2.5. Oracle VM Post-Installation Configuration

2.5.1. Adding a Trusted CA Certificate and Keystore for SSL Encryption
2.5.2. Securing Oracle VM Agent Communications with a Certificate
2.5.3. Changing Certificate Settings for VNC and Live Migration
2.5.4. Enabling Secure TCP Connectivity to Oracle VM Manager
2.5.5. Setting Up Virtual Machine Access

The purpose of this section is to describe any security configuration changes that must be made after installation. However, the installers for Oracle VM components have been designed to mimimize security risks by default, so potential issues are addressed automatically during the installation procedure. Some general security considerations are listed here:

2.5.1. Adding a Trusted CA Certificate and Keystore for SSL Encryption

To create a secure production environment you need to obtain and install a trusted certificate from a Certificate Authority (CA). Oracle VM Manager runs on Oracle WebLogic Server, and Oracle WebLogic provides the interface for updating the digital certificate and keystore. To add a trusted CA certificate and keystore, see the procedure set out in the Oracle WebLogic documentation:


Two variables are mentioned in this procedure that you need to know when installing the certificate. The values for these variables in Oracle VM Manager are:

$JAVA_HOME\jre\lib\security   /u01/app/oracle/java/jre/lib/security
$WL_HOME\server\lib           /u01/app/oracle/Middleware/wlserver_10.3/server/lib 

Oracle VM has SSL enabled by default, and installs with a self-signed CA certificate. If you connect to Oracle VM Manager over HTTPS at TCP port 7002, you will receive a warning because your browser cannot verify the identity of Oracle VM Manager and considers the connection untrusted. It is recommended that you obtain a certificate from an official Certificate Authority, as described in this section and in the Oracle WebLogic documentation.

To access the Oracle WebLogic Server console, enter:

  • https://hostname:7002/console -or-

  • http://hostname:7001/console (HTTP is disabled by default in Release 3.2.1)

Log in with the user weblogic and the password you set during the Oracle VM Manager installation.

2.5.2. Securing Oracle VM Agent Communications with a Certificate

Communications between Oracle VM Agents and Oracle VM Manager are SSL-encrypted using an RSA algorithm and 1024-bit private key. The relevant files are located in /etc/ovs-agent/cert:

  • certificate.pem

  • key.pem

  • request.pem

To replace the default self-signed certificate with your own trusted certificate, replace the certificate file.

To generate a new certificate and key files, log on to an Oracle VM Server and execute the command ovs-agent-keygen. The command is used as follows:

# ovs-agent-keygen -h
Usage: ovs-agent-keygen [OPTION]
Generate SSL certificate and key files for Oracle VM Agent XMLRPC Server.
-f, --force      override existing files
-v, --version    show version number and exit
-h, --help       show this help message and exit

The generated files are placed in the directory mentioned above. If you use the "-f" option, the existing files are overwritten.


The Oracle VM Agent password, which you set during the installation of the Oracle VM Servers, can be modified by an administrator via Oracle VM Manager. For details, see Changing Oracle VM Agent Passwords on Oracle VM Servers.

2.5.3. Changing Certificate Settings for VNC and Live Migration

In a default Oracle VM installation, VNC and Live Migration traffic are secured with the same certificate as the one used for Oracle VM Agent communications. If required by your security policy, you can use a different certificate by specifying the appropriate location in the configuration file /etc/xen/xend-config.sxp. More specifically, you must look up the section below in the configuration file and change the location parameters of the certificate and key files:

# SSL key and certificate to use for the ssl relocation interface, if 
#   xend-relocation-ssl-server is set.
(xend-relocation-server-ssl-key-file /etc/ovs-agent/cert/key.pem)
(xend-relocation-server-ssl-cert-file /etc/ovs-agent/cert/certificate.pem)

2.5.4. Enabling Secure TCP Connectivity to Oracle VM Manager

By default, an instance of the Oracle VM Manager UI can only log into its own core (the API layer). In some situations you may want to log in from a remote location to Oracle VM Manager's core; for example: when using Oracle Enterprise Manager to mange the Oracle VM environment. To enable this, you must perform some set up on the Oracle VM Manager host to allow remote log ins.


Once secure TCP connectivity has been configured, it cannot be disabled again. There are no remote (regular) TCP connections allowed.

Figure 2.1. Oracle VM Manager remote log in

This diagram illustrates both local and remote log in to Oracle VM Manager. Local log ins use the TCP protocol, and remote log ins use the TCPS protocol.

If remote logins are configured, a remote instance of Oracle VM Manager can log into the local instance and interact with all the objects the local instance owns and manages. If you want to enable remote management of your Oracle VM environment, you set up remote TCPS authentication. To do this you must first generate a keystore, then use it to enable remote TCPS connections.

To enable TCPS connections from a remote Oracle VM Manager:

  1. Enter the following commands on the Oracle VM Manager host to create the keystore:

    # cd /u01/app/oracle/ovm-manager-3/bin
    # ./secureOvmmTcpGenKeyStore.sh

    You are prompted to enter the following information:

    Generate OVMM TCP over SSH key store by following steps:
    Enter keystore password: password
    Re-enter new password: password
    What is your first and last name?
      [Unknown]:  name     
    What is the name of your organizational unit?
      [Unknown]:  unit       
    What is the name of your organization?
      [Unknown]:  organization
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  country_code
    Is CN=name, OU=unit, O=organization, L=City, ST=State, C=country_code correct?
      [no]:  yes
    Enter key password for <ovmm> 
            (RETURN if same as keystore password): password
    Re-enter new password: password
  2. Use the keystore to enable the TCPS service using the secureOvmmTcp.sh script, which is in the same directory as the keystore script above. On the Oracle VM Manager host, enter:

    # ./secureOvmmTcp.sh

    You are prompted to enter the following information:

    Enabling OVMM TCP over SSH service
    Please enter the OVM manager user name: username            The local Oracle VM Manager
                                                                      username to use
    Please enter the OVM manager user password: password        The local Oracle VM Manager 
                                                                      password to use
    Please enter the password for TCPS key store : password     The keystore password created 
                                                                       in the previous script
    The job of enabling OVMM TCPS service is committed, please restart OVMM to take effect.

    The username and password entered here are the local Oracle VM Manager authentication credentials to use when logging in from the remote Oracle VM Manager instance.

  3. Restart the local Oracle VM Manager instance:

    # /sbin/service ovmm stop
    # /sbin/service ovmm start
  4. In the (remote) Oracle VM Manager UI, enable the Management Server URI field as follows: in the Tools and Resources tab, go to Preferences, select Show Management Server URI, and click Apply.

  5. Log out of the current Oracle VM Manager UI session. You can now connect to a remotely running Oracle VM Manager. In the Oracle VM Manager UI login screen, enter the Management Server URI in the top right corner:


    Using the username and password you enabled with the secureOvmmTcp.sh script.

If you preform an upgrade from Oracle VM Manager 3.0.x to Oracle VM Manager 3.1.1, the scripts above are not included. You should download the scripts by searching the patch 14067211 from the My Oracle Support website at: https://updates.oracle.com/ARULink/PatchDetails/process_form? patch_num=14067211.

Alternatively you can use Java keytool and Oracle VM Utilities which provide more configuration options. For information on configuring secure TCP (TCPS) for Oracle VM Manager, see the My Oracle Support website at: https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1456338.1.

2.5.5. Setting Up Virtual Machine Access

Oracle VM Manager uses a secure tunnel to protect virtual machine console data traffic across the network. Oracle VM Manager does not make a direct connection but rather uses a VNC proxy and SSL-encrypted tunneling. The virtual machine console is accessed via a client instance of a VNC viewer. The preferred location to install a VNC viewer is on the Oracle VM Manager host server.

Oracle recommends that you install the latest TightVNC package from http://oss.oracle.com/oraclevm/manager/RPMS/

Install TightVNC with this command:

# rpm -ivh tightvnc-java-version.noarch.rpm

Any firewall between Oracle VM Manager and the client accessing a virtual machine needs TCP port 15901 to be open for access to the secure VNC proxy. Any firewall between Oracle VM Manager and the Oracle VM Servers needs TCP ports 6900 and above to be open; one port for each virtual machine. For example, if you have 50 virtual machines, you should allow traffic over TCP ports 6900-6949.


For non-encrypted local VNC connections to virtual machines, TCP ports 5900 and above can be used. SSL encryption is preferred from a security standpoint.

For more details about the installation and use of VNC, see Installing and Configuring a VNC Viewer in the Oracle VM Installation and Upgrade Guide.