1.2.3.1 The Oracle VM Key Tool

Oracle VM Manager also includes its own key management tool to help manage SSL certificates in conjunction with the keytool provided in the Java Development Kit (JDK) that is installed on the Oracle VM Manager host. This tool is located on the Oracle VM Manager host at:

/u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh

Before using this tool, you must set the MW_HOME environment variable to point to the location of the Oracle WebLogic Server Middleware directory for your current installation of Oracle VM Manager:

# export MW_HOME=/u01/app/oracle/Middleware

Important

The Oracle VM Key Tool is intended for use by advanced administrators. Incorrect usage can cause authentication issues that have wide-reaching repercussions. Ensure that you understand what you are doing before you use this tool.

Syntax

ovmkeytool.sh [ --help ] [ --overwrite ] [ --quiet ] [ --verbose ] [ --propertyFile filename ] [ -D property=value ] [ --noWebLogic ] { show | check | setup | setupWebLogic | gencakey | setcakey | gensslkey | setsslkey | changepass | exportca }

Options

The following table shows the available options for this tool.

Option                    Description

--help                    Display the ovmkeytool.sh command parameters and options.

--overwrite               Allow existing keystores to be overwritten when user interaction is disabled (--quiet).

--quiet                   Run with no user interaction, taking all values exclusively from properties.

--verbose                 Output extra information while running.

--propertyFile filename   Read properties for the tool from the specified file.

-D property=value         Set a single property to the given value.

--noWebLogic              Do not attempt to configure Oracle WebLogic Server or verify Oracle WebLogic Server settings.

Commands

The following table shows the available commands for this tool. Only one command can be run at a time.

Command                   Description

show                      Show the current values being used, including details about the current contents of the keystores.

check                     Check the current set-up and output details about any errors that are found.

setup                     Set up all of the keystore files and configure Oracle WebLogic Server.

setupWebLogic             Configure the existing keystore settings in Oracle WebLogic Server.

gencakey                  Generate a new certificate authority (CA) key and put it into the trust-store. Because the CA signs the SSL certificate and is used for certificate-based authentication, replacing it invalidates everything the existing CA has signed; avoid running this command on an instance of Oracle VM Manager that has already been configured.

setcakey                  Set the CA key to an existing key from an existing keystore file. This replaces the CA in the same way as gencakey, so avoid running it on an instance of Oracle VM Manager that has already been configured.

gensslkey                 Generate a new SSL key and certificate, signed by the internal CA.

setsslkey                 Set the SSL key to an existing key from an existing keystore file.

changepass                Configure or change the passwords for existing keystore files and keys.

exportca                  Export the CA certificate (in PEM format).

Note

Many of the commands provided with this tool prompt for the Oracle WebLogic Server username and password. The default weblogic user should be used, and the password must match the one-time password that is set during Oracle VM Manager installation.

Checking Certificate Validity

At any time, the show and check commands can be used to output details about the Oracle VM Manager and Oracle WebLogic Server SSL configuration and to verify that the configuration appears valid. The check is by no means exhaustive, but it does verify that the keystore files exist, contain the expected keys, and are configured the same way in Oracle WebLogic Server as in Oracle VM Manager. An example of the check command is presented below:

# ./ovmkeytool.sh check
 Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
 WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
 Oracle WebLogic Server name: [AdminServer]
 WebLogic username: [weblogic] 
 WebLogic password: [********] 
 WLST session logged at: /tmp/wlst-session2891919577425803475.log
           
 The Oracle VM Manager CA and SSL configuration appears to be valid.

Exporting the CA certificate

Oracle VM Manager contains its own internal Certificate Authority (CA), which it uses for certificate-based authentication and to sign the SSL certificate used for the web-based user interface. To avoid certificate errors in web browsers connecting to the Oracle VM Manager web user interface, this CA certificate may be added as a trusted CA in the user's browser. Note that a browser then accepts any certificate this CA signs, so confirm the certificate's fingerprint out of band with the Oracle VM Manager administrator before importing it. The internal CA certificate can be retrieved, in PEM format, using the exportca command:

# ./ovmkeytool.sh exportca
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----

Refer to your web-browser documentation to determine how to add CA certificates to your list of trusted CAs within your browser.
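The check command inspects the configuration on the Oracle VM Manager host itself. The following POSIX shell functions are an added example, not part of the Oracle VM Manager documentation or tooling, that complement it from the client side using the CA certificate exported above: they verify that the certificate actually served by the web interface chains to that CA, that its name matches the host you connect to, that it is not about to expire, and they print a SHA-256 fingerprint that can be compared out of band before the CA is trusted. Everything here is an assumption to adapt: the exported CA is saved as ovm-ca.pem, the HTTPS port is 7002 (use the port your Oracle VM Manager interface listens on), and openssl is available on the client.

```shell
#!/bin/sh
# Added example (not Oracle VM Manager code): client-side TLS checks against
# the CA exported with "ovmkeytool.sh exportca". Assumed: CA saved as
# ovm-ca.pem, HTTPS port 7002, openssl installed. All names are placeholders.

# SHA-256 fingerprint of a PEM certificate, for out-of-band comparison with
# what "keytool -list -v" reports on the manager for ovmmgr_ca_key_entry.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 if the certificate in $1 remains valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 0 if the certificate in $1 is valid for host name $2 (CN or subjectAltName).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 0 if the certificate in $1 verifies against the CA bundle in $2.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Fetch the leaf certificate served on $1:$2 into $3 (PEM), insisting that the
# whole chain verifies against the exported CA $4, as a browser would.
fetch_server_cert() {
    host=$1; port=$2; out=$3; ca=$4
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$ca" -verify_return_error </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Run every check; exit status 0 only if all of them pass.
check_manager_tls() {
    host=$1; port=${2:-7002}; ca=${3:-ovm-ca.pem}; min_days=${4:-30}
    leaf=$(mktemp); rc=0
    if fetch_server_cert "$host" "$port" "$leaf" "$ca"; then
        echo "OK   served certificate chains to $ca"
        if cert_matches_host "$leaf" "$host"; then
            echo "OK   certificate is valid for $host"
        else
            echo "FAIL certificate does not match $host (check gensslkey host names)"; rc=1
        fi
        if cert_valid_for_days "$leaf" "$min_days"; then
            echo "OK   valid for at least $min_days more days"
        else
            echo "FAIL expires within $min_days days; run gensslkey or setsslkey"; rc=1
        fi
        echo "     leaf SHA-256: $(cert_fingerprint "$leaf")"
    else
        echo "FAIL no certificate chaining to $ca could be fetched from $host:$port"; rc=1
    fi
    rm -f "$leaf"
    return $rc
}

# Usage: check_manager_tls myserver.example.com 7002 ovm-ca.pem 30
if [ "$#" -ge 1 ]; then check_manager_tls "$@"; fi
```

cert_fingerprint applied to ovm-ca.pem gives the value to compare with the SHA-256 fingerprint that keytool -list -v prints for the ovmmgr_ca_key_entry entry on the manager; the MD5 fingerprint shown by a plain keytool -list is not a suitable basis for that comparison.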

Generating a New SSL Key

The default SSL certificates generated during the installation of Oracle VM Manager are valid for ten years from the date of installation. Nonetheless, there may be a requirement to update the SSL certificate served by Oracle VM Manager at any point. This can be achieved using the gensslkey command, which generates a new SSL certificate signed by the Oracle VM Manager internal CA. This is essentially the same configuration as is achieved after a fresh installation, but the certificate is generated afresh. The example below shows the typical output of this command:

# ./ovmkeytool.sh gensslkey
Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] 
The hostname should be the fully qualified hostname of the system
(this is the hostname you'd use to access this system from outside the
local domain).  Depending on your machine setup the value below may not be
correct.
Fully qualified hostname: [myserver.example.com] 
Key distinguished name is "CN=myserver.example.com, OU=Oracle VM Manager, O=Oracle Corporation, 
  L=Redwood City, ST=California, C=US".  Use these values? [yes] 
Alternate hostnames (separated by commas): [myserver.example.com,myserver]    
You may either specify passwords or use random passwords.
If you choose to use a random password, only WebLogic, the Oracle VM Manager,
and this application will have access to the information stored in this
keystore.
Use random passwords? [yes] 
Generating SSL key and certificate and persisting them to the keystore...
Updating keystore information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
Oracle WebLogic Server name: [AdminServer] 
WebLogic username: [weblogic] 
WebLogic password: [********] 
WLST session logged at: /tmp/wlst-session178461015146984067.log

Note that the command prompts you to provide the values for various steps through the procedure as the new SSL certificate is generated. Notably, you must enter a valid fully qualified domain name for the server. This value is used for the hostname in the SSL certificate and must match the hostname that is used to access the Oracle VM Manager web-based user interface. Any other names by which the interface is reached (for example the short hostname) should be listed at the Alternate hostnames prompt, since a browser checks the name it connected with against the certificate.

Changing the SSL Key

If you have already obtained an SSL certificate that has been signed by a third-party CA, you may wish to use this instead of the default SSL certificate used for Oracle VM Manager. To do this, you must first create your own Java keystore and import your certificate into it, using the keytool command provided with the JDK. Two points are easy to miss: the certificate must have been issued for the key pair held in this keystore (generate a certificate signing request from the same alias with keytool -certreq and submit that to the CA), and the CA's own certificate, plus any intermediate certificates, must be imported into the keystore or included in the CA's reply before the signed certificate is imported, otherwise keytool cannot build the certificate chain and rejects the reply. To create a new keystore and key pair:

# keytool -genkey -alias mydomain -keyalg RSA -keystore /home/oracle/keystore.jks -keysize 2048

To import the signed certificate (PEM format) into the new keystore under the same alias:

# keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore \
  /home/oracle/keystore.jks

Once you have a keystore containing your SSL certificate, use the setsslkey command of ovmkeytool.sh to make Oracle VM Manager use it instead of the default keystore:

# ./ovmkeytool.sh setsslkey
Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] 
  /home/oracle/keystore.jks
Keystore password: 
Alias of key to use as SSL key: mydomain
Key password: 
Updating keystore information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
Oracle WebLogic Server name: [AdminServer] 
WebLogic username: [weblogic] 
WebLogic password: [********] 
WLST session logged at: /tmp/wlst-session5820685079094897641.log
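The complete keytool workflow that the two commands above abbreviate is shown here as an added example; it is not Oracle VM Manager code and is not taken from its documentation. It generates the key pair with the subject alternative names, produces the CSR, imports the issuing CA before the signed certificate, and then checks that the alias really is a private-key entry with a two-certificate chain, which is what setsslkey needs to find. Assumptions, all mine: alias mydomain, host names myserver.example.com and myserver, the passwords shown, and a third-party CA simulated locally with openssl so that the example runs offline. With a real CA you send mydomain.csr away and receive mydomain.crt and the CA chain back; the keytool steps are the same. (-genkey and -import, as used above, are the older names of -genkeypair and -importcert.)

```shell
#!/bin/sh
# Added example, not Oracle VM Manager code: build a JKS keystore holding a
# third-party-signed server certificate for "ovmkeytool.sh setsslkey".
# Assumed and changeable: alias, host names, passwords, and a locally
# simulated "third-party CA" (openssl) used only so this runs offline.
set -u
ALIAS=mydomain
FQDN=myserver.example.com
ALTNAMES="dns:$FQDN,dns:myserver"
STOREPASS=${STOREPASS:-example-store-pass}   # assumed; use your own
KEYPASS=${KEYPASS:-example-key-pass}         # assumed; use your own

# 1. Key pair plus self-signed placeholder certificate, SAN included.
gen_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$FQDN, OU=Oracle VM Manager, O=Example Corp, C=US" \
        -ext "SAN=$ALTNAMES" -keystore "$KS" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$KEYPASS" 2>/dev/null
}

# 2. Certificate signing request for that same key pair.
gen_csr() {
    keytool -certreq -alias "$ALIAS" -file "$WORK/$ALIAS.csr" -ext "SAN=$ALTNAMES" \
        -keystore "$KS" -storepass "$STOREPASS" -keypass "$KEYPASS" 2>/dev/null
}

# 3. Constructed stand-in for the external CA. "openssl x509 -req" does not
#    copy extensions from the CSR, so the SAN is restated in an extension file.
simulate_third_party_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Third-Party CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:myserver\n' \
        "$FQDN" > "$WORK/leaf.ext" &&
    openssl x509 -req -in "$WORK/$ALIAS.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/$ALIAS.crt" 2>/dev/null
}

# 4. Issuer chain first (root and any intermediates, each under its own alias),
#    then the signed certificate under the key-pair alias. keytool rejects the
#    reply if it cannot chain it to a certificate it already trusts.
import_chain_and_cert() {
    keytool -importcert -noprompt -trustcacerts -alias third-party-ca -file "$WORK/ca.crt" \
        -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null &&
    keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/$ALIAS.crt" \
        -keystore "$KS" -storepass "$STOREPASS" -keypass "$KEYPASS" 2>/dev/null
}

# 5. Checks: the alias must be a PrivateKeyEntry with chain leaf + CA (length 2).
entry_type() {
    keytool -list -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^.*, \([A-Za-z]*Entry\),.*$/\1/p'
}
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

# Run all steps in work directory $1; prints the keystore path on success.
build_keystore() {
    WORK=$1
    KS="$WORK/keystore.jks"
    gen_keypair && gen_csr && simulate_third_party_ca && import_chain_and_cert || return 1
    [ "$(entry_type)" = "PrivateKeyEntry" ] && [ "$(chain_length)" = "2" ] || return 1
    echo "$KS"
}

build_keystore "$(mktemp -d)"
```

The printed keystore path, the alias mydomain, and the two passwords are exactly the four values the setsslkey prompts above ask for; after running setsslkey, ovmkeytool.sh check confirms that Oracle WebLogic Server has picked up the new keystore.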

Changing the Keystore Password

In some scenarios, you may also want to add further trusted CAs to the Oracle WebLogic Server SSL truststore. The truststore password is randomized by default, so the truststore cannot be modified until its password is known: use the changepass command to set the truststore password to a value of your own, then modify the truststore with the Java keytool as required. Back up the truststore file before editing it, and never remove the existing internal Oracle VM Manager CA certificate (the ovmmgr_ca_key_entry entry shown in the keytool listing below) from it.

An example of setting the truststore password and then listing the truststore contents with the Java keytool command is shown below:

# ./ovmkeytool.sh changepass
You may either specify passwords or use random passwords.
If you choose to use a random password, only WebLogic, the Oracle VM Manager,
and this application will have access to the information stored in this
keystore.
Use random passwords? [yes] no
Change CA Keystore and Key passwords? [yes] no

Change SSL Keystore and Key passwords? [yes] no

Change SSL Trustore password? [yes]  
SSL Trust Keystore password: 
Verify SSL Trust Keystore password: 
Updating trust-store information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
Oracle WebLogic Server name: [WLS1] AdminServer
WebLogic username: [weblogic] 
WebLogic password: [********] 
WLST session logged at: /tmp/wlst-session6297528751781822860.log
# keytool -list -keystore /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ovmmgr_ca_key_entry, Nov 7, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 65:31:9C:17:35:59:6C:A7:A3:93:C8:93:F0:A7:81:6A
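The listing above shows the one entry that must survive any edit. The following shell functions are an added example, not Oracle VM Manager code or documentation: they add a further trusted CA to the truststore after changepass has set a known password, while enforcing that rule. The import is refused if the internal CA entry is not present beforehand (a sign of the wrong file or wrong password), the file is backed up first, and the backup is restored if the internal CA entry is missing afterwards. Assumptions: the truststore path and the alias ovmmgr_ca_key_entry as shown above, a password supplied by the caller, and keytool on the PATH.

```shell
#!/bin/sh
# Added example, not Oracle VM Manager code: add a trusted CA to the WebLogic
# truststore without losing the internal Oracle VM Manager CA entry.
# Assumed: alias of the internal CA as in the keytool listing; the caller
# supplies the truststore path and the password set with changepass.
INTERNAL_CA_ALIAS=ovmmgr_ca_key_entry

# $1 truststore, $2 password, $3 alias: 0 if the alias exists.
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# $1 truststore, $2 password: number of trusted certificate entries.
count_trusted() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c 'trustedCertEntry'
}

# $1 truststore, $2 password, $3 new alias, $4 CA certificate file (PEM or DER).
add_trusted_ca() {
    ts=$1; pw=$2; alias=$3; cert=$4
    if ! has_alias "$ts" "$pw" "$INTERNAL_CA_ALIAS"; then
        echo "refusing: $INTERNAL_CA_ALIAS not found in $ts (wrong file or password?)" >&2
        return 1
    fi
    bak="$ts.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$ts" "$bak" || return 1
    if ! keytool -importcert -noprompt -alias "$alias" -file "$cert" \
            -keystore "$ts" -storepass "$pw" >/dev/null 2>&1; then
        echo "import failed; $ts unchanged, backup at $bak" >&2
        return 1
    fi
    if ! has_alias "$ts" "$pw" "$INTERNAL_CA_ALIAS" || ! has_alias "$ts" "$pw" "$alias"; then
        echo "post-check failed; restoring $bak" >&2
        cp -p "$bak" "$ts"
        return 1
    fi
    echo "added $alias; $(count_trusted "$ts" "$pw") trusted entries in $ts (backup: $bak)"
}

# Stand-alone usage (assumed path and password variable):
#   sh add_ca.sh /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks \
#       "$TRUSTPASS" corporate-root /tmp/corporate-root.pem
if [ "$#" -eq 4 ]; then add_trusted_ca "$@"; fi
```

Run ovmkeytool.sh check afterwards to confirm that the truststore is still consistent with the Oracle WebLogic Server configuration, and prefer keytool -list -v when comparing fingerprints, since it prints SHA-256 as well as the MD5 value shown in the short listing above.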