Oracle Cloud Infrastructure for government offers best-in-class security technology and operational processes to secure its enterprise cloud services. However, to run your workloads securely, you must be aware of your security and compliance responsibilities. By design, Oracle provides security of the cloud infrastructure and its operations (cloud operator access controls, infrastructure security patching, and so on), and you are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.
For more information about shared responsibilities in the Oracle Cloud, see the following white papers:
As a Government Cloud customer, you must bring your own identity provider that meets your agency's compliance requirements and supports common access card/personal identity verification card (CAC/PIV) authentication. You can federate Oracle Cloud Infrastructure with SAML 2.0-compliant identity providers that also support CAC/PIV authentication. For instructions on setting up a federation, see Federating with Identity Providers.
Remove the Oracle Cloud Infrastructure Default Administrator User and Any Other Non-Federated Users
When your organization signs up for an Oracle account and Identity Domain, Oracle sets up a default administrator for the account. This person will be the first IAM user for your company and will have full administrator access to your tenancy. This user can set up your federation.
After you have successfully set up the federation with your chosen identity provider, you can delete the default administrator user and any other IAM service local users you might have added to assist with setting up your tenancy. Deleting the local, non-federated users ensures that only users in your chosen identity provider can access Oracle Cloud Infrastructure.
To delete the default administrator:
Sign in to the Console through your identity provider.
Open a supported browser and go to the Government Cloud Console URL.
Enter your Cloud Tenant and click Continue.
On the Single Sign-On pane, select your identity provider and click Continue. You will be redirected to your identity provider to sign in.
Enter your user name and password.
Open the navigation menu. Under Governance and Administration, go to Identity and click Users. The list of users is displayed.
On the User Type filter, select only Local Users.
For each local user, go to the Actions icon (three dots) and click Delete.
Using a Common Access Card/Personal Identity Verification Card to Sign in to the Console
After you set up CAC/PIV authentication with your identity provider and successfully federate with Oracle Cloud Infrastructure, you can use your CAC/PIV credentials to sign in to the Oracle Cloud Infrastructure Console. See your identity provider's documentation for the specific details of your implementation.
If prompted, enter your Cloud Tenant name and click Continue.
Select the Single Sign-On provider and click Continue.
On your identity provider's sign-on page, select the appropriate card, for example, PIV Card.
If presented with a certificate picker, choose the appropriate certificate or other attributes set up by your organization.
When prompted, enter the PIN.
IPv6 Support for Virtual Cloud Networks
US Government Cloud customers have the option to enable IPv6 addressing for their VCNs. For more information, see IPv6 Addresses.
Setting Up Secure Access for Compute Hosts
You can set up CAC/PIV authentication using third-party tools to enable multi-factor authentication for securely connecting to your compute hosts. Example tools include PuTTY-CAC for Windows and OpenSC for macOS. For more information, see the U.S. Government website, PIV Usage Guidelines.
Enabling FIPS Mode for Your Operating System
Government Cloud customers are responsible for enabling FIPS mode for the operating systems on their Compute hosts. To make your operating system compliant with Federal Information Processing Standard (FIPS) Publication 140-2, follow the guidelines for your operating system:
The following guidance is for enabling FIPS on CentOS 7.5. These procedures are valid for both VM and bare metal instances, and only in NATIVE mode. They can be modified for Emulated and PV modes as needed. Note that this procedure produces an instance that contains the exact FIPS-validated cryptographic modules except for the kernel. The kernel module has the same major/minor version but a newer revision, so it can be considered compliant under most FIPS compliance models.
After you complete this procedure, Oracle strongly recommends that you do NOT run system-wide yum updates. A system-wide update will remove the FIPS modules installed by this procedure.
Verify that the kernel, the FIPS modules, and the FIPS software are at the minimum versions:
a. Validate that the installed kernel package meets the requirement (current version: kernel-3.10.0-693.el7):
   rpm -qa | grep kernel-3
b. For each required package, run the following and verify that the major/minor version matches the required one:
   yum list <package_name>
   Required packages and versions are:
   fipscheck - fipscheck-1.4.1-6.el7
   hmaccalc - hmaccalc-0.9.13-4.el7
   dracut-fips - dracut-fips-033-502.el7
   dracut-fips-aesni - dracut-fips-aesni-033-502.el7
c. For each required package that is not installed, run:
   yum install <package_name>
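The version check in steps a to c above can be scripted so that a host is compared against the whole baseline at once. This is an added example, not Oracle's own tooling; the installed-package list it uses is constructed sample rpm -qa output, and the comparison deliberately checks only the major/minor version, as the text allows for the kernel revision.

```shell
#!/bin/sh
# Added example (not from Oracle's documentation): compare the packages
# installed on a host against the FIPS baseline listed in the procedure,
# comparing only the major/minor version of each package.
# INSTALLED below is constructed sample "rpm -qa" output; on a real host use:
#   INSTALLED=$(rpm -qa)

REQUIRED="kernel-3.10.0-693.el7
fipscheck-1.4.1-6.el7
hmaccalc-0.9.13-4.el7
dracut-fips-033-502.el7
dracut-fips-aesni-033-502.el7"

# Constructed sample: kernel at a newer revision, dracut-fips-aesni missing.
INSTALLED="kernel-3.10.0-693.21.1.el7.x86_64
fipscheck-1.4.1-6.el7.x86_64
hmaccalc-0.9.13-4.el7.x86_64
dracut-fips-033-502.el7_4.1.x86_64"

# Package name is everything before the first "-<digit>".
name_of() { printf '%s\n' "$1" | sed 's/-[0-9].*$//'; }

# Version is the last "-<digits/dots>-" field; keep its first two components.
majmin_of() {
    printf '%s\n' "$1" | sed 's/^.*-\([0-9][0-9.]*\)-.*$/\1/' | cut -d. -f1,2
}

# Return 0 when every REQUIRED package appears in the list passed as $1 at the
# required major/minor version; otherwise print each problem and return 1.
check_fips_baseline() {
    status=0
    for req in $REQUIRED; do
        name=$(name_of "$req")
        want=$(majmin_of "$req")
        have=""
        for inst in $1; do
            [ "$(name_of "$inst")" = "$name" ] && have=$(majmin_of "$inst")
        done
        if [ -z "$have" ]; then
            echo "MISSING  $name (install $req)"; status=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $name: installed $have, need $want"; status=1
        fi
    done
    return $status
}

check_fips_baseline "$INSTALLED" || echo "Host is not at the FIPS baseline."
```

Run it before enabling FIPS mode and again after any package change, since a later yum update that replaces these packages would silently move the host off the validated module versions.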
Download and install the following packages:
Packages already installed as part of the image:
Create a directory called preinstall.
Download the following packages into this directory: