Certificate installation on OEM

Login to OEM server <OMS server> follow the procedure : 
  

Create a keystore : 

  
$ cd /<base>/Middleware/jdk16/jdk/bin 
  
./keytool -genkey -alias <host name>  -keyalg RSA -keystore <host name>.jks  -keysize 2048 
  

Fill the details : 

  
Enter keystore password: 
Re-enter new password: 
What is your first and last name? 
  [Unknown]:  <host name>​ 
What is the name of your organizational unit? 
  [Unknown]:  Secure-24 
What is the name of your organization? 
  [Unknown]:  Secure-24 
What is the name of your City or Locality? 
  [Unknown]:  Southfield 
What is the name of your State or Province? 
  [Unknown]:  Michigan 
What is the two-letter country code for this unit? 
  [Unknown]:  US 
Is CN=<host name>, OU=Secure-24, O=Secure-24, L=Southfield, ST=Michigan, C=US correct? 
  [no]:  yes 
  
Enter key password for <<host name>> 
        (RETURN if same as keystore password):******** 
Re-enter new password:***** 
  

Create CSR by using newly created keystore : 

  
$./keytool -certreq -alias <host name> -keystore <host name>.jks -file <host name>.csr 
  
EX: 
[oracle@<host name> bin]$ ./keytool -certreq -alias <host name> -keystore <host name>.jks -file <host name>.csr 
Enter keystore password: 
  
Submit the new CSR to certificate authority, once you have the certs import all the certs to key store: 
  
Bundle cert : 
  
$./keytool -import -alias root -keystore <host name>.jks -trustcacerts -file bundle.cer 
  
Chain cert : 
  
$ ./keytool -import -alias intermed -keystore <host name>.jks -trustcacerts -file gdig2.cer 
Root cert : 
  
$ ./keytool -import -alias root_GD -keystore <host name>.jks -trustcacerts -file root.crt 
  
Server cert : 
  
$ ./keytool -import -alias <host name> -keystore <host name>.jks -trustcacerts -file server.cer 
Validation of the imported certs : 
  
$. /keytool -importkeystore -srckeystore <host name>.jks -destkeystore <host name>.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass **** -deststorepass **** -srcalias <host name> -destalias <host name> -srckeypass **** -destkeypass *** -noprompt 
 $openssl pkcs12 -in <host name>.p12 -out tempcrt.pem 
  $openssl x509 -in tempcrt.pem -noout -enddate 
  

Create a wallet : 

  
cd /u03/app/oracle/Middleware/ 
  
  mkdir wallet1 
   
   orapki wallet create -wallet /u03/app/oracle/Middleware/wallet1 
   
   orapki wallet jks_to_pkcs12 -wallet jks_to_pkcs12 -wallet /u03/app/oracle/Middleware/wallet1 -keystore /u03/app/oracle/Middleware/jdk16/jdk/bin/<host name>.jks 
   
   orapki wallet create -wallet /u03/app/oracle/Middleware/wallet1 -auto_login 
   
    orapki wallet display -wallet /u03/app/oracle/Middleware/wallet1 
  

SSL configurations on Webtier : 

  
cd /u03/app/oracle/Middleware/gc_inst/WebTierIH1/config/OHS/ohs1 
  
Change the wallet location in ssl.conf to newly created wallet location i.e /u03/app/oracle/Middleware/wallet1 



Backout Plan: 

This either works or it doesnt.   The only backout plan is to remove the certificate file and restart the OMS 
Note: This activity was performed by my coleague thanks to him for sharing ..

 Thanks
Anil Vejendla

Comments

Post a Comment

Popular posts from this blog

ORA-28086: The data redaction policy expression has an error

Image
Error: ERROR at line 1: ORA-28086: The data redaction policy expression has an error. ORA-06512: at "SYS.DBMS_REDACT_INT", line 3 ORA-06512: at "SYS.DBMS_REDACT", line 42 ORA-06512: at line 1 When we try to run same as sys user it is working perfectly fine, but as a normal user it is failing with below errors. No Privileges issue because AVO user had DBA Privilege .. Versions  confirmed  as being affected 12.1.0.2 (Server Patch Set) 11.2.0.4 Fixed: The fix for 20693579 is first included in 12.2.0.1 (Base Release) Cause : Bug 20693579 - DBMS_REDACT.ADD_POLICY fails with ORA-28086 when CURSOR_SHARING is force (Doc ID 20693579.8) To Bottom Bug 20693579  DBMS_REDACT.ADD_POLICY fails with ORA-28086 when CURSOR_SHARING is force  This note gives a brief overview of bug 20693579.  The content was last updated on: 17-FEB-2017   Click  here  for details of each of the sections below. Aff...
Read more

ORA-65139: Mismatch between XML metadata file and data file

Error: CDB$ROOT@EBTUPRDC> CREATE PLUGGABLE DATABASE EBTUSPRDPDB1 using '/home/oracle/EBTUSPRDC.xml' nocopy tempfile reuse; CREATE PLUGGABLE DATABASE EBTUSPRDPDB1 using '/home/oracle/EBTUSPRDC.xml' nocopy tempfile reuse * ERROR at line 1: ORA-65139: Mismatch between XML metadata file and data file /u05/odb/ORADATA_1/EBTUSPRDC/datafile/system.1531.807800993 for value of fcpsb (2230502002 in the plug XML file, 2230505492 in the data file) Fix: Don't open Non-CDB database until we complete pdb creation other wise we will get above error. Shutdown immediate; startup mount; alter database open read only; create xml file. shutdown immediate; Connect to CDB and Create Pluggable database .
Read more

TFA-00002 : Oracle Trace File Analyzer (TFA) is not running

TFA Failed to start listening for commands on one of the Rac Node : As a root user /etc/init.d/init.tfa  start Starting TFA.. start: Job is already running: oracle-tfa Waiting up to 100 seconds for TFA to be started.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Successfully started TFA Process.. . . . . . TFA-00002 : Oracle Trace File Analyzer (TFA) is not running TFA Failed to start listening for commands Solution : run synctfanodes.sh  if you have root password . if no root password copy below files to TFA Failed node and try to restart TFA .. Please check whether these 4 files exist on all nodes are similar. TFA_HOME/server.jks TFA_HOME/client.jks TFA_HOME/internal/ssl.properties   TFA_HOME/internal/ portmapping.txt If not similar just copy these files to TFA Failing node and try TFA Restart ..It Worked for me .   [root@host01]# ./tfactl  -v "debug" start Starting TFA...
Read more