E Configure TLSv1.2 for Communication with the Enterprise Manager Repository

By enabling the TLSv1.2 protocol for communication with the Enterprise Manager Repository, the Oracle Management Service communicates with the repository in a secured mode using TLS to encrypt communication traffic and allow the Enterprise Manager Repository to authenticate itself to the Oracle Management Service.

To enable TLSv1.2 protocol for communication with the Enterprise Manager Repository, follow these steps:

Step 1: Configure TLSv1.2 for the Enterprise Manager Repository

Because the Enterprise Manager Repository resides within an Oracle database, the best practices for configuring SSL on an Oracle database also apply to the Enterprise Manager Repository. Refer to the Oracle Database Security Guide to obtain detailed information on configuring SSL.
  • For a sample configuration on an Oracle 11.2 RAC, refer to MOS Note ID 1448841.1.

  • In the sqlnet.ora or the listener.ora file, ensure that the SSL_VERSION parameter is set to 1.2 for configuring TLSv1.2.

  • In the sqlnet.ora file, ensure that the SSL_CLIENT_AUTHENTICATION parameter is set to FALSE.

  • Verify the configuration by making a TLS connection with SQL*Plus using a TCPS connect descriptor before proceeding to the next step.

    To ensure that the connect descriptors are correct, you can test the connection by running the following command:

    ./sqlplus sysman/<sysman_pwd>@"(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID/SERVICE>)))"

Note:

It is important to keep both the TCP and TCPS listeners up until the Oracle Management Service connect descriptor is changed to use TCPS, as shown in Step 2.

Step 2: Configuring the Oracle Management Service to connect to the TLSv1.2-enabled Enterprise Manager Repository

Perform the following sequence of steps in a rolling manner: start with the Primary Oracle Management Service, then proceed with the remaining Oracle Management Services.

  1. Import the database server CA certificate into the Oracle Management Service JDK TrustStore.

    Execute the following after backing up the server CA certificates:
    $ORACLE_HOME/oracle_common/jdk/bin/keytool -importcert -file trustCert.pem -alias emreprootca -keystore $ORACLE_HOME/oracle_common/jdk/jre/lib/security/cacerts -storepass $JDK_PASSWORD
  2. Disable Oracle DB client native encryption.

    Edit the <ORACLE_HOME>/gc_inst/em/EMGC_OMS<n>/emgc.properties file and add the following line:
    oracle.sysman.core.conn.enableEncryption=false 
    
    Execute the following on the Primary Oracle Management Service only:
    emctl set property -name "oracle.sysman.core.conn.enableEncryption" -value "false" -sysman_pwd sysman
  3. Change the connect descriptor to use only TCPS.

    Obtain the existing connect descriptor using the command: emctl config oms -list_repos_details

    Execute the following using the changed TCPS protocol and port.
    emctl config oms -store_repos_details -repos_user sysman -repos_pwd <SYSMAN_PWD> -repos_conndesc "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID/SERVICE>)))"
    
    Ensure that the Port and Protocol properties in the following files have been updated to the TCPS port and protocol. If they have not, modify them to use the TCPS settings.
    <EM_INSTANCE>/user_projects/domains/GCDomain/config/fmwconfig/jps-config.xml 
    <EM_INSTANCE>/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml 
    <EM_INSTANCE>/user_projects/domains/GCDomain/config/fmwconfig/embi-policystoremerge-jpscfg.xml
  4. Change the Connect Descriptor of Services to use only TCPS.

    If other services have been created for subsystems such as Ping, Events, Jobs and Loader, modify their connect descriptors to use the new TCPS configuration details.

    Execute the following on the Primary Oracle Management Service first.

    For the Ping subsystem connect descriptor:
    emctl set property -name "oracle.sysman.core.omsAgentComm.ping.connectionService.connectDescriptor" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=ping\)\)\)" -sysman_pwd <SYSMAN_PWD>
    For the Event subsystem connect descriptor:
    emctl set property -name "oracle.sysman.core.events.connectDescriptor" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=event\)\)\)" -sysman_pwd <SYSMAN_PWD>
    For the Jobs subsystem connect descriptor:
    emctl set property -name "oracle.sysman.core.jobs.conn.service" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=emjob\)\)\)" -sysman_pwd <SYSMAN_PWD>
    For the Loader subsystem connect descriptor:
    emctl set property -name "oracle.sysman.core.pbs.gcloader.connectDescriptor" -value "\(DESCRIPTION=\(ADDRESS_LIST=\(ADDRESS=\(PROTOCOL=TCPS\)\(HOST=<REPOS_HOST/SCAN_HOST>\)\(PORT=<TCPS_PORT>\)\)\)\(CONNECT_DATA=\(SERVICE_NAME=loader\)\)\)" -sysman_pwd <SYSMAN_PWD>

Once steps 2-1 through 2-4 have been run on the Primary Oracle Management Service, repeat them for all remaining Oracle Management Services.

Step 3: Configure blackouts for Enterprise Manager Repository-related targets

In order to suppress alerts until the target configurations are complete, place all targets related to the Enterprise Manager Repository (oracle_database, oracle_emrep, oracle_oms, and metadata_repository target types) under blackout.

Step 4: Bounce all Oracle Management Services

Execute the following on all Oracle Management Services starting with Primary Oracle Management Service:

emctl stop oms -all

Disable the TCP listener in the listener.ora file of Enterprise Manager Repository and bounce the listener again to enable only the TCPS connection.

Start the primary Oracle Management Service.

emctl start oms

Note:

If the Oracle Management Services do not start, you will need to do one of the following:

Add "SQLNET.RECV_TIMEOUT=100000" to the database sqlnet.ora file.

OR

Apply database patch 20544797 (preferred method).

Once the Primary Oracle Management Service is up, start the remaining Oracle Management Services one at a time.

Step 5: Reconfigure the Agents monitoring the Enterprise Manager Repository

Reconfigure the Primary Oracle Management Service central agent that is monitoring the Management Repository by locating the target "Management Services and Repository" in its targets.xml file. If RAC is configured for the repository, you will also need to locate the Enterprise Manager Repository host Agent(s).

Execute the following on each of the agents identified above that monitors a target referencing the repository connection:
<AGENT_INSTANCE>/bin/emctl setproperty agent -name connectionTrustStoreLocation -value <...>/client/wallet/ewallet.p12
<AGENT_INSTANCE>/bin/emctl setproperty agent -name connectionTrustStorePassword -value <…>
<AGENT_INSTANCE>/bin/emctl setproperty agent -name connectionTrustStoreType -value PKCS12

Locate the sqlnet.ora configuration file in the following directory inside the home directory for the Primary Oracle Management Service central agent that is monitoring the Management Repository:

AGENT_HOME/network/admin (UNIX)

AGENT_HOME\network\admin (Windows)

Ensure sqlnet.ora contains the following snippet:
SSL_CLIENT_AUTHENTICATION = FALSE 
SSL_VERSION = 1.2
WALLET_LOCATION = (SOURCE =
   (METHOD = FILE) (METHOD_DATA =
      (DIRECTORY = <...>/client/wallet ) )
)

Bounce the agents that have been modified in this step.
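The following script is an added example and is not part of the Oracle documentation. It checks a sqlnet.ora (the repository's from Step 1 or the agent's from this step) for the three settings this procedure depends on: SSL_VERSION = 1.2, SSL_CLIENT_AUTHENTICATION = FALSE and a wallet DIRECTORY. It assumes a plain-text sqlnet.ora with one PARAMETER = VALUE pair per line (WALLET_LOCATION may span several lines); the sample file it writes is constructed and the wallet path in it is made up.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: verify that a sqlnet.ora
# carries the TLSv1.2 settings this procedure requires before bouncing anything.
# Assumes one "PARAMETER = VALUE" per line (WALLET_LOCATION may span lines).

# sqlnet_param FILE PARAM: print the value of PARAM (name match is
# case-insensitive; whitespace and "#" comments are ignored). Prints nothing
# when the parameter is absent.
sqlnet_param() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
    | awk -F= -v want="$2" 'toupper($1) == toupper(want) { print $2; exit }'
}

# check_sqlnet_ora FILE: return 0 when SSL_VERSION = 1.2,
# SSL_CLIENT_AUTHENTICATION = FALSE and a wallet DIRECTORY are all present;
# otherwise print one FAIL line per problem and return 1.
check_sqlnet_ora() {
    f=$1
    rc=0
    v=$(sqlnet_param "$f" SSL_VERSION)
    # The procedure asks for exactly 1.2; a list such as "1.2 or 1.1" is
    # rejected because it would allow negotiation down to an older version.
    if [ "$v" != "1.2" ]; then
        echo "FAIL: SSL_VERSION is '${v:-unset}', expected 1.2"
        rc=1
    fi
    a=$(sqlnet_param "$f" SSL_CLIENT_AUTHENTICATION | tr 'a-z' 'A-Z')
    if [ "$a" != "FALSE" ]; then
        echo "FAIL: SSL_CLIENT_AUTHENTICATION is '${a:-unset}', expected FALSE"
        rc=1
    fi
    d=$(sed 's/[[:space:]]//g' "$f" | grep -o 'DIRECTORY=[^)]*' | head -n 1 | cut -d= -f2)
    if [ -z "$d" ]; then
        echo "FAIL: WALLET_LOCATION has no DIRECTORY entry"
        rc=1
    elif [ ! -d "$d" ]; then
        # Not fatal: the wallet may live on another host when checking a copy.
        echo "WARN: wallet directory '$d' does not exist on this host"
    fi
    return $rc
}

# write_sample_sqlnet PATH: constructed sample matching the Step 5 snippet
# (the wallet directory is made up).
write_sample_sqlnet() {
    cat > "$1" <<'EOF'
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_VERSION = 1.2
WALLET_LOCATION = (SOURCE =
   (METHOD = FILE) (METHOD_DATA =
      (DIRECTORY = /u01/app/agent/client/wallet ) )
)
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_sqlnet "$sample"
if check_sqlnet_ora "$sample"; then
    echo "sqlnet.ora OK: $sample"
fi
rm -f "$sample"
```

To use it on a real file, call check_sqlnet_ora with the path of the sqlnet.ora under the agent's network/admin directory (or the database's) and act on any FAIL lines before bouncing the agent.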

Step 6: Reconfigure the targets referencing the Enterprise Manager Repository connection

Identify the targets referencing the repository connection in the target XML of the Primary Oracle Management Service central Agent monitoring the Enterprise Manager Repository. Also, identify the targets in target XML of the local physical host Agent if it is deployed on the Enterprise Manager Repository host.

Execute the following EMCLI command for each of the targets identified:
emcli modify_target -name="<Target Name>" -type="<target_type>" -properties="<Property>:<Property Value>;<Property>:<Property Value>" -on_agent

Note:

Make sure you use the target_name, target_type, property and property value format gathered from the Agent’s targets.xml file.

Examples:

emcli modify_target -name="database1.mycompany.com" -type="oracle_database" -properties="Port:<TCPS_PORT>;Protocol:TCPS" -on_agent
emcli modify_target -name="Management Services and Repository" -type="oracle_emrep" -properties="ConnectDescriptor:(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent
emcli modify_target -name="primary_oms.mycompany.com:4889_Management_Service" -type="oracle_oms" -properties="ConnectDescriptor:(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent
emcli modify_target -name="/EMGC_GCDomain/GCDomain/EMGC_ADMINSERVER/mds-owsm" -type="metadata_repository" -properties="JdbcUrl|jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent -subseparator=properties="|"
emcli modify_target -name="/EMGC_GCDomain/GCDomain/EMGC_ADMINSERVER/mds-sysman_mds" -type="metadata_repository" -properties="DatabaseName:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=<REPOS_HOST/SCAN_HOST>)(PORT=<TCPS_PORT>)))(CONNECT_DATA=(SID=<SID>)))" -on_agent
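The following script is an added example and is not part of the Oracle documentation; it serves both the connect-descriptor rewrite in Step 2 and the target identification in Step 6. The first part builds a single-address TCPS descriptor, produces the backslash-escaped form that the emctl set property commands in Step 2 take, and checks that a descriptor contains no TCP address at all (a leftover TCP address alongside the TCPS one would let a client fall back to a cleartext path). The second part scans an agent targets.xml and lists every target whose Protocol property is still TCP or whose descriptor-valued property still contains PROTOCOL=TCP, which is the list Step 6 asks you to feed to emcli modify_target. The targets.xml layout is an assumption (one <Target TYPE= NAME=> element per target with <Property NAME= VALUE=/> children, each tag on one line); the sample file, hostnames and ports are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Helpers for the descriptor
# rewrite in Step 2 and for finding the targets Step 6 asks you to identify.

# tcps_descriptor HOST PORT CONNECT_DATA: print a descriptor with one TCPS
# address. CONNECT_DATA is e.g. "SID=emrep" or "SERVICE_NAME=emjob".
tcps_descriptor() {
    printf '(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=%s)(PORT=%s)))(CONNECT_DATA=(%s)))' "$1" "$2" "$3"
}

# escape_descriptor DESC: backslash-escape every parenthesis, the form the
# -value arguments of the emctl set property commands in Step 2 use.
escape_descriptor() {
    printf '%s' "$1" | sed 's/[()]/\\&/g'
}

# descriptor_is_tcps_only DESC: return 0 only if every ADDRESS in the
# descriptor uses PROTOCOL=TCPS (and there is at least one ADDRESS).
descriptor_is_tcps_only() {
    protos=$(printf '%s\n' "$1" | tr -d ' ' | tr 'a-z' 'A-Z' | grep -o 'PROTOCOL=[A-Z]*' | cut -d= -f2)
    [ -n "$protos" ] || return 1
    for p in $protos; do
        [ "$p" = TCPS ] || return 1
    done
    return 0
}

# list_plaintext_targets TARGETS_XML: print "type<TAB>name<TAB>reason" for each
# target whose Protocol property is TCP or whose descriptor-valued property
# (ConnectDescriptor, JdbcUrl, DatabaseName, ...) still contains PROTOCOL=TCP.
list_plaintext_targets() {
    awk '
        # attr(line, key): value of the XML attribute key="..." on this line
        function attr(line, key,    n) {
            n = length(key)
            if (match(line, " " key "=\"[^\"]*\""))
                return substr(line, RSTART + n + 3, RLENGTH - n - 4)
            return ""
        }
        /<Target / { name = attr($0, "NAME"); type = attr($0, "TYPE"); why = "" }
        /<Property / {
            pn = attr($0, "NAME"); pv = toupper(attr($0, "VALUE"))
            if (toupper(pn) == "PROTOCOL" && pv == "TCP")
                why = why (why == "" ? "" : ",") "Protocol=TCP"
            else if (pv ~ /PROTOCOL=TCP\)/)
                why = why (why == "" ? "" : ",") pn
        }
        /<\/Target>/ { if (why != "") printf "%s\t%s\t%s\n", type, name, why }
    ' "$1"
}

# write_sample_targets_xml PATH: constructed sample (layout assumed; names,
# hosts and ports are made up). Two of the three targets still use TCP.
write_sample_targets_xml() {
    cat > "$1" <<'EOF'
<Targets>
  <Target TYPE="oracle_database" NAME="database1.mycompany.com">
    <Property NAME="MachineName" VALUE="repo-host.mycompany.com"/>
    <Property NAME="Port" VALUE="1521"/>
    <Property NAME="Protocol" VALUE="TCP"/>
  </Target>
  <Target TYPE="oracle_emrep" NAME="Management Services and Repository">
    <Property NAME="ConnectDescriptor" VALUE="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=repo-host.mycompany.com)(PORT=2484)))(CONNECT_DATA=(SID=emrep)))"/>
  </Target>
  <Target TYPE="oracle_oms" NAME="oms1.mycompany.com:4889_Management_Service">
    <Property NAME="ConnectDescriptor" VALUE="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=repo-host.mycompany.com)(PORT=1521)))(CONNECT_DATA=(SID=emrep)))"/>
  </Target>
</Targets>
EOF
}

# Stand-alone demonstration with constructed values.
demo_desc=$(tcps_descriptor repo-host.mycompany.com 2484 "SERVICE_NAME=emjob")
echo "descriptor: $demo_desc"
echo "emctl form: $(escape_descriptor "$demo_desc")"
sample=$(mktemp)
write_sample_targets_xml "$sample"
echo "targets still on TCP (candidates for emcli modify_target):"
list_plaintext_targets "$sample"
rm -f "$sample"
```

On a real system, run descriptor_is_tcps_only on the descriptor you pass to emctl config oms -store_repos_details before executing it, and run list_plaintext_targets against the targets.xml of each agent named in Step 6; every line it prints is a target that still needs an emcli modify_target call like the examples above.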

Step 7: End blackouts for Management Repository-related targets

Bring the Enterprise Manager Repository-related targets out of blackout and verify that the targets have Target Up status in Enterprise Manager Console.