from:http://docs.oracle.com/html/e24089_42/ha_setup.htm#sthref833
If the SLB is configured with third-party/custom SSL certificates, you must ensure that the CA certificates are properly configured in order for the trust relationship to be maintained between the Agent, SLB, and the OMS. Specifically, the following must be carried out:
Enterprise Manager uses the default Enterprise Manager certificates and not the custom certificates. In order for Agents to upload information successfully to the OMS through the SLB, these custom trusted certificates need to be copied/imported to the trust store of the OMS and Agents. The following procedures illustrate the process used to secure the 12c OMS and Agent when an SLB is configured with third-party/custom SSL certificates.
Verifying the SSL Certificate Used at the SLB
Perform the following steps to determine whether the SLB is using different certificates than the OMS:
To check the certificate chain used by any URL, run the following command:
<OMS_HOME>/bin>./emctl secdiag openurl -url
To check the certificates used by the SLB URL, run the following command:
<OMS_HOME>/bin>./emctl secdiag openurl -url https://<SLB Hostname>:
To check the certificates used by the OMS URL, run the following command:
<OMS_HOME>/bin>./emctl secdiag openurl -url https://<OMS Hostname>:
If the default Enterprise Manager self-signed certificates are used in the SLB, the output of both commands would appear as follows:
Issuer: CN=<OMS Hostname>, C=US, ST=CA, L=EnterpriseManager on <OMS Hostname>, OU=EnterpriseManager on <OMS Hostname>, O=EnterpriseManager on <OMS Hostname>
If a custom or self-signed SSL certificate is used in the SLB, then the output of the command executed with the SLB name would provide the details shown here:
Issuer: CN=Entrust Certification Authority - L1C, OU="(c) Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
In this example, the SLB is using the custom certificate (CN=Entrust Certification Authority - L1C, OU="(c) Entrust, Inc."), which needs to be imported as a trusted certificate into the OMS.
If OpenSSL is available on the OS, you can also check the value of CN by running the following command:
$ openssl s_client -connect <HOSTNAME>:<PORT>
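The issuer comparison described above can be scripted once the output of both commands has been captured. The following is an added example, not part of the Oracle documentation: the function names, the placeholder hostname oms1.example.com and the sample output are constructed, and it assumes the output contains an Issuer line in the form shown above. It splits the DN outside double quotes so that values such as OU="(c) Entrust, Inc." are not cut at the embedded comma.

```python
import re

def parse_issuer(output):
    """Extract the first Issuer line and return its RDNs as (ATTR, value) pairs."""
    m = re.search(r"^\s*issuer\s*[:=]\s*(.+)$", output, re.IGNORECASE | re.MULTILINE)
    if not m:
        raise ValueError("no Issuer line in output")
    # Split on commas that are outside double quotes, e.g. OU="(c) Entrust, Inc."
    parts, buf, quoted = [], "", False
    for ch in m.group(1):
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if sep and re.fullmatch(r"\s*[A-Za-z][A-Za-z0-9.]*\s*", attr):
            rdns.append([attr.strip().upper(), value])
        elif rdns and part.strip():
            # Unquoted comma inside a value: rejoin with the previous RDN.
            rdns[-1][1] += "," + part
    # Normalise whitespace and case so cosmetic differences do not count.
    return tuple((a, " ".join(v.split()).casefold()) for a, v in rdns)

def is_default_em_issuer(rdns):
    """True if O= reads 'EnterpriseManager on <host>', the default issuer form."""
    return any(a == "O" and v.startswith("enterprisemanager on ") for a, v in rdns)

def slb_ca_must_be_imported(slb_output, oms_output):
    """True when the SLB presents a certificate from a different issuer than the OMS."""
    return parse_issuer(slb_output) != parse_issuer(oms_output)

# Constructed sample output; oms1.example.com is a placeholder hostname.
OMS_OUT = ("Issuer : CN=oms1.example.com, C=US, ST=CA, "
           "L=EnterpriseManager on oms1.example.com, "
           "OU=EnterpriseManager on oms1.example.com, "
           "O=EnterpriseManager on oms1.example.com")
SLB_OUT = ('Issuer : CN=Entrust Certification Authority - L1C, '
           'OU="(c) Entrust, Inc.", '
           'OU=www.entrust.net/rpa is incorporated by reference, '
           'O="Entrust, Inc.", C=US')

if __name__ == "__main__":
    print("SLB issuer:", parse_issuer(SLB_OUT))
    print("Import SLB CA into OMS trust store:", slb_ca_must_be_imported(SLB_OUT, OMS_OUT))
```

The comparison is order-sensitive, so both issuer lines should come from the same tool.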
Importing the SSL Certificate of the SLB to the Trust Store of the OMS and Agent
Export the SLB certificate in base64 format to a text file named customca.txt.
Secure the OMS:
cd <OMS_HOME>/bin
./emctl secure oms -host <SLB host name> -secure_port
emctl secure oms command. The CA certificate of the OMS is present in the <EM_INSTANCE_HOME>/em/EMGC_OMS1/sysman/config/b64LocalCertificate.txt file and needs to be copied to the SSL trust store of the SLB.
Restart all the OMS:
cd <OMS_HOME>/bin
emctl stop oms -all
emctl start oms
Secure all the Agents pointing to this Enterprise Manager setup:
cd <AGENT_HOME>/bin
./emctl secure agent -emdWalletSrcUrl <SLB Upload URL>
Configuring SSL on Enterprise Manager and the SLB (Release 12.1.0.2 and later)