Summary
The security certificate is just one component of the Oracle Enterprise Manager Security. The certificate is utilized for https traffic therefore normal http traffic should be shut off for console and upload traffic there forcing all communication to the OMS to come from a secure channel that will utilize the certificate. Though it is not required to shut off the normal http traffic it is recommended when using a certificate as what would be the point of the certificate if you can use unsecured http.
Prepare Security Certificate Request
1. login to the first OEM server as the owner of the OMS installation typically oracle.
2. Set the environment to the repository database home or a database home installed on the OMS Server, unfortunately if you do not have a database installation on the OMS server you will need to utilize this is where the orapki utility is
. oraenv
ORACLE_SID = [oemrep] ? oemrep
The Oracle base remains unchanged with value /u00/app/oracle
3. Create an auto login wallet, an auto login wallet is needed for this installation/setup.
# orapki wallet create -wallet /home/oracle/wallet -auto_login
4. Generate the security certificate request, this must be done by the oracle wallet manager or orapki utilizy, generating this any other way is not ok. In this case we are calling the server oem.domain.com, this is not the actual server name, but the name utilized via the load balancer. Ensure that you use the server name that you are generating the certificate for as it will be used in addressing the server which typically includes the domain.
# orapki wallet add -wallet /home/oracle/wallet -dn "CN=oem.domain.com, OU=EM, O=My Company, L=My City, ST=My State, C=US" -keysize "2048" -pwd password
# orapki wallet export -wallet /home/oracle/wallet -dn "CN=oem.domain.com, OU=EM, O=My Company, L=My City, ST=My State, C=US" -pwd password -request /home/oracle/wallet/csr_request.txt
5. Send the csr_request.txt to security to generate certificate(s)
you should be returned 3 filess a Root, intermediate and ssl user certificate.
6. Do not remove the generated Wallet files as you will need these once the security certificates are given to you
Install the Security Certificate
1. Import the Root certificate into the wallet
# orapki wallet add -wallet /home/oracle/wallet -trusted_cert -cert /home/oracle/wallet/Root.cer.txt -pwd password
2. Import the intermediate certificate into the wallet
# orapki wallet add -wallet /home/oracle/wallet -trusted_cert -cert /home/oracle/wallet/intermediate.cer.txt -pwd password
3. Import the SSL/User certificate into the wallet
# orapki wallet add -wallet /home/oracle/wallet -user_cert -cert /home/oracle/wallet/server.cer.txt -pwd password
4. Display the wallet
orapki wallet display -wallet /home/oracle/wallet
5. cat the immediate certificate and the root certificate to a trusted certificates file
# cd /home/oracle/wallet
# cat intermediate.cet.txt >> trusted.cer.txt
# cat root.cet.txt >> trusted.cer.txt
6. set the environemnt to the oms
# . oraenv
oms
7. Secure the console
# emctl secure console -wallet /home/oracle/wallet
8. import the wallet and certificate into OMS
# emctl secure oms -host oem.domain.com -wallet /home/oracle/wallet -trust_certs_loc /home/oracle/wallet/trusted.cer.txt
9. secure the agent on the local OMS host by securing the agent and uploading the agent.
# . oraenv
agent
# emctl secure agent
# emctl upload agent
10. Lock the upload to only secure traffic
# emctl secure lock –upload
11. Lock the console access to only secure traffic (https)
# emctl secure lock -upload -console
12. Check the status of the OMS and agent in the console
http://oem.domain.com:7801/em
13. Login to the seconds OMS server and get to the oracle account and set the environment to the oms
# . oraenv
oms
14. Copy the certificates and wallets from the first OMS to same location /home/oracle/wallet
15. Secure the console
# emctl secure console -wallet /home/oracle/wallet
16. import the wallet and certificate into OMS
# emctl secure oms -host oem.domain.com -wallet /home/oracle/wallet -trust_certs_loc /home/oracle/wallet/trusted.cer.txt
17. secure the agent on the OMS server
# . oraenv
agent
# emctl secure agent
# emctl upload agent
18. Check the status of the OMS and agent in the console
http://oem.domain.com:7801/em
Secure All Agents on All Hosts
1. Go to all targets with and agent and resecure agent
. oraenv
agent
emctl secure agent or emctl secure agent -emdWalletSrcUrl https:
emctl upload agent
2. Check the status of the OMS and agent in the console for each target agent after secure
http://oem.domain.com:7801/em
** Special Note
when blackout of target is set prior to certificate work
I had issues here as I blacked out all my targets before I
started, after I stopped the blackout I had to go back to each agent and
execute a clear state, reload and upload to clear out all blackouts
emctl clearstate agent
emctl reload agent
emctl upload agent
2 comments:
Hello Mike,
Great article, much better then Oracle documents.
Question... we have to upgrade certificates to SHA-2. This will require to create a new wallet, load new certificates and secure console and OMS. Should we also secure all 500 existing agents?
Thanks
Greg
You will likely with a new certificate need to deal with the agent as well since the certificate has changed.
Post a Comment