RE: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]

  • From: "Chitale, Hemant K" <Hemant-K.Chitale@xxxxxx>
  • To: "christopherdtaylor1994@xxxxxxxxx" <christopherdtaylor1994@xxxxxxxxx>
  • Date: Tue, 17 Nov 2015 03:25:38 +0000

I'm probably going to [re]start a blog just because of this issue.

Agreed. Too much detail in an email that may disappear.

Hemant K Chitale


From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On
Behalf Of Chris Taylor
Sent: Tuesday, November 17, 2015 8:11 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]

I'm probably going to [re]start a blog just because of this issue. HUGE thanks
goes out to Brian Pardy for his help on this and writing a great blog about
recreating (modifying) the Oracle Wallets to get rid of the demo certs.

First, this "adventure" started with laying down an EM 12.1.0.5 vanilla install.
Due to the numerous Java vulnerabilities identified in the last 12-15 months,
there have been several patches that browser makers have applied and pushed
out. These browser updates effectively "broke" the ability to peruse EM 12c
(the console) and generated numerous Metalink documents.

The error was:

https://host:port/console generates "Server has a weak ephemeral Diffie-Hellman
public key". The https://host:port/em server seemed to work ok.

Secondly, after trying to patch this problem away using the CPU 2015 Patch
Guide (Applying Enterprise Manager 12c Recommended Patches (Doc ID 1664074.1)),
the brokenness of the EM 12.1.0.5 install only increased.

Then, I ran across Brian Pardy's blog post about setting the Oracle wallets and
getting rid of the demo certs and generating new certificates HERE:
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/

(I skipped the section "Creating Wallets for each agent" about generating
certificates for each agent for now as that would require CSRs for each host
where an agent will be running. I might come back to that though.)

So, here are the steps that got me to a perfectly usable EM 12.1.0.5
installation. I'm going to attempt the October 2015 Patching guide again now
but at least I know I can flash back to this structure and it will be usable.
In a nutshell, when laying down an EM 12.1.0.5 vanilla install today, you REALLY
should get 1024 or 2048 bit keys, appropriate Trusted/Issuing/User
Certificates, and patch Weblogic.

Steps (at a high level) - the only steps I came up with were the 3 Weblogic
Patching steps to support Keys longer than 512 bits (steps 16-18). This may
be messy but I formatted it with FIXED WIDTH and it shows up correctly in draft
mode.

01. Install EM 12.1.0.5 Software
Browse to https://host:port/console - should receive error due to browser updates. If not, you don't have the latest updates.
02. Backup installed directories:
- agent dir $ORACLE_BASE/product/agent12c
- middleware dir $ORACLE_BASE/product/middleware
- instance dir $ORACLE_BASE/product/gc_inst
- swlib dir $ORACLE_BASE/product/swlib
03. Create an Oracle Wallet
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
04. Generate 2048 bit Keys inside wallet
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
05. Generate certificate signing request (CSR) for the created wallet
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
06. Send CSR to Signing Authority
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
07. After receiving certs import them into the wallet
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
08. Secure the OMS Console
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
09. Restart OMS
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
10. Secure the OMS upload port
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
11. Restart OMS
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
12. Secure the OMS upload port
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
13. Re-secure all agents
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
14. Shutdown oms all
$OMS_HOME/bin/emctl stop oms -all -force
15. Uninstall Delivered Weblogic Patches
$MW_HOME/utils/bsu/bsu.sh -remove -patchlist=6D9T,WE1X,SRUM -prod_dir=$MW_HOME/wlserver_10.3/
16. Patch Weblogic (p20780171 EJUW - includes previous patches)
$MW_HOME/utils/bsu/bsu.sh -install -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=$MW_HOME/wlserver_10.3/
17. Patch Weblogic #2 (p16420963 GDFA)
$MW_HOME/utils/bsu/bsu.sh -install -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=GDFA -prod_dir=$MW_HOME/wlserver_10.3/
18. Patch Weblogic #3 (p13964737 VP7Z)
$MW_HOME/utils/bsu/bsu.sh -install -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=EVP7Z -prod_dir=$MW_HOME/wlserver_10.3/
19. Secure WebLogic with the OMS wallet
- first secure the agent (root ca cert)
$OMS_HOME/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc $ORACLE_WALLET_LOC/root.cer -alias <choose_an_alias_name> -password welcome
- secure the agent (issuing ca cert)
$OMS_HOME/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc $ORACLE_WALLET_LOC/issuing.cer -alias <choose_an_alias_name> -password welcome
- backup important files
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
- backup important files
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
- backup important files
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
- backup important files
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
- backup important files
https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
20. Stop the OMS all
$OMS_HOME/bin/emctl stop oms -all -force
21. Start OMS Admin Only Service
$OMS_HOME/bin/emctl start oms -admin_only
22. Secure Weblogic
$OMS_HOME/bin/emctl secure wls -wallet $ORACLE_WALLET_LOC
23. Stop OMS all
$OMS_HOME/bin/emctl stop oms -all -force
24. Start OMS all
$OMS_HOME/bin/emctl start oms
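
A way to confirm the outcome of the procedure above, added here as an example and not part of the original thread: the function reads the handshake summary that `openssl s_client` prints and flags a weak ephemeral Diffie-Hellman key or an undersized certificate key. The function name, the two thresholds and the sample text are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the summary printed by
#   openssl s_client -connect host:port </dev/null 2>/dev/null
# Thresholds are assumptions; adjust to local policy.
MIN_DH_BITS=1024     # assumed floor for ephemeral DH parameters
MIN_CERT_BITS=2048   # assumed floor for the server certificate key

# Reads s_client output on stdin, prints one finding per line,
# returns 0 when there are no findings and 1 otherwise.
check_handshake() {
    awk -v min_dh="$MIN_DH_BITS" -v min_cert="$MIN_CERT_BITS" '
        /Server Temp Key: DH,/ {            # "Server Temp Key: DH, 512 bits"
            seen_dh = 1; bits = $(NF-1) + 0
            if (bits < min_dh) { print "WEAK_DH " bits; bad = 1 }
        }
        /Cipher is (DHE|EDH)-/ { dhe = 1 }  # negotiated suite uses finite-field DHE
        /Server public key is/ {            # "Server public key is 2048 bit"
            seen_cert = 1; bits = $(NF-1) + 0
            if (bits < min_cert) { print "WEAK_CERT_KEY " bits; bad = 1 }
        }
        END {
            # DHE suite but no size reported: the fix cannot be confirmed
            if (dhe && !seen_dh) { print "DH_SIZE_UNKNOWN"; bad = 1 }
            if (!seen_cert)      { print "NO_CERT_INFO";    bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample inputs (not captured from a real OMS host).
SAMPLE_BEFORE='Server Temp Key: DH, 512 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 512 bit'
SAMPLE_AFTER='Server Temp Key: DH, 2048 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | check_handshake; then
        echo "handshake summary OK"
    fi
done
```

Against a live console, pipe the `openssl s_client` command from the header comment into `check_handshake`; a `DH_SIZE_UNKNOWN` finding means the local OpenSSL build did not report the temporary key size.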


