OEM Vulnerability: SSL Certificate Chain Contains RSA Keys Less Than 2048 Bits

This note walks through raising the RSA key strength of the certificates issued by the OMS certificate authority from 1024 to 2048 bits (the signature algorithm of the certificates is reported alongside the key strength), so that the OMS and its agents stop presenting a certificate chain with RSA keys shorter than 2048 bits.

  • Check that the OMS is up before starting:

[em@OMSHOST805 bin]$ ./emctl status oms
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
WebTier is Up
Oracle Management Server is Up
JVMD Engine is Up
BI Publisher Server is Up
[em@OMSHOST805 bin]$

  • Log in to the OMS with EM CLI as the sysman user:

[em@OMSHOST805 bin]$ ./emcli login -username=sysman
Enter password :

Login successful

  • Get the current certificate details:

[em@OMSHOST805 bin]$ ./emcli get_ca_info -details

Info about CA with ID: 1
CA is not configured
Signature algorithm : sha512
Key strength : 1024
DN: CN=OMSHOST805.xxx.com, C=US, ST=CA, L=EnterpriseManager on OMSHOST805.xxx.com, OU=EnterpriseManager on OMSHOST805.xxx.com, O=EnterpriseManager on OMSHOST805.xxx.com
Serial# : 15353633977450860890
Valid From: Sun Dec 13 12:54:41 AST 2020
Valid Till: Thu Dec 12 12:54:41 AST 2030
Number of Agents registered with CA ID CA ID 1 is 31
xxxxxxxx
xxxxxxxx
xxxxxxxx

  • Run the command below to create a new Certificate Authority with a 2048-bit key strength:

[em@OMSHOST805 bin]$ ./emctl secure createca -key_strength 2048
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Creating CA… Started.
Enter Enterprise Manager Root (SYSMAN) Password :
Successfully created CA with ID 3
[em@OMSHOST805 bin]$

  • View the details of the new Certificate Authority that was just created; it should be listed next to the old 1024-bit CA:

[em@OMSHOST805 bin]$ ./emcli get_ca_info -details

Info about CA with ID: 1
CA is not configured
Signature algorithm : sha512
Key strength : 1024
DN: CN=OMSHOST805.xxx.com, C=US, ST=CA, L=EnterpriseManager on OMSHOST805.xxx.com, OU=EnterpriseManager on OMSHOST805.xxx.com, O=EnterpriseManager on OMSHOST805.xxx.com
Serial# : 15353633977450860890
Valid From: Sun Dec 13 12:54:41 AST 2020
Valid Till: Thu Dec 12 12:54:41 AST 2030
Number of Agents registered with CA ID CA ID 1 is 31

Info about CA with ID: 2
CA is not configured
Signature algorithm : sha512
Key strength : 2048
DN: CN=OMSHOST805.xxx.com, C=US, ST=CA, L=CA2, OU=EnterpriseManager on OMSHOST805.xxx.com, O=EnterpriseManager on OMSHOST805.xxx.com
Serial# : -7562746367185428360
Valid From: Tue Apr 06 14:59:29 AST 2021
Valid Till: Sat Apr 05 14:59:29 AST 2031
Number of Agents registered with CA ID CA ID 2 is 5
xxxxxxxx
xxxxxxxx
xxxxxxxx

  • Secure every Agent (on each agent host) so that it is issued a certificate with a 2048-bit key strength:

em@s0client01:/em1/agent_inst/bin$ ./emctl secure agent
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Agent successfully stopped… Done.
Securing agent… Started.
Enter Agent Registration Password :
Agent successfully restarted… Done.
Securing agent… Successful.
em@s0client01:/em1/agent_inst/bin$

  • Secure the OMS once all the Agents have been secured, then check the CA details again:

[em@OMSHOST805 bin]$ ./emctl secure oms -console -protocol TLSv1.2
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Securing OMS… Started.
Enter Enterprise Manager Root (SYSMAN) Password :
Enter Agent Registration Password :
[em@OMSHOST805 bin]$
[em@OMSHOST805 bin]$ ./emcli get_ca_info -details

Info about CA with ID: 1
CA is not configured
Signature algorithm : sha512
Key strength : 1024
DN: CN=OMSHOST805.xxx.com, C=US, ST=CA, L=EnterpriseManager on OMSHOST805.xxx.com, OU=EnterpriseManager on OMSHOST805.xxx.com, O=EnterpriseManager on OMSHOST805.xxx.com
Serial# : 15353633977450860890
Valid From: Sun Dec 13 12:54:41 AST 2020
Valid Till: Thu Dec 12 12:54:41 AST 2030
Number of Agents registered with CA ID CA ID 1 is 31
xxxxxxxx
xxxxxxxx
xxxxxxxx

Info about CA with ID: 2
CA is not configured
Signature algorithm : sha512
Key strength : 2048
DN: CN=OMSHOST805.xxx.com, C=US, ST=CA, L=CA2, OU=EnterpriseManager on OMSHOST805.xxx.com, O=EnterpriseManager on OMSHOST805.xxx.com
Serial# : -7562746367185428360
Valid From: Tue Apr 06 14:59:29 AST 2021
Valid Till: Sat Apr 05 14:59:29 AST 2031
Number of Agents registered with CA ID CA ID 2 is 4
xxxxxxxx
xxxxxxxx
xxxxxxxx

  • Restart the OMS so that it serves the new certificate:

[em@OMSHOST805 bin]$ ./emctl stop oms -all
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Stopping Oracle Management Server…
WebTier Successfully Stopped
Oracle Management Server Successfully Stopped
Oracle Management Server is Down
JVMD Engine is Down
Stopping BI Publisher Server…
BI Publisher Server Successfully Stopped
AdminServer Successfully Stopped
BI Publisher Server is Down

[em@OMSHOST805 bin]$ ./emctl start oms
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Starting Oracle Management Server…
WebTier Successfully Started
Oracle Management Server Successfully Started
Oracle Management Server is Up
JVMD Engine is Up
Starting BI Publisher Server …
BI Publisher Server Successfully Started
BI Publisher Server is Up
[em@OMSHOST805 bin]$
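The procedure above depends on reading `emcli get_ca_info -details` output by eye to confirm that the old 1024-bit CA no longer has agents registered against it before it is retired. The following script is an added example, not part of the original post or of Oracle's tooling: it parses output in the format shown above, flags every CA whose key strength is below 2048 bits, and lists the agents that still have to be re-secured. The sample output embedded in it is constructed (hostnames, serial numbers and agent names are made up) and follows the layout of the page's output; the line formats it matches are taken from that output, not from Oracle documentation.

```python
import re
from dataclasses import dataclass, field

# Threshold from the scanner finding: RSA keys shorter than this are flagged.
MIN_RSA_BITS = 2048


@dataclass
class CaInfo:
    """One 'Info about CA with ID: n' block from emcli get_ca_info -details."""
    ca_id: int
    status: str = ""              # the raw 'CA is ... configured' line
    signature_algorithm: str = ""
    key_strength: int = 0
    dn: str = ""
    valid_till: str = ""
    agent_count: int = 0          # count reported by the tool
    agents: list = field(default_factory=list)  # agent names listed under it


# Line formats as they appear in the output quoted above (assumed stable).
_ID_RE = re.compile(r"^Info about CA with ID:\s*(\d+)")
_KV_RE = re.compile(r"^(Signature algorithm|Key strength|Valid Till|DN)\s*:\s*(.*)$")
# The tool prints 'CA ID CA ID 1 is 31'; the duplicated 'CA ID' is optional here.
_AGENTS_RE = re.compile(r"^Number of Agents registered with CA ID\s+(?:CA ID\s+)?(\d+)\s+is\s+(\d+)")


def parse_ca_info(text):
    """Parse the text output into a list of CaInfo, one per CA block."""
    cas = []
    current = None
    in_agent_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                     # blank line ends the agent list
            in_agent_list = False
            continue
        m = _ID_RE.match(line)
        if m:
            current = CaInfo(ca_id=int(m.group(1)))
            cas.append(current)
            in_agent_list = False
            continue
        if current is None:              # banner text before the first block
            continue
        if line.startswith("CA is"):
            current.status = line
            continue
        m = _AGENTS_RE.match(line)
        if m:
            current.agent_count = int(m.group(2))
            in_agent_list = True         # the agent names follow this line
            continue
        m = _KV_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Signature algorithm":
                current.signature_algorithm = value
            elif key == "Key strength":
                current.key_strength = int(value)
            elif key == "Valid Till":
                current.valid_till = value
            elif key == "DN":
                current.dn = value
            continue
        if in_agent_list:
            current.agents.append(line)
    return cas


def weak_cas(cas, min_bits=MIN_RSA_BITS):
    """CAs that still issue keys shorter than the required strength."""
    return [ca for ca in cas if ca.key_strength < min_bits]


def agents_still_on_weak_cas(cas, min_bits=MIN_RSA_BITS):
    """Agents that must be re-secured ('emctl secure agent') before the weak CA can go."""
    return {ca.ca_id: list(ca.agents) for ca in weak_cas(cas, min_bits) if ca.agents}


def remediation_complete(cas, min_bits=MIN_RSA_BITS):
    """True once no agent is registered against any CA below the threshold."""
    return all(ca.agent_count == 0 for ca in weak_cas(cas, min_bits))


# Constructed sample in the format of the page's output (not real hosts or serials).
SAMPLE_OUTPUT = """\
Info about CA with ID: 1
CA is not configured
Signature algorithm : sha512
Key strength : 1024
DN: CN=oms.example.com, C=US, ST=CA, L=EnterpriseManager on oms.example.com, OU=EnterpriseManager on oms.example.com, O=EnterpriseManager on oms.example.com
Serial# : 1111111111111111111
Valid From: Sun Dec 13 12:54:41 AST 2020
Valid Till: Thu Dec 12 12:54:41 AST 2030
Number of Agents registered with CA ID CA ID 1 is 2
agenthost01.example.com:3872
agenthost02.example.com:3872

Info about CA with ID: 2
CA is not configured
Signature algorithm : sha512
Key strength : 2048
DN: CN=oms.example.com, C=US, ST=CA, L=CA2, OU=EnterpriseManager on oms.example.com, O=EnterpriseManager on oms.example.com
Serial# : 2222222222222222222
Valid From: Tue Apr 06 14:59:29 AST 2021
Valid Till: Sat Apr 05 14:59:29 AST 2031
Number of Agents registered with CA ID CA ID 2 is 1
agenthost03.example.com:3872
"""

if __name__ == "__main__":
    cas = parse_ca_info(SAMPLE_OUTPUT)
    for ca in cas:
        print(f"CA {ca.ca_id}: {ca.key_strength}-bit, {ca.signature_algorithm}, "
              f"{ca.agent_count} agent(s), valid till {ca.valid_till}")
    for ca_id, agents in agents_still_on_weak_cas(cas).items():
        print(f"CA {ca_id} is below {MIN_RSA_BITS} bits; re-secure: {', '.join(agents)}")
    print("remediation complete" if remediation_complete(cas) else "agents remain on weak CA")
```

In practice you would feed it the real output (`./emcli get_ca_info -details > ca_info.txt` and read that file instead of `SAMPLE_OUTPUT`) after the `emctl secure agent` step on every host and before `emctl secure oms`; as long as `agents_still_on_weak_cas` returns anything, some agent is still presenting a 1024-bit certificate and the finding will come back.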
