How To Renew OMS And Agent Server Default Certificate
1) Run the command below to check the status of the OMS and gather its details
<OMS HOME>/bin>emctl status oms -details
2) If the OMS is running, then the certificates used by the OMS can be checked using the commands below: emctl or openssl
$OMS_HOME/bin>emctl secdiag openurl -url https://omshostname.domainname:4903/em -ssl_protocol TLSv1.2
openssl s_client -connect omshostname.domainnname:4903
3) if the OMS is not running, you can check the certificates used by the OMS by reading the contents of the wallet used by the OMS
<MW_HOME>/oracle_common/bin>./orapki wallet display -wallet /../gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/upload -summary
4) Start Admin Server
cd <OMS_HOME>/bin
emctl stop oms -all -force
emctl start oms -admin_only
5) Run the command below to create a new EM Certificate Authority (CA):
cd <OMS_HOME>/bin
emctl secure createca [-sysman_pwd ] [-host ] [-root_country <root_country>] [-root_state <root_state>] [-root_org <root_org>] [-root_unit <root_unit>] [-key_strength ] [-cert_validity ]
All the arguments are optional and can be specified, if required. sysman password will be prompted for if this is not provided at the command line.
Note: You can specify the "-cert_validity" value to the required time period.
6) In case of a multi-OMS setup, copy the
<gc_inst>/em/EMGC_OMS1/sysman/config/b64LocalCertificate.txt from the machine on which "emctl secure createca" was run to all other OMS machines at the same location i.e <gc_inst>/em/EMGC_OMS/sysman/config/b64LocalCertificate.txt
7) Secure All the OMS with New CA
cd <OMS_HOME>/bin
emctl secure oms -force_newca [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]
emctl secure console -self_signed
In case of a multi-OMS setup configured with an SLB, secure each of the OMS using:
<OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -force_newca -console [Other arguments if any]
8) Restart all the OMS:
cd <OMS_HOME>/bin
emctl stop oms -all
emctl start oms
9) You can view the details of new Certificate Authority created using the command below:
cd <OMS_HOME>/bin
emcli login -username=sysman
emcli sync
emcli get_ca_info -details
10) Secure all the Agents so that they are also issued a certificate by the newly created CA.
<AGENT HOME>/bin>./emctl secure agent
<AGENT HOME>/bin>./emctl start agent
<AGENT HOME>/bin>./emctl status agent
11) Verify the demo certificate details of the OMS url:
cd <OMS_HOME>/bin
emctl secdiag openurl -url https://<omshost.domain:upload_portno>/empbs/upload
emctl secdiag openurl -url https://<omshost.domain:console_portno>/em
Post a Comment
Post a Comment