2.5 Authentication and Encryption in Oracle VM

Since there are a number of inter-related components that make up the Oracle VM environment, and each of these components must be able to communicate with each other, it is important to understand how each component authenticates itself to another, and how communications are secured. To explain this, we need to first identify the different interactions and communications channels that each component uses. These are presented in the list below:

  • Internal component communications within Oracle VM Manager (for example, MySQL, WebLogic, the Oracle VM Manager application, and so on).

  • Oracle VM Manager communications with Oracle VM Servers via Oracle VM Agent.

  • Web-browser communications with Oracle VM Manager using the web-based user interface.

  • Client application communications with Oracle VM Manager via the Web Services API (command line interface, custom scripts and applications, utilities, and so on).

In this section, we discuss the authentication and encryption of these interactions in some detail. Further information is available in the Oracle VM Security Guide.

Internal component interactions

Oracle VM Manager is comprised of a number of different software components running on a single system. These include a MySQL database, an Oracle WebLogic Server that also includes the Application Development Framework (ADF) and the Oracle VM Manager application itself. Since each of these processes runs on the same system, there is no requirement to encrypt communications between them. However, authentication of each component is critical, to ensure that each process performing an interaction is legitimate.

During installation of Oracle VM Manager, a single password is set for all components. This password is used to authenticate communications between each process. The password used by Oracle Oracle WebLogic Server and the Oracle VM Manager application to access the MySQL database is stored in a secure keystore.

The same password is used for the administrative user to access the Oracle VM Manager application, via the web-based user interface, the command-line user interface or the web-services API. There are options within the product to change the password for the administrative user or to create additional user and password combinations to access the application. These are discussed in the Oracle VM Administrator's Guide.

Changing the password of the administrative user does not change the password used to authenticate to the Oracle WebLogic Server or MySQL database, and the original password is always used by the Oracle VM Manager application in its interactions with these. Therefore, it is important that this password is always kept safe and that this password properly complies with your security requirements.

Oracle VM Manager and Oracle VM Server Interactions

All communications between Oracle VM Manager and any Oracle VM Server are achieved via the Oracle VM Agent running on the Oracle VM Server. To help keep traffic segregated as far as possible, to improve security and to limit the impact of particular network transactions on each other, Oracle VM introduces the concept of dedicated network channels. By default, a single network channel known as the Management Network is created to facilitate all kinds of traffic between Oracle VM Manager and Oracle VM Servers, and between Oracle VM Servers themselves. Traffic can be further segregated according to different functions, to improve security and performance. See Section 5.6, “How are Network Functions Separated in Oracle VM?” for more information. Since these communications take place over a network, they are secured using an SSL certificate. Furthermore, the Oracle VM Manager instance must authenticate itself to the Oracle VM Server as the Oracle VM Manager instance that has ownership of that server.

For this reason, the Oracle VM Manager application creates and manages its own keystores containing various certificates and keys that are used for authentication and encryption purposes. Significantly, Oracle VM Manager generates its own Certificate Authority (CA) certificate and key that it uses to sign and validate certificates used within the infrastructure.

When Oracle VM Manager first takes ownership of an Oracle VM Server, it connects to the server via an SSL certificate that the server accepts to encrypt communications. During the ownership process, the user must provide the password that is set for the Oracle VM Agent. If the Oracle VM Server is already under the ownership of another Oracle VM Manager instance, the request to take ownership fails. Otherwise, the password is used to authenticate the Oracle VM Manager to the server. During this process, Oracle VM Manager uses its CA certificate to sign an SSL certificate and key that it provides to the server to authenticate future communications from the Oracle VM Manager instance.

From this point onwards, all authentication between Oracle VM Manager and the Oracle VM Server is achieved using SSL certificates. If a situation arises where the server is unable to validate or authenticate the certificate used by Oracle VM Manager, Oracle VM Manager must take ownership of the server again so that a new certificate and key pair can be exchanged.

The password for the Oracle VM Agent on a server can be reset when releasing ownership, using the web-based user interface, or can be reset for any server under the current ownership of Oracle VM Manager using the command line interface or Web Services API.

All certificate management for this process occurs internally within the application and does not require any user intervention at all.

Oracle VM Manager Web Interface

When a user connects to the Oracle VM Manager web-based user interface, this is achieved using an HTTPS connection secured with an SSL certificate. The user is still expected to authenticate using a plain text username and password on the Oracle VM Manager user interface login page. The SSL certificate is used to encrypt communications between the user's web-browser application and the Oracle VM Manager web application.

The SSL certificate that is used for this is automatically generated during the installation of Oracle VM Manager. The user may receive a certificate validation warning within the web-browser if the internal Oracle VM Manager CA certificate is not installed as a trusted certificate within the browser.

Oracle VM Manager provides tools to either obtain the CA certificate so that this can be installed within the web-browser, or to substitute the default SSL certificate with an alternate certificate that is signed by a trusted third-party CA. If you opt to do this, the SSL certificate hostname must match the fully qualified domain name of the Oracle VM Manager server and must be the same as the hostname that is used by your users to access the Oracle VM Manager web-based user interface.

More information on configuring this SSL certificate, or on obtaining the internal CA certificate, is provided in the Oracle VM Administrator's Guide.

Oracle VM Manager Web Services API interactions

All client applications, including the Oracle VM Manager command-line interface, are also capable of connecting to Oracle VM Manager across a network. Since all applications interact with Oracle VM Manager via a web-services API over HTTPS, these connections can be secured using the same SSL certificate as used for the Oracle VM Manager web-based user interface discussed above.

The command-line interface provides access to Oracle VM Manager via an SSH connection that can either be made using an administrator username and password, or which can be secured using standard SSH keys. The command-line interface application, then authenticates with the core Oracle VM Manager application using its own SSL certificate and key, issued and signed by the Oracle VM Manager CA certificate.

If you are developing your own application or script to interface with the Oracle VM Manager Web Services API, it is possible to achieve authentication either using the API login mechanisms that accept a username and password combination, or you can use SSL-based authentication. To do this, you generate your own certificate and key pair. You then sign the certificate and register it with the Oracle VM Manager CA, using one of the provided mechanisms. From this point on, your application can use SSL key-based authentication to obtain secure and authorized access to the API. Further information on this is provided in the Oracle VM Web Services API Developer's Guide.