Overview

You will follow 7 high-level steps to complete the process of securing your EM13c environment with custom third-party SSL/TLS certificates.

  1. Create an Oracle wallet for the OMS.
  2. Secure the OMS console using the OMS wallet.
  3. Secure the OMS upload port using the OMS wallet.
  4. Re-secure all agents.
  5. Create Oracle wallets for agents.
  6. Configure the agents to use their wallets.
  7. Secure WebLogic with the OMS wallet.
Create the OMS wallet, generate a key pair and export a certificate signing request (the wallet password used throughout is cert_pwd):

/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet create -wallet /u01/app/oracle/product/emwallets -auto_login
/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet add -wallet /u01/app/oracle/product/emwallets -dn "CN=oemslb.com, OU=EM, O=deeds, L=city, ST=state, C=US" -keysize "2048" -pwd cert_pwd
/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet export -wallet /u01/app/oracle/product/emwallets -dn "CN=oemslb.com, OU=EM, O=deeds, L=city, ST=state, C=US" -pwd cert_pwd -request /u01/app/oracle/product/emwallets/newdevSLB13c.txt
/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet display -wallet /u01/app/oracle/product/emwallets -pwd cert_pwd

Send the certificate request file (csr_request.txt) to the security team to have the certificate(s) issued.

Make sure the issued certificates are in Base64 (PEM) format, then concatenate the root certificate and the intermediate certificate into a trusted certificates file:

cat root.cer >> trusted.cer.txt
cat immediate.cer >> trusted.cer.txt
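Because the two cat lines append with `>>`, running them a second time leaves duplicate entries in the trust file, and a DER-encoded .cer (common from Windows CAs) would be concatenated as binary junk. The following helper is an added example, not part of the original post: it builds the trust file from the CA certificates in order, drops repeated blocks, and refuses non-PEM inputs. The output path is an assumed value.

```shell
#!/bin/sh
# build_trust_bundle <out file> <cert file>... : writes the unique PEM blocks of
# the input files to <out file>, in argument order (root first, then intermediate).
# Returns 1 if an input is not Base64/PEM, before anything is written.
build_trust_bundle() {
    out=$1; shift
    tmp="$out.tmp"
    rm -f "$tmp"
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "$f: not Base64/PEM; convert with: openssl x509 -inform der -in $f -out $f.pem" >&2
            rm -f "$tmp"
            return 1
        fi
        cat "$f" >> "$tmp"
    done
    # keep the first copy of each PEM block; later repeats (e.g. from re-running
    # the cat >> lines) are dropped, order of first appearance is preserved
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inblk = 0
            if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
        }' "$tmp" > "$out"
    rm -f "$tmp"
    printf '%s: %s certificate(s)\n' "$out" "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$out")"
}

# Usage with the post's file names (assumed to be in the current directory):
# build_trust_bundle /u01/app/oracle/product/emwallets/trusted_certs.txt root.cer intermediate.cer
```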

Install the certificates into the wallet (the trusted CA certificates first, then the issued user certificate):
/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet add -wallet /u01/app/oracle/product/emwallets -trusted_cert -cert /u01/app/oracle/product/emwallets/root.cer -pwd cert_pwd
/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet add -wallet /u01/app/oracle/product/emwallets -trusted_cert -cert /u01/app/oracle/product/emwallets/immediate.cer -pwd cert_pwd
/u01/app/oracle/product/13.2.0.0/middleware/oracle_common/bin/orapki wallet add -wallet /u01/app/oracle/product/emwallets -user_cert -cert /u01/app/oracle/product/emwallets/devcertnew.cer -pwd cert_pwd

emctl secure console -wallet /u01/app/oracle/product/emwallets

Update the OMS SLB configuration with the third-party trust certificate file:

emctl secure oms -sysman_pwd PWD -host oemslb.com -secure_port 4903 -slb_port 4900 -slb_console_port 443 -slb_jvmd_http_port 7201 -slb_jvmd_https_port 7301 -slb_bip_https_port 5443 -trust_certs_loc /u01/app/oracle/product/emwallets/trust.cer

Secure the OMS and the Agent to Use the Wallet
We will first secure the OMS to use the wallet we just created, then restart the OMS to make sure that everything comes up correctly. As you will see throughout, a restart of OMS is needed after just about every step in this process.

cd $OMS_HOME/bin
emctl secure console -wallet /u01/app/oracle/product/emwallets
emctl stop oms -all
emctl start oms

Next, secure the agent:

cd $AGENT_HOME/bin
./emctl secure agent

Use Trusted_Certs.txt
We will now use the trusted_certs.txt file, which we created earlier, and secure the agents and the OMS using this file. You will also need to run this same process for the agent on any remote agents you have deployed. This will be followed up by a restart of OMS.

cd $AGENT_HOME/bin
./emctl secure add_trust_cert -trust_certs_loc /u01/app/oracle/product/emwallets/trusted_certs.txt

cd $OMS_HOME/bin
./emctl secure oms -wallet /u01/app/oracle/product/emwallets -trust_certs_loc /u01/app/oracle/product/emwallets/trusted_certs.txt

./emctl stop oms -all
./emctl start oms

Check the Agents and Secure the WebLogic Component
Once OMS is back up, I usually test all of the agents by running a status and then an upload command to make sure that all of the pieces are communicating as they should.

cd $AGENT_HOME/bin
./emctl status agent
./emctl upload

Now, we will secure the WebLogic component.

cd $OMS_HOME/bin
./emctl secure wls -wallet /u01/app/oracle/product/emwallets
./emctl stop oms -all
./emctl start oms

Allow OMS Host and WebLogic to Communicate
The last step in this process is to secure the agent that is on the OMS host so that it can communicate with the WebLogic component. We will upload the root certificate and the intermediate certificate to the agent's JKS keystore. It’s a good idea to run an agent upload command after this step to verify.

cd $AGENT_HOME/bin
./emctl stop agent
./emctl secure add_trust_cert_to_jks -trust_certs_loc /u01/app/oracle/product/emwallets/root.cer -alias rootcacert -password welcome
./emctl secure add_trust_cert_to_jks -trust_certs_loc /u01/app/oracle/product/emwallets/intermediate.cer -alias intercacert -password welcome
./emctl start agent
./emctl upload agent

Finally, run a PCI vulnerability scan against the environment, and spot-check each SSL/TLS port with OpenSSL (the -cipher checks are run once with HIGH and once with MEDIUM):

openssl s_client -connect hostname:443
openssl s_client -connect hostname:7102
openssl s_client -prexit -connect hostname:3872 -tls1_2 -cipher HIGH    # repeat with -cipher MEDIUM
openssl s_client -prexit -connect hostname:7803 -tls1_2 -cipher HIGH    # repeat with -cipher MEDIUM
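The s_client output above has to be read by eye for each port. The following added example (not from the original post) runs the same check against every EM port and grades the transcript: the served chain must verify against the trust file, the negotiated protocol must be TLS 1.2 or newer, and the cipher must not be a known-weak one. The host name and trust file path in the usage comment are assumed values.

```shell
#!/bin/sh
# assess_tls_output <text>: grades one `openssl s_client -prexit` transcript.
# Prints PASS with protocol and cipher, or a FAIL reason; returns 1 on failure.
assess_tls_output() {
    out=$1
    case $out in
        *"Verify return code: 0 (ok)"*) ;;
        *) echo "FAIL: certificate chain did not verify against the trust file"; return 1 ;;
    esac
    # "Protocol  : TLSv1.2" and "Cipher    : ..." come from the SSL-Session block
    proto=$(printf '%s\n' "$out" | awk -F': *' '/^ *Protocol *:/ { print $2; exit }')
    case $proto in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: negotiated '$proto', expected TLSv1.2 or newer"; return 1 ;;
    esac
    cipher=$(printf '%s\n' "$out" | awk -F': *' '/^ *Cipher *:/ { print $2; exit }')
    case $cipher in
        ""|0000|*NULL*|*RC4*|*DES*|*EXPORT*|*anon*|*MD5*)
            echo "FAIL: weak or missing cipher '$cipher'"; return 1 ;;
    esac
    echo "PASS: $proto $cipher"
}

# check_port <host> <port> <trust file>: connect the way the post's commands do,
# but verify the served chain against the trust file and grade the result.
check_port() {
    out=$(openssl s_client -prexit -connect "$1:$2" -servername "$1" \
              -tls1_2 -cipher HIGH -CAfile "$3" </dev/null 2>&1)
    printf '%s:%s ' "$1" "$2"
    assess_tls_output "$out"
}

# Usage over the ports the post checks (console/SLB, WebLogic, agent, upload):
# for p in 443 7102 3872 7803; do
#     check_port oemslb.com "$p" /u01/app/oracle/product/emwallets/trusted_certs.txt
# done
```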

Post title: Configure 3rd Party Certificates on Oracle Enterprise Manager [OEM] SLB