How To Renew OMS And Agent Server Default Certificate

1) Run the command below to check the status of the OMS and gather its details

<OMS HOME>/bin>emctl status oms -details

2) If the OMS is running, then the certificates used by the OMS can be checked using the commands below: emctl or openssl

$OMS_HOME/bin>emctl secdiag openurl -url https://omshostname.domainname:4903/em -ssl_protocol TLSv1.2

openssl s_client -connect omshostname.domainnname:4903

3) if the OMS is not running, you can check the certificates used by the OMS by reading the contents of the wallet used by the OMS

<MW_HOME>/oracle_common/bin>./orapki wallet display -wallet /../gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/upload -summary

4)  Start Admin Server

cd <OMS_HOME>/bin
emctl stop oms -all -force
emctl start oms -admin_only

5)  Run the command below to create a new EM Certificate Authority (CA):

cd <OMS_HOME>/bin
emctl secure createca [-sysman_pwd ] [-host ] [-root_country <root_country>] [-root_state <root_state>] [-root_org <root_org>] [-root_unit <root_unit>] [-key_strength ] [-cert_validity ]

All the arguments are optional and can be specified, if required. sysman password will be prompted for if this is not provided at the command line.

Note: You can specify the "-cert_validity" value to the required time period.

6) In case of a multi-OMS setup, copy the

 <gc_inst>/em/EMGC_OMS1/sysman/config/b64LocalCertificate.txt from the machine on which "emctl secure createca" was run to all other OMS machines at the same location i.e <gc_inst>/em/EMGC_OMS/sysman/config/b64LocalCertificate.txt

7) Secure All the OMS with New CA

cd <OMS_HOME>/bin
emctl secure oms -force_newca [-protocol TLSv1(EM 12c only)] [-protocol TLSv1.2(EM 13c only)]
emctl secure console -self_signed

In case of a multi-OMS setup configured with an SLB, secure each of the OMS using:

<OMS_HOME>/bin>./emctl secure oms -host <SLB Host name> -secure_port <HTTPS Upload Port> -slb_port <SLB upload Port> -slb_console_port <SLB Console port> -force_newca -console [Other arguments if any]

8) Restart all the OMS:

cd <OMS_HOME>/bin
emctl stop oms -all
emctl start oms

9) You can view the details of new Certificate Authority created using the command below:

cd <OMS_HOME>/bin
emcli login -username=sysman
emcli sync
emcli get_ca_info -details

10) Secure all the Agents so that they are also issued a certificate by the newly created CA.

<AGENT HOME>/bin>./emctl secure agent
<AGENT HOME>/bin>./emctl start agent
<AGENT HOME>/bin>./emctl status agent

11) Verify the demo certificate details of the OMS url:

cd <OMS_HOME>/bin
emctl secdiag openurl -url https://<omshost.domain:upload_portno>/empbs/upload
emctl secdiag openurl -url https://<omshost.domain:console_portno>/em

If you like please follow and comment