8.7 Configuring SSL and SSL Certificates

View and restrict SSL/TLS protocols. Configure Oracle Trace File Analyzer to use self-signed or CA-signed certificates.

8.7.1 Configuring SSL/TLS Protocols

The Oracle Trace File Analyzer daemons in a cluster communicate securely using the SSL/TLS protocols.

The SSL protocols available for use by Oracle Trace File Analyzer are:

  • TLSv1.2

  • TLCv1.1

  • TLSv1

Oracle Trace File Analyzer always restricts use of older the protocols SSLv3 and SSLv2Hello.

To view and restrict protocols:

  1. To view the available and restricted protocols:
    tfactl print protocols
    For example:
    $ tfactl print protocols
    .---------------------------------------.
    |                 node1                 |
    +---------------------------------------+
    | Protocols                             |
    +---------------------------------------+
    | Available : [TLSv1, TLSv1.2, TLSv1.1] |
    | Restricted : [SSLv3, SSLv2Hello]      |
    '---------------------------------------'
    
  2. To restrict the use of certain protocols:
    tfactl restrictprotocol [-force] protocol
    For example:
    $ tfactl restrictprotocol TLSv1

8.7.2 Configuring Self-Signed Certificates

Use Java keytool to replace self-signed SSL certificates with personal self-signed certificates.

To configure Oracle Trace File Analyzer to use self-signed certificates:

  1. Create a private key and keystore file containing the self-signed certificate for the server:
    $ keytool -genkey -alias server_full -keyalg RSA -keysize 2048 -validity 18263 -keystore myserver.jks
  2. Create a private key and keystore file containing the private key and self signed-certificate for the client:
    $ keytool -genkey -alias client_full -keyalg RSA -keysize 2048 -validity 18263 -keystore myclient.jks
  3. Export the server public key certificate from the server keystore:
    $ keytool -export -alias server_full -file myserver_pub.crt -keystore myserver.jks -storepass password
  4. Export the client public key certificate from the server keystore:
    $ keytool -export -alias client_full -file myclient_pub.crt -keystore myclient.jks -storepass password
  5. Import the server public key certificate into the client keystore:
    $ keytool -import -alias server_pub -file myserver_pub.crt -keystore myclient.jks -storepass password
  6. Import the client public key certificate into the server keystore:
    $ keytool -import -alias client_pub -file myclient_pub.crt  -keystore myserver.jks -storepass password
  7. Restrict the permissions on the keystores to root  read-only.
    $ chmod 400 myclient.jks myserver.jks
  8. Copy the keystores (jks files) to each node.
  9. Configure Oracle Trace File Analyzer to use the new certificates:
    $ tfactl set sslconfig
  10. Restart the Oracle Trace File Analyzer process to start using new certificates:
    $ tfactl restart

8.7.3 Configuring CA-Signed Certificates

Use Java keytool and openssl to replace self-signed SSL certificates with the Certificate Authority (CA) signed certificates.

To configure Oracle Trace File Analyzer to use CA-signed certificates:

  1. Create a private key for the server request:
    $ openssl genrsa -aes256 -out myserver.key 2048
  2. Create a private key for the client request:
    $ openssl genrsa -aes256 -out myclient.key 2048
  3. Create a Certificate Signing Request (CSR) for the server:
    $ openssl req -key myserver.key -new -sha256 -out myserver.csr
  4. Create a Certificate Signing Request (CSR) for the client:
    $ openssl req -key myclient.key -new -sha256 -out myclient.csr
  5. Send the resulting CSR for the client and the server to the relevant signing authority.

    The signing authority sends back the signed certificates:

    • myserver.cert

    • myclient.cert

    • CA root certificate

  6. Convert the certificates to JKS format for the server and the client:
    $ openssl pkcs12 -export -out serverCert.pkcs12 -in myserver.cert -inkey myserver.key
    $ keytool -v -importkeystore -srckeystore serverCert.pkcs12 -srcstoretype PKCS12 -destkeystore myserver.jks -deststoretype JKS
    $ openssl pkcs12 -export -out clientCert.pkcs12 -in myclient.cert -inkey myclient.key
    $ keytool -v -importkeystore -srckeystore clientCert.pkcs12 -srcstoretype PKCS12 -destkeystore myclient.jks -deststoretype JKS
  7. Import the server public key into to the client jks file:
    $ keytool -import -v -alias server-ca -file myserver.cert -keystore myclient.jks
  8. Import the client public key to the server jks file:
    $ keytool -import -v -alias client-ca -file myclient.cert -keystore myserver.jks
  9. Import the CA root certificate from the signing authority into the Oracle Trace File Analyzer server certificate:
    $ keytool -importcert -trustcacerts -alias inter -file caroot.cert -keystore myserver.jks
  10. Restrict the permissions on the keystores to root  read-only:
    $ chmod 400 myclient.jks myserver.jks
  11. Copy the keystores (jks files) to each node.
  12. Configure Oracle Trace File Analyzer to use the new certificates:
    $ tfactl set sslconfig
  13. Restart the Oracle Trace File Analyzer process to start using the new certificates.
    $ tfactl stop 
    $ tfactl start

8.7.4 Configuring SSL Cipher Suite

The cipher suite is a set of cryptographic algorithms used by the TLS/SSL protocols to create keys and encrypt data.

Oracle Trace File Analyzer supports any of the cipher suites used by JRE 1.8.

The default cipher suite used is TLS_RSA_WITH_AES_128_CBC_SHA256.

  1. You can change the cipher suite with the command:
    tfactl set ciphersuite=cipher_suite
    For example:
    tfactl set ciphersuite=TLS_RSA_WITH_AES_128_GCM_SHA256