- Log in to your database server: dbadeeds.co.dbasystems.com
- Look up the agent13c home in /etc/oratab and keep it in a variable:
AGH=/u01/app/oracle/oem13c/agent_13.2.0.0.0
- Create a directory for agwallets
mkdir -p /u01/app/oracle/agwallets
- Make sure orapki exists at the location below (it ships under the agent home). If not, check /etc/oratab for the agent home path.
export PKI=/u01/app/oracle/oem13c/agent_13.2.0.0.0/oracle_common/bin/orapki
dbadeeds:/u01/app/oracle/agwallets
oracle:agent13c $ cd /u01/app/oracle/agwallets
- Create the wallet, generate the key pair and export the CSR. In the DN, CN is the server name, O the company name and L the location; -keysize is the RSA key length in bits (2048 here). The -pwd value (ask_admin here) is the wallet password and must be the same on every command that touches the wallet.
$PKI wallet create -wallet /u01/app/oracle/agwallets -auto_login
$PKI wallet add -wallet /u01/app/oracle/agwallets -dn "CN=dbadeeds.co.dbasystems.com, OU=EM, O=dbadeeds, L=dallas, ST=TX, C=US" -keysize "2048" -pwd ask_admin
$PKI wallet export -wallet /u01/app/oracle/agwallets -dn "CN=dbadeeds.co.dbasystems.com, OU=EM, O=dbadeeds, L=dallas, ST=TX, C=US" -pwd ask_admin -request /u01/app/oracle/agwallets/dbadeeds.txt
- Get the root and intermediate CA certificates from the Windows admin and submit the CSR file (dbadeeds.txt above), asking for a Base64-encoded user (server) certificate.
- Download the issued certificate, rename it to server_name.cer (dbadeeds.cer here) and move it to the working directory.
dbadeeds:/u01/app/oracle/agwallets
- Install the certificates: the trusted chain first (root, then intermediate), then the server certificate, which must match the DN of the key generated above.
$PKI wallet add -wallet /u01/app/oracle/agwallets -trusted_cert -cert /u01/app/oracle/agwallets/"root.cer" -pwd ask_admin
$PKI wallet add -wallet /u01/app/oracle/agwallets -trusted_cert -cert /u01/app/oracle/agwallets/"inter.cer" -pwd ask_admin
$PKI wallet add -wallet /u01/app/oracle/agwallets -user_cert -cert /u01/app/oracle/agwallets/dbadeeds.cer -pwd ask_admin
$PKI wallet display -wallet /u01/app/oracle/agwallets
You should see all three certificates in place: root and intermediate under the trusted certificates, dbadeeds.cer under the user certificates.
- Set the agent environment from oratab, then check and stop the agent:
. oraenv
agent13c          (answer to the ORACLE_SID prompt)
emctl status agent
emctl stop agent
- Set strong cipher suites and a TLS 1.2 floor on the agent:
emctl setproperty agent -name SSLCipherSuites -value TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
emctl setproperty agent -name minimumTLSVersion -value TLSv1.2
Note that the two TLS_RSA_* suites use static RSA key exchange and give no forward secrecy; they are only worth keeping for clients that cannot do ECDHE. The verification at the end shows ECDHE-RSA-AES256-SHA being negotiated, so the agent's JDK handles ECDHE and the list can be trimmed to the TLS_ECDHE_RSA_* suites.
- Oracle requires the JCE unlimited strength policy jars for strong ciphers (AES-256) with third-party certificates.
Download the Unlimited Strength Jurisdiction Policy Files for JDK 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html, unzip, and copy local_policy.jar and US_export_policy.jar into $AGH/oracle_common/jdk/jre/lib/security after backing up the existing files:
total 16
-rw-rw-r--. 1 oracle oinstall 2487 Jan 17 16:02 US_export_policy.jar
-rw-r--r--. 1 oracle oinstall 7289 Jan 17 16:02 README.txt
-rw-rw-r--. 1 oracle oinstall 2500 Jan 17 16:02 local_policy.jar
Copy the above files to the local machine, then move the two jar files to /u01/app/oracle/oem13c/agent_13.2.0.0.0/oracle_common/jdk/jre/lib/security/. Next, install the auto-login wallet (cwallet.sso) into the agent instance and restrict its permissions:
dbadeeds:/u01/app/oracle/agwallets>
oracle:agent13c $ cp -p cwallet.sso /u01/app/oracle/oem13c/agent_inst/sysman/config/server/
dbadeeds:/u01/app/oracle/agwallets>
oracle:agent13c $ cd /u01/app/oracle/oem13c/agent_inst/sysman/config/server/
dbadeeds:/u01/app/oracle/oem13c/agent_inst/sysman/config/server>
oracle:agent13c $ chmod 640 cwallet.sso
emctl clearstate agent; emctl start agent; emctl status agent; emctl pingOMS; emctl upload agent
---------------------------------------------------------------
Agent is Running and Ready
Oracle Enterprise Manager Cloud Control 13c Release 2
---------------------------------------------------------------
EMD pingOMS completed successfully
Oracle Enterprise Manager Cloud Control 13c Release 2
---------------------------------------------------------------
EMD upload completed successfully
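The wallet build, certificate import and agent hardening steps above, collected into one script with a check between the steps. This is an added example, not code from the original post or from Oracle: the paths are the page's, the wallet password is taken from a PKI_PWD environment variable instead of the page's -pwd placeholder, the function names are hypothetical, and the cipher list deviates from the page by keeping only the TLS_ECDHE_RSA_* suites (the page's own verification shows the agent negotiating ECDHE). The `orapki wallet display` sample used by the check is constructed.

```shell
#!/bin/sh
# Added example (not from the page): wallet + CSR, certificate import with a
# completeness check, then agent hardening. Assumes the page's paths and that
# PKI_PWD holds the wallet password. Function names are hypothetical.
set -u

AGH=${AGH:-/u01/app/oracle/oem13c/agent_13.2.0.0.0}
AGENT_INST=${AGENT_INST:-/u01/app/oracle/oem13c/agent_inst}
WALLET=${WALLET:-/u01/app/oracle/agwallets}
PKI=${PKI:-$AGH/oracle_common/bin/orapki}
HOST=${HOST:-dbadeeds.co.dbasystems.com}

# build_dn HOST -> subject DN; the same DN is used for the key and the cert import
build_dn() {
  echo "CN=$1, OU=EM, O=dbadeeds, L=dallas, ST=TX, C=US"
}

# wallet_display_ok FILE -> exit 0 when saved `orapki wallet display` output lists
# exactly one user certificate and at least two trusted ones (root + intermediate).
# Counts 'Subject:' lines under each heading.
wallet_display_ok() {
  set -- $(awk '/^User Certificates:/{s=1; next}
                /^Trusted Certificates:/{s=2; next}
                /^Subject:/{c[s]++}
                END{print c[1]+0, c[2]+0}' "$1")
  [ "$1" -eq 1 ] && [ "$2" -ge 2 ]
}

# make_csr: auto-login wallet, 2048-bit RSA key, CSR to hand to the CA admin
make_csr() {
  dn=$(build_dn "$HOST")
  mkdir -p "$WALLET"
  "$PKI" wallet create -wallet "$WALLET" -auto_login -pwd "$PKI_PWD"
  "$PKI" wallet add -wallet "$WALLET" -dn "$dn" -keysize 2048 -pwd "$PKI_PWD"
  "$PKI" wallet export -wallet "$WALLET" -dn "$dn" -pwd "$PKI_PWD" \
      -request "$WALLET/$HOST.txt"
}

# import_certs: trusted chain first (root, then intermediate), then the user cert,
# then refuse to continue if the wallet does not show all three
import_certs() {
  "$PKI" wallet add -wallet "$WALLET" -trusted_cert -cert "$WALLET/root.cer" -pwd "$PKI_PWD"
  "$PKI" wallet add -wallet "$WALLET" -trusted_cert -cert "$WALLET/inter.cer" -pwd "$PKI_PWD"
  "$PKI" wallet add -wallet "$WALLET" -user_cert -cert "$WALLET/$HOST.cer" -pwd "$PKI_PWD"
  "$PKI" wallet display -wallet "$WALLET" > "$WALLET/display.txt"
  wallet_display_ok "$WALLET/display.txt" || { echo "wallet is missing certificates"; return 1; }
}

# harden_agent: ECDHE-only suites (forward secrecy), TLS 1.2 floor, install the
# auto-login wallet with restricted permissions, restart and re-register
harden_agent() {
  emctl stop agent
  emctl setproperty agent -name SSLCipherSuites \
    -value TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  emctl setproperty agent -name minimumTLSVersion -value TLSv1.2
  cp -p "$WALLET/cwallet.sso" "$AGENT_INST/sysman/config/server/cwallet.sso"
  chmod 640 "$AGENT_INST/sysman/config/server/cwallet.sso"
  emctl clearstate agent && emctl start agent && emctl pingOMS && emctl upload agent
}

# sample_display FILE -> constructed `orapki wallet display` output for a full wallet
sample_display() {
  cat > "$1" <<'EOF'
Requested Certificates:
User Certificates:
Subject:        CN=dbadeeds.co.dbasystems.com,OU=EM,O=dbadeeds,L=dallas,ST=TX,C=US
Trusted Certificates:
Subject:        CN=dbadeeds Root CA,O=dbadeeds,C=US
Subject:        CN=dbadeeds Issuing CA,O=dbadeeds,C=US
EOF
}

case "${1:-}" in
  csr)    : "${PKI_PWD:?set PKI_PWD to the wallet password}"; make_csr ;;
  import) : "${PKI_PWD:?set PKI_PWD to the wallet password}"; import_certs ;;
  harden) harden_agent ;;
  *)      echo "usage: $0 csr | import | harden" ;;
esac
```

Run it as `PKI_PWD=... ./agent_tls.sh csr`, hand the CSR to the CA, drop root.cer, inter.cer and the issued dbadeeds.co.dbasystems.com.cer into the wallet directory, then `import` and `harden`. Passing the password through the environment keeps it out of shell history and `ps` output, which `-pwd` on the command line does not.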
Verification
- Paste the agent URL into IE/Chrome and open the certificate details: you should see your third-party certificate chain.
- You should only be able to connect with TLSv1.2 and a HIGH cipher.
After disabling the weak cipher suites and the older protocol versions, verify with openssl s_client. LOW and MEDIUM must be refused, and only -tls1_2 with a HIGH cipher should connect:
$ openssl s_client -connect <host>:<port> -cipher LOW|MEDIUM|HIGH
$ openssl s_client -connect dbadeeds.co.dbasystems.com:3872 -cipher LOW
CONNECTED(00000003)
18287:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
$ openssl s_client -connect dbadeeds.co.dbasystems.com:3872 -cipher MEDIUM
CONNECTED(00000003)
18287:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
oracle:AGH $ openssl s_client -connect dbadeeds.co.dbasystems.com:3872 -tls1
CONNECTED(00000003)
139797147858848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Verify return code: 0 (ok)
oracle:AGH $ openssl s_client -connect dbadeeds.co.dbasystems.com:3872 -tls1_1
CONNECTED(00000003)
139797147858848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Verify return code: 0 (ok)
oracle:AGH $ openssl s_client -connect dbadeeds.co.dbasystems.com:3872 -tls1_2
CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=TX/L=dallas/O=dbadeeds/OU=EM/CN=dbadeeds.co.dbasystems.com
---
Server certificate
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6211 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA
PSK identity hint: None
Start Time: 1517236169
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
^C
Return code 19 only means this openssl client does not trust the root it was shown; rerun with -CAfile /u01/app/oracle/agwallets/root.cer and the return code should be 0 (ok). The -tls1 and -tls1_1 runs above fail before any certificate is sent (0 bytes read), which is the expected effect of minimumTLSVersion.
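A small checker for the openssl s_client runs above, added here as an example and not part of the original post. It reads a saved s_client transcript and accepts the session only if the agent negotiated TLSv1.2 or later, used a forward-secrecy (ECDHE/DHE) suite and the chain verified, so that a return code 19 or a leftover TLS_RSA suite is flagged rather than overlooked. The function names are hypothetical; the first two sample transcripts are trimmed from the output on this page, the third is constructed to show a passing run.

```shell
#!/bin/sh
# Added example, not from the page: classify saved `openssl s_client` output
# against the policy enforced on the agent port (TLS 1.2 floor, forward secrecy,
# verified chain). Samples are constructed; the third is a made-up "good" run.

# tls_verdict FILE -> prints a one-line verdict; exit status 0 only when compliant
tls_verdict() {
  tv_file=$1
  tv_proto=$(sed -n 's/^ *Protocol *: *//p' "$tv_file" | head -n 1)
  tv_cipher=$(sed -n 's/^ *Cipher *: *//p' "$tv_file" | head -n 1)
  tv_code=$(sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' "$tv_file" | head -n 1)

  # A refused protocol or cipher shows up as a handshake alert and Cipher 0000.
  if grep -q 'handshake failure' "$tv_file" || [ -z "$tv_cipher" ] || [ "$tv_cipher" = 0000 ]; then
    echo "REJECTED: server refused the handshake (expected for -tls1, -tls1_1, -cipher LOW/MEDIUM)"
    return 1
  fi
  case "$tv_proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "FAIL: negotiated $tv_proto, below the TLSv1.2 floor"; return 2 ;;
  esac
  case "$tv_cipher" in
    ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*) ;;
    *) echo "FAIL: $tv_cipher is a static-RSA suite, no forward secrecy"; return 3 ;;
  esac
  if [ "$tv_code" != 0 ]; then
    echo "FAIL: chain did not verify (return code $tv_code); rerun s_client with -CAfile root.cer"
    return 4
  fi
  echo "OK: $tv_proto $tv_cipher, chain verified"
}

# write_samples DIR -> writes three constructed s_client transcripts into DIR
write_samples() {
  cat > "$1/tls11.txt" <<'EOF'
CONNECTED(00000003)
139797147858848:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Verify return code: 0 (ok)
EOF
  cat > "$1/tls12_untrusted.txt" <<'EOF'
CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
  cat > "$1/tls12_good.txt" <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
EOF
}

# Live use: capture one s_client run, then classify it.
#   openssl s_client -connect dbadeeds.co.dbasystems.com:3872 -tls1_2 \
#     -CAfile /u01/app/oracle/agwallets/root.cer </dev/null > run.txt 2>&1
#   tls_verdict run.txt
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  write_samples "$d"
  for f in "$d"/*.txt; do printf '%s: ' "$(basename "$f")"; tls_verdict "$f" || true; done
fi
```

Run with `demo` to see the three verdicts on the embedded samples. The page's own -tls1_2 run would be reported as FAIL with return code 4 until -CAfile is supplied, which is the point: "it connected" is not the same as "it connected and the chain checked out".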