PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Why we should do it

To continue the business with the client and to assure that their data is safe and secure. A security team runs scans on all servers to find out whether there is any kind of breach. As far as I know they use the Rapid tool with a set of standard security protocol checks (TCP/UDP/SSLv2/SSLv3 etc.); basically, the applications on the server have to meet their criteria.

What is a PCI Scan

There are two different PCI scan results for the Database Team.

  • PCI Scan on the Database server
    Here the only outstanding issue is to install custom certificates individually into the database agent software that is running.
  • PCI Scan on OEM Servers
    Applied several patches and Oracle configuration changes.
    Still working with Oracle to fill the gaps.

Prerequisites

  • Apply the OHS patch below on the Middleware Home:
    export ORACLE_HOME= /OPatch/opatch apply
    Patch 26625183: EMBP Patch Set Update 13.2.0.0.171017
  • Apply the PSU 2 patch (12.1.3.0.2) or higher on 12.1.3 WLS. This is required to configure the Node Manager with stronger cipher suites.
    Patch 26519417: WLS PATCH SET UPDATE 12.1.3.0.171017 is the latest WebLogic PSU. There were internal patch process problems; adjustments were made to fix them, and Patch 18974665 was removed, replaced by another patch number and included in the PSU as a cumulative fix.
    Conflict With Patch 18974665 When Applying WebLogic Server 12.1.3 PSU (Doc ID 2295478.1)
  • Rollback patches:
    $ORACLE_HOME/OPatch/opatch rollback -id 25388793
    $ORACLE_HOME/OPatch/opatch rollback -id 18974665
  • Download the unlimited strength policy file from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
    Unzip and copy local_policy.jar and US_export_policy.jar into /oracle_common/jdk/jre/lib/security after taking a backup of the existing files:
    scp -r *.jar oracle@SERVERNAME://u01/app/oracle/product/oem13c/agent_13.2.0.0.0/oracle_common/jdk/jre/lib/security/
  • Apply the patches below on the Agents:
    Patch 26649994: EM-AGENT Bundle Patch 13.2.0.0.170930
    Patch 25162444: EM-BEACON Bundle Patch 13.2.0.0.161231

Configuration Changes

OMS

Perform the following to restrict low-strength ciphers and allow only high-strength AES ciphers for interactions with the EM 13c OMS.
Stop the OMS:
cd /bin
emctl stop oms -all -force
Take a backup of the files listed in the Configuration Table below from your OMS server and edit them.
Set the value of SSLCipherSuite as below so that only strong AES ciphers are allowed. If the parameter does not exist, add it.
SSLCipherSuite = HIGH
I had tried other ciphers, but those failed:
Fatal error in NodeManager server: java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE_RSA_WITH_AES_256_CBC_SHA>
Fatal error in NodeManager server: java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Fatal error in NodeManager server: java.lang.IllegalArgumentException: Unsupported ciphersuite RSA_WITH_AES_256_CBC_SHA256

WLS

EM 13c Cloud Control uses the 12.1.3.0 version of WLS, and in EM the WLS Home is $MIDDLEWARE_HOME/wlserver_10.3.
Add this value to the config.xml files listed in the Configuration Table below:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Agent

Perform the steps listed below to disable weak and medium SSL ciphers for EM 13c Agent interactions:
Download the unlimited strength policy file from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html. Unzip and copy local_policy.jar and US_export_policy.jar into /agent_13.2.0.0.0/oracle_common/jdk/jre/lib/security after taking a backup of the existing files:
scp -r *.jar oracle@SERVERNAME://u01/app/oracle/product/oem13c/agent_13.2.0.0.0/oracle_common/jdk/jre/lib/security/
emctl setproperty agent -name SSLCipherSuites -value TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
emctl setproperty agent -name minimumTLSVersion -value TLSv1.2

Configuring TLSv1.2-only mode is also required to overcome the vulnerability.

Secure the OMS using the command below:
/bin>emctl secure oms -console -protocol TLSv1.2

Note:
If the OMS is configured with custom/third-party certificates, then also specify the wallet location in the secure command with the -wallet and -trust_certs_loc arguments.
Then run the command below to secure the console with custom/third-party certificates:
/bin>emctl secure console -wallet

Stop the OMS using the command below:
/bin>emctl stop oms -all

Take a backup of the startEMServer.sh file (Unix) or startEMServer.cmd (Windows) located in the /user_projects/domains/GCDomain/bin directory.
For example: /home/oracle/Oracle/gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh

Open the file startEMServer.sh / startEMServer.cmd and locate the line which begins with JAVA_OPTIONS. Look for the last JAVA_OPTIONS entry in the file.
For example:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.egd=file:///dev/urandom"

Append the property below to JAVA_OPTIONS. If this property already exists, update its value to TLS1.2:
-Dweblogic.security.SSL.protocolVersion=TLS1.2

/u01/app/oracle/product/13.2.0.0/gc_inst/user_projects/domains/GCDomain/bin/startEMServer.sh
JAVA_OPTIONS="${JAVA_OPTIONS} ${JAVA_EM_ARGS} -Djavax.xml.bind.JAXBContext=com.sun.xml.bind.v2.ContextFactory -Djava.security.egd=file:///dev/./urandom -Dweblogic.debug.DebugWebAppSecurity=true -Dweblogic.SSL.LoginTimeoutMillis=300000 -Djps.auth.debug=true -Djps.authz=ACC -Djps.combiner.optimize.lazyeval=true -Djps.combiner.optimize=true -Djps.subject.cache.key=5 -Djps.subject.cache.ttl=600000 -Doracle.apm.home=/u01/app/oracle/product/13.2.0.0/middleware/apm/ -DAPM_HELP_FILENAME=oesohwconfig.xml -Dweblogic.data.canTransferAnyFile=true -Dhttps.protocols=TLSv1.2 -DHTTPClient.retryNonIdempotentRequest=false -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 "
NodeManager
/u01/app/oracle/product/13.2.0.0/gc_inst/user_projects/domains/GCDomain/bin/startNodeManager.sh
JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=/u01/app/oracle/product/13.2.0.0/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/product/13.2.0.0/middleware/oracle_common -Dopss.version=12.1.3 -Dhttps.protocols=TLSv1.2 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
/u01/app/oracle/product/13.2.0.0/middleware/bin/startOMS.py
nm.addJvmArg("-Dweblogic.security.SSL.protocolVersion=TLSv1.2")

Tried with these scans, but they are unsupported by the OMS; requesting Oracle to investigate:
Fatal error in NodeManager server: java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE_RSA_WITH_AES_256_CBC_SHA>
Fatal error in NodeManager server: java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Fatal error in NodeManager server: java.lang.IllegalArgumentException: Unsupported ciphersuite RSA_WITH_AES_256_CBC_SHA256

Configuration Table

Port 4903
  Vulnerabilities:
  • TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  • TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
  • TLS Server Supports TLS version 1.0
  • TLS/SSL Server is enabling the BEAST attack
  Changes (cd Middleware_Home/gc_inst/user_projects/domains/GCDomain/config):
  Node 1:
    fmwconfig/components/OHS/ohs1/httpd.conf
    fmwconfig/components/OHS/ohs2/ssl.conf
    fmwconfig/components/OHS/instances/ohs1/ssl.conf
  Node 2:
    fmwconfig/components/OHS/instances/ohs2/ssl.conf

Port 7803
  Vulnerabilities:
  • TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  • TLS/SSL Server is enabling the BEAST attack
  • TLS Server Supports TLS version 1.0
  • TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
  Changes: (none listed)

Port 9851
  Vulnerabilities:
  • TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  • TLS/SSL Server is enabling the BEAST attack
  • TLS Server Supports TLS version 1.0
  • TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
  Changes: please refer to the certificate installation attachment.

Port 9803
  Vulnerabilities:
  • TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
  • TLS Server Supports TLS version 1.0
  • TLS/SSL Server is enabling the BEAST attack
  Changes: (none listed)

Port 7301
  Vulnerabilities:
  • TLS/SSL Server is enabling the BEAST attack
  • TLS Server Supports TLS version 1.0
  Changes (cd Middleware_Home/gc_inst/user_projects/domains/GCDomain/config):
  Node 1:
    fmwconfig/components/OHS/ohs1/ssl.conf
    fmwconfig/components/OHS/ohs1/moduleconf/httpd_em.conf
    fmwconfig/components/OHS/ohs1/moduleconf/ssl_bip.conf
    fmwconfig/components/OHS/ohs2/ssl.conf
    fmwconfig/components/OHS/instances/ohs1/ssl.conf
    fmwconfig/components/OHS/instances/ohs1/ssl.conf.emctl_secure
    config.xml
    nodemanager/nodemanager.properties
  Node 2:
    fmwconfig/components/OHS/instances/ohs2/ssl.conf
    fmwconfig/components/OHS/instances/ohs2/ssl.conf.emctl_secure
    config.xml
    nodemanager/nodemanager.properties

Port 7102
  Vulnerabilities:
  • TLS/SSL Server is enabling the BEAST attack
  • TLS Server Supports TLS version 1.0
  Changes: (none listed)

Port 7403
  Vulnerabilities:
  • TLS/SSL Server is enabling the BEAST attack
  • TLS Server Supports TLS version 1.0
  Changes: (none listed)
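A check worth running over the edited ssl.conf/httpd.conf files before the next scan, as an added example that is not from this page or from Oracle: it reads the SSLProtocol and SSLCipherSuite directives of an OHS/Apache-style fragment and reports which of the findings in the table above the settings would still trigger. The two fragments are constructed samples; keyword groups such as HIGH are not expanded, since only the server's TLS library can resolve them.

```python
import re

# Constructed sample fragments (not files from the page): before and after remediation.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
"""
HARDENED_CONF = """\
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
"""
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.M)
ALL_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}

def parse(conf):
    """Map each directive of interest to its tokens (comma or space separated)."""
    out = {}
    for name, value in DIRECTIVE.findall(conf):
        out.setdefault(name, []).extend(t for t in re.split(r"[,\s]+", value) if t)
    return out

def enabled_protocols(tokens):
    """Expand Apache-style 'all', '+X' and '-X' protocol syntax into the enabled set."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").upper()
        names = set(ALL_PROTOCOLS) if name == "ALL" else {"TLSV1" if name == "TLSV1.0" else name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit(conf):
    """Return the scan findings (titles as in the table) this fragment would still trigger."""
    cfg = parse(conf)
    protos = enabled_protocols(cfg.get("SSLProtocol", []))
    suites = [s.upper() for s in cfg.get("SSLCipherSuite", [])]
    # Keyword groups such as HIGH are resolved by the server's TLS library, so only
    # explicitly named suites are judged; a group is assumed to include CBC suites.
    has_cbc = any("CBC" in s or "_WITH_" not in s for s in suites)
    findings = set()
    if "TLSV1" in protos:
        findings.add("TLS Server Supports TLS version 1.0")
        if has_cbc:  # BEAST needs a CBC suite negotiated under TLS 1.0
            findings.add("TLS/SSL Server is enabling the BEAST attack")
    if any("RC4" in s for s in suites):
        findings.add("TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)")
    if any("3DES" in s or "_DES_" in s for s in suites):
        findings.add("TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)")
    return sorted(findings)
```

Run audit() over each file in the table; an empty list means none of the listed findings remain for that file, while the live scan is still the final word because it sees what the server actually negotiates.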
