
Configure Universal CMDB and Configuration Manager to Support Oracle Advanced Security Option (ASO)

This section describes how to configure UCMDB and CM to support Oracle Advanced Security Option (ASO).

Note Because the ASO properties are not set during installation, the additional steps described below are required. When connecting to Oracle ASO, it is recommended to perform the installation first, and then switch the UCMDB server, CM, and database to ASO.

Configure Universal CMDB to Support Oracle Advanced Security Option (ASO)

  1. Add the following lines to the sqlnet.ora file:

    SQLNET.ENCRYPTION_SERVER = required
    SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1)
    SQLNET.CRYPTO_SEED = '23456789'
    SQLNET.CRYPTO_CHECKSUM_SERVER = required
    


  2. On the UCMDB Server, perform the following:

    1. Open the directory <UCMDB_install_dir>\UCMDBServer\conf. Locate the jdbc.properties file and add the following lines:

      For Oracle drivers (the out-of-the-box drivers used by UCMDB Server):

      Oracle=orcl
      orcl.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL=REQUIRED
      orcl.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES=AES256
      orcl.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL=REQUIRED
      orcl.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES=SHA1

      For DataDirect drivers:

      Oracle=ddoracle
      ddoracle.EncryptionTypes=AES256
      ddoracle.EncryptionLevel=required
      ddoracle.DataIntegrityTypes=SHA1
      ddoracle.DataIntegrityLevel=required
      

      Note  

      • If the file does not exist, create an empty jdbc.properties file in the above folder and add the above lines to it.
      • For instructions about how to switch between DataDirect drivers and native Oracle drivers, see Data Push.
    2. Open the directory <UCMDB_install_dir>\UCMDBServer\bin\jre\lib\security. Replace the local_policy.jar and US_export_policy.jar files with the corresponding jar files from the Zulu Cryptography Extension Kit provided by OpenJDK.
    3. Restart the UCMDB Server.

Note If you upgrade UCMDB to version 2018.05, after the upgrade open the <UCMDB_install_dir>\UCMDBServer\bin\jre\lib\security directory and replace the local_policy.jar and US_export_policy.jar files with the corresponding jar files from the Zulu Cryptography Extension Kit provided by OpenJDK.

Caution It is strongly recommended not to perform any downgrade action if the UCMDB is configured to support Oracle ASO.
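
The following check is an added example, not part of the product or its documentation: it compares the sqlnet.ora parameters from step 1 with the jdbc.properties entries from step 2 and reports every value that is missing or deviates from the ones listed above. The function names and the sample input are constructed for illustration, and it assumes one parameter per line in both files.

```python
import re

# Server parameters from step 1, ordered: level, types, level, types.
SERVER_KEYS = ("SQLNET.ENCRYPTION_SERVER", "SQLNET.ENCRYPTION_TYPES_SERVER",
               "SQLNET.CRYPTO_CHECKSUM_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER")
THIN = "CONNECTION_PROPERTY_THIN_NET_"
# Client properties from step 2 per driver prefix, in the same order.
CLIENT_KEYS = {
    "orcl": (THIN + "ENCRYPTION_LEVEL", THIN + "ENCRYPTION_TYPES",
             THIN + "CHECKSUM_LEVEL", THIN + "CHECKSUM_TYPES"),
    "ddoracle": ("EncryptionLevel", "EncryptionTypes",
                 "DataIntegrityLevel", "DataIntegrityTypes"),
}

def parse_kv(text):
    """Parse KEY = VALUE lines; each value becomes a set of upper-cased tokens."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = {v.upper() for v in re.split(r"[\s,()]+", value) if v}
    return out

def check_aso(sqlnet_text, jdbc_text):
    """Return a list of findings; an empty list means both files match the page."""
    server, client = parse_kv(sqlnet_text), parse_kv(jdbc_text)
    prefix = "".join(client.get("Oracle", ())).lower()
    if prefix not in CLIENT_KEYS:
        return [f"jdbc.properties: missing or unknown driver selector Oracle={prefix!r}"]
    findings = []
    for i, (skey, ckey) in enumerate(zip(SERVER_KEYS, CLIENT_KEYS[prefix])):
        ckey = f"{prefix}.{ckey}"
        pairs = [(skey, server.get(skey)), (ckey, client.get(ckey))]
        missing = [f"missing: {n}" for n, v in pairs if v is None]
        if missing:
            findings += missing
        elif i % 2 == 0:  # level settings: the page sets 'required' on both sides
            findings += [f"{n} is not 'required'" for n, v in pairs if v != {"REQUIRED"}]
        elif not pairs[0][1] & pairs[1][1]:  # algorithm lists must overlap
            findings.append(f"no common algorithm: {skey} vs {ckey}")
    return findings

if __name__ == "__main__":
    # Constructed sample: server as in step 1, client with a weakened checksum level.
    sqlnet = ("SQLNET.ENCRYPTION_SERVER = required\nSQLNET.ENCRYPTION_TYPES_SERVER= (AES256)\n"
              "SQLNET.CRYPTO_CHECKSUM_SERVER = required\nSQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1)")
    jdbc = ("Oracle=ddoracle\nddoracle.EncryptionTypes=AES256\nddoracle.EncryptionLevel=required\n"
            "ddoracle.DataIntegrityTypes=SHA1\nddoracle.DataIntegrityLevel=accepted")
    print(check_aso(sqlnet, jdbc))
```
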

Enable support for Oracle ASO on Configuration Manager

To enable Oracle ASO support on CM:

  1. Stop Configuration Manager.
  2. Copy the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8 to the java\windows\x86_64\lib\security folder.

    The JCE Unlimited Strength Jurisdiction Policy Files can be downloaded from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html.

  3. Open the datamodelContext.xml file (in the servers\server-0\webapps\cnc\WEB-INF\classes\META-INF\spring folder) using a text editor, and then add the following property tag to the bean with id="dataSource" and class="com.mchange.v2.c3p0.ComboPooledDataSource":

    <property name="properties">
      <props>
        <prop key="EncryptionTypes">AES256</prop>
        <prop key="EncryptionLevel">required</prop>
        <prop key="DataIntegrityTypes">SHA1</prop>
        <prop key="DataIntegrityLevel">required</prop>
      </props>
    </property>
  4. Save the file.
  5. Start Configuration Manager.