Oracle Enterprise Manager FIPS140-2 Settings

Starting with 13c Release 5 Update 21, Oracle Enterprise Manager can run compliant with the Federal Information Processing Standard Publication 140-2, (FIPS 140-2). Follow the steps in the sections below to make sure all EM components run in FIPS mode:

Prerequisites:

As a prerequisite, please ensure you have installed the latest OMS patch. For detailed instructions, please see MOS Doc ID 2776765.1.

Oracle HTTP Server in FIPS Mode

  1. Secure OMS with AES encrypted wallet

    All wallets have to be AES encrypted (orapki from 12.1 encrypts ewallet.p12 using AES, MOS Doc ID 2198551.1) with a key size of 2048.

    WebLogic in FIPS mode allows only generating an agent certificate with a 2048 bit key. Agent certificates are created with the same key size as OMS CA certificate. Follow the bellow steps to create a new OMS CA certificate with a 2048 bit key, and re-secure all agents:

    1. Check if OMS CA certificate is longer than 2048 bits:

      <OMS_HOME>/bin/emcli login -username=sysman
<OMS_HOME>/bin/emcli sync
emcli get_ca_info

      Sample output:

      Info about CA with ID: 1
CA is not configured
Signature algorithm : sha512
Key strength : 1024
DN: CN=example.com,C=US,ST=CA,L=EnterpriseManager on example.com,OU=EnterpriseManager on example.com,O=EnterpriseManager on example.com
Serial# : -4357905706800919315
Valid From: Tue Apr 14 07:43:33 PDT 2020
Valid Till: Sat Apr 13 07:43:33 PDT 2030
Number of Agents registered with CA ID CA ID 1 is 1

      If the OMS CA certificate has a key that is shorter than 2048 bits, create a new OMS CA following the instructions in step 4 below.

    2. Create OMS wallets:

      If OMS is already secure with 3rd party certificate (with 2048 bits keysize) then the new AES wallet can be converted or created with the same private key and certificate.

      • To convert a wallet to AES:
        orapki wallet convert -wallet <wallet_path> -compat_v12 -pwd <wallet_password>

      If Certificate key size is 1024, create new wallet for the OMS console:

      • From the OMS console, go to OMS upload , and with WebLogic use the orapki tool with -compat_v12 option

      Note:

      For more information regarding how to configure the OMS with SSL certificates, please see Doc ID 2202569.1.

    3. If the wallet is newly created, add Root CA certificate to trust store:

      <OMS_HOME>/bin/emctl secure oms -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

      If you have SLB configured, run this command instead:

      <OMS_HOME>/bin/emctl secure oms -host <SLB hostname> -secure_port <port> -slb_port <port> -slb_console_port <port> -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

      Note:

      Don't bounce the OMS, until completing the steps below.

    4. If key strength of OMS CA certificate is less than 2048 bits (in step 1), then create new CA:

      <OMS_HOME>/bin/emctl secure createca -key_strength 2048

      Sample output:

      Oracle Enterprise Manager 24ai Release 1  

Copyright (c) 1996, 2024 Oracle Corporation.  All rights reserved.

Creating CA... Started.

Enter Enterprise Manager Root (SYSMAN) Password :

Successfully created CA with ID 2

    5. Secure all agents

      Secure all agents irrespective of the OMS wallet being newly created or not, as the OMS CA has been regenerated with a 2048 bits size.

      Using the emcli command, you can also secure multiple agents together. 

      <AGENT_HOME>/bin/emctl secure_agents
        [-agt_names="agt1;agt2;..."] [-agt_names_file="<file>"]

    6. Secure OMS with AES encryption

      <OMS_HOME>/bin/emctl secure oms -wallet $WALLET_BASE/em_cert -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

      If you have SLB configured, run this command instead:

      <OMS_HOME>/bin/emctl secure oms -host <SLB hostname> -wallet $WALLET_BASE/slb_cert -secure_port <port> -slb_port <port> -slb_console_port <port> -trust_certs_loc $WALLET_BASE/rootCA/cert.pem

    7. Secure OMS Console with AES encryption

      <OMS_HOME>/bin/emctl secure console -wallet $WALLET_BASE/em_cert

      If you have SLB configured, run this command instead:

      <OMS_HOME>/bin/emctl secure console -wallet $WALLET_BASE/slb_cert -host <SLB HostName>

    8. Secure Weblogic with AES encrypted wallet

      <OMS_HOME>/bin>emctl secure wls -wallet $WALLET_BASE/em_cert

    9. Repeat the step g-h on all OMS

    10. Restart the OMS

      Primary first and then the secondary ones, one at a time:

      emctl stop oms -all
      emctl start oms

  2. Enable FIPS mode flag

    Add SSLFIPS ON inside <IfModule ossl_module> in the following files:

    Note:

    Do not add SSLFIPS ON inside the file in <VirtualHost>

    In primary OMS:

    $DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/ssl.conf
$DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/ssl.conf

    In additional OMS (replace ohs2 to appropriate ohs instance):

    $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs2/ssl.conf
$DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs2/ssl.conf.emctl_secure (if exists)

    Example:

    Go to:

     $INSTANCE_HOME/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/ssl.conf

    Update the ssl.conf file as below: 

    # Some MIME-types for downloading Certificates and CRLs SSLFIPS ON

EM Repository Database in FIPS Mode

  1. Transparent Data Encryption (TDE) and DBMS_CRYPTO PL/SQL package program

    1. Configure:

      To configure Transparent Data Encryption and the DBMS_CRYPTO PL/SQL package program units to run in FIPS mode, set the DBFIPS_140 initialization parameter to TRUE.

      sqlplus / as sysdba

SQL>SELECT name,value FROM SYS.V$PARAMETER WHERE NAME = 'DBFIPS_140';

DBFIPS_140

FALSE

SQL>ALTER SYSTEM SET DBFIPS_140 = TRUE SCOPE=SPFILE ;

SQL> shutdown immediate

SQL> startup

SQL> SELECT name,value FROM SYS.V$PARAMETER WHERE NAME = 'DBFIPS_140';

DBFIPS_140

TRUE

SQL> exit

    2. Test

      select DBMS_CRYPTO.hash(UTL_RAW.CAST_TO_RAW ('TestString'), 2) from dual;

second param is Hash algorithm

HASH_MD4 (128 bit hash)     1

HASH_MD5 (128 bit hash)     2

HASH_SH1 (160 bit hash)     3

HASH_SH256                      4

HASH_SH384                     5

HASH_SH512                     6

Above query (MD4, MD5 hash) works in  non FIPS mode (DBFIPS_140=FALSE) and fails in FIPS mode (DBFIPS_140=TRUE)

  2. SSL Transport Security

    1. Create DB Wallet

      To create a new wallet, from the OMS console, go to OMS upload , and with Weblogic use the orapki tool.

    2. Configure SSL Communication

      Add SSLFIPS_140=TRUE flag in 
      $DB_HOME/ldap/admin/fips.ora

      For more information on configuring SSL communication, see Configure TLSv1.2 for the Enterprise Manager Repository.

    3. Restart Listener

      $DB_HOME/bin/lsnrctl stop
      $DB_HOME/bin/lsnrctl start

  3. Configure EM to use TCPS listener

    For more information on configuring EM to use TCPS listener, see Configuring the Oracle Management Service to connect to the TLSv1.2-enabled Enterprise Manager Repository.

Oracle WebLogic Server

  1. Add RSA JSSE and RSA JCE provider

    Add RSA providers at the top and move other existing providers down accordingly in the <OMS_HOME>/oracle_common/jdk/jre/lib/security/java.security file: 

    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=com.rsa.jsse.JsseProvider
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.7=com.sun.crypto.provider.SunJCE
security.provider.8=sun.security.jgss.SunProvider
security.provider.9=com.sun.security.sasl.Provider
security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.11=sun.security.smartcardio.SunPCSC

  2. Add FIPS compliant TrustStore and provider Jars in class path

    Follow these steps to add the two .jar files in Web-Logic and Node Manager, from $ORACLE_HOME/wlserver/server/lib: 

    <OMS_HOME>/wlserver/server/lib/jcmFIPS.jar
    <OMS_HOME>/wlserver/server/lib/sslj.jar

    1. Add the FIPS configuration in <EM_INSTANCE_BASE/user_projects/domains/GCDomain/bin/startEMServer.sh after the EXT_POST_CLASSPATH="<omshome>/sysman/jlib/emagentPermissions.jar" export EXT_POST_CLASSPATH line: 

      JAVA_OPTIONS="-Doracle.net.isFipsMode=true -Dcom.sun.net.ssl.enableECC=false ${JAVA_OPTIONS} "
export JAVA_OPTIONS
      PRE_CLASSPATH="<OMS_HOME>/wlserver/server/lib/jcmFIPS.jar:<OMS_HOME>/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}"

      Example domain home:

      /u01/app/Oracle/gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh

    2. Add FIPS configuration in $DOMAIN_HOME/bin/startNodeManager.sh above the # start node manager ... line: 

      JAVA_OPTIONS=" -Dcom.sun.net.ssl.enableECC=false ${JAVA_OPTIONS} "
PRE_CLASSPATH="<OMS_HOME>/wlserver/server/lib/jcmFIPS.jar:<OMS_HOME>/wlserver/server/lib/sslj.jar"
      export JAVA_OPTIONS
export PRE_CLASSPATH

    3. Start Node Manager:

      $DOMAIN_HOME/bin/startNodeManager.sh
    4. Re-create Trust store and Key store with Password based encryption with a FIPS compliant algorithm, such as aes-256-cbc, using openssl.

    5. Update the PKCS12 wallet under <EM_INSTANCE_BASE/em/omrWallets/<trustStore> and <EM_INSTANCE_BASE/em/omrWallets/<keyStore> with the trust and key of the newly updated PKCS12 wallet. 

      openssl pkcs12 -in ewallet.p12 -out cert.pem <genrate pem file from already generated wallet under trsuststore and keystore >
      openssl pkcs12 -keypbe aes-256-cbc -certpbe aes-256-cbc -export -in <path to .pem file and file name> -out <path to .pfx file and file name>

      Example domain home:

      /u01/app/Oracle/gc_inst/em/omrWallets
    6. Bounce all components:
      emctl stop oms -all
emctl start oms

Oracle EM Agent in FIPS Mode

Agent Communication

The table lists the default ciphers supported by the Oracle EM Agent. As some of the ciphers are not FIPS compliant, add the ciphers explicitly in the agent emd.properties file, and bounce the agent to be FIPS complaint: 

SSLCipherSuites=ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:ECDHE_RSA_WITH_AES_128_GCM_SHA256:AES_128_CCM_8_SHA256:AES_128_CCM_SHA256:AES_128_GCM_SHA256:AES_256_GCM_SHA384:DHE_DSS_WITH_AES_:28_GCM_SHA256:DHE_DSS_WITH_AES_256_GCM_SHA384:DHE_RSA_WITH_AES_128_GCM_SHA256:DHE_RSA_WITH_AES_256_GCM_S:A384:ECDHE_RSA_WITH_AES_256_GCM_SHA384:DH_DSS_WITH_AES_128_GCM_SHA256:DH_DSS_WITH_AES_256_GCM_SHA384:TLS:DH_RSA_WITH_AES_128_GCM_SHA256:DH_RSA_WITH_AES_256_GCM_SHA384:ECDH_ECDSA_WITH_AES_128_GCM_SHA256:ECDH_EC:SA_WITH_AES_256_GCM_SHA384:ECDH_RSA_WITH_AES_128_GCM_SHA256:ECDH_RSA_WITH_AES_256_GCM_SHA384:DHE_DSS_WITH_AES_128_CB:_SHA:DHE_DSS_WITH_AES_128_CBC_SHA256:DHE_DSS_WITH_AES_256_CBC_SHA:DHE_DSS_WITH_AES_256_CBC_SHA256:DHE_:SA_WITH_AES_128_CBC_SHA:DHE_RSA_WITH_AES_128_CBC_SHA256:DHE_RSA_WITH_AES_256_CBC_SHA:DHE_RSA_WITH_AES_256_:BC_SHA256:ECDH_ECDSA_WITH_AES_128_CBC_SHA:ECDH_ECDSA_WITH_AES_128_CBC_SHA256:ECDH_ECDSA_WITH_AES_256_CBC_S:A:ECDH_ECDSA_WITH_AES_256_CBC_SHA384:ECDH_RSA_WITH_AES_128_CBC_SHA:ECDH_RSA_WITH_AES_128_CBC_SHA256:EC:H_RSA_WITH_AES_256_CBC_SHA:ECDH_RSA_WITH_AES_256_CBC_SHA384:ECDHE_ECDSA_WITH_AES_128_CBC_SHA:ECDHE_ECDSA_W:TH_AES_128_CBC_SHA256:ECDHE_ECDSA_WITH_AES_256_CBC_SHA:ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:ECDHE_RSA_WITH_:ES_128_CBC_SHA:ECDHE_RSA_WITH_AES_128_CBC_SHA256:ECDHE_RSA_WITH_AES_256_CBC_SHA:ECDHE_RSA_WITH_AES_256_CBC:SHA384:RSA_WITH_AES_128_CBC_SHA:RSA_WITH_AES_128_CBC_SHA256:RSA_WITH_AES_128_GCM_SHA256:RSA_WITH_AES_2:6_CBC_SHA:RSA_WITH_AES_256_CBC_SHA256:RSA_WITH_AES_256_GCM_SHA384
Cipher FIPS
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 YES
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_AES_128_CCM_8_SHA256 YES
TLS_AES_128_CCM_SHA256 YES
TLS_AES_128_GCM_SHA256 YES
TLS_AES_256_GCM_SHA384 YES
TLS_CHACHA20_POLY1305_SHA256 NO
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 YES
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 YES
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 NO
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 NO
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 YES
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 YES
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 YES
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 YES
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_DH_DSS_WITH_AES_128_CBC_SHA NO
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 NO
TLS_DH_DSS_WITH_AES_256_CBC_SHA NO
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 NO
TLS_DH_RSA_WITH_AES_128_CBC_SHA NO
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 NO
TLS_DH_RSA_WITH_AES_256_CBC_SHA NO
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 NO
TLS_DHE_DSS_WITH_AES_128_CBC_SHA YES
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 YES
TLS_DHE_DSS_WITH_AES_256_CBC_SHA YES
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 YES
TLS_DHE_RSA_WITH_AES_128_CBC_SHA YES
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_DHE_RSA_WITH_AES_256_CBC_SHA YES
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 YES
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA YES
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA YES
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 YES
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA YES
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA YES
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 YES
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA YES
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA YES
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 YES
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA YES
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA YES
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 YES
TLS_RSA_WITH_AES_128_CBC_SHA YES
TLS_RSA_WITH_AES_128_CBC_SHA256 YES
TLS_RSA_WITH_AES_128_GCM_SHA256 YES
TLS_RSA_WITH_AES_256_CBC_SHA YES
TLS_RSA_WITH_AES_256_CBC_SHA256 YES
TLS_RSA_WITH_AES_256_GCM_SHA384 YES
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA NO
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA NO

AgentCrypto's symmetric key algorithm is AES-128, which is FIPS compliant

Steps to Add a New Additional OMS in FIPS Mode

  1. Revert to wls certificate only in primary OMS:

    • emctl secure wls -use_demo_cert
    • Bounce primary OMS

  2. Install OMS software in the new machine

  3. Copy wallet to the new OMS machine

  4. Add RootCA into java truststore

    export ORACLE_HOME=<OMS_HOME>
    keytool -importcert -file <WalletPath ROOTCA>/cert.pem -alias emreprootca -keystore 
$ORACLE_HOME/oracle_common/jdk/jre/lib/security/cacerts -storepass "<password>"

  5. Export the configuration details from the first OMS and copy the bka file to new OMS machine

    $<ORACLE_HOME>/bin/emctl exportconfig oms -dir <absolute_path_to_directory>

  6. Run OMSCA command

    $<ORACLE_HOME>/bin/omsca recover -ms -backup_file <absolute_path_to_bka_file> [-AS_HTTPS_PORT <port> -MSPORT <port> -MS_HTTPS_PORT <port> -EM_NODEMGR_PORT <port> -EM_UPLOAD_PORT <port> -EM_UPLOAD_HTTPS_PORT <port> -EM_CONSOLE_PORT <port> -EM_CONSOLE_HTTPS_PORT <port> -config_home <absolute_path_to_instance_dir> -EM_INSTANCE_HOST <second_oms_host_name>] -nostart

    This command is the same as the one in step 8 from Installing Additional Oracle Management Services in Silent Mode with additional -nostart flag.

  7. Repeat all the steps in the above Oracle HTTP Server section in the new OMS except startup.

  8. Repeat all the steps in the above Oracle Web-Logic server section in the new OMS except startup.

  9. Start new OMS using the following steps:

    emctl stop oms -all
emctl start oms

  10. Resecure primary OMS to use custom certificate.