Re: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]

From: Chris Taylor <christopherdtaylor1994_at_gmail.com>
Date: Mon, 16 Nov 2015 21:33:22 -0600
Message-ID: <CAP79kiQ+7HwHHx=KzddUir_W=OZN+8F_3CGDjiWCDgeTS+XTsA_at_mail.gmail.com>



Right but wanted to get it out there since Oracle-L is searchable - might help someone in the same boat :)

Chris

On Mon, Nov 16, 2015 at 9:25 PM, Chitale, Hemant K <Hemant-K.Chitale_at_sc.com> wrote:

> > I'm probably going to [re]start a blog just because of this issue.
>
>
>
> Agreed. Too much detail in an email that may disappear.
>
>
>
> Hemant K Chitale
>
>
>
>
>
> From: oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] On Behalf Of Chris Taylor
> Sent: Tuesday, November 17, 2015 8:11 AM
> To: oracle-l_at_freelists.org
> Subject: EM 12.1.0.5 Up and Running (Thanks to Brian Pardy) [Solution]
>
>
>
> I'm probably going to [re]start a blog just because of this issue. HUGE
> thanks goes out to Brian Pardy for his help on this and writing a great
> blog about recreating (modifying) the Oracle Wallets to get rid of the demo
> certs.
>
>
>
> First, this "adventure" started with laying down EM 12.1.0.5 vanilla
> install. Due to the numerous java vulnerabilities identified in the last
> 12-15 months, there have been several patches that browser makers have
> applied and pushed out. These browser updates effectively "broke" the
> ability to peruse EM 12c (the console) and generated numerous Metalink
> documents.
>
>
>
> The error was:
>
>
>
> https://host:port/console generates Server has a weak ephemeral
> Diffie-Hellman public key. The https://host:port/em server seemed to
> work ok.
>
>
>
> Secondly, after trying to patch this problem away using the CPU 2015 Patch
> Guide (Applying Enterprise Manager 12c Recommended Patches (Doc ID
> 1664074.1)), the brokenness of the EM 12.1.0.5 install only increased.
>
>
>
> Then, I ran across Brian Pardy's blog post about setting the Oracle
> wallets and getting rid of the demo certs and generating new certificates
> HERE:
>
>
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
>
>
> (I skipped the section "Creating Wallets for each agent" about generating
> certificates for each agent for now as that would require CSRs for each
> host where an agent will be running. I might come back to that though.)
>
>
>
> So, here are the steps that got me to a perfectly useable EM 12.1.0.5
> installation. I'm going to attempt the October 2015 Patching guide again
> now but at least I know I can flash back to this structure and it will be
> useable.
>
> In a nutshell, when laying down EM 12.1.0.5 vanilla install today, you REALLY
> should get 1024 or 2048 bit keys, appropriate Trusted/Issuing/User
> Certificates, and patch Weblogic.
>
>
>
> Steps (at a high level) - the only steps I came up with were the 3
> Weblogic Patching steps to support Keys longer than 512 bits (steps 16-18).
> This may be messy but I formatted it with FIXED WIDTH and it shows up
> correctly in draft mode.
>
>
>
> 01. Install EM 12.1.0.5 Software
> Browse to https://host:port/console - should receive error due to browser
> updates. If not, you don't have the latest updates.
>
> 02. Backup installed directories:
>
> - agent dir $ORACLE_BASE/product/agent12c
>
> - middleware dir $ORACLE_BASE/product/middleware
>
> - instance dir $ORACLE_BASE/product/gc_inst
>
> - swlib dir $ORACLE_BASE/product/swlib
>
> 03. Create an Oracle Wallet
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 04. Generate 2048 bit Keys inside wallet
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
>
> 05. Generate certificate signing request (CSR) for the created wallet
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 06. Send CSR to Signing Authority
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 07. After receiving certs import them into the wallet
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 08. Secure the OMS Console
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 09. Restart OMS
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 10. Secure the OMS upload port
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 11. Restart OMS
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 12. Secure the OMS upload port
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 13. Re-secure all agents
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 14. Shutdown oms all
> $OMS_HOME/bin/emctl stop oms -all -force
>
> 15. Uninstall Delivered Weblogic Patches
> $MW_HOME/utils/bsu/bsu.sh -remove -patchlist=6D9T,WE1X,SRUM
> -prod_dir=$MW_HOME/wlserver_10.3/
>
> 16. Patch Weblogic (p20780171 EJUW - includes previous patches)
> $MW_HOME/utils/bsu/bsu.sh -install
> -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=EJUW
> -prod_dir=$MW_HOME/wlserver_10.3/
>
> 17. Patch Weblogic #2 (p16420963 GDFA)
> $MW_HOME/utils/bsu/bsu.sh -install
> -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=GDFA
> -prod_dir=$MW_HOME/wlserver_10.3/
>
> 18. Patch Weblogic #3 (p13964737 VP7Z)
> $MW_HOME/utils/bsu/bsu.sh -install
> -patch_download_dir=$MW_HOME/utils/bsu/cache_dir/ -patchlist=VP7Z
> -prod_dir=$MW_HOME/wlserver_10.3/
>
> 19. Secure WebLogic with the OMS wallet
>
> - first secure the agent (root ca cert)
> $OMS_HOME/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc
> $ORACLE_WALLET_LOC/root.cer -alias <choose_an_alias_name> -password welcome
>
> - secure the agent (issuing ca cert)
> $OMS_HOME/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc
> $ORACLE_WALLET_LOC/issuing.cer -alias <choose_an_alias_name> -password
> welcome
>
> - backup important files
> https://pardydba.wordpress.com/2015/03/03/step-by-step-configuring-third-party-ssltls-certificates-in-em12c-r4/
>
> 20. Stop the OMS all
> $OMS_HOME/bin/emctl stop oms -all -force
>
> 21. Start OMS Admin Only Service
> $OMS_HOME/bin/emctl start oms -admin_only
>
> 22. Secure Weblogic
> $OMS_HOME/bin/emctl secure wls
> -wallet $ORACLE_WALLET_LOC
>
> 23. Stop OMS all
> $OMS_HOME/bin/emctl stop oms -all -force
>
> 24. Start OMS all
> $OMS_HOME/bin/emctl start oms
>
>
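The thread's symptom ("Server has a weak ephemeral Diffie-Hellman public key") and its fix (2048-bit keys in a proper wallet plus WebLogic patches that allow keys longer than 512 bits) can be checked from the outside before and after the steps above. The script below is an added example written for this archive page; it is not from Chris Taylor's post, from Brian Pardy's blog, or from Oracle. It assumes only the `openssl` command-line tool: `openssl s_client` prints a "Server public key is N bit" line for the certificate's key and, on OpenSSL 1.0.2 and later, a "Server Temp Key: DH, N bits" line for the ephemeral key. The function names (`pubkey_bits`, `tempkey_info`, `key_verdict`, `probe_endpoint`) are my own, and the `SAMPLE_*` transcripts are constructed to look like that output, not captured from a real OMS.

```shell
#!/bin/sh
# Added example (not from the oracle-l post or Brian Pardy's blog): check an
# OMS/WebLogic TLS endpoint for the key sizes that made browsers refuse the
# EM 12c console. Parsing works on the text `openssl s_client` prints; the
# SAMPLE_* strings below are constructed to resemble it, not real captures.

# "Server public key is N bit" -> N (size of the certificate's RSA key).
pubkey_bits() {
  printf '%s\n' "$1" | sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# "Server Temp Key: DH, N bits" -> "DH N"; an ECDH line gives "ECDH N".
# Prints nothing when the cipher suite used no ephemeral key (plain RSA exchange).
tempkey_info() {
  printf '%s\n' "$1" | sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\),.* \([0-9][0-9]*\) bits.*/\1 \2/p' | head -n 1
}

# Verdict for one s_client transcript: "weak" if the certificate key or a
# finite-field DH ephemeral key is shorter than MIN bits (default 1024, the
# lower of the two sizes the post recommends; 2048 is the sensible target),
# otherwise "ok". Elliptic-curve ephemeral keys (ECDH, X25519) are measured
# on a different scale and are deliberately not held to this threshold.
key_verdict() {
  out="$1"
  min="${2:-1024}"
  pk=$(pubkey_bits "$out")
  if [ -z "$pk" ]; then pk=0; fi       # no certificate line at all: treat as failing
  if [ "$pk" -lt "$min" ]; then echo weak; return 0; fi
  tk=$(tempkey_info "$out")
  if [ -n "$tk" ]; then
    kind=${tk% *}
    bits=${tk#* }
    if [ "$kind" = "DH" ] && [ "$bits" -lt "$min" ]; then echo weak; return 0; fi
  fi
  echo ok
}

# Live probe (needs network; not exercised by the samples): run the handshake
# against a real host/port, e.g. the console port, and judge the transcript.
probe_endpoint() {
  transcript=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null)
  key_verdict "$transcript" "${3:-1024}"
}

# Constructed transcript of a vanilla install still on the demo certificate
# and a 512-bit DHE group (the symptom described in the thread).
SAMPLE_WEAK='CONNECTED(00000003)
---
Server certificate
subject=/C=US/O=Constructed Example/CN=host.example.com
issuer=/C=US/O=Constructed Example/CN=Demo CA
---
No client certificate CA names sent
Server Temp Key: DH, 512 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 512 bit
---'

# Constructed transcript after re-keying with a 2048-bit CA-issued certificate
# and patched WebLogic negotiating a 2048-bit DH group.
SAMPLE_OK='CONNECTED(00000003)
---
Server certificate
subject=/C=US/O=Constructed Example/CN=host.example.com
issuer=/C=US/O=Constructed Example/CN=Issuing CA 1
---
Server Temp Key: DH, 2048 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---'

# Constructed transcript with an elliptic-curve ephemeral key: 256 bits is
# fine here and must not be reported as weak.
SAMPLE_ECDH='CONNECTED(00000003)
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---'

# Usage: sh check_em_tls.sh host 7799   (prints "weak" or "ok" for that endpoint)
if [ $# -eq 2 ]; then probe_endpoint "$1" "$2"; fi
```

Run it against the console port before step 01 to record the failing state, and again after step 24; the verdict should move from "weak" to "ok". Passing a third argument of 2048 to `probe_endpoint` enforces the stricter size the post ultimately generated in the wallet.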

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 17 2015 - 04:33:22 CET
