EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]

From: Chris Taylor <christopherdtaylor1994_at_gmail.com>
Date: Mon, 16 Nov 2015 18:11:10 -0600
Message-ID: <CAP79kiQj=e+CuKB6BkZ3XkNCyOTvv_jQpemmRB78hAUwN1mtxQ_at_mail.gmail.com>

I'm probably going to [re]start a blog just because of this issue. HUGE thanks goes out to Brian Pardy for his help on this and writing a great blog about recreating (modifying) the Oracle Wallets to get rid of the demo certs.

First, this "adventure" started with laying down EM 12.1.0.5 vanilla install. Due to the numerous java vulnerabilities identified in the last 12-15 months, there have been several patches that browser makers have applied and pushed out. These browser updates effectively "broke" the ability to peruse EM 12c (the console) and generated numerous Metalink documents.

The error was:

https://host:port/console generates Server has a weak ephemeral Diffie-Hellman public key. The https://host:port/em server seemed to work ok.

Secondly, after trying to patch this problem away using the CPU 2015 Patch Guide (Applying Enterprise Manager 12c Recommended Patches (Doc ID 1664074.1), the brokeness of the EM 12.1.0.5 install only increased.

Then, I ran across Brian Pardy's blog post about setting the Oracle wallets and getting rid of the demo certs and generating new certificates HERE:

https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/

(I skipped the section "Creating Wallets for each agent" about generating certificates for each agent for now as that would require CSRs for each host where an agent will be running. I might come back to that though.

So, here's the steps that got me to a perfectly useable EM 12.1.0.5 installation. I'm going to attempt the October 2015 Patching guide again now but at least I know I can flash back to this structure and it be useable.
In a nutshell, when laying down EM 12.1.0.5 vanilla install today, you *REALLY *should get 1024 or 2048 bit keys, appropriate Trusted/Issuing/User Certificates, and patch Weblogic.

Steps (at a high level) - the only steps I came up with were the 3 Weblogic Patching steps to support Keys longer than 512 bits (steps 16-18). This may be messy but I formatted it with FIXED WIDTH and it shows up correctly in draft mode.

01. Install EM 12.1.0.5 Software Browse to https://host:port/console - should receive error due to browser updates. If not, you don't have the latest updates.
02. Backup installed directories:
- agent dir $ORACLE_BASE/product/agent12c

middleware dir $ORACLE_BASE/product/middleware
instance dir $ORACLE_BASE/product/gc_inst
swlib dir $ORACLE_BASE/product/swlib 03. Create an Oracle Wallet https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 04. Generate 2048 bit Keys inside wallet https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 05. Generate certificate signing request (CSR) for the created wallet https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 06. Send CSR to Signing Authority https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 07. After receiving certs import them into the wallet https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 08. Secure the OMS Console https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 09. Restart OMS https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 10. Secure the OMS upload port https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 11. Restart OMS https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 12. Secure the OMS upload port https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 13. Re-secure all agents https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 14. Shutdown oms all $OMS_HOME/bin/emctl stop oms -all -force 15. Uninstall Delivered Weblogic Patches $MW_HOME/utils/bsu/bsu.sh -remove
-patchlist=6D9T,WE1X,SRUM -prod_dir=$MW_HOME/wlserver_10.3/
16. Patch Weblogic (p20780171 EJUW - includes previous patches) $MW_HOME/utils/bsu/bsu.sh
-install -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=EJUW
-prod_dir=$MW_HOME/wlserver_10.3/
17. Patch Weblogic #2 (p16420963 GDFA) $MW_HOME/utils/bsu/bsu.sh -install
-patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=GDFA
-prod_dir=$MW_HOME/wlserver_10.3/
18. Patch Weblogic #3 (p13964737 VP7Z) $MW_HOME/utils/bsu/bsu.sh -install
-patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=EVP7Z
-prod_dir=$MW_HOME/wlserver_10.3/
19. Secure WebLogic with the OMS wallet
first secure the agent (root ca cert) $OMS_HOME/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc $ORACLE_WALLET_LOC/root.cer -alias <choose_an_alias_name> -password welcome
secure the agent (issuing ca cert) $OMS_HOME/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc $ORACLE_WALLET_LOC/issuing.cer
-alias <choose_an_alias_name> -password welcome
backup important files https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
backup important files https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
backup important files https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
backup important files https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
backup important files https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/ 20. Stop the OMS all $OMS_HOME/bin/emctl stop oms -all -force 21. Start OMS Admin Only Service $OMS_HOME/bin/emctl start oms -admin_only 22. Secure Weblogic $OMS_HOME/bin/emctl secure wls -wallet $ORACLE_WALLET_LOC 23. Stop OMS all $OMS_HOME/bin/emctl stop oms -all -force 24. Start OMS all $OMS_HOME/bin/emctl start oms

--

http://www.freelists.org/webpage/oracle-l Received on Tue Nov 17 2015 - 01:11:10 CET

This message: [ Message body ]
Next message: August Spier: "Re: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]"
Previous message: Rich J: "Re: Segment growth monitoring"
Next in thread: August Spier: "Re: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]"
Reply: August Spier: "Re: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]"
Reply: Chitale, Hemant K: "RE: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message