IzzySoft

OEM hints

Securing agent connections

Oracle's default installation not only permits deprecated TLS versions (TLSv1, TLSv1.1) but also thoroughly outdated ciphers (RC4). A security auditor would rightfully complain, even if this is "only in the intranet". Let's get that fixed: we'll permit only TLS 1.2 and newer and remove the RC4 ciphers.

  1. log in to the OEM console
  2. use the drop-down menu in the upper right: Setup › Manage Cloud Control › Agents
  3. mark the agent, open Properties
  4. use the drop-down in the upper left: Agent › Properties
  5. in the Show drop-down select All Properties
  6. hit the Expand all button or just expand Runtime Settings
  7. scroll to minimumTLSVersion and adjust its value to TLSv1.2
  8. scroll to SSLCipherSuites and adjust (e.g. to TLS_RSA_WITH_AES_128_CBC_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA)
  9. press the Apply button in the upper right
  10. repeat steps 3 to 9 for all other agents

That done, restart the agents on all affected machines: emctl stop agent && emctl start agent

Alternatively, from the command line on the agent host:

# stop the agent
emctl stop agent

# Take a backup and edit <AGENT INST HOME>/sysman/config/emd.properties file
# add the following lines and then save the file again:
_frameworkTlsProtocols=TLSv1.2
_frameworkSSLContextProtocol=TLSv1.2
minimumTLSVersion=TLSv1.2

# start the agent again
emctl start agent

# set the cipher suites
$AGENT_BASE/agent_inst/bin/emctl setproperty agent -name SSLCipherSuites \
-value TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA:RSA_WITH_AES_256_CBC_SHA256

That's what the MOS notes say (see below). In practice it will usually suffice to

$AGENT_BASE/agent_inst/bin/emctl setproperty agent -name minimumTLSVersion \
-value TLSv1.2
$AGENT_BASE/agent_inst/bin/emctl setproperty agent -name SSLCipherSuites \
-value TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA:RSA_WITH_AES_256_CBC_SHA256

The "underscore parameters" won't be accepted by setproperty or getproperty, but they do not seem to be required either: after applying the above to a 13.4 agent, connections with TLS < 1.2 were no longer possible.

Verification is possible e.g. using the openssl tool on Linux:

# check cipher suite
openssl s_client -connect <host>:<port> -cipher <cipher_value>
# check TLS version
openssl s_client -connect <host>:<port> <tls_version>
# examples:
openssl s_client -connect localhost:3872 -cipher AES # should succeed
openssl s_client -connect localhost:3872 -tls1_2     # should succeed
openssl s_client -connect localhost:3872 -cipher RC4 # should fail
openssl s_client -connect localhost:3872 -tls1_1     # should fail

Using a disallowed <cipher_value> (e.g. RC4) you should receive a "handshake alert error", while a valid one (e.g. AES128) returns a list of session properties. Similarly, <tls_version> should fail for -tls1 and -tls1_1 but succeed with -tls1_2 if the above changes were applied successfully.

For the server side, you'll need to adjust multiple components: the OMS (OHS component), WLS, and the OHS admin port. How to do that, and more details on the above, can be found at:

Should you need to enforce the cipher order, take a look at the SSLHonorCipherOrder directive. This is set in the OMS OHS component. Example:

SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

SSLHonorCipherOrder ON

The default is OFF, i.e. the cipher order is not enforced. For the agent, this is as simple as adding SSLHonorCipherOrder=true to the emd.properties file. You can test whether this is honored as described above:

# check cipher suite
openssl s_client -connect <host>:<port> -cipher <low_cipher_value>:<high_cipher_value>

(Going by the configured SSLCipherSuites: if you put a lower-ranked suite, i.e. one further towards the end of the agent's list, first and a higher-ranked one last, the latter should be the one negotiated, since the agent lists it earlier in its own order.)
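As an added example (not the author's code nor anything shipped by Oracle), a small Python audit that reads an emd.properties file and flags the settings discussed above: a minimumTLSVersion below TLSv1.2, RC4 (and similarly weak) entries in SSLCipherSuites, and a missing SSLHonorCipherOrder=true. The two property files are constructed samples, and the weak-suite markers beyond RC4 are my own additions.

```python
# Constructed samples of an agent's emd.properties before and after the hardening
# described on this page (not copied from any real installation).
BEFORE = """\
EMD_URL=https://agenthost.example:3872/emd/main/
minimumTLSVersion=TLSv1
SSLCipherSuites=SSL_RSA_WITH_RC4_128_SHA:\\
    TLS_RSA_WITH_AES_128_CBC_SHA
"""
AFTER = """\
EMD_URL=https://agenthost.example:3872/emd/main/
minimumTLSVersion=TLSv1.2
SSLCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA
SSLHonorCipherOrder=true
"""

TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "anon", "MD5")  # suite substrings to reject (my choice)

def parse_properties(text):
    """Minimal reader for emd.properties: key=value, '#' comments, '\\' line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props, min_version="TLSv1.2"):
    """Return (severity, message) findings; an empty list means the policy is met."""
    findings = []
    ver = props.get("minimumTLSVersion")
    if ver is None:
        findings.append(("fail", "minimumTLSVersion unset: default still accepts TLSv1/TLSv1.1"))
    elif TLS_RANK.get(ver, 0) < TLS_RANK[min_version]:
        findings.append(("fail", f"minimumTLSVersion={ver} is below {min_version}"))
    suites = props.get("SSLCipherSuites", "")
    if not suites:
        findings.append(("fail", "SSLCipherSuites unset: default list includes RC4"))
    for suite in filter(None, suites.split(":")):
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(("fail", f"weak cipher suite configured: {suite}"))
    if props.get("SSLHonorCipherOrder", "false").lower() != "true":
        findings.append(("info", "SSLHonorCipherOrder not true: agent's cipher order not enforced"))
    return findings
```

Run audit(parse_properties(open(path).read())) against a real emd.properties after a backup; the "info" finding only matters if you actually want the order enforced.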

2021-08-25