OMS Server SSL/TLS Configuration
Overview
The OMS server supports Secure Socket Layer / Transport Layer Security (SSL/TLS). SSL/TLS provides for data privacy and integrity as well as OMS server authentication by the OMS clients. Whether SSL/TLS is used for network communications is determined by the OMS client configuration.
The OMS server supports both SSL/TLS encryption and authentication.
OMS Client to OMS Server SSL/TLS Encryption
There are two types of OMS clients:
- Universal Agent UAG component
- Universal Controller
Each can be configured separately to support SSL/TLS encryption.
UAG to OMS SSL Configuration
It is recommended that the following configuration options are reviewed and adjusted to suit your security requirements.
UAG Server (OMS Client) Configuration: uags.conf
Option | Keyword | Values | Description |
|---|---|---|---|
ENABLE_SSL | N/A | YES | Prior to Universal Agent 7.0.0.0, ENABLE_SSL was a configurable value that allowed the SSL/TLS protocol to be disabled for network communication between UAG and OMS. Starting with Universal Agent 7.0.0.0, the ability to configure this option was removed and SSL/TLS is always used for UAG/OMS communication. |
min_ssl_protocol | TLS1_0 or TLS1_2, | Specifies the minimum SSL/TLS protocol level that will be negotiated and used. This also can be set in the OMS server configuration; both the OMS server and OMS clients must contain at least one common protocol in order to successfully communicate. You should be aware that older versions may not support TLS1_2. | |
ssl_cipher_list | Specifies one or more acceptable cipher suites to use for network communication. You should review this list and adjust it in order to enforce the level of encryption to suit your security policy requirements. This also can be set in the OMS server configuration; both the OMS server and OMS clients must contain at least one common cipher suite in order to successfully communicate. You should be aware that different versions may not support all of the same cipher suites. |
Universal Controller (OMS Client) Configuration
By default, Universal Controller uses the default SSL/TLS context; check with your server administrator for information on how your environment is configured.
Universal Controller Configuration: opswise.properties
Property | Desscription |
|---|---|
Comma-separated list of SSL/TLS protocols that can be negotiated and used. This also can be set in the OMS server configuration; both the OMS server and OMS clients must contain at least one common protocol in order to successfully communicate. You should be aware that older versions may not support TLS1_2. |
OMS Server Configuration
OMS Server Configuration: oms.conf
Option | Keyword | Values | Description |
|---|---|---|---|
min_ssl_protocol | TLS1_0 or TLS1_2, | Specifies the minimum SSL/TLS protocol level that will be negotiated and used. This also can be set in the UAGS server configuration; both the OMS server and OMS clients must contain at least one common protocol in order to successfully communicate. You should be aware that older versions may not support TLS1_2. | |
ssl_cipher_list | Specifies one or more acceptable cipher suites to use for network communication. You should review this list and adjust it in order to enforce the level of encryption to suit your security policy requirements. This also can be set in the UAGS server configuration; both the OMS server and OMS clients must contain at least one common cipher suite in order to successfully communicate. You should be aware that different versions may not support all of the same cipher suites. |
OMS Server Authentication
Each OMS client can request to authenticate the OMS server. If this option, is configured the OMS client will validate the OMS server certificate to ensure that the OMS server host is valid. This is done by validating the OMS host or IP address in the OMS client's OMS server definition with the Common Name (CN) of the OMS server certificate. The OMS server inherits its certificate from its Universal Broker.
OMS Server Certificate Configuration: ubroker.conf
Option | Keyword | Description |
|---|---|---|
certificate | Specifies the location of the file that contains the PEM-formatted X.509 certificate. | |
private_key | Specifies the location of the PEM-formatted file that contains the RSA private key associated with OMS Server's UBROKER X.509 certificate. | |
private_key_password | If the RSA private key requires a password or passphrase; specifies that password or passphrase. |
UAG (OMS Client) Configuration: uags.conf
Option | Keyword | Values | Description |
|---|---|---|---|
ssl_server_auth | YES or NO, | Specifies whether or not UAG authenticates the OMS server certificate as part of the SSL handshake. |
Controller (OMS Client) Configuration
The Controller specifies whether or not to authenticate the OMS server certificate as part of the SSL/TLS handshake, based on whether the /wiki/spaces/UC71x/pages/5177479 field is checked in the OMS Server Details for that OMS server in the Controller user interface.
OMS Client Authentication
The OMS server can decide from which TCP/IP addresses OMS clients are permitted to establish a TCP/IP connection with the OMS server.
OMS Server UACL Configuration: uacl.conf
UACL Entry | Keyword | Values | Description |
|---|---|---|---|
oms_access | HOST,{allow|deny} | Controls from which TCP/IP addresses clients are permitted to establish a TCP/IP connection with the OMS server. |