Overview

The OMS server supports Secure Socket Layer / Transport Layer Security (SSL/TLS). SSL/TLS provides for data privacy and integrity as well as OMS server authentication by the OMS clients. Whether SSL/TLS is used for network communications is determined by the OMS client configuration.

The OMS server supports both SSL/TLS encryption and authentication.

OMS Client to OMS Server SSL/TLS Encryption

There are two types of OMS clients:

Universal Agent UAG component
Universal Controller

Each can be configured separately to support SSL/TLS encryption.

UAG to OMS SSL Configuration

It is recommended that the following configuration options are reviewed and adjusted to suit your security requirements.

UAG Server (OMS Client) Configuration: uags.conf

Option

Keyword

Values

Description

ENABLE_SSL

N/A

YES

Prior to Universal Agent 7.0.0.0, ENABLE_SSL was a configurable value that allowed the SSL/TLS protocol to be disabled for network communication between UAG and OMS.

Starting with Universal Agent 7.0.0.0, the ability to configure this option was removed and SSL/TLS is always used for UAG/OMS communication.

MIN_SSL_PROTOCOL

min_ssl_protocol

TLS1_0 or TLS1_2,
(default = TLS1_2)

Specifies the minimum SSL/TLS protocol level that will be negotiated and used. This also can be set in the OMS server configuration; both the OMS server and OMS clients must contain at least one common protocol in order to successfully communicate. You should be aware that older versions may not support TLS1_2.

SSL_CIPHER_LIST

ssl_cipher_list

list of cipher suites

Specifies one or more acceptable cipher suites to use for network communication. You should review this list and adjust it in order to enforce the level of encryption to suit your security policy requirements. This also can be set in the OMS server configuration; both the OMS server and OMS clients must contain at least one common cipher suite in order to successfully communicate. You should be aware that different versions may not support all of the same cipher suites.

Universal Controller (OMS Client) Configuration

By default, Universal Controller uses the default SSL/TLS context; check with your server administrator for information on how your environment is configured.

Universal Controller Configuration: opswise.properties

Property	Desscription
uc.trustmanager.ssl.protocols	Comma-separated list of SSL/TLS protocols that can be negotiated and used. This also can be set in the OMS server configuration; both the OMS server and OMS clients must contain at least one common protocol in order to successfully communicate. You should be aware that older versions may not support TLS1_2.

OMS Server Configuration

OMS Server Configuration: oms.conf

Option	Keyword	Values	Description
MIN_SSL_PROTOCOL	min_ssl_protocol	TLS1_0 or TLS1_2, (default = TLS1_2)	Specifies the minimum SSL/TLS protocol level that will be negotiated and used. This also can be set in the UAGS server configuration; both the OMS server and OMS clients must contain at least one common protocol in order to successfully communicate. You should be aware that older versions may not support TLS1_2.
SSL_CIPHER_LIST	ssl_cipher_list	list of cipher suites	Specifies one or more acceptable cipher suites to use for network communication. You should review this list and adjust it in order to enforce the level of encryption to suit your security policy requirements. This also can be set in the UAGS server configuration; both the OMS server and OMS clients must contain at least one common cipher suite in order to successfully communicate. You should be aware that different versions may not support all of the same cipher suites.

OMS Server Authentication

Each OMS client can request to authenticate the OMS server. If this option, is configured the OMS client will validate the OMS server certificate to ensure that the OMS server host is valid. This is done by validating the OMS host or IP address in the OMS client's OMS server definition with the Common Name (CN) of the OMS server certificate. The OMS server inherits its certificate from its Universal Broker.

OMS Server Certificate Configuration: ubroker.conf

Option	Keyword	Description
CERTIFICATE	certificate	Specifies the location of the file that contains the PEM-formatted X.509 certificate.
PRIVATE_KEY	private_key	Specifies the location of the PEM-formatted file that contains the RSA private key associated with OMS Server's UBROKER X.509 certificate.
PRIVATE_KEY_PWD	private_key_password	If the RSA private key requires a password or passphrase; specifies that password or passphrase.

UAG (OMS Client) Configuration: uags.conf

Option	Keyword	Values	Description
SSL_SERVER_AUTH	ssl_server_auth	YES or NO, (default = NO)	Specifies whether or not UAG authenticates the OMS server certificate as part of the SSL handshake.

Controller (OMS Client) Configuration

The Controller specifies whether or not to authenticate the OMS server certificate as part of the SSL/TLS handshake, based on whether the /wiki/spaces/UC71x/pages/5177479 field is checked in the OMS Server Details for that OMS server in the Controller user interface.

OMS Client Authentication

The OMS server can decide from which TCP/IP addresses OMS clients are permitted to establish a TCP/IP connection with the OMS server.

OMS Server UACL Configuration: uacl.conf

UACL Entry	Keyword	Values	Description
OMS_ACCESS	oms_access	HOST,{allow\|deny}	Controls from which TCP/IP addresses clients are permitted to establish a TCP/IP connection with the OMS server.

Browser not supported