4.8 Adding a Trusted CA Certificate and Keystore for SSL Encryption

By default, Oracle VM Manager provides its own SSL certificate, stored in a custom keystore. That certificate is not signed by a recognized Certificate Authority (CA), so browsers and other clients cannot validate it against their trust stores and must be told to accept it explicitly. It still encrypts all HTTP traffic to the manager (HTTPS), but you should obtain and install a certificate issued by a well-known, recognized CA.

A default installation of Oracle VM Manager does not use the default keystore and certificate provided by Oracle WebLogic Server. Instead, it uses its own keystore, holding a 2048-bit key pair, at /u01/app/oracle/ovm-manager-3/weblogic/ovmm_wls.jks. The directory /u01/app/oracle/ovm-manager-3/weblogic/ also contains the scripts used to set up the keystore during installation, as well as the certificates required by Oracle VM Manager.

Oracle VM Manager runs on Oracle WebLogic Server, and the WebLogic Server Administration Console provides the interface for updating the digital certificate and keystore. To add your own trusted CA certificate and keystore, follow the procedures set out in the Oracle WebLogic documentation:

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e13952/taskhelp/security/ConfigureKeystoresAndSSL.html and http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm

The WebLogic procedure refers to two path variables that you need to know when installing the certificate. In an Oracle VM Manager installation they resolve to:

$JAVA_HOME\jre\lib\security   /u01/app/oracle/java/jre/lib/security
$WL_HOME\server\lib           /u01/app/oracle/Middleware/wlserver_10.3/server/lib

The first directory holds the JDK's cacerts truststore; the second holds WebLogic's demo identity and trust keystores (DemoIdentity.jks and DemoTrust.jks), which Oracle VM Manager does not use.

To access the Oracle WebLogic Server Administration Console, enter the following URL in a browser, replacing hostname with the host name of the Oracle VM Manager host:

https://hostname:7002/console

Log in with the user weblogic and the password you set during the Oracle VM Manager installation.
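The WebLogic procedure above leaves the keystore work to you. As an added example (not Oracle's script and not part of the original page), the following POSIX shell script builds a replacement identity keystore and a matching truststore with the JDK's keytool, produces a CSR, installs the CA-signed certificate and its issuer, and checks the result. The alias ovmm, the passwords, the host name ovmm.example.com and the file names are placeholders assumed for the example; ovmm_wls.jks and port 7002 are the path and port given on this page. The CA is a throwaway one generated locally (make_ca and ca_sign) so the whole flow can be exercised offline; with a real CA you send server.csr to the CA and use the certificate it returns in place of server.pem.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling: build a replacement identity
# keystore and truststore for Oracle VM Manager with keytool and check the
# result. Assumed placeholders: alias "ovmm", the passwords, the host name
# and the file names. The CA is a throwaway one generated locally (make_ca /
# ca_sign) so the flow can run offline; with a real CA, send server.csr to
# the CA and use the certificate it returns in place of server.pem.
set -eu

KEYTOOL=${KEYTOOL:-keytool}   # JDK keytool; under /u01/app/oracle/java/bin on the manager
OVMM_KS=/u01/app/oracle/ovm-manager-3/weblogic/ovmm_wls.jks   # keystore shipped with OVMM

# 1. New JKS keystore holding a 2048-bit RSA key pair for the manager host.
#    $1 keystore  $2 store/key password  $3 manager FQDN (becomes the CN)
make_identity_keystore() {
    "$KEYTOOL" -genkeypair -alias ovmm -keyalg RSA -keysize 2048 -validity 730 \
        -dname "CN=$3, OU=Oracle VM, O=Example Corp, C=US" \
        -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
}

# 2. Certificate signing request to hand to the CA.  $1 keystore  $2 password  $3 CSR file
make_csr() {
    "$KEYTOOL" -certreq -alias ovmm -keystore "$1" -storepass "$2" -file "$3"
}

# Throwaway CA for offline testing only: CA key pair plus its PEM certificate.
#    $1 CA keystore  $2 password  $3 CA certificate (PEM) to write
make_ca() {
    "$KEYTOOL" -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Example Test CA, O=Example Corp, C=US" -ext bc:c \
        -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
    "$KEYTOOL" -exportcert -rfc -alias ca -keystore "$1" -storepass "$2" -file "$3"
}

# Sign the CSR with the test CA, adding a SAN so clients can match the host name.
#    $1 CA keystore  $2 password  $3 CSR  $4 signed certificate (PEM) to write  $5 FQDN
ca_sign() {
    "$KEYTOOL" -gencert -alias ca -keystore "$1" -storepass "$2" -infile "$3" \
        -outfile "$4" -rfc -validity 730 -ext "SAN=dns:$5" -ext eku=serverAuth
}

# 3. Install the chain: the CA certificate first (so keytool can verify the
#    reply), then the signed certificate under the key pair's alias.
#    $1 keystore  $2 password  $3 CA PEM  $4 signed certificate PEM
install_chain() {
    "$KEYTOOL" -importcert -noprompt -alias ca   -file "$3" -keystore "$1" -storepass "$2"
    "$KEYTOOL" -importcert -noprompt -alias ovmm -file "$4" -keystore "$1" -storepass "$2"
}

# 4. Separate truststore holding only the CA, for WebLogic's custom trust keystore.
#    $1 truststore  $2 password  $3 CA PEM
make_truststore() {
    "$KEYTOOL" -importcert -noprompt -alias ca -file "$3" \
        -keystore "$1" -storetype JKS -storepass "$2"
}

# Chain length keytool reports for alias ovmm: 1 means the CA reply was never
# imported (still the self-issued certificate), 2 means leaf + CA as expected.
chain_length() {   # $1 keystore  $2 password
    "$KEYTOOL" -list -v -alias ovmm -keystore "$1" -storepass "$2" |
        sed -n 's/^Certificate chain length: //p'
}

# After switching WebLogic to the new keystores and restarting the manager,
# confirm what port 7002 actually serves and that it verifies against the CA.
check_served_cert() {   # $1 manager FQDN  $2 CA PEM
    openssl s_client -connect "$1:7002" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null |
        grep -E 'Verify return code|subject=|issuer='
}

# Driver: sh ovmm-keystore.sh ovmm.example.com  (writes into the current directory).
if [ -n "${1:-}" ]; then
    HOST=$1
    if [ -f "$OVMM_KS" ]; then cp -p "$OVMM_KS" ovmm_wls.jks.bak; fi   # keep the shipped keystore
    make_ca ca.jks capass ca.pem
    make_identity_keystore ovmm_new.jks changeit "$HOST"
    make_csr ovmm_new.jks changeit server.csr
    ca_sign ca.jks capass server.csr server.pem "$HOST"
    install_chain ovmm_new.jks changeit ca.pem server.pem
    make_truststore trust.jks changeit ca.pem
    echo "chain length: $(chain_length ovmm_new.jks changeit)"
    # Next: in the console, point the server's identity keystore at ovmm_new.jks
    # (alias ovmm) and its trust keystore at trust.jks, restart Oracle VM Manager,
    # then run: check_served_cert "$HOST" ca.pem
fi
```

The script deliberately writes a new keystore next to the shipped one rather than editing ovmm_wls.jks in place, so the revert script described below still has an untouched keystore to restore. Import the CA certificate before the signed reply: keytool refuses a reply whose issuer it cannot find in the keystore, and a chain length of 1 after the import is the usual sign that this step was skipped.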

If you need to revert to the default keystore and certificates that ship with a fresh installation of Oracle VM Manager, run the script /u01/app/oracle/ovm-manager-3/weblogic/configureIdentityTrust.sh. You are prompted for the WebLogic Server password that you configured during installation, and, as the last line of the output states, Oracle VM Manager must be restarted for the change to take effect:

# /u01/app/oracle/ovm-manager-3/weblogic/configureIdentityTrust.sh 
Configuring OVM Manager Identity and Trust Keystore ...


Please enter the password for weblogic : 
Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_adf_domain'.

Warning: An insecure protocol was used to connect to the 
server. To ensure on-the-wire security, the SSL port or 
Admin port should be used instead.

Location changed to edit tree. This is a writable tree with 
DomainMBean as the root. To make changes you will need to start 
an edit session via startEdit(). 

For more help, use help(edit)

Starting an edit session ...
Started edit session, please be sure to save and activate your 
changes once you are done.
Saving all your changes ...
Saved all your changes successfully.
Saving all your changes ...
Saved all your changes successfully.
Activating all your changes, this may take a while ... 
The edit lock associated with this edit session is released 
once the activation is completed.

The following non-dynamic attribute(s) have been changed on MBeans 
that require server re-start:
MBean Changed : com.bea:Name=t3,Type=NetworkAccessPoint,Server=AdminServer
Attributes changed : CustomPrivateKeyPassPhraseEncrypted

Activation completed
Disconnected from weblogic server: AdminServer
Configuring OVM Manager Identity and Trust Keystore succeeded, it needs to restart OVM Manager 
  to take effect.

Note

Because this script is used to configure SSL on the WebLogic Server in the first place during installation, before SSL is available, it connects to WebLogic over the unencrypted t3 protocol on port 7001 (the Connecting to t3://localhost:7001 line in the output above). That is what triggers the insecure-protocol warning, and you can ignore it. Since the connection goes to localhost, the weblogic password stays on the loopback interface; still, run the script only on the Oracle VM Manager host itself.