1.1.2 Security Aspects of Oracle VM

The Oracle VM security architecture, by design, eliminates many security threats. The guidelines for secure deployment of virtualized solutions based on Oracle VM are largely based on network security. As these guidelines are generally applicable, they should always be reviewed for applicability in the context of each implementation and the security requirements and policies of the broader environment in which Oracle VM is deployed.

The following list describes the main aspects of the Oracle VM security architecture:

  • Both Oracle VM Server and Oracle VM Manager provide an Oracle Linux environment that includes an iptables firewall with a default ruleset and policies.

  • Oracle VM Server is a minimalist OS implementation derived from Oracle Linux and uses the Unbreakable Enterprise Kernel (UEK) Release 3 for enhanced performance and scale. By design, it has few moving parts and a minimum of network-exposed services to reduce administrative effort, overhead, and attack surface.

  • Oracle VM Manager 3.3.1 environments may only use the bundled MySQL database which is installed locally on the same host where Oracle VM Manager is installed. Access is restricted to localhost connections and is not remotely accessible. Furthermore, backup processes are automated to assist with recovery in the case of failure. The MySQL database may not be used for any other application outside of Oracle VM Manager.

  • Default installations of Oracle VM Server or Oracle VM Manager do not provide physical security. They can be booted (using runlevel 1 or a rescue CD) and compromised by anyone with access to the physical console. Suitable physical security should be provided to prevent this type of exposure.

  • SSL is used extensively to secure and authenticate communications between Oracle VM Manager and Oracle VM Servers; to secure and authenticate access to the Oracle VM Manager Web Services API; to secure all HTTPS communications; and to secure the network component of a VM migration.

  • The Oracle VM Servers' administrative connection to Oracle VM Manager uses HTTPS by default.

  • OpenSSH, along with public/private key authentication, is fully supported on Oracle VM Server.

  • 802.1Q VLANs are fully supported for segregating VM and dom0 network traffic.

All components of the Oracle VM installation communicate with each other in a secure way. The following list shows, in detail, how each individual line of communication is set up securely; each entry names the communication path and then describes how it is secured:

Browser to Oracle VM Manager GUI

When you log on to Oracle VM Manager, we strongly recommend that you use HTTPS and connect to TCP port 7002, since the user interface expects you to authenticate using a username and password, which must be protected. SSL encrypted communication is available as of version 3.1.1, and regular HTTP connectivity at TCP/7001 is disabled by default. However, it may be enabled via Oracle WebLogic Server for testing and demo purposes.

In Oracle VM 3.3, the SSL certificate that is used for communication encryption is generated by default within Oracle VM Manager and is signed by an internal CA (Certificate Authority) certificate within Oracle VM Manager. Tools are available to replace this certificate with one signed by a trusted third-party CA, if required, or alternatively to obtain the internal CA certificate and add it to your own trusted CA certificates within your web browser or application keystore. This CA certificate can be used to validate the SSL certificate presented when you connect to the HTTPS port for Oracle VM Manager. More information on the tools provided to manage these certificates is provided in the Oracle VM Administrator's Guide.

Oracle VM Manager GUI to Oracle VM Core

The Oracle VM Manager application uses the underlying Web-Services API to communicate with Oracle VM Core, running on the same server. The Web-Services API is exposed on the same HTTPS port as the Oracle VM Manager application, since it is served out of the same process space within Oracle WebLogic Server. All communication is secured using the same SSL certificate that is used to encrypt communications between the Oracle VM Manager GUI and a web-browser. Authentication of the Oracle VM Manager application to Oracle VM Core is achieved using the username and password of the user that authenticated against the user interface front-end.

When the Oracle VM Manager application is started, it makes a connection to the Oracle VM Core Web-Services API to populate the GUI model and to periodically poll for events to keep the GUI model up-to-date. Authentication of the Oracle VM Manager application to Oracle VM Core for this purpose is achieved using an SSL certificate. This certificate is generated during the installation of Oracle VM Manager. The certificate is signed and registered by the internal CA, which is used by Oracle VM Core to validate and authenticate connections from the Oracle VM Manager application. The public certificate for this certificate-key pair is stored in a Java truststore available to the Oracle VM Core. The private key for this certificate is stored within a secure Java keystore within the Oracle VM Manager application.

Web Services to Oracle VM Core

Oracle VM Core offers a web services API (WSAPI) that provides both SOAP and REST endpoints exposed via HTTPS on TCP port 7002. Communications are encrypted using the same SSL certificate that is used to encrypt communications between the Oracle VM Manager GUI and a web browser. It is possible to register and sign a certificate to perform certificate-based authentication with Oracle VM Core using the keytool management application described in Setting up SSL on Oracle VM Manager in the Oracle VM Administrator's Guide, or programmatically using the methods provided by the WSAPI itself, as discussed in Certificate Management for Certificate-based Authentication Using SOAP in the Oracle VM Web Services API Developer's Guide. When creating a certificate to use for authentication purposes, it is highly advisable that the certificate key is generated with an adequate passphrase, and that the certificate and key are stored either in a passphrase-protected keystore, or in a protected area on the file system with access permissions limited to the user that intends to use them.

Client to CLI

The Oracle VM Manager Command Line Interface (CLI) is officially supported as of version 3.2.1. The client connects to the CLI, which runs on the Oracle VM Manager host, using SSH over port TCP/10000. A public key can be set up in the SSH server in order to allow CLI users to log on automatically without having to enter credentials each time. If this approach is used, it is recommended that a passphrase is still set for the private key and that an SSH Agent is used to handle the authentication of the key for repeated requests. The private key must be stored in a secure location on the file system with access permissions limited to the user that intends to use it.

CLI to Oracle VM Core

The Oracle VM Manager Command Line Interface (CLI) communicates with Oracle VM Core via the Web-Services API on TCP/7002 using HTTPS. Communications are encrypted using the same SSL certificate that is used to encrypt communications between the Oracle VM Manager GUI and a web-browser. Authentication of the CLI to Oracle VM Core is achieved using the username and password of the user that authenticated against the user interface front-end.

Oracle VM Agent to Oracle VM Core

The Oracle VM Agents running on the Oracle VM Servers use SSL encryption to communicate with Oracle VM Core via TCP/7002 (HTTPS) through the WSAPI. Authentication is achieved using an SSL certificate registered for the Oracle VM Agent when ownership is taken. The API access is limited to the type of communications that the Agent has with Oracle VM Core, such as the notification of events and the provision of statistical information.

Oracle VM Core to Oracle VM Agent

Oracle VM Core, in turn, uses TCP/8899 to communicate with the Oracle VM Agents in the environment. The protocol is also HTTPS. Oracle VM Core initially authenticates itself to the Oracle VM Agent using a username and password combination during the process of taking ownership of the Oracle VM Server. Once the Oracle VM Core has been authenticated by the Oracle VM Agent, an additional SSL certificate is exchanged so that the Oracle VM Agent can perform future authentication of the Oracle VM Core using an SSL certificate-key pair, and vice versa.

VNC and Serial Console Access

Oracle VM Manager opens a secure SSL-encrypted connection to the VNC server that is created by the Xen hypervisor for each remote virtual machine running on an Oracle VM Server. These are accessed on the Oracle VM Server on TCP ports 6900 and up. Connections from client web-browsers take advantage of the noVNC console that is provided within the Oracle VM Manager web user interface. This connection uses the same TCP 7002 port as used to access the web user interface, and this is secured using the same SSL certificate.

For serial console connections, Oracle VM Manager opens a secure SSL-encrypted connection to the serial terminal exported for each remote virtual machine running on an Oracle VM Server. These are accessed on the Oracle VM Server on TCP ports 10000 and up. Connections from client web-browsers take advantage of the jsTerm terminal emulator that is provided within the Oracle VM Manager web user interface. This connection uses the same TCP 7002 port as used to access the web user interface, and this is secured using the same SSL certificate.

Live Migration

Traffic related to live migration of virtual machines uses separate ports: TCP/8002 for non-encrypted and TCP/8003 for SSL-encrypted (TCPS) live migration. Secure live migration is a setting the user needs to switch on in the server pool properties as required. Based on this setting, Oracle VM Manager initiates SSL or non-SSL migration of the running virtual machine. For optimized security and performance, consider further network segregation by creating a separate network for live migration.

Oracle VM Agent Certificate

At installation, the Oracle VM Agent generates an SSL key and matching certificate. The properties are:

  • key algorithm: RSA.

  • private key size: 2048 bits.

  • certificate data management: according to X.509 standard.

  • location of the SSL key and certificate: /etc/ovs-agent/cert.

By default, VNC traffic, virtual machine migration traffic and Oracle VM Agent communications are all secured using the same SSL key and certificate. The administrator can regenerate the key/certificate combination via the Oracle VM Server command line by means of this command: ovs-agent-keygen. It is technically possible to use separate SSL keys and certificates for Oracle VM Agent communications and for secure virtual machine migration. Note that changing the SSL key and certificate combination on a server requires that the server is released from ownership by Oracle VM Manager, and that you take ownership of the server again after the operation is completed.

During the process where an Oracle VM Manager instance takes ownership of the Oracle VM Server, the public certificate used by the Oracle VM Agent is exchanged with Oracle VM Manager and is signed and registered with the Oracle VM Manager instance using an internal CA certificate. A new key is generated and provided to the Oracle VM Agent. This key and the signed certificate are used to authenticate and secure subsequent communications with Oracle VM Manager.

Other traffic

In an Oracle VM environment, the Oracle VM Manager host is frequently used as the reference to provide time synchronization. In this case, an inbound connection from all Oracle VM Servers to UDP port 123 is required for NTP traffic.

Oracle VM Servers in a clustered server pool use an OCFS2 pool file system and require a heartbeat network function to determine the status of each cluster member. The port used for this specific type of traffic is TCP/7777.

Some external applications may continue to use the legacy API, which is available on TCP/54322 and is secured using SSL. This API is due to be deprecated, and applications currently making use of it may need to be upgraded in the future. If you are not using any other applications outside of Oracle VM itself [a] to perform management within your environment, you should ensure that access to this port is disabled in your firewall rules.

[a] Some of the unsupported Oracle VM Utilities described in the Oracle VM Administrator's Guide may still use this API but if you run them locally, on the same host where Oracle VM Manager is installed, you may still close access on the firewall.
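The port table above, together with the advice to close the legacy API port, lends itself to a listener audit. The following POSIX shell script is an added example, not part of the Oracle VM documentation or product: it classifies the TCP listeners of a Manager host and of a Server host against the documented ports, flagging plain HTTP (7001), the legacy API (54322), MySQL bound to anything but localhost, and non-encrypted migration (8002). The `ss -H -ltn`-style snapshots are constructed, and the VNC/serial ranges (6900 to 6999, 10000 to 10999) are an assumption, since the page only says "and up".

```shell
# Constructed samples in `ss -H -ltn` column order: State Recv-Q Send-Q Local Peer.
MANAGER_SAMPLE='LISTEN 0 128 *:7002 *:*
LISTEN 0 128 *:7001 *:*
LISTEN 0 128 0.0.0.0:3306 *:*
LISTEN 0 128 *:10000 *:*
LISTEN 0 128 *:54322 *:*'
SERVER_SAMPLE='LISTEN 0 128 *:8899 *:*
LISTEN 0 128 *:6900 *:*
LISTEN 0 128 *:8002 *:*
LISTEN 0 128 *:8003 *:*
LISTEN 0 128 *:7777 *:*'

# ovm_classify ROLE ADDR PORT: verdict for one listener, per the documented port table.
# Range caps for VNC (6900+) and serial (10000+) consoles are an assumption.
ovm_classify() {
  role=$1; addr=$2; port=$3
  case "$role:$port" in
    manager:7002)  echo "expected HTTPS: GUI, WSAPI, CLI backend, noVNC/jsTerm" ;;
    manager:7001)  echo "risky plain HTTP: disabled by default, only for test/demo" ;;
    manager:10000) echo "expected CLI over SSH" ;;
    manager:54322) echo "risky legacy API: close unless an external app still needs it" ;;
    manager:3306)  case "$addr" in
                     127.0.0.1|'[::1]') echo "expected bundled MySQL on localhost" ;;
                     *) echo "risky MySQL bound to $addr: must be localhost only" ;;
                   esac ;;
    server:8899)   echo "expected Oracle VM Core -> Agent (HTTPS)" ;;
    server:8003)   echo "expected SSL-encrypted live migration" ;;
    server:8002)   echo "risky non-encrypted live migration: enable secure migration in the pool" ;;
    server:7777)   echo "expected OCFS2 heartbeat" ;;
    server:*)      if [ "$port" -ge 6900 ] && [ "$port" -le 6999 ]; then echo "expected VNC console"
                   elif [ "$port" -ge 10000 ] && [ "$port" -le 10999 ]; then echo "expected serial console"
                   else echo "unlisted: review against local policy"; fi ;;
    *)             echo "unlisted: review against local policy" ;;
  esac
}

# ovm_audit ROLE: reads listener lines on stdin and prints "PORT verdict" per socket.
ovm_audit() {
  while read -r state rq sq laddr peer; do
    [ -n "$laddr" ] || continue
    ovm_classify "$1" "${laddr%:*}" "${laddr##*:}" | sed "s/^/${laddr##*:} /"
  done
}

# ovm_risky_count ROLE: number of risky sockets in that role's constructed sample.
ovm_risky_count() {
  case "$1" in manager) s=$MANAGER_SAMPLE ;; *) s=$SERVER_SAMPLE ;; esac
  printf '%s\n' "$s" | ovm_audit "$1" | grep -c ' risky '
}
```

On a real host, replace the sample with `ss -H -ltn | ovm_audit manager` (or `server`) and follow up any "risky" or "unlisted" line in the firewall rules.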