OracleVM 3.x Manager server uses self signed certificates by default. OracleVM Manager certificate can be changed to use custom server certificates but unfortunately every time OVM Manager is upgraded, the server certificates are reset back to self signed certificates.
The latest OVM Manager versions use certificates to connect between OVM client and the server. This means that in order to get OVM Manager working properly also the ovmclient certificate keystore needs to be updated to include the needed root CAs. The problem with updating the ovmclient keystore is that the password for the keystore is generated and stored in the JPS keystore.
Use abbreviations in this blog:
- CA = Certificate Authority
- CSR = Certificate signing request
In this article I’ve used imagenary company ACME (A company that makes everything).
Working directory for the certificates is:
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security
Please execute all these steps as “oracle” user, with the exception of restarting the OVM Manager.
Step 0: Backup
Before your start doing anything, you should back up all needed files. Start with backing up the domain security directory and it’s contents:
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security
Secondly back up domain config directory and it’s contents:
/u01/app/oracle/ovm-manager-3/domains/ovm_domain/config
Step 1: Create new OVM Manager identity keystore
For example:
/u01/app/oracle/java/bin/keytool -keystore vmm3.jks -genkey -alias vmm3 -dname "EMAILADDRESS=admin@acme.com, CN=vmm3.acme.com, OU=ACME Ltd, O=IT, L=Espoo, ST=Uusimaa, C=FI" -keyalg rsa -keysize 2048
You don’t need to change the trust keystore.
Step2: Create certificate request
/u01/app/oracle/java/bin/keytool -keystore vmm3.jks -certreq -alias vmm3 -keyalg rsa -keysize 2048 -file vmm3.csr
Step 3: Use your chosen CA to sign the CSR
Send the contents of vmm3.csr to your CA and generate the service certificate.
Step 4: Import your CA
If you are using custom CA or public CA you need to import the CA public certificate into your keystore. In my example cacert.crt file is the public certificate for ACME CA.
/u01/app/oracle/java/bin/keytool -import -keystore vmm3.jks -file cacert.crt -alias ACMECA
Step 5: Import OVM CA
In my installation I also imported the OVM CA that was generated by default for the installation. This step might not be needed since the OVM CA is already included in the trust jks. But anyways, importing this CA would not make any harm either.
/u01/app/oracle/java/bin/keytool -keystore vmm3.jks -import -file ovmca.pem -trustcacerts -alias ovmca
Step 6: Import your server certificate
After your CA has generated the server certificate, save it to e.g. vmm3.crt file and import it to the new keystore:
/u01/app/oracle/java/bin/keytool -import -keystore vmm3.jks -file vmm3.crt -alias vmm3
Step 7: Update WebLogic managed server keystore and SSL
At this point change the default ovmssl.jks to vmm3.jks and change the password to reflect the pwd you used when creating the vmm3.jks keystore.
When you restart the OVM Manager server you can see that https should now be working but you are still not able to connect to OVM Manager application. Instead you might see following error messages in the AdminServer.log file:
Caused By: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at com.oracle.ovm.appfw.ws.client.SSLContextFactory$X509ExtendedTrustManagerWrapper.checkServerTrusted(SSLContextFactory.java:307)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
Step8: Update ovmclient.jks to include the used CA
ovmclient.jks is self generated keystore that also needs to have the CA certificate that OVM Manager server is using. In my example case the ACME CE certificate needs to be imported into this JKS keystore. The problem is that we need to dig out the keystore password first. This can be done using little piece of Jython code.
Create file e.g. called getpwd.py:
import sys
from oracle.security.jps.mas.mgmt.jmx.credstore import PortableCredential
connect('weblogic','password,'t3://localhost:7001')
domainRuntime()
on = ObjectName("com.oracle.jps:type=JpsCredentialStore")
sign = ["java.lang.String","java.lang.String"]
params = ["ovm_console","client.keystore"]
pwd = mbs.invoke(on, "getPortableCredential", params, sign)
credObject = PortableCredential.from(pwd)
print "PASSWORD:" + String.valueOf(credObject.getPassword())
Execute the script using wlst.sh
cd /u01/app/oracle/Middleware/oracle_common/common/bin
./wlst.sh getpwd.py
You should now have the password for the ovmclient.jks and ready for the final step.
Step 9: Import your CA into ovmclient.jks
/u01/app/oracle/java/bin/keytool -keystore ovmclient.jks -import -trustcacerts -file cacert.crt -alias ACMECA
Step 10: Restart the OVM server
As root:
service ovmm stop
service ovmm start
After these steps you should have your OVM Manager up and running using your chosen server certificate and your chosen CA.
1 comment:
hello,
there is ' missing after the "password" at line 3
however, there is an error "User: weblogic, failed to be authenticated." then
Post a Comment