16.7 Configuring SSL and SSL Certificates

View and restrict SSL/TLS protocols. Configure Oracle Trace File Analyzer to use self-signed or CA-signed certificates.

16.7.1 Configuring SSL/TLS Protocols

The Oracle Trace File Analyzer daemons in a cluster communicate securely using the SSL/TLS protocols.

The SSL protocols available for use by Oracle Trace File Analyzer are:

  • TLSv1.2

  • TLSv1.1

  • TLSv1

Oracle Trace File Analyzer always restricts use of the older protocols SSLv3 and SSLv2Hello.

To view and restrict protocols:

  1. To view the available and restricted protocols:
    tfactl print protocols
    For example:
    $ tfactl print protocols
    .---------------------------------------.
    |                 node1                 |
    +---------------------------------------+
    | Protocols                             |
    +---------------------------------------+
    | Available : [TLSv1, TLSv1.2, TLSv1.1] |
    | Restricted : [SSLv3, SSLv2Hello]      |
    '---------------------------------------'
    
  2. To restrict the use of certain protocols:
    tfactl restrictprotocol [-force] protocol
    For example:
    $ tfactl restrictprotocol TLSv1
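An added check (not part of the Oracle documentation) that parses the box-style output of `tfactl print protocols` for every node, reports any weak protocol still offered, and emits the matching `tfactl restrictprotocol` commands. Treating TLSv1 and TLSv1.1 as weak is an assumed policy choice; the node2 output is constructed.

```python
import re

# Always restricted per this section (SSLv2Hello, SSLv3) plus TLSv1/TLSv1.1, which we assume policy also bans.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
LIST_RE = re.compile(r"^\|\s*(Available|Restricted)\s*:\s*\[([^\]]*)\]\s*\|$")
NODE_RE = re.compile(r"^\|\s*(\S+)\s*\|$")

# Constructed sample: node1 is the output shown in this section; node2 is constructed, already restricted.
SAMPLE_OUTPUT = """\
.---------------------------------------.
|                 node1                 |
+---------------------------------------+
| Protocols                             |
+---------------------------------------+
| Available : [TLSv1, TLSv1.2, TLSv1.1] |
| Restricted : [SSLv3, SSLv2Hello]      |
'---------------------------------------'
.--------------------------------------------------.
|                      node2                       |
+--------------------------------------------------+
| Protocols                                        |
+--------------------------------------------------+
| Available : [TLSv1.2]                            |
| Restricted : [SSLv3, SSLv2Hello, TLSv1, TLSv1.1] |
'--------------------------------------------------'
"""

def parse_protocols(output):
    """Parse `tfactl print protocols` output into {node: {"Available": [...], "Restricted": [...]}}."""
    nodes, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = LIST_RE.match(line)
        if m and current is not None:
            nodes[current][m.group(1)] = [p.strip() for p in m.group(2).split(",") if p.strip()]
            continue
        m = NODE_RE.match(line)
        if m and m.group(1) != "Protocols":  # a lone word in a box row is the node name
            current = m.group(1)
            nodes.setdefault(current, {"Available": [], "Restricted": []})
    return nodes

def weak_protocols_enabled(parsed):
    """{node: sorted weak protocols still offered}, omitting nodes that are clean."""
    return {node: sorted(WEAK_PROTOCOLS & set(lists["Available"]))
            for node, lists in parsed.items() if WEAK_PROTOCOLS & set(lists["Available"])}

def restrict_commands(report):
    """The `tfactl restrictprotocol` commands from this section for every weak protocol still offered."""
    return [f"tfactl restrictprotocol {p}" for p in sorted({p for ps in report.values() for p in ps})]
```

Run `tfactl print protocols` on each node and feed the captured text to `parse_protocols`; re-run the check after restricting to confirm the Available list no longer contains the weak versions.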

16.7.2 Configuring Self-Signed Certificates

Use Java keytool to replace self-signed SSL certificates with personal self-signed certificates.

To configure Oracle Trace File Analyzer to use self-signed certificates:

  1. Create a private key and keystore file containing the self-signed certificate for the server:
    $ keytool -genkey -alias server_full -keyalg RSA -keysize 2048 -validity 18263 -keystore myserver.jks
  2. Create a private key and keystore file containing the private key and self-signed certificate for the client:
    $ keytool -genkey -alias client_full -keyalg RSA -keysize 2048 -validity 18263 -keystore myclient.jks
  3. Export the server public key certificate from the server keystore:
    $ keytool -export -alias server_full -file myserver_pub.crt -keystore myserver.jks -storepass password
  4. Export the client public key certificate from the client keystore:
    $ keytool -export -alias client_full -file myclient_pub.crt -keystore myclient.jks -storepass password
  5. Import the server public key certificate into the client keystore:
    $ keytool -import -alias server_pub -file myserver_pub.crt -keystore myclient.jks -storepass password
  6. Import the client public key certificate into the server keystore:
    $ keytool -import -alias client_pub -file myclient_pub.crt  -keystore myserver.jks -storepass password
  7. Restrict the permissions on the keystores to root read-only:
    $ chmod 400 myclient.jks myserver.jks
  8. Copy the keystores (jks files) to each node.
  9. Configure Oracle Trace File Analyzer to use the new certificates:
    $ tfactl set sslconfig
  10. Restart the Oracle Trace File Analyzer process to start using new certificates:
    $ tfactl restart

16.7.3 Configuring CA-Signed Certificates

Use Java keytool and openssl to replace self-signed SSL certificates with Certificate Authority (CA)-signed certificates.

To configure Oracle Trace File Analyzer to use CA-signed certificates:

  1. Create a private key for the server request:
    $ openssl genrsa -aes256 -out myserver.key 2048
  2. Create a private key for the client request:
    $ openssl genrsa -aes256 -out myclient.key 2048
  3. Create a Certificate Signing Request (CSR) for the server:
    $ openssl req -key myserver.key -new -sha256 -out myserver.csr
  4. Create a Certificate Signing Request (CSR) for the client:
    $ openssl req -key myclient.key -new -sha256 -out myclient.csr
  5. Send the resulting CSR for the client and the server to the relevant signing authority.

    The signing authority sends back the signed certificates:

    • myserver.cert

    • myclient.cert

    • CA root certificate

  6. Convert the certificates to JKS format for the server and the client:
    $ openssl pkcs12 -export -out serverCert.pkcs12 -in myserver.cert -inkey myserver.key
    $ keytool -v -importkeystore -srckeystore serverCert.pkcs12 -srcstoretype PKCS12 -destkeystore myserver.jks -deststoretype JKS
    $ openssl pkcs12 -export -out clientCert.pkcs12 -in myclient.cert -inkey myclient.key
    $ keytool -v -importkeystore -srckeystore clientCert.pkcs12 -srcstoretype PKCS12 -destkeystore myclient.jks -deststoretype JKS
  7. Import the server public key into the client jks file:
    $ keytool -import -v -alias server-ca -file myserver.cert -keystore myclient.jks
  8. Import the client public key to the server jks file:
    $ keytool -import -v -alias client-ca -file myclient.cert -keystore myserver.jks
  9. Import the CA root certificate from the signing authority into the Oracle Trace File Analyzer server keystore:
    $ keytool -importcert -trustcacerts -alias inter -file caroot.cert -keystore myserver.jks
  10. Restrict the permissions on the keystores to root read-only:
    $ chmod 400 myclient.jks myserver.jks
  11. Copy the keystores (jks files) to each node.
  12. Configure Oracle Trace File Analyzer to use the new certificates:
    $ tfactl set sslconfig
  13. Restart the Oracle Trace File Analyzer process to start using the new certificates:
    $ tfactl stop
    $ tfactl start
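An added verification script (not Oracle's own code) for the keystores built in 16.7.2 and 16.7.3: it checks the `chmod 400`/root-ownership requirement of step 7 (self-signed) and step 10 (CA-signed), and, where `keytool` is installed, confirms via `keytool -list` that each keystore holds the peer's certificate under the alias the procedure used (`server_pub`/`client_pub` for self-signed, `server-ca`/`client-ca` for CA-signed). The placeholder files in `demo_permission_check` are constructed, not real keystores.

```python
import os
import shutil
import stat
import subprocess
import tempfile

def keystore_permission_problems(paths, require_root=True):
    """Step 7 (self-signed) / step 10 (CA-signed): each keystore must be mode 0400 and owned by root."""
    problems = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems[path] = "missing"
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o400:
            problems[path] = f"mode {mode:04o}, expected 0400"
        elif require_root and st.st_uid != 0:
            problems[path] = f"owned by uid {st.st_uid}, expected root"
    return problems

def keystore_aliases(keystore, storepass):
    """Aliases in a keystore via `keytool -list`; None when keytool is not installed."""
    if shutil.which("keytool") is None:
        return None
    out = subprocess.run(["keytool", "-list", "-keystore", keystore, "-storepass", storepass],
                         capture_output=True, text=True, check=True).stdout
    # keytool prints one "<alias>, <date>, PrivateKeyEntry|trustedCertEntry, ..." line per entry
    return [line.split(",")[0].strip() for line in out.splitlines()
            if "PrivateKeyEntry" in line or "trustedCertEntry" in line]

def mutual_trust_ok(server_ks, client_ks, storepass, server_alias, client_alias):
    """Steps 5-6 (self-signed) / 7-8 (CA-signed): each keystore must hold the peer's certificate."""
    server_entries = keystore_aliases(server_ks, storepass)
    client_entries = keystore_aliases(client_ks, storepass)
    if server_entries is None or client_entries is None:
        return None
    return client_alias in server_entries and server_alias in client_entries

def demo_permission_check():
    """Constructed sample: two placeholder files, one locked down correctly and one left world-readable."""
    workdir = tempfile.mkdtemp()
    paths = [os.path.join(workdir, name) for name in ("myserver.jks", "myclient.jks")]
    for path, mode in zip(paths, (0o400, 0o644)):
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real keystore")
        os.chmod(path, mode)
    problems = keystore_permission_problems(paths, require_root=False)
    return {os.path.basename(p): reason for p, reason in problems.items()}
```

Run `keystore_permission_problems(["myserver.jks", "myclient.jks"])` and `mutual_trust_ok("myserver.jks", "myclient.jks", "password", "server_pub", "client_pub")` on every node after step 8 and before `tfactl set sslconfig`; a wrong store password makes `keytool` exit non-zero, which surfaces as `CalledProcessError`.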

16.7.4 Configuring SSL Cipher Suite

The cipher suite is a set of cryptographic algorithms used by the TLS/SSL protocols to create keys and encrypt data.

Oracle Trace File Analyzer supports any of the cipher suites used by JRE 1.8.

The default cipher suite used is TLS_RSA_WITH_AES_128_CBC_SHA256.

  1. You can change the cipher suite with the command:
    tfactl set ciphersuite=cipher_suite
    For example:
    tfactl set ciphersuite=TLS_RSA_WITH_AES_128_GCM_SHA256
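An added helper (not part of the Oracle documentation) that decodes a JSSE/IANA-style suite name into its key exchange, cipher and hash parts and raises the two review points that matter when choosing a value for `tfactl set ciphersuite`: whether the key exchange is ephemeral (forward secrecy) and whether the cipher is AEAD. It is applied to the default suite and the example suite named in this section; whether a given suite is actually offered depends on the JRE.

```python
import re

# IANA/JSSE-style TLS 1.2 suite names: TLS_<key exchange>_WITH_<cipher>_<MAC or PRF hash>.
# TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no key-exchange part and are not parsed here.
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA384|SHA256|SHA|MD5|NULL)$")

DEFAULT_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA256"   # default named in this section
EXAMPLE_SUITE = "TLS_RSA_WITH_AES_128_GCM_SHA256"   # the example this section switches to

def describe_suite(name):
    """Split a suite name into its parts and derive the two properties that matter most in review."""
    m = SUITE_RE.match(name)
    if m is None:
        return None
    kx, cipher, hash_ = m.group("kx"), m.group("cipher"), m.group("hash")
    return {
        "key_exchange": kx,
        "cipher": cipher,
        "hash": hash_,
        # only ephemeral (EC)DH key exchange gives forward secrecy; plain RSA key transport does not
        "forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),
        # GCM/CCM/ChaCha20-Poly1305 are AEAD; CBC suites pair a block cipher with a separate HMAC
        "aead": cipher.endswith(("_GCM", "_CCM", "_CCM_8")) or "POLY1305" in cipher,
    }

def review_suite(name):
    """Review notes for a suite; an empty list means neither concern applies."""
    info = describe_suite(name)
    if info is None:
        return [f"{name}: not a TLS 1.2-style suite name, check it by hand"]
    notes = []
    if not info["forward_secrecy"]:
        notes.append("static key exchange: no forward secrecy")
    if not info["aead"]:
        notes.append("non-AEAD cipher: CBC mode with a separate MAC")
    return notes

if __name__ == "__main__":
    for suite in (DEFAULT_SUITE, EXAMPLE_SUITE, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"):
        print(suite, review_suite(suite) or ["no concerns"])
```

The section's example change from CBC to GCM clears the AEAD note but keeps static RSA key exchange; an ECDHE suite, if the JRE offers it, clears both.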