Tuesday, August 14, 2018

Restrict OEM agent 13.2 to use TLS protocol TLSv1.2

By default, the Oracle Enterprise Manager 13.2 agent accepts TLSv1.0, TLSv1.1 and TLSv1.2, i.e. every TLS version that existed when OEM 13.2 was released. To restrict the agent to TLSv1.2 only, proceed as follows.

1. Stop the agent
   <AGENT_HOME>/bin/emctl stop agent
[oracle@host01]$ /u01/software/em/agent/agent_13.2.0.0.0/bin/emctl stop agent
Oracle Enterprise Manager Cloud Control 13c Release 2 
Copyright (c) 1996, 2016 Oracle Corporation.  All rights reserved.
Stopping agent ... stopped.

2. Add the following lines to the agent configuration file <AGENT_INST_HOME>/sysman/config/emd.properties
    _frameworkTlsProtocols=TLSv1.2
    _frameworkSSLContextProtocol=TLSv1.2
[oracle@host01]$ cd /u01/software/em/agent/agent_inst/sysman/config
[oracle@host01]$ grep '^_' emd.properties
_dumpDispatcherWhenOverloaded=true
_disableLoadDPFromCacheNormal=true
_enableJobSystemStreamsTracing=true
_SchedulePersistTimer=30
[oracle@host01]$
[oracle@host01]$ echo "_frameworkTlsProtocols=TLSv1.2" >> emd.properties
[oracle@host01]$ echo "_frameworkSSLContextProtocol=TLSv1.2" >> emd.properties
[oracle@host01]$
[oracle@host01]$ grep '^_' emd.properties
_dumpDispatcherWhenOverloaded=true
_disableLoadDPFromCacheNormal=true
_enableJobSystemStreamsTracing=true
_SchedulePersistTimer=30
_frameworkTlsProtocols=TLSv1.2
_frameworkSSLContextProtocol=TLSv1.2

3. If the agent is running on the AIX platform, download and apply version 12.1.3 of Patch 25237184 to the agent home. Here the version number 12.1.3 is the version of WebLogic shipped with OEM 13.2, not the agent version.
[oracle@host01]$ export ORACLE_HOME=/u01/software/em/agent/agent_13.2.0.0.0
[oracle@host01]$ cd /stage/patch/25237184
[oracle@host01]$ $ORACLE_HOME/OPatch/opatch apply
Oracle Interim Patch Installer version 13.9.1.3.0
Copyright (c) 2018, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/software/em/agent/agent_13.2.0.0.0
Central Inventory : /u1/app/oracle/oraInventory
   from           : /u01/software/em/agent/agent_13.2.0.0.0/oraInst.loc
OPatch version    : 13.9.1.3.0
OUI version       : 13.9.1.0.0
Log file location : /u01/software/em/agent/agent_13.2.0.0.0/cfgtoollogs/opatch/opatch2018-08-14_17-30-13PM_1.log

OPatch detects the Middleware Home as "/u01/software/em/agent"
Verifying environment and performing prerequisite checks...
OPatch continues with these patches:   25237184 
Do you want to proceed? [y|n]
y
User Responded with: Y
All checks passed.
Please shutdown Oracle instances running out of this ORACLE_HOME on the local system.
(Oracle Home = '/u01/software/em/agent/agent_13.2.0.0.0')

Is the local system ready for patching? [y|n]
y
User Responded with: Y
Backing up files...
Applying interim patch '25237184' to OH '/u01/software/em/agent/agent_13.2.0.0.0'
ApplySession: Optional component(s) [ oracle.wsm.jrf, 12.1.3.0.0 ] , [ oracle.wsm.jrf, 12.1.3.0.0 ] , [ oracle.wsm.console.core, 12.1.3.0.0 ] , [ oracle.wsm.console.core, 12.1.3.0.0 ] , [ oracle.css.wls, 12.1.3.0.0 ] , [ oracle.css.wls, 12.1.3.0.0 ] , [ oracle.opss.jrf.was, 12.1.3.0.0 ] , [ oracle.opss.jrf.was, 12.1.3.0.0 ] , [ oracle.opss.jrf, 12.1.3.0.0 ] , [ oracle.opss.jrf, 12.1.3.0.0 ] , [ oracle.wsm.agent.fmw, 12.1.3.0.0 ] , [ oracle.wsm.agent.fmw, 12.1.3.0.0 ] , [ oracle.wsm.agent.wls, 12.1.3.0.0 ] , [ oracle.wsm.agent.wls, 12.1.3.0.0 ] , [ oracle.oamclient.wls, 12.1.3.0.0 ] , [ oracle.oamclient.wls, 12.1.3.0.0 ] , [ oracle.opss.jrf.wls, 12.1.3.0.0 ] , [ oracle.opss.jrf.wls, 12.1.3.0.0 ] , [ oracle.idm.uishell, 12.1.3.0.0 ] , [ oracle.idm.uishell, 12.1.3.0.0 ] , [ oracle.wsm.pmlib, 12.1.3.0.0 ] , [ oracle.wsm.pmlib, 12.1.3.0.0 ] , [ oracle.opss.wls, 12.1.3.0.0 ] , [ oracle.opss.wls, 12.1.3.0.0 ] , [ oracle.wsm.agent.thirdparty, 12.1.3.0.0 ] , [ oracle.wsm.agent.thirdparty, 12.1.3.0.0 ]  not present in the Oracle Home or a higher version is found.
Patching component oracle.pki, 12.1.3.0.0...
Patching component oracle.pki, 12.1.3.0.0...
Patching component oracle.osdt.core, 12.1.3.0.0...
Patching component oracle.osdt.core, 12.1.3.0.0...
Patching component oracle.wsm.common, 12.1.3.0.0...
Patching component oracle.wsm.common, 12.1.3.0.0...
Patching component oracle.opss.core, 12.1.3.0.0...
Patching component oracle.opss.core, 12.1.3.0.0...
Patch 25237184 successfully applied.
Log file location: /u01/software/em/agent/agent_13.2.0.0.0/cfgtoollogs/opatch/opatch2018-08-14_17-30-13PM_1.log
OPatch succeeded.

4. Start the agent
   <AGENT_HOME>/bin/emctl start agent
[oracle@host01]$ /u01/software/em/agent/agent_13.2.0.0.0/bin/emctl start agent
Oracle Enterprise Manager Cloud Control 13c Release 2 
Copyright (c) 1996, 2016 Oracle Corporation.  All rights reserved.
Starting agent ................ started.

5. Validate which TLS versions the agent accepts by running openssl s_client against the agent port,
  * Test whether TLSv1.0 is accepted,
    openssl s_client -connect <AGENT_HOST_IP:AGENT_LISTEN_PORT> -tls1

  * Test whether TLSv1.1 is accepted,
    openssl s_client -connect <AGENT_HOST_IP:AGENT_LISTEN_PORT> -tls1_1

  * Test whether TLSv1.2 is accepted,
    openssl s_client -connect <AGENT_HOST_IP:AGENT_LISTEN_PORT> -tls1_2
If the specified TLS version is accepted, the output looks like the following,
[oracle@host01]$ openssl s_client -connect host01.dbaplus.ca:3872 -tls1
CONNECTED(00000003)
depth=1 O = EnterpriseManager on oms1.dbaplus.ca, OU = EnterpriseManager on oms1.dbaplus.ca, L = EnterpriseManager on oms1.dbaplus.ca, ST = CA, C = US, CN = oms1.dbaplus.ca
verify error:num=19:self signed certificate in certificate chain
---
   <<Contents truncated>>
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 5B7344B917B62A0CDFFEF164901B6C4CCB5406B2E3995CBFD6DE96401F1A4421
    Session-ID-ctx:
    Master-Key: E148FFD5828A4796990ABC7A01257EE8EBFDA3F81DD58217623F2A352A1A2FFB67288C778E9DC34BB5025E890266012B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534280889
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

If the specified TLS version is not accepted, the handshake fails and the output looks like,
[oracle@host01]$ openssl s_client -connect host01.corp.toronto.ca:3872 -tls1
CONNECTED(00000003)
804401144:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534283067
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
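The manual checks in step 5 can be scripted so the result is a single pass/fail verdict. The following POSIX shell script is an added example, not part of the original post; it assumes the openssl binary is on PATH and takes the agent host:port (e.g. host01.example.com:3872, a placeholder) as its argument, and it classifies each transcript by the same markers seen in the outputs above ("Cipher is (NONE)" and "ssl handshake failure" for a refused version).

```shell
#!/bin/sh
# Added example, not from the original post: automate step 5 by probing
# each TLS version against the agent port and checking that only TLSv1.2
# completes a handshake. Requires the openssl binary on PATH.
# Return 0 if an s_client transcript shows a completed handshake, 1 if not.
# The rejection markers are the ones seen in the failed-handshake output.
tls_handshake_ok() {
  case "$1" in
    *"ssl handshake failure"*|*"Cipher is (NONE)"*) return 1 ;;
    *"Cipher is "*) return 0 ;;
  esac
  return 1
}
# Given "version:ok" / "version:fail" tokens, return 0 only when TLSv1.2
# is accepted and every other version is refused.
check_policy() {
  for item in "$@"; do
    case "$item" in
      tls1_2:ok) ;;
      tls1_2:*) return 1 ;;
      *:ok) return 1 ;;
    esac
  done
  return 0
}
# Probe a live agent (host:port) and print a verdict. "no connection" means
# the TCP connect itself failed, which says nothing about the TLS policy.
probe_agent() {
  results=""
  for v in tls1 tls1_1 tls1_2; do
    out=$(echo | openssl s_client -connect "$1" -"$v" 2>&1)
    case "$out" in *CONNECTED*) ;; *) echo "$v: no connection"; continue ;; esac
    if tls_handshake_ok "$out"; then r=ok; else r=fail; fi
    echo "$v: $r"
    results="$results $v:$r"
  done
  [ -n "$results" ] || { echo "no TLS results"; return 1; }
  check_policy $results && echo "policy OK: only TLSv1.2 accepted" \
    || echo "policy VIOLATED: an older TLS version is still accepted"
}
# Constructed sample transcripts, abridged to the lines the classifier reads.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
New, (NONE), Cipher is (NONE)'
if [ -n "${1:-}" ]; then probe_agent "$1"; fi
```

A "fail" for tls1 or tls1_1 only proves the agent refused the version if the local openssl build still offers it; on recent builds where TLSv1.0/1.1 are compiled out, confirm with `openssl s_client -help` that the -tls1 and -tls1_1 options exist before trusting the verdict.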
