Support for TLS v1.2 (Oracle)

CA UIM supports Transport Layer Security (TLS) v1.2 when communicating with the CA UIM database: Oracle. This support enables the UIM Server to establish secure communication with the UIM database. To enable TLS v1.2 support for Oracle, ensure that you perform the required configurations on the Oracle computer (database server) and UIM Server (client computer).
uim902
CA UIM supports Transport Layer Security (TLS) v1.2 when communicating with the UIM database: Oracle. This support enables the UIM Server to establish secure communication with the UIM database. To enable TLS v1.2 support for Oracle, ensure that you perform the required configurations on the Oracle computer (database server) and UIM Server (client computer).
The following Oracle versions are supported:
  • 12c
  • 19c
The following diagram shows the high-level process:
Oracle TLS Support
Oracle TLS Support
  • The cabi 4.10 probe supports TLS v1.2 when communicating with the UIM database: Oracle.
  • The cabi 3.40, available with UMP 9.0.2 HF2, probe supports TLS v1.2 when communicating with the UIM database: Oracle. For more information about how to apply the UMP 9.0.2 HF2 for CABI TLS functionality, see UMP 9.0.2 HF2.
  • The cabi 3.32 probe does not support TLS v1.2 when communicating with the UIM database: Oracle. As a result, you cannot view the Operator Console home page, OOTB CABI dashboards, and OOTB CABI reports.
  • TLS v1.2 support is not enabled by default when you install CA UIM 9.0.2.
Configurations on Database Server
Perform the following tasks on the database server.
  1. Verify FQDN Requirement
  2. Verify and Apply Patches for Oracle
  3. Disable Previous Certificates
  4. Perform Wallet Configuration for Server
  5. Perform Wallet Configuration for Client
  6. Set TLS Configuration on Database Server
Verify FQDN Requirement
Verify that your full computer name is FQDN (for example, VI02-E74.ca.com). If not, add the domain name (for example, ca.com) to the computer name.
Follow these steps:
  1. Access the properties panel of your computer (for example, right-click the Computer icon on your desktop and select
    Properties
    ).
  2. Click
    Advanced system settings
    in the left pane.
  3. Click the
    Computer Name
    tab.
  4. Click
    Change
    .
  5. Click
    More
    .
  6. Enter your domain name in the
    Primary DNS suffix of this computer
    field.
  7. Click
    OK
    and restart the computer.
  8. Verify that your full computer name is now FQDN.
The following example screenshot shows that the full computer name is FQDN:
FQDN.jpg
Disable Previous Certificates
Change the registry keys to disable all the previous versions of certificates on the database server. Verify the following registry keys on the database server:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
For the Client and Server entries, enter the following Word and Value entries:
  • DisabledByDefault=00000000
  • Enabled=00000001
For more information, see the TLS 1.2 section on TLS/SSL Settings.
Perform Wallet Configuration for Server
Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform the wallet configuration, which includes the following tasks:
  1. Create a server wallet.
  2. Set auto-login to true.
  3. Create a certificate request.
  4. Export the certificate request into a file and send it to certification authority.
  5. Get the certificate from certification authority.
  6. Import the user certificate into the server wallet.
When using certificates, the certificate must be issued to FQDN (Fully Qualified Domain Name) of the computer, not the host name. Also, ensure that the database server name must also be FQDN. If both (certificate name and server name) are not FQDN, you will encounter connection issues.
Using the Oracle Wallet Manager UI
To complete the above tasks, follow these steps in the Oracle Wallet Manager UI:
  1. Open the Oracle Wallet Manager UI.
  2. Click
    Wallet, New
    as shown in the following example screenshot:
    Wallet_New.jpg
  3. Click
    Yes
    on the directory creation dialog (if prompted).
  4. Enter the wallet password, and click
    OK
    .
    A message appears prompting you to specify whether you want to create a certificate request.
  5. Click
    Yes
    .
    The
    Create Certificate Request
    dialog opens.
  6. Enter the required information to create the certificate, and click
    OK
    . Ensure that you use the FQDN when entering information in the
    Common Name
    field as shown in the following screenshot:
    Certificate request.jpg
  7. Click
    OK
    on the confirmation dialog.
  8. Click
    Wallet, Save
    in the main menu to save the wallet.
  9. Click
    Wallet
    in the main menu and enable the
    Auto-Login
    option to enable the auto-login for the wallet.
    Wallet Autologin.jpg
  10. Right-click the created wallet and select
    Export Certificate Request
    from the context menu.
  11. Browse to the location where you want to export the certificate request, enter a name for the file, and save the file.
  12. Send the exported certificate request to the certification authority (CA).
    The CA shares the signed user certificate.
    You receive the signed user certificate, perhaps with some CA certificates or a link to the required CA website, from the CA. The standard Oracle wallet must include the root CA certificate. If the intermediate CA has signed the certificate, you must find the correct root CA certificate and then the intermediate certificates to establish the complete certificate chain. Import all the required certificates in the sequence. That is, first, import the root CA certificate, then other intermediate certificates (if applicable). You perform this import operation only if the root CA certificate or other required intermediate certificates are not already available in the wallet. Use the
    Import Trusted Certificate
    option to perform this step.
  13. To import the signed user certificate into the server wallet, right-click the created wallet (under
    Wallet
    ) and select
    Import User Certificate
    from the context menu.
    The signed user certificate is imported into the specified location.
For more information, see Using Oracle Wallet Manager. For more information about the orapki utility, see Oracle Wallet Manager and orapki.
Using the orapki Utility
You can also use the orapki utility to perform wallet-related tasks:
  1. Create a new auto-login wallet
    Syntax:
    orapki wallet create -wallet <Wallet Location> -pwd  <Wallet Password> -auto_login
    Example:
    orapki wallet create -wallet C:\Server_Wallet -pwd  [email protected] -auto_login
  2. Add a certificate request to the wallet
    Syntax:
    orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -dn "CN=<FQDN>" -keysize 2048
    Example:
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -dn "CN=VI-074.ca.com" -keysize 2048
  3. Export the certificate request
    Syntax:
    orapki wallet export -wallet <Wallet Location> -pwd <Wallet Password> -dn "CN=<FQDN>" -request <Certificate Request>
    Example:
    orapki wallet export -wallet C:\Server_Wallet -pwd [email protected] -dn "CN=VI-074.ca.com" -request C:\Server_Wallet_Cert_Requests\certificate_request_filename.txt
  4. Send the certificate request to the CA
    Send the certificate request to the appropriate CA in your organization.
  5. Add the root CA certificate (if required)
    The CA shares the signed user certificate. You receive the signed user certificate, perhaps with some CA certificates or a link to the required CA website, from the CA. The standard Oracle wallet must include the root CA certificate. If the intermediate CA has signed the certificate, you must find the correct root CA certificate and then the intermediate certificates to establish the complete certificate chain. Import all the required certificates in the sequence. That is, first, add the root CA certificate, then other intermediate certificates (if applicable). You perform this import operation only if the root CA certificate or other required intermediate certificates are not already available in the wallet. Use the following command to perform this step:
    Syntax:
    orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -trusted_cert -cert <Trusted Certificate Location>
    Example:
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -trusted_cert -cert C:\certificate_request_filename.crt
  6. Add the user certificate issued by the CA
    Syntax:
    orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -user_cert -cert <User Certificate Location>
    Example:
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -user_cert -cert C:\user_certificate_filename.crt
Perform Wallet Configuration for Client
Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform wallet configuration.
  1. Create a client wallet.
  2. Set auto-login to true.
  3. Create a certificate request.
  4. Export the certificate request into a file and send to certificate authority.
  5. Get the certificate from certificate authority.
  6. Import the user certificate into the client wallet.
When using certificates, the certificate must be issued to FQDN (Fully Qualified Domain Name) of the computer, not the host name. Also, ensure that the database server name must also be FQDN. That is, the certificate and the server name must be FQDN. Otherwise, you will encounter connection issues.
Follow the same steps that you followed for the server wallet.
After you import the required certificates into server and client wallets, add the server certificate file as a trusted certificate to the client wallet and the client certificate file to the server wallet. As mentioned previously, you can also use the orapki utility commands to perform all the wallet-related tasks. For example, the command to perform this operation is as follows:
To add the server certificate as a trusted certificate to the client wallet:
  • Syntax:
    orapki wallet add -wallet <Client Wallet location> -pwd <Client Wallet Password> -trusted_cert -cert <server_certificate_file_location>
    Example:
    C:\orapki wallet add -wallet "C:\Client_Wallet" -pwd [email protected] -trusted_cert -cert C:\Wallet_Store\server-certificate.crt
To add the client certificate as a trusted certificate to the server wallet:
  • Syntax:
    orapki wallet add -wallet <Server Wallet location> -pwd <Server Wallet Password> -trusted_cert -cert <client_certificate_file_location>
    Example:
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -trusted_cert -cert C:\Wallet_Store2\client-certificate.crt>
Set TLS Configuration on Database Server
Use Oracle Net Manager to set the TLS configuration details. This configuration includes the following tasks:
  • Enter the location of the server wallet.
  • Specify that the configuration is for the server.
  • Set the TLS version for the server.
  • Add listener for TLS.
To complete the above tasks, follow these steps in the Oracle Net Manager UI:
  1. Open Oracle Net Manager.
  2. Expand
    Oracle Net Configuration
    .
  3. Expand
    Local
    and click
    Profile
    .
  4. Select
    Network Security
    from the drop-down list.
  5. Click
    SSL
    .
  6. For wallet directory location, browse to the location where you have saved the server certificates.
  7. Select
    Server
    for the
    Configure SSL for
    option.
  8. Select
    Any
    from the
    Require SSL Version
    drop-down list as shown in the following example screenshot:
    SSL.jpg
  9. Expand
    Listeners
    and click
    LISTENER
    .
  10. Select the location of the listener from the drop-down list.
  11. Add address with the following information:
    • Protocol:
      TCP/IP with SSL
    • Host:
      Server host name
    • Port:
      2484 (default)
    The following example screenshot shows the settings:
    Listener.jpg
  12. Click
    File, Save Network Configuration
    to save all the changes.
  13. Restart the listener (lnsrctl stop and lnsrctl start).
The sqlnet.ora file is updated with the following entries:
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=server_wallet_location)))
This file is available at
<Oracle_Home>
\network\admin
.
Also, you can enable or disable client authentication, as required. The following entry is available in sqlnet.ora to do so:
SSL_CLIENT_AUTHENTICATION = TRUE
Configurations on UIM Server
You must perform the following steps on the computer where you want to install the UIM Server:
  1. Verify that Oracle Instant Client (version 12.1.0.2.0) is available on the UIM Server.
  2. Copy the client wallet folder from the database server to the computer where you plan to install the UIM Server.
  3. Note that you need to provide the required client wallet location, wallet password, wallet type, and whether client authentication is needed when you install the UIM Server. The UIM Server installer copies the required wallet files from the provided location and places them in the
    <Nimsoft>\security
    folder. For more information about the UIM Server installation, see Install UIM Server and Installation Parameters. The following screenshot shows the TLS v1.2 options (
    Enable TLS
    ,
    Wallet Location
    ,
    Wallet Type
    ,
    Wallet Password
    , and
    Authenticate Client
    ) during the UIM Server installation:
    oracle_UIM_Server.jpg
    Ensure that the ppm probe version is 3.48 or later and robot version is 7.96 or later to display TLS v1.2 configuration options in Admin Console. Otherwise, TLS v1.2 options are not displayed in Admin Console.
    The TLS v1.2-related options are as follows:
    • Enable TLS:
      Select the option to enable TLS v1.2 in CA UIM, which lets the UIM Server to establish a secure communication with the UIM database (Oracle in this case).
    • Wallet Location:
      Specify the location of the wallet where your security certificates are available. This location includes your trusted security certificates. The same security certificate must be available on the database server.
    • Wallet Type:
      Select the wallet type from the drop-down list. The selected wallet type takes the precedence. Note that both SSO and PKCS12 are copied to the UIM Server (
      <Nimsoft>\security
      ) irrespective of the wallet type you select.
    • Wallet Password:
      Specify the password to access the wallet information.
    • Authenticate Client:
      Select the option to specify whether you want to enable client authentication.
  4. After you complete the UIM Server installation, ensure that the following entries are present in the sqlnet.ora file that is available in the <
    Nimsoft>\security
    folder:
    SSL_CLIENT_AUTHENTICATION = TRUE
    wallet_location =
    (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
    (DIRECTORY=client_wallet_location)))
Additional Information
Review the following additional information:
  • In upgrade scenarios and in situations where you want to enable TLS v1.2 support after the UIM Server installation, perform the following tasks on the UIM Server:
    1. Verify the availability of Oracle Instant Client.
    2. Copy the client wallet.
    3. Use the data_engine Admin Console or Infrastructure Manager to configure the TLS v1.2-related parameters. Provide the required TLS v1.2 information; for example, client wallet location, wallet password, wallet type, and whether client authentication is needed. data_engine copies the required wallet files from the provided location and places them in the
      <Nimsoft>\security
      folder.
      After you provide the information, restart the data_engine probe. The data_engine probe is successfully configured to support TLS v1.2. You can now deploy other probes and use the secure communication when interacting with the UIM database. Also, review the impacted probes and packages list. These items have been updated to support TLS v1.2. Ensure that you use the latest version of these items if you want them to work in the TLS v1.2 environment. The following screenshot shows the TLS v1.2 options (
      Enable TLS
      ,
      Wallet Type
      ,
      Wallet Location
      ,
      Wallet Password
      , and
      Need Client Authentication
      ) in Admin Console:
      Oracle_Admin Console.jpg
    4. Ensure that the sqlnet.ora file is created and placed it in the <
      Nimsoft>\security
      folder. Verify that the following entries are present in the file:
      SSL_CLIENT_AUTHENTICATION = TRUE
      wallet_location =
      (SOURCE=
      (METHOD=File)
      (METHOD_DATA=
      (DIRECTORY=client_wallet_location)))
    5. Open the raw configuration for the controller probe, navigate to the environment section, enter the value as
      <Nimsoft>\security
      for the
      TNS_ADMIN
      variable, save the changes, and restart the robot.
  • Additionally, for upgrade scenarios, the CA UIM system can be either TLS v1.2 enabled or disabled for all components; it cannot be a partial TLS v1.2-enabled system. That is, all the infrastructure components across layers (for example, primary hub, secondary hub, probes) should be upgraded to the TLS v1.2-supported version.
  • When you want to update a certificate (for example, older certificate has expired), specify the wallet location that includes the new certificate in the data_engine UI. The data_engine UI uses that information to place the new wallet files on the primary hub in a specific location (<
    Nimsoft>\security
    folder). Restart the data_engine probe. Also, restart the affected probes on other robots.
  • You can enable or disable the TLS v1.2 mode by configuring the data_engine UI. Also, restart of data_engine is needed whenever TLS v1.2 mode is changed.
  • If you upgrade from a previous version of CA UIM to this version, the state of the system remains in non-TLS v1.2 mode. To enable TLS v1.2 mode, perform all the required manual steps that are mentioned above and use the data_engine UI to enable TLS v1.2.
  • If you encounter any database-connectivity issue in a TLS v1.2-enabled environment, the most probable reason for this issue might be that your certificate is not using FQDN.
  • Before you deploy CABI External version 3.4 on a secondary robot, copy the wallet file (SSO or PKCS12) from the UIM Server (<Nimsoft>\security)) to the CABI External secondary robot (<Nimsoft>\security).
Probes and Packages Updated for TLS v1.2
TLS v1.2-related updates have been made to the following items so that they can work in a TLS v1.2 environment. These are the minimum versions with TLS v1.2 related updates:
  • ace 9.03
    The ace probe has been deprecated in UIM 20.3.3.
  • alarm_routing_service 10.20
  • apmgtw 3.20
  • audit 9.03
  • axagateway 1.32
  • cisco_ucm 2.00
  • cm_data_import 9.02
  • data_engine 9.02
  • discovery_agent 9.02
  • discovery_server 9.02
  • ems 10.20
  • hub 7.96
  • maintenance_mode 9.02
  • mon_config_service 9.02
  • mpse 9.03
  • nas 9.03
  • nis_server 9.03
  • qos_processor 9.02
  • robot 7.96
  • sla_engine 9.02
  • telemetry 1.20
  • trellis 9.02
  • udm_manager 9.02
  • usage_metering 9.11
  • wasp 9.02
  • webservices_rest 9.02
Troubleshooting
The following topic provides information about how you can troubleshoot TLS v1.2 related issue:
Unable to Change "Need Client Authentication" in the data_engine UI
Symptom:
This issue occurs when TLS v1.2 is enabled for Oracle (UIM database) and you try to change the
Need Client Authentication
option. In the data_engine AC or IM interface, when you try to change the
Need Client Authentication
option, the appropriate value for this option is not set in the sqlnet.ora file. The sqlnet.ora file is available in the
<
Nimsoft>\security
folder on the UIM Server computer.
Solution:
As a workaround, you must manually update the value of the
SSL_CLIENT_AUTHENTICATION
parameter. To do so, follow these steps:
  1. On the UIM Server computer, navigate to the
    <
    Nimsoft>\security
    folder.
  2. Locate and open the sqlnet.ora file.
  3. Update the
    SSL_CLIENT_AUTHENTICATION
    parameter in the sqlnet.ora file based on whether the
    Need Client Authentication
    option is selected or not (in the data_engine IM interface).
    For example, if the option is selected in the IM interface, the parameter must be set as follows:
    SSL_CLIENT_AUTHENTICATION = TRUE
    If the option is not selected, the parameter must be set as follows:
    SSL_CLIENT_AUTHENTICATION = FALSE
  4. Restart the data_engine probe.
Facing Issues with the UIM Database (Oracle)
Symptom:
I am facing issues with the Oracle database in my TLS v1.2 environment.
Solution:
To identify the problem, install SQL*Plus Instant Client and use the following command:
Sqlplus [email protected] "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=DatabaseHost) (PORT=DatabasePort))(CONNECT_DATA=(SERVICE_NAME=Servicename)))"