Support for TLS v1.2 (Oracle)

CA UIM supports Transport Layer Security (TLS) v1.2 when communicating with the CA UIM database: Oracle. This support enables the UIM Server to establish secure communication with the UIM database. To enable TLS v1.2 support for Oracle, ensure that you perform the required configurations on the Oracle computer (database server) and UIM Server (client computer).
uim902
CA UIM supports Transport Layer Security (TLS) v1.2 when communicating with the UIM database: Oracle. This support enables the UIM Server to establish secure communication with the UIM database. To enable TLS v1.2 support for Oracle, ensure that you perform the required configurations on the Oracle computer (database server) and UIM Server (client computer).
The following Oracle versions are supported:
  • 11g
  • 12c
The following diagram shows the high-level process:
Oracle TLS Support
Oracle TLS Support
  • The cabi 4.10 probe supports TLS v1.2 when communicating with the UIM database: Oracle.
  • The cabi 3.40, available with UMP 9.0.2 HF2, probe supports TLS v1.2 when communicating with the UIM database: Oracle. For more information about how to apply the UMP 9.0.2 HF2 for CABI TLS functionality, see UMP 9.0.2 HF2.
  • The cabi 3.32 probe does not support TLS v1.2 when communicating with the UIM database: Oracle. As a result, you cannot view the Operator Console home page, OOTB CABI dashboards, and OOTB CABI reports.
  • TLS v1.2 support is not enabled by default when you install CA UIM 9.0.2.
Configurations on Database Server
Perform the following tasks on the database server.
  1. Verify FQDN Requirement
  2. Verify and Apply Patches for Oracle
  3. Disable Previous Certificates
  4. Perform Wallet Configuration for Server
  5. Perform Wallet Configuration for Client
  6. Set TLS Configuration on Database Server
Verify FQDN Requirement
Verify that your full computer name is FQDN (for example, VI02-E74.ca.com). If not, add the domain name (for example, ca.com) to the computer name.
 
Follow these steps:
 
  1. Access the properties panel of your computer (for example, right-click the Computer icon on your desktop and select 
    Properties
    ).
  2. Click 
    Advanced system settings
     in the left pane.
  3. Click the 
    Computer Name
     tab.
  4. Click 
    Change
    .
  5. Click 
    More
    .
  6. Enter your domain name in the 
    Primary DNS suffix of this computer
     field.
  7. Click 
    OK
     and restart the computer.
  8. Verify that your full computer name is now FQDN.
The following example screenshot shows that the full computer name is FQDN:
  FQDN.jpg  
Verify and Apply Patches for Oracle
For Oracle 11.2, which does not support TLS v1.2 by default, perform the following tasks:
  1. Download and install the 11.2.0.4.2 DBPSU patch from Oracle Support.
  2. Download and apply the p25874796_112040_MSWIN-x86-64 patch from Oracle Support. 
Disable Previous Certificates
Change the registry keys to disable all the previous versions of certificates on the database server. Verify the following registry keys on the database server:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
For the Client and Server entries, enter the following Word and Value entries:
  • DisabledByDefault=00000000
  • Enabled=00000001
For more information, see the TLS 1.2 section on TLS/SSL Settings.
Perform Wallet Configuration for Server
Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform the wallet configuration, which includes the following tasks:
  1. Create a server wallet.
  2. Enable auto-login to true.
  3. Create a certificate request.
  4. Export the certificate request into a file and send it to certification authority.
  5. Get the certificate from certification authority.
  6. Import the user certificate into the server wallet.
 When using certificates, the certificate must be issued to FQDN (Fully Qualified Domain Name) of the computer, not the host name. Also, ensure that the database server name must also be FQDN. If both (certificate name and server name) are not FQDN, you will encounter connection issues.
 
Using the Oracle Wallet Manager UI
 
To complete the above tasks, follow these steps in the Oracle Wallet Manager UI:
  1. Open the Oracle Wallet Manager UI.
  2. Click 
    Wallet, New
     as shown in the following example screenshot:
    Wallet_New.jpg  
  3. Click 
    Yes
     on the directory creation dialog (if prompted).
  4. Enter the wallet password, and click 
    OK
    .
    A message appears prompting you to specify whether you want to create a certificate request.
  5. Click 
    Yes
    .
    The 
    Create Certificate Request
     dialog opens.
  6. Enter the required information to create the certificate, and click 
    OK
    . Ensure that you use the FQDN when entering information in the 
    Common Name
     field as shown in the following screenshot:
    Certificate request.jpg  
  7. Click 
    OK
     on the confirmation dialog.
  8. Click 
    Wallet, Save
     in the main menu to save the wallet.
  9. Click 
    Wallet
     in the main menu and enable the 
    Auto-Login
     option to enable the auto-login for the wallet.
    Wallet Autologin.jpg  
  10. Right-click the created wallet and select 
    Export Certificate Request
     from the context menu. 
  11. Browse to the location where you want to export the certificate request, enter a name for the file, and save the file.
  12. Send the exported certificate request to the certification authority (CA).
    The CA shares the signed user certificate.
    You receive the signed user certificate, perhaps with some CA certificates or a link to the required CA website, from CA. The standard Oracle wallet must include the root CA certificate. If the intermediate CA has signed the certificate, you must find the correct root CA certificate and then the intermediate certificates to establish the complete certificate chain. Import all the required certificates in the sequence. That is, first, import the root CA certificate, then other intermediate certificates (if applicable). You perform this import operation only if the root CA certificate or other required intermediate certificates are not already available in the wallet. Use the 
    Import Trusted Certificate
     option to perform this step.
  13. To import the signed user certificate into the server wallet, right-click the created wallet (under 
    Wallet
    ) and select 
    Import User Certificate
     from the context menu.
    The signed user certificate is imported into the specified location.
For more information, see Using Oracle Wallet Manager. For more information about the orapki utility, see Oracle Wallet Manager and orapki.
 
Using the orapki Utility
 
You can also use the orapki utility to perform wallet-related tasks:
  1.  
    Create a new auto-login wallet
    Syntax:
     
    orapki wallet create -wallet <Wallet Location> -pwd  <Wallet Password> -auto_login 
    Example:
     
    orapki wallet create -wallet C:\Server_Wallet -pwd  [email protected] -auto_login
     
  2.  
    Add a certificate request to the wallet
    Syntax: 
     
    orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -dn "CN=<FQDN>" -keysize 2048
    Example: 
     
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -dn "CN=VI-074.ca.com" -keysize 2048
     
  3.  
    Export the certificate request
    Syntax: 
     
    orapki wallet export -wallet <Wallet Location> -pwd <Wallet Password> -dn "CN=<FQDN>" -request <Certificate Request>
    Example: 
     
    orapki wallet export -wallet C:\Server_Wallet -pwd [email protected] -dn "CN=VI-074.ca.com" -request C:\Server_Wallet_Cert_Requests\certificate_request_filename.txt
     
  4.  
    Send the certificate request to CA
    Send the certificate request to the appropriate CA in your organization.
  5.  
    Add the root CA certificate (if required)
    The CA shares the signed user certificate. You receive the signed user certificate, perhaps with some CA certificates or a link to the required CA website, from CA. The standard Oracle wallet must include the root CA certificate. If the intermediate CA has signed the certificate, you must find the correct root CA certificate and then the intermediate certificates to establish the complete certificate chain. Import all the required certificates in the sequence. That is, first, add the root CA certificate, then other intermediate certificates (if applicable). You perform this import operation only if the root CA certificate or other required intermediate certificates are not already available in the wallet. Use the following command to perform this step:
    Syntax: 
     
    orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -trusted_cert -cert <Trusted Certificate Location>
    Example: 
     
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -trusted_cert -cert C:\certificate_request_filename.crt
     
  6.  
    Add the user certificate issued by CA
    Syntax:
     
    orapki wallet add -wallet <Wallet Location> -pwd <Wallet Password> -user_cert -cert <User Certificate Location>
    Example:
     
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -user_cert -cert C:\user_certificate_filename.crt
     
Perform Wallet Configuration for Client
Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform wallet configuration.
  1. Create a client wallet.
  2. Enable auto-login to true.
  3. Create a certificate request.
  4. Export the certificate request into a file and send to certificate authority.
  5. Get the certificate from certificate authority.
  6. Import the user certificate into the client wallet.
 When using certificates, the certificate must be issued to FQDN (Fully Qualified Domain Name) of the computer, not the host name. Also, ensure that the database server name must also be FQDN. That is, the certificate and the server name must be FQDN. Otherwise, you will encounter connection issues.
Follow the same steps that you followed for the server wallet.
After you import the required certificates into server and client wallets, add the server certificate file as a trusted certificate to the client wallet and the client certificate file to the server wallet. As mentioned previously, you can also use the orapki utility commands to perform all the wallet-related tasks. For example, the command to perform this operation is as follows:
To add the server certificate as a trusted certificate to the client wallet:
  •  
    Syntax:
     
    orapki wallet add -wallet <Client Wallet location> -pwd <Client Wallet Password> -trusted_cert -cert <server_certificate_file_location>
    Example: 
     
    C:\orapki wallet add -wallet "C:\Client_Wallet" -pwd [email protected] -trusted_cert -cert C:\Wallet_Store\server-certificate.crt
     
To add the client certificate as a trusted certificate to the server wallet:
  •  
    Syntax:
     
     orapki wallet add -wallet <Server Wallet location> -pwd <Server Wallet Password> -trusted_cert -cert <client_certificate_file_location>
     
    Example: 
    orapki wallet add -wallet C:\Server_Wallet -pwd [email protected] -trusted_cert -cert C:\Wallet_Store2\client-certificate.crt>
     
Set TLS Configuration on Database Server
Use Oracle Net Manager to set the TLS configuration details. This configuration includes the following tasks:
  • Enter the location of the server wallet.
  • Specify that the configuration is for the server.
  • Set the TLS version for the server.
  • Add listener for TLS.
To complete the above tasks, follow these steps in the Oracle Net Manager UI:
  1. Open Oracle Net Manager.
  2. Expand 
    Oracle Net Configuration
    .
  3. Expand 
    Local
     and click 
    Profile
    .
  4. Select 
    Network Security
     from the drop-down list.
  5. Click 
    SSL
    .
  6. For wallet directory location, browse to the location where you have saved the server certificates.
  7. Select 
    Server
     for the 
    Configure SSL for
     option.
  8. Select 
    Any
     from the 
    Require SSL Version
     drop-down list as shown in the following example screenshot:
    SSL.jpg  
  9. Expand 
    Listeners
     and click 
    LISTENER
    .
  10. Select the location of the listener from the drop-down list.
  11. Add address with the following information:
    •  
      Protocol:
       TCP/IP with SSL
    •  
      Host:
       Server host name
    •  
      Port:
       2484 (default)
    The following example screenshot shows the settings:
    Listener.jpg  
  12. Click 
    File, Save Network Configuration
     to save all the changes.
  13. Restart the listener (lnsrctl stop and lnsrctl start).
The sqlnet.ora file is updated with the following entries:
 
wallet_location = 
 (SOURCE=
 (METHOD=File)
 (METHOD_DATA=
 (DIRECTORY=server_wallet_location)))
 
This file is available at 
 
<Oracle_Home>
\network\admin
.
Also, you can enable or disable client authentication, as required. The following entry is available in sqlnet.ora to do so:
 
SSL_CLIENT_AUTHENTICATION = TRUE
 
Configurations on UIM Server
You must perform the following steps on the computer where you want to install the UIM Server: 
  1. Verify that Oracle Instant Client (version 12.1.0.2.0) is available on the UIM Server. 
  2. Copy the client wallet folder from the database server to the computer where you plan to install the UIM Server.
  3. Note that you need to provide the required client wallet location, wallet password, wallet type, and whether client authentication is needed when you install the UIM Server. The UIM Server installer copies the required wallet files from the provided location and places them in the 
    <Nimsoft>\security
     folder. For more information about the UIM Server installation, see Install UIM Server and Installation Parameters. The following screenshot shows the TLS v1.2 options (
    Enable TLS
    Wallet Location
    Wallet Type
    Wallet Password
    , and 
    Authenticate Client
    ) during the UIM Server installation:
    oracle_UIM_Server.jpg  
     Ensure that the ppm probe version is 3.48 and robot version is 7.96 to display TLS v1.2 configuration options in Admin Console. Otherwise, TLS v1.2 options are not displayed in Admin Console.
    The TLS v1.2-related options are as follows:
    •  
      Enable TLS:
       Select the option to enable TLS v1.2 in CA UIM, which lets the UIM Server to establish a secure communication with the UIM database (Oracle in this case).
    •  
      Wallet Location:
       Specify the location of the wallet where your security certificates are available. This location includes your trusted security certificates. The same security certificate must be available on the database server.
    •  
      Wallet Type:
       Select the wallet type from the drop-down list. The selected wallet type takes the precedence. Note that both SSO and PKCS12 are copied to the UIM Server (
      <Nimsoft>\security
      ) irrespective of the wallet type you select.
    •  
      Wallet Password:
       Specify the password to access the wallet information.
    •  
      Authenticate Client:
       Select the option to specify whether you want to enable client authentication.
  4. After you complete the UIM Server installation, ensure that the following entries are present in the sqlnet.ora file that is available in the <
    Nimsoft>\security
     folder:
    SSL_CLIENT_AUTHENTICATION = TRUE
    wallet_location = 
    (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
    (DIRECTORY=client_wallet_location)))
     
Additional Information
Review the following additional information:
  • In upgrade scenarios and in situations where you want to enable TLS v1.2 support after the UIM Server installation, perform the following tasks on the UIM Server:
    1. Verify the availability of Oracle Instant Client.
    2. Copy the client wallet.
    3. Use the data_engine Admin Console or Infrastructure Manager to configure the TLS v1.2-related parameters. Provide the required TLS v1.2 information; for example, client wallet location, wallet password, wallet type, and whether client authentication is needed. data_engine copies the required wallet files from the provided location and places them in the 
      <Nimsoft>\security
       folder.
      After you provide the information, restart the data_engine probe. The data_engine probe is successfully configured to support TLS v1.2. You can now deploy other probes and use the secure communication when interacting with the UIM database. Also, review the impacted probes and packages list. These items have been updated to support TLS v1.2. Ensure that you use the latest version of these items if you want them to work in the TLS v1.2 environment. The following screenshot shows the TLS v1.2 options (
      Enable TLS
      Wallet Type
      Wallet Location
      Wallet Password
      , and 
      Need Client Authentication
      ) in Admin Console:
      Oracle_Admin Console.jpg  
    4. Ensure that the sqlnet.ora file is created and placed it in the <
      Nimsoft>\security
       folder. Verify that the following entries are present in the file:
      SSL_CLIENT_AUTHENTICATION = TRUE
      wallet_location = 
      (SOURCE=
      (METHOD=File)
      (METHOD_DATA=
      (DIRECTORY=client_wallet_location)))
       
    5. Open the raw configuration for the controller probe, navigate to the environment section, enter the value as 
      <Nimsoft>\security
       for the 
      TNS_ADMIN
       variable, save the changes, and restart the robot.
  • Additionally, for upgrade scenarios, the CA UIM system can be either TLS v1.2 enabled or disabled for all components; it cannot be a partial TLS v1.2-enabled system. That is, all the infrastructure components across layers (for example, primary hub, secondary hub, probes) should be upgraded to the TLS v1.2-supported version.
  • When you want to update a certificate (for example, older certificate has expired), specify the wallet location that includes the new certificate in the data_engine UI. The data_engine UI uses that information to place the new wallet files on the primary hub in a specific location (<
    Nimsoft>\security
    folder). Restart the data_engine probe. Also, restart the affected probes on other robots.
  • You can enable or disable the TLS v1.2 mode by configuring the data_engine UI. Also, restart of data_engine is needed whenever TLS v1.2 mode is changed.
  • If you upgrade from a previous version of CA UIM to this version, the state of the system remains in non-TLS v1.2 mode. To enable TLS v1.2 mode, perform all the required manual steps that are mentioned above and use the data_engine UI to enable TLS v1.2.
  • If you encounter any database-connectivity issue in a TLS v1.2-enabled environment, the most probable reason for this issue might be that your certificate is not using FQDN.
  • Before you deploy CABI External version 3.4 on a secondary robot, copy the wallet file (SSO or PKCS12) from the UIM Server (<Nimsoft>\security)) to the CABI External secondary robot (<Nimsoft>\security).
Probes and Packages Updated for TLS v1.2
TLS v1.2-related updates have been made to the following items so that they can work in a TLS v1.2 environment:
  • ace 9.03
  • alarm_routing_service 10.20 
  • apmgtw 3.20 
  • audit 9.03
  • axagateway 1.32
  • cisco_ucm 2.00 
  • cm_data_import 9.02
  • data_engine 9.02
  • discovery_agent 9.02 
  • discovery_server 9.02
  • ems 10.20
  • fault_correlation_engine 9.03
  • hub 7.96
  • maintenance_mode 9.02
  • mon_config_service 9.02
  • mpse 9.03
  • nas 9.03
  • nis_server 9.03
  • qos_processor 9.02
  • relationship_services 9.03
  • robot 7.96
  • sla_engine 9.02
  • telemetry 1.20
  • topology_agent 9.03
  • topology_fault_correlation 9.03 
  • trellis 9.02
  • udm_manager 9.02
  • ump_relationshipviewer 9.02 
  • usage_metering 9.11
  • wasp 9.02 
  • webservices_rest 9.02
Troubleshooting
The following topic provides information about how you can troubleshoot a TLS v1.2-related issue:
Unable to Change "Need Client Authentication" in the data_engine UI
 
Symptom: 
This issue occurs when TLS v1.2 is enabled for Oracle (UIM database) and you try to change the 
Need Client Authentication
 option. In the data_engine AC or IM interface, when you try to change the 
Need Client Authentication
 option, the appropriate value for this option is not set in the sqlnet.ora file. The sqlnet.ora file is available in the 
<
 
Nimsoft>\security
 folder on the UIM Server computer. 
 
Solution 
As a workaround, you must manually update the value of the 
SSL_CLIENT_AUTHENTICATION
 parameter. To do so, follow these steps:
  1. On the UIM Server computer, navigate to the 
    <
     
    Nimsoft>\security
     folder.
  2. Locate and open the sqlnet.ora file.
  3. Update the 
    SSL_CLIENT_AUTHENTICATION
     parameter in the sqlnet.ora file based on whether the 
    Need Client Authentication
     option is selected or not (in the data_engine IM interface).
    For example, if the option is selected in the IM interface, the parameter must be set as follows:
    SSL_CLIENT_AUTHENTICATION = TRUE
    If the option is not selected, the parameter must be set as follows:
    SSL_CLIENT_AUTHENTICATION = FALSE
     
  4. Restart the data_engine probe.
Facing Issues with the UIM Database (Oracle)
 
Symptom:
 I am facing issues with the Oracle database in my TLS v1.2 environment.
 
Solution:
 To identify the problem, install SQL*Plus Instant Client and use the following command:
 
Sqlplus [email protected] "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=DatabaseHost) (PORT=DatabasePort))(CONNECT_DATA=(SERVICE_NAME=Servicename)))"