Resolving Warning Messages for Custom Certification Authority (CA) SSL Certificate

Note:

The following information applies to the users of the Oracle ILOM Remote System Console and the Oracle ILOM Remote System Console Plus.

As of Oracle ILOM firmware version 3.2.10, additional certificate checks will be conducted by Oracle ILOM when a custom SSL certificate is configured.

Note:

For further information about using a trusted SSL certificate in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.

When the Custom CA SSL Certificate is in use, Oracle ILOM remote KVMS console users might experience a warning message. For instance:

  • Oracle ILOM Remote System Console Plus Users - Warning Message — Remote host can not be identified: Could not validate the Remote Host Certificate. Either a man-in-the-middle attack could be occurring or it is possible that the remote host certificate has been changed.
  • Oracle ILOM Remote System Console Users - Warning Message — Certification validation failed. Could not validate the Remote Host Certificate. Either a man-in-the-middle attack could be occurring or it is possible that the remote host certificate has been changed.

A warning message occurs when the Java client is not properly configured to validate a custom CA SSL certificate that is currently being used by Oracle ILOM. The Java client uses a keystore to validate CA certificates. In cases where the required root CA certificate or intermediate root CA certificate is not in the Java keystore, the validation will fail.

Required User Action: Follow these steps to ensure the custom CA SSL Certificate can be validated.

  1. Verify that the required root CA certificate or intermediate root CA certificate is configured in the client-side Java keystore. To view the Java keystore, use the keytool command with the -list option, for example:
    • On a Windows system, at the prompt, type:

      keytool -list -keystore "c:\Program Files (x86)\Java\jre<version>\lib\security\cacerts"

    • On a Linux system, at the prompt, type:

      keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

  2. Locate the alias and/or fingerprint of the root CA certificate or intermediate root CA certificate that is required by the custom CA certificate currently configured in Oracle ILOM.

    If the required root CA certificate or intermediate root CA certificate is missing from the Java keystore, consult your security officer or system administrator before continuing with this procedure to add the missing CA certificate to the Java keystore.

  3. Use the -importcert keytool command to add the missing root CA certificate or intermediate root CA certificate to the Java keystore. For example:
    • On a Windows system, at the prompt, type:

      Note:

      The -importcert command needs to be run as an administrator. To start a command prompt as an administrator on a Windows system: Click Start, click All Programs, and then click Accessories. Right-click Command Prompt, and then click Run as administrator.

      keytool -importcert -alias certalias -file root-ca-cert -keystore "c:\Program Files (x86)\Java\jre<version>\lib\security\cacerts"

    • On a Linux system, at the prompt, type:

      keytool -importcert -alias certalias -file root-ca-cert -keystore $JAVA_HOME/jre/lib/security/cacerts

  4. Verify that the required root CA certificate or intermediate root CA certificate is now available in the Java keystore using the keytool command with the -list and -alias options, for example:
    • On a Windows system, at the prompt, type:

      keytool -list -alias certalias -keystore "c:\Program Files (x86)\Java\jre<version>\lib\security\cacerts"

    • On a Linux system, at the prompt, type:

      keytool -list -alias certalias -keystore $JAVA_HOME/jre/lib/security/cacerts
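As an added example (not part of the Oracle documentation), a small Python helper for steps 2 and 3 above: it parses the output of keytool -list, normalizes fingerprints so a value copied from the ILOM certificate's issuing CA compares cleanly against the keystore listing, and builds the -importcert command as an argument list so the Windows path containing spaces needs no manual quoting. The sample listing, aliases and fingerprints are constructed, not real data.

```python
"""Check a Java cacerts listing for the root or intermediate CA that the
Oracle ILOM custom SSL certificate chains to, and build the import command."""
import re

# Constructed sample fingerprints (not real CA values).
FP_ROOT = ":".join(["AB:CD:EF:01:23:45:67:89"] * 4)
FP_OTHER = ":".join(["00:11:22:33:44:55:66:77"] * 4)

# Constructed sample of `keytool -list -keystore cacerts` output: keytool
# prints one alias line per entry followed by its certificate fingerprint.
SAMPLE_KEYTOOL_LIST = f"""\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

corp-root-ca, Mar 3, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_ROOT}
otherca, Jan 1, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): {FP_OTHER}
"""

ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+),.*?trustedCertEntry,\s*\n"
    r"Certificate fingerprint \((?P<algo>[A-Z0-9-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)


def normalize_fingerprint(fp):
    """Drop colons/spaces and upper-case, so ILOM and keytool renderings compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def parse_keytool_list(text):
    """Map each trustedCertEntry alias in a keytool -list dump to its normalized fingerprint."""
    return {m["alias"].strip(): normalize_fingerprint(m["fp"]) for m in ENTRY_RE.finditer(text)}


def find_alias_for_fingerprint(text, required_fp):
    """Step 2: return the alias holding the required CA fingerprint, or None if it is missing."""
    want = normalize_fingerprint(required_fp)
    return next((a for a, fp in parse_keytool_list(text).items() if fp == want), None)


def importcert_command(alias, cert_file, keystore):
    """Step 3: the -importcert invocation as an argv list (safe for paths with spaces)."""
    return ["keytool", "-importcert", "-alias", alias, "-file", cert_file, "-keystore", keystore]


if __name__ == "__main__":
    win_ks = r"c:\Program Files (x86)\Java\jre<version>\lib\security\cacerts"
    print("root CA alias:", find_alias_for_fingerprint(SAMPLE_KEYTOOL_LIST, FP_ROOT.lower()))
    print("import cmd:", importcert_command("certalias", "root-ca-cert", win_ks))
```

Pass the argv list to subprocess.run on the client; with the missing-fingerprint case returning None, the same check can be scripted across many Java clients before users see the KVMS warning.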