By default, Oracle PCA and Oracle VM Manager use a self-signed SSL certificate for authentication. While it serves to provide SSL encryption for all HTTP traffic, it is recommended that you obtain and install your own custom trusted certificate from a well-known and recognized Certificate Authority (CA).
Both the Oracle PCA Dashboard and the Oracle VM Manager web interface run on Oracle WebLogic Server. The functionality to update the digital certificate and keystore is provided by the Oracle VM Key Tool in conjunction with the Java Keytool in the JDK. The tools are installed on the Oracle PCA management nodes.
If you do not already have a third-party CA certificate, you can create a new keystore. The keystore you create contains one entry for a private key. After you create the keystore, you generate a certificate signing request (CSR) for that private key and submit the CSR to a third-party CA. The CA then signs the CSR and returns a signed SSL certificate and a copy of the CA certificate, which you then import into your keystore.
Creating a Keystore with a Custom CA Certificate
Using SSH and an account with superuser privileges, log into the management node.
Note: The data center IP address used in this procedure is an example.
# ssh root@10.100.1.101
root@10.100.1.101's password:
[root@ovcamn05r1 ~]#
Go to the security directory of the Oracle VM Manager WebLogic domain.
# cd /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security
Create a new keystore. Transfer ownership to user oracle in the user group dba.
# /u01/app/oracle/java/bin/keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 \
  -keypass Welcome1 -storetype jks -keystore mykeystore.jks -storepass Welcome1
# chown oracle.dba mykeystore.jks
Generate a certificate signing request (CSR). Transfer ownership to user oracle in the user group dba.
# /u01/app/oracle/java/bin/keytool -certreq -alias ca -file pcakey.csr \
  -keypass Welcome1 -storetype jks -keystore mykeystore.jks -storepass Welcome1
# chown oracle.dba pcakey.csr
Submit the CSR file to the relevant third-party CA for signing.
For the signed files returned by the CA, transfer ownership to user oracle in the user group dba.
# chown oracle.dba ca_cert_file
# chown oracle.dba ssl_cert_file
Import the signed CA certificate into the keystore.
# /u01/app/oracle/java/bin/keytool -importcert -trustcacerts -noprompt -alias ca \
  -file ca_cert_file -storetype jks -keystore mykeystore.jks -storepass Welcome1
Import the signed SSL certificate into the keystore.
# /u01/app/oracle/java/bin/keytool -importcert -trustcacerts -noprompt -alias ca \
  -file ssl_cert_file -keypass Welcome1 -storetype jks -keystore mykeystore.jks \
  -storepass Welcome1
Use the setsslkey command to configure the system to use the new keystore.
# /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setsslkey
Path for SSL keystore: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/mykeystore.jks
Keystore password:
Alias of key to use as SSL key: ca
Key password:
Updating keystore information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
Oracle WebLogic Server name: [AdminServer]
WebLogic username: [weblogic]
WebLogic password: [********]
WLST session logged at: /tmp/wlst-session5820685079094897641.log
Configure the client certificate login.
# /u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh \
  /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/pcakey.crt
Test the new SSL configuration by logging into the Oracle PCA Dashboard. From there, proceed to Oracle VM Manager with the button "Login to OVM Manager". The browser now indicates that your connection is secure.
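Before the two keytool -importcert steps in the procedure above, it is worth confirming that the files returned by the CA actually belong to the CSR you submitted, because keytool will otherwise store a certificate that does not match the private key in mykeystore.jks. The shell function below is an added check and is not part of the Oracle documentation; it assumes openssl is installed on the management node and uses the file names pcakey.csr, ssl_cert_file and ca_cert_file from the procedure.

```shell
#!/bin/sh
# Added pre-import check (not from the Oracle PCA documentation). Assumes openssl
# is on the PATH. Usage: check_ca_reply pcakey.csr ssl_cert_file ca_cert_file
# Returns 0 when every check passes and 1 (with a reason on stderr) otherwise.
check_ca_reply() {
    csr="$1"; ssl_cert="$2"; ca_cert="$3"

    # 1. The signed certificate must carry the same public key as the CSR that
    #    keytool -certreq produced from mykeystore.jks; if it does not, it cannot
    #    be paired with the private key stored under alias "ca".
    csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    crt_pub=$(openssl x509 -in "$ssl_cert" -noout -pubkey | openssl sha256)
    if [ "$csr_pub" != "$crt_pub" ]; then
        echo "public key in $ssl_cert does not match $csr" >&2
        return 1
    fi

    # 2. The server certificate must chain to the CA certificate that will be
    #    imported alongside it; otherwise browsers will still show a warning.
    if ! openssl verify -CAfile "$ca_cert" "$ssl_cert" >/dev/null 2>&1; then
        echo "$ssl_cert does not verify against $ca_cert" >&2
        return 1
    fi

    # 3. The certificate must be valid now and not expire within 30 days
    #    (2592000 seconds), so the keystore is not replaced with a stale cert.
    if ! openssl x509 -in "$ssl_cert" -noout -checkend 2592000 >/dev/null; then
        echo "$ssl_cert is expired or expires within 30 days" >&2
        return 1
    fi
    return 0
}
```

Run it in the security directory of the WebLogic domain after the chown step; only proceed to the keytool -importcert commands when it returns 0.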
If you already have a CA certificate and SSL certificate, use the SSL certificate to create a keystore. You can then import that keystore into Oracle PCA and configure it as the SSL keystore.
Importing a Keystore with an Existing CA and SSL Certificate
Using SSH and an account with superuser privileges, log into the management node.
Note: The data center IP address used in this procedure is an example.
# ssh root@10.100.1.101
root@10.100.1.101's password:
[root@ovcamn05r1 ~]#
Import the keystore.
# /u01/app/oracle/java/bin/keytool -importkeystore -noprompt \
  -srckeystore existing_keystore.jks -srcstoretype source_format -srcstorepass Welcome1 \
  -destkeystore mykeystore.jks -deststoretype jks -deststorepass Welcome1
Use the setsslkey command to configure the system to use the new keystore.
# /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setsslkey
Path for SSL keystore: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/mykeystore.jks
Keystore password:
Alias of key to use as SSL key: ca
Key password:
Updating keystore information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
Oracle WebLogic Server name: [AdminServer]
WebLogic username: [weblogic]
WebLogic password: [********]
WLST session logged at: /tmp/wlst-session5820685079094897641.log
Test the new SSL configuration by logging into the Oracle PCA Dashboard. From there, proceed to Oracle VM Manager with the button "Login to OVM Manager". The browser now indicates that your connection is secure.