
Outbound CA Certificates

Certificate files from certifying authorities are widely used for authentication.  Oracle has already loaded an exhaustive set of CA certs inside your OMS server.

Outward bound communication, like connections to an LDAP server, may require a CA cert to authenticate your connection.  Someone in your company is responsible for issuing and managing those certificates.  This procedure shows how easy it is to add your local certs.

Working with keytool

Certificate files are very simple text files that contain strings of nonsense text.

You can only read and edit the cacerts file using keytool (available on all hosts).  It is strongly recommended that you make edits to a copy of the cacerts file, verify the changes, and then deploy it.

Command: keytool -list -v -alias MY_CACERT -keystore cacerts
Discussion: Lists the CA cert stored under the given alias; leave out -alias to list all CA certs in the keystore. You set the alias name. The Java keystore filename in OEM is 'cacerts'. There is no jks suffix.

Command: keytool -import -keystore cacerts -alias MY_CACERT -file /tmp/newcert.crt
Discussion: You can add a new certificate to the keystore using this command.
Note about hyphens: After you paste these commands into your terminal you must manually replace each hyphen before executing the command. Otherwise it throws an error.

Installing cacerts

Each step below gives a description or illustration, then the click stream or command.

Back up your config.xml

All config details for your admin server are stored in this file.

cd ../gc_inst1/user_projects/domains/GCDomain/config

cp config.xml config.xml_before_cacert

Create a working copy of the existing cacerts file, import your cert, then verify it

You can't change the location of the cacerts file.

Copy the updated cacerts file to all OMS servers in your cluster.

cd ../MW13200/oracle_common/jdk/jre/lib/security

mkdir work

cp cacerts work/cacerts

cd work

#Execute the keytool import to add your certificate to the work copy of cacerts.

#Password for cacerts file can be found in MOS by searching for cacerts.

#Then execute the keytool list command to verify the import

cp cacerts ../cacerts

Bounce all OMS servers to load the updated file

Roll back if required

The admin server will not start if it encounters errors.

emctl stop oms -all

cd ../gc_inst1/user_projects/domains/GCDomain/config

cp -f config.xml_before_cacert config.xml

emctl start oms -admin_only
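
The work-copy, import and verify steps above can be scripted so that the live cacerts file is replaced only after the import checks out. This is an added example, not Oracle's or the page author's script; it goes one step past the procedure by comparing the SHA-256 fingerprint keytool prints for the certificate file with the one stored under the alias. The function names, the KEYTOOL variable and the cacerts_before_<alias> backup name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: import a CA cert into a work copy of cacerts, verify it,
# and only then replace the live file. Names here are assumptions, not OEM's.
KEYTOOL="${KEYTOOL:-keytool}"   # override to use a specific JDK's keytool

# SHA-256 fingerprint of a certificate file, as keytool prints it (AB:CD:...)
fp_of_file() {
  "$KEYTOOL" -printcert -file "$1" | sed -n 's/.*SHA256: *//p' | head -n 1
}

# SHA-256 fingerprint of one keystore entry: $1=keystore $2=alias $3=password
fp_of_alias() {
  "$KEYTOOL" -list -v -keystore "$1" -alias "$2" -storepass "$3" |
    sed -n 's/.*SHA256: *//p' | head -n 1
}

# $1=directory holding cacerts  $2=cert file  $3=alias  $4=keystore password
import_ca_cert() {
  local sec="$1" cert="$2" alias="$3" pass="$4" work want got
  work="$sec/work"
  mkdir -p "$work" || return 1
  cp "$sec/cacerts" "$work/cacerts" || return 1

  want=$(fp_of_file "$cert")
  [ -n "$want" ] || { echo "cannot read $cert as a certificate" >&2; return 1; }

  # -noprompt skips the interactive "Trust this certificate?" question
  "$KEYTOOL" -import -noprompt -keystore "$work/cacerts" -alias "$alias" \
    -file "$cert" -storepass "$pass" >/dev/null || return 1

  got=$(fp_of_alias "$work/cacerts" "$alias" "$pass")
  if [ "$want" != "$got" ]; then
    echo "fingerprint mismatch for $alias; live cacerts left untouched" >&2
    return 1
  fi

  # Keep the previous keystore next to the live one for rollback
  cp -p "$sec/cacerts" "$sec/cacerts_before_$alias" || return 1
  cp "$work/cacerts" "$sec/cacerts"
}
```

Call it as import_ca_cert <security directory> /tmp/newcert.crt MY_CACERT <password>, then copy the file to the other OMS hosts and bounce them as described above. A password passed with -storepass is visible in the process list while keytool runs.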