
How to disable SSL security protocols for OEM 12.1.0.5 ?

4179715
4179715 Member Posts: 4
edited Feb 5, 2020 9:49AM in Enterprise Manager

Hello,

I have OEM 12.1.0.5 running on Oracle Linux 64 bit platform and I would like to disable all SSL protocols for security reason. I will really appreciate if you can provide the detailed steps. Thank you for your help.

Best Answer

  • Venkata Thiruveedhi-Oracle
    Venkata Thiruveedhi-Oracle Posts: 590 Employee
    edited Jan 30, 2020 9:06AM Accepted Answer

    Hi Jean,

    I am not sure if I can attach a file.

    But here I am pasting the content.

    I OMS:

    Following the steps below will force the OMS to accept only TLSv1 connections on non-AIX OS platforms:

    1. Secure the OMS using the command below.
    <OMS HOME>/bin>emctl secure oms -console -protocol TLSv1

    Note:
    If the OMS is configured with custom/third party certificates,

    a. Then also specify the wallet location in the secure command, with the -wallet and -trust_certs_loc arguments.
    <OMS HOME>/bin>./emctl secure oms -wallet <wallet_location> -trust_certs_loc <location of trusted certificate> -console -protocol TLSv1

    b. Then run the command below to secure the console again with the custom/third-party certificates.
    <OMS_HOME>/bin>emctl secure console -wallet <location of custom wallets>

    2. Stop the OMS using the command below.
    <OMS HOME>/bin>emctl stop oms -all

    3. Take a backup of the startEMServer.sh file (Unix) or startEMServer.cmd (Windows) located in the <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/bin directory.
    For example: /home/oracle/Oracle/gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh

    4. Open the file startEMServer.sh / startEMServer.cmd and locate the line which begins with JAVA_OPTIONS. Look for the last entry for JAVA_OPTIONS in the file.
    For example:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.egd=file:///dev/urandom"

    5. Append the below property to the JAVA_OPTIONS. If this property already exists, update the value to TLS1.

    -Dweblogic.security.SSL.protocolVersion=TLS1


    For example:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.egd=file:///dev/urandom -Dweblogic.security.SSL.protocolVersion=TLS1"

    6. Start the OMS:

    <OMS_HOME>/bin>emctl start oms

    Note: EM 12c Agents on AIX platforms need to be patched as per the steps in the documents below after configuring any OMS in TLSv1-only mode.
    EM12c : Enterprise Manager 12c Cloud Control Agent on AIX cannot Secure or Upload to an OMS Configured to Accept only tls Communications (Note 1965676.1)
    EM12c: Agent Deployment on AIX Server Fails after Securing OMS with TLSv1 only Protocol (Note 2067158.1)

    II Agent:

    1. To configure the 12.1.0.5 Management Agent in TLSv1-only mode, no additional patches are required; continue with step 2.

      To configure the 12.1.0.4 Management Agent in TLSv1-only mode, apply 12.1.0.4.10 Agent Bundle Patch 21168025 or higher on the 12.1.0.4 Agent Home.

      To configure the 12.1.0.3 Management Agent in TLSv1-only mode, apply 12.1.0.3.11 Agent Bundle Patch 19930706 and Patch 19154291 on the 12.1.0.3 Agent Home.

    2. Then run the commands below on the Agent Home to set TLSv1-only mode.

    <AGENT_ORACLE_HOME>/bin/emctl setproperty agent -name allowTLSOnly -value true
    <AGENT_ORACLE_HOME>/bin/emctl stop agent
    <AGENT_ORACLE_HOME>/bin/emctl start agent

    3. You can also configure this parameter 'allowTLSOnly' to true from the OEM console.
    Refer to Note 1371799.1 on 'How to Configure Properties of Single / Multiple Agents From Console UI'

    III WLS:

    By default, the WLS server (Admin Server and Managed Server) used with OEM 12c does not accept connections using SSLv2 but accepts SSL connections using SSLv3 or TLSv1, as negotiated during the SSL handshake with the client.

    1. To configure the WLS server (Admin Server and Managed Server) used with OEM 12c to accept connections over TLSv1 only, the OMS needs to be configured in TLSv1-only mode.

    2. To configure the WLS server (Admin Server and Managed Server) used with OEM 12c to accept connections over SSLv3 only, the OMS needs to be configured in SSLv3-only mode.

    3. The emnodemanager process accepts connections over the SSLv2, SSLv3 and TLSv1 protocols by default, even though the OMS is configured in TLSv1 or SSLv3 mode. This is due to a bug.
    From OEM version 12.1.0.3, EMNodemanager can be configured to accept either SSLv3-only or TLSv1-only connections using the workaround below.

    + Take a backup of the <OMS_HOME>/bin/startOMS.py file and edit it.

    + Add the following line to $OMS_HOME/bin/startOMS.py in the executeNM method:

    nm.addJvmArg("-Dweblogic.security.SSL.protocolVersion=TLS1")

    Example:

    def executeNM(**nmProps):
        try:
            global childProcess
            nm = JavaExec.createCommand("weblogic.NodeManager")
            nm.addDefaultClassPath()
            #adding verbose arg
            #nm.addArg("-v")
            # adding jvm args
            nm.addJvmArg("-Xms126m")
            nm.addJvmArg("-Xmx382m")
            nm.addJvmArg("-Dweblogic.security.SSL.protocolVersion=TLS1")   # line added for TLSv1-only mode
            javaVendor = System.getProperty("java.vendor")
            javaDataArch = System.getProperty("sun.arch.data.model")
            doNotUseD64 = System.getProperty("do.not.use.d64")
            osName = System.getProperty("os.name")
            # (rest of the method unchanged)

    Save the file.

    +Restart OMS
    <OMS_HOME>/bin>emctl stop oms -all
    <OMS_HOME>/bin>emctl start oms

    IV: Rollback / Mixed Mode:

    This is the default mode used by the OMS, which allows it to accept both SSLv3 and TLSv1 connections, depending on the negotiation done at the time of the SSL handshake with the client:

    1. Secure the OMS using the command below.
    <OMS HOME>/bin>emctl secure oms -console

    If the OMS is configured with custom/third-party certificates, then also specify the wallet location in the secure command, with the -wallet and -trust_certs_loc arguments.

    2. Stop the OMS using the command below.
    <OMS HOME>/bin>emctl stop oms -all

    3. Take a backup of the startEMServer.sh file (Unix) or startEMServer.cmd (Windows) located in the <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/bin directory.
    For example: /home/oracle/Oracle/gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh

    4. Open the file startEMServer.sh / startEMServer.cmd and locate the line which begins with: JAVA_OPTIONS.
    For example:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.egd=file:///dev/urandom"

    5. Add the below property to the JAVA_OPTIONS. If this property already exists, update the value to ALL.

    -Dweblogic.security.SSL.protocolVersion=ALL

    For example:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.egd=file:///dev/urandom -Dweblogic.security.SSL.protocolVersion=ALL"

    6. Start the OMS:

    <OMS_HOME>/bin>emctl start oms

    V  OPMN:

    If there is a requirement to disable SSLv3 and allow only TLSv1.0 on OHS Admin Port 9999 and OPMN Port 6701, then follow the steps below.

    1. Stop the OMS:

    cd <OMS_HOME>/bin
    ./emctl stop oms -all

    2. For port 9999:

    - Take a backup of <gc_inst>/WebTierIH1/config/OHS/ohs1/admin.conf.
    - Edit the file and modify the parameter below to:

    SSLProtocol -All +TLSv1

    - Save the file.

    3. For port 6701:

    - Apply Patch 19345576 to the webtier home.
    - Take a backup of the <gc_inst>/WebTierIH1/config/OHS/ohs1/ssl.conf
    - Edit the ssl.conf available at <gc_inst>/WebTierIH1/config/OHS/ohs1/

    change:
    SSLProtocol TLSv1
    to
    SSLProtocol -All +TLSv1

    - Take a backup of the <gc_inst>/WebTierIH1/config/OPMN/opmn/opmn.xml.

    - Now edit opmn.xml file and modify:

    from:
    <ssl enabled="true" wallet-file="<EM_INSTANCE_HOME>/WebTierIH1/config/OPMN/opmn/wallet"/>

    to:
    <ssl enabled="true" wallet-file="<EM_INSTANCE_HOME>/WebTierIH1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA"/>

    NOTE: In the above, the path needs to be modified according to your environment.

    4. Now restart OMS:

    emctl start oms

    VI Verification:

    To verify whether the OMS / Agent can accept a particular SSL protocol version, you can use OS-level utilities such as openssl on Unix / Linux.

    1. To check whether OMS / Agent can accept SSLv2:

    openssl s_client -connect <oms host name>.<domain>:<oms https console/upload port> -ssl2
    openssl s_client -connect <agent host name>.<domain>:<agent port> -ssl2

    For example:

    openssl s_client -connect <oms host name>.<domain>:7799 -ssl2
    openssl s_client -connect <agent host name>.<domain>:3872 -ssl2

    2. To check whether OMS / Agent can accept SSLv3:

    openssl s_client -connect <oms host name>.<domain>:<oms https console/upload port> -ssl3
    openssl s_client -connect <agent host name>.<domain>:<agent port> -ssl3

    3. To check whether OMS / Agent can accept TLSv1:

    openssl s_client -connect <oms host name>.<domain>:<oms https console/upload port> -tls1
    openssl s_client -connect <agent host name>.<domain>:<agent port> -tls1

    If the OMS / Agent does not accept a particular SSL version, the command will fail with an error. For example, using SSLv2 will result in:

    CONNECTED(00000003)
    13406:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
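The procedure in the accepted answer above, as an added example that is not part of the original post and not Oracle's EM tooling: a bash helper that performs the startEMServer.sh edit from sections I and IV idempotently (backing the file up first and replacing an existing -Dweblogic.security.SSL.protocolVersion value rather than appending a second copy of the flag), and that runs and interprets the openssl s_client checks from section VI. The interpretation matters on current hosts: OpenSSL 1.1.0 and later ship without SSLv2 and, in default builds, without SSLv3, so `-ssl2`/`-ssl3` fail with an "unknown option" error from the client itself, which says nothing about what the OMS or agent accepts; the helper reports that case as "untestable" instead of "rejected". It assumes bash, GNU sed (`sed -i`) and an `openssl` binary on PATH; the hostnames and ports in the usage line are placeholders, and the emctl secure/stop/start steps are not automated.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Oracle's EM tooling.
# Helpers for the procedure above:
#   set_wls_protocol  - sections I/IV: set -Dweblogic.security.SSL.protocolVersion
#                       on the last JAVA_OPTIONS line of startEMServer.sh
#   probe_protocol    - section VI: run openssl s_client with -ssl2/-ssl3/-tls1
#   classify_probe    - interpret s_client output (also usable on saved output)
# Hostnames/ports in the usage line are placeholders for your environment.
set -u

PROP='-Dweblogic.security.SSL.protocolVersion'

# set_wls_protocol <startEMServer.sh> <TLS1|ALL>
# Backs up the file, then replaces an existing value of the property in place
# (so re-running never produces two copies of the flag) or appends it to the
# last JAVA_OPTIONS="..." assignment. Prints the resulting line.
set_wls_protocol() {
    local file="$1" value="$2" last
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q -- "$PROP=" "$file"; then
        sed -i "s|$PROP=[A-Za-z0-9_.]*|$PROP=$value|g" "$file"
    else
        last=$(grep -n '^JAVA_OPTIONS=' "$file" | tail -n 1 | cut -d: -f1)
        [ -n "$last" ] || { echo "no JAVA_OPTIONS line in $file" >&2; return 1; }
        # insert the flag just before the closing quote of that line
        sed -i "${last}s|\"\$| $PROP=$value\"|" "$file"
    fi
    grep -- "$PROP=" "$file" | tail -n 1
}

# classify_probe <s_client output>  ->  accepted | rejected | untestable | error
#   untestable: this openssl build refused before talking to the server
#               (-ssl2/-ssl3 unknown on OpenSSL >= 1.1.0 default builds, or the
#               client's own minimum-version policy answered "unsupported
#               protocol"); says nothing about what the OMS/agent accepts.
#   rejected:   the server refused the version (handshake failure, version
#               alert, or no cipher negotiated). Note that old s_client still
#               prints "Protocol : TLSv1" in SSL-Session after a failure, which
#               is why this check runs before the accepted check.
#   accepted:   a session with the requested version was established.
classify_probe() {
    local out="$1"
    if printf '%s\n' "$out" | grep -Eiq 'unknown option|unrecognized option|unsupported protocol'; then
        echo untestable
    elif printf '%s\n' "$out" | grep -Eiq 'handshake failure|protocol version|wrong version number|Cipher is \(NONE\)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq '^ *Protocol *: *(SSLv[23]|TLSv1)'; then
        echo accepted
    else
        echo error
    fi
}

# probe_protocol <host:port> <-ssl2|-ssl3|-tls1>
probe_protocol() {
    local target="$1" flag="$2" out
    # stdin from /dev/null so s_client exits right after the handshake attempt
    out=$(openssl s_client -connect "$target" "$flag" </dev/null 2>&1)
    classify_probe "$out"
}

# sweep <host:port>...   one line per target and protocol flag
sweep() {
    local target flag
    for target in "$@"; do
        for flag in -ssl2 -ssl3 -tls1; do
            printf '%-40s %-6s %s\n' "$target" "$flag" "$(probe_protocol "$target" "$flag")"
        done
    done
}

# Usage (placeholder hosts/ports):
#   ./emtls.sh --sweep oms.example.com:7799 agent.example.com:3872
if [ "${1:-}" = "--sweep" ]; then
    shift
    sweep "$@"
fi
```

Run the sweep after `emctl start oms` and after restarting each agent. The desired end state for a TLSv1-only OMS is "rejected" for -ssl2 and -ssl3 and "accepted" for -tls1 on the console/upload port and on every agent port; an "untestable" row means the probing host's openssl cannot speak that version at all, so repeat that probe from a host with an older openssl (or one built with SSLv3 enabled) before treating the port as clean.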

Answers

  • Venkata Thiruveedhi-Oracle
    Venkata Thiruveedhi-Oracle Posts: 590 Employee
    edited Jan 30, 2020 7:15AM

    Hi,

    Please find the document below:

    EM 12c: Configure Enterprise Manager 12c Cloud Control to Accept Connections with TLSv1.0 Protocol (Doc ID 1602983.1)

    Best Regards,
    Venkat

  • 4179715
    4179715 Member Posts: 4
    edited Jan 30, 2020 8:53AM

    Venkat,

    Thank you for your quick response but unfortunately I was not able to open this document. I was wondering if you can send me this document as an attachment. Once again thank you for you precious help. Have a wonderful day.

    Sincerely,

    Jean-Jacques
