Oracle Enterprise Manager FIPS140-2 Settings

Starting with 13c Release 5 Update 21, Oracle Enterprise Manager can run compliant with the Federal Information Processing Standard Publication 140-2 (FIPS 140-2). Follow the steps in the sections below to ensure that all EM components run in FIPS mode:

Prerequisites:

As a prerequisite, ensure that you have installed the latest OMS patch. For detailed instructions, see MOS Doc ID 2776765.1.

Oracle HTTP Server in FIPS Mode

  1. Secure OMS with AES encrypted wallet

    All wallets must be AES encrypted (orapki from release 12.1 encrypts ewallet.p12 using AES; see MOS Doc ID 2198551.1) and use a 2048-bit key.

    WebLogic in FIPS mode only allows agent certificates with a 2048-bit key to be generated. Agent certificates are created with the same key size as the OMS CA certificate. Follow the steps below to create a new OMS CA certificate with a 2048-bit key and re-secure all agents:

    1. Check whether the OMS CA certificate key is at least 2048 bits:

      <OMS_HOME>/bin/emcli login -username=sysman
      <OMS_HOME>/bin/emcli sync
      <OMS_HOME>/bin/emcli get_ca_info

      Sample output:

      Info about CA with ID: 1
      CA is not configured
      Signature algorithm : sha512
      Key strength : 1024
      DN: CN=example.com,C=US,ST=CA,L=EnterpriseManager on example.com,OU=EnterpriseManager on example.com,O=EnterpriseManager on example.com
      Serial# : -4357905706800919315
      Valid From: Tue Apr 14 07:43:33 PDT 2020
      Valid Till: Sat Apr 13 07:43:33 PDT 2030
      Number of Agents registered with CA ID CA ID 1 is 1

      If the OMS CA certificate key is shorter than 2048 bits, create a new OMS CA by following the instructions in step 4 below.

    2. Create OMS wallets:

      If the OMS is already secured with a third-party certificate (with a 2048-bit key size), the new AES wallet can be converted or created with the same private key and certificate.

      • To convert a wallet to AES:
        orapki wallet convert -wallet <wallet_path> -compat_v12 -pwd <wallet_password>

      If the certificate key size is 1024 bits, create a new wallet for the OMS console:

      • From the OMS console, go to OMS upload, and with WebLogic use the orapki tool with the -compat_v12 option

      Note:

      For more information on configuring the OMS with SSL certificates, see Doc ID 2202569.1.
    3. If the wallet is newly created, add the Root CA certificate to the trust store:

      <OMS_HOME>/bin/emctl secure oms -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

      If you have SLB configured, run this command instead:

      <OMS_HOME>/bin/emctl secure oms -host <SLB hostname> -secure_port <port> -slb_port <port> -slb_console_port <port> -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

      Note:

      Do not bounce the OMS until you have completed the steps below.
    4. If the key strength of the OMS CA certificate is less than 2048 bits (see step 1), create a new CA:

      <OMS_HOME>/bin/emctl secure createca -key_strength 2048

      Sample output:

      Oracle Enterprise Manager 24ai Release 1
      Copyright (c) 1996, 2024 Oracle Corporation.  All rights reserved.

      Creating CA... Started.
      Enter Enterprise Manager Root (SYSMAN) Password :
      Successfully created CA with ID 2
    5. Secure all agents

      Secure all agents irrespective of whether the OMS wallet was newly created, because the OMS CA has been regenerated with a 2048-bit key.

      Using the emcli secure_agents verb, you can also secure multiple agents together:

      <OMS_HOME>/bin/emcli secure_agents
              [-agt_names="agt1;agt2;..."] [-agt_names_file="<file>"]
    6. Secure OMS with AES encryption

      <OMS_HOME>/bin/emctl secure oms -wallet $WALLET_BASE/em_cert -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

      If you have SLB configured, run this command instead:

      <OMS_HOME>/bin/emctl secure oms -host <SLB hostname> -wallet $WALLET_BASE/slb_cert -secure_port <port> -slb_port <port> -slb_console_port <port> -trust_certs_loc $WALLET_BASE/rootCA/cert.pem
    7. Secure OMS Console with AES encryption

      <OMS_HOME>/bin/emctl secure console -wallet $WALLET_BASE/em_cert

      If you have SLB configured, run this command instead:

      <OMS_HOME>/bin/emctl secure console -wallet $WALLET_BASE/slb_cert -host <SLB HostName>
    8. Secure WebLogic with the AES encrypted wallet

      <OMS_HOME>/bin/emctl secure wls -wallet $WALLET_BASE/em_cert
    9. Repeat steps 7 and 8 on all OMS instances

    10. Restart the OMS

      Restart the primary OMS first, then the secondary ones, one at a time:

      emctl stop oms -all
      emctl start oms
  2. Enable FIPS mode flag

    Add SSLFIPS ON inside <IfModule ossl_module> in the following files:

    Note:

    Do not add SSLFIPS ON inside a <VirtualHost> block.

    In primary OMS:

    $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/ssl.conf
    $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/ssl.conf

    In each additional OMS (replace ohs2 with the appropriate OHS instance name):

    $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs2/ssl.conf
    $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs2/ssl.conf.emctl_secure (if exists)

    Example:

    Go to:

     $INSTANCE_HOME/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/ssl.conf

    Update the ssl.conf file as below:

    # Some MIME-types for downloading Certificates and CRLs
    SSLFIPS ON
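The following script is an added example, not part of Oracle's documentation or tooling: two read-only checks to run before the OMS is bounced. ca_needs_regeneration applies the step 1 rule (a CA key below 2048 bits means a new CA is needed) to captured emcli get_ca_info output, and check_sslfips audits an ssl.conf to confirm that SSLFIPS ON is active inside <IfModule ossl_module> and not inside <VirtualHost>; it also reports the directive being left on the end of the MIME-types comment line, where OHS would ignore it. All function names, the sample get_ca_info output and the ssl.conf fragments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Oracle page): two read-only checks for the
# OHS steps above, meant to run before the OMS is bounced. Function names,
# sample get_ca_info output and ssl.conf fragments are constructed.

# --- step 1: CA key strength ---

# ca_key_strength OUTPUT: print the number after "Key strength :" in
# captured `emcli get_ca_info` output (empty if the field is absent)
ca_key_strength() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Key strength[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# ca_needs_regeneration OUTPUT: true when the key is shorter than the
# 2048 bits WebLogic in FIPS mode requires, or when the field is missing
ca_needs_regeneration() {
    strength=$(ca_key_strength "$1")
    if [ -z "$strength" ]; then
        echo "WARN: no 'Key strength' line found; treating CA as non-compliant" >&2
        return 0
    fi
    [ "$strength" -lt 2048 ]
}

# --- step 2: SSLFIPS ON placement ---

# check_sslfips FILE: exit 0 only if exactly one active SSLFIPS ON sits inside
# <IfModule ossl_module> and outside every <VirtualHost>; an occurrence on a
# comment line is reported but not counted, since OHS never sees it
check_sslfips() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ {
            if (line ~ /SSLFIPS[ \t]+ON/) commented++
            next
        }
        tolower(line) ~ /^<ifmodule[ \t]+ossl_module>/ { in_mod = 1 }
        tolower(line) ~ /^<\/ifmodule>/                { in_mod = 0 }
        tolower(line) ~ /^<virtualhost/                { in_vh = 1 }
        tolower(line) ~ /^<\/virtualhost>/             { in_vh = 0 }
        toupper(line) ~ /^SSLFIPS[ \t]+ON/ {
            if (in_vh) bad++
            else if (in_mod) good++
            else outside++
        }
        END {
            if (commented) printf "WARN: SSLFIPS ON only on a comment line (%d)\n", commented
            if (bad)       printf "FAIL: SSLFIPS ON inside <VirtualHost> (%d)\n", bad
            if (outside)   printf "FAIL: SSLFIPS ON outside <IfModule ossl_module> (%d)\n", outside
            if (good > 1)  printf "FAIL: SSLFIPS ON repeated (%d)\n", good
            if (good == 1 && !bad && !outside) { print "OK: SSLFIPS ON active in <IfModule ossl_module>"; exit 0 }
            if (!good && !bad && !outside) print "FAIL: no active SSLFIPS ON directive"
            exit 1
        }' "$1"
}

# constructed get_ca_info output, modelled on the page's sample (1024-bit key)
CA_INFO_WEAK='Info about CA with ID: 1
Signature algorithm : sha512
Key strength : 1024
Number of Agents registered with CA ID 1 is 1'
CA_INFO_OK='Info about CA with ID: 2
Signature algorithm : sha512
Key strength : 2048'

# constructed ssl.conf fragments: correct placement, inside <VirtualHost>,
# and the directive swallowed by the preceding comment line
TMP=${TMPDIR:-/tmp}/sslfips_demo.$$
mkdir -p "$TMP"
cat > "$TMP/good.conf" <<'EOF'
<IfModule ossl_module>
   # Some MIME-types for downloading Certificates and CRLs
   SSLFIPS ON
   <VirtualHost *:4443>
      SSLEngine on
   </VirtualHost>
</IfModule>
EOF
cat > "$TMP/vhost.conf" <<'EOF'
<IfModule ossl_module>
   <VirtualHost *:4443>
      SSLEngine on
      SSLFIPS ON
   </VirtualHost>
</IfModule>
EOF
cat > "$TMP/comment.conf" <<'EOF'
<IfModule ossl_module>
   # Some MIME-types for downloading Certificates and CRLs SSLFIPS ON
   <VirtualHost *:4443>
      SSLEngine on
   </VirtualHost>
</IfModule>
EOF

for ca in "$CA_INFO_WEAK" "$CA_INFO_OK"; do
    if ca_needs_regeneration "$ca"; then
        echo "CA key $(ca_key_strength "$ca") bits: run 'emctl secure createca -key_strength 2048'"
    else
        echo "CA key $(ca_key_strength "$ca") bits: no new CA needed"
    fi
done
for f in good vhost comment; do printf '%s.conf: ' "$f"; check_sslfips "$TMP/$f.conf" || :; done
# Real use: ca_needs_regeneration "$(<OMS_HOME>/bin/emcli get_ca_info)"
#           check_sslfips $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/ssl.conf
```

Run check_sslfips against every ssl.conf (and ssl.conf.emctl_secure) listed above on each OMS; a single OK line per file is the expected result.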

EM Repository Database in FIPS Mode

  1. Transparent Data Encryption (TDE) and DBMS_CRYPTO PL/SQL package program units
    1. Configure:

      To configure Transparent Data Encryption and the DBMS_CRYPTO PL/SQL package program units to run in FIPS mode, set the DBFIPS_140 initialization parameter to TRUE.

      sqlplus / as sysdba

      SQL> SELECT name,value FROM SYS.V$PARAMETER WHERE NAME = 'DBFIPS_140';
      DBFIPS_140
      FALSE

      SQL> ALTER SYSTEM SET DBFIPS_140 = TRUE SCOPE=SPFILE;
      SQL> shutdown immediate
      SQL> startup

      SQL> SELECT name,value FROM SYS.V$PARAMETER WHERE NAME = 'DBFIPS_140';
      DBFIPS_140
      TRUE

      SQL> exit
    2. Test

      select DBMS_CRYPTO.hash(UTL_RAW.CAST_TO_RAW('TestString'), 2) from dual;

      The second parameter selects the hash algorithm (DBMS_CRYPTO constants):

      HASH_MD4   (128-bit hash)   1
      HASH_MD5   (128-bit hash)   2
      HASH_SH1   (160-bit hash)   3
      HASH_SH256                  4
      HASH_SH384                  5
      HASH_SH512                  6

      The query above (an MD4 or MD5 hash) succeeds in non-FIPS mode (DBFIPS_140=FALSE) and fails in FIPS mode (DBFIPS_140=TRUE).
  2. SSL Transport Security

    1. Create DB Wallet

      To create a new wallet, from the OMS console, go to OMS upload, and with WebLogic use the orapki tool.

    2. Configure SSL Communication

      Add the SSLFIPS_140=TRUE flag in:
      $DB_HOME/ldap/admin/fips.ora

      For more information on configuring SSL communication, see Configure TLSv1.2 for the Enterprise Manager Repository.

    3. Restart Listener

      $DB_HOME/bin/lsnrctl stop
      $DB_HOME/bin/lsnrctl start
  3. Configure EM to use the TCPS listener

    For more information on configuring EM to use the TCPS listener, see Configuring the Oracle Management Service to connect to the TLSv1.2-enabled Enterprise Manager Repository.

Oracle WebLogic Server

  1. Add RSA JSSE and RSA JCE provider

    Add the RSA providers at the top and renumber the existing providers accordingly in the <OMS_HOME>/oracle_common/jdk/jre/lib/security/java.security file:

    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
    security.provider.2=com.rsa.jsse.JsseProvider
    security.provider.3=sun.security.provider.Sun
    security.provider.4=sun.security.rsa.SunRsaSign
    security.provider.5=sun.security.ec.SunEC
    security.provider.6=com.sun.net.ssl.internal.ssl.Provider
    security.provider.7=com.sun.crypto.provider.SunJCE
    security.provider.8=sun.security.jgss.SunProvider
    security.provider.9=com.sun.security.sasl.Provider
    security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.11=sun.security.smartcardio.SunPCSC
  2. Add FIPS compliant TrustStore and provider Jars in class path

    Follow these steps to add the two .jar files from $ORACLE_HOME/wlserver/server/lib to WebLogic and Node Manager:

    <OMS_HOME>/wlserver/server/lib/jcmFIPS.jar
    <OMS_HOME>/wlserver/server/lib/sslj.jar
    1. Add the FIPS configuration in <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/bin/startEMServer.sh after the EXT_POST_CLASSPATH="<omshome>/sysman/jlib/emagentPermissions.jar" and export EXT_POST_CLASSPATH lines:

      JAVA_OPTIONS="-Doracle.net.isFipsMode=true -Dcom.sun.net.ssl.enableECC=false ${JAVA_OPTIONS} "
      export JAVA_OPTIONS
      PRE_CLASSPATH="<OMS_HOME>/wlserver/server/lib/jcmFIPS.jar:<OMS_HOME>/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}"

      Example domain home:

      /u01/app/Oracle/gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh
    2. Add FIPS configuration in $DOMAIN_HOME/bin/startNodeManager.sh above the # start node manager ... line:

      JAVA_OPTIONS=" -Dcom.sun.net.ssl.enableECC=false ${JAVA_OPTIONS} "
      PRE_CLASSPATH="<OMS_HOME>/wlserver/server/lib/jcmFIPS.jar:<OMS_HOME>/wlserver/server/lib/sslj.jar"
      export JAVA_OPTIONS
      export PRE_CLASSPATH
    3. Start Node Manager:

      $DOMAIN_HOME/bin/startNodeManager.sh
    4. Re-create the trust store and key store with password-based encryption using a FIPS-compliant algorithm, such as aes-256-cbc, with openssl.
    5. Update the PKCS12 wallets under <EM_INSTANCE_BASE>/em/omrWallets/<trustStore> and <EM_INSTANCE_BASE>/em/omrWallets/<keyStore> with the trust and key material of the newly re-encrypted PKCS12 wallet.

      # generate a PEM file from the existing wallet under the truststore and keystore
      openssl pkcs12 -in ewallet.p12 -out cert.pem
      # re-export with AES-256-CBC password-based encryption for both the key and the certificates
      openssl pkcs12 -keypbe aes-256-cbc -certpbe aes-256-cbc -export -in <path to .pem file and file name> -out <path to .pfx file and file name>

      Example domain home:

      /u01/app/Oracle/gc_inst/em/omrWallets
    6. Bounce all components:
      emctl stop oms -all
      emctl start oms
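An added example for steps 4 and 5 above, not part of Oracle's documentation or tooling: it uses the openssl CLI to report which password-based encryption a PKCS#12 file actually uses, fails the check for legacy RC2/RC4/3DES schemes, and re-exports a file with aes-256-cbc as the steps describe. The function names, the self-signed demo material and the password are constructed for this example; pointing pkcs12_is_fips_pbe at the real omrWallets files verifies them after the update.

```shell
#!/bin/sh
# Added example (not from the Oracle page): inspect the password-based
# encryption (PBE) of a PKCS#12 file and re-export it with AES-256-CBC, the
# FIPS-approved scheme step 5 above calls for. Needs the openssl CLI; the
# key material, file names and password below are constructed for the demo.

WORK=$(mktemp -d 2>/dev/null || echo "${TMPDIR:-/tmp}/p12demo.$$")
mkdir -p "$WORK"
DEMO_PASS=demo-only   # constructed password for the throwaway demo files

# pkcs12_pbe FILE PASSWORD: print the distinct PBE schemes that
# `openssl pkcs12 -info` reports for the encrypted cert and key bags
# (openssl writes those info lines to stderr, hence 2>&1)
pkcs12_pbe() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 \
        | sed -n 's/.*PKCS7 Encrypted data: //p; s/.*Shrouded Keybag: //p' \
        | sort -u
}

# pkcs12_is_fips_pbe FILE PASSWORD: success only when every encrypted bag
# uses an AES-CBC PBES2 scheme; legacy RC2/RC4/3DES PBEs fail the check
pkcs12_is_fips_pbe() {
    algs=$(pkcs12_pbe "$1" "$2")
    [ -n "$algs" ] || return 1
    ! printf '%s\n' "$algs" | grep -v 'AES-[0-9]*-CBC' | grep -q .
}

# reexport_pkcs12_aes IN OUT PASSWORD: step 5 in one call: dump the old
# PKCS#12 to PEM, then export it again with AES-256-CBC for both the
# certificate and key bags (-macalg sha256 also requests an HMAC-SHA-256 MAC)
reexport_pkcs12_aes() {
    openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$WORK/bundle.pem" &&
        openssl pkcs12 -export -in "$WORK/bundle.pem" -out "$2" -passout "pass:$3" \
            -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256
    rc=$?
    rm -f "$WORK/bundle.pem"   # the PEM dump holds the unencrypted key
    return $rc
}

# make_demo_pkcs12 DIR: constructed test material: a throwaway self-signed
# certificate exported once with legacy 3DES PBE (as older wallets are) and
# once with AES-256-CBC
make_demo_pkcs12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=fips-demo \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -out "$1/legacy.p12" \
        -passout "pass:$DEMO_PASS" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -out "$1/aes.p12" \
        -passout "pass:$DEMO_PASS" -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256
}

if command -v openssl >/dev/null 2>&1 && make_demo_pkcs12 "$WORK"; then
    for f in legacy aes; do
        printf '%s.p12 uses: %s -> ' "$f" "$(pkcs12_pbe "$WORK/$f.p12" "$DEMO_PASS" | tr '\n' ';')"
        if pkcs12_is_fips_pbe "$WORK/$f.p12" "$DEMO_PASS"; then echo FIPS-PBE; else echo LEGACY-PBE; fi
    done
    if reexport_pkcs12_aes "$WORK/legacy.p12" "$WORK/fixed.p12" "$DEMO_PASS" &&
       pkcs12_is_fips_pbe "$WORK/fixed.p12" "$DEMO_PASS"; then
        echo "fixed.p12: re-encrypted with AES-256-CBC (demo files left in $WORK)"
    fi
else
    echo "openssl not available or demo material could not be created" >&2
fi
# Real use: pkcs12_is_fips_pbe <EM_INSTANCE_BASE>/em/omrWallets/<keyStore>/ewallet.p12 '<wallet password>'
```

The check reads the PBE algorithm identifiers from the file itself rather than trusting the flags used at export time, so it also catches a wallet that was copied into omrWallets without being re-encrypted.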

Oracle EM Agent in FIPS Mode

Agent Communication

The table lists the default ciphers supported by the Oracle EM Agent. Because some of them are not FIPS compliant, set the FIPS-compliant ciphers explicitly in the agent's emd.properties file and bounce the agent to make it FIPS compliant:

SSLCipherSuites=ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:ECDHE_RSA_WITH_AES_128_GCM_SHA256:AES_128_CCM_8_SHA256:AES_128_CCM_SHA256:AES_128_GCM_SHA256:AES_256_GCM_SHA384:DHE_DSS_WITH_AES_128_GCM_SHA256:DHE_DSS_WITH_AES_256_GCM_SHA384:DHE_RSA_WITH_AES_128_GCM_SHA256:DHE_RSA_WITH_AES_256_GCM_SHA384:ECDHE_RSA_WITH_AES_256_GCM_SHA384:DH_DSS_WITH_AES_128_GCM_SHA256:DH_DSS_WITH_AES_256_GCM_SHA384:DH_RSA_WITH_AES_128_GCM_SHA256:DH_RSA_WITH_AES_256_GCM_SHA384:ECDH_ECDSA_WITH_AES_128_GCM_SHA256:ECDH_ECDSA_WITH_AES_256_GCM_SHA384:ECDH_RSA_WITH_AES_128_GCM_SHA256:ECDH_RSA_WITH_AES_256_GCM_SHA384:DHE_DSS_WITH_AES_128_CBC_SHA:DHE_DSS_WITH_AES_128_CBC_SHA256:DHE_DSS_WITH_AES_256_CBC_SHA:DHE_DSS_WITH_AES_256_CBC_SHA256:DHE_RSA_WITH_AES_128_CBC_SHA:DHE_RSA_WITH_AES_128_CBC_SHA256:DHE_RSA_WITH_AES_256_CBC_SHA:DHE_RSA_WITH_AES_256_CBC_SHA256:ECDH_ECDSA_WITH_AES_128_CBC_SHA:ECDH_ECDSA_WITH_AES_128_CBC_SHA256:ECDH_ECDSA_WITH_AES_256_CBC_SHA:ECDH_ECDSA_WITH_AES_256_CBC_SHA384:ECDH_RSA_WITH_AES_128_CBC_SHA:ECDH_RSA_WITH_AES_128_CBC_SHA256:ECDH_RSA_WITH_AES_256_CBC_SHA:ECDH_RSA_WITH_AES_256_CBC_SHA384:ECDHE_ECDSA_WITH_AES_128_CBC_SHA:ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:ECDHE_ECDSA_WITH_AES_256_CBC_SHA:ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:ECDHE_RSA_WITH_AES_128_CBC_SHA:ECDHE_RSA_WITH_AES_128_CBC_SHA256:ECDHE_RSA_WITH_AES_256_CBC_SHA:ECDHE_RSA_WITH_AES_256_CBC_SHA384:RSA_WITH_AES_128_CBC_SHA:RSA_WITH_AES_128_CBC_SHA256:RSA_WITH_AES_128_GCM_SHA256:RSA_WITH_AES_256_CBC_SHA:RSA_WITH_AES_256_CBC_SHA256:RSA_WITH_AES_256_GCM_SHA384
Cipher FIPS
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 YES
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_AES_128_CCM_8_SHA256 YES
TLS_AES_128_CCM_SHA256 YES
TLS_AES_128_GCM_SHA256 YES
TLS_AES_256_GCM_SHA384 YES
TLS_CHACHA20_POLY1305_SHA256 NO
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 YES
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 YES
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 NO
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 NO
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 YES
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 YES
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 YES
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_DH_DSS_WITH_AES_128_CBC_SHA NO
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 NO
TLS_DH_DSS_WITH_AES_256_CBC_SHA NO
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 NO
TLS_DH_RSA_WITH_AES_128_CBC_SHA NO
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 NO
TLS_DH_RSA_WITH_AES_256_CBC_SHA NO
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 NO
TLS_DHE_DSS_WITH_AES_128_CBC_SHA YES
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 YES
TLS_DHE_DSS_WITH_AES_256_CBC_SHA YES
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 YES
TLS_DHE_RSA_WITH_AES_128_CBC_SHA YES
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_DHE_RSA_WITH_AES_256_CBC_SHA YES
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 YES
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA YES
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA YES
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 YES
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA YES
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA YES
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 YES
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA YES
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA YES
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 YES
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA YES
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA YES
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 YES
TLS_RSA_WITH_AES_128_CBC_SHA YES
TLS_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_RSA_WITH_AES_256_CBC_SHA YES
TLS_RSA_WITH_AES_256_CBC_SHA256 YES
TLS_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA NO
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA NO

The AgentCrypto symmetric key algorithm is AES-128, which is FIPS compliant.
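An added example, not part of Oracle's documentation or agent code: a check that flags suites in an SSLCipherSuites value which the table above marks NO (the CHACHA20, DH_DSS/DH_RSA CBC and CAMELLIA suites), so an edited emd.properties can be verified before the agent is bounced. The function names, the sample lists and the emd.properties fragment are constructed for this example; the denylist is copied from the table.

```shell
#!/bin/sh
# Added example (not from the Oracle page): flag cipher suites in an agent
# SSLCipherSuites value that the page's table marks as not FIPS compliant.
# The denylist is copied from the table's NO rows; the property fragment
# and sample lists are constructed for this example.

# Suites the table marks NO, in TLS_ prefix form
NON_FIPS='TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DH_DSS_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA256
TLS_DH_DSS_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA256
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA256
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA'

# non_fips_ciphers LIST: print every suite of the colon-separated LIST that
# is on the denylist; names without the TLS_ prefix (the emd.properties
# form) are normalised before comparison
non_fips_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        case $suite in TLS_*) name=$suite ;; *) name=TLS_$suite ;; esac
        if printf '%s\n' "$NON_FIPS" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# cipher_list_is_fips LIST: success only when no suite is on the denylist
cipher_list_is_fips() {
    [ -z "$(non_fips_ciphers "$1")" ]
}

# sslciphersuites_from_props FILE: the SSLCipherSuites value from an
# emd.properties file (the last assignment wins)
sslciphersuites_from_props() {
    sed -n 's/^[[:space:]]*SSLCipherSuites[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# constructed lists: a mixed default-style list and a FIPS-only list
MIXED='ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:DH_DSS_WITH_AES_128_CBC_SHA:RSA_WITH_AES_256_GCM_SHA384:RSA_WITH_CAMELLIA_128_CBC_SHA'
FIPS_ONLY='ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE_RSA_WITH_AES_256_GCM_SHA384:AES_256_GCM_SHA384'

# constructed emd.properties fragment (not a real agent file)
PROPS=${TMPDIR:-/tmp}/emd.properties.demo.$$
cat > "$PROPS" <<EOF
# constructed fragment for the example
REPOSITORY_URL=https://oms.example.com:4903/empbs/upload
SSLCipherSuites=$FIPS_ONLY
EOF

for list in "$MIXED" "$(sslciphersuites_from_props "$PROPS")"; do
    if cipher_list_is_fips "$list"; then
        echo "OK: no non-FIPS suites in list"
    else
        echo "FAIL: non-FIPS suites present:"
        non_fips_ciphers "$list" | sed 's/^/  /'
    fi
done
# Real use: cipher_list_is_fips "$(sslciphersuites_from_props <path to the agent emd.properties>)"
```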

Steps to Add a New Additional OMS in FIPS Mode

  1. Revert the primary OMS to the WebLogic demo certificate (primary OMS only):

    • emctl secure wls -use_demo_cert
    • Bounce primary OMS
  2. Install OMS software in the new machine

  3. Copy wallet to the new OMS machine

  4. Add RootCA into java truststore

    export ORACLE_HOME=<OMS_HOME>
    keytool -importcert -file <WalletPath ROOTCA>/cert.pem -alias emreprootca \
        -keystore $ORACLE_HOME/oracle_common/jdk/jre/lib/security/cacerts -storepass "<password>"
  5. Export the configuration details from the first OMS and copy the .bka file to the new OMS machine

    <ORACLE_HOME>/bin/emctl exportconfig oms -dir <absolute_path_to_directory>
  6. Run OMSCA command

    <ORACLE_HOME>/bin/omsca recover -ms -backup_file <absolute_path_to_bka_file> [-AS_HTTPS_PORT <port> -MSPORT <port> -MS_HTTPS_PORT <port> -EM_NODEMGR_PORT <port> -EM_UPLOAD_PORT <port> -EM_UPLOAD_HTTPS_PORT <port> -EM_CONSOLE_PORT <port> -EM_CONSOLE_HTTPS_PORT <port> -config_home <absolute_path_to_instance_dir> -EM_INSTANCE_HOST <second_oms_host_name>] -nostart

    This is the same command as in step 8 of Installing Additional Oracle Management Services in Silent Mode, with the additional -nostart flag.

  7. Repeat all the steps in the Oracle HTTP Server section above on the new OMS, except the startup.

  8. Repeat all the steps in the Oracle WebLogic Server section above on the new OMS, except the startup.

  9. Start the new OMS:

    emctl stop oms -all
    emctl start oms
  10. Re-secure the primary OMS to use the custom certificate.