EM 13c, 12c: How to Configure the Enterprise Manager Management Service (OMS) with Secure Socket Layer (SSL) Certificates
APPLIES TO:

Enterprise Manager Base Platform - Version 12.1.0.2.0 and later
Enterprise Manager for Oracle Database - Version 12.1.0.5.0 and later
Information in this document applies to any platform.

PURPOSE

The Enterprise Manager Management Service (OMS) is secured out of the box with EM self-signed certificates of 1024-bit key strength, signed with the SHA512withRSA signature algorithm. This document provides steps to check the certificates used by the OMS and to change them if needed.

DETAILS

The following consultative solutions will help you:

A. Determine the certificates used by the OMS
B. Create a wallet and import third-party certificates into the wallet
C. Secure the EM Cloud Control Console access with third-party certificates
D. Secure the OMS with third-party certificates
E. Import third-party / custom SSL certificates used at an SLB into the OMS and Agents
F. Renew third-party certificates used with the OMS
G. Increase the key strength and signature algorithm of the certificates used with the OMS
H. Roll back the OMS to the default EM demo certificates

A. How to determine the certificates used by the OMS

1. Run the command below to check the status of the OMS and gather its details:

    <OMS HOME>/bin>emctl status oms -details
    Oracle Enterprise Manager Cloud Control 12c Release 5
    Copyright (c) 1996, 2014 Oracle Corporation.  All rights reserved.
    Enter Enterprise Manager Root (SYSMAN) Password :
    Console Server Host        : omshostname.domainname
    HTTP Console Port          : 7788
    HTTPS Console Port         : 7802
    HTTP Upload Port           : 4889
    HTTPS Upload Port          : 4903
    EM Instance Home           : /u01/app/oracle/product/gc_inst/em/EMGC_OMS1
    OMS Log Directory Location : /u01/app/oracle/product/gc_inst/em/EMGC_OMS1/sysman/log
    OMS is not configured with SLB or virtual hostname
    Agent Upload is locked.
    OMS Console is locked.
    Active CA ID: 1
    Console URL: https://omshostname.domainname:7802/em
    Upload URL: https://omshostname.domainname:4903/empbs/upload
    WLS Domain Information
    Oracle Management Server Information
    BI Publisher is not configured to run on this host.
2. If the OMS is running, the certificates used by the OMS can be checked with either emctl or openssl:

    $OMS_HOME/bin>emctl secdiag openurl -url https://omshostname.domainname:4903/em -ssl_protocol TLSv1.2
    Oracle Enterprise Manager Cloud Control 13c Release 5
    Copyright (c) 1996, 2021 Oracle Corporation.  All rights reserved.
    Log file: /tmp/OpenPage_2022_08_08_19_03_021712235622964956751.log
    Opening page: https://omshostname.domainname:4903/em
    Negotiated protocol: TLSv1.2
    Getting the certificate chain
    Details of cert# 1 in chain:
    Details of cert# 2 in chain:
    Following headers are present in the response:
    Response saved at :

    $openssl s_client -connect omshostname.domainname:4903
    CONNECTED(00000003)
    depth=1 O = EnterpriseManager on hostname.domainname, OU = EnterpriseManager on hostname.domainname, L = EnterpriseManager on hostname.domainname, ST = CA, C = US, CN = omshostname.domainname
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=omshostname.domainname
       i:/O=EnterpriseManager on hostname.domainname/OU=EnterpriseManager on hostname.domainname/L=EnterpriseManager on hostname.domainname/ST=CA/C=US/CN=hostname.domainname
     1 s:/O=EnterpriseManager on hostname.domainname/OU=EnterpriseManager on hostname.domainname/L=EnterpriseManager on hostname.domainname/ST=CA/C=US/CN=hostname.domainname
       i:/O=EnterpriseManager on hostname.domainname/OU=EnterpriseManager on hostname.domainname/L=EnterpriseManager on hostname.domainname/ST=CA/C=US/CN=hostname.domainname
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <Base64-encoded server certificate>
    -----END CERTIFICATE-----
    subject=/CN=omshostname.domainname
    issuer=/O=EnterpriseManager on hostname.domainname/OU=EnterpriseManager on hostname.domainname/L=EnterpriseManager on hostname.domainname/ST=CA/C=US/CN=hostname.domainname
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1766 bytes and written 461 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 1886CAAE5175E4B2C29216DBD9552E37
        Session-ID-ctx:
        Master-Key: 0B9EACCE56AD032041B41F221734711673717CBD759EDE8B7D2FD273170BABFBBEDDEC25B54014D04C9A3FE8F5A34AC7
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1478701274
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)

    In this output, "Server public key is 1024 bit" and "Verify return code: 19 (self signed certificate in certificate chain)" show that the OMS is still running with the default EM self-signed certificates described in the PURPOSE section.
3. If the OMS is not running, you can check the certificates used by the OMS by reading the contents of the wallet used by the OMS:

    <MW_HOME>/oracle_common/bin>./orapki wallet display -wallet /../gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/upload -summary
    Oracle PKI Tool : Version 12.2.1.4.0
    Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
    Requested Certificates:
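To make the check in step 2 repeatable across many OMS hosts, here is an added example (not part of the original note) that parses the `openssl s_client` output shown above and flags the conditions this note acts on: a 1024-bit key, a self-signed chain, a protocol older than TLSv1.2, or an unexpected issuer. The sample output, the thresholds and the `check_live()` wrapper around the openssl command line are assumptions of the example.

```python
"""Triage an OMS TLS endpoint from `openssl s_client` output.

Added example, not part of the original note. parse_s_client() reads the
fields that `openssl s_client -connect <oms host>:<upload port>` prints
(the output shown in section A) and assess() flags what the note treats
as reasons to act: a 1024-bit key (the EM demo default, section G), a
self-signed chain (verify return code 19), a negotiated protocol older
than TLSv1.2, and an issuer that is not the expected CA.
"""
import re
import subprocess
import sys

_PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_s_client(text):
    """Extract subject, issuer, key size, protocol, cipher and verify code."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else default

    return {
        "subject": grab(r"^subject=(.+)$"),
        "issuer": grab(r"^issuer=(.+)$"),
        "key_bits": int(grab(r"Server public key is (\d+) bit", "0")),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "verify_code": int(grab(r"Verify return code: (\d+)", "-1")),
        # one " N s:<subject>" line per certificate in the presented chain
        "chain_depth": len(re.findall(r"^\s*\d+ s:", text, re.MULTILINE)),
    }


def assess(info, min_key_bits=2048, min_protocol="TLSv1.2", expected_issuer_cn=None):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    bits = info.get("key_bits") or 0
    if bits and bits < min_key_bits:
        findings.append(f"server key is {bits} bit (< {min_key_bits}); the EM demo "
                        "certificates are 1024 bit, see section G to raise the key strength")
    code = info.get("verify_code", -1)
    if code == 19:
        findings.append("verify return code 19: self-signed certificate in chain "
                        "(EM demo CA still in use, or the CA is not in the local trust store)")
    elif code not in (0, -1):
        findings.append(f"certificate verification failed with openssl code {code}")
    if _PROTO_RANK.get(info.get("protocol"), -1) < _PROTO_RANK.get(min_protocol, 99):
        findings.append(f"negotiated {info.get('protocol')}; expected at least {min_protocol}")
    if expected_issuer_cn and f"CN={expected_issuer_cn}" not in (info.get("issuer") or ""):
        findings.append(f"issuer is {info.get('issuer')!r}, not CN={expected_issuer_cn}")
    return findings


# CONSTRUCTED sample, trimmed from the section A output of a default EM install.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 O = EnterpriseManager on hostname.domainname, CN = hostname.domainname
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=omshostname.domainname
   i:/O=EnterpriseManager on hostname.domainname/CN=hostname.domainname
 1 s:/O=EnterpriseManager on hostname.domainname/CN=hostname.domainname
   i:/O=EnterpriseManager on hostname.domainname/CN=hostname.domainname
---
Server certificate
subject=/CN=omshostname.domainname
issuer=/O=EnterpriseManager on hostname.domainname/CN=hostname.domainname
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""


def check_live(target, **kwargs):
    """Run openssl against host:port (e.g. omshostname.domainname:4903) and assess it."""
    out = subprocess.run(["openssl", "s_client", "-connect", target],
                         input=b"", capture_output=True, timeout=30).stdout
    return assess(parse_s_client(out.decode(errors="replace")), **kwargs)


if __name__ == "__main__":
    # With no argument the constructed sample is assessed; pass host:port for a live OMS.
    report = assess(parse_s_client(SAMPLE_OUTPUT)) if len(sys.argv) < 2 else check_live(sys.argv[1])
    for line in report or ["no findings"]:
        print("-", line)
```

Pass `expected_issuer_cn=` with the CN of your third-party issuing CA once the OMS has been secured with it (sections D and F), so the check also catches an OMS that silently fell back to the EM demo CA.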
B. How to create a wallet and import third-party certificates into the wallet

An Oracle Wallet is required to store the certificates.

1. Run the command below to set the EM environment:

    <OMS BASE>/gc_inst/user_projects/domains/GCDomain/bin>. ./setDomainEnv.sh

2. Create the wallet using the ORAPKI utility available in the <MIDDLEWARE_HOME>/oracle_common/bin directory on the OMS server:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet create -wallet <wallet_location> -auto_login

    -wallet: specifies a location for the new wallet

    For example:

    $MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet <wallet_location> -auto_login
    Oracle PKI Tool : Version 12.2.1.4.0
    Enter password:

    Note: The wallet directory should have both the cwallet.sso and ewallet.p12 files created.

    $ls /home/oracle/wallets
    cwallet.sso  ewallet.p12

3. Raise a Certificate Signing Request (CSR):

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet <wallet_location> -dn <user_dn> -keysize 512|1024|2048|4096 -pwd <wallet_password>

    -wallet: specifies the location of the wallet to which you want to add a certificate request

    Example:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet <wallet_location> -dn "CN=omshostname.domainname, OU=EM, O=ORACLE, L=Bangalore, ST=Karnataka, C=IN" -keysize 2048 -pwd <wallet_password>

    Note:
    1. While raising the CSR, use as the Common Name (CN) the host name of the machine where the OMS is installed, or the Load Balancer (SLB) name if the OMS is behind the load balancer. The host name must be exactly the one used by the OMS or SLB, in the same letter case.
    2. Wildcard certificates and SAN (Subject Alternative Name) certificates are not supported in EM Cloud Control 12c/13c until version EM 13.4.

4. You can view the contents of the wallet using the command below:

    <MIDDLEWARE_HOME>/oracle_common/bin/orapki wallet display -wallet <wallet_location>
    Oracle PKI Tool : Version 12.2.1.4.0
    Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
    Requested Certificates:

5. Export the CSR to a text file:

    <MIDDLEWARE_HOME>/oracle_common/bin>orapki wallet export -wallet <wallet_location> -dn <certificate_request_dn> -request <certificate_request_filename> -pwd <wallet password>

    -wallet: specifies the location of the wallet to which you want to add a certificate request

    Example:

    $MIDDLEWARE_HOME/oracle_common/bin/orapki wallet export -wallet <wallet_location> -dn "CN=omshostname.domainname, OU=EM, O=ORACLE, L=Bangalore, ST=Karnataka, C=IN" -request CSR.txt -pwd oracle11
    Operation is successfully completed.

    The CSR.txt file contains the certificate request (CSR) in the format below:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    <Base64-encoded certificate request>
    -----END NEW CERTIFICATE REQUEST-----

6. Submit this certificate request to a third-party trusted Certificate Authority (CA) to get the signed SSL certificates in Base64 format. The file extension can be .txt, .pem or .csr, but the contents need to be in Base64 format as below:

    - user.txt contains only the user / server certificate:

      -----BEGIN CERTIFICATE-----
      <Base64-encoded server certificate>
      -----END CERTIFICATE-----

    - inter.txt contains only the intermediate CA certificate (if there are multiple intermediate CA certificates, create a separate file for each one):

      -----BEGIN CERTIFICATE-----
      <Base64-encoded intermediate CA certificate>
      -----END CERTIFICATE-----

    - root.txt contains only the Root CA certificate:

      -----BEGIN CERTIFICATE-----
      <Base64-encoded root CA certificate>
      -----END CERTIFICATE-----

    Note: These files should not contain any special characters, empty lines or extra blank spaces. The contents of a certificate file can be read using the emctl command below:

    <OMS HOME>/bin>emctl secdiag dumpcertsinfile -file user.txt

7. Copy user.txt, inter.txt and root.txt to the OMS server where the wallet was created, and import them into the wallet.

    7a. Run the command below to import the root certificate into the wallet:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet <wallet_location> -trusted_cert -cert <root_certificate_location> -pwd <wallet_password>

    Example:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet /home/oracle/wallets -trusted_cert -cert /u01/app/oracle/product/11.2.0/dbhome_1/bin/ssl/root.txt -pwd <password>
    Operation is successfully completed.

    7b. Run the command below to import the intermediate certificate(s) into the wallet:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet <wallet_location> -trusted_cert -cert <intermediate_certificate_location> -pwd <wallet_password>

    Example:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet /home/oracle/wallets -trusted_cert -cert /u01/app/oracle/product/11.2.0/dbhome_1/bin/ssl/inter.txt -pwd <password>
    Operation is successfully completed.

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet /home/oracle/wallets -trusted_cert -cert /u01/app/oracle/product/11.2.0/dbhome_1/bin/ssl/inter2.txt -pwd <password>
    Operation is successfully completed.

    7c. Run the command below to import the user certificate into the wallet:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet add -wallet <wallet_location> -user_cert -cert <user_certificate_location> -pwd <wallet_password>

    $ ./orapki wallet add -wallet /home/oracle/wallets -user_cert -cert /u01/app/oracle/product/11.2.0/dbhome_1/bin/ssl/user.txt -pwd <password>
    Operation is successfully completed.

    You can view the contents of the wallet using the command below:

    <MIDDLEWARE_HOME>/oracle_common/bin>./orapki wallet display -wallet /home/oracle/wallets
    Oracle PKI Tool : Version 12.2.1.4.0
    Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
    Requested Certificates:

8. Copy the trusted certificates obtained from the third party (the intermediate certificate(s) and the root certificate) into one file (trusted_certs.txt) for use in Step D (How to secure the OMS using third-party certificates) and Step F (How to renew third-party certificates used with the OMS):

    -----BEGIN CERTIFICATE-----
    <Base64-encoded intermediate CA certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Base64-encoded root CA certificate>
    -----END CERTIFICATE-----

    Note: There should be no special characters, empty lines or extra blank spaces in the file. The certificates need not be placed in any particular order.
C. How to secure/renew EM Cloud Control Console access with third-party certificates

Ensure that the wallets are created and that certificates with omshostname.domainname/slbhostname.domainname are imported into the wallet. In case of a multi-OMS setup, the steps below need to be performed on each OMS; they can be performed in a rolling fashion.

1. Secure the EM Cloud Control Console with the third-party certificates using the command below:

    <OMS_HOME>/bin>emctl secure console -wallet <location of custom wallets>

    If the OMS is configured behind an SLB, run the following command instead:

    <OMS_HOME>/bin>emctl secure console -wallet <location of custom wallets> -host <SLB HostName>

2. Restart the OMS:

    <OMS_HOME>/bin>emctl stop oms -all -force
    <OMS_HOME>/bin>emctl start oms
D. How to secure the OMS using third-party certificates

Ensure that the wallets are created and that certificates with omshostname.domainname/slbhostname.domainname are imported into the wallet.

1. Run the command below to import the trusted certificates into the OMS trust store and the EM Repository. In case of a multi-OMS setup, execute the command on each OMS.

    <OMS_HOME>/bin>./emctl secure oms -trust_certs_loc <location of trusted_certs.txt> [other arguments if any]

    Example:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -trust_certs_loc /home/oracle/wallets/trusted_certs.txt [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]

    If the OMS is configured behind an SLB, run the following command:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB hostname> -secure_port <port> -slb_port <port> -slb_console_port <port> -trust_certs_loc <location of trusted_certs.txt> [other arguments if any]

    Hint: At this point only the trusted certificates have been copied to the OMS trust store and the Repository; the OMS is still running with its existing certificates.

    Note: The command copies the contents of the wallet to the appropriate key stores within the OMS home. Keep the wallet in a safe place in case it is needed in the future to secure the OMS again with the same certificates.

2. Restart the OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>emctl stop oms -all -force
    <OMS_HOME>/bin>emctl start oms

3. Secure all the Agents, so that they trust the new CA chain before the OMS switches to it:

    <AGENT_HOME>/bin>./emctl secure agent

    You can also secure multiple Agents together using the emcli commands below:

    cd <OMS_HOME>/bin
    ./emcli login -username=sysman
    ./emcli sync
    ./emcli secure_agents [-agt_names="agt1;agt2;..."] [-agt_names_file="<file>"] [-group_name="group_name"] [-use_pref_creds] [-username="username"] [-password="password"] [-disable_ca_check]

4. Run the command below to secure the OMS with the third-party certificates:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -wallet <wallet_location> -trust_certs_loc <location of trusted certificate> [Other Arguments if any]

    Example:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -wallet /home/oracle/wallets -trust_certs_loc /home/oracle/wallets/trusted_certs.txt [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]

    If the OMS is configured behind an SLB, run the following command:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB hostname> -wallet /home/oracle/wallets -secure_port <port> -slb_port <port> -slb_console_port <port> -slb_jvmd_https_port <slb_jvmd_port> -trust_certs_loc <location of trusted_certs.txt> [Other Arguments if any]

5. Restart the OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>./emctl stop oms -all -force
    <OMS_HOME>/bin>./emctl start oms
E. How to import third-party / custom SSL certificates used at an SLB into the OMS and Agents

These steps are required if the SLB is also secured/configured with SSL certificates.

1. Check the certificates presented at the SLB and at the OMS:

    <OMS_HOME>/bin>./emctl secdiag openurl -url https://<SLB Hostname>:<HTTPS Upload port>/empbs/upload [-ssl_protocol TLSv1.2]
    <OMS_HOME>/bin>./emctl secdiag openurl -url https://<OMS Hostname>:<HTTPS Upload port>/empbs/upload [-ssl_protocol TLSv1.2]

2. If no certificates are used at the SLB, the output of both commands will show the same 'Issuer' value and the same certificate serial number. Example:

    Issuer : CN=<OMS hostname.domainname>, C=US, ST=CA, L=EnterpriseManager on <OMS hostname.domainname>, OU=EnterpriseManager on <OMS hostname.domainname>, O=EnterpriseManager on <OMS hostname.domainname>
    Serial#: 1234

3. If a custom or third-party SSL certificate is used at the SLB, the output of the command run with the SLB name will show details as in the example below:

    SLB:
    Issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
    Serial#: 9999

    OMS:
    Issuer : CN=<OMS hostname.domainname>, C=US, ST=CA, L=EnterpriseManager on <OMS hostname.domainname>, OU=EnterpriseManager on <OMS hostname.domainname>, O=EnterpriseManager on <OMS hostname.domainname>
    Serial#: 1234

    The SLB is using the custom certificate (CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc."), which needs to be imported as a trusted certificate into the OMS.

4. Get all the trusted certificates (root and intermediate) used by the SLB and copy them into a file customca.txt.

5. Run the command below to import these certificates into the OMS and the Agents:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -slb_jvmd_https_port <slb_jvmd_port> -trust_certs_loc <Location of customca.txt> [Other Arguments if any]

    Example:

    <OMS_HOME>/bin>./emctl secure oms -host slbhostname.domainname -secure_port 1159 -slb_port 1159 -slb_console_port 443 -slb_jvmd_https_port 7301 -trust_certs_loc /home/oracle/customca.txt [-wallet <wallet_location>] [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]

    Note:
    1. All the OMSes behind an SLB need to be secured with the above command.
    2. If the OMS is also secured with third-party or custom certificates, specify the location of the OMS third-party certificates/wallet in the above command by passing '-wallet <wallet_location>'.
    3. The CA certificate of the OMS is present in the <EM_INSTANCE_HOME>/em/EMGC_OMS1/sysman/config/b64LocalCertificate.txt file and needs to be copied to the SSL trust store of the SLB. Contact the SLB administrator to import the certificate into the SLB trust store, as this is out of scope for Oracle.
    4. In case of a certificate renewal, ensure customca.txt contains both the existing root and intermediate certificates and the new root and intermediate certificates.
    5. If the error 'Either of -slb_jvmd_http_port or -slb_jvmd_https_port must be specified' is reported when securing the OMS, follow the document below:
       EM 13c: "emctl secure oms" Command Fails with Error: Either of -slb_jvmd_http_port or -slb_jvmd_https_port must be specified (Note 2120008.1)

6. Restart each OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>./emctl stop oms -all -force
    <OMS_HOME>/bin>./emctl start oms

7. Secure all the Agents:

    <AGENT_HOME>/bin>./emctl secure agent -emdWalletSrcUrl <SLB Upload URL>
F. How to renew third-party certificates used with the OMS

1. Create a new wallet, generate a new CSR to get the renewed certificates, and import them into the new wallet.

2. If only the user certificate is being renewed and the trusted certificates (root and intermediate) remain the same, securing the Agents is not required: skip Steps 3, 4 and 5 and continue with Step 6.

3. Run the command below to import the trusted certificates into the OMS trust store and the Repository. In case of a multi-OMS setup, the command needs to be executed on each OMS.

    <OMS_HOME>/bin>./emctl secure oms -wallet <Location of existing wallets (not new wallets)> -trust_certs_loc <location of trusted_certs.txt> [other arguments if any]

    Example:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -wallet /home/oracle/wallets_existing -trust_certs_loc /home/oracle/wallets/trusted_certs.txt [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]

    If the OMS is configured behind an SLB, run the following command:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB hostname> -secure_port <port> -slb_port <port> -slb_console_port <port> -slb_jvmd_https_port <slb_jvmd_port> -wallet <Location of existing wallets (not new wallets)> -trust_certs_loc <location of trusted_certs.txt> [other arguments if any]

    Note: In case of a renewal, ensure trusted_certs.txt contains both the existing root and intermediate certificates and the new root and intermediate certificates. Otherwise the Agents will fail to communicate with the OMS after it is secured.

4. Restart the OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>emctl stop oms -all -force
    <OMS_HOME>/bin>emctl start oms

5. Secure all the Agents:

    <AGENT_HOME>/bin>./emctl secure agent

    You can also secure multiple Agents together using the emcli commands below:

    cd <OMS_HOME>/bin
    ./emcli login -username=sysman
    ./emcli sync
    ./emcli secure_agents [-agt_names="agt1;agt2;..."] [-agt_names_file="<file>"] [-group_name="group_name"] [-use_pref_creds] [-username="username"] [-password="password"] [-disable_ca_check]

6. Run the command below to secure the OMS with the third-party certificates:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -wallet <new wallet_location> -trust_certs_loc <location of trusted certificate> [Other Arguments if any]

    Example:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -wallet /home/oracle/wallets -trust_certs_loc /home/oracle/wallets/trusted_certs.txt [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]

    If the OMS is configured behind an SLB, run the following command on each OMS in the setup:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB hostname> -secure_port <port> -slb_port <port> -slb_console_port <port> -slb_jvmd_https_port <slb_jvmd_port> -wallet <new wallet_location> -trust_certs_loc <location of trusted_certs.txt> [Other Arguments if any]

7. Restart the OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>./emctl stop oms -all -force
    <OMS_HOME>/bin>./emctl start oms
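An added example, not from the original note, that checks the certificate text files from section B (user.txt, inter.txt, root.txt and trusted_certs.txt) against the rules in its steps 6 and 8 before they are fed to orapki, and that verifies the renewal caveat from sections E and F: the trusted_certs.txt (or customca.txt) passed to `emctl secure oms -trust_certs_loc` must still contain the existing root and intermediate certificates. The sample certificates are constructed DER wrappers, not real X.509 certificates; the function names are the example's own.

```python
"""Check certificate text files before importing them with orapki / emctl.

Added example, not part of the original note. validate_cert_file() applies
the rules from section B steps 6 and 8 (Base64 PEM blocks only, no empty
lines, no extra blank spaces or special characters, one certificate per
user/inter/root file). missing_from_trust_file() covers the renewal caveat
in sections E and F: the trust file must still carry the existing CA certs.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def pem_blocks(text):
    """Base64 body (lines joined) of each BEGIN/END CERTIFICATE block, in order."""
    blocks, body, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            blocks.append("".join(body))
            inside = False
        elif inside:
            body.append(line)
    return blocks


def der_length_ok(der):
    """True if the bytes are exactly one DER SEQUENCE, the outer TLV of an X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def validate_cert_file(text, expected_count=1):
    """Return a list of problems; an empty list means the file is ready to import."""
    problems, inside = [], False
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s == "":
            problems.append(f"line {no}: empty line")
            continue
        if s != line:
            problems.append(f"line {no}: leading/trailing blank space")
        if s == BEGIN:
            inside = True
        elif s == END:
            inside = False
        elif not inside:
            problems.append(f"line {no}: text outside a certificate block")
        elif not _B64_LINE.match(s):
            problems.append(f"line {no}: special or non-Base64 character")
    if inside:
        problems.append("missing END CERTIFICATE marker")
    blocks = pem_blocks(text)
    for i, b64 in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"certificate {i}: Base64 body does not decode")
            continue
        if not der_length_ok(der):
            problems.append(f"certificate {i}: not a single DER-encoded certificate")
    if expected_count is not None and len(blocks) != expected_count:
        problems.append(f"expected {expected_count} certificate(s), found {len(blocks)}")
    return problems


def fingerprints(text):
    """SHA-256 fingerprint (hex) of every certificate in the file, in order."""
    return [hashlib.sha256(base64.b64decode(b)).hexdigest() for b in pem_blocks(text)]


def missing_from_trust_file(trusted_text, *keep_files):
    """Fingerprints of certificates in keep_files that trusted_text lacks.

    For a renewal, pass the existing root/intermediate files as keep_files."""
    have = set(fingerprints(trusted_text))
    return [fp for f in keep_files for fp in fingerprints(f) if fp not in have]


def make_fake_pem(tag, width=64):
    """CONSTRUCTED test data: a DER SEQUENCE wrapping filler bytes, not a real X.509 cert."""
    payload = (tag.encode() * 50)[:200]
    der = b"\x30\x81\xc8" + payload          # SEQUENCE, long-form length 0xc8 = 200
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *[b64[i:i + width] for i in range(0, len(b64), width)], END])


ROOT_TXT, INTER_TXT, USER_TXT = (make_fake_pem(t) for t in ("root", "inter", "user"))
TRUSTED_CERTS_TXT = INTER_TXT + "\n" + ROOT_TXT          # both CA certs, any order
BAD_USER_TXT = USER_TXT.replace("\n", "\n\n", 1) + " "   # empty line + trailing space

if __name__ == "__main__":
    print("user.txt:", validate_cert_file(USER_TXT) or "OK")
    print("bad user.txt:", validate_cert_file(BAD_USER_TXT))
    print("renewal check:", missing_from_trust_file(INTER_TXT, ROOT_TXT) or "nothing missing")
```

Read the real files with `open(path).read()` in place of the constructed samples; a non-empty list from `missing_from_trust_file()` means the Agents would lose trust in the current chain once the OMS is secured.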
G. How to increase the key strength and signature algorithm of the certificates used with the OMS

Enterprise Manager 12c (OMS and Agent) is by default configured with SSL certificates of 1024-bit key strength and the SHA512withRSA signature algorithm.

Hint: If the OMS or Agents are configured with third-party trusted certificates, you need to contact the third-party Certificate Authority to get certificates with a higher key strength and signature algorithm. The steps below are not applicable in that case.

1. Run the command below to create a new EM Certificate Authority with 2048-bit key strength:

    <OMS_HOME>/bin>emctl secure createca -key_strength 2048

    Note: The above command creates a new default CA; no wallet directory needs to be created for it.

3. Restart the OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>emctl stop oms -all -force
    <OMS_HOME>/bin>emctl start oms

4. You can view the details of the new Certificate Authority that was just created using the command below:

    <OMS_HOME>/bin>emcli get_ca_info -details

5. Secure all the Agents so that they use a certificate with 2048-bit key strength:

    <AGENT HOME>/bin>./emctl secure agent

    In case of a multi-OMS setup configured with an SLB, secure each Agent using:

    <AGENT_HOME>/bin>./emctl secure agent -emdWalletSrcUrl <SLB Upload URL>

6. Secure the OMS after securing all the Agents:

    <OMS_ORACLE_HOME>/bin>./emctl secure oms -console [Other Arguments if any]
    <OMS_ORACLE_HOME>/bin>./emctl secure console [Other Arguments if any]

    Example: In case of a multi-OMS setup configured with an SLB, secure each OMS using:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -slb_jvmd_https_port <slb_jvmd_port> -console [Other arguments if any]

7. Restart the OMS. The OMS can be restarted in a rolling fashion:

    <OMS_HOME>/bin>./emctl stop oms -all -force
    <OMS_HOME>/bin>./emctl start oms

H. How to roll back the OMS to the default EM demo certificates (also applicable when the OMS certificates have expired)

1. It is not possible or supported to unsecure the OMS or run it in non-SSL mode. If you want to switch the OMS upload back to the EM self-signed certificates, run the command below:

    <OMS_HOME>/bin>./emctl secure oms [Other arguments if any]

    Example:

    <OMS_HOME>/bin>./emctl secure oms [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]

    In case of a multi-OMS setup configured with an SLB, secure each OMS using:

    <OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> [Other arguments if any]

    Note: The Admin Server needs to be RUNNING to execute any secure command in EM. If the Admin Server is not running or not accessible due to expired SSL certificates, refer to Note 2220788.1, Section F 'How to rollback EM WLS to default WLS demo certificates', to start the Admin Server and then secure the OMS.

2. Restart the OMS:

    <OMS_HOME>/bin>./emctl stop oms -all -force
    <OMS_HOME>/bin>./emctl start oms

3. If you want to switch the EM Cloud Control Console back to the EM self-signed certificates, run the command below:

    <OMS_HOME>/bin>./emctl secure console -self_signed

4. Restart the OMS:

    <OMS_HOME>/bin>./emctl stop oms -all -force
    <OMS_HOME>/bin>./emctl start oms
What a breath of fresh air! Your enthusiasm and positivity are contagious. Thank you for spreading such good vibes!
To configure the Enterprise Manager Site Country Management Service (OMS) with SSL certificates in EM 13c and 12c, follow these steps: generate a keystore with the SSL certificate, configure the emoms.properties file with SSL settings, and restart the OMS.