Secured Communication (TCPS) Access to Databases

Out-of-the-box support is provided for discovering, monitoring, and administering TCPS-enabled listeners. All databases created through the Admin provisioning flow or the Cloud Self Service portal support SSL-enabled connection strings by default. Target databases can be monitored securely by configuring the TCPS connection protocol. Configuring secured access enables data transport encryption between the OMS and the database server target, and between the Agent and the database server target.

As businesses move toward cloud solutions, secure user authentication is a key requirement of the product offering. Oracle's default authentication protocols, O3LOGON and O5LOGON (introduced in Enterprise Manager 11g), have been revamped to authenticate users over the TCPS protocol to the Oracle Database Server instead of the less secure TCP protocol.

Note:

Using secure authentication has no impact on normal database performance.

Configuring TCPS

To configure TCPS:

  1. Enable the Oracle Advanced Security TLS setting on the target database.
    For a TLSv1.2 configuration:
    1) Ensure SSL_VERSION is set to 1.2 in the sqlnet.ora or listener.ora file.
    2) Ensure the SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file is set to TRUE.
  2. Configure secure wallets with third-party CA certificates.
  3. Configure third-party CA certificate wallets for OMS and Agent communication.
  4. Set the connection protocol to TCPS in the monitoring configuration properties of the target database.

Configuring Third Party CA Certificates for Communication With Target Databases

Prerequisites

When connecting to a target database over TCPS, the target database acts as the server; the OMS and Monitoring Agents connect to it as clients.

  1. Ensure the target database is configured for TCPS.

  2. Create a server wallet containing the user certificate and the root and intermediate CA certificates used by the database server.

    Eg: /u01/server/swallets/
  3. Create a client wallet containing the root and intermediate CA certificates used by the database server. In the case of a RAC database, the wallet must contain the public certificate of each VIP and the root and intermediate CA public certificates of the database as trusted certificates.

    Eg: /u01/server/cswallets/
  4. Update listener.ora and sqlnet.ora in the database home as shown below.

    $ vi <DB_ORACLE_HOME>/network/admin/listener.ora

    LISTENER = (ADDRESS=(PROTOCOL=tcps)(HOST=hostname)(PORT=1521))

    SID_LIST_LISTENER = (SID_LIST=(SID_DESC=(SID_NAME=dbsid)(ORACLE_HOME=<DB HOME>)))   - not mandatory

    WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/server/swallets/)))

    SSL_CLIENT_AUTHENTICATION=TRUE   - TRUE enables 2-way SSL

    SSL_CIPHER_SUITES=(<Supported Cipher Suite>)   - not mandatory

    SSL_VERSION=(Protocol Versions)   - not mandatory

    $ vi <DB_ORACLE_HOME>/network/admin/sqlnet.ora

    Add the following to this file:

    WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/server/swallets/)))

    SSL_CLIENT_AUTHENTICATION=TRUE   - TRUE enables 2-way SSL

    SSL_CIPHER_SUITES=(<Supported Cipher Suite>)   - not mandatory

    SSL_VERSION=(Protocol Versions)   - not mandatory
  5. Only 1-way SSL is supported for communication between the OMS and the Repository Database.

    Hence, set SSL_CLIENT_AUTHENTICATION=FALSE for an EM Repository Database.

  6. Copy the root certificate and all intermediate certificates used by the database to separate text files.

    For example root_certificate.txt, inter1_certificate.txt, inter2_certificate.txt

  7. Copy the client wallet created above to the OMS server and to the target database server, into any location owned by the OMS and Agent users respectively. The Agent and the OMS use this wallet to trust the database certificate chain.

    Eg: /u01/client/cswallets/ on the OMS server and on the target Agent server
  8. If 2-way SSL is used (SSL_CLIENT_AUTHENTICATION=TRUE), the OMS and Monitoring Agent must also be configured to use third-party certificates.
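The listener.ora and sqlnet.ora settings required by steps 4 and 5 can be verified before restarting anything. The script below is an added example, not part of the Oracle documentation; it reads a parameter file and reports whether SSL_VERSION, SSL_CLIENT_AUTHENTICATION (TRUE for a 2-way SSL target, FALSE for the repository database) and WALLET_LOCATION match this procedure, assuming one KEY=VALUE parameter per line as in the samples above and '#' as the comment character.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): a read-only check of an
# Oracle Net parameter file (sqlnet.ora or listener.ora) against the TCPS
# settings this procedure calls for. Assumes one KEY=VALUE parameter per line,
# as in the samples above, and '#' as the comment character.

# ora_param <file> <PARAM>: first value of PARAM with comments and blanks
# stripped and one pair of enclosing parentheses removed, e.g. "(1.2)" -> "1.2".
ora_param() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/#.*//' | tr -d ' \t' | sed 's/^(\(.*\))$/\1/'
}

# check_tcps_config <file> <TRUE|FALSE>: second argument is the expected
# SSL_CLIENT_AUTHENTICATION value, TRUE for a 2-way SSL target database and
# FALSE for the EM repository database, which supports 1-way SSL only.
# Prints one line per finding; returns 0 only if every check passes.
check_tcps_config() {
  f=$1; want_auth=$2; rc=0
  ver=$(ora_param "$f" SSL_VERSION)
  auth=$(ora_param "$f" SSL_CLIENT_AUTHENTICATION)
  wallet=$(ora_param "$f" WALLET_LOCATION)
  case "$ver" in
    1.2) echo "OK   SSL_VERSION=1.2" ;;
    "")  echo "FAIL SSL_VERSION is not set (expected 1.2 for TLSv1.2)"; rc=1 ;;
    *)   echo "FAIL SSL_VERSION=$ver (expected 1.2)"; rc=1 ;;
  esac
  if [ "$auth" = "$want_auth" ]; then
    echo "OK   SSL_CLIENT_AUTHENTICATION=$auth"
  else
    echo "FAIL SSL_CLIENT_AUTHENTICATION=${auth:-unset} (expected $want_auth)"; rc=1
  fi
  # WALLET_LOCATION must be a file-based wallet with a DIRECTORY entry.
  dir=$(printf '%s' "$wallet" | sed -n 's/.*DIRECTORY=\([^)]*\)).*/\1/p')
  case "$wallet" in
    *METHOD=FILE*)
      if [ -n "$dir" ]; then echo "OK   wallet directory $dir"
      else echo "FAIL WALLET_LOCATION has no DIRECTORY entry"; rc=1; fi ;;
    *) echo "FAIL WALLET_LOCATION missing or METHOD is not FILE"; rc=1 ;;
  esac
  # A listener.ora must carry a TCPS listening address; sqlnet.ora has none.
  if grep -q 'ADDRESS[[:space:]]*=' "$f" && ! grep -qi 'PROTOCOL[[:space:]]*=[[:space:]]*tcps' "$f"; then
    echo "FAIL listener address list has no PROTOCOL=tcps entry"; rc=1
  fi
  return $rc
}
```

Run it as check_tcps_config <DB_ORACLE_HOME>/network/admin/sqlnet.ora TRUE for a target database, or with FALSE for the repository database; a non-zero exit means at least one FAIL line was printed.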

Configure OMS to connect to Target Database over TCPS

The steps below need to be performed only once; they do not have to be repeated for each database target.

  1. Set the properties below on the OMS to configure the truststore that trusts the database certificates.

    <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name em.targetauth.db.pki.TrustStoreType -value PKCS12
    <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name em.targetauth.db.pki.TrustStore -value /u01/client/cswallets/ewallet.p12
    <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name em.targetauth.db.pki.TrustStorePassword -value <password of wallet in cswallet folder>
  2. If client authentication is turned on (SSL_CLIENT_AUTHENTICATION=TRUE in listener.ora), follow the step below. This requires the Agent and the OMS to be secured with third-party certificates.

    1. Copy the third-party wallets used for OMS upload to a new location on the OMS server, say /u01/clientoms/cwallets/

    2. Set the properties below on the OMS.

      <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name em.targetauth.db.pki.KeyStoreType -value PKCS12
      <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name em.targetauth.db.pki.KeyStore -value /u01/clientoms/cwallets/ewallet.p12
      <OMS HOME>/bin>emctl set property -sysman_pwd sysman -name em.targetauth.db.pki.KeyStorePassword -value <password of third party wallets of OMS>
  3. Restart each OMS in a rolling fashion.

    <OMS HOME>/bin>emctl stop oms -all -force
    <OMS HOME>/bin>emctl start oms

Configure Monitoring Agent to connect to Target Database over TCPS

  1. Set the properties below on the Monitoring Agent to configure the truststore that trusts the database certificates.

    <AGENT HOME>/bin>emctl setproperty agent -name connectionTrustStoreType -value PKCS12
    <AGENT HOME>/bin>emctl setproperty agent -name connectionTrustStoreLocation -value /u01/client/cswallets/ewallet.p12
    <AGENT HOME>/bin>emctl setproperty agent -name connectionTrustStorePassword -value <password of wallet in cswallet folder>
  2. If client authentication is turned on (SSL_CLIENT_AUTHENTICATION=TRUE in listener.ora), follow the step below. This requires the Agent and the OMS to be secured with third-party certificates.

    1. Copy the third-party wallets used by the Agent to a new location on the Agent server, say /u01/clientagent/cwallets/

    2. Set the properties below on the Agent.

      <AGENT HOME>/bin>emctl setproperty agent -name connectionKeyStoreType -value PKCS12
      <AGENT HOME>/bin>emctl setproperty agent -name connectionKeyStoreLocation -value /u01/clientagent/cwallets/ewallet.p12
      <AGENT HOME>/bin>emctl setproperty agent -name connectionKeyStorePassword -value <password of third party wallets of Agent>
  3. Restart the Monitoring Agent.

    <AGENT HOME>/bin>emctl stop agent
    <AGENT HOME>/bin>emctl start agent
  4. Update the monitoring configuration of the database target to TCPS with the emcli command below, or from the Console.

    $emcli modify_target -name="database1.domainname" -type="oracle_database" -properties="Port:<TCPS_PORT>;Protocol:TCPS" -on_agent

    Note:

    If the error 'Invalid Client or Server wallet' is logged when testing the connection to the database from EM, apply the 12.1.3 version of FMW Patch 20629366 to the MW HOME of the OMS.

Note:

TCPS connections to a target database fail from a 13.4 Agent on non-Linux platforms. Refer to the document below for the solution.

13.4:TCPS Connection to Target Database Fails from Agent on non-Linux Platforms (Note 2746913.1)