G Updating Demonstration Keystores to Reflect Alias Hostnames

If you are using demonstration WebLogic certificates, and if you have implemented alias hostnames as part of preparation for implementing Standby OMSs using the Storage Replication DR architecture, the demonstration identity certificates configured for WebLogic Server need to be recreated on each OMS to have the alias hostname for the OMS, instead of the physical hostname of the server. These steps need to be implemented after installations and upgrades. These steps involve downtime as the OMS must be restarted. To maintain availability, these steps should be performed serially, first on OMS1 and then one by one on additional OMSs so that other OMSs remain online while only one OMS is being updated at a time.

Perform the following steps serially, first on OMS1 and then on each additional OMS:

  1. Back up the existing DemoIdentity.jks file.

    cp -p <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/DemoIdentity.jks <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/DemoIdentity.jks.before_regen_YYYYMMDD

    For example:

    cp -p /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/DemoIdentity.jks /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/DemoIdentity.jks.before_regen_20160402

  2. Back up the existing DemoTrust.jks file.

    cp -p <NEW_MIDDLEWARE_HOME>/wlserver/server/lib/DemoTrust.jks <NEW_MIDDLEWARE_HOME>/wlserver/server/lib/DemoTrust.jks.before_regen_YYYYMMDD

    For example:

    cp -p /u01/app/oracle/OMS/MWare13c/wlserver/server/lib/DemoTrust.jks /u01/app/oracle/OMS/MWare13c/wlserver/server/lib/DemoTrust.jks.before_regen_20160402

  3. Run the following commands in a separate session to prevent the environment variable settings required to run these steps from affecting other commands. These environment variable settings can cause issues with standard OMS operations and with the other instructions in this upgrade and transition process.
    1. Open a new shell session as the Oracle Software Owner User.
    2. Set the necessary environment variables.
      1. Change directory to the bin directory for the domain.

        cd <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/bin

        For example:

        cd /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/bin

      2. Source the script to set environment variables. Make sure you source the contents of the script using the exact syntax below including the leading dot and space.

        . ./setDomainEnv.sh

    3. Create a new keystores directory to use while generating these files.

      mkdir -p <NEW_MIDDLEWARE_HOME>/keystores

      For example:

      mkdir -p /u01/app/oracle/OMS/MWare13c/keystores

    4. Change directory to the new keystores directory.

      cd <NEW_MIDDLEWARE_HOME>/keystores

      For example:

      cd /u01/app/oracle/OMS/MWare13c/keystores

    5. Generate the new certificate with the alias hostname for the OMS server. In the following command, replace <OMS_ALIAS_HOSTNAME_FQDN> with the value for <OMS1_ALIAS_HOSTNAME_FQDN> when running these commands on OMS1 and with the value for <OMS<#>_ALIAS_HOSTNAME_FQDN> when running these commands on OMS<#>.

      java utils.CertGen -cn <OMS_ALIAS_HOSTNAME_FQDN> -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey

      For example:

      java utils.CertGen -cn emoms1.example.com -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey

    6. Import the new certificate into a new DemoIdentity.jks file.

      java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfilepass DemoIdentityPassPhrase -certfile democert.pem -keyfile demokey.pem -alias demoidentity

    7. Confirm that the newly generated certificate in the keystore references the alias hostname FQDN of the OMS. When prompted for a password, press Enter, as a password is not required to view the contents of the keystore. Examine the value after CN= on the line that starts with Owner:

      keytool -list -v -keystore DemoIdentity.jks

    8. Delete the four interim files that are no longer needed, leaving just the new DemoIdentity.jks file in the current directory:

      rm democert.*

      rm demokey.*

    9. Exit the separate shell session that was started to execute these commands.
  4. Stop the OMS.

    <NEW_MIDDLEWARE_HOME>/bin/emctl stop oms -all

    For example:

    /u01/app/oracle/OMS/MWare13c/bin/emctl stop oms -all

  5. Change directory to the new keystores directory.

    cd <NEW_MIDDLEWARE_HOME>/keystores

    For example:

    cd /u01/app/oracle/OMS/MWare13c/keystores

  6. Replace the old DemoIdentity.jks file with the newly generated file. Note that we are explicitly NOT passing the -p parameter to cp here so that the target file retains its original permissions. Specifying -p here will cause the wrong permissions to be set on the target file.

    cp DemoIdentity.jks <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/

    For example:

    cp DemoIdentity.jks /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/

  7. Confirm that the DemoIdentity.jks file has been copied successfully.

    ls -alF <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/Demo*

    For example:

    ls -alF /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/Demo*

  8. Start the OMS.

    <NEW_MIDDLEWARE_HOME>/bin/emctl start oms

    For example:

    /u01/app/oracle/OMS/MWare13c/bin/emctl start oms

  9. Run the following commands in a separate session to prevent the environment variable settings required to run these steps from affecting other commands. These environment variable settings can cause issues with standard OMS operations and with the other instructions in this upgrade and transition process.
    1. Open a new shell session as the Oracle Software Owner User.

    2. Set the necessary environment variables.

      1. Change directory to the bin directory for WebLogic Home.

        cd <NEW_MIDDLEWARE_HOME>/wlserver/server/bin

        For example:

        cd /u01/app/oracle/OMS/MWare13c/wlserver/server/bin

      2. Source the script to set the environment needed to run wlst. Make sure you source the contents of the script using the exact syntax below including the leading dot and space.

        . ./setWLSEnv.sh

    3. Change directory to prepare to run wlst.

      cd <NEW_MIDDLEWARE_HOME>/oracle_common/common/bin

      For example:

      cd /u01/app/oracle/OMS/MWare13c/oracle_common/common/bin

    4. Launch wlst.

      java -Dweblogic.security.TrustKeyStore=DemoTrust -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 weblogic.WLST

    5. At this point you should be able to successfully connect to this OMS server via wlst specifying the alias hostname for this OMS server, and if you have already completed these steps on the other OMS server(s) you should also be able to connect to the other OMS server(s).

    6. Attempt to connect to the Admin server:

      connect('<ADMIN_SERVER_USER>','<ADMIN_SERVER_PASSWORD>','t3s://<OMS1_ALIAS_HOSTNAME_FQDN>:<ADMIN_SERVER_HTTPS_PORT>')

      For example:

      connect('weblogic','myadminpassword','t3s://emoms1.example.com:7101')

    7. Attempt to connect to the OMS1 Managed Server.

      connect('<ADMIN_SERVER_USER>','<ADMIN_SERVER_PASSWORD>','t3s://<OMS1_ALIAS_HOSTNAME_FQDN>:<OMS_SERVER_HTTPS_PORT>')

      For example:

      connect('weblogic','myadminpassword','t3s://emoms1.example.com:7301')

    8. Attempt to connect to the OMS<#> Managed Server (this will fail until these steps are completed on OMS<#>). These connection tests can be repeated once the process is complete on all OMS servers.

      connect('<ADMIN_SERVER_USER>','<ADMIN_SERVER_PASSWORD>','t3s://<OMS<#>_ALIAS_HOSTNAME_FQDN>:<OMS_SERVER_HTTPS_PORT>')

      For example:

      connect('weblogic','myadminpassword','t3s://emoms2.example.com:7301')

    9. Exit wlst.

      exit()

    10. Exit the separate shell session that was started to execute these commands.
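The check in step 3.7 (the CN on the Owner: line must be the alias hostname, not the physical one) can be scripted so it is applied the same way on every OMS before the keystore is copied into the domain. The following is an added example, not part of the Oracle procedure: the function names are hypothetical, and the keytool output samples and the physical hostname omshost1.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code). Function names are hypothetical.

# Print the CN from the first "Owner:" line of `keytool -list -v` output on stdin.
# In a keystore holding only the demoidentity entry, that line is the identity certificate.
first_owner_cn() {
    sed -n '/^Owner:/{s/^Owner:.*CN=\([^,]*\).*$/\1/p;q;}'
}

# check_alias_cn EXPECTED_FQDN < keytool-output
# Returns 0 on match (case-insensitive), 1 on mismatch, 2 if no Owner CN was found.
check_alias_cn() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    actual=$(first_owner_cn | tr '[:upper:]' '[:lower:]')
    if [ -z "$actual" ]; then
        echo "ERROR: no Owner CN found in keytool output" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: keystore CN is $actual, expected $expected" >&2
        return 1
    fi
    echo "OK: keystore CN is $actual"
}

# Constructed sample output: certificate regenerated with the alias hostname.
SAMPLE_ALIAS='Alias name: demoidentity
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=emoms1.example.com, OU=FOR TESTING ONLY, O=MyOrganization, C=US
Issuer: CN=CertGenCA, OU=FOR TESTING ONLY, O=MyOrganization, C=US'

# Constructed sample output: certificate still carries a physical hostname.
SAMPLE_PHYSICAL='Alias name: demoidentity
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=omshost1.example.com, OU=FOR TESTING ONLY, O=MyOrganization, C=US
Issuer: CN=CertGenCA, OU=FOR TESTING ONLY, O=MyOrganization, C=US'

printf '%s\n' "$SAMPLE_ALIAS"    | check_alias_cn emoms1.example.com
printf '%s\n' "$SAMPLE_PHYSICAL" | check_alias_cn emoms1.example.com || echo "regenerate before copying"

# On an OMS, from the keystores directory (the piped newline answers the password prompt):
#   echo | keytool -list -v -keystore DemoIdentity.jks | check_alias_cn emoms1.example.com
```

A non-zero return before step 4 means the OMS should not be stopped yet: the keystore would be replaced with a certificate that clients connecting to the alias hostname cannot match.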