Oracle - How to strengthen Oracle Cloud Control Security?
The following Document you may need to read to do this:
Self-signed certificate & Untrusted CA
EM 13c, 12c: How to Configure the Enterprise Manager Cloud Control Management Agent for Secure Socket Layer (SSL) Certificates (Doc ID 2213661.1)
Disable TLSv1.0 / TLSv1.1 / SSLv3
EM 12c can just support TLS v1.0
EM 13c: Enterprise Manager 13c Cloud Control Configuration with Specific Transport Layer Security Protocol:TLSv1.0,TLSv1.1,TLSv1.2 (Doc ID 2212006.1)
EM 12c: Configure Enterprise Manager 12c Cloud Control to Accept Connections with TLSv1.0 Protocol (Doc ID 1602983.1)
Disable Weak Cipher Suites
13c: How to Disable Weak SSLCipherSuites in Enterprise Manager 13c Cloud Control (Doc ID 2138391.1)
EM 12c: How to Disable Weak SSLCipherSuites Used by Enterprise Manager 12c Cloud Control (Doc ID 1477287.1)
How To Disable Anonymous and Weak Cipher Suites in Oracle WebLogic Server (Doc ID 1067411.1)
If you are using EM13.2, JDK should be upgraded in advance to at least 1.7_131
How to Use JDK 7 Update 191 with EM 13.2 / 13.3 OMS (Doc ID 2241358.1)
Somethings you may need:
1-Determine the port of OMS / agent
$ /u01/app/oracle/agent/agent_13.3.0.0.0/bin/emctl status agent|grep URL Agent URL : https://oem13:3872/emd/main/ Local Agent URL in NAT : https://oem13:3872/emd/main/ Repository URL : https://oem13:4903/empbs/upload $ emctl status oms -details Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Enter Enterprise Manager Root (SYSMAN) Password : Console Server Host : oem13 HTTP Console Port : 7788 HTTPS Console Port : 7803 HTTP Upload Port : 4889 HTTPS Upload Port : 4903 EM Instance Home : /u01/app/oracle/gc_inst/em/EMGC_OMS1 OMS Log Directory Location : /u01/app/oracle/gc_inst/em/EMGC_OMS1/sysman/log OMS is not configured with SLB or virtual hostname Agent Upload is locked. OMS Console is locked. Active CA ID: 1 Console URL: https://oem13:7803/em Upload URL: https://oem13:4903/empbs/upload WLS Domain Information Domain Name : GCDomain Admin Server Host : oem13 Admin Server HTTPS Port: 7102 Admin Server is RUNNING Oracle Management Server Information Managed Server Instance Name: EMGC_OMS1 Oracle Management Server Instance Host: oem13 WebTier is Up Oracle Management Server is Up JVMD Engine is Up BI Publisher Server Information BI Publisher Managed Server Name: BIP BI Publisher Server is Up BI Publisher HTTP Managed Server Port : 9701 BI Publisher HTTPS Managed Server Port : 9803 BI Publisher HTTP OHS Port : 9788 BI Publisher HTTPS OHS Port : 9851 BI Publisher is locked. BI Publisher Server named ‘BIP’ running at URL: https://oem13:9851/xmlpserver/servlet/home BI Publisher Server Logs: /u01/app/oracle/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/ BI Publisher Log : /u01/app/oracle/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/bipublisher/bipublisher.log $ cd /u01/app/oracle/ $ find . -name nodemanager.properties ./gc_inst/user_projects/domains/GCDomain/nodemanager/nodemanager.properties $ cat ./gc_inst/user_projects/domains/GCDomain/nodemanager/nodemanager.properties|grep ListenPort ListenPort=7403
2-Check TLSv1.0 / TLSv1.1 / SSLv3 / Weak Cipher
$ openssl s_client -connect localhost:3872 -ssl3 $ openssl s_client -connect localhost:3872 -tls1 $ openssl s_client -connect localhost:3872 -tls1_1 $ openssl s_client -connect localhost:3872 -cipher MEDIUM
3-Determine WLS Version
$ source ./setWLSEnv.sh $ java weblogic.version
4-Change the password of SYSMAN in database
https://docs.oracle.com/cd/E73210_01/EMSEC/GUID-5DD3B11A-1159-40BD-8AEB-41EDE664AB12.htm#EMSEC12918
During password change, if see error
$ /u01/app/oracle/middleware/bin/emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd oracle -new_pwd Oracle$123 Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Changing passwords in backend … Passwords changed in backend successfully. Updating repository password in Credential Store… javax.management.RuntimeMBeanException: javax.management.RuntimeMBeanException Error occurred. Check the log /u01/app/oracle/gc_inst/em/EMGC_OMS1/sysman/log/secure.log
And also find exception in the log file
./gc_inst/em/EMGC_OMS1/sysman/log/secure.log
Refer the following document to deal with.
OPSS: Applying EM/OMS 12.1.0.3.3 PSU Patch 18604893 Fails. emctl.log Shows: Failed to find OMS details: JPS-01030: Cannot get credential. | JPS-10000: There was an internal error in the policy store.. (Doc ID 2015186.1)
5-Reset agent registration password
Enterprise Manager Cloud Control Security: How to Create or Edit the Agent Registration Password for Agent to OMS Secure Communication (Doc ID 1367946.1)
