2.5 Oracle VM Post-Installation Configuration

2.5.1 Adding a Trusted CA Certificate and Keystore for SSL Encryption
2.5.2 Securing Oracle VM Agent Communications with a Certificate
2.5.3 Changing Certificate Settings for VNC and Live Migration
2.5.4 Enabling LDAP Authentication on Dom0
2.5.5 Setting Up Virtual Machine Access

The purpose of this section is to describe any security configuration changes that must be made after installation. However, the installers for Oracle VM components have been designed to minimize security risks by default, so potential issues are addressed automatically during the installation procedure. Some general security considerations are listed here:

2.5.1 Adding a Trusted CA Certificate and Keystore for SSL Encryption

To create a secure production environment you need to obtain and install a trusted certificate from a Certificate Authority (CA). Oracle VM Manager runs on Oracle WebLogic Server, and Oracle WebLogic provides the interface for updating the digital certificate and keystore. To add a trusted CA certificate and keystore, see the procedure set out in the Oracle WebLogic documentation:

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e13952/taskhelp/security/ConfigureKeystoresAndSSL.html

Two variables are mentioned in this procedure that you need to know when installing the certificate. The values for these variables in Oracle VM Manager are:

$JAVA_HOME\jre\lib\security   /u01/app/oracle/java/jre/lib/security
$WL_HOME\server\lib           /u01/app/oracle/Middleware/wlserver_10.3/server/lib
Note

Oracle VM has SSL enabled by default, and installs with a self-signed CA certificate. If you connect to Oracle VM Manager over HTTPS at TCP port 7002, you will receive a warning because your browser cannot verify the identity of Oracle VM Manager and considers the connection untrusted. It is recommended that you obtain a certificate from an official Certificate Authority, as described in this section and in the Oracle WebLogic documentation.

To access the Oracle WebLogic Server console, enter:

  • https://hostname:7002/console -or-

  • http://hostname:7001/console (HTTP is disabled by default in Release 3.2.1)

Log in with the user weblogic and the password you set during the Oracle VM Manager installation.

2.5.2 Securing Oracle VM Agent Communications with a Certificate

Communications between Oracle VM Agents and Oracle VM Manager are SSL-encrypted using an RSA algorithm and 1024-bit private key. The relevant files are located in /etc/ovs-agent/cert:

  • certificate.pem

  • key.pem

  • request.pem

To replace the default self-signed certificate with your own trusted certificate, replace the certificate file.

To generate a new certificate and key files, log on to an Oracle VM Server and execute the command ovs-agent-keygen. The command is used as follows:

# ovs-agent-keygen -h
Usage: ovs-agent-keygen [OPTION]
Generate SSL certificate and key files for Oracle VM Agent XMLRPC Server.
Options:
-f, --force      override existing files
-v, --version    show version number and exit
-h, --help       show this help message and exit

The generated files are placed in the directory mentioned above. If you use the "-f" option, the existing files are overwritten.

As of Oracle VM 3.3.1, the Oracle VM Agent password is only used for authentication during the initial discovery process. Thereafter, all authentication between the Oracle VM Manager and Oracle VM Agent is achieved using certificates. This approach improves security and helps to limit access to the Oracle VM Agent to the Oracle VM Manager instance that has ownership of the Oracle VM Server where the agent is running.

If you are using a version of Oracle VM prior to 3.3.1, you may wish to change the Oracle VM Agent password on occasion. The Oracle VM Manager user interface provides an option to batch change the Oracle VM Agent password for all of the servers within a server pool. You can find out more about this option within the Oracle VM User's Guide for your particular version of Oracle VM. This option is no longer available in version 3.3.1, due to the change of authentication mechanism.

2.5.3 Changing Certificate Settings for VNC and Live Migration

In a default Oracle VM installation, VNC and Live Migration traffic are secured with the same certificate as the one used for Oracle VM Agent communications. If required by your security policy, you can use a different certificate by specifying the appropriate location in the configuration file /etc/xen/xend-config.sxp. More specifically, you must look up the section below in the configuration file and change the location parameters of the certificate and key files:

# SSL key and certificate to use for the ssl relocation interface, if 
#   xend-relocation-ssl-server is set.
(xend-relocation-server-ssl-key-file /etc/ovs-agent/cert/key.pem)
(xend-relocation-server-ssl-cert-file /etc/ovs-agent/cert/certificate.pem)
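As an added example (not from the Oracle VM documentation), the following POSIX shell script reads the key and certificate paths out of xend-config.sxp lines like the ones above, falls back to the /etc/ovs-agent/cert defaults, and audits the pair: it checks that key.pem matches certificate.pem, reports a self-signed certificate, warns when the key is shorter than 2048 bits (a threshold chosen here, not one the documentation states), and fails if the certificate expires within a configurable number of days. It assumes openssl(1) is installed on the Oracle VM Server.

```shell
#!/bin/sh
# Added example, not part of the Oracle VM documentation.  Audits the
# certificate/key pair used by the Oracle VM Agent, VNC and live migration.
# Assumes openssl(1) on Dom0; the 2048-bit threshold is a choice made here.

# Extract a path from an sxp line such as
#   (xend-relocation-server-ssl-key-file /etc/ovs-agent/cert/key.pem)
# $1 = config file, $2 = parameter name; prints nothing if not found.
sxp_path() {
    sed -n "s/^[[:space:]]*($2[[:space:]]\{1,\}\([^) ]*\)).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Audit one pair.  $1 = certificate, $2 = private key, $3 = minimum days of
# remaining validity (default 30).  Returns 0 only when the key matches the
# certificate and it is valid for at least $3 more days.  A self-signed
# certificate or a short key is only a WARN, since that is what a default
# install ships; the text above explains when to replace it.
audit_cert_pair() {
    cert=$1; key=$2; days=${3:-30}; rc=0
    [ -r "$cert" ] || { echo "FAIL: cannot read $cert"; return 1; }
    [ -r "$key" ]  || { echo "FAIL: cannot read $key";  return 1; }
    # The public key taken from the cert must equal the one in the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^[^=]*=[[:space:]]*//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^[^=]*=[[:space:]]*//')
    [ "$subj" = "$iss" ] && echo "WARN: $cert is self-signed ($subj)"
    bits=$(openssl x509 -in "$cert" -noout -text | grep -o '([0-9]* bit)' | tr -dc '0-9')
    [ "${bits:-0}" -lt 2048 ] && echo "WARN: $cert carries a ${bits:-?}-bit key"
    if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        echo "FAIL: $cert expires within $days days"; rc=1
    fi
    return $rc
}

# Read the locations from xend-config.sxp ($1, default /etc/xen/xend-config.sxp),
# fall back to the documented /etc/ovs-agent/cert paths, and audit them.
check_xend_relocation_certs() {
    cfg=${1:-/etc/xen/xend-config.sxp}
    key=$(sxp_path "$cfg" xend-relocation-server-ssl-key-file)
    cert=$(sxp_path "$cfg" xend-relocation-server-ssl-cert-file)
    audit_cert_pair "${cert:-/etc/ovs-agent/cert/certificate.pem}" \
                    "${key:-/etc/ovs-agent/cert/key.pem}" "${2:-30}"
}

# Run directly on an Oracle VM Server:  sh check_ovs_certs.sh [config] [days]
if [ "$#" -gt 0 ]; then
    check_xend_relocation_certs "$@"
fi
```

Run it with no arguments from a script that sources it, or pass the config path and minimum days; a non-zero exit means the pair should be regenerated with ovs-agent-keygen or replaced with a trusted certificate.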

If the self-signed certificate expires, you may need to update the certificate keystore. This can be achieved by performing the following steps.

To update the certificate keystore for the VNC RAS Proxy:

  1. Enter the following commands on the Oracle VM Manager host to create the keystore:

    # cd /u01/app/oracle/ovm-manager-3/bin
    # ./secureOvmmTcpGenKeyStore.sh

    You are prompted to enter the following information:

    Generate OVMM TCP over SSL key store by following steps:
    Enter keystore password: password
    Re-enter new password: password
    What is your first and last name?
      [Unknown]:  name
    What is the name of your organizational unit?
      [Unknown]:  unit
    What is the name of your organization?
      [Unknown]:  organization
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  country_code
    Is CN=name, OU=unit, O=organization, L=City, ST=State, C=country_code correct?
      [no]:  yes

    Enter key password for <ovmm>
            (RETURN if same as keystore password): password
    Re-enter new password: password
  2. Use the keystore to enable the TCPS service using the secureOvmmTcp.sh script, which is in the same directory as the keystore script above. On the Oracle VM Manager host, enter:

    # ./secureOvmmTcp.sh

    You are prompted to enter the following information:

    Enabling OVMM TCP over SSL service

    Please enter the OVM manager user name: username
    Please enter the OVM manager user password: password
    Please enter the password for TCPS key store : password
    The job of enabling OVMM TCPS service is committed, please restart OVMM to take effect.

    The TCPS key store password is the keystore password you created with the previous script.
  3. Restart the local Oracle VM Manager instance:

    # /sbin/service ovmm stop
    # /sbin/service ovmm start

2.5.4 Enabling LDAP Authentication on Dom0

In environments with an existing LDAP authentication infrastructure, it may be preferable to enable LDAP authentication on each Oracle VM Server instance, to control and log access attempts on Dom0. This can enhance security for a critical asset (Dom0) for the same reasons that make centralized user control valuable in other contexts.

The packages required for the LDAP client are not included on the Oracle VM Server ISO. Therefore, it is necessary to download and install the packages manually. This section describes the steps required to do this.

Add the public or internal Yum repositories at the Oracle Linux 5u7 level. The most direct way to do this is to follow the instructions at http://public-yum.oracle.com/ for Oracle Linux 5:

# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo

Install the required packages to enable LDAP authentication, as well as any dependencies:

# yum install openldap-clients
# yum install nss_ldap

The installation prompts you to confirm whether you wish to proceed; answer 'y' to continue. The required dependencies are also listed and downloaded. If you intend to copy the package files and install them manually on your server instances, take note of the listed dependencies and ensure that these are also made available on each server where you intend to install the LDAP client.

Once installation is complete, copy the server SSL/TLS certificate to /etc/openldap/cacerts/openldap.pem. Make sure the certificate has the right permissions:

# chmod 644 /etc/openldap/cacerts/openldap.pem

Rehash the CA certificates:

# cacertdir_rehash /etc/openldap/cacerts

Enable LDAP authentication using the authconfig command:

# authconfig-tui

Ensure that LDAP is configured correctly to access your LDAP server. Configuration is specific to your own environment and requirements and falls outside the scope of this document; however, the following example configurations may serve to assist you:

  • /etc/openldap/ldap.conf:

    TLS_CACERTDIR /etc/openldap/cacerts
    BASE dc=example,dc=com
    URI ldap://ldapserver.example.com:389
  • /etc/ldap.conf:

    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts
    base dc=example,dc=com
    uri ldap://ldapserver.example.com:389
    pam_password md5

2.5.5 Setting Up Virtual Machine Access

Oracle VM Manager uses a secure tunnel to protect virtual machine console data traffic across the network. Oracle VM Manager does not make a direct connection but rather uses a VNC proxy and SSL-encrypted tunneling. The virtual machine console is accessed via a client instance of a VNC viewer. The preferred location to install a VNC viewer is on the Oracle VM Manager host server.

Oracle recommends that you install the latest TightVNC package from http://oss.oracle.com/oraclevm/manager/RPMS/

Install TightVNC with this command:

# rpm -ivh tightvnc-java-version.noarch.rpm

Any firewall between Oracle VM Manager and the client accessing a virtual machine needs TCP port 15901 to be open for access to the secure VNC proxy. Any firewall between Oracle VM Manager and the Oracle VM Servers needs TCP ports 6900 and above to be open; one port for each virtual machine. For example, if you have 50 virtual machines, you should allow traffic over TCP ports 6900-6949.

Note

For non-encrypted local VNC connections to virtual machines, TCP ports 5900 and above can be used. SSL encryption is preferred from a security standpoint.

For more details about the installation and use of VNC, see Installing and Configuring Virtual Machine Console Utilities in the Oracle VM Installation and Upgrade Guide.