With the recent POODLE vulnerability, server operators must now (finally) disable SSL version 3.0 and move up to TLS 1.0 at the minimum, if not TLS 1.2.
UPDATE: Many thanks to Courtney Llamas who provided me with a link to the section of the documentation that describes the right way to do this. If you want to disable SSLv3 in EM12c, follow the instructions in section 22.214.171.124 of chapter 2 of the Oracle Enterprise Manager Cloud Control Security Guide. You will need to re-secure your OMS during the process and this will require that you have access to the SYSMAN password and an agent registration password. I can confirm that the steps in this document work and do disable SSLv3. Make sure you follow the steps in the document to secure the management agents, too.
[EDIT: 20150312: Please note that you MUST install the 126.96.36.199.6 Agent bundle patch 20423395 to allow the agent-side “allowTLSOnly” property to function correctly. If you do not install this patch on your 188.8.131.52 agent, the agent will continue to permit SSLv3 connections.]
What follows demonstrates what happens when someone with a little too much information doesn’t read through the documentation. Don’t do what I did. Do it the right way, as described above.
I do not wish to wait for Oracle to provide a procedure to disable SSL version 3.0 in Oracle Enterprise Manager 12c, so I have come up with this process. This will apply to Oracle Enterprise Manager 12c, PS3, PSU1 (aka 184.108.40.206.1, aka EM12c R4). This process may work on older versions.
IMPORTANT DISCLAIMER: Oracle Support has not blessed this process and should provide an official method of fixing this issue soon. You take all responsibility for any issues you encounter by following these instructions. Of course, you also take the responsibility for operating your EM12c system in a way by which your encrypted connections can be trivially hacked, so make a decision appropriate to your environment. I recommend you do NOT follow these steps and instead raise a priority Sev-1 service request with Oracle demanding an immediate, supported fix, but for those in a situation requiring an immediate response, I offer this post.
Do I have SSL v3 enabled now?
If you have not made a specific effort to disable it or applied a future patchset in which Oracle disables the functionality, you have SSL v3 enabled.
How do I test for SSL v3 in EM12c?
How can you test and how can you validate that you have disabled it once complete? I advise that you open up a copy of the Firefox browser, and go to the about:config page. In about:config, search for “security.tls.version”. You can (as of the date I wrote this post) force Firefox to use only SSLv3 by setting both security.tls.version.min and security.tls.version.max to the value 0. The image below shows a secure setting of 1, and 3 (for TLS 1.0 and TLS 1.2 respectively).
Double-click on each of the top two lines and change the setting to 0. The screen should now look like the image below.
Make sure you change this setting back once you have finished testing or you have created a huge security risk for this browser. See my previous post on Firefox security for more information.
Now that you have forced Firefox to use only SSLv3, navigate to your Oracle Enterprise Manager login screen. If the page loads and you see a login prompt like below, your EM12c installation allows insecure SSLv3 connections.
After disabling SSLv3 you should return to this section, repeat these steps, and make sure that you get an error page instead of the login screen.
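For the same check without touching browser settings, the added script below (not from the original post) sends a raw SSLv3-only ClientHello to the EM console's HTTPS port and classifies the first record the server returns. Host and port are arguments you supply; the cipher-suite list is a constructed set of common SSLv3-era suites, and a server that closes the connection or answers with an Alert is reported as refusing SSLv3.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Cipher suites to offer in the probe (constructed list of common SSLv3-era suites).
CIPHER_SUITES = [0x0004, 0x0005, 0x000a, 0x002f, 0x0033, 0x0035, 0x0039]


def build_sslv3_client_hello() -> bytes:
    """Build a raw record-layer ClientHello that offers SSLv3 (0x0300) only."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + os.urandom(32)            # client_version, random
            + b"\x00"                          # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record the server sent back to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "refused"            # socket closed or reset with no record at all
    rec_type, rec_ver = data[0], data[1:3]
    if rec_type == 0x15:            # Alert (e.g. protocol_version / handshake_failure)
        return "refused"
    if (rec_type == 0x16 and rec_ver == SSLV3 and len(data) >= 11
            and data[5] == 0x02 and data[9:11] == SSLV3):
        return "sslv3_accepted"     # ServerHello agreeing on version 3.0
    return "unknown"


def probe_sslv3(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port (the EM console HTTPS port) and report the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1], int(sys.argv[2])))
```

Run it before and after the configuration change; the verdict should move from sslv3_accepted to refused.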
Disabling SSLv3 in EM12c Oracle HTTP Server
As an aside, MOS note 1935500.1 appears to provide the master note for details about mitigating the POODLE attack in Oracle products. In this instance, we specifically care about disabling SSLv3 in the Oracle HTTP Server (OHS) used by Oracle Enterprise Manager, and the documentation to make this change is available to the public in the Oracle HTTP Server documentation.
Specifically, you need to modify the SSLProtocol declaration in four different configuration files:
$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/httpd_em.conf
$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/ssl.conf
$MW_HOME/Oracle_WT/ohs/conf/ssl.conf
$OMS_HOME/sysman/config/httpd_em.conf.template
In the first three files, find the line that looks like:
SSLProtocol all -SSLv2
Change this line to:
SSLProtocol all -SSLv2 -SSLv3
In the last file, find the line that looks like:
Change this line to:
SSLProtocol all -SSLv2 -SSLv3
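The edit above is simple but easy to get wrong across four files, so here is an added helper (my example, not Oracle's tooling) that evaluates an SSLProtocol argument list the way Apache-style mod_ssl does (left to right: all, +X, -X, X), reports whether SSLv3 is still permitted, and appends -SSLv3 only where needed so it is safe to run twice. The set of protocols that "all" expands to is an assumption, and the sample config excerpt is constructed.

```python
import re
from pathlib import Path

# Matches an SSLProtocol directive; group 1 is indent+keyword, group 2 the arguments.
SSLPROTOCOL_RE = re.compile(r"^([ \t]*SSLProtocol[ \t]+)(.*?)[ \t]*$",
                            re.IGNORECASE | re.MULTILINE)
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # assumed meaning of "all"


def sslv3_allowed(args: str) -> bool:
    """Evaluate the argument list left to right, Apache-style: all / +X / -X / X."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        if name == "all":
            enabled = set() if tok.startswith("-") else set(ALL_PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return "sslv3" in enabled


def harden(config_text: str) -> tuple:
    """Append -SSLv3 to every SSLProtocol line that still allows it; idempotent."""
    changed = 0

    def fix(m):
        nonlocal changed
        if not sslv3_allowed(m.group(2)):
            return m.group(0)
        changed += 1
        return m.group(1) + m.group(2) + " -SSLv3"

    return SSLPROTOCOL_RE.sub(fix, config_text), changed


def harden_file(path: str, dry_run: bool = True) -> int:
    """Rewrite one OHS config file in place (unless dry_run) and return lines changed."""
    p = Path(path)
    original = p.read_text()
    new_text, changed = harden(original)
    if changed and not dry_run:
        p.with_suffix(p.suffix + ".pre-sslv3").write_text(original)  # keep a backup
        p.write_text(new_text)
    return changed


# Constructed excerpt resembling the SSLProtocol line found in ssl.conf / httpd_em.conf.
SAMPLE_SSL_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""
```

Call harden_file on each of the four paths with dry_run=True first to see how many lines would change, then with dry_run=False to apply; note that a directive such as "-SSLv3 all" still ends with SSLv3 enabled because order matters.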
Then bounce your entire EM12c stack and return to the test procedure at the top of this post: force Firefox to SSLv3 and connect to Oracle Enterprise Manager. You should now see an error like the following:
Success! Now revert those Firefox security.tls.version.min and security.tls.version.max settings back to 1 and 3 respectively, and return to EM12c and you should see the login page again.
Congratulations, you’ve just turned off SSLv3 in EM12c. Please save these steps so that you can revert them back to the out-of-the-box behavior if requested to do so by Oracle or when they provide an official fix. I hope to update this post in the future with similar instructions for the Weblogic admin console but I really hope Oracle Support beats me to it.