure console -wallet <location of custom wallets> -self_signed [-host]

    One of the arguments -wallet or -self_signed is mandatory.

    Only Single-Sign-On (SSO) wallets are supported.

Configuring Custom Certificates for OMS Upload Access

You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:

Method I

  1. Create a wallet for each OMS in the Cloud.

  2. While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.

  3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

  4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.

  5. Import the custom CA certificate(s) as trust certificate(s) for the Agent by running the following command:

    emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>

  6. Restart the Agent.

  7. Secure the OMS and restart it.

    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]

Method 2

  1. Create a wallet for each OMS in the Cloud.
  2. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).
  3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.
  4. Secure the OMS.
    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]

  5. Restart the OMS.
  6. Either re-secure the Agent by running the emctl secure agent command (this must be run on all Agents) or import the trust points by running the emctl secure add_trust_cert command.

    Note:

    The trusted certs file (trusted_certs.txt) must contain only certificates in base64 format and no special characters or comments.

Secure Communication Setup Tools

The following emctl commands are used to secure various components of the Enterprise Manager infrastructure.

emctl secure oms

emctl secure oms [-reg_pwd <registration password>]
        [-host <hostname>] [-ms_hostname <Managed Server hostname>]
        [-slb_port <SLB HTTPS upload port>] [-slb_console_port <SLB HTTPS console port>] [-no_slb]
        [-secure_port <API gateway Port>] [-upload_http_port <API Gateway port>]
        [-reset] [-console] [-force_newca]
        [-lock_upload] [-lock_console] [-unlock_upload] [-unlock_console]
        [-wallet <wallet_loc> -trust_certs_loc <certs_loc>]
        [-key_strength <strength>] [-sign_alg <md5|sha1|sha256|sha384|sha512>]
        [-cert_validity <validity>] [-protocol <protocol>]
        [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>]
        [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>]
Parameters:

reg_pwd

The Management Agent registration password.

host

The host name to be used in the certificate used by the Oracle Management Service. You may need to use the SLB host name if there is an SLB before the Management Service.

reset

A new certificate authority will be created. All the Agents and Oracle Management Services need to be resecured.

secure_port

Specify this to change HTTPS Upload port on WebTier.

upload_http_port

Specify this to change HTTP Upload port on WebTier

slb_port

This parameter is required when Server Load Balancer is used. It specifies the secure upload port configured in the Server Load Balancer.

slb_console_port

This parameter is required when Server Load Balancer is used. It specifies the secure console port configured in the Server Load Balancer.

no_slb

Remove SLB configuration.

root_dc

The domain component used in the root certificate. The default value is com.

root_country

The country to be used in the root certificate. The default value is US.

root_state

The state to be used in the root certificate. The default value is CA.

root_loc

The location to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

root_org

The organization name to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

root_unit

The organizational unit to be used in the root certificate. The default value is EnterpriseManager on <hostname>.

root_email

The email address to be used in the root certificate. The default value is EnterpriseManager@<hostname>.

wallet

This is the location of the wallet containing the third party certificate. This parameter should be specified while configuring third party certificates.

trust_certs_loc

The location of the trusted_certs.txt (required when third party certificates are used).

key_strength

The strength of the key to be used. Valid values are 512, 1024, 2048, and 4096.

Note: For the IBM AIX Platform, the maximum allowed key_strength is 2048 bits.

cert_validity

The number of days for which the self-signed certificate is valid. The valid range is from 1 to 3650.

protocol

This parameter is used to configure Oracle Management Service in TLSv1-only or SSLv3-only or mixed mode (default). Valid values are the allowed values as per Apache's SSLProtocol directive.

Note: The key_strength and cert_validity parameters are applicable only when the -wallet option is not used.

force_newca

If specified, any Agents that are still configured with an older Certificate Authority are ignored.

ms_hostname

Managed Server's hostname.

sign_alg

Signature algorithm.

lock_upload

Locks the Upload

lock_console

Locks the Console

console

If specified, the certificate is recreated for the HTTPS console port as well.

emctl secure agent

Secures the agent against an OMS. The registration password (or password file) must be provided.

emctl secure agent <registration password> [-passwd_file <absolute path to file>]

emctl secure wls

emctl secure wls (-jks_loc <loc> -jks_pvtkey_alias <alias> | -wallet <loc> | -use_demo_cert)
Specify jks_loc,jks_pvtkey_alias or wallet or use_demo_cert
        [-jks_pwd <pwd>] [-jks_pvtkey_pwd <pwd>]
        -jks_loc : Location of JKS containing the custom cert for Admin & Managed Servers
        -jks_pvtkey_alias : JKS's private key alias
        -jks_pwd : JKS's keystore password
        -jks_pvtkey_pwd : JKS's private key password
        -wallet : Location of wallet containing the custom cert for Admin & Managed Servers
        -use_demo_cert: Configure the demo cert for Admin & Managed Servers

emctl status oms -details

emctl status oms -details

Configuring Third Party Certificates

You can configure third party certificates for:

  • HTTPS Console Users

  • HTTPS Upload Virtual Host

Note:

Only Single Sign-On wallets are supported.

Configuring a Third Party Certificate for HTTPS Console Users

To configure the third party certificate for HTTPS WebTier Virtual Host:

  1. Create a wallet for each OMS. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.
  2. Run the following command on each OMS and then restart that OMS:
    emctl secure console -wallet <location of custom wallets> -self_signed [-host]

    Note:

    One of the arguments -wallet or -self_signed is mandatory.

    Note:

    Only single-sign-on wallets are supported.

Configuring Third Party Certificate for HTTPS Upload Virtual Host

You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:

Method I

  1. Create a wallet for each OMS.

  2. While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.

  3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.

  4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.

  5. Run the add_trust_cert command on each Agent and then restart that Agent.

    emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>

  6. Secure the OMS and restart it.

    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]

Method 2

  1. Create a wallet for each OMS in the Cloud.
  2. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).
  3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.
  4. Restart the OMS after it has been secured.
    emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]

  5. Either re-secure the Agent by running the emctl secure agent command (should be run on all Agents) or import the trust points by running the emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file> command. The -trust_certs_loc parameter must contain the path and the filename of the trusted_certs.txt file.

    Note:

    This file must only contain certificates in base64 format and no special characters or empty lines.
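The trusted_certs.txt rules stated in both upload-certificate procedures (base64 certificates only, no special characters, comments or empty lines) are easy to get wrong when the file is assembled by hand from several CA certificates. The function below is an added example, not Oracle code, that checks a candidate file before it is passed to emctl secure oms or emctl secure add_trust_cert; the sample files and their base64 contents are constructed placeholders, not real certificates.

```shell
# Added example, not part of the Oracle documentation: validate a
# trusted_certs.txt against the rules this page states before using it with
# emctl secure oms / emctl secure add_trust_cert. Sample files are constructed.
# Prints the number of certificates and returns 0, or reports the offending
# line on stderr and returns 1.
check_trusted_certs() {
    file=$1; n=0; inside=0; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '-----BEGIN CERTIFICATE-----')
                [ "$inside" -eq 0 ] || { echo "line $n: nested BEGIN" >&2; return 1; }
                inside=1 ;;
            '-----END CERTIFICATE-----')
                [ "$inside" -eq 1 ] || { echo "line $n: END without BEGIN" >&2; return 1; }
                inside=0; count=$((count + 1)) ;;
            '')
                echo "line $n: empty line" >&2; return 1 ;;
            *)
                # outside a certificate nothing is allowed, not even a comment
                [ "$inside" -eq 1 ] || { echo "line $n: text outside a certificate" >&2; return 1; }
                # base64 alphabet plus '=' padding only; a CR, tab or comment fails here
                case "$line" in
                    *[!A-Za-z0-9+/=]*) echo "line $n: non-base64 content" >&2; return 1 ;;
                esac ;;
        esac
    done < "$file"
    [ "$inside" -eq 0 ] || { echo "line $n: unterminated certificate" >&2; return 1; }
    [ "$count" -gt 0 ] || { echo "no certificates found" >&2; return 1; }
    echo "$count"
}

# Constructed samples: the base64 payloads are placeholders, not certificates.
GOOD_CERTS=$(mktemp); COMMENTED_CERTS=$(mktemp); BLANK_LINE_CERTS=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktMTU5P' 'UVJTVFVWV1hZWg==' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'SW50ZXJtZWRpYXRl' \
    '-----END CERTIFICATE-----' > "$GOOD_CERTS"          # root + intermediate: valid
printf '%s\n' '# root CA' '-----BEGIN CERTIFICATE-----' 'QUJD' \
    '-----END CERTIFICATE-----' > "$COMMENTED_CERTS"     # comment line: rejected
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' '' \
    > "$BLANK_LINE_CERTS"                                # trailing empty line: rejected

check_trusted_certs "$GOOD_CERTS" && echo "trusted_certs.txt accepted"
```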