OMS Server SSL/TLS Configuration

Overview

The OMS server supports Secure Socket Layer / Transport Layer Security (SSL/TLS). SSL/TLS provides data privacy and integrity, and also lets OMS clients authenticate the OMS server. Whether SSL/TLS is used for network communication is determined by the OMS client configuration.

The OMS server supports both SSL/TLS encryption and authentication.

OMS Client to OMS Server SSL/TLS Encryption

There are two types of OMS clients:

  • Universal Agent UAG component
  • Universal Controller

Each can be configured separately to support SSL/TLS encryption.

UAG to OMS SSL Configuration

It is recommended that the following configuration options be reviewed and adjusted to suit your security requirements.

UAG Server (OMS Client) Configuration: uags.conf

ENABLE_SSL
  Keyword: N/A
  Values: YES
  Description: Prior to Universal Agent 7.0.0.0, ENABLE_SSL was a configurable value that allowed the SSL/TLS protocol to be disabled for network communication between UAG and OMS. Starting with Universal Agent 7.0.0.0, the ability to configure this option was removed and SSL/TLS is always used for UAG/OMS communication.

MIN_SSL_PROTOCOL
  Keyword: min_ssl_protocol
  Values: TLS1_0 or TLS1_2 (default = TLS1_2)
  Description: Specifies the minimum SSL/TLS protocol level that will be negotiated and used. This can also be set in the OMS server configuration; the OMS server and the OMS clients must have at least one protocol in common in order to communicate. Be aware that older versions may not support TLS1_2.

SSL_CIPHER_LIST
  Keyword: ssl_cipher_list
  Values: list of cipher suites
  Description: Specifies one or more acceptable cipher suites to use for network communication. Review this list and adjust it to enforce the level of encryption your security policy requires. This can also be set in the OMS server configuration; the OMS server and the OMS clients must have at least one cipher suite in common in order to communicate. Be aware that different versions may not support all of the same cipher suites.

Universal Controller (OMS Client) Configuration

By default, Universal Controller uses the default SSL/TLS context; check with your server administrator for information on how your environment is configured.

Universal Controller Configuration: opswise.properties

uc.trustmanager.ssl.protocols
  Description: Comma-separated list of SSL/TLS protocols that can be negotiated and used. The minimum protocol can also be set in the OMS server configuration; the OMS server and the OMS clients must have at least one protocol in common in order to communicate. Be aware that older versions may not support TLS1_2.

OMS Server Configuration

OMS Server Configuration: oms.conf

MIN_SSL_PROTOCOL
  Keyword: min_ssl_protocol
  Values: TLS1_0 or TLS1_2 (default = TLS1_2)
  Description: Specifies the minimum SSL/TLS protocol level that will be negotiated and used. This can also be set in the UAG Server configuration (uags.conf); the OMS server and the OMS clients must have at least one protocol in common in order to communicate. Be aware that older versions may not support TLS1_2.

SSL_CIPHER_LIST
  Keyword: ssl_cipher_list
  Values: list of cipher suites
  Description: Specifies one or more acceptable cipher suites to use for network communication. Review this list and adjust it to enforce the level of encryption your security policy requires. This can also be set in the UAG Server configuration (uags.conf); the OMS server and the OMS clients must have at least one cipher suite in common in order to communicate. Be aware that different versions may not support all of the same cipher suites.
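The compatibility rule repeated in the UAG, Controller and OMS server tables above (at least one protocol and one cipher suite in common, or the two sides cannot communicate) is easy to check offline before a change is rolled out. The script below is an added example and not Stonebranch code. It assumes that uags.conf and oms.conf use a "keyword value" syntax with "#" comments and opswise.properties a "key=value" syntax, that a side whose min_ssl_protocol is X offers X and every higher level (TLS1_1 is not modeled because the page lists only TLS1_0 and TLS1_2), that Controller protocol names such as TLSv1.2 map onto the page's TLS1_2 spelling, and that cipher lists are ":" or "," separated. All configuration fragments in it are constructed samples.

```python
# Added example, not Stonebranch code: confirm that an OMS client and the OMS
# server share at least one SSL/TLS protocol and one cipher suite.
# Assumed (not stated on the page): 'keyword value' syntax for uags.conf and
# oms.conf, 'key=value' for opswise.properties, min_ssl_protocol X offers X and
# every higher level on PROTOCOL_LADDER, Controller names like TLSv1.2 are
# normalized to TLS1_2, cipher lists split on ':' or ','.
import re

PROTOCOL_LADDER = ["TLS1_0", "TLS1_2"]  # lowest to highest, the values the page lists
DEFAULT_MIN_PROTOCOL = "TLS1_2"         # documented default for min_ssl_protocol


def parse_conf(text):
    """Assumed 'keyword value' syntax -> dict with lower-cased keys."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_properties(text):
    """Assumed 'key=value' syntax (opswise.properties) -> dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def normalize_protocol(name):
    """TLSv1.2 / TLS1.2 / TLS1_2 -> TLS1_2; TLSv1 -> TLS1_0 (assumed naming)."""
    m = re.fullmatch(r"TLS[vV]?(\d)(?:[._](\d))?", name.strip())
    if not m:
        raise ValueError(f"unrecognized protocol name: {name!r}")
    return f"TLS{m.group(1)}_{m.group(2) or '0'}"


def protocols_from_minimum(min_protocol):
    """Every ladder level at or above the configured minimum."""
    level = normalize_protocol(min_protocol)
    if level not in PROTOCOL_LADDER:
        raise ValueError(f"unsupported min_ssl_protocol: {min_protocol}")
    return set(PROTOCOL_LADDER[PROTOCOL_LADDER.index(level):])


def agent_offer(conf):
    """(protocols, ciphers) for a uags.conf or oms.conf side. ciphers is None when
    ssl_cipher_list is absent and the product default (not modeled here) applies."""
    protocols = protocols_from_minimum(conf.get("min_ssl_protocol", DEFAULT_MIN_PROTOCOL))
    ciphers = None
    if "ssl_cipher_list" in conf:
        raw = conf["ssl_cipher_list"].replace(",", ":")
        ciphers = [c.strip() for c in raw.split(":") if c.strip()]
    return protocols, ciphers


def controller_offer(props):
    """Protocols from uc.trustmanager.ssl.protocols; the Controller's cipher policy
    comes from its Java SSL context and is not modeled here."""
    value = props.get("uc.trustmanager.ssl.protocols", "")
    return {normalize_protocol(p) for p in value.split(",") if p.strip()}, None


def check_compatibility(client, server):
    """Intersect both offers and list the findings a reviewer cares about."""
    client_protocols, client_ciphers = client
    server_protocols, server_ciphers = server
    findings = []
    common_protocols = client_protocols & server_protocols
    if not common_protocols:
        findings.append("NO_COMMON_PROTOCOL")       # handshake cannot succeed
    if client_ciphers is None or server_ciphers is None:
        common_ciphers = None
        findings.append("CIPHER_LIST_NOT_CHECKED")  # a product default is in play
    else:
        common_ciphers = [c for c in client_ciphers if c in server_ciphers]  # client order
        if not common_ciphers:
            findings.append("NO_COMMON_CIPHER")     # handshake cannot succeed
    if "TLS1_0" in common_protocols:
        findings.append("TLS1_0_NEGOTIABLE")        # both sides lowered the TLS1_2 default
    return {"common_protocols": sorted(common_protocols),
            "common_ciphers": common_ciphers, "findings": findings}


# Constructed sample fragments, not taken from any real installation.
UAGS_CONF = "min_ssl_protocol TLS1_0\nssl_cipher_list ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA\n"
OMS_CONF = ("min_ssl_protocol TLS1_2\n"
            "ssl_cipher_list ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n")
OMS_CONF_LEGACY = "min_ssl_protocol TLS1_0\nssl_cipher_list DES-CBC3-SHA\n"
OPSWISE_PROPERTIES = "uc.trustmanager.ssl.protocols=TLSv1.2\n"


def run_samples():
    """The three comparisons, keyed by name, so a caller can inspect them."""
    uag = agent_offer(parse_conf(UAGS_CONF))
    controller = controller_offer(parse_properties(OPSWISE_PROPERTIES))
    oms = agent_offer(parse_conf(OMS_CONF))
    legacy = agent_offer(parse_conf(OMS_CONF_LEGACY))
    return {"uag_vs_oms": check_compatibility(uag, oms),
            "uag_vs_legacy_oms": check_compatibility(uag, legacy),
            "controller_vs_oms": check_compatibility(controller, oms)}
```

Feed it the real file contents in place of the constructed strings. An empty findings list for a client/server pair is the goal; NO_COMMON_PROTOCOL or NO_COMMON_CIPHER means the pair will not connect at all, and TLS1_0_NEGOTIABLE means both sides have lowered the documented TLS1_2 default, which is the setting to review against your security policy.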


OMS Server Authentication

Each OMS client can be configured to authenticate the OMS server. If this option is configured, the OMS client validates the OMS server certificate to ensure that the OMS server host is the expected one. This is done by comparing the OMS server host name or IP address in the OMS client's OMS server definition with the Common Name (CN) of the OMS server certificate. The OMS server inherits its certificate from its Universal Broker.

OMS Server Certificate Configuration: ubroker.conf

CERTIFICATE
  Keyword: certificate
  Description: Specifies the location of the file that contains the PEM-formatted X.509 certificate.

PRIVATE_KEY
  Keyword: private_key
  Description: Specifies the location of the PEM-formatted file that contains the RSA private key associated with the Universal Broker X.509 certificate used by the OMS server.

PRIVATE_KEY_PWD
  Keyword: private_key_password
  Description: Specifies the password or passphrase for the RSA private key, if the key requires one.
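Before any OMS client is switched to authenticating the server, it is worth confirming that the three ubroker.conf settings above agree with the files they point to: a certificate that is not PEM X.509, an encrypted key with no PRIVATE_KEY_PWD, or a PRIVATE_KEY_PWD set for a key that is not encrypted all stop the broker from presenting a usable certificate. The script below is an added example and not Stonebranch code. It assumes the "keyword value" syntax for ubroker.conf, judges the PEM files by their headers only (no certificate parsing), and uses constructed placeholder paths and file contents.

```python
# Added example, not Stonebranch code: sanity-check the CERTIFICATE, PRIVATE_KEY
# and PRIVATE_KEY_PWD settings of ubroker.conf against the PEM files they name.
# Assumed: 'keyword value' syntax with '#' comments; PEM files are judged by
# their headers only, so nothing here parses or validates the certificate.

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----",        # traditional PKCS#1
               "-----BEGIN PRIVATE KEY-----",            # PKCS#8, unencrypted
               "-----BEGIN ENCRYPTED PRIVATE KEY-----")  # PKCS#8, encrypted
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----",
                     "Proc-Type: 4,ENCRYPTED")           # traditional PEM encryption header


def parse_conf(text):
    """Assumed 'keyword value' syntax -> dict with lower-cased keys."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def key_is_encrypted(key_pem):
    return any(marker in key_pem for marker in ENCRYPTED_MARKERS)


def check_broker_tls(conf, read_file):
    """Return a list of findings; an empty list means the settings are consistent.
    read_file(path) -> str is injected so the same check runs against real files
    (read_real below) or the in-memory samples (read_sample)."""
    findings = []
    cert_path = conf.get("certificate")
    key_path = conf.get("private_key")
    password = conf.get("private_key_password")
    if not cert_path:
        findings.append("CERTIFICATE_NOT_SET")
    if not key_path:
        findings.append("PRIVATE_KEY_NOT_SET")
    if findings:
        return findings
    try:
        cert_pem, key_pem = read_file(cert_path), read_file(key_path)
    except FileNotFoundError as exc:
        return [f"FILE_MISSING:{exc.filename}"]
    if CERT_HEADER not in cert_pem:
        findings.append("CERTIFICATE_NOT_PEM_X509")
    if not any(header in key_pem for header in KEY_HEADERS):
        findings.append("PRIVATE_KEY_NOT_PEM")
    encrypted = key_is_encrypted(key_pem)
    if encrypted and not password:
        findings.append("KEY_ENCRYPTED_BUT_NO_PRIVATE_KEY_PWD")    # broker cannot unlock the key
    if password and not encrypted:
        findings.append("PRIVATE_KEY_PWD_SET_BUT_KEY_UNENCRYPTED")  # password is dead configuration
    return findings


def read_real(path):
    """Reader for an actual installation."""
    with open(path) as fh:
        return fh.read()


# Constructed in-memory files; the PEM bodies are placeholders, not real key material.
SAMPLE_FILES = {
    "/path/to/ubroker/cert.pem":
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "/path/to/ubroker/key-encrypted.pem":
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "/path/to/ubroker/key-plain.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
}


def read_sample(path):
    """Reader over the constructed files; raises like open() does for a missing path."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(2, "no such file", path)
    return SAMPLE_FILES[path]


# Constructed ubroker.conf fragments covering the consistent case and three mistakes.
SAMPLE_CONFS = {
    "consistent": ("certificate /path/to/ubroker/cert.pem\n"
                   "private_key /path/to/ubroker/key-encrypted.pem\n"
                   "private_key_password constructed-passphrase\n"),
    "no_password": ("certificate /path/to/ubroker/cert.pem\n"
                    "private_key /path/to/ubroker/key-encrypted.pem\n"),
    "dead_password": ("certificate /path/to/ubroker/cert.pem\n"
                      "private_key /path/to/ubroker/key-plain.pem\n"
                      "private_key_password constructed-passphrase\n"),
    "missing_file": ("certificate /path/to/ubroker/missing.pem\n"
                     "private_key /path/to/ubroker/key-encrypted.pem\n"),
}


def run_samples():
    """Findings for each constructed fragment, keyed by name."""
    return {name: check_broker_tls(parse_conf(text), read_sample)
            for name, text in SAMPLE_CONFS.items()}
```

For a real broker, call check_broker_tls(parse_conf(read_real("ubroker.conf")), read_real). The check deliberately stops at the file headers; it does not compare the certificate's CN with the host name or IP address in each client's OMS server definition, which needs a certificate parser and is the comparison the clients themselves perform once SSL_SERVER_AUTH is enabled.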

UAG (OMS Client) Configuration: uags.conf

SSL_SERVER_AUTH
  Keyword: ssl_server_auth
  Values: YES or NO (default = NO)
  Description: Specifies whether UAG authenticates the OMS server certificate as part of the SSL/TLS handshake.

Controller (OMS Client) Configuration

The Controller decides whether to authenticate the OMS server certificate as part of the SSL/TLS handshake based on whether the field documented at /wiki/spaces/UC71x/pages/5177479 is checked in the OMS Server Details for that OMS server in the Controller user interface.

OMS Client Authentication

The OMS server can restrict the TCP/IP addresses from which OMS clients are permitted to establish a TCP/IP connection to it.

OMS Server UACL Configuration: uacl.conf

OMS_ACCESS
  Keyword: oms_access
  Values: HOST,{allow|deny}
  Description: Controls from which TCP/IP addresses clients are permitted to establish a TCP/IP connection with the OMS server.