EM 13c: Enterprise Manager 13c Cloud Control Configuration to Support Transport Layer Security Protocol: TLSv1.2 only (Doc ID 2212006.1)

Applies to:

Enterprise Manager Base Platform – Version 13.1.0.0.0 and later
Information in this document applies to any platform.

Goal

This document provides the steps for configuring EM 13c to use a particular TLS protocol version: TLSv1.0, TLSv1.1 or TLSv1.2.

For EM 12c, follow Note 1602983.1 EM 12c: Configure to Accept Connections with a Specific SSL Protocol (SSLv3 or TLSv1, to Disable SSL 3.0).

Note:
1. This Note is applicable prior to JDK 1.8 update 301 versions on OMS and Agent. Starting from JDK 1.8 update 301, TLS 1.0 and TLS 1.1 are disabled and by default it uses TLSv1.2 only.
2. Starting from the Oracle Linux 9 version, TLS 1.0 and TLS 1.1 are disabled and by default it uses TLSv1.2 only.

Solution

OMS

13c EM Oracle Management Service is configured to use the TLSv1.0, TLSv1.1 and TLSv1.2 protocols out-of-box. Perform the steps below to restrict the OMS to specific protocols such as TLSv1.2.
This will address vulnerabilities like 'TLS Server Supports TLS version 1.0'.
In case of a multi-OMS setup, the steps below need to be performed on each OMS.

1. For OEM 13.2 OMS, upgrade Java on the OMS server to JDK 7 Update 191 as per the steps in the document below. If the OMS is running on the AIX platform, then the Java upgrade is not required; ignore this step.
How to Use JDK 7 Update 191 with EM 13c OMS (Note 2241358.1).
(For OEM 13.1 OMS, upgrade Java on the OMS server to JDK 7 Update 131, which is the highest certified JDK version with 13.1 OMS.)

13.3 OMS has Java version 1.7.0_171 out-of-box, hence the Java upgrade is not required on 13.3 and later.

2. Secure the OMS using the command below.

To restrict the OMS to one particular mode, enter:

<OMS HOME>/bin>emctl secure oms -console -protocol "TLSv1.2"

3. In case of a multi-OMS setup configured with an SLB and with OEM default certificates, secure each OMS using:

<OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -console -protocol "TLSv1.2"

Important Notes:

NOTE: This process requires you to know the SYSMAN and Agent Registration passwords. If you don't recall the Agent Registration Password, you can create a one-time or persistent password using the steps in the following document:

– Enterprise Manager Cloud Control Security: How to Create or Edit the Agent Registration Password for Agent to OMS Secure Communication (Document 1367946.1)

NOTE:
a) The OMS will need to be enabled for the lowest TLS version to support lower version Agents, in this case TLS 1.0 for 12.1.0.5 agents. The 12.1.0.5 agents will not work with an OMS exclusively using TLS 1.2.
b) If the OMS is configured with custom/third party certificates:

1. Specify the wallet location also in the secure command, with the -wallet and -trust_certs_loc arguments:

<OMS HOME>/bin>./emctl secure oms -wallet <wallet_location> -trust_certs_loc <location of trusted certificate> -protocol "TLSv1.2"

1a. In case of a multi-OMS setup configured with an SLB and with OEM custom certificates, secure each OMS using:

<OMS_HOME>/bin>./emctl secure oms -host slbhostname.domainname -secure_port 1159 -slb_port 1159 -slb_console_port 443  -trust_certs_loc /home/oracle/customca.txt -wallet <wallet_location> -protocol "TLSv1.2"

Note: There is no need to add the -console argument in the above commands.

2. Restart the OMS with the following command:

<OMS HOME>/bin>emctl stop oms -all
<OMS HOME>/bin>emctl start oms


To enable more than one mode, use a space delimited list, for example:

<OMS HOME>/bin>emctl secure oms -console -protocol "TLSv1.1 TLSv1.2"

3. Restart the OMS with the following command:

<OMS HOME>/bin>emctl stop oms -all
<OMS HOME>/bin>emctl start oms

Agent

13c EM Agent is configured to use the TLSv1.0, TLSv1.1 and TLSv1.2 protocols out-of-box. Perform the steps below to restrict the Agent to specific protocols such as TLSv1.2.
This will address vulnerabilities like 'TLS Server Supports TLS version 1.0'.

1. Stop the Agent

<AGENT HOME>/bin>emctl stop agent

2. Take a backup of the <AGENT INST HOME>/sysman/config/emd.properties file and then edit it.

Add the properties below to it:

_frameworkTlsProtocols=TLSv1.2
_frameworkSSLContextProtocol=TLSv1.2
minimumTLSVersion=TLSv1.2

Save the file

You can also set this property from the EM Console:
To edit multiple Agents simultaneously, from the Setup menu, choose Manage Cloud Control and then Agents. From the list, select the Agents you want to modify and then click Properties. This will create a job definition where you specify the Agent property that needs to be changed. On the Parameters page, set the minimumTLSVersion property to TLSv1.2. The change will be applied to all selected Agents. But the properties below need to be set manually in the emd.properties file only and can't be set through the console:

_frameworkTlsProtocols=TLSv1.2
_frameworkSSLContextProtocol=TLSv1.2

Once the changes have been made, you must bounce the Management Agent(s) in order for the changes to take effect.
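The following is an added example, not a script from the Oracle note or from Enterprise Manager itself. It applies the three Agent properties listed above to a copy of emd.properties idempotently (an existing assignment of the same key is rewritten rather than duplicated), takes the backup the step asks for first, and parses the result back so the change can be checked. The file contents and paths in it are constructed placeholders; only the property names and values come from the note.

```python
"""Added example (not from the Oracle note): apply the Agent TLS properties
from this note to emd.properties idempotently, after taking a backup.

Assumptions: the file is a plain key=value properties file; the sample
contents below are constructed and the paths are placeholders.
"""
import re
import shutil
from pathlib import Path

# Property names and values exactly as given in the note.
AGENT_TLS_PROPERTIES = {
    "_frameworkTlsProtocols": "TLSv1.2",
    "_frameworkSSLContextProtocol": "TLSv1.2",
    "minimumTLSVersion": "TLSv1.2",
}

# An active (uncommented) key=value assignment; comment lines are left untouched.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=")


def apply_tls_properties(text: str, props: dict = AGENT_TLS_PROPERTIES) -> str:
    """Return the file content with every key in `props` set to its value.

    An existing assignment is rewritten in place, duplicates of the same key
    are dropped, and absent keys are appended. Running it twice gives the same
    text, so it is safe to re-run on an already hardened Agent.
    """
    out, seen = [], set()
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        key = m.group(1) if m else None
        if key in props:
            if key not in seen:
                out.append(f"{key}={props[key]}")
                seen.add(key)
            continue  # a second assignment of a managed key: drop it
        out.append(line)
    for key, value in props.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def configured_properties(text: str) -> dict:
    """Parse active key=value lines, for checking the result of the edit."""
    result = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            result[m.group(1)] = line.split("=", 1)[1].strip()
    return result


def harden_agent_properties(emd_properties: Path) -> Path:
    """Back up emd.properties beside itself, then rewrite it. Returns the backup path."""
    backup = emd_properties.with_name(emd_properties.name + ".bak")
    shutil.copy2(emd_properties, backup)
    emd_properties.write_text(apply_tls_properties(emd_properties.read_text()))
    return backup


# Constructed sample resembling a fragment of an Agent's emd.properties.
SAMPLE_EMD_PROPERTIES = """\
# constructed sample, not a real Agent file
agentTZRegion=UTC
minimumTLSVersion=TLSv1
EMD_URL=https://agenthost.example.com:3872/emd/main/
"""

if __name__ == "__main__":
    import tempfile
    # The temporary directory stands in for <AGENT INST HOME>/sysman/config.
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "emd.properties"
        path.write_text(SAMPLE_EMD_PROPERTIES)
        print("backup:", harden_agent_properties(path))
        print(path.read_text())
```

Run it against a real Agent only after stopping the Agent as in step 1, and keep the .bak file until the Agent has been restarted and its upload to the OMS confirmed: if the OMS still accepts only a lower protocol version, an Agent pinned to TLSv1.2 will not be able to talk to it.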


3. If the Agent is running on the AIX or zLinux platform, then download and apply the 12.1.3 version of Patch 25237184 on the 13c Agent Home.
The patch is included in the 13.3 Agent out-of-box and hence does not need to be applied explicitly on 13.3.

Set your current directory to the directory where the patch is located.

$ cd PATCH_TOP/25237184


Run OPatch to apply the patch.

$ opatch apply


4. Start the Agent

<AGENT HOME>/bin>emctl start agent

WLS

13c EM (up to EM 13.3) is deployed on the 12.1.3 version of WebLogic Server.

A. To configure the WLS servers (Admin Server and Managed Server) in EM 13c to use the TLSv1.2 protocol specifically, the OMS needs to be secured with that specific protocol. If the OMS is already secured with the TLSv1.2 protocol, the steps below do not need to be performed again.

1. Secure each OMS using the command below.

To restrict the OMS to one particular mode, enter:

<OMS HOME>/bin>emctl secure oms -protocol "TLSv1.2"

To enable more than one mode, use a space delimited list, for example:

<OMS HOME>/bin>emctl secure oms -protocol "TLSv1.1 TLSv1.2"

2. If this is a multi-OMS setup configured behind a Server Load Balancer, then also perform the step below to enforce TLSv1.2 on the SLB JVMD port.

Backup <MIDDLEWARE_HOME>/oracle_common/jdk/jre/lib/security/java.security

Add the parameter:

jdk.tls.disabledAlgorithms

and the values to be added are TLSv1, TLSv1.1.

For example:

jdk.tls.disabledAlgorithms=SSLv3,TLSv1, TLSv1.1, MD5withRSA, DH keySize < 768
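The following is an added example, not a tool shipped with the JDK or with Enterprise Manager. It adds TLSv1 and TLSv1.1 to the jdk.tls.disabledAlgorithms entry of a java.security file while keeping whatever is already listed there (so a default such as SSLv3 or the DH key-size limit is not lost), handles the backslash line continuations that later JDK releases use for this entry, and re-parses the result so the edit can be checked. The file fragment in it is constructed.

```python
"""Added example (not part of the Oracle note): merge TLSv1 and TLSv1.1 into
jdk.tls.disabledAlgorithms in a java.security file without duplicating
entries that are already present. The sample file content is constructed.
"""
import re

KEY = "jdk.tls.disabledAlgorithms"
DISABLE_FOR_TLS12_ONLY = ["TLSv1", "TLSv1.1"]   # values named in the note
ENTRY_RE = re.compile(rf"^\s*{re.escape(KEY)}\s*=\s*(.*)$")


def _join_continuations(text: str) -> str:
    """Fold 'value, \\<newline>   more' into one logical line (java.security style)."""
    return re.sub(r"\\\r?\n\s*", "", text)


def parse_disabled(value: str) -> list:
    """Split the comma-separated list; entries like 'DH keySize < 768' stay intact."""
    return [item.strip() for item in value.split(",") if item.strip()]


def merge_disabled_algorithms(text: str, extra=DISABLE_FOR_TLS12_ONLY) -> str:
    """Return java.security content whose jdk.tls.disabledAlgorithms includes `extra`.

    Existing entries are kept in order, the new ones are appended only if
    missing, and the key is created if the file has none, so the function
    is safe to run more than once.
    """
    out, found = [], False
    for line in _join_continuations(text).splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            out.append(line)
            continue
        found = True
        current = parse_disabled(m.group(1))
        merged = current + [a for a in extra if a not in current]
        out.append(f"{KEY}={', '.join(merged)}")
    if not found:
        out.append(f"{KEY}={', '.join(extra)}")
    return "\n".join(out) + "\n"


def disabled_algorithms(text: str) -> list:
    """Read back the effective jdk.tls.disabledAlgorithms list (empty if unset)."""
    for line in _join_continuations(text).splitlines():
        m = ENTRY_RE.match(line)
        if m:
            return parse_disabled(m.group(1))
    return []


# Constructed fragment modelled on the entry quoted in the note (not a real file).
SAMPLE_JAVA_SECURITY = """\
# constructed fragment of a java.security file
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
"""

if __name__ == "__main__":
    hardened = merge_disabled_algorithms(SAMPLE_JAVA_SECURITY)
    print(hardened)
    print("effective list:", disabled_algorithms(hardened))
```

Because jdk.tls.disabledAlgorithms applies to the whole JVM, the same file also governs any other client or server started from <MIDDLEWARE_HOME>/oracle_common/jdk; after the OMS restart, confirm the JVMD listener with the verification steps at the end of this note rather than assuming the edit took effect.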

3. Restart each OMS with the following command:

<OMS HOME>/bin>emctl stop oms -all -force
<OMS HOME>/bin>emctl start oms


B. To configure the WLS Nodemanager in EM 13c to use the TLSv1.2 protocol, perform the steps below.
In case of a multi-OMS setup, the steps below need to be performed on each OMS.

1. Stop the OMS

OMS_HOME/bin>emctl stop oms -all

2. Apply 12.1.3.0.161018 Weblogic PSU Patch 23744018 or higher PSU on Middleware Home.
This patching step is not required if the EM version is 13.4 or higher.

See “12.1.3.0 Patch Set Updates” in the following article for the latest applicable PSU:

Note 1470197.1 Patch Set Update (PSU) Release Listing for Oracle WebLogic Server (WLS)

3. Take a backup of <EM INSTANCE HOME>/user_projects/domains/GCDomain/bin/startNodeManager.sh

Update JAVA_OPTIONS by adding -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 as follows:

From

JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=<EM INSTANCE HOME>/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/Middleware/oracle_common -Dopss.version=12.1.3"

To

JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=<EM INSTANCE HOME>/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/Middleware/oracle_common -Dopss.version=12.1.3 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"

Save the file

4. Start the OMS

<OMS HOME>/bin>emctl start oms


Limiting Interchanges to TLSv1.2

13.4 & 13.5 EM is deployed on 12.2.1.3 & 12.2.1.4 version of Weblogic server (WLS).

The WLS server (Admin Server, Managed Server, and Nodemanager) in EM 13.4 & 13.5 is configured to use TLSv1.0, TLSv1.1 and TLSv1.2 protocols out-of-box.

To limit WLS to use of TLSv1.2 only:

Make a backup of <EM INSTANCE HOME>/user_projects/domains/GCDomain/bin/startNodeManager.sh

Update JAVA_OPTIONS as follows:

JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=<EM INSTANCE HOME>/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/Middleware/oracle_common -Dopss.version=12.2.1.3 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
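The following is an added example, not a script from Oracle or from the note, covering both the 13.1 to 13.3 Nodemanager step (section B above) and the 13.4/13.5 step just described: it appends -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 to the double-quoted JAVA_OPTIONS assignment in startNodeManager.sh, replacing any earlier value of that flag so the setting appears exactly once, and reads the configured value back. The script fragment and the instance path in it are constructed placeholders; the flag and value are the ones given in the note.

```python
"""Added example (not Oracle's script): add the WebLogic minimum TLS
protocol flag to the JAVA_OPTIONS line of startNodeManager.sh, idempotently.

Assumptions: JAVA_OPTIONS is assigned on a single double-quoted line, as in
the line quoted by the note; the sample script below is constructed.
"""
import re

MIN_PROTOCOL_FLAG = "-Dweblogic.security.SSL.minimumProtocolVersion"
MIN_PROTOCOL_VALUE = "TLSv1.2"

# Matches   JAVA_OPTIONS="...."   and captures the prefix, the options, and the closing quote.
ASSIGN_RE = re.compile(r'^(\s*JAVA_OPTIONS=")(.*)("\s*)$')
FLAG_RE = re.compile(rf"\s*{re.escape(MIN_PROTOCOL_FLAG)}=(\S*)")


def add_min_protocol(text: str, value: str = MIN_PROTOCOL_VALUE) -> str:
    """Return the script with the flag set to `value` on every JAVA_OPTIONS assignment.

    Any earlier occurrence of the flag is removed first, so re-running the
    function (or raising the value later) never leaves two copies behind.
    """
    out = []
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m is None:
            out.append(line)
            continue
        prefix, opts, suffix = m.groups()
        opts = FLAG_RE.sub("", opts)
        out.append(f"{prefix}{opts} {MIN_PROTOCOL_FLAG}={value}{suffix}")
    return "\n".join(out) + "\n"


def min_protocol_in(text: str):
    """Return the minimumProtocolVersion configured in JAVA_OPTIONS, or None."""
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            found = FLAG_RE.search(m.group(2))
            return found.group(1) if found else None
    return None


# Constructed fragment modelled on the JAVA_OPTIONS line quoted in the note.
# /path/to/EM_INSTANCE_HOME stands in for <EM INSTANCE HOME>.
SAMPLE_START_NODEMANAGER = """\
#!/bin/sh
# constructed fragment, not the real startNodeManager.sh
JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=/path/to/EM_INSTANCE_HOME/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/Middleware/oracle_common -Dopss.version=12.1.3"
export JAVA_OPTIONS
"""

if __name__ == "__main__":
    updated = add_min_protocol(SAMPLE_START_NODEMANAGER)
    print(updated)
    print("configured minimum:", min_protocol_in(updated))
```

Apply it to the real file only after the backup the step calls for, and keep the -Dopss.version value the file already has (12.1.3 for 13.1 to 13.3, 12.2.1.3 or 12.2.1.4 for 13.4/13.5); the function only touches the TLS flag.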


For OMS to Repository Database

Refer to the Note below:
Note 2850673.1 EM 13c: How to Configure the Oracle Management Service to connect to the TLSv1.2-enabled Enterprise Manager Repository (Doc ID 2850673.1)

For AOM

Refer to the Note below:
Note 2758419.1 EM 13c: How to configure AOM Secure Communication Using the TLSv1.2 Protocol (Doc ID 2758419.1)

Verification

To verify whether the OMS / Agent can use a specific TLS protocol version, you can use the emctl command:

1. To check whether OMS / Agent can accept TLSv1.0:

cd $OMS_HOME/bin

emctl secdiag openurl -url https://<OMS host name>.<domain>:<oms https console/upload port>/em  -ssl_protocol TLSv1
emctl secdiag openurl -url https://<Agent host name>.<domain>:<agent port>/em -ssl_protocol TLSv1

2. To check whether OMS / Agent can accept TLSv1.1:

cd $OMS_HOME/bin

emctl secdiag openurl -url https://<OMS host name>.<domain>:<oms https console/upload port>/em -ssl_protocol TLSv1.1
emctl secdiag openurl -url https://<Agent host name>.<domain>:<agent port>/em -ssl_protocol TLSv1.1

3. To check whether OMS / Agent can accept TLSv1.2:

cd $OMS_HOME/bin

emctl secdiag openurl -url https://<OMS host name>.<domain>:<oms https console/upload port>/em -ssl_protocol TLSv1.2
emctl secdiag openurl -url https://<Agent host name>.<domain>:<agent port>/em -ssl_protocol TLSv1.2
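The following is an added example, not part of the note and not an Oracle tool. It answers the same question as the three emctl secdiag openurl checks above, but from any host with Python: for each of TLSv1, TLSv1.1 and TLSv1.2 it attempts a handshake pinned to exactly that version and then compares the results against the intended policy (by default TLSv1.2 only), reporting both versions that are still accepted and allowed versions that unexpectedly fail. The host and port are taken from the command line; no Oracle host names are assumed.

```python
"""Added example (not part of the Oracle note): probe which TLS versions a
listener accepts and judge the result against a TLSv1.2-only policy.

Assumptions: host and port come from the command line (e.g. the OMS console
or upload port, or the Agent port); nothing about the target is hard-coded.
"""
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_tls_version(host: str, port: int, name: str, timeout: float = 5.0):
    """True if a handshake pinned to exactly `name` succeeds, False if it is
    refused, None if the local OpenSSL build cannot offer that version at all.

    Certificate verification is disabled on purpose: the question is whether
    the protocol version is negotiable, not whether the certificate is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    except ValueError:
        return None  # version not available in this Python/OpenSSL build
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError):
        return False


def probe_all(host: str, port: int) -> dict:
    """Probe every version in VERSIONS; returns {name: True/False/None}."""
    return {name: probe_tls_version(host, port, name) for name in VERSIONS}


def verdict(results: dict, allowed=("TLSv1.2",)) -> dict:
    """Classify probe results against a policy of allowed versions.

    unexpected: versions accepted although not allowed (hardening incomplete).
    missing:    allowed versions not accepted (listener down, or pinned to a
                version the policy does not expect).
    """
    unexpected = sorted(v for v, ok in results.items() if ok and v not in allowed)
    missing = sorted(v for v in allowed if not results.get(v))
    return {"compliant": not unexpected and not missing,
            "unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tls_probe.py <host> <port>")
    host, port = sys.argv[1], int(sys.argv[2])
    results = probe_all(host, port)
    for name, ok in results.items():
        state = {True: "accepted", False: "rejected", None: "not testable here"}[ok]
        print(f"{name:8s} {state}")
    print(verdict(results))
```

Note that modern OpenSSL builds often refuse to offer TLSv1 or TLSv1.1 themselves, in which case a "rejected" result for those versions says nothing about the server; run the probe from a host whose OpenSSL still offers them (or rely on the emctl secdiag checks above) when you need a positive answer.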

Ref: https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=438835891084524&id=2212006.1&_afrWindowMode=0&_adf.ctrl-state=a96kfx1gx_4