
Enabling security for OEM Grid Control 11g fails

User13542511-Oracle, Jul 6 2011 — edited Jul 11 2011
Hi Experts,

One of my customers is referring to the command below to secure OMS, and it fails.
emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>] [-host <hostname>] [-slb_port <slb port>] [-slb_console_port <slb console port>] [-reset] [-console] [-lock] [-lock_console] [-secure_port <secure_port>] [-upload_http_port <upload_http_port>] [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>] [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>] [-wallet <wallet_loc> -trust_certs_loc <certs_loc>] [-wallet_pwd <pwd>] [-key_strength <strength>] [-cert_validity <validity>] [-protocol <protocol>]

The error message is as below.
Securing OMS... Started.
<May 31, 2011 4:40:31 PM CEST> <Warning> <Security> <BEA-090504> <Certificate chain received from <hostname of the actual node running OEM> - <IP of the hostname of the actual node running OEM> failed hostname verification check. Certificate contained <SLB hostname> but check expected <hostname of the actual node running OEM>
Securing OMS... Failed


The brief background of the wallet creation is as below.
The actual certificate and CSR are created using openssl with a config file, openssl-oemgc.cnf. This is according to the customer organization's policy and how the production signed certificates have to be requested. The CN is indeed <SLB hostname>. The syntax used was:

openssl req -new -keyout <SLB hostname>.key -out <SLB hostname>.csr -config openssl-oemgc.cnf

The config file content can be referred to in the service request.

Following the guide on
http://download.oracle.com/docs/cd/E21764_01/web.1111/e13749/utils.htm#ADMRF151
the certificates were imported into a java keystore 'identity.jks'. And the certificate chain was imported in a java keystore 'trust.jks'.

With these, the customer has followed note 1278609.1 to configure these keystores in WLS. The certificates show up fine without errors in the browser when opening the WLS console.

Then, according to note 1116717.1, the customer has created an Oracle wallet. Then he copied that wallet to an old 10g Oracle Application Server, opened the wallet with 'owm' and saved it. Then he copied the wallet to the new OEM Grid Control, opened it with 'owm' (this now succeeds) and saved it with SSO. This is the wallet that the customer is using while trying to secure the OMS.

Service Request: 3-3731274961


Any input is highly appreciated.

Thanks
Prakash

Edited by: user13542511 on Jul 6, 2011 8:09 AM
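
Added example, not part of the original post: the BEA-090504 warning quoted above is a hostname-verification mismatch (certificate names the SLB host, the check expects the node host), and the same comparison can be run offline with OpenSSL's `-checkhost` option. The hostnames are constructed placeholders, the throwaway self-signed certificate stands in for the customer's signed one, and OpenSSL's matcher is used as an approximation of the WebLogic check, not WebLogic's own verifier.

```bash
#!/usr/bin/env bash
# Constructed placeholder names (assumptions, not taken from the post).
SLB_HOST="slb.example.test"        # name the certificate was issued for (CN)
NODE_HOST="oms-node1.example.test" # name of the node actually running the OMS

# make_cert <CN> <out.pem>: throwaway self-signed certificate with only a CN.
make_cert() {
  local keyfile
  keyfile=$(mktemp) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$keyfile" -out "$2" 2>/dev/null
  local rc=$?
  rm -f "$keyfile"
  return $rc
}

# cert_matches <cert.pem> <hostname>: exit status 0 only when the name matches.
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match certificate"
}

# report <cert.pem> <hostname>...: one verdict line per hostname.
report() {
  local cert=$1 host
  shift
  for host in "$@"; do
    if cert_matches "$cert" "$host"; then
      echo "MATCH     $host"
    else
      echo "MISMATCH  $host"
    fi
  done
}

# Demo: a certificate issued for the SLB name, checked against both names.
workdir=$(mktemp -d)
make_cert "$SLB_HOST" "$workdir/slb.pem"
openssl x509 -in "$workdir/slb.pem" -noout -subject
report "$workdir/slb.pem" "$SLB_HOST" "$NODE_HOST"
```

To check a real certificate, export it from the keystore or wallet to PEM and pass that file to `report` together with every hostname the OMS is reached by.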
Locked on Aug 8 2011
Added on Jul 6 2011