Switching Oracle FPP Server to a New Custom Certificate

You can switch the Oracle FPP Server to use a new custom security certificate to replace a self-signed certificate or to update an expired certificate.

When you switch Oracle FPP Server to use a new custom certificate, communication with the Oracle FPP clients is broken. You must complete the following steps to restore the communication.
  1. Perform a sanity check from the Oracle FPP Client to ensure that the client can connect to the server.
    $ rhpctl query server
  2. Generate a P12 file from the security certificate that you want to use for the Oracle FPP Server configuration.
    $ openssl pkcs12 -export -inkey ${SERVER_KEY} -passin pass:${PASS} -in ${SERVER_CRT} \
      -name orakey -certfile ${CA_CRT} -caname cakey -out ${P12_FILE} -password pass:${P12_PASS}
  3. Configure Oracle FPP Server to use the new custom certificate from the generated P12 file and provide a name for this certificate.
    $ srvctl stop rhpserver
    # srvctl modify rhpserver -p12certpath P12_file_path -certname cert_name
    $ srvctl start rhpserver
  4. Export credentials from the Oracle FPP Server to a client data file.
    $ rhpctl export client -client cluster_name -clientdata file_path
  5. Copy the generated credential file securely to the Oracle FPP Client cluster.
  6. Perform a sanity check from the Oracle FPP Client.
    $ rhpctl query server
    This command is expected to fail with the PRGO-1068 error.
  7. Configure the Oracle FPP Client to use a new custom certificate.
    1. Generate a P12 file from the security certificate that you want to use for the Oracle FPP Client configuration.
      $ openssl pkcs12 -export -inkey ${SERVER_KEY} -passin pass:${PASS} -in ${SERVER_CRT} \
        -name orakey -certfile ${CA_CRT} -caname cakey -out ${P12_FILE} -password pass:${P12_PASS}
    2. Configure Oracle FPP Client to use the new custom certificate from the generated P12 file and provide a name for this certificate.
      $ srvctl stop rhpclient
      # srvctl modify rhpclient -p12certpath P12_file_path -certname cert_name

      Note:

      It is not mandatory to use a custom security certificate for all Oracle FPP Clients, even if you are using one for the Oracle FPP Server. Similarly, you can use a custom security certificate for one or more Oracle FPP Clients without using one for the Oracle FPP Server.
  8. Update the public security key of the Oracle FPP Server.
    # srvctl modify rhpclient -clientdata file_path
    $ srvctl start rhpclient
    This command updates Oracle FPP Client's public key on the Oracle FPP Server.
  9. Perform a sanity check from the Oracle FPP Client to ensure that the client can connect to the server.
    $ rhpctl query server
  10. Repeat steps 4 through 9 on all other Oracle FPP Client cluster nodes.
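
The following script is an added example, not part of the Oracle documentation. It checks a generated P12 file before it is passed to `srvctl modify ... -p12certpath` in steps 3 and 7: the bundle opens with the given password, carries the `orakey` alias, holds a private key that matches the certificate, chains to the CA certificate, and has not expired. The function names, the `P12_PASS` environment variable, and the throwaway CA and host name are assumptions constructed for the demonstration.

```shell
# Added example: sanity-check a P12 bundle before passing it to srvctl.
# The bundle password is read from P12_PASS (env: keeps it off the command line).

# check_p12 P12_FILE CA_CRT: returns 0 if the bundle passes all checks, else 1.
check_p12() {
    p12=$1; ca=$2; rc=0
    leaf=$(mktemp) || return 1
    # Leaf certificate with its bag attributes (friendlyName is the alias).
    if ! bag=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null); then
        echo "FAIL: cannot open $p12 (wrong password or not PKCS#12)"; rm -f "$leaf"; return 1
    fi
    printf '%s\n' "$bag" | openssl x509 -out "$leaf" 2>/dev/null
    # 1. Alias set by "-name orakey" in the export command.
    printf '%s\n' "$bag" | grep -q 'friendlyName: orakey' ||
        { echo "FAIL: alias orakey not found"; rc=1; }
    # 2. Bundled private key matches the certificate (key is piped, never written to disk).
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate"; rc=1; }
    # 3. Certificate chains to the CA that was supplied with -certfile.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: certificate not issued by $ca"; rc=1; }
    # 4. Certificate has not expired.
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expired"; rc=1; }
    rm -f "$leaf"
    [ "$rc" -eq 0 ] && echo "OK: $p12"
    return "$rc"
}

# Constructed sample input: throwaway CA, server key/certificate, and a P12
# built with the same export options as the page's openssl command.
make_constructed_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fpp-server.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" -name orakey \
        -certfile "$d/ca.crt" -caname cakey -out "$d/server.p12" -passout env:P12_PASS
}

export P12_PASS='constructed-demo-pass'
demo_dir=$(mktemp -d)
make_constructed_p12 "$demo_dir" && check_p12 "$demo_dir/server.p12" "$demo_dir/ca.crt"
rm -rf "$demo_dir"
```

Against a real bundle, export `P12_PASS` and call `check_p12 "$P12_FILE" "$CA_CRT"` before stopping `rhpserver` or `rhpclient`, so that a bad bundle is caught while the service is still running.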