Secure Configuration

To help protect users of Session Monitor and consumers' data, see the Session Monitor Security Guide for information on the security features of Session Monitor.

During the installation of a Session Monitor server, you will encounter the server certificate and trusted certificate pages.

Server Certificate

The Server Certificate page is used to see and change the certificate used by this server. This step is recommended to protect users' data.

For more information, see the discussion about encryption and certificates in the Session Monitor Security Guide.

During a fresh installation, the Platform Setup Application automatically generates a self‑signed certificate. You can sign a certificate signing request (CSR) with your own PKI and authenticate it on the Session Monitor server for trusted access or you can regenerate a new self‑signed certificate.

It is recommended that you use CA-signed certificates. Starting with Release 6.1, the Server Certificate option allows you to:

  • Select one of these options:
    • Sign Certificate (for generating CSR)
    • Regenerate Key and Certificate
  • Configure several parameters directly from the PSA page (Platform Setup Application) using the Advanced configuration dialog box
  • Create key pairs with different configurations
To proceed further with the configuration, you must select any one of the options:
  • Sign Certificate
or
  • Regenerate Key and Certificate
Generating a Self-Signed Certificate

You can sign a certificate signing request (CSR) with your own PKI and authenticate it on the Session Monitor server for trusted access or you can also regenerate a new self‑signed certificate.

  1. Sign Certificate:
    1. When you select the Sign Certificate option, the IP address of the machine is already added.
    2. Click Advanced Configuration. For information on the next steps, see the Advanced Configuration section.
    3. Click Download Request to download the CSR. A new key pair is generated as per the configurations made in the previous step. The location is opt/oracle/ocsm/etc/iptego/csr/CSR_KEY.key.
    4. Click Upload to upload the signed certificate.

      Note:

      When signed certificates are uploaded or regenerated, all dependent TLS connections are interrupted and must be re-established using the new signed certificate.
  2. Regenerating Key and Certificate:
    1. When you select this option, the IP address of the machine is already added.
    2. Click Advanced Configuration. For information on the next steps, see the Advanced Configuration section.
    3. Click Apply to generate a new certificate using the settings made in the Advanced Configuration section and install the certificate on the system.

      Note:

      Regenerating the key and self-signed certificate breaks the existing certificate pinnings and signatures.
Advanced Configuration

The Advanced Configuration dialog box enables you to configure certificate parameters.

The fields Organization, Organization Unit, Common Name, Key Algorithm, Key Size, and Digest Algorithm are mandatory. By default, these fields are populated with default values, but you can edit these fields as needed. Advanced Configuration is optional.
  1. In the pop-up dialog box, add details for the configurable fields:

    Table 4-3 Configurable parameters

    Country Code
      Description:
      • Two-letter country code where the organization is located.
      • Required for X.509 certificates to specify the country in the certificate's distinguished name (DN).
      Values: Select a value from the drop-down list.

    State
      Description:
      • State or province name where the organization is located.
      • Used to further specify the organization's location in the certificate.
      Values: Provide an appropriate value.

    Locality
      Description:
      • City or locality name where the organization is located.
      • Used to specify the city or locality in the certificate.
      Values: Provide an appropriate value.

    Organization
      Description:
      • Name of the organization that owns the certificate.
      • Required for organizational identification in the certificate.
      Values: Default Value: Oracle Corporation. This can be edited.

    Organization Unit
      Description:
      • Department or unit within the organization.
      • To specify the organizational unit responsible for the certificate.
      Values: Default Value: Communications. This can be edited.

    Common Name
      Description:
      • Fully Qualified Domain Name (FQDN) for which the certificate is issued.
      • Essential for SSL/TLS certificates to secure a specific domain.
      Values: Default Value: Oracle Communications Session Monitor. This can be edited.

    Key Usage List
      Description:
      • Defines the purposes for which the key can be used.
      • Used to enforce proper usage of the certificate's key.
      • To restrict the key usage to specific purposes.
      Values:
      • digitalSignature*
      • nonRepudiation*
      • keyEncipherment*
      • dataEncipherment
      • keyAgreement
      • keyCertSign
      • cRLSign
      • encipherOnly
      • decipherOnly

      * stands for Mandatory fields

      Note:

      Either leave this blank or necessarily include:
      • digitalSignature
      • nonRepudiation
      • keyEncipherment

    Extended Key Usage List
      Description:
      • Specifies additional purposes for the certificate.
      • Used for more granular control over the certificate's use cases.
      Values:
      • serverAuth*
      • clientAuth*
      • codeSigning
      • emailProtection
      • timeStamping
      • OCSPSigning
      • ipsecIKE
      • msCodeInd
      • msCodeCom
      • msCTLSign

      * stands for Mandatory fields

      Note:

      Either leave this blank or necessarily include:
      • serverAuth
      • clientAuth

    Key Algorithm
      Description:
      • Used when generating the key pair to determine the algorithm.
      • To specify the cryptographic algorithm for the key pair.
      Values:
      • RSA
      • ECDSA

    Key Size
      Description:
      • Size of the cryptographic key in bits.
      • Used when generating the key pair for the certificate.
      • To determine the strength of the encryption.
      Values:
      • RSA:
        • 2048
        • 3072
        • 4096
      • ECDSA:
        • p256
        • p384

    Digest Algorithm
      Description:
      • Hash function used for signing the certificate.
      • To ensure the integrity and security of the certificate.
      Values:
      • SHA256
      • SHA384
      • SHA512
  2. Click OK to apply the configuration changes. Clicking Reset sets all fields to their default values.

    Note:

    The Key Usage List and Extended Key Usage List parameters are used to specify the intended purposes of a certificate. Ensure that any modifications to these parameters comply with the Certificate Authority (CA) signing process guidelines and specifications required for Certificate Signing Request (CSR) generation.
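
One way to check a downloaded CSR against the Key Usage, Extended Key Usage, digest, and key size rules in Table 4-3 before sending it to your CA. This is an added example, not part of the Oracle documentation or product; it assumes the openssl CLI is installed, and the function names `has_all`, `check_csr`, and `make_sample_csr` are hypothetical. The sample CSR is constructed locally with the default subject values from the table.

```shell
#!/bin/sh
# Added example, not Oracle code: check a CSR against the Table 4-3 rules
# before it goes to the CA. Requires the openssl CLI (assumed installed).

# has_all LIST NAME... : succeed only if every NAME occurs in LIST.
has_all() {
  list=$1; shift
  for name in "$@"; do
    case $list in *"$name"*) ;; *) return 1 ;; esac
  done
}

# check_csr FILE : print findings; return 0 only if every check passes.
check_csr() {
  rc=0
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
    { echo "unreadable CSR: $1"; return 2; }
  # In openssl's text output the values sit on the line after each header.
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  # Table rule: leave the list blank, or include every mandatory value.
  if [ -n "$ku" ] && ! has_all "$ku" "Digital Signature" \
      "Non Repudiation" "Key Encipherment"; then
    echo "Key Usage lacks a mandatory value:$ku"; rc=1
  fi
  if [ -n "$eku" ] && ! has_all "$eku" "TLS Web Server Authentication" \
      "TLS Web Client Authentication"; then
    echo "Extended Key Usage lacks a mandatory value:$eku"; rc=1
  fi
  # Digest must be one of SHA256, SHA384, SHA512.
  printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: .*sha(256|384|512)' ||
    { echo "digest is not SHA256/SHA384/SHA512"; rc=1; }
  # Key size must be an RSA or ECDSA size the dialog offers.
  bits=$(printf '%s\n' "$text" | sed -nE 's/.*Public-Key: \(([0-9]+) bit\).*/\1/p')
  case $bits in
    2048|3072|4096|256|384) ;;
    *) echo "key size '$bits' is not offered in the dialog"; rc=1 ;;
  esac
  return "$rc"
}

# make_sample_csr OUT KU : constructed CSR using the page's default subject.
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/O=Oracle Corporation/OU=Communications/CN=Oracle Communications Session Monitor" \
    -addext "keyUsage=$2" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" 2>/dev/null
}
```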