Skip to main content

Oracle VM Manager SSL Certificates ReGeneration with ovmkeytool.sh

Oracle VM Manager SSL Certificates ReGeneration with ovmkeytool.sh


Changing Oracle VM Manager certificates involves updating the SSL certificates used by the Oracle WebLogic Server that Oracle VM Manager runs on. It might be required when the certificates are expired as well.

1) Confirm if the below folder exists locally (/u01) on the Active Management Node.

# ll /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security
# ll /u01/app/oracle/ovm-manager-3/domains/ovm_domain/config


2) Regenerate the certificates using the below command from root user

# export MW_HOME=/u01/app/oracle/Middleware
# /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setup

Please make sure that you answer the setup questions as belowIit should always be pointing to the local storage(/u01) as per below:

# /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setup
Dec 17, 2023 10:07:15 AM oracle.security.jps.JpsStartup start
INFO: Jps initializing.
Dec 17, 2023 10:07:17 AM oracle.security.jps.JpsStartup start
INFO: Jps started.
Oracle VM Manager is currently configured to use CA keystore at:
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
Do you wish to generate a new key and/or specify a different keystore? [yes]
Generate new CA keystore (as opposed to specifying an existing keystore)? [yes]
Path for CA keystore:
[/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks]
A file already exists at the path
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
Is it ok to overwrite this file with your new keystore? [no] yes
Oracle VM Manager is currently configured to use the SSL Trust-store at:
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
Do you wish to use this existing trust-store location? [yes]
Key distinguished name is "CN=OVM CA 0004fb0000010000536123bfa5c8aceb, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US". Use these values? [yes]
You may either specify passwords or use random passwords.
If you choose to use a random password, only WebLogic, the Oracle VM Manager, and this application will have access to the information stored in this keystore.
Use random passwords? [yes]
Generating CA key and certificate and persisting them to the keystore...

Oracle VM Manager is currently configured to use SSL keystore at:
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks <== Note that this path could be pointing to /nfs but can be ignored
Do you wish to generate a new key and/or specify a different keystore? [yes]
Generate new SSL keystore (as opposed to specifying an existing keystore)? [yes]
Path for SSL keystore:
[/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks]
A file already exists at the path
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
Is it ok to overwrite this file with your new keystore? [no] yes
The hostname should be the fully qualified hostname of the system (this is the hostname you'd use to access this system from outside the local domain).
Depending on your machine setup the value below may not be correct.
Fully qualified hostname: [ovcamn05r1] myhostname
Key distinguished name is "CN=myhostname, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US". Use these values? [yes]
Alternate hostnames (separated by commas): [myhostname]
Generating SSL key and certificate and persisting them to the keystore...

Updating keystore information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]

WebLogic server name: [AdminServer]
WebLogic username: [weblogic]
WebLogic password: [********]
WLST session logged at: /tmp/wlst-session5459692698762652173.log

3) Once the above is done there should be a fresh set of three .jks files generated under the below path, verify the same (ovmssl.jks, ovmtrust.jks, ovmca.jks) with recent timestamp:

# cd /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/
# ll
4) Restart ovmm service

# service ovmm stop
# service ovmm start
5) Next the client side certificates should be regenerated, use the below command to do the same:

# /u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh
6) Certificate regeneration is now complete.

7) Restart ovmm service once again and verify if you are able to login to the Manager

# service ovmm stop
# service ovmm start
 


If you like please follow and comment
Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

How to Validate TDE Wallet Password in Oracle Database

How to Validate TDE Wallet Password in Oracle Database Validating the Transparent Data Encryption (TDE) wallet password is crucial, especially when ensuring that the password is correct without using the OPEN or CLOSE commands in the database. This blog post explains a straightforward method to validate the TDE password using the mkstore utility. Steps to Validate TDE Wallet Password Follow these steps to validate the TDE wallet password: Step 1: Copy the Keystore/Wallet File Navigate to your existing TDE wallet directory. Copy only the ewallet.p12 file to a new directory. If a cwallet.sso file exists, do not copy it . The absence of cwallet.sso ensures that the wallet does not use auto-login, forcing the utility to prompt for the password. Step 2: Validate Using mkstore Use the mkstore utility to check the contents of the wallet file. The mkstore utility will prompt you for the TDE wallet password, allowing you to validate its correctness. Command Syntax To display the conten...
Post a Comment
Read more

Rename a PDB in Oracle Database Multitenant Architecture in TDE and Non TDE Environment

Rename a PDB in Oracle Database Multitenant Architecture I am sharing a step-by-step guide to help you rename a PDB. This approach uses SQL commands. Without TDE or encryption Wallet Initial Check Check the Current Database Name and Open Mode: SQL > SELECT NAME, OPEN_MODE FROM V$DATABASE; NAME OPEN_MODE --------- -------------------- BEECDB READ WRITE List Current PDBs: SQL > SHOW PDBS; CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 FUAT READ WRITE NO We need to RENAME FUAT to BEE  Steps to Rename the PDB Step 1: Export ORACLE_SID Set the Oracle SID to the Container Database (CDB): export ORACLE_SID=BEECDB Step 2: Verify Target PDB Name Availability If the target PDB name is different from the current PDB name, ensure no service exists with the target PDB name. Run SQL to Check Exi...
Post a Comment
Read more