Tags
Outbound CA Certificates
Certificate files from certifying authorities are widely used for authentication. Oracle has already loaded an exhaustive set of CA certs inside your OMS server.
Outward bound communication, like connections to an LDAP server, may require a CA cert to authenticate your connection. Someone in your company is responsible for issuing and managing those certificates. This procedure shows how easy it is to add your local certs.
Working with keytool
Certificate files are very simple text files that contain strings of nonsense text.
You can only read and edit the cacerts file using keytool (available on all hosts). It is strongly recommended that you make edits to a copy of the cacerts file, verify the changes, and then deploy it.
Command | Discussion |
---|---|
keytool –list –v –alias MY_CACERT -keystore cacerts | Lists all CA certs in the keystore
You set the alias name The java keystore filename in OEM is ‘cacerts’. There is no jks suffix. |
keytool -import -keystore cacerts -alias MY_CACERT -file /tmp/newcert.crt | You can add a new certificate to the keystore using this command |
Note about hyphens: After you paste these commands into your terminal you must manually replace each hyphen before executing the command. Otherwise it throws an error. |
Installing cacerts
Task
|
Description or Illustration
|
Click stream or command
|
---|---|---|
Backup your config.xml
All config details for your admin server are stored in this file |
cd ../gc_inst1/user_projects/domains/GCDomain/config
cp config.xml config.xml_before_cacert |
|
Create a working copy of the existing cacerts file, import your cert, then verify it | You can’t change the location the cacerts file
Copy the updated cacerts file to all OMS servers in your cluster |
cd ../MW13200/oracle_common/jdk/jre/lib/security
mkdir work cp cacerts work/cacerts cd work #Execute the keytool import to add your certificate to the work copy of cacerts. #Password for cacerts file can be found in MOS by searching for cacerts. #The execute keytool list command to verify the import cp cacerts ../cacerts |
Bounce all OMS servers
to load updated file |
||
Rollback if required | The admin server will not start if it encounters errors | emctl stop oms -all
cd ../gc_inst1/user_projects/domains/GCDomain/config cp -f config.xml_before_cacert config.xml emctl start oms -admin_only |