Configuring SSL on Enterprise Manager and the SLB (Release 12.1.0.2 and later)
From: http://docs.oracle.com/html/E24089_42/ha_setup.htm#sthref833
If the SLB is configured to use Third-Party/Custom SSL certificates, you must ensure that the CA certificates are properly configured in order for the trust relationship to be maintained between the Agent, SLB, and the OMS. Specifically, the following must be carried out:
- Import the CA certificates of the SLB into the OMS trust store.
- Copy the Enterprise Manager CA certificates to the trust store of the SLB.
By default, Enterprise Manager uses its own Enterprise Manager certificates and not the custom certificates. In order for Agents to upload information successfully to the OMS through the SLB, the custom trusted certificates need to be copied/imported into the trust stores of the OMS and the Agents.
The following procedures illustrate the process used to secure the 12c OMS and Agent when an SLB is configured with Third-Party/Custom SSL certificates.
Verifying the SSL Certificate used at the SLB
Perform the following steps to determine whether the SLB is using different certificates than the OMS:
- To check the certificate chain used by any URL, run the following command:
  <OMS_HOME>/bin>./emctl secdiag openurl -url <HTTPS URL>
  To check the certificates used by the SLB URL, run the following command:
  <OMS_HOME>/bin>./emctl secdiag openurl -url https://<SLB Hostname>:<HTTPS Upload port>/empbs/upload
  To check the certificates used by the OMS URL, run the following command:
  <OMS_HOME>/bin>./emctl secdiag openurl -url https://<OMS Hostname>:<HTTPS Upload port>/empbs/upload
- If the default Enterprise Manager self-signed certificates are used in the SLB, the output of both commands will show the same issuer, as follows:
  Issuer : CN=<OMS Hostname>, C=US, ST=CA, L=EnterpriseManager on <OMS Hostname>, OU=EnterpriseManager on <OMS Hostname>, O=EnterpriseManager on <OMS Hostname>
- If a custom or self-signed SSL certificate is used in the SLB, the output of the command run against the SLB hostname will instead show details like the following:
  Issuer : CN=Entrust Certification Authority - L1C, OU="(c) 2014 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  In this example, the SLB is using the custom certificate (CN=Entrust Certification Authority - L1C, OU="(c) 2014 Entrust, Inc."), which needs to be imported as a trusted certificate into the OMS.
- If OpenSSL is available on the OS, you can also check the value of CN by running the following command:
  $ openssl s_client -connect <HOSTNAME>:<PORT>
Importing the SSL Certificate of the SLB to the Trust Store of the OMS and Agent
- Export the SLB certificate in base64 format to a text file named customca.txt.
- Secure the OMS:
  cd <OMS_HOME>/bin
  ./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -console -trust_certs_loc <path to customca.txt>
  Note:
  All the OMSs behind the SLB need to be secured using the emctl secure oms command. The CA certificate of the OMS is present in the
  <EM_INSTANCE_HOME>/em/EMGC_OMS1/sysman/config/b64LocalCertificate.txt
  file and needs to be copied to the SSL trust store of the SLB.
- Restart all the OMSs:
  cd <OMS_HOME>/bin
  ./emctl stop oms -all
  ./emctl start oms
- Secure all the Agents pointing to this Enterprise Manager setup:
  cd <AGENT_HOME>/bin
  ./emctl secure agent -emdWalletSrcUrl <SLB Upload URL>
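The following script is an added example and is not part of the Oracle documentation. It automates the verification step above (comparing the issuer presented at the SLB upload port with the issuer the OMS presents directly, the same comparison the two emctl secdiag openurl commands make) and the export step (writing the SLB's certificate chain in base64 PEM form to customca.txt for the emctl secure oms -trust_certs_loc option). It assumes openssl is on the PATH; the host names, port and output file name are placeholders you pass in, and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the Oracle documentation. Compares the certificate
# issuer seen at the SLB upload port with the one the OMS presents directly,
# and exports the SLB chain as base64 PEM for "emctl secure oms -trust_certs_loc".
# Assumes openssl is on the PATH; hosts, port and output file are placeholders.
set -u

# Strip the "Issuer :" (emctl secdiag openurl) or "issuer=" (openssl x509)
# prefix, leaving only the issuer DN of the first matching line.
parse_issuer() {
  sed -n -E 's/^[Ii]ssuer *[:=] *//p' | head -n 1
}

# Keep only PEM certificate blocks from "openssl s_client -showcerts" output.
extract_pem() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Return 0 when the two issuer DNs are identical, 1 otherwise.
same_issuer() {
  [ "$1" = "$2" ]
}

# Issuer DN of the leaf certificate served at host ($1) and port ($2).
issuer_of() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer | parse_issuer
}

# Write the chain served at host:port to file $3; fail if nothing was captured.
export_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | extract_pem > "$3"
  [ -s "$3" ]
}

# Usage: check_slb_vs_oms <SLB host> <OMS host> <HTTPS upload port> [out file]
# Exit 0 if the SLB serves the OMS's own CA, 2 if a different CA (chain exported).
check_slb_vs_oms() {
  local slb=$1 oms=$2 port=$3 out=${4:-customca.txt} slb_iss oms_iss
  slb_iss=$(issuer_of "$slb" "$port"); oms_iss=$(issuer_of "$oms" "$port")
  [ -n "$slb_iss" ] && [ -n "$oms_iss" ] || { echo "TLS handshake failed" >&2; return 1; }
  if same_issuer "$slb_iss" "$oms_iss"; then
    echo "SLB and OMS share issuer: $slb_iss"; return 0
  fi
  echo "SLB issuer ($slb_iss) differs from OMS ($oms_iss); exporting chain to $out"
  export_chain "$slb" "$port" "$out" && return 2
}

if [ $# -ge 3 ]; then check_slb_vs_oms "$@"; fi
```

Run it as `./check_slb.sh <SLB Hostname> <OMS Hostname> <HTTPS Upload port>`; an exit status of 2 means the SLB presents a different CA and customca.txt now holds the chain to pass to emctl secure oms.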