How do I update the supported NFM-P TLS versions and ciphers?
Purpose
CAUTION: Service Disruption
Updating the TLS version and cipher support requires a complete NFM-P system shutdown, which creates a network management outage.
Perform the procedure only during a scheduled maintenance period of sufficient duration with the guidance of technical support.
Outdated TLS versions or ciphers present a security risk. Perform this procedure to update the lists of supported TLS versions and ciphers in an NFM-P system.
Note: An NFM-P system upgrade replaces the current TLS version and cipher support settings with the defaults for the new release. After an upgrade, you may need to reconfigure the settings.
Note: You require the following user privileges:
Note: The Oracle management user and group names are specified during database installation; the default is ‘oracle’ in the ‘dba’ group.
Note: The following RHEL CLI prompts in command lines denote the active user and are not to be included in typed commands: bash$ denotes the nsp user, and # denotes the root user.
Steps
Prepare new cipher and TLS files
1. Log in to the standalone or primary NFM-P main server station as the nsp user.
2. Enter the following:
   bash$ cd /opt/nsp/nfmp/server/nms/bin/security_management/ssl ↵
3. Enter the following to create the default cipher list file:
   bash$ ./ciphers_and_tls_update.bash create -cdc default-ciphers-file ↵
4. Enter the following to create the default TLS list file:
   bash$ ./ciphers_and_tls_update.bash create -cdt default-TLS-file ↵
5. Enter the following to copy the default ciphers file to a new file:
   bash$ cp default-ciphers-file new_ciphers_file ↵
   where new_ciphers_file is the name to assign to the new ciphers file
6. Open new_ciphers_file using a plain-text editor such as vi.
7. Edit the file to remove the cipher suites that are not to be supported (for example, weak or obsolete suites that your security policy prohibits).
8. Save and close the file.
9. Enter the following to copy the default TLS file to a new file:
   bash$ cp default-TLS-file new_TLS_file ↵
   where new_TLS_file is the name to assign to the new TLS file
10. Open new_TLS_file using a plain-text editor such as vi.
11. Edit the file to remove the TLS versions that are not to be supported.
    Note: You must not remove TLSv1.2.
    Note: TLSv1.0 and TLSv1.1 are deprecated by the IETF; the deprecation was drafted as draft-ietf-tls-oldversions-deprecate and published as RFC 8996.
12. Save and close the file.
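The list editing in steps 5 to 12, plus a check to run once the servers are back up, as an added example that is not part of the NFM-P documentation or product. It assumes, without confirmation from the documentation, that each list file holds one entry per line, that blank lines and # comments are ignored, that cipher names use the IANA/Java style (TLS_..._WITH_...), and that versions appear as TLSv1 or TLSv1.0, TLSv1.1, TLSv1.2 and so on; the default-ciphers-file and default-TLS-file contents it creates are constructed samples, not the real defaults, and the weak-suite pattern is a starting point to adjust to your own policy. The functions filter_ciphers, filter_tls and probe_tls are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example; it is not part of the NFM-P documentation or product.
# Builds new_ciphers_file and new_TLS_file from the defaults written by
# ciphers_and_tls_update.bash (steps 3 to 12), and refuses to write a TLS
# list that no longer contains TLSv1.2.
# Assumptions not confirmed by the documentation: each list file holds one
# entry per line, blank lines and '#' comments are ignored, cipher names use
# the IANA/Java style (TLS_..._WITH_...), and versions appear as TLSv1 or
# TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3. Adjust the patterns to your policy.
set -u

# Suites whose names contain any of these are dropped: NULL and anon give no
# encryption or no authentication; EXPORT, RC4, DES/3DES and MD5 are broken.
WEAK_CIPHER_PATTERN='NULL|anon|EXPORT|RC4|DES|MD5'
# Protocol versions to drop (SSLv2/3, TLSv1 or TLSv1.0, TLSv1.1).
OLD_TLS_PATTERN='^(SSLv[23]|TLSv1(\.0|\.1)?)$'

# filter_ciphers SRC DST: copy SRC to DST without the weak suites.
# Fails, and leaves no DST behind, if nothing would remain.
filter_ciphers() {
    local src=$1 dst=$2
    awk -v pat="$WEAK_CIPHER_PATTERN" '
        /^[[:space:]]*(#|$)/ { next }      # comment or blank line
        $0 ~ pat             { next }      # weak suite
        { print; kept++ }
        END { if (!kept) exit 1 }
    ' "$src" > "$dst" || {
        echo "error: no cipher suite would remain from $src; not writing $dst" >&2
        rm -f "$dst"
        return 1
    }
}

# filter_tls SRC DST: copy SRC to DST without the old protocol versions.
# The procedure requires TLSv1.2 to stay enabled, so DST is discarded and the
# function fails if TLSv1.2 is missing from the result.
filter_tls() {
    local src=$1 dst=$2
    grep -Ev '^[[:space:]]*(#|$)' "$src" | grep -Ev "$OLD_TLS_PATTERN" > "$dst" || true
    if ! grep -qxF 'TLSv1.2' "$dst"; then
        echo "error: TLSv1.2 is not in the result for $src; not writing $dst" >&2
        rm -f "$dst"
        return 1
    fi
}

# probe_tls HOST PORT: after the servers are restarted, report which versions
# the server still negotiates. Needs network access and the openssl CLI, so
# it is not exercised in the offline run below. Caveat: an OpenSSL 3.x client
# may itself refuse TLSv1.0/1.1 at its default security level, in which case
# "refused" says nothing about the server; compare with the -tls1_2 result.
probe_tls() {
    local host=$1 port=$2 v
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v: handshake accepted"
        else
            echo "$v: handshake refused"
        fi
    done
}

# Offline demonstration on constructed sample lists (not the real NFM-P defaults).
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/default-ciphers-file" <<'EOF'
# constructed sample
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
EOF
cat > "$WORKDIR/default-TLS-file" <<'EOF'
TLSv1
TLSv1.1
TLSv1.2
TLSv1.3
EOF
printf 'TLSv1\nTLSv1.1\n' > "$WORKDIR/old-only-TLS-file"

filter_ciphers "$WORKDIR/default-ciphers-file" "$WORKDIR/new_ciphers_file"
filter_tls "$WORKDIR/default-TLS-file" "$WORKDIR/new_TLS_file"
echo "== new_ciphers_file =="; cat "$WORKDIR/new_ciphers_file"
echo "== new_TLS_file =="; cat "$WORKDIR/new_TLS_file"
# A list that would drop TLSv1.2 is rejected rather than written.
filter_tls "$WORKDIR/old-only-TLS-file" "$WORKDIR/rejected_TLS_file" || echo "rejected, as required"
```

Run filter_ciphers and filter_tls on the real default-ciphers-file and default-TLS-file in the ssl directory to produce new_ciphers_file and new_TLS_file, then review the results before distributing them. The refusal in filter_tls is deliberate: a list without TLSv1.2 must never leave the workstation, since the product requires it. After step 29, probe_tls against the main server's TLS port (the port is site specific and not given here) confirms that TLSv1.0 and TLSv1.1 are no longer negotiated.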
Distribute files to system components
13. If the NFM-P system is redundant, distribute the new cipher and TLS files (new_ciphers_file and new_TLS_file) to the standby main server station.
14. If the system includes one or more auxiliary servers, distribute the new cipher and TLS files to each auxiliary server station.
15. Distribute the new cipher and TLS files to each main database station.
Stop NFM-P system
16. Close the open client sessions.
17. If the NFM-P system is redundant, stop the standby main server.
18. If the system includes one or more auxiliary servers, stop each auxiliary server.
19. Stop the standalone or primary main server.
20. If the NFM-P system is redundant, stop the standby database proxy.
21. Stop the standalone or primary database proxy.
Apply new cipher and TLS lists
22. Perform the following steps on each main database station to apply the new cipher and TLS configuration.
23. Perform the following steps on each main server station to apply the new cipher and TLS configuration.
24. If the system includes one or more auxiliary servers, perform the following steps on each auxiliary server station to apply the new cipher and TLS configuration.
Start NFM-P system
25. Start the standalone or primary database proxy. As the root user on the database station, enter the following:
    # systemctl start nfmp-oracle-proxy.service ↵
    The database proxy starts.
26. If the NFM-P system is redundant, start the standby database proxy. As the root user on the standby database station, enter the following:
    # systemctl start nfmp-oracle-proxy.service ↵
    The database proxy starts.
27. Start the standalone or primary main server. As the nsp user on the main server station, enter the following:
    bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash start ↵
    The main server starts.
28. If the NFM-P system is redundant, start the standby main server. As the nsp user on the standby main server station, enter the following:
    bash$ /opt/nsp/nfmp/server/nms/bin/nmsserver.bash start ↵
    The main server starts.
29. If the system includes one or more auxiliary servers, start each auxiliary server. As the nsp user on the auxiliary server station, enter the following:
    bash$ /opt/nsp/nfmp/auxserver/nms/bin/auxnmsserver.bash auxstart ↵
    The auxiliary server starts.
30. Close the open console windows.
End of steps