Securing Database Communication in CA UIM 9.0.2 with TLS v1.2 (Oracle)
CA Unified Infrastructure Management 9.0.2, a leading infrastructure management monitoring solution, provides enhanced security by supporting Transport Layer Security (TLS) v1.2. In a past article, we shared how this works with Microsoft SQL Server. This article will focus on how you can support TLS v1.2 with Oracle, without compromising on the product performance.
At a high level, enabling TLS v1.2 support in CA UIM 9.0.2 is a two-step process:
- Perform configurations on the Oracle database server.
- Enable the TLS option and provide relevant details during installation of the UIM Server.
Supporting TLS v1.2 on Oracle
The following diagram shows the steps that are required to enable TLS v1.2 when the UIM database is Oracle 11g or 12c:
Configurations on the Database Server—Oracle
Perform the following tasks on the database server—Oracle:
Verify the FQDN System Requirement.Verify that your full computer name is FQDN (for example, VI02-E74.ca.com). If not, add the domain name (for example, ca.com) to the computer name.
Verify and Apply Patches for Oracle. For Oracle 11.2, which does not support TLS v1.2 by default, download and install the 126.96.36.199.2 DBPSU patch and p25874796_112040_MSWIN-x86-64 from Oracle Support.
Disable Previous Certificates. Change the registry keys to disable all the previous versions of certificates on the database server.
Perform Wallet Configuration for the Server: Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform the wallet configuration for the server, which includes the following tasks:
- Create a server wallet.
- Enable auto-login to true.
- Create a certificate request.
- Export the certificate request into a file and send it to Certification Authority (CA).
- Get the certificate from CA.
- Import the user certificate into the server wallet.
Perform Wallet Configuration for the Client. Use the Oracle Wallet Manager user interface or the orapki utility (command line) to perform wallet configuration for the client. Follow the same steps that you followed for the server wallet.
Set the TLS Configuration on the Database Server.Use Oracle Net Manager to set the TLS configuration details. This configuration includes the following tasks:
- Enter the location of the server wallet.
- Specify that the configuration is for the server.
- Set the TLS version for the server.
- Add listener for TLS.
Configurations on the UIM Server Computer
Perform the following tasks on the computer where you plan to install the UIM Server:
- Verify that Oracle Instant Client (version 188.8.131.52.0) is available on the computer where you want to install the UIM Server.
- Copy the client wallet folder from the database server to the computer where you plan to install the UIM Server.
- Provide the required client wallet location, wallet password, wallet type, and whether client authentication is needed when you install the UIM Server. The UIM Server installer copies the required wallet files from the provided location and places them in the <Nimsoft>\security folder.
After you complete the UIM Server installation, ensure that the following entries are present in the sqlnet.ora file that is available in the <Nimsoft>\security folder:
For detailed information about considerations, how to perform various tasks outlined in this article, or to view the list of enhanced probes, see the related DocOps article: Support for TLS v1.2 (Oracle).