Wednesday, February 20, 2013

OEM 12c Security Certificate Installation




Summary
The security certificate is just one component of Oracle Enterprise Manager security. The certificate is used for HTTPS traffic, so normal HTTP traffic should be shut off for both console and upload traffic, forcing all communication to the OMS to come over a secure channel that uses the certificate. Shutting off normal HTTP traffic is not required, but it is recommended when using a certificate: there is little point in installing a certificate if unsecured HTTP remains available.

Prepare Security Certificate Request
1. Login to the first OEM server as the owner of the OMS installation, typically oracle.

2. Set the environment to the repository database home, or to a database home installed on the OMS server, since that is where the orapki utility is located. Unfortunately, if you do not have a database installation on the OMS server you will need to use another home that contains it.


. oraenv
ORACLE_SID = [oemrep] ? oemrep
The Oracle base remains unchanged with value /u00/app/oracle


3. Create an auto-login wallet; an auto-login wallet is required for this installation/setup.


# orapki wallet create -wallet /home/oracle/wallet -auto_login

4. Generate the security certificate request. This must be done with Oracle Wallet Manager or the orapki utility; generating it any other way is not acceptable. In this case we are calling the server oem.domain.com, which is not the actual server name but the name used via the load balancer. Ensure that you use the server name that you are generating the certificate for, as it will be used when addressing the server, which typically includes the domain.

# orapki wallet add -wallet /home/oracle/wallet -dn "CN=oem.domain.com, OU=EM, O=My Company, L=My City, ST=My State, C=US" -keysize "2048" -pwd password


# orapki wallet export -wallet /home/oracle/wallet -dn "CN=oem.domain.com, OU=EM, O=My Company, L=My City, ST=My State, C=US" -pwd password -request /home/oracle/wallet/csr_request.txt

5. Send the csr_request.txt to your security team to generate the certificate(s).
You should receive three files: a root certificate, an intermediate certificate and the SSL/user certificate.


6. Do not remove the generated wallet files, as you will need them once the security certificates are returned to you.

Install the Security Certificate
1. Import the Root certificate into the wallet


# orapki wallet add -wallet /home/oracle/wallet -trusted_cert -cert /home/oracle/wallet/Root.cer.txt -pwd password

2. Import the intermediate certificate into the wallet


# orapki wallet add -wallet /home/oracle/wallet -trusted_cert -cert /home/oracle/wallet/intermediate.cer.txt -pwd password

3. Import the SSL/User certificate into the wallet


# orapki wallet add -wallet /home/oracle/wallet -user_cert -cert /home/oracle/wallet/server.cer.txt -pwd password

4. Display the wallet


# orapki wallet display -wallet /home/oracle/wallet

5. cat the intermediate certificate and the root certificate into a trusted certificates file (the file names match the certificates imported above)


# cd /home/oracle/wallet
# cat intermediate.cer.txt >> trusted.cer.txt
# cat Root.cer.txt >> trusted.cer.txt
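The two cat commands above silently produce a broken bundle if one of the files is not PEM, and appending with `>>` duplicates entries every time the step is re-run. The following shell script is an added example, not part of the original post: it builds the trusted bundle that `emctl secure oms -trust_certs_loc` reads, checks that each input is a well-formed PEM certificate file, and rewrites the bundle instead of appending. The wallet directory layout and file names follow the post; the `make_demo_wallet` function and the certificate bodies it writes are constructed for the demo and are not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the trusted
# certificate bundle for "emctl secure oms -trust_certs_loc" safely.

# pem_cert_count FILE -> prints the number of complete PEM certificate
# blocks in FILE; returns 1 if BEGIN/END lines are missing or unbalanced.
pem_cert_count() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$1: not a well-formed PEM certificate file" >&2
        return 1
    fi
    echo "$begins"
}

# build_trusted_bundle WALLET_DIR OUTFILE CA_FILE...
# Writes WALLET_DIR/OUTFILE from the CA certificates (intermediate, root).
# The output is truncated first, so re-running never duplicates entries.
# Prints the number of certificates in the finished bundle.
build_trusted_bundle() {
    dir=$1; out=$2; shift 2
    : > "$dir/$out"
    for ca in "$@"; do
        pem_cert_count "$dir/$ca" > /dev/null || return 1
        cat "$dir/$ca" >> "$dir/$out"
        # guarantee a newline between concatenated certificates
        if [ -n "$(tail -c1 "$dir/$ca")" ]; then
            echo >> "$dir/$out"
        fi
    done
    chmod 644 "$dir/$out"   # public certificates only, no private key here
    pem_cert_count "$dir/$out"
}

# make_demo_wallet DIR -> constructed sample files mirroring the post's
# Root.cer.txt / intermediate.cer.txt / server.cer.txt (fake bodies).
make_demo_wallet() {
    for name in Root intermediate server; do
        printf '%s\n%s\n%s\n' \
            '-----BEGIN CERTIFICATE-----' \
            "CONSTRUCTED-$name-BODY-NOT-A-REAL-CERTIFICATE" \
            '-----END CERTIFICATE-----' > "$1/$name.cer.txt"
    done
}

# Usage with the constructed files (replace with /home/oracle/wallet in use):
#   d=$(mktemp -d); make_demo_wallet "$d"
#   build_trusted_bundle "$d" trusted.cer.txt intermediate.cer.txt Root.cer.txt
```

Only the intermediate and root certificates belong in the bundle; the server (user) certificate is already in the wallet from the `-user_cert` import and is passed separately.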


6. Set the environment to the OMS


# . oraenv
oms


7. Secure the console


# emctl secure console -wallet /home/oracle/wallet

8. import the wallet and certificate into OMS


# emctl secure oms -host oem.domain.com -wallet /home/oracle/wallet -trust_certs_loc /home/oracle/wallet/trusted.cer.txt

9. Secure the agent on the local OMS host by securing the agent and then uploading it.


# . oraenv
agent
# emctl secure agent
# emctl upload agent


10. Lock the upload to only secure traffic

# emctl secure lock -upload

11. Lock the console access to only secure traffic (https)

# emctl secure lock -upload -console

12. Check the status of the OMS and agent in the console

http://oem.domain.com:7801/em


13. Login to the second OMS server as the oracle account and set the environment to the OMS


# . oraenv
oms


14. Copy the certificates and wallet from the first OMS to the same location, /home/oracle/wallet

15. Secure the console


# emctl secure console -wallet /home/oracle/wallet


16. import the wallet and certificate into OMS


# emctl secure oms -host oem.domain.com -wallet /home/oracle/wallet -trust_certs_loc /home/oracle/wallet/trusted.cer.txt


17. secure the agent on the OMS server


# . oraenv
agent
# emctl secure agent 

# emctl upload agent

18. Check the status of the OMS and agent in the console

http://oem.domain.com:7801/em


Secure All Agents on All Hosts
1. Go to every target host with an agent and re-secure the agent
# . oraenv
agent
# emctl secure agent   (or: emctl secure agent -emdWalletSrcUrl https::/em)
# emctl upload agent




2. Check the status of the OMS and the agent in the console for each target agent after securing it

http://oem.domain.com:7801/em


** Special note when a blackout of targets is set prior to certificate work
I had issues here as I blacked out all my targets before I started; after I stopped the blackout I had to go back to each agent and execute a clear state, reload and upload to clear out all blackouts

emctl clearstate agent
emctl reload agent
emctl upload agent

OEM 12c Manual Agent Installation



Get the agent software from OMS on the OMS server

** This only needs to be done once per platform. It stages the agent software installation on the OMS server, and the staged software can then be copied to other servers of the same platform/OS as required.

1. Login to the OMS using the emcli utility

# emcli login -username=sysman -password=passwordhere
Login successful

2. Get the list of supported platforms to check that the platform for your agent is there

# emcli get_supported_platforms

Getting list of platforms ...
Check the logs at /u00/app/oracle/Middleware/gc_inst/em/EMGC_OMS1/sysman/emcli/setup/.emcli/agent.log
About to access self-update code path to retrieve the platforms list..
Getting Platforms list  ...
-----------------------------------------------
Version = 12.1.0.2.0
 Platform = Linux x86-64
-----------------------------------------------
Platforms list displayed successfully.


3. Get the agent for your platform, using the platform value from the previous step.

# emcli get_agentimage -destination=/home/oracle -platform="Linux x86-64" -version=12.1.0.2.0

Platform:Linux x86-64
Destination:/home/oracle
 === Partition Detail ===
Space free : 2 GB
Space required : 1 GB
Check the logs at /u00/app/oracle/Middleware/gc_inst/em/EMGC_OMS1/sysman/emcli/setup/.emcli/get_agentimage_2012-12-05_21-04-34-PM.log
Setting property ORACLE_HOME to:/u00/app/oracle/Middleware/oms
calling pulloneoffs with arguments:/u00/app/oracle/Middleware/oms/u00/app/oracle/Middleware/oms/sysman/agent/12.1.0.2.0_AgentCore_226.zip12.1.0.2.0linux_x64
Check this logs for more information: /u00/app/oracle/Middleware/oms/sysman/prov/agentpush/logs

Install Agent on Each Server
** For every server that needs an agent installation, do the following steps
1. Copy the agent software zip to the node where the agent is to be installed
               
# cd /u01/app/oracle
# mkdir software
# cd software
# scp :/home/oracle/12.1.0.2.0_AgentCore_226.zip ./

2. Unzip the copied agent installation

# unzip 12.1.0.2.0_AgentCore_226.zip

3. Update the agent.rsp file. Note that ORACLE_HOSTNAME has to be updated for each install; the example below is for guidance and will vary in your environment.

# vi agent.rsp

Example:
OMS_HOST=oem.domain.com
EM_UPLOAD_PORT=4901
AGENT_REGISTRATION_PASSWORD=weblogic031oemrep
AGENT_INSTANCE_HOME=/u01/app/oracle/product/agent/agent_inst
AGENT_PORT=3872
b_startAgent=true
ORACLE_HOSTNAME=server.domain.com
s_agentHomeName="agent12cR2"


4. If a load balancer is used, ensure the load balancer name is in /etc/hosts or DNS; otherwise the OMS server name you are using will need to be in /etc/hosts or in DNS

# vi /etc/hosts

# Example
192.168.1.112    oem.domain.com                   oem
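Steps 3 and 4 are the two places where a per-server install goes wrong: a stale ORACLE_HOSTNAME copied from the previous host, an OMS name that does not resolve, and a response file that holds AGENT_REGISTRATION_PASSWORD in clear text but is left world-readable. The script below is an added example, not part of the original post: it generates agent.rsp for one target host from the post's template, refuses to write it unless OMS_HOST has an entry in the hosts file, and creates the file with mode 600. The hosts file is passed as a parameter so the check can run against a constructed copy (`make_demo_hosts`); the OMS name, ports and paths are the post's example values, and the registration password is a placeholder argument.

```shell
#!/bin/sh
# Added example (not from the original post): per-host agent.rsp generation
# with a hosts-file check and owner-only permissions.

# oms_resolvable HOSTS_FILE NAME -> 0 if NAME appears as a hostname or alias
# on a non-comment line of HOSTS_FILE. ('.' in NAME matches any character,
# which is acceptable for this check.)
oms_resolvable() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -q -e "[[:space:]]$2[[:space:]]" -e "[[:space:]]$2\$"
}

# write_agent_rsp OUT_FILE TARGET_HOST OMS_HOST REG_PASSWORD
# Template values other than the parameters follow the post's example.
write_agent_rsp() {
    out=$1; target=$2; oms=$3; regpw=$4
    (
        umask 077   # created rw------- : the file carries the registration password
        cat > "$out" <<EOF
OMS_HOST=$oms
EM_UPLOAD_PORT=4901
AGENT_REGISTRATION_PASSWORD=$regpw
AGENT_INSTANCE_HOME=/u01/app/oracle/product/agent/agent_inst
AGENT_PORT=3872
b_startAgent=true
ORACLE_HOSTNAME=$target
s_agentHomeName="agent12cR2"
EOF
    )
}

# prepare_rsp HOSTS_FILE OUT_FILE TARGET_HOST OMS_HOST REG_PASSWORD
# Runs the step-4 check before writing the step-3 file.
prepare_rsp() {
    hosts=$1; out=$2; target=$3; oms=$4; regpw=$5
    if ! oms_resolvable "$hosts" "$oms"; then
        echo "$oms has no entry in $hosts; add it (or a DNS record) before running agentDeploy.sh" >&2
        return 1
    fi
    write_agent_rsp "$out" "$target" "$oms" "$regpw"
}

# rsp_value FILE KEY -> prints the value of KEY in FILE
rsp_value() {
    sed -n "s/^$2=//p" "$1"
}

# rsp_mode FILE -> permission string as shown by ls, e.g. -rw-------
rsp_mode() {
    ls -l "$1" | cut -c1-10
}

# make_demo_hosts FILE -> constructed copy of the post's /etc/hosts example
make_demo_hosts() {
    printf '# Example\n192.168.1.112    oem.domain.com                   oem\n' > "$1"
}

# Usage on a real host (writes /u01/app/oracle/software/agent.rsp):
#   prepare_rsp /etc/hosts /u01/app/oracle/software/agent.rsp \
#       "$(hostname -f)" oem.domain.com 'REGISTRATION-PASSWORD-PLACEHOLDER'
```

Generating the file per host rather than editing a copied one is what keeps ORACLE_HOSTNAME correct; the 600 mode matters because agentDeploy.sh reads the response file as the oracle user and nothing else needs it.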


5. Execute the agent silent installation

# /u01/app/oracle/software/agentDeploy.sh AGENT_BASE_DIR=/u01/app/oracle/product/agent RESPONSE_FILE=/u01/app/oracle/software/agent.rsp

Example Output:
Validating the OMS_HOST & EM_UPLOAD_PORT
Executing command : /u01/app/oracle/product/agent/core/12.1.0.2.0/jdk/bin/java -classpath /u01/app/oracle/product/agent/core/12.1.0.2.0/jlib/agentInstaller.jar:/u01/app/oracle/product/agent/core/12.1.0.2.0/oui/jlib/OraInstaller.jar oracle.sysman.agent.installer.AgentInstaller /u01/app/oracle/product/agent/core/12.1.0.2.0 /u01/app/oracle/software /u01/app/oracle/product/agent -prereq

Validating oms host & port with url: http://oem.domain.com:4901/empbs/genwallet
Validating oms host & port with url: https://oem.domain.com:4901/empbs/genwallet
Return status:3
Unzipping the agentcoreimage.zip to /u01/app/oracle/product/agent ....
12.1.0.2.0_PluginsOneoffs_226.zip
Executing command : /u01/app/oracle/software/unzip -o /u01/app/oracle/software/12.1.0.2.0_PluginsOneoffs_226.zip -d /u01/app/oracle/product/agent
Executing command : /u01/app/oracle/product/agent/core/12.1.0.2.0/jdk/bin/java -classpath /u01/app/oracle/product/agent/core/12.1.0.2.0/oui/jlib/OraInstaller.jar:/u01/app/oracle/product/agent/core/12.1.0.2.0/oui/jlib/xmlparserv2.jar:/u01/app/oracle/product/agent/core/12.1.0.2.0/oui/jlib/srvm.jar:/u01/app/oracle/product/agent/core/12.1.0.2.0/oui/jlib/emCfg.jar:/u01/app/oracle/product/agent/core/12.1.0.2.0/jlib/agentInstaller.jar:/u01/app/oracle/product/agent/core/12.1.0.2.0/oui/jlib/share.jar oracle.sysman.agent.installer.AgentInstaller /u01/app/oracle/product/agent/core/12.1.0.2.0 /u01/app/oracle/software /u01/app/oracle/product/agent /u01/app/oracle/product/agent/agent_inst AGENT_BASE_DIR=/u01/app/oracle/product/agent AGENT_BASE_DIR=/u01/app/oracle/product/agent RESPONSE_FILE=/u01/app/oracle/software/agent.rsp


Executing agent install prereqs...
Executing command: /u01/app/oracle/product/agent/core/12.1.0.2.0/oui/bin/runInstaller -ignoreSysPrereqs -prereqchecker -silent -ignoreSysPrereqs -waitForCompletion  -prereqlogloc /u01/app/oracle/product/agent/core/12.1.0.2.0/cfgtoollogs/agentDeploy -entryPoint oracle.sysman.top.agent_Complete -detailedExitCodes PREREQ_CONFIG_LOCATION=/u01/app/oracle/product/agent/core/12.1.0.2.0/prereqs  -J-DORACLE_HOSTNAME=server.domain.com -J-DAGENT_PORT=3872 -J-DAGENT_BASE_DIR=/u01/app/oracle/product/agent
Prereq Logs Location:/u01/app/oracle/product/agent/core/12.1.0.2.0/cfgtoollogs/agentDeploy/prereq.log
Agent install prereqs completed successfully

Cloning the agent home...
Executing command: /u01/app/oracle/product/agent/core/12.1.0.2.0/oui/bin/runInstaller -ignoreSysPrereqs -clone -forceClone -silent -waitForCompletion -nowait ORACLE_HOME=/u01/app/oracle/product/agent/core/12.1.0.2.0 -responseFile /u01/app/oracle/software/agent.rsp  AGENT_BASE_DIR=/u01/app/oracle/product/agent AGENT_BASE_DIR=/u01/app/oracle/product/agent RESPONSE_FILE=/u01/app/oracle/software/agent.rsp -noconfig  ORACLE_HOME_NAME=agent12cR2 -force b_noUpgrade=true
Clone Action Logs Location:/u01/app/oraInventory/logs/cloneActions.log
Cloning of agent home completed successfully

Attaching sbin home...
Executing command: /u01/app/oracle/product/agent/core/12.1.0.2.0/oui/bin/runInstaller -ignoreSysPrereqs -attachHome -waitForCompletion -nowait ORACLE_HOME=/u01/app/oracle/product/agent/sbin ORACLE_HOME_NAME=sbin12c1 -force
Attach Home Logs Location:/u01/app/oracle/product/agent/core/12.1.0.2.0/cfgtoollogs/agentDeploy/AttachHome.log
Attach home for sbin home completed successfully.

Updating home dependencies...
Executing command: /u01/app/oracle/product/agent/core/12.1.0.2.0/oui/bin/runInstaller -ignoreSysPrereqs -updateHomeDeps -waitForCompletion HOME_DEPENDENCY_LIST={/u01/app/oracle/product/agent/sbin:/u01/app/oracle/product/agent/core/12.1.0.2.0,} -invPtrLoc /u01/app/oracle/product/agent/core/12.1.0.2.0/oraInst.loc -force
Update Home Dependencies Location:/u01/app/oracle/product/agent/core/12.1.0.2.0/cfgtoollogs/agentDeploy/UpdateHomeDeps.log
Update home dependency completed successfully.

Performing the agent configuration...
Executing command: /u01/app/oracle/product/agent/core/12.1.0.2.0/oui/bin/runConfig.sh ORACLE_HOME=/u01/app/oracle/product/agent/core/12.1.0.2.0 RESPONSE_FILE=/u01/app/oracle/product/agent/core/12.1.0.2.0/agent.rsp ACTION=configure MODE=perform COMPONENT_XML={oracle.sysman.top.agent.11_1_0_1_0.xml} RERUN=true
Configuration Log Location:/u01/app/oracle/product/agent/core/12.1.0.2.0/cfgtoollogs/cfgfw/CfmLogger.log
Agent Configuration completed successfully

The following configuration scripts need to be executed as the "root" user.
#!/bin/sh
#Root script to run
 /u01/app/oracle/product/agent/core/12.1.0.2.0/root.sh
To execute the configuration scripts:
1. Open a terminal window
2. Log in as "root"
3. Run the scripts
Agent Deployment Successful.
Agent deployment log location:
/u01/app/oracle/product/agent/core/12.1.0.2.0/cfgtoollogs/agentDeploy/agentDeploy_2012-12-05_22-12-33-PM.log
Agent deployment completed successfully.


6. Run root.sh as indicated

# su -
# /u01/app/oracle/product/agent/core/12.1.0.2.0/root.sh

Finished product-specific root actions.
/etc exist

Creating /etc/oragchomelist file...
Finished product-specific root actions.


****** Note: All nodes in a cluster must have an agent installed and discovered in OEM before any cluster items such as databases, ASM, etc. can be added.