OMS SSL Certificate Renewal

When you configure Oracle Enterprise Manager with custom or third-party SSL certificates, you usually need to complete configuration tasks for the following EM components:

  *  EM Cloud Control Console

  *  Oracle Management Service (OMS) and EM Agent

  *  WebLogic Server (WLS)

Oracle Enterprise Manager Cloud Control console overview: the Cloud Control console is a web-based, customizable interface for monitoring and managing a wide variety of targets within your enterprise. The Oracle Management Agent (Management Agent) is one of the core components of Enterprise Manager Cloud Control; it converts an unmanaged host into a managed host in the Enterprise Manager system. The Management Agent works in conjunction with plug-ins to monitor the targets running on that managed host. Therefore, if you want to monitor a target running on a host, first convert that unmanaged host into a managed host by installing a Management Agent, then discover the targets running on it to start monitoring them.

The Oracle Management Service (OMS) is the middle tier between the Management Agents and the Cloud Control console: the agents upload monitoring data to the OMS, which stores it in the Management Repository (the SYSMAN schema) and serves the console. The OMS can run on multiple nodes, typically behind a server load balancer (SLB). DBSNMP is not the OMS schema; it is the default monitoring account that a Management Agent uses to connect to database targets.

With the SSL feature, the Oracle Advanced Security option extends its encryption support and provides public key authentication based on the SSL standard.

You can use the SSL feature of the Oracle Advanced Security option to secure communications between any client and any server. Specifically, you can use SSL to authenticate:

    Any client or server to one or more Oracle servers

    An Oracle server to any client 


Components of SSL in an Oracle Environment

The components of SSL in an Oracle environment include the following, each of which is described below:

  --  Certificate

  -- Certificate Authority (CA)

  --  Wallet


Certificate

A certificate ensures that an entity's identity information is correct and that the public key actually belongs to that entity. A certificate is created when an entity's public key is signed by a trusted identity, that is, a certificate authority (CA), described below.

A certificate contains the entity's name, public key, serial number, and expiration date. It may contain information about the privileges associated with the certificate.

Certificate Authority (CA)

A trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. The certificate authority verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. 

Wallet

An abstraction used to store and manage authentication data such as keys, certificates, and trusted certificates needed by SSL. In an Oracle environment, each system using SSL has a wallet containing an X.509 v3 certificate, its private key, and a list of trusted certificates.

How SSL Works in an Oracle Environment: The SSL Handshake

 In an Oracle environment, the authentication process involves three basic steps:

    ---The user initiates an Oracle Net (formerly Net8) connection to the server using SSL.

    ---SSL performs the handshake between client and server.

    ---If the handshake is successful, the server verifies that the user has the appropriate authorization to access the database.


OEM SSL Certificate Renewal Steps:

Step 1: Take a backup of the OMS home before changing anything.

Step 2: Create a directory for the new wallet location

        cd <OMS_HOME>/

        mkdir <wallet_directory>

    EX: cd /u01/app/oracle/product/em13cr5

           mkdir wallet_SLB_05May2023

Step 3: Create a wallet using the orapki utility

        Run the following command to create an auto-login wallet in the new directory (orapki prompts for a wallet password; keep it, step 4 needs it again)

        <OMS_HOME>/oracle_common/bin/orapki wallet create -wallet <wallet_location> -auto_login

Here, <OMS_HOME> is the OMS Home path and <wallet_location> is the directory where the wallet will be created. The -auto_login option also writes cwallet.sso next to ewallet.p12 so that the OMS can open the wallet without a password at startup; restrict the directory permissions to the OMS software owner accordingly.


Step 4: Create a Certificate Signing Request (CSR)

       * Add a certificate request to the Oracle wallet created in the previous step with the following command

        <OMS_HOME>/oracle_common/bin/orapki wallet add -wallet <wallet_location> -dn <certificate_dn> -keysize 512|1024|2048 -pwd <wallet_password>

        Use -keysize 2048 or larger: 512- and 1024-bit RSA keys are too weak, and public CAs will not sign a CSR for them.

<OMS_HOME>/oracle_common/bin/orapki wallet add -wallet /u01/app/oracle/product/em13cr5/wallet_SLB_05May2023 -dn "<certificate_dn>" -keysize 2048 -pwd ******

Here,

        <wallet_password> is the password entered in the previous step

        <certificate_dn> is the Subject DN of the requestor/owner of the certificate. It consists of a number of fields called relative distinguished names (RDNs); the most common are:

          CN: Common Name

          OU: Organizational Unit

          O:  Organization

          L: Locality

          ST (sometimes S): State or Province Name

          C: Country Name

Note: Specify the Common Name (CN) as the host name entered while installing the OMS. This is the DNS alias or host name of the machine where the OMS is installed, which is not necessarily the physical host name. For example, I have a Linux server whose host name is host01.lab.dbaplus.ca; a DNS alias oms.lab.dbaplus.ca also resolves to the same IP address, and I entered oms.lab.dbaplus.ca as the host name while installing the OMS, so the CN is oms.lab.dbaplus.ca.

For example

        $ orapki wallet add -wallet /u01/app/oracle/wallet -dn "CN=oms.lab.dbaplus.ca, OU=Lab, O=DBA Plus Workshop, C=CA" -keysize 2048 -pwd oracle4U!

Passing -pwd on the command line leaves the wallet password in the shell history and shows it in the process list (ps) while orapki runs; on a shared host, omit -pwd and let orapki prompt for it.

Step 5: List the certificate request in the wallet by running

        <OMS_HOME>/oracle_common/bin/orapki wallet display -wallet <wallet_location>

        The new request appears under "Requested Certificates:" in the output.

Step 6: Export the CSR to a text file:

        <OMS_HOME>/oracle_common/bin/orapki wallet export -wallet <wallet_location> -dn <certificate_dn> -request <certificate_request_file>

Here, <certificate_request_file> is the name of the CSR file being created

 For Example:

orapki wallet export -wallet /u01/app/oracle/wallet -dn "CN=oms.lab.dbaplus.ca, OU=Lab, O=DBA Plus Workshop, C=CA" -request /tmp/dbaplus_csr.txt

Step 7: Submit the CSR file to a third-party trusted Certificate Authority (CA) to get the signed SSL certificate in Base64 (PEM) format

       The CA (e.g. Verisign, DigiCert) will give you a User Certificate (a.k.a. Identity or Server Certificate), one or more intermediate CA certificates (if applicable) and a Root CA certificate.

Note

       A. For EM 13.4 or later, the EM OMS console, OMS upload port and Agents can be secured with wildcard SSL certificates and SAN certificates. When submitting the CSR for a wildcard certificate, the wildcard form (*.<DOMAIN_NAME>) must be specified instead of the host name (<HOSTNAME>.<DOMAIN_NAME>).

       B. While securing a 13.4 OMS with wildcard certificates, ensure that all Agents are at version 13.4. Pre-13.4 Agents cannot communicate with a 13.4 OMS secured with wildcard certificates.

       C. SAN certificates can be created using the orapki command from OEM 13.4 onward.

       D. For EM 12.1.0.5 to 13.3.0.0.0, a wallet with a SAN certificate can be created using openssl, or another utility, and then used to secure the OMS or Agent; orapki cannot be used for this.

       E. The WebLogic instance supporting EM 13.4 can also be secured with wildcard and SAN certificates after applying RU3 or higher.
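The CN rule in step 4 and notes A to C above decide what goes into the CSR, and a wrong CN or a weak key means another round trip to the CA. The following Python is an added example, not code from the original post and not part of orapki: it checks a proposed request before submission by building the -dn string with RFC 4514 escaping (so a comma in an organization name does not become a new RDN), matching the OMS host name against the CN and SAN entries with the wildcard rules TLS clients apply, and rejecting key sizes below 2048 bits. The host names and DN values are constructed samples modelled on the post's example.

```python
"""Pre-submission checks for an OMS certificate request.

Added example; not code from the original post and not part of Oracle's
orapki. It assumes you know the host name entered while installing the OMS
(the value step 4 says must be the CN) and the subject you intend to request.
All host names and DN values used here are constructed samples.
"""

MIN_RSA_BITS = 2048  # orapki accepts 512 and 1024 too, but public CAs will not sign them


def _escape_rdn_value(value):
    """Escape one RDN value per RFC 4514 so that a comma inside an
    organization name ("DBA Plus, Inc.") is not read as a new RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;'
        if special or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(cn, ou=None, o=None, l=None, st=None, c=None):
    """Return the -dn string for 'orapki wallet add', CN first, in the same
    RDN order as the post's own example."""
    rdns = [("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c)]
    return ", ".join(f"{k}={_escape_rdn_value(v)}" for k, v in rdns if v)


def name_matches(cert_name, host):
    """Match one certificate name (the CN or a dNSName SAN) against the OMS
    host name the way TLS clients do (RFC 6125 rules): case-insensitive, and a
    wildcard is honoured only as the entire left-most label and matches
    exactly one label. So '*.lab.dbaplus.ca' covers oms.lab.dbaplus.ca but
    neither lab.dbaplus.ca nor a.oms.lab.dbaplus.ca."""
    pattern = cert_name.lower().rstrip('.').split('.')
    labels = host.lower().rstrip('.').split('.')
    if '*' not in cert_name:
        return pattern == labels
    # The wildcard must be the whole first label, must leave at least two
    # fixed labels ('*.ca' is never acceptable), and label counts must agree.
    if pattern[0] != '*' or len(pattern) < 3 or len(pattern) != len(labels):
        return False
    return pattern[1:] == labels[1:]


def check_request(oms_host, cn, sans=(), keysize=2048):
    """Return the list of problems with a proposed CSR; an empty list means
    it is safe to submit to the CA."""
    problems = []
    if keysize < MIN_RSA_BITS:
        problems.append(f"key size {keysize} is below {MIN_RSA_BITS} bits")
    names = [cn, *sans]
    if not any(name_matches(n, oms_host) for n in names):
        problems.append(f"neither CN nor SAN covers the OMS host name {oms_host}")
    if sans and cn.lower() not in {s.lower() for s in sans}:
        problems.append("CN is not repeated as a dNSName SAN; "
                        "modern browsers rely on the SAN, not the CN")
    return problems


if __name__ == "__main__":
    # Constructed sample: physical host host01, OMS installed under the alias oms.
    print(build_dn("oms.lab.dbaplus.ca", ou="Lab", o="DBA Plus Workshop", c="CA"))
    print(check_request("oms.lab.dbaplus.ca", "host01.lab.dbaplus.ca"))
    print(check_request("oms.lab.dbaplus.ca", "*.lab.dbaplus.ca", keysize=1024))
```

Run it and the second line reports that a CSR for host01.lab.dbaplus.ca does not cover the install host name oms.lab.dbaplus.ca, which is exactly the mistake the note in step 4 warns about; the third line rejects the 1024-bit key even though the wildcard name is fine.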


Step 8: Import the certificates into the wallet

 The CA usually returns three files:

User certificate (the server certificate for your OMS) file

  Intermediate CA certificate(s) file

Root CA certificate file

Import the trusted certificates first (root, then any intermediates) and the user certificate last: orapki rejects a user certificate whose issuer chain is not already trusted in the wallet, and it checks that the certificate's public key matches the key pair generated in step 4. If the CA delivers the chain as one bundled file, split it into one certificate per file, because each -cert option imports a single certificate.

* To import the Root CA certificate and the intermediate CA certificates, run

<OMS_HOME>/oracle_common/bin/orapki wallet add -wallet <wallet_location> -trusted_cert -cert <certificate_file> -pwd <wallet_password>

* To import the user certificate, run

<OMS_HOME>/oracle_common/bin/orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_file> -pwd <wallet_password>

For Example:

        $ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /tmp/Root_CA_Certificate.txt -pwd oracle4U!

        $ orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert /tmp/Intermediate_CA_Certificate.txt -pwd oracle4U!

        $ orapki wallet add -wallet /u01/app/oracle/wallet -user_cert -cert /tmp/oms_lab_dbaplus_ca.cer -pwd oracle4U!

   

Step 9: Display the wallet to make sure the certificates were added

        Run Command:

        $ orapki wallet display -wallet <wallet_location>

        The user certificate should now be listed under "User Certificates:" and the root and intermediate certificates under "Trusted Certificates:"; the entry shown under "Requested Certificates:" in step 5 disappears once the matching user certificate has been imported.

   

Step 10: Secure the EM Cloud Control console with the third-party certificate

        * Secure the EM console with the following command

        <OMS_HOME>/bin/emctl secure console -wallet <wallet_location> [-host <SLB_host_name>]

        Use -host when the console is reached through a server load balancer, so that the name EM uses matches the CN (or a SAN) of the certificate. This command secures only the console (browser) port; the OMS upload port used by the Agents (emctl secure oms) and the WebLogic Server are separate tasks.

         For Example:

        $ <OMS_HOME>/bin/emctl secure console -wallet /u01/app/oracle/wallet

Step 11: Restart the OMS with the following commands

        <OMS_HOME>/bin/emctl stop oms -all [-force]

        <OMS_HOME>/bin/emctl start oms

For Example:

$ emctl stop oms -all -force

$ emctl start oms

Step 12: If there is any issue, console access can be rolled back to the self-signed certificate with the following commands

        <OMS_HOME>/bin/emctl secure console -self_signed

        <OMS_HOME>/bin/emctl stop oms -all -force

        <OMS_HOME>/bin/emctl start oms
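Three points in the procedure above are where renewals usually go wrong: step 8 (the CA hands back a bundled chain, or a certificate issued for a different key than the one in the wallet), and steps 11 and 12 (the OMS restarts but the console still presents the old or self-signed certificate). The shell below is an added example, not code from the original post and not part of orapki or emctl. It assumes openssl on PATH, the /tmp file names used in the post's examples, and 7802 as the console HTTPS port (the EM default; yours may differ). Only split_pem_bundle works without real certificates; the other two functions need the files from your CA and a running OMS.

```sh
#!/bin/sh
# Added example, not from the original post and not part of orapki or emctl.
#   split_pem_bundle    a CA often delivers the chain as one bundle file, but each
#                       'orapki wallet add -cert' call imports one certificate,
#                       so the bundle is split into one file per certificate
#   verify_issued_cert  proves, with openssl, that the issued certificate chains
#                       to the root and carries the public key of the CSR exported
#                       in step 6, before anything is imported into the wallet
#   check_live_console  after 'emctl start oms', shows what the console actually
#                       serves and, if a root file is given, verifies it
# Assumptions: openssl on PATH, /tmp paths as in the post, console port 7802.

# split_pem_bundle <bundle.pem> <outdir>
# Writes <outdir>/cert-1.pem, cert-2.pem, ... in the order they appear in the
# bundle and prints the number of certificates written.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# verify_issued_cert <user.cer> <intermediate.pem> <root.pem> <csr.txt>
# Returns 0 only if the chain validates and the certificate's public key is the
# one from the CSR (a certificate issued for a different key cannot be used
# with this wallet). Warns if the certificate expires within 30 days.
verify_issued_cert() {
    user=$1; inter=$2; root=$3; csr=$4
    openssl verify -CAfile "$root" -untrusted "$inter" "$user" >/dev/null || {
        echo "chain does not validate: $user via $inter against $root" >&2
        return 1
    }
    cert_key=$(openssl x509 -in "$user" -noout -pubkey | openssl sha256)
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    [ "$cert_key" = "$csr_key" ] || {
        echo "public key in $user does not match the CSR $csr (wrong wallet?)" >&2
        return 1
    }
    openssl x509 -in "$user" -noout -checkend 2592000 >/dev/null ||
        echo "warning: $user expires within 30 days" >&2
    openssl x509 -in "$user" -noout -subject -enddate
}

# check_live_console <oms_host> [port] [root.pem]
# Prints subject, issuer and expiry of the certificate the console presents.
# With a root file it also requires the served chain to verify against it,
# which shows whether step 10 took effect or step 12 rolled it back.
check_live_console() {
    host=$1; port=${2:-7802}; root=$3
    if [ -n "$root" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -CAfile "$root" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  </dev/null 2>/dev/null)
    fi
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate || return 1
    [ -z "$root" ] || printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Typical use, assuming the bundle lists the intermediate before the root:
#   n=$(split_pem_bundle /tmp/chain_bundle.pem /tmp/chain)
#   verify_issued_cert /tmp/oms_lab_dbaplus_ca.cer /tmp/chain/cert-1.pem \
#       /tmp/chain/cert-2.pem /tmp/dbaplus_csr.txt
#   check_live_console oms.lab.dbaplus.ca 7802 /tmp/chain/cert-2.pem
```

The split files are then imported in the order step 8 requires (root, intermediate, user certificate). Run check_live_console both after step 11 and after a step 12 rollback: the issuer line flips between the CA and the OMS's own self-signed issuer, which is faster than trusting the emctl exit status alone.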

   

   



