Support for TLS v1.2 (Oracle)
CA UIM supports Transport Layer Security (TLS) v1.2 when communicating with the CA UIM database: Oracle. This support enables the UIM Server to establish secure communication with the UIM database. To enable TLS v1.2 support for Oracle, ensure that you perform the required configurations on the Oracle computer (database server) and UIM Server (client computer).
uim902
CA UIM supports Transport Layer Security (TLS) v1.2 when communicating with the UIM database: Oracle. This support enables the UIM Server to establish secure communication with the UIM database. To enable TLS v1.2 support for Oracle, ensure that you perform the required configurations on the Oracle computer (database server) and UIM Server (client computer).
The following Oracle versions are supported:
- 11g
- 12c
The following diagram shows the high-level process:
Oracle TLS Support

- The cabi 4.10 probe supports TLS v1.2 when communicating with the UIM database: Oracle.
- The cabi 3.40, available with UMP 9.0.2 HF2, probe supports TLS v1.2 when communicating with the UIM database: Oracle. For more information about how to apply the UMP 9.0.2 HF2 for CABI TLS functionality, see UMP 9.0.2 HF2.
- The cabi 3.32 probe does not support TLS v1.2 when communicating with the UIM database: Oracle. As a result, you cannot view the Operator Console home page, OOTB CABI dashboards, and OOTB CABI reports.
- TLS v1.2 support is not enabled by default when you install CA UIM 9.0.2.
Configurations on Database Server
Perform the following tasks on the database server.
- Verify FQDN Requirement
- Verify and Apply Patches for Oracle
- Disable Previous Certificates
- Perform Wallet Configuration for Server
- Perform Wallet Configuration for Client
- Set TLS Configuration on Database Server
Verify FQDN Requirement
Verify that your full computer name is FQDN (for example, VI02-E74.ca.com). If not, add the domain name (for example, ca.com) to the computer name.
Follow these steps:
- Access the properties panel of your computer (for example, right-click the Computer icon on your desktop and selectProperties).
- ClickAdvanced system settingsin the left pane.
- Click theComputer Nametab.
- ClickChange.
- ClickMore.
- Enter your domain name in thePrimary DNS suffix of this computerfield.
- ClickOKand restart the computer.
- Verify that your full computer name is now FQDN.
The following example screenshot shows that the full computer name is FQDN:

Verify and Apply Patches for Oracle
For Oracle 11.2, which does not support TLS v1.2 by default, perform the following tasks:
- Download and install the 11.2.0.4.2 DBPSU patch from Oracle Support.
- Download and apply the p25874796_112040_MSWIN-x86-64 patch from Oracle Support.
Disable Previous Certificates
Change the registry keys to disable all the previous versions of certificates on the database server. Verify the following registry keys on the database server:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
For the Client and Server entries, enter the following Word and Value entries:
- DisabledByDefault=00000000
- Enabled=00000001
For more information, see the TLS 1.2 section on TLS/SSL Settings.
Perform Wallet Configuration for Server
Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform the wallet configuration, which includes the following tasks:
- Create a server wallet.
- Enable auto-login to true.
- Create a certificate request.
- Export the certificate request into a file and send it to certification authority.
- Get the certificate from certification authority.
- Import the user certificate into the server wallet.
When using certificates, the certificate must be issued to FQDN (Fully Qualified Domain Name) of the computer, not the host name. Also, ensure that the database server name must also be FQDN. If both (certificate name and server name) are not FQDN, you will encounter connection issues.
Using the Oracle Wallet Manager UI
To complete the above tasks, follow these steps in the Oracle Wallet Manager UI:
- Open the Oracle Wallet Manager UI.
- ClickWallet, Newas shown in the following example screenshot:
- ClickYeson the directory creation dialog (if prompted).
- Enter the wallet password, and clickOK.A message appears prompting you to specify whether you want to create a certificate request.
- ClickYes.TheCreate Certificate Requestdialog opens.
- Enter the required information to create the certificate, and clickOK. Ensure that you use the FQDN when entering information in theCommon Namefield as shown in the following screenshot:
- ClickOKon the confirmation dialog.
- ClickWallet, Savein the main menu to save the wallet.
- ClickWalletin the main menu and enable theAuto-Loginoption to enable the auto-login for the wallet.
- Right-click the created wallet and selectExport Certificate Requestfrom the context menu.
- Browse to the location where you want to export the certificate request, enter a name for the file, and save the file.
- Send the exported certificate request to the certification authority (CA).The CA shares the signed user certificate.You receive the signed user certificate, perhaps with some CA certificates or a link to the required CA website, from CA. The standard Oracle wallet must include the root CA certificate. If the intermediate CA has signed the certificate, you must find the correct root CA certificate and then the intermediate certificates to establish the complete certificate chain. Import all the required certificates in the sequence. That is, first, import the root CA certificate, then other intermediate certificates (if applicable). You perform this import operation only if the root CA certificate or other required intermediate certificates are not already available in the wallet. Use theImport Trusted Certificateoption to perform this step.
- To import the signed user certificate into the server wallet, right-click the created wallet (underWallet) and selectImport User Certificatefrom the context menu.The signed user certificate is imported into the specified location.
For more information, see Using Oracle Wallet Manager. For more information about the orapki utility, see Oracle Wallet Manager and orapki.
Using the orapki Utility
You can also use the orapki utility to perform wallet-related tasks:
- Create a new auto-login walletSyntax:orapki wallet create -wallet <Wallet Location> -pwd <Wallet Password> -auto_loginExample:orapki wallet create -wallet C:\Server_Wallet -pwd [email protected] -auto_login
- Add a certificate request to the walletSyntax:orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -dn "CN=<FQDN>" -keysize 2048Example:orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -dn "CN=VI-074.ca.com" -keysize 2048
- Export the certificate requestSyntax:orapki wallet export -wallet <Wallet Location> -pwd <Wallet Password> -dn "CN=<FQDN>" -request <Certificate Request>Example:orapki wallet export -wallet C:\Server_Wallet -pwd [email protected] -dn "CN=VI-074.ca.com" -request C:\Server_Wallet_Cert_Requests\certificate_request_filename.txt
- Send the certificate request to CASend the certificate request to the appropriate CA in your organization.
- Add the root CA certificate (if required)The CA shares the signed user certificate. You receive the signed user certificate, perhaps with some CA certificates or a link to the required CA website, from CA. The standard Oracle wallet must include the root CA certificate. If the intermediate CA has signed the certificate, you must find the correct root CA certificate and then the intermediate certificates to establish the complete certificate chain. Import all the required certificates in the sequence. That is, first, add the root CA certificate, then other intermediate certificates (if applicable). You perform this import operation only if the root CA certificate or other required intermediate certificates are not already available in the wallet. Use the following command to perform this step:Syntax:orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -trusted_cert -cert <Trusted Certificate Location>Example:orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -trusted_cert -cert C:\certificate_request_filename.crt
- Add the user certificate issued by CASyntax:orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -user_cert -cert <User Certificate Location>Example:orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -user_cert -cert C:\user_certificate_filename.crt
Perform Wallet Configuration for Client
Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform wallet configuration.
- Create a client wallet.
- Enable auto-login to true.
- Create a certificate request.
- Export the certificate request into a file and send to certificate authority.
- Get the certificate from certificate authority.
- Import the user certificate into the client wallet.
When using certificates, the certificate must be issued to FQDN (Fully Qualified Domain Name) of the computer, not the host name. Also, ensure that the database server name must also be FQDN. That is, the certificate and the server name must be FQDN. Otherwise, you will encounter connection issues.
Follow the same steps that you followed for the server wallet.
After you import the required certificates into server and client wallets, add the server certificate file as a trusted certificate to the client wallet and the client certificate file to the server wallet. As mentioned previously, you can also use the orapki utility commands to perform all the wallet-related tasks. For example, the command to perform this operation is as follows:
To add the server certificate as a trusted certificate to the client wallet:
- Syntax:orapki wallet add -wallet <Client Wallet location> -pwd <Client Wallet Password> -trusted_cert -cert <server_certificate_file_location>Example:C:\orapki wallet add -wallet "C:\Client_Wallet" -pwd [email protected] -trusted_cert -cert C:\Wallet_Store\server-certificate.crt
To add the client certificate as a trusted certificate to the server wallet:
- Syntax:orapki wallet add -wallet <Server Wallet location> -pwd <Server Wallet Password> -trusted_cert -cert <client_certificate_file_location>Example:orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -trusted_cert -cert C:\Wallet_Store2\client-certificate.crt>
Set TLS Configuration on Database Server
Use Oracle Net Manager to set the TLS configuration details. This configuration includes the following tasks:
- Enter the location of the server wallet.
- Specify that the configuration is for the server.
- Set the TLS version for the server.
- Add listener for TLS.
To complete the above tasks, follow these steps in the Oracle Net Manager UI:
- Open Oracle Net Manager.
- ExpandOracle Net Configuration.
- ExpandLocaland clickProfile.
- SelectNetwork Securityfrom the drop-down list.
- ClickSSL.
- For wallet directory location, browse to the location where you have saved the server certificates.
- SelectServerfor theConfigure SSL foroption.
- SelectAnyfrom theRequire SSL Versiondrop-down list as shown in the following example screenshot:
- ExpandListenersand clickLISTENER.
- Select the location of the listener from the drop-down list.
- Add address with the following information:
- Protocol:TCP/IP with SSL
- Host:Server host name
- Port:2484 (default)
- ClickFile, Save Network Configurationto save all the changes.
- Restart the listener (lnsrctl stop and lnsrctl start).
The sqlnet.ora file is updated with the following entries:
wallet_location =
(SOURCE=
(METHOD=File)
(METHOD_DATA=
(DIRECTORY=server_wallet_location)))
This file is available at .
<Oracle_Home>
\network\adminAlso, you can enable or disable client authentication, as required. The following entry is available in sqlnet.ora to do so:
SSL_CLIENT_AUTHENTICATION = TRUE
For more information, see Configuring Secure Sockets Layer Authentication.
Configurations on UIM Server
You must perform the following steps on the computer where you want to install the UIM Server:
- Verify that Oracle Instant Client (version 12.1.0.2.0) is available on the UIM Server.
- Copy the client wallet folder from the database server to the computer where you plan to install the UIM Server.
- Note that you need to provide the required client wallet location, wallet password, wallet type, and whether client authentication is needed when you install the UIM Server. The UIM Server installer copies the required wallet files from the provided location and places them in the<Nimsoft>\securityfolder. For more information about the UIM Server installation, see Install UIM Server and Installation Parameters. The following screenshot shows the TLS v1.2 options (Enable TLS,Wallet Location,Wallet Type,Wallet Password, andAuthenticate Client) during the UIM Server installation:Ensure that the ppm probe version is 3.48 and robot version is 7.96 to display TLS v1.2 configuration options in Admin Console. Otherwise, TLS v1.2 options are not displayed in Admin Console.The TLS v1.2-related options are as follows:
- Enable TLS:Select the option to enable TLS v1.2 in CA UIM, which lets the UIM Server to establish a secure communication with the UIM database (Oracle in this case).
- Wallet Location:Specify the location of the wallet where your security certificates are available. This location includes your trusted security certificates. The same security certificate must be available on the database server.
- Wallet Type:Select the wallet type from the drop-down list. The selected wallet type takes the precedence. Note that both SSO and PKCS12 are copied to the UIM Server (<Nimsoft>\security) irrespective of the wallet type you select.
- Wallet Password:Specify the password to access the wallet information.
- Authenticate Client:Select the option to specify whether you want to enable client authentication.
- After you complete the UIM Server installation, ensure that the following entries are present in the sqlnet.ora file that is available in the <Nimsoft>\securityfolder:SSL_CLIENT_AUTHENTICATION = TRUEwallet_location =(SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=client_wallet_location)))
Additional Information
Review the following additional information:
- In upgrade scenarios and in situations where you want to enable TLS v1.2 support after the UIM Server installation, perform the following tasks on the UIM Server:
- Verify the availability of Oracle Instant Client.
- Copy the client wallet.
- Use the data_engine Admin Console or Infrastructure Manager to configure the TLS v1.2-related parameters. Provide the required TLS v1.2 information; for example, client wallet location, wallet password, wallet type, and whether client authentication is needed. data_engine copies the required wallet files from the provided location and places them in the<Nimsoft>\securityfolder.After you provide the information, restart the data_engine probe. The data_engine probe is successfully configured to support TLS v1.2. You can now deploy other probes and use the secure communication when interacting with the UIM database. Also, review the impacted probes and packages list. These items have been updated to support TLS v1.2. Ensure that you use the latest version of these items if you want them to work in the TLS v1.2 environment. The following screenshot shows the TLS v1.2 options (Enable TLS,Wallet Type,Wallet Location,Wallet Password, andNeed Client Authentication) in Admin Console:
- Ensure that the sqlnet.ora file is created and placed it in the <Nimsoft>\securityfolder. Verify that the following entries are present in the file:SSL_CLIENT_AUTHENTICATION = TRUEwallet_location =(SOURCE=(METHOD=File)(METHOD_DATA=(DIRECTORY=client_wallet_location)))
- Open the raw configuration for the controller probe, navigate to the environment section, enter the value as<Nimsoft>\securityfor theTNS_ADMINvariable, save the changes, and restart the robot.
- Additionally, for upgrade scenarios, the CA UIM system can be either TLS v1.2 enabled or disabled for all components; it cannot be a partial TLS v1.2-enabled system. That is, all the infrastructure components across layers (for example, primary hub, secondary hub, probes) should be upgraded to the TLS v1.2-supported version.
- When you want to update a certificate (for example, older certificate has expired), specify the wallet location that includes the new certificate in the data_engine UI. The data_engine UI uses that information to place the new wallet files on the primary hub in a specific location (<
folder). Restart the data_engine probe. Also, restart the affected probes on other robots.Nimsoft>\security - You can enable or disable the TLS v1.2 mode by configuring the data_engine UI. Also, restart of data_engine is needed whenever TLS v1.2 mode is changed.
- If you upgrade from a previous version of CA UIM to this version, the state of the system remains in non-TLS v1.2 mode. To enable TLS v1.2 mode, perform all the required manual steps that are mentioned above and use the data_engine UI to enable TLS v1.2.
- If you encounter any database-connectivity issue in a TLS v1.2-enabled environment, the most probable reason for this issue might be that your certificate is not using FQDN.
- Before you deploy CABI External version 3.4 on a secondary robot, copy the wallet file (SSO or PKCS12) from the UIM Server (<Nimsoft>\security)) to the CABI External secondary robot (<Nimsoft>\security).
Probes and Packages Updated for TLS v1.2
TLS v1.2-related updates have been made to the following items so that they can work in a TLS v1.2 environment:
- ace 9.03
- alarm_routing_service 10.20
- apmgtw 3.20
- audit 9.03
- axagateway 1.32
- cisco_ucm 2.00
- cm_data_import 9.02
- data_engine 9.02
- discovery_agent 9.02
- discovery_server 9.02
- ems 10.20
- fault_correlation_engine 9.03
- hub 7.96
- maintenance_mode 9.02
- mon_config_service 9.02
- mpse 9.03
- nas 9.03
- nis_server 9.03
- qos_processor 9.02
- relationship_services 9.03
- robot 7.96
- sla_engine 9.02
- telemetry 1.20
- topology_agent 9.03
- topology_fault_correlation 9.03
- trellis 9.02
- udm_manager 9.02
- ump_relationshipviewer 9.02
- usage_metering 9.11
- wasp 9.02
- webservices_rest 9.02
Troubleshooting
The following topic provides information about how you can troubleshoot a TLS v1.2-related issue:
Unable to Change "Need Client Authentication" in the data_engine UI
Symptom:
This issue occurs when TLS v1.2 is enabled for Oracle (UIM database) and you try to change the Need Client Authentication
option. In the data_engine AC or IM interface, when you try to change the Need Client Authentication
option, the appropriate value for this option is not set in the sqlnet.ora file. The sqlnet.ora file is available in the <
Nimsoft>\security
folder on the UIM Server computer. Solution
As a workaround, you must manually update the value of the SSL_CLIENT_AUTHENTICATION
parameter. To do so, follow these steps:- On the UIM Server computer, navigate to the<Nimsoft>\securityfolder.
- Locate and open the sqlnet.ora file.
- Update theSSL_CLIENT_AUTHENTICATIONparameter in the sqlnet.ora file based on whether theNeed Client Authenticationoption is selected or not (in the data_engine IM interface).For example, if the option is selected in the IM interface, the parameter must be set as follows:SSL_CLIENT_AUTHENTICATION = TRUEIf the option is not selected, the parameter must be set as follows:SSL_CLIENT_AUTHENTICATION = FALSE
- Restart the data_engine probe.
Facing Issues with the UIM Database (Oracle)
Symptom:
I am facing issues with the Oracle database in my TLS v1.2 environment.Solution:
To identify the problem, install SQL*Plus Instant Client and use the following command:Sqlplus [email protected] "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=DatabaseHost) (PORT=DatabasePort))(CONNECT_DATA=(SERVICE_NAME=Servicename)))"