By enabling the TLSv1.2 protocol for communication with the Enterprise Manager Repository, the Oracle Management Service communicates with the repository in a secure mode: TLS encrypts the communication traffic and allows the Enterprise Manager Repository to authenticate itself to the Oracle Management Service.
To enable TLSv1.2 protocol for communication with the Enterprise Manager Repository, follow these steps:
Step 1: Configure TLSv1.2 for the Enterprise Manager Repository
For a sample configuration on an Oracle 11.2 RAC, refer to MOS Note ID 1448841.1.
In the sqlnet.ora or the listener.ora file, ensure that the SSL_VERSION parameter is set to 1.2 for configuring TLSv1.2.
In the sqlnet.ora file, ensure that the SSL_CLIENT_AUTHENTICATION parameter is set to FALSE.
Verify the configuration by making an SSL connection using the SQLPLUS and TCPS connect descriptors before proceeding to the next step.
To ensure that the connect descriptors are correct, you can test the connection by running the following command:
./sqlplus sysman/<sysman_pwd>@"(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID/SERVICE>)))"
Note:
It is important to keep both the TCP and TCPS listeners up until the Oracle Management Service connect descriptor has been changed to use TCPS, as shown in Step 2.
Step 2: Configure the Oracle Management Service to connect to the TLSv1.2-enabled Enterprise Manager Repository
Perform the following sequence of steps in a rolling manner—start with the Primary Oracle Management Service first and then proceed with the remaining Oracle Management Services.
Import the database server CA certificate into the Oracle Management Service JDK TrustStore.
$ORACLE_HOME/oracle_common/jdk/bin/keytool -importcert -file trustCert.pem -alias emreprootca -keystore $ORACLE_HOME/oracle_common/jdk/jre/lib/security/cacerts -storepass "changeit"
Note:
The JDK TrustStore password is "changeit".
Disable Oracle DB client native encryption.
Edit the following file and add the line shown below it:
<ORACLE_HOME>/gc_inst/em/EMGC_OMS<n>/emgc.properties
oracle.sysman.core.conn.enableEncryption=false
Alternatively, set the same property with emctl:
emctl set property -name "oracle.sysman.core.conn.enableEncryption" -value "false" -sysman_pwd sysman
Change the connect descriptor to use only TCPS.
Obtain the existing connect descriptor using the command: emctl config oms -list_repos_details
Store the TCPS connect descriptor:
emctl config oms -store_repos_details -repos_user sysman -repos_pwd <SYSMAN_PWD> -repos_conndesc "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID/SERVICE>)))"
Also update the connect descriptor in the following files:
<EM_INSTANCE>/user_projects/domains/GCDomain/config/fmwconfig/jps-config.xml
<EM_INSTANCE>/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml
<EM_INSTANCE>/user_projects/domains/GCDomain/config/fmwconfig/embi-policystoremerge-jpscfg.xml
Change the Connect Descriptor of Services to use only TCPS.
If other services have been created for subsystems such as Ping, Events, Jobs and Loader, modify their connect descriptors to use the new TCPS configuration details.
Execute the following on the Primary Oracle Management Service first.
emctl set property -name "oracle.sysman.core.omsAgentComm.ping.connectionService.connectDescriptor" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=ping\)\)\)" -sysman_pwd <SYSMAN_PWD>
emctl set property -name "oracle.sysman.core.events.connectDescriptor" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=event\)\)\)" -sysman_pwd <SYSMAN_PWD>
emctl set property -name "oracle.sysman.core.jobs.conn.service" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=emjob\)\)\)" -sysman_pwd <SYSMAN_PWD>
emctl set property -name "oracle.sysman.core.pbs.gcloader.connectDescriptor" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=loader\)\)\)" -sysman_pwd <SYSMAN_PWD>
Once sub-steps 2-1 through 2-4 (the four tasks above) have been run on the Primary Oracle Management Service, repeat them on all remaining Oracle Management Services.
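Before the TCP listener is disabled in Step 4, it is worth confirming that every connect descriptor the Oracle Management Service will use (the repository descriptor and the Ping, Events, Jobs and Loader service descriptors above) is TCPS-only, and that the repository sqlnet.ora pins SSL_VERSION to 1.2 as required by Step 1. The following POSIX shell checks are an added example, not part of the Oracle documentation or of emctl; the hosts, ports and wallet path in the sample inputs are constructed placeholders.

```shell
#!/bin/sh
# Added pre-flight checks (not part of the Oracle documentation) for the
# TLSv1.2 repository cutover: before the TCP listener is disabled in Step 4,
# confirm that every connect descriptor the OMS will use points at TCPS only
# and that the repository sqlnet.ora pins the protocol version. Inputs are
# plain strings, so the checks also accept the backslash-escaped values
# passed to "emctl set property".

# Normalise a connect descriptor: drop emctl backslash escapes and all
# whitespace, and force upper case for case-insensitive keywords.
normalise_desc() {
  printf '%s' "$1" | tr -d '\\ \t\n' | tr 'a-z' 'A-Z'
}

# Succeed only when the descriptor has at least one ADDRESS entry and every
# ADDRESS entry carries PROTOCOL=TCPS (a mixed TCP/TCPS RAC address list fails).
descriptor_is_tcps_only() {
  desc=$(normalise_desc "$1")
  addresses=$(printf '%s' "$desc" | grep -o '(ADDRESS=' | wc -l | tr -d ' ')
  tcps=$(printf '%s' "$desc" | grep -o '(PROTOCOL=TCPS)' | wc -l | tr -d ' ')
  [ "$addresses" -gt 0 ] && [ "$addresses" -eq "$tcps" ]
}

# Succeed only when the sqlnet.ora text sets SSL_VERSION = 1.2 and
# SSL_CLIENT_AUTHENTICATION = FALSE, each on its own line.
sqlnet_is_tls12() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*SSL_VERSION[[:space:]]*=[[:space:]]*1\.2[[:space:]]*$' &&
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*SSL_CLIENT_AUTHENTICATION[[:space:]]*=[[:space:]]*FALSE[[:space:]]*$'
}

# Constructed sample inputs; hosts, ports and paths are placeholders.
GOOD_DESC='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=repo-scan.example.test)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=emrep)))'
ESCAPED_DESC='\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=repo-scan.example.test\)\(PORT=2484\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=ping\)\)\)'
MIXED_DESC='(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=node1.example.test)(PORT=2484))(ADDRESS=(PROTOCOL=TCP)(HOST=node2.example.test)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=emrep)))'
GOOD_SQLNET='SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /placeholder/client/wallet)))'
WEAK_SQLNET='SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.0'

for d in "$GOOD_DESC" "$ESCAPED_DESC" "$MIXED_DESC"; do
  if descriptor_is_tcps_only "$d"; then echo "TCPS-only: OK"; else echo "TCPS-only: FAIL (non-TCPS address present)"; fi
done
sqlnet_is_tls12 "$GOOD_SQLNET" && echo "sqlnet.ora: TLSv1.2 pinned"
sqlnet_is_tls12 "$WEAK_SQLNET" || echo "sqlnet.ora: SSL_VERSION is not 1.2, fix it before disabling the TCP listener"
```

In practice, feed the functions the output of emctl config oms -list_repos_details and the contents of the repository sqlnet.ora rather than the constructed samples.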
Step 3: Configure blackouts for Enterprise Manager Repository-related targets
In order to suppress alerts until the target configurations are complete, place all targets related to the Enterprise Manager Repository (the oracle_database, oracle_emrep, oracle_oms and metadata_repository target types) under blackout.
Step 4: Bounce all Oracle Management Services
Execute the following on all Oracle Management Services starting with Primary Oracle Management Service:
emctl stop oms -all
Disable the TCP listener in the listener.ora file of the Enterprise Manager Repository and restart the listener so that only TCPS connections are accepted.
Start the primary Oracle Management Service.
emctl start oms
Note:
If the Oracle Management Services do not start, you will need to do one of the following:
Add "SQLNET.RECV_TIMEOUT=100000" to the database sqlnet.ora file.
OR
Apply database patch 20544797 (preferred method).
Once the Primary Oracle Management Service is up, start the remaining Oracle Management Services one at a time.
Step 5: Reconfigure the Agents monitoring the Enterprise Manager Repository
Reconfigure the Primary Oracle Management Service central agent that is monitoring the Management Repository by locating the target "Management Services and Repository" in its targets.xml file. If RAC is configured for the repository, you will also need to locate the Enterprise Manager Repository host Agent(s).
<AGENT_INSTANCE>/bin/emctl setproperty agent -name connectionTrustStoreLocation -value <...>/client/wallet/ewallet.p12
<AGENT_INSTANCE>/bin/emctl setproperty agent -name connectionTrustStorePassword -value <…>
<AGENT_INSTANCE>/bin/emctl setproperty agent -name connectionTrustStoreType -value PKCS12
Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Primary Oracle Management Service central agent that is monitoring the Management Repository:
AGENT_HOME/network/admin (UNIX)
AGENT_HOME\network\admin (Windows)
Ensure that the file contains the following entries:
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = <...>/client/wallet)
    )
  )
Bounce the agents that have been modified in this step.
Step 6: Reconfigure the targets referencing the Enterprise Manager Repository connection
Identify the targets referencing the repository connection in the target XML of the Primary Oracle Management Service central Agent monitoring the Enterprise Manager Repository. Also, identify the targets in target XML of the local physical host Agent if it is deployed on the Enterprise Manager Repository host.
Then update each identified target with the following command:
emcli modify_target -name="<Target Name>" -type="<target_type>" -properties="<Property>:<Property Value>;<Property>:<Property Value>" -on_agent
Note:
Make sure you use the target_name, target_type, property and property value format gathered from the Agent's targets.xml file.
Examples:
emcli modify_target -name="database1.mycompany.com" -type="oracle_database" -properties="Port:<TCPS_PORT>;Protocol:TCPS" -on_agent
emcli modify_target -name="Management Services and Repository" -type="oracle_emrep" -properties="ConnectDescriptor:(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent
emcli modify_target -name="primary_oms.mycompany.com:4889_Management_Service" -type="oracle_oms" -properties="ConnectDescriptor:(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent
emcli modify_target -name="/EMGC_GCDomain/GCDomain/EMGC_ADMINSERVER/mds-owsm" -type="metadata_repository" -properties="JdbcUrl|jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent -subseparator=properties="|"
emcli modify_target -name="/EMGC_GCDomain/GCDomain/EMGC_ADMINSERVER/mds-sysman_mds" -type="metadata_repository" -properties="DatabaseName:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent
Step 7: End blackouts for Management Repository-related targets
Bring the Enterprise Manager Repository-related targets out of blackout and verify that the targets show Target Up status in the Enterprise Manager Console.