PRIVILEGES IN THE ROLE (MINIMUM SET)
1. From the Setup menu, select Security, then select Registration Passwords
2.3.7 Custom Configurations
2.3.7.1 Configuring Custom Certificates for WebLogic Server
WebLogic Servers installed as part of Enterprise Manager Cloud Control (Administration Server and Managed Servers) are configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Server trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment.
The default demo certificate configured for WLS has a key length of 512 bits. If Microsoft's security update for minimum certificate key length (KB2661254) has been applied on the browser machine, the WebLogic Admin Console will not be accessible in Internet Explorer. If you want to access the WebLogic Admin Console using Internet Explorer, configure a custom certificate for WLS.
The following sections step you through configuring custom WebLogic Server certificates:
1. Create a Java KeyStore or Wallet for each OMS
2. Import Custom CA Certificates into the Agents Monitoring Trust Store
3. Configure the Custom Certificate for each WLS
Note: This procedure is applicable to Enterprise Manager 12c Cloud Control (12.1.0.2) and higher.
2.3.7.1.1 Create a Java KeyStore or Wallet for each OMS
1. Create a Java keystore (JKS) for each OMS in the environment.
Regardless of whether the OMS is configured with a server load balancer, specify the OMS machine name as the CN (for example, CN=myoms.mydomain.com) when generating the Certificate Signing Request (CSR). The OMS machine name is the value of the EM_INSTANCE_HOST property in <EM_Instance_Home>/emgc.properties.
Make a note of the keystore password, private key entry's alias, and private key password of each keystore.
Note: Use only the signature algorithms supported by WLS.
2. Copy the keystores to corresponding OMS machines or place them in a location accessible from OMS machines.
Example: The keystores are /scratch/oms1.jks, /scratch/oms2.jks , /scratch/oms3.jks
3. Write the CA certificates to individual files (one CA certificate per file). Either copy these certificate files to the OMS machines or place them in a location accessible from the OMS machines.
Example: The filenames are /scratch/ca1cert.cer, /scratch/ca2cert.cer, /scratch/ca3cert.cer
2.3.7.1.2 Import Custom CA Certificates into the Agents Monitoring Trust Store
Execute the following steps on the Management Agents running on the OMS machines, which are installed along with the OMS.
Note: Only required on Agents installed along with OMS and not on any other Agents.
1. Stop the Agent:
<Agent_Instance_Home>/bin/emctl stop agent
2. Import the custom CA certificate into the Agent:
<Agent_Instance_Home>/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc <ca_cert_file>
-alias <certalias> [-password <montrust_jks_pwd>]
Example:
<Agent_Instance_Home>/bin/emctl secure add_trust_cert_to_jks -trust_certs_loc /scratch/ca1cert.cer
-alias ca1certalias [-password welcome]
Repeat this step for each CA involved in issuing the custom certificate, specifying a different alias each time.
3. Start the Agent:
<Agent_Instance_Home>/bin/emctl start agent
2.3.7.1.3 Configure the Custom Certificate for each WLS
Execute the following steps on each OMS:
1. Stop the OMS:
<OMS_Home>/bin/emctl stop oms
2. Run the following command:
emctl secure wls (-jks_loc <loc> -jks_pvtkey_alias <alias> [-jks_pwd <pwd>] [-jks_pvtkey_pwd <pwd>] | -wallet <loc>)
Specify either jks_loc and jks_pvtkey_alias, or wallet.
Example:
<OMS_OH>/bin/emctl secure wls -jks_loc /scratch/oms1.jks -jks_pvtkey_alias pvtkey1alias
<OMS_OH>/bin/emctl secure wls -wallet /scratch/omswallet
3. Stop the OMS:
<OMS_Home>/bin/emctl stop oms -all
4. Start the OMS:
<OMS_Home>/bin/emctl start oms
Note: The above steps need to be repeated on all Management Services.
2.3.7.1.4 Rolling back the WebLogic Servers to Demonstration Certificate
If you need to switch back to the default WebLogic demonstration certificates, execute the following steps on each OMS.
1. Stop the OMS:
<OMS_Home>/bin/emctl stop oms
2. Run the following command:
<OMS_Home>/bin/emctl secure wls -use_demo_cert
3. Stop the OMS:
<OMS_Home>/bin/emctl stop oms -all
4. Start the OMS:
<OMS_Home>/bin/emctl start oms
Note: The above steps need to be executed on all Management Services.
2.3.7.2 Configuring Custom Certificates for OMS Console Access
To configure the third party certificate for HTTPS WebTier Virtual Host:
1. Create a wallet for each OMS in the Cloud. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name.
2. Run the following command on each OMS and then restart that OMS:
emctl secure console -wallet <location of custom wallets> -self_signed [-host]
Note: One of the arguments -wallet or -self_signed is mandatory.
Note: Only Single-Sign-On (SSO) wallets are supported.
2.3.7.3 Configuring Custom Certificates for OMS Upload Access
You can configure the third party certificate for the HTTPS Upload Virtual Host in two ways:
Method I
1. Create a wallet for each OMS in the Cloud.
2. While creating the wallet, specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Load Balancer for Common Name.
3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.
4. Download or copy the trusted_certs.txt file to the host machines on which each Agent that is communicating with the OMS is running.
5. Import the custom CA certificate(s) as trust certificate(s) for Agent by running the following command:
emctl secure add_trust_cert -trust_certs_loc <location of the trusted_certs.txt file>
6. Restart the Agent.
7. Secure the OMS and restart it.
emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
Method 2
1. Create a wallet for each OMS in the Cloud.
2. Specify the host name of the machine where the OMS is installed or the Load Balancer Name if the OMS is behind the Server Load Balancer for Common Name (CN).
3. Write the certificates of all the Certificate Authorities in the certificate chain (like the Root Certificate Authority, Intermediate Certificate Authority) into a file named trusted_certs.txt.
4. Secure the OMS.
emctl secure oms -wallet <location of wallet> -trust_certs_loc <loc of trusted_certs.txt> [any other options]
5. Restart the OMS.
6. Either re-secure the Agent by running the emctl secure agent command (should be run on all Agents) or import the trust points by running the emctl secure command.
Note: The trusted certs file (trusted_certs.txt) should contain only certificates in Base64 (PEM) format and no special characters or comments.
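The steps above ask for two artifacts built from the same material: one file per CA certificate with a distinct alias each (for emctl secure add_trust_cert_to_jks in 2.3.7.1.2) and a single trusted_certs.txt holding only Base64 certificate blocks (for emctl secure add_trust_cert and emctl secure oms in this section). The following helper is an added example and not Oracle's code; the function names, the /scratch file naming (modelled on the ca1cert.cer / ca1certalias example earlier on the page) and the two sample certificate blocks are constructed for illustration. The sample blocks are minimal DER SEQUENCEs, not real certificates: the check only verifies that each block is valid Base64 decoding to an ASN.1 SEQUENCE and that nothing but certificate blocks and whitespace is present, which is exactly the condition the note states.

```python
"""Split a PEM chain into per-CA files and validate a trusted_certs.txt body.
Added example, not part of the Oracle documentation or tooling."""
import base64
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample: two PEM blocks whose bodies are tiny DER SEQUENCEs
# (30 03 02 01 01 and 30 03 02 01 02), NOT real certificates.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
)


def split_pem_chain(pem_text: str) -> list:
    """Return every certificate in a PEM bundle as its own normalized block.
    Raises ValueError on malformed Base64 or a body that is not a DER SEQUENCE."""
    blocks = []
    for match in PEM_RE.finditer(pem_text):
        body = "".join(match.group(1).split())  # strip line breaks/whitespace
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
        if not der or der[0] != 0x30:  # X.509 certificates are ASN.1 SEQUENCEs
            raise ValueError("certificate block is not a DER SEQUENCE")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(
            f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        )
    if not blocks:
        raise ValueError("no certificate blocks found")
    return blocks


def check_trusted_certs(text: str) -> int:
    """Validate a trusted_certs.txt body as the note requires: only Base64
    certificate blocks, nothing else (no comments, no 'Bag Attributes' headers).
    Returns the number of certificates."""
    count = len(split_pem_chain(text))
    leftover = PEM_RE.sub("", text).strip()
    if leftover:
        raise ValueError(f"unexpected text outside certificate blocks: {leftover[:40]!r}")
    return count


def ca_file_plan(blocks: list, out_dir: str) -> list:
    """Assign each CA block a file name and a distinct keystore alias, following
    the page's ca1cert.cer / ca1certalias example (naming is an assumption)."""
    return [
        (Path(out_dir) / f"ca{i}cert.cer", f"ca{i}certalias", block)
        for i, block in enumerate(blocks, start=1)
    ]


def write_artifacts(pem_text: str, out_dir: str) -> Path:
    """Write one file per CA plus a combined trusted_certs.txt; return its path."""
    blocks = split_pem_chain(pem_text)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for path, _alias, block in ca_file_plan(blocks, out_dir):
        path.write_text(block)
    combined = out / "trusted_certs.txt"
    combined.write_text("".join(blocks))
    check_trusted_certs(combined.read_text())  # fail early, before emctl does
    return combined


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        target = write_artifacts(SAMPLE_CHAIN, tmp)
        for path, alias, _ in ca_file_plan(split_pem_chain(SAMPLE_CHAIN), tmp):
            print(f"{path}  alias={alias}")
        print(f"{target}: {check_trusted_certs(target.read_text())} certificate(s)")
```

Feed the real CA chain (root and intermediates) in place of SAMPLE_CHAIN; each emitted file can then be passed to emctl secure add_trust_cert_to_jks with its alias, and the combined file to -trust_certs_loc. The check is deliberately structural only; it does not verify signatures, validity periods or that the chain actually issued the OMS certificate.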
2.3.7.4 Configuring Transport Layer Security
The Oracle Management Service can be configured in the following modes:
■ TLSv1-only mode: To configure the OMS to use only TLSv1 connections, do the following:
1. Stop the OMS by entering the following command:
<OMS_ORACLE_HOME>/bin/emctl stop oms
2. Enter the following command:
emctl secure oms -protocol TLSv1
3. Append -Dweblogic.security.SSL.protocolVersion=TLS1 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh (startEMServer.cmd on Windows). If this property already exists, update the value to TLS1.
4. Restart the OMS with the following command:
<OMS_ORACLE_HOME>/bin/emctl start oms
■ SSLv3-only mode: To configure the OMS to use SSLv3 connections only, do the following:
1. Stop the OMS by entering the following command:
<OMS_ORACLE_HOME>/bin/emctl stop oms
2. Enter the following command:
emctl secure oms -protocol SSLv3
3. Append -Dweblogic.security.SSL.protocolVersion=SSL3 to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh (startEMServer.cmd on Windows). If this property already exists, update the value to SSL3.
4. Restart the OMS with the following command:
<OMS_ORACLE_HOME>/bin/emctl start oms
■ Mixed mode: To configure the OMS to use both SSLv3 and TLSv1 connections, do the following:
1. Stop the OMS by entering the following command:
<OMS_ORACLE_HOME>/bin/emctl stop oms
2. Enter the following command:
emctl secure oms
3. Append -Dweblogic.security.SSL.protocolVersion=ALL to JAVA_OPTIONS in Domain_Home/bin/startEMServer.sh. If this property already exists, update the value to ALL.
4. Restart the OMS with the following command:
<OMS_ORACLE_HOME>/bin/emctl start oms
Note: By default, the OMS is configured to use the Mixed mode. To configure the Management Agent in TLSv1-only mode, set allowTLSOnly=true in the emd.properties file and restart the Agent.
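Step 3 of each mode is the same edit with a different value ("append the property to JAVA_OPTIONS, or update it if already present"), and the final note asks for a similar key=value change in emd.properties. The following helper is an added example, not Oracle's code: the function names and the sample startEMServer.sh / emd.properties lines are constructed for illustration. It applies both edits idempotently, so rerunning it with the same mode leaves the files unchanged, and it never appends a second copy of a property that is already there, which is the mistake the "if this property already exists" wording guards against.

```python
"""Idempotent edits for the TLS mode steps above: the JAVA_OPTIONS property in
startEMServer.sh and allowTLSOnly in emd.properties. Added example only."""
import re

# Mode -> value of the WebLogic property, exactly as listed in the three modes above.
PROTOCOL_VERSION = {"TLSv1": "TLS1", "SSLv3": "SSL3", "Mixed": "ALL"}
PROP = "-Dweblogic.security.SSL.protocolVersion"
# The value runs up to whitespace or a closing quote so we never swallow the quote.
PROP_RE = re.compile(re.escape(PROP) + r"=[^\s\"']+")


def set_protocol_version(script_text: str, mode: str) -> str:
    """Return startEMServer.sh text with PROP=<value> on the JAVA_OPTIONS line:
    updated in place if present, otherwise appended inside the closing quote.
    Assumes a single JAVA_OPTIONS=... assignment; every such line is edited."""
    value = PROTOCOL_VERSION[mode]  # KeyError for an unknown mode is intended
    out, found = [], False
    for line in script_text.splitlines(keepends=True):
        if line.lstrip().startswith("JAVA_OPTIONS="):
            found = True
            if PROP_RE.search(line):
                line = PROP_RE.sub(f"{PROP}={value}", line)
            else:
                newline = "\n" if line.endswith("\n") else ""
                body = line.rstrip("\n")
                if body.endswith('"'):  # JAVA_OPTIONS="... <prop>"
                    body = body[:-1] + f" {PROP}={value}" + '"'
                else:                   # unquoted assignment
                    body = body + f" {PROP}={value}"
                line = body + newline
        out.append(line)
    if not found:
        raise ValueError("no JAVA_OPTIONS assignment found in script")
    return "".join(out)


def set_property(props_text: str, key: str, value: str) -> str:
    """Set key=value in a Java .properties body (e.g. allowTLSOnly=true in
    emd.properties), replacing the existing assignment or appending one.
    Commented-out lines (#key=...) are left alone and do not count as present."""
    key_re = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]")
    lines = props_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if key_re.match(line):
            lines[i] = f"{key}={value}\n"
            return "".join(lines)
    if lines and not lines[-1].endswith("\n"):
        lines[-1] += "\n"
    return "".join(lines) + f"{key}={value}\n"


# Constructed sample inputs (not copied from a real installation).
SAMPLE_SCRIPT = 'JAVA_OPTIONS="-Xms256m -Xmx1024m"\n'
SAMPLE_EMD = "agentTZRegion=UTC\n#allowTLSOnly=false\n"

if __name__ == "__main__":
    script = set_protocol_version(SAMPLE_SCRIPT, "TLSv1")
    print(script, end="")
    print(set_protocol_version(script, "Mixed"), end="")  # value updated, not duplicated
    print(set_property(SAMPLE_EMD, "allowTLSOnly", "true"), end="")
```

Run it against copies of Domain_Home/bin/startEMServer.sh and <Agent_Instance_Home>/sysman/config/emd.properties (path is an assumption; use the emd.properties of your Agent) and diff before replacing the originals; the emctl secure oms -protocol step and the restarts are still done with emctl as described above.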