EM 13c: How To Renew The Expired Default Certificate Of Oracle Management Server (OMS) And Agent

 


APPLIES TO:

Enterprise Manager Base Platform - Version 13.2.0.0.0 and later
Information in this document applies to any platform.

GOAL

Steps to renew the expired default certificate of the Oracle Management Server (OMS) and Agent for an EM 13c installation.

These steps apply only when the Oracle Enterprise Manager (EM) Cloud Control default certificate has expired.

If a custom certificate has expired, follow the note below:
Note: 2202569.1 EM 13c, 12c: How to Configure the Enterprise Manager Management Service (OMS) with Secure Socket Layer (SSL) Certificates

 

SOLUTION

The following steps renew the Oracle Enterprise Manager (EM) Cloud Control default certificate:

1. Take a backup of EM (OMS and Repository DB) before executing the steps below.

1a. Stop the OMS and start only the Admin Server:

cd <OMS_HOME>/bin
emctl stop oms -all -force
emctl start oms -admin_only

2. Run the command below to create a new EM Certificate Authority (CA):

cd <OMS_HOME>/bin
emctl secure createca [-sysman_pwd <sysman_pwd>] [-host <host>] [-root_country <root_country>] [-root_state <root_state>] [-root_org <root_org>] [-root_unit <root_unit>] [-key_strength <key_strength>] [-cert_validity <cert_validity>]

All the arguments are optional; specify them only if required. If the sysman password is not provided on the command line, you will be prompted for it.

Note: Set "-cert_validity" to the number of days for which the self-signed certificate should be valid. The valid range is 1 to 3650.


3. In case of a multi-OMS setup, copy the <gc_inst>/em/EMGC_OMS1/sysman/config/b64LocalCertificate.txt from the machine on which "emctl secure createca" was run to all other OMS machines at the same location, i.e. <gc_inst>/em/EMGC_OMS/sysman/config/b64LocalCertificate.txt

4. Secure all the OMS with the new CA:

cd <OMS_HOME>/bin
emctl secure oms -force_newca [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]
emctl secure console -self_signed

In case of a multi-OMS setup configured with an SLB, secure each of the OMS using:

<OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -force_newca -console [Other arguments if any]


5. Restart all the OMS:

cd <OMS_HOME>/bin
emctl stop oms -all
emctl start oms

6. You can view the details of the newly created Certificate Authority using the commands below:

cd <OMS_HOME>/bin
emcli login -username=sysman
emcli sync
emcli get_ca_info -details

7. Secure all the Agents so that they are also issued a certificate by the newly created CA.

<AGENT HOME>/bin>./emctl secure agent

8. Verify the demo certificate details at the OMS URLs:

cd <OMS_HOME>/bin
emctl secdiag openurl -url https://<omshost.domain:upload_portno>/empbs/upload
emctl secdiag openurl -url https://<omshost.domain:console_portno>/em
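
A follow-up check for step 8, as an added example that is not part of the original note: the shell functions below use the openssl command-line tool (assumed to be installed) to save the certificate an OMS endpoint presents and to classify its remaining validity. The function names, the 30-day default warning window and the /tmp path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original note): confirm that the certificate
# served after renewal is the new one and is not about to expire again.

# cert_status <pem-file> [warn_days]
# Prints one of: OK, EXPIRING, EXPIRED, UNREADABLE.
# Returns 0 only for OK, so it can gate a monitoring job.
cert_status() {
    pem=$1
    warn_days=${2:-30}   # assumed default warning window, in days

    # Reject input that does not parse as an X.509 certificate.
    openssl x509 -noout -in "$pem" 2>/dev/null || { echo UNREADABLE; return 2; }

    # -checkend N exits non-zero if the certificate expires within N seconds;
    # N=0 therefore means "already expired".
    if ! openssl x509 -noout -checkend 0 -in "$pem" >/dev/null; then
        echo EXPIRED
        return 1
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$pem" >/dev/null; then
        echo EXPIRING
        return 1
    fi
    echo OK
}

# fetch_cert <host> <port> <out-file>
# Saves the leaf certificate presented by a TLS endpoint as PEM.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Usage after steps 5 and 7 (host and port are site-specific placeholders):
#   fetch_cert <omshost.domain> <upload_portno> /tmp/oms_upload.pem &&
#       cert_status /tmp/oms_upload.pem 60
```

Run it against both the upload port and the console port, since step 4 secures them with separate commands.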
