1.2.3 Setting up SSL on Oracle VM Manager

By default, Oracle VM Manager provides its own SSL certificates stored within a custom keystore. The certificates that are provided are signed using an internal Certificate Authority (CA). As of version 3.3.1 of Oracle VM, SSL certificates are used extensively throughout the product:

  • For the authentication of Oracle VM Manager to each Oracle VM Server that it has discovered and for the encryption of communications between Oracle VM Manager and the Oracle VM Agent running on each Oracle VM Server.

  • For the authentication and encryption of some tools that make use of the Oracle VM Manager web-services API.

  • For the encryption of communications between a web-browser and the Oracle VM Manager web-based user interface.

Certificates are generated automatically during the installation of Oracle VM Manager. To avoid SSL validation issues in client web-browsers, you can obtain the internal CA certificate used by Oracle VM Manager and install it into each web-browser that is used to access the Oracle VM Manager web user interface. This is discussed in Exporting the CA certificate. Alternatively, if you have obtained an SSL certificate signed by an external CA that is already trusted by your users' web-browsers, you can change the SSL certificate that is used for the encryption of communications between the web-browser and the Oracle VM Manager web-based user interface. This is discussed in more detail in Changing the SSL Key. Finally, if you need to generate a new SSL key that is signed by the internal CA, you can follow the instructions provided in Generating a New SSL Key.

Warning

Once you have started configuring your environment using Oracle VM Manager, you must avoid changing the CA certificate under any circumstances. This certificate is used for a variety of purposes, such as the authentication of Oracle VM Manager to each Oracle VM Server instance. Changing the CA certificate breaks all previously configured certificate-based authentication and can result in an unusable environment.
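
The trust relationship behind installing the internal CA certificate in a web-browser, and behind the warning above, shown as an added example (not Oracle's tooling and not part of the original documentation): a certificate verifies only against the CA key that signed it, so a regenerated CA rejects every certificate issued before the change. The CA and server certificates, the host name and the function names are constructed for the demonstration, and the `openssl` command is assumed to be installed.

```shell
#!/bin/sh
# Added example. Every certificate, name and path below is constructed.

# chains_to_ca CA_PEM CERT_PEM: succeed only if CERT_PEM verifies against
# CA_PEM alone. The empty -CApath directory keeps the system trust store
# out of the decision; output is matched because very old openssl builds
# exit 0 even when verification fails.
chains_to_ca() {
    empty_dir=$(mktemp -d) || return 2
    openssl verify -CAfile "$1" -CApath "$empty_dir" "$2" 2>/dev/null |
        grep -q ': OK$'
    rc=$?
    rmdir "$empty_dir"
    return "$rc"
}

# make_ca DIR NAME CN: self-signed CA written to DIR/NAME.pem and DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_leaf DIR CA_NAME LEAF_NAME CN: server certificate signed by CA_NAME
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca "Constructed Internal CA"
    issue_leaf "$d" ca server "ovmm.example.test"
    # A regenerated CA: same subject name, but a different key pair.
    make_ca "$d" newca "Constructed Internal CA"
    for ca in ca newca; do
        if chains_to_ca "$d/$ca.pem" "$d/server.pem"; then
            echo "server.pem against $ca.pem: trusted"
        else
            echo "server.pem against $ca.pem: REJECTED"
        fi
    done
    rm -rf "$d"
}
demo
```

The second result is a rejection even though both CAs carry the same subject name: trust follows the signing key, which is why a client holding the original CA certificate and a server holding a certificate from a replaced CA can no longer authenticate each other.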

Oracle VM Manager does not use the default keystore and certification provided by Oracle WebLogic Server. Instead, it makes use of its own 2048-bit keystores. These are located at:

  • /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks

  • /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks

The passwords for these keystores are randomized at installation. If you need to update a keystore, such as the CA keystore, to add mutually trusted CAs to the keystore, you may need to change the keystore password using the Oracle VM Key Tool. Changing the keystore password is described in Changing the Keystore Password.