When using Enterprise Manager version 12.1 and a Secure Socket Layer (SSL) protocol or Transport Layer Security (TLS) protocol to discover and monitor WebLogic servers, the Management Agent must be able to trust the server before it can establish a secure communication link. The Agent maintains a Java Keystore (JKS) truststore containing certificates of Certification Authorities (CAs) that it can trust when establishing a secure connection. The Agent comes with nine well-known CA certificates.
It is recommended that customers using WebLogic t3s in a production environment use certificates signed by a well-known Certification Authority (CA), such as VeriSign or Thawte, on their WebLogic servers. A few popular Root CA certificates are available out-of-box in the Agent's JKS-based truststore and does not require any action by the customer. However, if self-signed certificates or the default (out-of-box) demo certificate are being used on the WebLogic servers, then the following step is needed to explicitly import the Root CA certificate for these server certificates to the Agent's truststore.
The JKS Agent truststore is located at the following location:
$ORACLE_HOME/sysman/config/montrust/AgentTrust.jks
Note: ORACLE_HOME is the Management Agent's instance home.
Updating the Agent truststore is required on ALL Enterprise Manager Agents involved in the discovery and monitoring of the WebLogic domain using any secure protocol.
To update the Agent truststore (AgentTrust.jks), you use EMCTL. If the default demo certificate, or a self-signed certificate is being used on the WebLogic servers for t3s/iiops, then the Root CA certificate for this must be added to AgentTrust.jks in order for the Agent to be able to discover and monitor these WebLogic servers and J2EE applications using t3s. An EMCTL command is provided for this purpose.
emctl secure add_trust_cert_to_jks [-password <password> -trust_certs_loc <loc> -alias <alias>]
Where:
password = password to the AgentTrust.jks (if not specified, you will be prompted for the password at the command line)
trust_certs_loc = location of the certificate file to import
alias = alias for the certificate to import
To import the Root CA certificate for a Demo WebLogic server into the Agent's truststore, the EMCTL secure command needs to be executed from the host on which the Agent is located.
<ORACLE_HOME>/bin/emctl secure add_trust_cert_to_jks -password "welcome"
Note: ORACLE_HOME is the Management Agent's instance home.
The following example demonstrates a typical session using the secure command with the add_trust_cert_to_jks option.
The default out-of-box password for the AgentTrust.jks is "welcome" and it is recommended that this be changed using the JDK keytool utility. If no password is specified along with the EMCTL command, the system will prompt you for the password.
Example 7-1 Sample Session
./emctl secure add_trust_cert_to_jks -password welcome Oracle Enterprise Manager 12c Release 1 Cloud Control 12.1.0.2.0 Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved. Message : Certificate was added to keystore ExitStatus: SUCCESS
If the WebLogic servers are secured with another certificate, such as a self-signed certificate, then that Root CA certificate must be imported into the Agent's truststore as follows:
<ORACLE_HOME>/bin/emctl secure add_trust_cert_to_jks -password "welcome" trust_certs_loc <location of certificate> -alias <certificate-alias>
Note: ORACLE_HOME is the Management Agent's instance home.
If the Oracle Management Service is running in TLS mode only, set the following parameters on the Management Agent of the target. This is the Management Agent which is going to run the discovery of the WebLogic Server Domain.
emctl secure agent -protocol TLS emctl setproperty agent -name allowTLSOnly -value true