Certificate installation on OEM

Login to OEM server <OMS server> follow the procedure : 
  

Create a keystore : 

  
$ cd /<base>/Middleware/jdk16/jdk/bin 
  
./keytool -genkey -alias <host name>  -keyalg RSA -keystore <host name>.jks  -keysize 2048 
  

Fill the details : 

  
Enter keystore password: 
Re-enter new password: 
What is your first and last name? 
  [Unknown]:  <host name>​ 
What is the name of your organizational unit? 
  [Unknown]:  Secure-24 
What is the name of your organization? 
  [Unknown]:  Secure-24 
What is the name of your City or Locality? 
  [Unknown]:  Southfield 
What is the name of your State or Province? 
  [Unknown]:  Michigan 
What is the two-letter country code for this unit? 
  [Unknown]:  US 
Is CN=<host name>, OU=Secure-24, O=Secure-24, L=Southfield, ST=Michigan, C=US correct? 
  [no]:  yes 
  
Enter key password for <<host name>> 
        (RETURN if same as keystore password):******** 
Re-enter new password:***** 
  

Create CSR by using newly created keystore : 

  
$./keytool -certreq -alias <host name> -keystore <host name>.jks -file <host name>.csr 
  
EX: 
[oracle@<host name> bin]$ ./keytool -certreq -alias <host name> -keystore <host name>.jks -file <host name>.csr 
Enter keystore password: 
  
Submit the new CSR to certificate authority, once you have the certs import all the certs to key store: 
  
Bundle cert : 
  
$./keytool -import -alias root -keystore <host name>.jks -trustcacerts -file bundle.cer 
  
Chain cert : 
  
$ ./keytool -import -alias intermed -keystore <host name>.jks -trustcacerts -file gdig2.cer 
Root cert : 
  
$ ./keytool -import -alias root_GD -keystore <host name>.jks -trustcacerts -file root.crt 
  
Server cert : 
  
$ ./keytool -import -alias <host name> -keystore <host name>.jks -trustcacerts -file server.cer 
Validation of the imported certs : 
  
$. /keytool -importkeystore -srckeystore <host name>.jks -destkeystore <host name>.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass **** -deststorepass **** -srcalias <host name> -destalias <host name> -srckeypass **** -destkeypass *** -noprompt 
 $openssl pkcs12 -in <host name>.p12 -out tempcrt.pem 
  $openssl x509 -in tempcrt.pem -noout -enddate 
  

Create a wallet : 

  
cd /u03/app/oracle/Middleware/ 
  
  mkdir wallet1 
   
   orapki wallet create -wallet /u03/app/oracle/Middleware/wallet1 
   
   orapki wallet jks_to_pkcs12 -wallet jks_to_pkcs12 -wallet /u03/app/oracle/Middleware/wallet1 -keystore /u03/app/oracle/Middleware/jdk16/jdk/bin/<host name>.jks 
   
   orapki wallet create -wallet /u03/app/oracle/Middleware/wallet1 -auto_login 
   
    orapki wallet display -wallet /u03/app/oracle/Middleware/wallet1 
  

SSL configurations on Webtier : 

  
cd /u03/app/oracle/Middleware/gc_inst/WebTierIH1/config/OHS/ohs1 
  
Change the wallet location in ssl.conf to newly created wallet location i.e /u03/app/oracle/Middleware/wallet1 



Backout Plan: 

This either works or it doesnt.   The only backout plan is to remove the certificate file and restart the OMS 
Note: This activity was performed by my coleague thanks to him for sharing ..

 Thanks
Anil Vejendla

Comments

Post a Comment

Popular posts from this blog

Useful OEM Queries to get Target details from OEM Repository

List Targets with TNS Listener ports configured : SELECT mgmt$target.host_name , mgmt$target.target_name , mgmt$target.target_type , mgmt$target_properties.property_name , mgmt$target_properties.property_value FROM mgmt$target , mgmt$target_properties WHERE ( mgmt$target.target_name = mgmt$target_properties.target_name ) AND ( mgmt$target.target_type = mgmt$target_properties.target_type ) and ( mgmt$target.target_type = 'oracle_listener' ) and ( mgmt$target_properties.property_name = 'Port' ); Devora02       LISTENER_ora02                       oracle_listener Port 1529 Devora01       LISTENER_ora01                       oracle_listener Port 1529 Devora04       LISTENER_ora04                       oracle_listener Port 1529 List Machine_Names, CPU Count & Database Verion for Licensing SELECT mgmt$target.host_name , mgmt$target_properties.property_name , mgmt$target_properties.property_value FROM mgmt$target , mgmt$target_properties WHERE ( mgmt$
Read more

WARNING: Subscription for node down event still pending' in Listener Log

Image
These messages are related to the Oracle TNS Listener's default subscription to the Oracle Notification Service (ONS). In a non-RAC environment it is recommended to disable this subscription.   This feature was introduced in Oracle 10g. SOLUTION Set the following parameter in the listener.ora: SUBSCRIBE_FOR_NODE_DOWN_EVENT_<listener_name>=OFF Where <listener_name> should be replaced with the actual listener name configured in the LISTENER.ORA file. SUBSCRIBE_FOR_NODE_DOWN_EVENT_<listener_name> parameter is to be placed by itself on an empty line. It will be necessary to restart or reload the listener following the addition of this parameter. This will prevent the messages from being written to the log file and may also prevent the TNS Listener from hanging periodically.  See (10g only) NOTE 340091.1 Intermittent TNS Listener Hang, New Child Listener Process Forked Please Note: Setting SUBSCRIBE_FOR_NODE_DOWN_<listener_n
Read more

ORA-65139: Mismatch between XML metadata file and data file

Error: CDB$ROOT@EBTUPRDC> CREATE PLUGGABLE DATABASE EBTUSPRDPDB1 using '/home/oracle/EBTUSPRDC.xml' nocopy tempfile reuse; CREATE PLUGGABLE DATABASE EBTUSPRDPDB1 using '/home/oracle/EBTUSPRDC.xml' nocopy tempfile reuse * ERROR at line 1: ORA-65139: Mismatch between XML metadata file and data file /u05/odb/ORADATA_1/EBTUSPRDC/datafile/system.1531.807800993 for value of fcpsb (2230502002 in the plug XML file, 2230505492 in the data file) Fix: Don't open Non-CDB database until we complete pdb creation other wise we will get above error. Shutdown immediate; startup mount; alter database open read only; create xml file. shutdown immediate; Connect to CDB and Create Pluggable database .
Read more