Following is how I configured third party certificates for Oracle Enterprise Manager Cloud Control 13c.
The environment I used here is the following:
ORACLE_BASE=/opt/oracle
ORACLE_HOME=/opt/oracle/occ/13.1.0.0
ORACLE_INSTANCE_HOME_LOCATION=/opt/oracle/occ/13.1.0.0/gc_inst
ADMIN_SERVER_HTTPS_PORT=7101
EM_CONSOLE_HTTPS_PORT=7799
AGENT_BASE=/opt/oracle/occ/13.1.0.0/agentbase
AGENT_PORT=3872
EM_UPLOAD_HTTPS_PORT=1159
You may need to make changes depending on your environment.
Step 1 – Create Oracle wallet for the OMS
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet create \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-auto_login \
-pwd walletpassword
Display the wallet contents
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet display \
-wallet /opt/oracle/occ/13.1.0.0/occwallet
You get output like this:
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Step 2 – Create a key within the wallet (use a larger key size)
Your DN will differ depending on your organization.
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet add \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-dn "cn=yourcn, ou=yourou, o=yourorg, c=yourc" \
-keysize 2048 \
-pwd 'walletpassword'
Display the wallet contents once more (same orapki wallet display command as above):
Requested Certificates:
Subject: CN=%1,CN=yourcn,CN=yourcn,OU=yourou,O=yourorg,C=yourc
User Certificates:
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Step 3 – Create a certificate signing request (CSR) based on this key
Make sure the -dn you specify exactly matches the -dn specified earlier.
Provide a filename in the -request argument in which to store the certificate signing request (CSR).
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet export \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-dn "cn=yourcn, ou=yourou, o=yourorg, c=yourc" \
-request /tmp/EM12cCSR.txt
Check the CSR in /tmp/EM12cCSR.txt. It will look something like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
ABCDEFIICijCCAX3cxDjAMBgNVBAoTBXN3aWZ0MRMwEQYDVQQLEwpzc2xz
.........
ABCDEF98kjdf9s6at1D36mrOtmk4xyz
-----END NEW CERTIFICATE REQUEST-----
Step 4 – Generate third party certificates from your Certificate Signing Authority using the above CSR (Certificate Signing Request)
You might need a “Reference number” and “Authorization code” for your Signing Authority.
You will get two certificate files, one root certificate and one user certificate (sometimes you might also have an intermediate certificate).
Let’s say you placed the certificates in the following locations:
root certificate in – /opt/oracle/occ/13.1.0.0/occwallet/ca.cer
user certificate in – /opt/oracle/occ/13.1.0.0/occwallet/cert.cer
Step 5 – Import the root, intermediate, and user certificates into the OMS wallet
Root and intermediate certificates must be imported using -trusted_cert.
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet add \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-trusted_cert -cert /opt/oracle/occ/13.1.0.0/occwallet/ca.cer \
-pwd 'walletpassword'
You must import the user certificate using -user_cert.
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet add \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-user_cert -cert /opt/oracle/occ/13.1.0.0/occwallet/cert.cer \
-pwd 'walletpassword'
Display the wallet contents:
Requested Certificates:
User Certificates:
Subject: CN=%1,CN=yourcn,CN=yourcn,OU=yourou,O=yourorg,C=yourww
Trusted Certificates:
Subject: O=yourorg
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Step 6 – Secure the OMS console using the OMS wallet
Now using emctl from the $OMS_HOME, secure the OMS console using the certificate contained in your wallet.
$OMS_HOME/bin/emctl \
secure console \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-sysman_pwd yoursysmanpassword
Step 7 – Secure the OMS upload port using the OMS wallet
$OMS_HOME/bin/emctl \
secure oms \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-trust_certs_loc /opt/oracle/occ/13.1.0.0/occwallet/ca.cer \
-sysman_pwd yoursysmanpassword \
-reg_pwd youragentregistrationpassword
Step 8 – Re-secure all agents
Apply patch 22568679 first, otherwise the agents will not be able to communicate with the OMS server.
On each agent:
- Back up the file ewallet.p12 in /opt/oracle/occ/13.1.0.0/agentbase/agent_inst/sysman/config/server
- Back up any cwallet.sso files
- Run the secure agent command:
/opt/oracle/occ/13.1.0.0/agentbase/agent_13.1.0.0.0/bin/emctl \
secure agent youragentregistrationpassword
Step 9 – Create Oracle wallets for agents
The OMS connects to the agents at this URL to submit management requests. At the moment, the agents still use self-signed certificates to secure this URL. For this process we create an Oracle wallet per agent, on the OMS host, using the same orapki command as for the OMS wallet. We will generate a certificate signing request from each agent wallet, submit those CSRs to a certificate authority, and import the received certificates. As with the OMS, the agents must use single-host certificates, not wildcard or subject alternative name (SAN) certificates.
Create directories on the OMS server to store the agent wallets:
mkdir /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets
mkdir /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1
mkdir /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost2
Create the agent wallet. This time do NOT use -auto_login_local, use only -auto_login, as you will distribute these wallets to the agent hosts after generating them on the OMS host.
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet create \
-wallet /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1 \
-auto_login -pwd 'walletpassword'
Add a key to the agent wallet.
To determine the correct fully qualified domain name for each agent, execute emctl status agent from the agent home:
/opt/oracle/occ/13.1.0.0/agentbase/agent_13.1.0.0.0/bin/emctl status agent
In the output of the above command, use the host name from the Agent URL line as the cn of the DN in the next command:
Agent URL : https://YOURAGENTHOST:3872/emd/main/
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet add \
-wallet /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1 \
-dn "cn=yourcn, ou=yourou, o=yourorg, c=yourc" \
-keysize 2048 \
-pwd 'walletpassword'
Create a certificate signing request (CSR) based on this key:
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet export \
-wallet /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1 \
-dn "cn=yourcn, ou=yourou, o=yourorg, c=yourc" \
-request /tmp/CSR_agenthost1.txt
Generate third party certificates from your Certificate Signing Authority using the above CSR (Certificate Signing Request).
Get the third party certificates and put them in the following locations:
root in /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/ca.cer
user in /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1/cert.cer
Import the root, intermediate, and user certificates into the agent wallets.
Root and intermediate certificates must be imported using -trusted_cert.
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet add \
-wallet /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1 \
-trusted_cert -cert /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/ca.cer \
-pwd 'walletpassword'
You must import the user certificate using -user_cert.
/opt/oracle/occ/13.1.0.0/oraclehome/oracle_common/bin/orapki \
wallet add \
-wallet /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1 \
-user_cert -cert /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1/cert.cer \
-pwd 'walletpassword'
Step 10 – Configure the agents to use their wallets
Inside the agent wallets you’ve just created on the OMS server, you will find a cwallet.sso file. Take this file from each agent’s wallet and copy it to the corresponding agent host.
On the agent host:
– Stop the agent – emctl stop agent
– Back up the existing cwallet.sso files
ex –
mv /opt/oracle/occ/13.1.0.0/agentbase/agent_inst/sysman/config/cwallet.sso /opt/oracle/occ/13.1.0.0/agentbase/agent_inst/sysman/config/cwallet.sso.20161216
– Copy the cwallet.sso file from the OMS server (location – /opt/oracle/occ/13.1.0.0/agentbase/occagentwallets/agenthost1/cwallet.sso) to this directory on the agent host – $AGENT_INSTANCE_DIR/sysman/config/server/
– Change permissions on $AGENT_INSTANCE_DIR/sysman/config/server/cwallet.sso to 640
– Start the agent – emctl start agent
Check the agent certificate with either of the following methods:
– Check the certificate by accessing the URL https://agenthost1:3872/emd/main/
– From the OMS server call this – /opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl secdiag openurl -url https://agenthost1:3872/emd/main/
Step 11 – Secure WebLogic with the OMS wallet
Securing WebLogic with a wallet only works as of EM12c R3; earlier versions must use a Java keystore. See MOS (Metalink) note 1527874.1 for more information.
Import the root and intermediate certificates into the keystore of the agent on the OMS host.
Use the default password welcome for the agent keystore, and the alias names rootcacert and intercacert (repeat the command with the intermediate certificate and -alias intercacert if your CA issued one).
/opt/oracle/occ/13.1.0.0/agentbase/agent_13.1.0.0.0/bin/emctl \
secure add_trust_cert_to_jks \
-trust_certs_loc /opt/oracle/occ/13.1.0.0/occwallet/ca.cer \
-alias rootcacert \
-password welcome
Back up some WLS configuration files, just in case, before securing WLS with your certificate.
mkdir /home/ora_occ/wlscertbak/
cp -a /opt/oracle/occ/13.1.0.0/gc_inst/em/EMGC_OMS1/emgc.properties /home/ora_occ/wlscertbak/
cp -a /opt/oracle/occ/13.1.0.0/gc_inst/user_projects/domains/GCDomain/nodemanager/nodemanager.properties /home/ora_occ/wlscertbak/
cp -a /opt/oracle/occ/13.1.0.0/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/keystores/proxy /home/ora_occ/wlscertbak/
cp -a /opt/oracle/occ/13.1.0.0/gc_inst/user_projects/domains/GCDomain/config/config.xml /home/ora_occ/wlscertbak
Stop the OMS:
/opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl stop oms
Secure WLS using the OMS wallet created earlier:
/opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl secure wls \
-wallet /opt/oracle/occ/13.1.0.0/occwallet \
-sysman_pwd sysmanpassword
Stop the Webtier:
/opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl stop oms -all
Start the OMS:
/opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl start oms
Check the certificate:
– Check the certificate by accessing the admin server port –
ex – this is the default port – https://OMSSERVER:7101/
– From the OMS server call this – /opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl secdiag openurl -url https://OMSSERVER:7101/
Troubleshooting
To check certificates:
openssl s_client -connect yourserver:7799
You can use any port in use in place of 7799.
To check certificate dates:
openssl s_client -connect yourserver:7799 | openssl x509 -noout -dates
To check the certificates used by the OMS upload port:
/opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl secdiag openurl -url https://yourserver:1159/empbs/upload
To check the certificates used by a target agent:
/opt/oracle/occ/13.1.0.0/oraclehome/bin/emctl secdiag openurl -url https://youragentmachine:3872/emd/main/
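The agent check in Step 10 and the openssl checks above can be scripted so every EM endpoint (console 7799, admin server 7101, upload 1159, agents 3872) is verified the same way. The following Python is an added example, not code from the original post: it fetches the certificate an endpoint serves, validates the chain against the ca.cer from Step 4, and reports a CN that does not match the host name or an expiry that is near. The host, port and CA path are command-line arguments you supply; the 30-day warning threshold is my assumption.

```python
"""Verify the certificate served by an EM endpoint (added example)."""
import socket
import ssl
import sys
from datetime import datetime, timezone


def fetch_peer_cert(host, port, ca_file, timeout=10):
    """Connect over TLS, validate the chain against ca_file (the CA from
    Step 4) and return the peer certificate as the dict ssl decodes."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_cn(cert):
    """Return the commonName from the subject of a getpeercert() dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative means already expired."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days


def check_cert(cert, expected_host, now=None, min_days=30):
    """Return a list of findings; an empty list means the endpoint is fine.
    EM wants single-host certificates, so the CN must equal the host name."""
    findings = []
    cn = subject_cn(cert)
    if cn != expected_host:
        findings.append(f"CN {cn!r} does not match host {expected_host!r}")
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(f"certificate expired {-left} days ago")
    elif left < min_days:  # 30-day threshold is an assumption
        findings.append(f"certificate expires in {left} days")
    return findings


if __name__ == "__main__":
    # usage: python check_em_cert.py agenthost1 3872 /path/to/ca.cer
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    problems = check_cert(fetch_peer_cert(host, port, ca), host)
    print("\n".join(problems) or f"{host}:{port} OK")
```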
Reference – EM 12c, EM 13c: Troubleshooting Guide for Enterprise Manager Cloud Control Agent Communication Errors Like: peer Not authenticated (Doc ID 1556543.1)