7.7 Configuring SSL and SSL Certificates

View and restrict SSL/TLS protocols. Configure Oracle Trace File Analyzer to use self-signed or CA-signed certificates.

7.7.1 Configuring SSL/TLS Protocols

The Oracle Trace File Analyzer daemons in a cluster communicate securely using the SSL/TLS protocols.

The SSL protocols available for use by Oracle Trace File Analyzer are:

  • TLSv1.2

  • TLSv1.1

  • TLSv1

Oracle Trace File Analyzer always restricts use of the older protocols SSLv3 and SSLv2Hello.

To view and restrict protocols:

  1. To view the available and restricted protocols:
    tfactl print protocols
    For example:
    $ tfactl print protocols
    .---------------------------------------.
    |                 node1                 |
    +---------------------------------------+
    | Protocols                             |
    +---------------------------------------+
    | Available : [TLSv1, TLSv1.2, TLSv1.1] |
    | Restricted : [SSLv3, SSLv2Hello]      |
    '---------------------------------------'
    
  2. To restrict the use of certain protocols:
    tfactl restrictprotocol [-force] protocol
    For example:
    tfactl restrictprotocol TLSv1
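The following script is an added example and is not part of the Oracle documentation or of the tfactl tooling. It audits the table printed by `tfactl print protocols` (the format shown above) and reports any available protocol below the TLSv1.2 baseline, printing the `tfactl restrictprotocol` commands an administrator would review and run. The function names (`audit_protocols`, `restrict_commands`) and the embedded sample table are constructed for the example; on a node it would be run as `tfactl print protocols | audit_protocols`.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit `tfactl print protocols` output and
# report protocols weaker than TLSv1.2 that are still available. The table is
# read from stdin so the check works on live output or on the sample below.

# Constructed copy of the one-node table shown in the documentation.
sample_protocols_output() {
  cat <<'EOF'
.---------------------------------------.
|                 node1                 |
+---------------------------------------+
| Protocols                             |
+---------------------------------------+
| Available : [TLSv1, TLSv1.2, TLSv1.1] |
| Restricted : [SSLv3, SSLv2Hello]      |
'---------------------------------------'
EOF
}

# Print the protocols listed on each "Available" line, one per line.
available_protocols() {
  sed -n 's/^| *Available *: *\[\([^]]*\)\].*$/\1/p' \
    | tr ',' '\n' \
    | sed 's/^ *//; s/ *$//'
}

# Keep only the available protocols below the TLSv1.2 baseline
# (deduplicated, since a multi-node table repeats the block per node).
legacy_protocols() {
  available_protocols | grep -F -v -x -e 'TLSv1.2' -e 'TLSv1.3' | sort -u
}

# Emit the tfactl command that would restrict each legacy protocol.
# Nothing is executed; the output is for the administrator to review.
restrict_commands() {
  legacy_protocols | sed 's/^/tfactl restrictprotocol /'
}

# Return 0 when only TLSv1.2 or newer is available, 1 otherwise.
audit_protocols() {
  cmds=$(restrict_commands)
  if [ -n "$cmds" ]; then
    printf 'Legacy TLS protocols are still available. To restrict them, run:\n%s\n' "$cmds"
    return 1
  fi
  echo 'Only TLSv1.2 or newer is available.'
  return 0
}

# Demo against the constructed sample: TLSv1 and TLSv1.1 are reported.
if sample_protocols_output | audit_protocols; then
  echo 'protocol audit: PASS'
else
  echo 'protocol audit: FAIL'
fi
```

Restricting a protocol with `tfactl restrictprotocol` applies to the daemon on that node, so the audit should be run on every node of the cluster, not only on the one where the change was made.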

7.7.2 Configuring Self-Signed Certificates

Use Java keytool to replace the default self-signed SSL certificates shipped with Oracle Trace File Analyzer with your own self-signed certificates.

To configure Oracle Trace File Analyzer to use self-signed certificates:

Note:

The key size of default self-signed certificates shipped by TFA is 2048 bits.

  1. Create a private key and keystore file containing the self-signed certificate for the server:
    keytool -genkey -alias server_full -keyalg RSA -keysize 2048 -validity 18263 -keystore myserver.jks
  2. Create a private key and keystore file containing the private key and self-signed certificate for the client:
    keytool -genkey -alias client_full -keyalg RSA -keysize 2048 -validity 18263 -keystore myclient.jks
  3. Export the server public key certificate from the server keystore:
    keytool -export -alias server_full -file myserver_pub.crt -keystore myserver.jks -storepass password
  4. Export the client public key certificate from the client keystore:
    keytool -export -alias client_full -file myclient_pub.crt -keystore myclient.jks -storepass password
  5. Import the server public key certificate into the client keystore:
    keytool -import -alias server_pub -file myserver_pub.crt -keystore myclient.jks -storepass password
  6. Import the client public key certificate into the server keystore:
    keytool -import -alias client_pub -file myclient_pub.crt  -keystore myserver.jks -storepass password
  7. Restrict the permissions on the keystores to root read-only:
    chmod 400 myclient.jks myserver.jks
  8. Copy the keystores (jks files) to each node.
  9. Configure Oracle Trace File Analyzer to use the new certificates:
    tfactl set sslconfig
    For example:
    tfactl set sslconfig
    Please Enter server certificate path : /u01/oracle.ahf/data/host/tfa/myserver.jks
    Please Enter Password for server keystore keypass :
    Please Confirm Password for server keystore keypass :
    Please Enter Password for server keystore storepass :
    Please Confirm Password for server keystore storepass :
    Please Enter client certificate path? : /u01/oracle.ahf/data/host/tfa/myclient.jks
    Please Enter Password for client keystore keypass :
    Please Confirm Password for client keystore keypass :
    Please Enter Password for client keystore storepass :
    Please Confirm Password for client keystore storepass :
    SSL certificate details successfully set
    The certificates are restricted to root read only
  10. Restart the Oracle Trace File Analyzer process to start using new certificates:
    tfactl restart

7.7.3 Configuring CA-Signed Certificates

Use Java keytool and openssl to replace the self-signed SSL certificates with Certificate Authority (CA)-signed certificates.

To configure Oracle Trace File Analyzer to use CA-signed certificates:

  1. Create a private key for the server request:
    openssl genrsa -aes256 -out myserver.key 2048
  2. Create a private key for the client request:
    openssl genrsa -aes256 -out myclient.key 2048
  3. Create a Certificate Signing Request (CSR) for the server:
    openssl req -key myserver.key -new -sha256 -out myserver.csr
  4. Create a Certificate Signing Request (CSR) for the client:
    openssl req -key myclient.key -new -sha256 -out myclient.csr
  5. Send the resulting CSR for the client and the server to the relevant signing authority.

    The signing authority sends back the signed certificates:

    • myserver.cert
    • myclient.cert
    • CA root certificate
    • Intermediate certificate
  6. Convert the certificates to JKS format for the server and the client:
    openssl pkcs12 -export -out serverCert.pkcs12 -in myserver.cert -inkey myserver.key
    keytool -v -importkeystore -srckeystore serverCert.pkcs12 -srcstoretype PKCS12 -destkeystore myserver.jks -deststoretype JKS
    openssl pkcs12 -export -out clientCert.pkcs12 -in myclient.cert -inkey myclient.key
    keytool -v -importkeystore -srckeystore clientCert.pkcs12 -srcstoretype PKCS12 -destkeystore myclient.jks -deststoretype JKS
  7. Import the server public key into the client jks file:
    keytool -import -v -alias server-ca -file myserver.cert -keystore myclient.jks
  8. Import the client public key to the server jks file:
    keytool -import -v -alias client-ca -file myclient.cert -keystore myserver.jks
  9. Import the CA root certificate from the signing authority into the Oracle Trace File Analyzer server keystore:
    keytool -importcert -trustcacerts -alias root -file caroot.cert -keystore myserver.jks
  10. Import the intermediate certificate into the Oracle Trace File Analyzer server keystore:
    keytool -importcert -trustcacerts -alias inter -file intermediate.cert -keystore myserver.jks
  11. Restrict the permissions on the keystores to root read-only:
    chmod 400 myclient.jks myserver.jks
  12. Copy the keystores (jks files) to each node.
  13. Configure Oracle Trace File Analyzer to use the new certificates:
    tfactl set sslconfig
    For example:
    tfactl set sslconfig
    Please Enter server certificate path : /u01/oracle.ahf/data/host/tfa/myserver.jks
    Please Enter Password for server keystore keypass :
    Please Confirm Password for server keystore keypass :
    Please Enter Password for server keystore storepass :
    Please Confirm Password for server keystore storepass :
    Please Enter client certificate path? : /u01/oracle.ahf/data/host/tfa/myclient.jks
    Please Enter Password for client keystore keypass :
    Please Confirm Password for client keystore keypass :
    Please Enter Password for client keystore storepass :
    Please Confirm Password for client keystore storepass :
    SSL certificate details successfully set
    The certificates are restricted to root read only
  14. Restart the Oracle Trace File Analyzer process to start using the new certificates:
    tfactl stop
    tfactl start
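Both the self-signed procedure (7.7.2) and the CA-signed procedure (7.7.3) end with the same two checks before the keystores are copied to each node: the .jks files must be root read-only, and each keystore must contain the entries that were imported into it. The script below is an added example, not Oracle's code, that verifies both. The keystore path `/u01/oracle.ahf/data/host/tfa`, the file names and the alias names `server_full`, `client_pub`, `client_full` and `server_pub` come from the procedures above; the store password `changeit` is a placeholder, and the function names are this example's own. When keytool is not on the PATH the alias check is reported as skipped rather than failed.

```shell
#!/bin/sh
# Added example, not Oracle's code: validate TFA keystores before they are
# copied to each node and handed to `tfactl set sslconfig`.

# Check one keystore's permissions: $1 = path, $2 = expected owner (default root).
# Returns 0 when the file is mode 400 and owned by $2, 1 otherwise.
keystore_perms_ok() {
  ks=$1
  owner=${2:-root}
  if [ ! -f "$ks" ]; then
    echo "missing keystore: $ks"
    return 1
  fi
  # `ls -ld` is used instead of stat, whose flags differ between Linux and BSD.
  set -- $(ls -ld "$ks")
  mode=${1%[.+]}        # drop the trailing '.' or '+' that SELinux/ACLs append
  fowner=$3
  if [ "$mode" != "-r--------" ]; then
    echo "$ks: mode is $mode, expected -r-------- (chmod 400)"
    return 1
  fi
  if [ "$fowner" != "$owner" ]; then
    echo "$ks: owner is $fowner, expected $owner"
    return 1
  fi
  return 0
}

# Check that alias $2 exists in keystore $1 using store password $3.
# Returns 0 if present, 1 if absent, 2 if keytool is unavailable.
keystore_has_alias() {
  if ! command -v keytool >/dev/null 2>&1; then
    return 2
  fi
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Validate one keystore: $1 = path, $2 = expected owner, $3 = store password,
# remaining arguments = aliases that must be present. Returns 0 only if all pass.
check_keystore() {
  cks=$1; cowner=$2; cpass=$3
  shift 3
  ks_rc=0
  keystore_perms_ok "$cks" "$cowner" || ks_rc=1
  for alias in "$@"; do
    keystore_has_alias "$cks" "$alias" "$cpass"
    case $? in
      0) ;;
      1) echo "$cks: alias '$alias' not found"; ks_rc=1 ;;
      2) echo "$cks: keytool not found, alias '$alias' not verified" ;;
    esac
  done
  return $ks_rc
}

# Validate the server and client keystores with the alias names from 7.7.2.
# For the CA-signed flow in 7.7.3 pass server-ca, root and inter (plus the alias
# the PKCS12 key entry was imported under) for the server keystore instead.
check_all() {
  dir=${1:-/u01/oracle.ahf/data/host/tfa}
  storepass=${2:-changeit}   # placeholder; supply the real store password
  all_rc=0
  check_keystore "$dir/myserver.jks" root "$storepass" server_full client_pub || all_rc=1
  check_keystore "$dir/myclient.jks" root "$storepass" client_full server_pub || all_rc=1
  return $all_rc
}

# Usage: sh check_keystores.sh [/path/to/keystore/dir] [storepass]
if [ $# -ge 1 ]; then
  if check_all "$1" "${2:-}"; then
    echo 'keystores OK'
  fi
fi
```

Run the script on each node after copying the keystores, since `chmod 400` is not preserved by every copy method and the per-node check is what `tfactl set sslconfig` relies on.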

7.7.4 Configuring SSL Cipher Suite

The cipher suite is a set of cryptographic algorithms used by the TLS/SSL protocols to create keys and encrypt data.

Oracle Trace File Analyzer supports any of the cipher suites used by JRE 1.8.

The default cipher suite used is TLS_RSA_WITH_AES_128_CBC_SHA256.

  1. You can change the cipher suite with the command:
    tfactl set ciphersuite=cipher_suite
    For example:
    tfactl set ciphersuite=TLS_RSA_WITH_AES_128_GCM_SHA256