The purpose of this section is to describe any security configuration changes that must be made after installation. However, the installers for Oracle VM components have been designed to minimize security risks by default, so potential issues are addressed automatically during the installation procedure. Some general security considerations are listed here:
It is good practice to remove or disable components that are not needed in a given type of deployment. However, Oracle VM is based on a lightweight, optimized version of Oracle Linux: obsolete packages and components are simply not included in the installation media.
Installation requires the creation and assignment of superusers and root passwords so that software can be installed and configured. As soon as the installation and configuration tasks have been completed, it is recommended that you create individual user accounts for each Oracle VM administrator. Consider disabling root access where possible.
Weak or plain-text protocols, such as FTP or standard HTTP, must be disabled by default. For demo and testing purposes it would be acceptable to use them, but you must always be aware that this is insecure. Communications between Oracle VM components are properly secured by default. Oracle VM Manager and the Oracle VM Servers communicate via the Oracle VM Agents, and all agent communication is SSL-encrypted. Access to the Oracle VM Manager is configured to use HTTPS by default. To add a trusted CA certificate, follow the detailed instructions in Section 2.5.1, “Adding a Trusted CA Certificate and Keystore for SSL Encryption”. Additional instructions for the configuration of certificates are also included in this section.
Any files that may contain sensitive information should have restrictive file permissions by default. These files include audit logs, password files and configuration. Oracle VM is configured in such a way that no sensitive data, for example clear text passwords, can be disclosed in any logs or temporary files. File permissions are kept strict by default to prevent unauthorized access, and encryption is applied where required.
Access to the physical servers is tightly restricted by default, which implies that the risk of information being compromised is very small. Therefore, sensitive data such as log files, password files and configuration data are generally well protected in an Oracle VM environment. After successful installation or upgrade of Oracle VM Manager, be sure to remove the log files from /tmp, as instructed by the installer.
To create a secure production environment you need to obtain and install a trusted certificate from a Certificate Authority (CA). Oracle VM Manager runs on Oracle WebLogic Server, and Oracle WebLogic provides the interface for updating the digital certificate and keystore. To add a trusted CA certificate and keystore, see the procedure set out in the Oracle WebLogic documentation:
Two variables are mentioned in this procedure that you need to know when installing the certificate. The values for these variables in Oracle VM Manager are:
$JAVA_HOME\jre\lib\security    /u01/app/oracle/java/jre/lib/security
$WL_HOME\server\lib            /u01/app/oracle/Middleware/wlserver_10.3/server/lib
Oracle VM has SSL enabled by default, and installs with a self-signed CA certificate. If you connect to Oracle VM Manager over HTTPS at TCP port 7002, you will receive a warning because your browser cannot verify the identity of Oracle VM Manager and considers the connection untrusted. It is recommended that you obtain a certificate from an official Certificate Authority, as described in this section and in the Oracle WebLogic documentation.
To access the Oracle WebLogic Server console, enter:
https://hostname:7002/console
-or-
http://hostname:7001/console (HTTP is disabled by default in Release 3.2.1)
Log in with the user weblogic and the password you set during the Oracle VM Manager installation.
Communications between Oracle VM Agents and Oracle VM Manager are SSL-encrypted using an RSA algorithm and 1024-bit private key. The relevant files are located in /etc/ovs-agent/cert:
certificate.pem
key.pem
request.pem
To replace the default self-signed certificate with your own trusted certificate, replace the certificate file.
To generate a new certificate and key files, log on to an Oracle VM Server and execute the command ovs-agent-keygen. The command is used as follows:
# ovs-agent-keygen -h
Usage: ovs-agent-keygen [OPTION]

Generate SSL certificate and key files for Oracle VM Agent XMLRPC Server.

Options:
  -f, --force    override existing files
  -v, --version  show version number and exit
  -h, --help     show this help message and exit
The generated files are placed in the directory mentioned above. If you use the "-f" option, the existing files are overwritten.
As of Oracle VM 3.3.1, the Oracle VM Agent password is only used for authentication during the initial discovery process. Thereafter, all authentication between the Oracle VM Manager and Oracle VM Agent is achieved using certificates. This approach improves security and helps to limit access to the Oracle VM Agent to the Oracle VM Manager instance that has ownership of the Oracle VM Server where the agent is running.
If you are using a version of Oracle VM prior to 3.3.1, you may wish to change the Oracle VM Agent password on occasion. The Oracle VM Manager user interface provides an option to batch change the Oracle VM Agent password for all of the servers within a server pool. You can find out more about this option within the Oracle VM User's Guide for your particular version of Oracle VM. This option is no longer available in version 3.3.1, due to the change of authentication mechanism.
In a default Oracle VM installation, VNC and Live Migration traffic are secured with the same certificate as the one used for Oracle VM Agent communications. If required by your security policy, you can use a different certificate by specifying the appropriate location in the configuration file /etc/xen/xend-config.sxp. More specifically, you must look up the section below in the configuration file and change the location parameters of the certificate and key files:
# SSL key and certificate to use for the ssl relocation interface, if
# xend-relocation-ssl-server is set.
(xend-relocation-server-ssl-key-file /etc/ovs-agent/cert/key.pem)
(xend-relocation-server-ssl-cert-file /etc/ovs-agent/cert/certificate.pem)
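The check below is an added example, not part of Oracle's documentation or tooling: it reads the two relocation settings shown above from a xend-config.sxp file and confirms that the files they name exist and that the key is accessible to its owner only. The function names and the owner-only rule for the key are assumptions of this example, and the demo at the end runs against constructed throw-away files.

```shell
#!/bin/sh
# Added example: audit the key/certificate paths that xend-config.sxp names
# for the SSL relocation (Live Migration) interface.

# Print the value of an S-expression setting such as
#   (xend-relocation-server-ssl-key-file /path/to/key.pem)
# Commented-out lines are ignored; the last active occurrence wins.
sxp_value() {    # $1 = config file, $2 = setting name
    sed -n "s|^[[:space:]]*($2[[:space:]][[:space:]]*\([^)[:space:]]*\)[[:space:]]*).*|\1|p" "$1" |
        tail -n 1
}

# Succeeds when the file exists and group/other have no permission bits set.
# Assumption of this example: a private key should be owner-only.
owner_only() {   # $1 = file
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when both files exist and the key is owner-only; prints findings.
audit_relocation_tls() {   # $1 = path to xend-config.sxp
    rc=0
    key=$(sxp_value "$1" xend-relocation-server-ssl-key-file)
    cert=$(sxp_value "$1" xend-relocation-server-ssl-cert-file)
    [ -n "$key" ]  || { echo "FAIL: no key file configured"; rc=1; }
    [ -n "$cert" ] || { echo "FAIL: no certificate file configured"; rc=1; }
    if [ -n "$cert" ] && [ ! -f "$cert" ]; then
        echo "FAIL: certificate $cert does not exist"; rc=1
    fi
    if [ -n "$key" ] && ! owner_only "$key"; then
        echo "FAIL: key $key is missing or accessible to group/other"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key=$key cert=$cert"
    return "$rc"
}

# Constructed demo: a sample config pointing at throw-away files.
demo=$(mktemp -d)
: > "$demo/certificate.pem"; : > "$demo/key.pem"
chmod 644 "$demo/certificate.pem"; chmod 600 "$demo/key.pem"
cat > "$demo/xend-config.sxp" <<EOF
# (xend-relocation-server-ssl-key-file /old/key.pem)
(xend-relocation-server-ssl-key-file $demo/key.pem)
(xend-relocation-server-ssl-cert-file $demo/certificate.pem)
EOF
audit_relocation_tls "$demo/xend-config.sxp"
```

On an Oracle VM Server, call audit_relocation_tls /etc/xen/xend-config.sxp after changing the certificate location.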
If the self-signed certificate expires, you may need to update the certificate keystore. This can be achieved by performing the following steps.
To update the certificate keystore for the VNC RAS Proxy:
Enter the following commands on the Oracle VM Manager host to create the keystore:
# cd /u01/app/oracle/ovm-manager-3/bin
# ./secureOvmmTcpGenKeyStore.sh
You are prompted to enter the following information:
Generate OVMM TCP over SSL key store by following steps:
Enter keystore password: password
Re-enter new password: password
What is your first and last name? [Unknown]: name
What is the name of your organizational unit? [Unknown]: unit
What is the name of your organization? [Unknown]: organization
What is the name of your City or Locality? [Unknown]: City
What is the name of your State or Province? [Unknown]: State
What is the two-letter country code for this unit? [Unknown]: country_code
Is CN=name, OU=unit, O=organization, L=City, ST=State, C=country_code correct? [no]: yes
Enter key password for <ovmm> (RETURN if same as keystore password): password
Re-enter new password: password
Use the keystore to enable the TCPS service using the secureOvmmTcp.sh script, which is in the same directory as the keystore script above. On the Oracle VM Manager host, enter:
# ./secureOvmmTcp.sh
You are prompted to enter the following information:
Enabling OVMM TCP over SSL service
Please enter the OVM manager user name: username
Please enter the OVM manager user password: password
Please enter the password for TCPS key store : password (the keystore password created in the previous script)
The job of enabling OVMM TCPS service is committed, please restart OVMM to take effect.
Restart the local Oracle VM Manager instance:
# /sbin/service ovmm stop
# /sbin/service ovmm start
In environments with an existing LDAP authentication infrastructure, it may be preferable to enable LDAP authentication on each Oracle VM Server instance, to control and log access attempts on Dom0. This can enhance security for a critical asset (Dom0) for the same reasons that make centralized user control valuable in other contexts.
The packages required for the LDAP client are not included on the Oracle VM Server ISO. Therefore, it is necessary to download and install the packages manually. This section describes the steps required to do this.
Add the public or internal Yum repositories at the Oracle Linux 5u7 level. The most direct way to do this is to follow the instructions at http://public-yum.oracle.com/ for Oracle Linux 5:
# cd /etc/yum.repos.d
# wget http://public-yum.oracle.com/public-yum-el5.repo
Install the required packages to enable LDAP authentication, as well as any dependencies:
# yum install openldap-clients
# yum install nss_ldap
The installation prompts you to confirm whether you wish to proceed; respond by entering 'y' at the prompt. The required dependencies are also listed and downloaded. If you intend to copy the package files and install them manually on your server instances, take note of the listed dependencies and ensure that these are also made available on each server where you intend to install the LDAP client.
Once installation is complete, copy the server SSL/TLS certificate to /etc/openldap/cacerts/openldap.pem. Make sure the certificate has the right permissions:
# chmod 644 /etc/openldap/cacerts/openldap.pem
Rehash the CA certificates:
# cacertdir_rehash /etc/openldap/cacerts
Enable LDAP authentication using the authconfig command:
# authconfig-tui
Ensure that LDAP is configured correctly to access your LDAP server. Configuration is specific to your own environment and requirements and falls outside the scope of this document; however, the following example configurations may assist you:
/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
BASE dc=example,dc=com
URI ldap://ldapserver.example.com:389
/etc/ldap.conf:
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
base dc=example,dc=com
uri ldap://ldapserver.example.com:389
pam_password md5
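The script below is an added example, not part of Oracle's documentation: it checks that a client configuration in the /etc/ldap.conf format shown above never reaches the directory in clear text, that is, every ldap:// URI is paired with "ssl start_tls" and tls_cacertdir names an existing directory. The function names are assumptions of this example, as is the extra check that flags an explicit "tls_checkpeer no"; the demo uses a constructed copy of the sample configuration.

```shell
#!/bin/sh
# Added example: audit an nss_ldap/pam_ldap client config (/etc/ldap.conf)
# for settings that would let Dom0 logins cross the network unprotected.

# Print the last value of a directive (case-insensitive); comments are skipped
# because their first field never equals the directive name.
conf_value() {   # $1 = file, $2 = directive in lower case
    awk -v k="$2" 'tolower($1) == k { v = $2 } END { print v }' "$1"
}

# Returns 0 when every URI is ldaps:// or ldap:// with "ssl start_tls",
# tls_cacertdir is an existing directory and peer checking is not disabled.
audit_ldap_conf() {   # $1 = path to ldap.conf
    rc=0
    ssl=$(conf_value "$1" ssl)
    cadir=$(conf_value "$1" tls_cacertdir)
    peer=$(conf_value "$1" tls_checkpeer)
    uris=$(awk 'tolower($1) == "uri" { for (i = 2; i <= NF; i++) print $i }' "$1")
    [ -n "$uris" ] || { echo "FAIL: no uri directive"; rc=1; }
    for u in $uris; do
        case "$u" in
            ldaps://*) ;;
            ldap://*) [ "$ssl" = "start_tls" ] ||
                { echo "FAIL: $u is used without ssl start_tls"; rc=1; } ;;
            *) echo "FAIL: $u is neither ldap:// nor ldaps://"; rc=1 ;;
        esac
    done
    [ -n "$cadir" ] && [ -d "$cadir" ] || { echo "FAIL: tls_cacertdir not usable: '$cadir'"; rc=1; }
    [ "$peer" != "no" ] || { echo "FAIL: tls_checkpeer no disables server verification"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Constructed demo: the sample /etc/ldap.conf from this section, with
# tls_cacertdir redirected to a throw-away directory so it runs anywhere.
ldapdemo=$(mktemp -d)
mkdir "$ldapdemo/cacerts"
cat > "$ldapdemo/ldap.conf" <<EOF
ssl start_tls
tls_cacertdir $ldapdemo/cacerts
base dc=example,dc=com
uri ldap://ldapserver.example.com:389
pam_password md5
EOF
audit_ldap_conf "$ldapdemo/ldap.conf"
```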
Oracle VM Manager uses a secure tunnel to protect virtual machine console data traffic across the network. Oracle VM Manager does not make a direct connection but rather uses a VNC proxy and SSL-encrypted tunneling. The virtual machine console is accessed via a client instance of a VNC viewer. The preferred location to install a VNC viewer is on the Oracle VM Manager host server.
Oracle recommends that you install the latest TightVNC package from http://oss.oracle.com/oraclevm/manager/RPMS/
Install TightVNC with this command:
# rpm -ivh tightvnc-java-version.noarch.rpm
Any firewall between Oracle VM Manager and the client accessing a virtual machine needs TCP port 15901 to be open for access to the secure VNC proxy. Any firewall between Oracle VM Manager and the Oracle VM Servers needs TCP ports 6900 and above to be open; one port for each virtual machine. For example, if you have 50 virtual machines, you should allow traffic over TCP ports 6900-6949.
For non-encrypted local VNC connections to virtual machines, TCP ports 5900 and above can be used. SSL encryption is preferred from a security standpoint.
For more details about the installation and use of VNC, see Installing and Configuring Virtual Machine Console Utilities in the Oracle VM Installation and Upgrade Guide.