Cloud Control Advanced Installation and Configuration Guide
G Updating Demonstration Keystores to Reflect Alias Hostnames
If you are using demonstration WebLogic certificates, and if you have implemented alias hostnames as part of preparation for implementing Standby OMSs using the Storage Replication DR architecture, the demonstration identity certificates configured for WebLogic Server need to be recreated on each OMS to have the alias hostname for the OMS, instead of the physical hostname of the server. These steps need to be implemented after installations and upgrades. These steps involve downtime as the OMS must be restarted. To maintain availability, these steps should be performed serially, first on OMS1 and then one by one on additional OMSs so that other OMSs remain online while only one OMS is being updated at a time.
Perform the following steps serially, first on OMS1 and then on each additional OMS:
- Back up the existing DemoIdentity.jks file.
cp -p <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/DemoIdentity.jks <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/DemoIdentity.jks.before_regen_YYYYMMDD
For example:
cp -p /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/DemoIdentity.jks /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/DemoIdentity.jks.before_regen_20160402
- Back up the existing DemoTrust.jks file.
cp -p <NEW_MIDDLEWARE_HOME>/wlserver/server/lib/DemoTrust.jks <NEW_MIDDLEWARE_HOME>/wlserver/server/lib/DemoTrust.jks.before_regen_YYYYMMDD
For example:
cp -p /u01/app/oracle/OMS/MWare13c/wlserver/server/lib/DemoTrust.jks /u01/app/oracle/OMS/MWare13c/wlserver/server/lib/DemoTrust.jks.before_regen_20160402
- Run the following commands in a separate session to prevent the environment variable settings required to run these steps from affecting other commands. These environment variable settings can cause issues to the standard OMS operations and the other instructions in this upgrade and transition process.
- Open a new shell session as the Oracle Software Owner User.
- Set the necessary environment variables:
- Change directory to the bin directory for the domain.
cd <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/bin
For example:
cd /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/bin
- Source the script to set environment variables. Make sure you source the contents of the script using the exact syntax below, including the leading dot and space.
. ./setDomainEnv.sh
- Create a new keystores directory to use while generating these files.
mkdir -p <NEW_MIDDLEWARE_HOME>/keystores
For example:
mkdir -p /u01/app/oracle/OMS/MWare13c/keystores
- Change directory to the new keystores directory.
cd <NEW_MIDDLEWARE_HOME>/keystores
For example:
cd /u01/app/oracle/OMS/MWare13c/keystores
- Generate the new certificate with the alias hostname for the OMS server. In the following command, replace <OMS_ALIAS_HOSTNAME_FQDN> with the value for <OMS1_ALIAS_HOSTNAME_FQDN> when running these commands on OMS1, and with the value for <OMS<#>_ALIAS_HOSTNAME_FQDN> when running these commands on OMS<#>.
java utils.CertGen -cn <OMS_ALIAS_HOSTNAME_FQDN> -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey
For example:
java utils.CertGen -cn emoms1.example.com -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey
- Import the new certificate into a new DemoIdentity.jks file.
java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfilepass DemoIdentityPassPhrase -certfile democert.pem -keyfile demokey.pem -alias demoidentity
- Confirm that the newly generated certificate in the keystore references the alias hostname FQDN of the OMS. When prompted for a password, press Enter, as a password is not required to view the contents of the keystore. Examine the value after CN= on the line that starts with Owner:
keytool -list -v -keystore DemoIdentity.jks
- Delete the four interim files that are no longer needed, leaving just the new DemoIdentity.jks file in the current directory:
rm democert.*
rm demokey.*
- Exit the separate shell session that was started to execute these commands.
- Stop the OMS.
<NEW_MIDDLEWARE_HOME>/bin/emctl stop oms -all
For example:
/u01/app/oracle/OMS/MWare13c/bin/emctl stop oms -all
- Change directory to the new keystores directory.
cd <NEW_MIDDLEWARE_HOME>/keystores
For example:
cd /u01/app/oracle/OMS/MWare13c/keystores
- Replace the old DemoIdentity.jks file with the newly generated file. Note that we are explicitly NOT passing the -p parameter to cp here so that the target file retains its original permissions. Specifying -p here will cause the wrong permissions to be set on the target file.
cp DemoIdentity.jks <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/
For example:
cp DemoIdentity.jks /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/
- Confirm that the DemoIdentity.jks file has been copied successfully.
ls -alF <NEW_INSTANCE_BASE>/user_projects/domains/GCDomain/security/Demo*
For example:
ls -alF /u01/app/oracle/OMS/gc_inst/user_projects/domains/GCDomain/security/Demo*
- Start the OMS.
<NEW_MIDDLEWARE_HOME>/bin/emctl start oms
For example:
/u01/app/oracle/OMS/MWare13c/bin/emctl start oms
- Run the following commands in a separate session to prevent the environment variable settings required to run these steps from affecting other commands. These environment variable settings can cause issues to the standard OMS operations and the other instructions in this upgrade and transition process.
- Open a new shell session as the Oracle Software Owner User.
- Set the necessary environment variables:
- Change directory to the bin directory for WebLogic Home.
cd <NEW_MIDDLEWARE_HOME>/wlserver/server/bin
For example:
cd /u01/app/oracle/OMS/MWare13c/wlserver/server/bin
- Source the script to set the environment needed to run wlst. Make sure you source the contents of the script using the exact syntax below, including the leading dot and space.
. ./setWLSEnv.sh
- Change directory to prepare to run wlst.
cd <NEW_MIDDLEWARE_HOME>/oracle_common/common/bin
For example:
cd /u01/app/oracle/OMS/MWare13c/oracle_common/common/bin
- Launch wlst.
java -Dweblogic.security.TrustKeyStore=DemoTrust -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 weblogic.WLST
- At this point you should be able to connect to this OMS server via wlst by specifying the alias hostname for this OMS server, and if you have already completed these steps on the other OMS server(s) you should also be able to connect to the other OMS server(s).
- Attempt to connect to the Admin Server:
connect('<ADMIN_SERVER_USER>','<ADMIN_SERVER_PASSWORD>','t3s://<OMS1_ALIAS_HOSTNAME_FQDN>:<ADMIN_SERVER_HTTPS_PORT>')
For example:
connect('weblogic','myadminpassword','t3s://emoms1.example.com:7101')
- Attempt to connect to the OMS1 Managed Server:
connect('<ADMIN_SERVER_USER>','<ADMIN_SERVER_PASSWORD>','t3s://<OMS1_ALIAS_HOSTNAME_FQDN>:<OMS_SERVER_HTTPS_PORT>')
For example:
connect('weblogic','myadminpassword','t3s://emoms1.example.com:7301')
- Attempt to connect to the OMS<#> Managed Server (this will fail until these steps have been completed on OMS<#>). These connection tests can be repeated once the process is complete on all OMS servers.
connect('<ADMIN_SERVER_USER>','<ADMIN_SERVER_PASSWORD>','t3s://<OMS<#>_ALIAS_HOSTNAME_FQDN>:<OMS_SERVER_HTTPS_PORT>')
For example:
connect('weblogic','myadminpassword','t3s://emoms2.example.com:7301')
- Exit wlst.
exit()
- Exit the separate shell session that was started to execute these commands.
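The following POSIX shell script is an added verification helper; it is not part of this guide and not Oracle code. It covers the two checks the procedure above relies on: that the regenerated keystore's Owner CN is the OMS alias hostname FQDN rather than the physical hostname (the keytool confirmation step), and that copying the new DemoIdentity.jks over the old one without -p leaves the target file's permissions unchanged (the note on the copy step). The temporary directory layout, the sample keytool output, and the hostnames emoms1.example.com and oms1-physical.example.com are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added verification helpers for the DemoIdentity.jks regeneration procedure.
# Not part of the Oracle documentation; sample data below is constructed.

# --- 1. Keystore subject check -------------------------------------------
# Extract the CN from the first "Owner:" line of `keytool -list -v` output
# read on stdin (the same line the procedure asks you to inspect by eye).
owner_cn() {
    sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p' | head -n 1
}

# Compare the Owner CN with the expected alias hostname FQDN.
# Exit status 0 when they match, 1 otherwise (e.g. still the physical host).
check_owner_cn() {
    expected="$1"
    actual="$(owner_cn)"
    if [ "$actual" = "$expected" ]; then
        echo "ok: keystore subject CN=$actual"
        return 0
    fi
    echo "MISMATCH: expected CN=$expected, keystore has CN=${actual:-<none>}"
    return 1
}

# --- 2. File-mode check --------------------------------------------------
# Symbolic mode string (e.g. -rw-------) of a file; ls(1) output is portable
# where stat(1) flags differ between systems.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Copy $1 over the existing $2 without -p, as the procedure does, and verify
# that $2 keeps the mode it had beforehand. Exit status 0 if unchanged.
deploy_keeping_mode() {
    src="$1"; dst="$2"
    before="$(mode_of "$dst")"
    cp "$src" "$dst" || return 1
    after="$(mode_of "$dst")"
    if [ "$before" = "$after" ]; then
        echo "ok: $dst kept mode $after"
        return 0
    fi
    echo "MODE CHANGED: $dst was $before, now $after"
    return 1
}

# Self-contained demonstration in a temporary directory whose layout stands
# in for <NEW_MIDDLEWARE_HOME>/keystores and the domain security directory.
# The old keystore is deliberately tighter (600) than the new one (644).
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/keystores" "$tmp/security"
    printf 'new keystore bytes\n' > "$tmp/keystores/DemoIdentity.jks"
    chmod 644 "$tmp/keystores/DemoIdentity.jks"
    printf 'old keystore bytes\n' > "$tmp/security/DemoIdentity.jks"
    chmod 600 "$tmp/security/DemoIdentity.jks"
    deploy_keeping_mode "$tmp/keystores/DemoIdentity.jks" "$tmp/security/DemoIdentity.jks"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample of what `keytool -list -v -keystore DemoIdentity.jks`
# prints for a certificate generated with the alias hostname.
SAMPLE_KEYTOOL_OUTPUT='Alias name: demoidentity
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=emoms1.example.com, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US'

# Real use after the import step (press Enter at the password prompt):
#   keytool -list -v -keystore DemoIdentity.jks | check_owner_cn emoms1.example.com
printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | check_owner_cn emoms1.example.com
printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | check_owner_cn oms1-physical.example.com || :
demo
```

Run the script on each OMS after the import step and again after the copy step; a non-zero exit from check_owner_cn means the keystore still carries the physical hostname and must not be deployed, and a non-zero exit from deploy_keeping_mode means the target's permissions changed and should be restored from the dated backup before starting the OMS.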