Guidelines for SSL Communication

This section covers the following SSL Guidelines:

  • Ensure TLSv1.2 Protocol is Enabled

  • Leave Communication in Secure-Lock Mode

  • Modify Cipher Configuration if Required

  • Third Party Certificates

  • Oracle Wallets

  • Best Practices for Securing Communication

Ensure TLSv1.2 Protocol is Enabled

Transport Layer Security (TLS) is a cryptographic protocol used to increase security over computer networks by providing communication privacy and data integrity between applications. Although it is technically the successor of SSL, TLS is generically referred to as SSL. TLSv1.2 is enabled by default.

In the case of Enterprise Manager, these secure communication channels are between various components of the Enterprise Manager framework. The TLSv1.2 protocol is supported on the infrastructure communication channels including:

  • Oracle Management Services to 13c Agent

  • 13c Agent to Agent

  • EMCLI to Oracle Management Services

  • Browser to Admin Server/Managed Server Console

  • Oracle Management Services to Server Load Balancer

  • 13c Agent to Always-On Monitoring Application

  • Oracle Management Services to My Oracle Support

  • 13c Agent to Fusion Middleware Target

  • Oracle Management Services to Fusion Middleware Target

Enabling Oracle Management Service to Database Communication on TLS1.2

You can also configure TLSv1.2 communication channels between the OMS and target databases, which include the Enterprise Manager Management Repository.

Enabling Always-On Monitoring Communication on TLS1.2

The Always-On Monitoring application provides the ability to monitor critical target status and metric alerts when the Oracle Management Service is unavailable. The service continuously monitors critical targets through the Enterprise Manager Agent and can be easily configured to send email notifications for these events to administrators. For information on configuring TLSv1.2 for communication between the Always-On Monitoring (AOM) application and AOM Repository, and between the AOM application and Enterprise Manager Repository, refer to Configuring the Always-On Monitoring Application for Secure Communication Using the TLSv1.2 Protocol in the Enterprise Manager Administrator’s Guide.

Locking Down the Oracle Management Service to Use the TLSv1.2 Protocol Only

In order to restrict Oracle Management Services communication to use the TLSv1.2 protocol only:

  1. Stop the Oracle Management Services. From the command line, run the following:

    <OMS_ORACLE_HOME>/bin/emctl stop oms

  2. Set the OMS communication protocol: From the command line, run the following:

    <OMS_ORACLE_HOME>/bin/emctl secure oms -protocol TLSv1.2

  3. Enter the following command to restart the OMS:

    $ emctl start oms

Enabling TLS in Mixed Version Environments

If you are installing Enterprise Manager for the very first time, all of the aforementioned communication channels will use TLSv1.2 by default. If you have an existing Enterprise Manager deployment and you want to enable TLS, you need to be aware that older Agents do not support TLSv1.2.

If there are 12c Agents in the environment which are not yet upgraded to 13c, the communication between the Agent and Oracle Management Service will default to SSL. To configure a 12c Agent to support only TLS v1.0 protocol while the Agent listens as a server, edit the Agent properties in the Enterprise Manager console or run emctl setproperty at the command line. For example:

$ emctl setproperty agent -name allowTLSOnly -value true

To edit multiple Agents simultaneously, from the Setup menu, choose Manage and then Agents. From the list, select the Agents you want to modify and then click Properties. This will create a job definition where you specify the Agent property that needs to be changed. On the Parameters page, set the minimumTLSVersion property to TLSv1.2. The change will be applied to all selected Agents.

Once the changes have been made, you must bounce the Management Agent(s) in order for the changes to take effect.

Leave Communication in Secure-Lock Mode

Secure and Lock the OMS and Agents

The Oracle Management Service and Oracle Management Agents can run in non-secure (HTTP) or secure (HTTPS) modes. The recommendation is to always use secure mode, hence the default installation will automatically secure-lock the OMS. The secure-lock mode takes security one step further by requiring that agents communicate only through the HTTPS port (the HTTP port is locked). This ensures that the OMS-Agent communication is always encrypted and mutually authenticated. All requests from un-secure agents are rejected by the OMS. Similarly, any un-secure request from the OMS is rejected by the agent. This helps safeguard the management system from any malicious 'man-in-the-middle' attack launched from within the infrastructure.

If your installation was done before Oracle Enterprise Manager 10g Release 5, you may be required to secure-lock your OMS manually. In the case of upgrades, if the pre-upgrade environment is secured, the upgrade retains the secure mode but does not secure-lock the OMS. If the pre-upgrade environment is already secure-locked, the upgrade retains the secure-lock mode between OMS and Agent.

To check the secure status of the OMS and secure-lock the communication between the OMS and agents, run the following commands and then restart the OMS:

$ emctl status oms -details
Oracle Enterprise Manager 24ai Release 1 
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved. 
Enter Enterprise Manager Root (SYSMAN) Password : 
Console Server Host : test01.example.com 
HTTP Console Port : 7790 
HTTPS Console Port : 7803 
HTTP Upload Port : 4890 
HTTPS Upload Port : 4904 
OMS is not configured with SLB or virtual hostname 
Agent Upload is locked. 
OMS Console is locked. 
Active CA ID: 1 
Console URL: https://test01.example.com:7803/em 
Upload URL: https://test01.example.com:4904/empbs/upload 
…

$ emctl secure lock -upload
Oracle Enterprise Manager 24ai Release 1 
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved. 
Enter Enterprise Manager Root (SYSMAN) Password : 
Agent Upload is locked. Agents must be secure and upload over HTTPS port. Restart OMS.

Note that once the OMSs are running in secure-lock mode, unsecure agents will not be able to upload any data to the OMSs. To check the status of the agent and secure it, issue the following commands; you will be prompted for the registration password:

$ emctl status agent -secure
Oracle Enterprise Manager 24ai Release 1 
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved. 
Checking the security status of the Agent at location set in <AGENT_LOCATION>/em12/agent/agent_inst/sysman/config/emd.properties... Done. 
Agent is secure at HTTPS Port 3872. 
Checking the security status of the OMS at https://test01.example.com:4904/empbs/upload/... Done. 
OMS is secure on HTTPS Port 4904

$ emctl secure agent 
Oracle Enterprise Manager 24ai Release 1 
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved. 
Agent successfully stopped... Done. 
Securing agent... Started. 
Enter Agent Registration Password : 
Agent successfully restarted... Done. 
EMD gensudoprops completed successfully 
Securing agent... Successful.

To ensure that console access from the client browser is secure over SSL/TLS, the console must be locked as well. From Oracle Enterprise Manager 10g Release 5 onward, installations are secure-locked by default. In the case of upgrades, if the pre-upgrade environment is not secure-locked, after the upgrade you need to run the following command to secure-lock the console access:

$ emctl secure lock -console
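The status output shown above is the evidence a practitioner checks after locking the upload and console ports. The following Python example, added here and not part of this guide or of Enterprise Manager, parses the text printed by emctl status oms -details and reports anything that is not secure-locked. The sample output is constructed from the lines shown above (host name and ports are illustrative), and the example assumes that an end point which is not locked simply does not print its "is locked." line; parse_oms_status and secure_lock_findings are the example's own function names.

```python
import re

# Constructed sample of "emctl status oms -details" output, modelled on the
# lines shown in this guide; host name and port numbers are illustrative.
SAMPLE_OMS_STATUS = """\
Oracle Enterprise Manager 24ai Release 1
Copyright (c) 1996, 2024 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
Console Server Host : test01.example.com
HTTP Console Port : 7790
HTTPS Console Port : 7803
HTTP Upload Port : 4890
HTTPS Upload Port : 4904
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
Console URL: https://test01.example.com:7803/em
Upload URL: https://test01.example.com:4904/empbs/upload
"""

# Constructed variant in which the upload port has not been locked. Assumption:
# an end point that is not locked simply does not print its "is locked." line.
SAMPLE_UPLOAD_UNLOCKED = SAMPLE_OMS_STATUS.replace("Agent Upload is locked.\n", "")

URL_RE = re.compile(r"^(Console|Upload) URL:\s*(\S+)$")
PORT_RE = re.compile(r"^(HTTP|HTTPS) (Console|Upload) Port\s*:\s*(\d+)$")


def parse_oms_status(text):
    """Pull the lock flags, published URLs and listener ports out of the status text."""
    info = {"upload_locked": False, "console_locked": False, "urls": {}, "ports": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Agent Upload is locked.":
            info["upload_locked"] = True
        elif line == "OMS Console is locked.":
            info["console_locked"] = True
        m = URL_RE.match(line)
        if m:
            info["urls"][m.group(1).lower()] = m.group(2)
        m = PORT_RE.match(line)
        if m:
            info["ports"][(m.group(1), m.group(2).lower())] = int(m.group(3))
    return info


def secure_lock_findings(text):
    """Return a list of findings; an empty list means both end points are
    secure-locked and the URLs handed to agents and browsers are HTTPS."""
    info = parse_oms_status(text)
    findings = []
    if not info["upload_locked"]:
        findings.append("agent upload is not locked: run 'emctl secure lock -upload' and restart the OMS")
    if not info["console_locked"]:
        findings.append("console is not locked: run 'emctl secure lock -console' and restart the OMS")
    for name, url in info["urls"].items():
        if not url.lower().startswith("https://"):
            findings.append(f"{name} URL is not HTTPS: {url}")
    for name in ("console", "upload"):
        if ("HTTPS", name) not in info["ports"]:
            findings.append(f"no HTTPS {name} port reported")
    return findings


if __name__ == "__main__":
    for label, sample in (("locked", SAMPLE_OMS_STATUS), ("upload unlocked", SAMPLE_UPLOAD_UNLOCKED)):
        print(label, "->", secure_lock_findings(sample) or ["OK"])
```

In practice the text would come from running the command on each OMS host (for example by piping its output into this script) and the findings list would feed a configuration-compliance check; a non-empty list after an upgrade is the signal that the secure-lock step was not retained.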

Modify Cipher Configuration if Required

A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. Cipher suites protect the integrity of a communication. For example, the cipher suite called SSL_RSA_WITH_AES_128_CBC_SHA uses RSA for key exchange, AES with a 128-bit key in CBC mode for bulk encryption, and SHA for integrity protection.

In Enterprise Manager, ciphers are configured for the following end points:

  • Oracle Management Services (OMS) Console end point

  • OMS Upload end point

  • Agent end point

  • WebLogic end point

Ciphers Supported for OMS Console and Upload End Points

The ciphers supported for the OMS Console and Upload end points depend on the ciphers supported and exposed by Oracle HTTP Server (OHS), the web server front-ending the OMS. The ciphers supported by OHS are listed in Table 1: Cipher Suites Supported in the OMS Console and Upload End Points.

A subset of the OHS-supported ciphers is set as the default in the configuration files within the EMGC_DOMAIN home and is used for the OMS Console and Upload end points. Table 1 also shows which of the OHS-supported ciphers are enabled by default for each end point.

In order to modify the default cipher suites for the OMS Console end point, edit the SSLCipherSuite property in the following ssl.conf file, adding or removing entries from the list of OHS-supported ciphers.

For a typical multi-OMS scenario:

  1. Modify the following file on the primary OMS server:

    <WEBTIER_INSTANCE_HOME>/user_projects/domains/EMGC_DOMAIN/config/fmwconfig/components/OHS/ohs1/ssl.conf

  2. Modify the following file on each of the additional OMS servers:

    <WEBTIER_INSTANCE_HOME>/user_projects/domains/EMGC_DOMAIN/config/fmwconfig/components/OHS/instance/ohs1/ssl.conf.emctl_secure

In order to modify the default cipher suites for the Upload end point, edit the SSLCipherSuite property in the following httpd_em.conf file, adding or removing entries from the list of OHS-supported ciphers.

For a typical multi-OMS scenario,

  1. Modify the following file on primary OMS server:

    <WEBTIER_INSTANCE_HOME>/user_projects/domains/EMGC_DOMAIN/config/fmwconfig/components/OHS/ohs1/moduleconf/httpd_em.conf

  2. Modify the following file on each additional OMS server:

    <WEBTIER_INSTANCE_HOME>/user_projects/domains/EMGC_DOMAIN/config/fmwconfig/components/OHS/instance/ohs1/moduleconf/httpd_em.conf.emctl_secure

Any modification of cipher suites for the OMS Console and Upload end points requires a restart of the OMS, including the Admin server.

Table 1: Cipher Suites Supported in the OMS Console and Upload End Points

  OHS Supported Cipher Suites       OMS Default: Console   OMS Default: Upload
  SSL_RSA_WITH_AES_128_CBC_SHA      No                     Yes
  RSA_WITH_AES_128_CBC_SHA256       No                     Yes
  SSL_RSA_WITH_AES_256_CBC_SHA      No                     Yes
  RSA_WITH_AES_256_CBC_SHA256       No                     Yes
  ECDHE_RSA_WITH_AES_128_CBC_SHA    No                     Yes
  ECDHE_RSA_WITH_AES_256_CBC_SHA    No                     Yes
  RSA_WITH_AES_128_GCM_SHA256       No                     Yes
  RSA_WITH_AES_256_GCM_SHA384       No                     Yes

Ciphers Supported for Agent End Points

The ciphers supported for the Agent EMD_URL end point (provided they are enabled in the Agent's JDK) are listed in Table 2. A subset of these supported ciphers is set as the default on the agent end point; the table also shows which ciphers are enabled by default.

In order to override the default cipher suites used by the agent, edit the SSLCipherSuites property in emd.properties to include the ciphers from the list of supported ones. Optionally, you can use the setproperty command as follows:

$ emctl setproperty agent -name SSLCipherSuites -value <values>

Table 2: Cipher Suites Supported in the Agent End Point

  Supported Cipher Suites             Agent Default
  RSA_WITH_AES_128_CBC_SHA            Yes
  RSA_WITH_AES_128_CBC_SHA256         Yes
  RSA_WITH_AES_256_CBC_SHA            No
  RSA_WITH_AES_256_CBC_SHA256         Yes
  ECDHE_RSA_WITH_AES_128_CBC_SHA      No
  ECDHE_RSA_WITH_AES_128_CBC_SHA256   Yes
  ECDHE_RSA_WITH_AES_256_CBC_SHA      No
  ECDHE_RSA_WITH_AES_256_CBC_SHA384   Yes
  DHE_RSA_WITH_AES_128_CBC_SHA        No
  DHE_RSA_WITH_AES_128_CBC_SHA256     Yes
  DHE_RSA_WITH_AES_256_CBC_SHA        No
  DHE_RSA_WITH_AES_256_CBC_SHA256     Yes

Notes:
  • AES_256 ciphers will only work if the Agent JKS has the unlimited strength policy files corresponding to the Agent Java version currently installed on the system. For instance, for 13.2 Agents running Java 7, download the unlimited strength policy file from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html. Unzip it and copy local_policy.jar and US_export_policy.jar into <agent_base_directory>/agent_13.2.0.0.0/oracle_common/jdk/jre/lib/security.

  • All cipher suites using SHA256 & above will only work for TLS1.2. See Ensure TLSv1.2 Protocol is Enabled for information on making sure the end point is configured on TLS1.2.

  • For an SSL handshake to succeed on a particular cipher suite, that suite must be enabled on both the client and the server. For example, if the communication from the agent to the OMS server should use the 'ECDHE_RSA_WITH_AES_128_CBC_SHA' cipher suite, then this cipher suite must be configured on both the agent (client) and the OMS Upload end point (server).
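The two tables above and the notes that follow them describe three constraints on a working agent-to-OMS cipher configuration: a suite must appear in both supported lists and be enabled on both ends, SHA256/SHA384 suites only work on TLSv1.2, and AES_256 suites need the unlimited strength policy files on the agent JDK. The following Python example, added here and not part of this guide or of Enterprise Manager, encodes the tables as printed above and checks a proposed agent SSLCipherSuites value against a proposed OMS Upload SSLCipherSuite value, applying all three constraints. It assumes that the OHS spelling SSL_RSA_WITH_AES_128_CBC_SHA and the agent spelling RSA_WITH_AES_128_CBC_SHA name the same suite (the SSL_/TLS_ prefix is stripped before comparing) and that both property values are comma-separated lists; check_agent_to_upload, canonical, default_agent_suites, default_upload_suites and setproperty_command are the example's own names.

```python
# Cipher suite tables as listed in this guide. Keys are the names as the
# guide prints them; values record whether the suite is enabled by default.
OHS_UPLOAD_SUPPORTED = {
    "SSL_RSA_WITH_AES_128_CBC_SHA": True,
    "RSA_WITH_AES_128_CBC_SHA256": True,
    "SSL_RSA_WITH_AES_256_CBC_SHA": True,
    "RSA_WITH_AES_256_CBC_SHA256": True,
    "ECDHE_RSA_WITH_AES_128_CBC_SHA": True,
    "ECDHE_RSA_WITH_AES_256_CBC_SHA": True,
    "RSA_WITH_AES_128_GCM_SHA256": True,
    "RSA_WITH_AES_256_GCM_SHA384": True,
}
AGENT_SUPPORTED = {
    "RSA_WITH_AES_128_CBC_SHA": True,
    "RSA_WITH_AES_128_CBC_SHA256": True,
    "RSA_WITH_AES_256_CBC_SHA": False,
    "RSA_WITH_AES_256_CBC_SHA256": True,
    "ECDHE_RSA_WITH_AES_128_CBC_SHA": False,
    "ECDHE_RSA_WITH_AES_128_CBC_SHA256": True,
    "ECDHE_RSA_WITH_AES_256_CBC_SHA": False,
    "ECDHE_RSA_WITH_AES_256_CBC_SHA384": True,
    "DHE_RSA_WITH_AES_128_CBC_SHA": False,
    "DHE_RSA_WITH_AES_128_CBC_SHA256": True,
    "DHE_RSA_WITH_AES_256_CBC_SHA": False,
    "DHE_RSA_WITH_AES_256_CBC_SHA256": True,
}


def canonical(suite):
    """Strip the SSL_/TLS_ naming prefix so the OHS and agent spellings of one
    suite compare equal (assumption: SSL_RSA_WITH_AES_128_CBC_SHA on OHS is
    the same suite as RSA_WITH_AES_128_CBC_SHA on the agent)."""
    for prefix in ("SSL_", "TLS_"):
        if suite.startswith(prefix):
            return suite[len(prefix):]
    return suite


def needs_tls12(suite):
    # Guide note: suites using SHA256 and above only work on TLSv1.2.
    return suite.endswith(("_SHA256", "_SHA384"))


def needs_unlimited_policy(suite):
    # Guide note: AES_256 suites need the unlimited strength policy files on the agent JDK.
    return "_AES_256_" in suite


def default_agent_suites():
    return [s for s, enabled in AGENT_SUPPORTED.items() if enabled]


def default_upload_suites():
    return [s for s, enabled in OHS_UPLOAD_SUPPORTED.items() if enabled]


def check_agent_to_upload(agent_suites, upload_suites, tls12_enabled=True, unlimited_policy=False):
    """Return (usable, findings): the suites an agent-to-OMS Upload handshake
    can actually negotiate, plus a list of problems with the proposed lists."""
    findings = []
    for s in agent_suites:
        if s not in AGENT_SUPPORTED:
            findings.append(f"{s}: not in the agent's supported list")
    for s in upload_suites:
        if s not in OHS_UPLOAD_SUPPORTED:
            findings.append(f"{s}: not in the OHS supported list")
    upload_canon = {canonical(s) for s in upload_suites}
    common = [s for s in agent_suites if canonical(s) in upload_canon]
    if not common:
        findings.append("no cipher suite is enabled on both the agent and the OMS Upload end point; the handshake cannot succeed")
    usable = []
    for s in common:
        if needs_tls12(s) and not tls12_enabled:
            findings.append(f"{s}: requires TLSv1.2, which is not enabled on both ends")
        elif needs_unlimited_policy(s) and not unlimited_policy:
            findings.append(f"{s}: requires the unlimited strength policy files on the agent JDK")
        else:
            usable.append(s)
    if common and not usable:
        findings.append("every common suite is blocked by a TLS version or JDK policy constraint")
    return usable, findings


def setproperty_command(suites):
    # Assumption: the SSLCipherSuites value is a comma-separated list (example syntax, not from the guide).
    return "emctl setproperty agent -name SSLCipherSuites -value " + ",".join(suites)


if __name__ == "__main__":
    usable, findings = check_agent_to_upload(default_agent_suites(), default_upload_suites())
    print("negotiable with defaults:", usable)
    for f in findings:
        print("finding:", f)
    print(setproperty_command(usable))
```

Run against the two default lists, the check shows that only three suites are common to both ends and that one of them (RSA_WITH_AES_256_CBC_SHA256) is unusable until the policy files are installed; narrowing the agent list to a suite the OMS Upload end point does not enable, such as DHE_RSA_WITH_AES_128_CBC_SHA256, produces the "handshake cannot succeed" finding that explains a failing agent upload.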

Ciphers Supported for WebLogic End Points

WebLogic end point uses the ciphers provided by the underlying JDK by default. In order to change the default ciphers, refer to the official guide on Fusion Middleware Administering Security for Oracle WebLogic Server 12.1.3.

Third Party Certificates

Use a certificate from a well-known Certificate Authority (CA) to secure OMS-Agent communication and console access, so that you can take advantage of widely trusted certificates with the expiry and key size you choose.

Oracle Wallets

Oracle has introduced the concept of a wallet, which is a password-protected container used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by SSL.

To secure the console using a custom certificate authority, you need to create a wallet location and secure the console against that wallet location. For more information on creating a wallet, see the Oracle Fusion Middleware Administrator's Guide.

Creating an Oracle Wallet

The following example shows you how to create and add a certificate to an Oracle wallet.

  1. Create the wallet container:

    Note:

    Currently, only single sign-on (SSO) wallets are supported.

    $ /u01/app/oracle/middleware/oracle_common/bin/orapki wallet create -wallet /home/oracle/labs/mywallet -auto_login_only
    
  2. Add a certificate to the wallet: When creating the wallet you must specify the Common Name (CN) as the hostname of the machine where the OMS is installed or the SLB name, if the OMS is behind an SLB. In this example, the OMS is behind an SLB, test.example.com.
    $ /u01/app/oracle/middleware/oracle_common/bin/orapki wallet add -wallet /home/oracle/labs/mywallet -dn 'CN=test.example.com, OU=Oracle, O=Oracle University, L=Boise, ST=ID, C=US' -keysize 2048 -self_signed -validity 3650 -auto_login_only
    
  3. Set the required environment variables for the existing WebLogic domain. They must be set before using orapki:
    $ . setDomainEnv.sh
    
  4. View the certificates in the wallet:
    $ /u01/app/oracle/middleware/oracle_common/bin/orapki wallet display -wallet /home/oracle/labs/mywallet
    

Best Practices for Securing Communication

Here is a summary of the best practices for securing communication:

• Enable ICMP for ping check validation

• Configure firewalls as appropriate in your environment

• Secure and lock the OMS and Agents

• Configure strong cipher suites for the OMS and Agent

• Secure upload and console virtual HTTPS hosts with third party certificates