Oracle Cloud Infrastructure Documentation

Information for Oracle Cloud Infrastructure Government Cloud Customers

This topic contains information specific to Oracle Cloud Infrastructure Government Cloud customers.

Government Cloud Regions

The region names and identifiers for the Oracle Cloud Infrastructure Government Cloud regions are shown in the following table:

Region Name           | Region Identifier | Region Location | Region Key | Realm Key | Availability Domains
US Gov East (Ashburn) | us-langley-1      | Ashburn, VA     | LFI        | OC2       | 1
US Gov West (Phoenix) | us-luke-1         | Phoenix, AZ     | LUF        | OC2       | 1

After your tenancy is created in one of the Government Cloud regions, you can subscribe to the other region in the Government Cloud. Government Cloud tenancies cannot subscribe to the commercial regions. For information about subscribing to a region, see Managing Regions.

Government Cloud Console Sign-in URLs

To sign in to the Oracle Cloud Infrastructure Government Cloud, enter one of the following URLs in a supported browser:

https://console.us-langley-1.oraclegovcloud.com/

https://console.us-luke-1.oraclegovcloud.com/

Authorizations

Oracle Cloud Infrastructure Government Cloud has obtained the following authorizations:

  • FedRAMP Moderate
  • DISA Impact Level 2

Services Not Supported in Oracle Cloud Infrastructure Government Cloud

The following services are currently not available for tenancies in the Government Cloud:

Core Infrastructure services and features not available:

  • Compute service features:
    • Autoscaling
  • Data Transfer service
  • File Storage service

Database services not available:

  • Autonomous Data Warehouse
  • Autonomous Transaction Processing

Solutions and Platform services not available:

  • Streaming
  • Resource Manager
  • Email Delivery
  • Notifications
  • DNS Zone Management
  • Traffic Management Steering Policies
  • WAF service
  • Health Checks
  • Monitoring
  • Container Engine for Kubernetes
  • Registry
  • Marketplace

Governance and Administration features not supported:

  • Auto-federation with Oracle Identity Cloud Service
  • Announcements

Infrastructure Tools not available:

  • Oracle Cloud Infrastructure Terraform Provider

Integration with Oracle SaaS and PaaS services, including those listed here: Getting Started with Oracle Platform Services.

Shared Responsibilities

Oracle Cloud Infrastructure Government Cloud offers best-in-class security technology and operational processes to secure its enterprise cloud services. However, for you to securely run your workloads in Oracle Cloud Infrastructure Government Cloud, you must be aware of your security and compliance responsibilities. By design, Oracle provides security of cloud infrastructure and operations (cloud operator access controls, infrastructure security patching, and so on), and you are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.

For more information about shared responsibilities in the Oracle Cloud, see the following white papers:

Setting Up an Identity Provider for Your Tenancy

As a Government Cloud customer, you must bring your own identity provider that meets your agency's compliance requirements and supports common access card/personal identity verification card (CAC/PIV) authentication. You can federate Oracle Cloud Infrastructure with SAML 2.0 compliant identity providers that also support CAC/PIV authentication. For instructions on setting up a federation, see Federating with Identity Providers.

Remove the Oracle Cloud Infrastructure Default Administrator User and Any Other Non-Federated Users

When your organization signs up for an Oracle account and Identity Domain, Oracle sets up a default administrator for the account. This person will be the first IAM user for your company and will have full administrator access to your tenancy. This user can set up your federation.

After you have successfully set up the federation with your chosen identity provider, you can delete the default administrator user and any other IAM service local users you might have added to assist with setting up your tenancy. Deleting the local, non-federated users ensures that only users in your chosen identity provider can access Oracle Cloud Infrastructure.

To delete the default administrator:

  1. Sign in to the Console through your identity provider.

  2. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. The list of users is displayed.
  3. On the User Type filter, select only Local Users.
  4. For each local user, go to the Actions icon (three dots) and click Delete.

Using a Common Access Card/Personal Identity Verification Card to Sign in to the Console

After you set up CAC/PIV authentication with your identity provider and successfully federate with Oracle Cloud Infrastructure, you can use your CAC/PIV credentials to sign in to the Oracle Cloud Infrastructure Console. See your identity provider's documentation for the specific details for your implementation.

In general, the sign-in steps are:

  1. Insert your CAC/PIV card into your card reader.
  2. Navigate to the Oracle Cloud Infrastructure Console sign-in page.
  3. If prompted, enter your Cloud Tenant name and click Continue.
  4. Select the Single Sign-On provider and click Continue.
  5. On your identity provider's sign-on page, select the appropriate card, for example, PIV Card.
  6. If presented with a certificate picker, choose the appropriate certificate or other attributes set up by your organization.
  7. When prompted, enter the PIN.

IPv6 Support for Virtual Cloud Networks

Government Cloud customers have the option to enable IPv6 addressing for their VCNs. For more information, see IPv6 Addresses.

Setting Up Secure Access for Compute Hosts

You can set up CAC/PIV authentication using third-party tools to enable multi-factor authentication for securely connecting to your compute hosts. Example tools include PuTTY-CAC for Windows and OpenSC for macOS. For more information, see the U.S. Government website, PIV Usage Guidelines.

Enabling FIPS Mode for Your Operating System

Oracle Cloud Infrastructure Government Cloud customers are responsible for enabling FIPS mode for the operating systems on their Compute hosts. To make your operating system compliant with Federal Information Processing Standard (FIPS) Publication 140-2, follow the guidelines for your operating system:

Oracle Linux

Follow the guidance provided at Enabling FIPS Mode on Oracle Linux.

Ubuntu

Follow the guidance provided at Ubuntu Security Certifications.

Windows Server 2008 and 2012

Follow the guidance provided at Data Encryption for Web console and Reporting server Connections.

Windows Server 2016

First, follow the guidance provided at How to Use FIPS Compliant Algorithms.

Next, go to the Microsoft document, FIPS 140 Validation and navigate to the topic Information for System Integrators. Follow the instructions under "Step 2 – Setting FIPS Local/Group Security Policy Flag" to complete the FIPS enablement.

CentOS

The following guidance is for enabling FIPS on CentOS 7.5. These procedures are valid for both VM and bare metal instances, but only in NATIVE mode; they can be adapted for Emulated and PV modes as needed. Note that this procedure produces an instance that contains the exact FIPS-validated cryptographic modules, with the exception of the kernel: the kernel module has the same major/minor version as the validated one but a later revision, so it can be considered compliant under most FIPS compliance models.

After you complete this procedure, Oracle strongly recommends that you do NOT run system-wide yum updates: such an update will remove the FIPS module versions installed by this procedure.

Verify that the versions of the kernel, the FIPS modules, and the FIPS software are at the required minimum version:

  1. Validate that the installed kernel package meets the requirement:
    1. Required version: kernel-3.10.0-693.el7
    2. Run rpm -qa | grep kernel-3 and compare the output with the required version.
  2. Validate that the major/minor version of each required package matches the requirement:
    1. Run

       yum list <package_name>
    2. Verify that the major/minor version matches the required one.
    3. For each required package that is not installed, run

       yum install <package_name>

    Required packages and versions are:

    • fipscheck - fipscheck-1.4.1-6.el7
    • hmaccalc - hmaccalc-0.9.13-4.el7
    • dracut-fips - dracut-fips-033-502.el7
    • dracut-fips-aesni - dracut-fips-aesni-033-502.el7
  3. Download and install the following packages:
    1. Packages already installed as part of the image:
      1. Create a directory called preinstall.
      2. Download the following packages into this directory:

        openssl, openssl-libs – 1.0.2k-8.el7
        nss, nss-tools, nss-sysinit – 3.28.4-15.el7_4
        nss-util – 3.28.4-3.el7
        nss-softokn, nss-softokn-freebl – 3.28.3-8.el7_4
        openssh, openssh-clients, openssh-server – 7.4p1-11.el7

      3. In the preinstall directory, run

        yum --nogpgcheck downgrade *.rpm
    2. Packages to be added to the image:
      1. Create a directory called newpackages.
      2. Download the following packages into this directory:

        libreswan – 3.20-3.el7
        libgcrypt – 1.5.3-14.el7
        gnutls – 3.3.26-9.el7
        gmp – 6.0.0-15.el7
        nettle – 2.7.1-8.el7

      3. In the newpackages directory, run

        yum --nogpgcheck localinstall *.rpm

The URLs for the packages used for this installation are:

Preinstall:

http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nss-3.28.4-15.el7_4.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nss-util-3.28.4-3.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nss-tools-3.28.4-15.el7_4.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nss-sysinit-3.28.4-15.el7_4.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nss-softokn-freebl-3.28.3-8.el7_4.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nss-softokn-3.28.3-8.el7_4.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/openssl-1.0.2k-8.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/openssl-libs-1.0.2k-8.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/openssh-7.4p1-11.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm

Newpackages:

http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/libreswan-3.20-3.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/libgcrypt-1.5.3-14.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/gnutls-3.3.26-9.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/gmp-6.0.0-15.el7.x86_64.rpm
http://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/Packages/nettle-2.7.1-8.el7.x86_64.rpm

Kernel FIPS module and initramfs validation installation.

Perform this procedure as root:

  1. Regenerate dracut:

    dracut -f -v
  2. Add the fips argument to the end of the default kernel boot command line:
    1. Edit /etc/default/grub.
    2. At the end of the line starting with GRUB_CMDLINE_LINUX, inside the double quotes, add

      fips=1

    3. Save the file.

  3. Generate a new grub.cfg:

    grub2-mkconfig -o /etc/grub2-efi.cfg

Configure SSH to limit the encryption algorithms.

  1. Sudo to root.

  2. Edit /etc/ssh/sshd_config.

  3. Add the following lines to the bottom of the file:

    Protocol 2
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    MACs hmac-sha1

  4. Reboot the instance.
  5. After the instance has rebooted, validate that FIPS mode has been enabled in the kernel:
    1. Sudo to root.
    2. Run the following command:

      cat /proc/sys/crypto/fips_enabled

      The result should be '1'.
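The version and kernel checks in the procedure above, as an added POSIX shell script (not Oracle's code): each check takes its input as an argument, so it runs on a constructed rpm -qa excerpt for a dry run or, with --live, on the instance itself; the file name fips_check.sh is assumed.

```shell
#!/bin/sh
# Added example (not Oracle's code): post-install checks for the CentOS 7.5
# FIPS procedure above. Each check takes its input as an argument, so it can
# run on a captured "rpm -qa" dump (self-test below) or on a live instance.

# name=version pairs from the procedure; the version is the upstream part
# before the RPM release (dracut-fips-033-502.el7 -> 033).
REQUIRED="kernel=3.10.0 fipscheck=1.4.1 hmaccalc=0.9.13 dracut-fips=033
dracut-fips-aesni=033 openssl=1.0.2k openssl-libs=1.0.2k nss=3.28.4
nss-util=3.28.4 nss-softokn=3.28.3 openssh=7.4p1 openssh-server=7.4p1
libreswan=3.20 libgcrypt=1.5.3 gnutls=3.3.26 gmp=6.0.0 nettle=2.7.1"

# pkg_present DUMP NAME VERSION: succeeds when DUMP (rpm -qa output) has a line
# starting with NAME-VERSION- (the release separator), so nss-3.28.4 accepts
# nss-3.28.4-15.el7_4 but not nss-util-3.28.4-3.el7 or nss-3.28.40-1.el7.
pkg_present() {
    _pat=$(printf '%s-%s' "$2" "$3" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -q "^$_pat-"
}

# missing_pkgs DUMP: prints "name version" for every required package that is
# absent or at another version; prints nothing when the host matches.
missing_pkgs() {
    for _spec in $REQUIRED; do
        pkg_present "$1" "${_spec%=*}" "${_spec#*=}" || echo "${_spec%=*} ${_spec#*=}"
    done
}

# fips_kernel_ok FLAG CMDLINE: FLAG is /proc/sys/crypto/fips_enabled, CMDLINE is
# /proc/cmdline. Both are needed: with dracut-fips installed but no fips=1 on
# the boot line the kernel stays in non-FIPS mode and the flag reads 0.
fips_kernel_ok() {
    [ "$1" = "1" ] || return 1
    case " $2 " in *" fips=1 "*) return 0 ;; esac
    return 1
}
# Constructed rpm -qa excerpt: nss-softokn is at a version the procedure does
# not list, so missing_pkgs must report it (plus every package not present).
SAMPLE_DUMP="kernel-3.10.0-693.el7.x86_64
fipscheck-1.4.1-6.el7.x86_64
nss-3.28.4-15.el7_4.x86_64
nss-softokn-3.36.0-5.el7_5.x86_64"
# Live run on an instance: sh fips_check.sh --live
if [ "${1:-}" = "--live" ]; then
    _missing=$(missing_pkgs "$(rpm -qa)")
    [ -z "$_missing" ] || printf 'missing or wrong version:\n%s\n' "$_missing"
    fips_kernel_ok "$(cat /proc/sys/crypto/fips_enabled)" "$(cat /proc/cmdline)" &&
        echo "kernel FIPS mode: on" || echo "kernel FIPS mode: OFF (check fips=1 in grub)"
fi
```

Run it with --live after the reboot in step 4; an empty package report together with "kernel FIPS mode: on" is the expected state before handing the instance over.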

To further secure CentOS 7/RHEL 7.x systems as required by individual agency guidance, follow the checklist contained in the OpenSCAP guide. This guide can be found here: https://static.open-scap.org/ssg-guides/ssg-centos7-guide-index.html

The STIG for evaluating compliance under multiple profiles can be found here: https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx. Use the Red Hat Linux 7.x STIG for CentOS 7.5 releases.

Required VPN Connect Parameters for the Government Cloud

If you use VPN Connect with the Government Cloud, you must configure the IPSec connection with the following FIPS-compliant IPSec parameters.

Government Cloud: ISAKMP Policy Options

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

  • ISAKMP Protocol version 1
  • Exchange type: Main mode
  • Authentication method: pre-shared-keys
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
  • Diffie-Hellman group: group 14, group 19, group 20
  • IKE session key lifetime: 28800 seconds (8 hours)

Government Cloud: IPSec Policy Options

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

  • IPSec protocol: ESP, tunnel-mode
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc, AES-128-gcm, AES-192-gcm, AES-256-gcm
  • Authentication algorithm: HMAC-SHA-256-128 (note that if you're using GCM encryption (Galois/Counter Mode), authentication is built into GCM)
  • IPSec session key lifetime: 3600 seconds (1 hour)
  • Perfect Forward Secrecy (PFS): enabled, group 14

Oracle's BGP ASN

For network engineers who configure an edge device for FastConnect or VPN Connect: Oracle's BGP ASN for the Government Cloud is 6142.