Chapter 2 Configuring Oracle VM Manager After Installation
After you successfully install Oracle VM Manager, you can perform several configuration tasks to customize your environment. These configuration tasks include setting the session timeout period for the Oracle VM Manager Web Interface, and configuring SSL.
2.1 Configuring Oracle VM Manager Web Interface Session Timeout
You can change the amount of time that an Oracle VM Manager session can remain inactive before a timeout occurs through the Oracle WebLogic Server Administration Console.
To configure Oracle VM Manager Web Interface session timeout, do the following:
- Open the Oracle WebLogic Server Administration Console at:
      https://hostname:7002/console
  Where hostname is the Oracle VM Manager hostname or IP address.
- Log in as the weblogic user.
- Locate the Domain Structure pane on the left and then click Deployments.
- Click Next in the list of deployed applications until you locate the ovm_console application.
- Click "+" to expand the ovm_console application and then click ovm/console.
  The settings for ovm_console are displayed.
- Click the Configuration tab and then click Lock and Edit in the Change Center pane to modify the settings.
- From the Configuration tab, locate the General subtab and then edit the value of the Session Timeout field. The default setting is half an hour (1800 seconds).
  When you are finished with your changes, click Save.
  Note: If you receive a permissions-related error, you might need to change the permissions or ownership on the file located at /u01/app/oracle/ovm-manager-3/weblogic/deploy/ovm_console/plan/plan.xml. Use the following command:
      chown oracle:dba /u01/app/oracle/ovm-manager-3/weblogic/deploy/ovm_console/plan/plan.xml
  After you change permissions on the file, you must edit and save the value of the Session Timeout field again.
- Click Deployments in the Domain Structure pane on the left to return to the list of deployed applications.
- Locate and select the ovm_console check box and then click Update to redeploy the application.
- Change the source and deployment plan paths as appropriate and then click Finish.
- To activate the changes, click Activate Changes in the Change Center.
Some pages served within Oracle VM Manager cause the client browser to auto-refresh regularly to poll for changes. This is particularly apparent on the Health page. Because the client is constantly refreshing, the UI timeout may not behave as expected. Therefore, an ADF configuration parameter has been set to time out automatic polling after a default period of 20 minutes in which there has been no mouse or keyboard interaction within Oracle VM Manager. This means that for these pages, the UI timeout value only becomes effective after the polling timeout has taken effect.
The polling timeout is not directly configurable. If you require it to be modified, contact Oracle Support.
2.2 Setting Up SSL
By default, Oracle VM Manager provides its own SSL certificates stored in a custom keystore. The certificates that are provided are signed using an internal Certificate Authority (CA). Oracle VM uses SSL certificates:
- For the authentication of Oracle VM Manager to each Oracle VM Server that it has discovered and for the encryption of communications between Oracle VM Manager and the Oracle VM Agent running on each Oracle VM Server.
- For the authentication and encryption of some tools that make use of the Oracle VM Manager web-services API.
- For the encryption of communications between a web-browser and the Oracle VM Manager web-based user interface.
Certificates are generated automatically during the installation of Oracle VM Manager. To avoid SSL validation issues in client web-browsers, you can obtain the internal CA certificate used by Oracle VM Manager and install it into each web-browser that is used to access the Oracle VM Manager web user interface. See Section 2.2.4, “Exporting the CA Certificate”.
Alternatively, if you already have an SSL certificate that is signed by an external CA, you can change the SSL certificate that is used for the encryption of communications between the web-browser and the Oracle VM Manager web-based user interface. See Section 2.2.6, “Changing the Default SSL Certificate”.
Finally, if you need to generate a new SSL key that is signed by the internal CA, you can follow the instructions provided in Section 2.2.5, “Generating a New SSL Key”.
Changing the Oracle VM Manager CA certificate impacts authentication between Oracle VM Manager and various internal components. Changing the CA certificate also impacts authentication between Oracle VM Manager and each Oracle VM Server instance and other external applications such as web browsers.
If you plan to change the CA certificate, you should do so before you begin any other Oracle VM Manager configuration to avoid authentication and communication issues between components.
Oracle VM Manager uses the following 2048-bit keystores instead of the default Oracle WebLogic Server keystore:
- /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
- /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmclient.jks
- /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
- /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
The passwords for these keystores are randomized at installation. If you need to update a keystore, such as the CA keystore, to add mutually trusted CAs to the keystore, you may need to change the keystore password using the Oracle VM Key Tool. For instructions on changing the keystore password, see Section 2.2.7, “Changing the Keystore Password”.
2.2.1 Oracle VM Key Tool
Oracle VM Manager includes a key management utility to help manage SSL certificates. You use the Oracle VM Key Tool in conjunction with the Java keytool in the Java Development Kit (JDK) that is installed on the Oracle VM Manager host. These utilities are located on the Oracle VM Manager host as follows:
- Oracle VM Key Tool: /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh
- Java keytool: /u01/app/oracle/java/bin/keytool
Using key management utilities incorrectly can cause authentication issues between Oracle VM Manager, internal components, and external systems and applications. In some cases, authentication issues can result in complete loss of service. You should carefully plan any changes before using a key management utility and consider the impact those changes have on your environment.
Syntax
    ovmkeytool.sh [--help] [--overwrite] [--quiet] [--verbose]
                  [--propertyFile filename] [-D property=value] [--noWebLogic]
                  {show | check | setup | setupWebLogic | gencakey | setcakey |
                   gensslkey | setsslkey | changepass | exportca}
Options
The following table shows the available options for this tool.
| Option | Description |
|---|---|
| --help | Display the ovmkeytool.sh command parameters and options. |
| --overwrite | Allow existing keystores to be overwritten if user interaction is disabled. |
| --quiet | Run with no user interaction using property values exclusively. |
| --verbose | Output extra information while running. |
| --propertyFile filename | The specified file can be used to provide properties to the tool. |
| -D property=value | Sets a property to a given value. |
| --noWebLogic | Do not attempt to configure Oracle WebLogic Server or verify Oracle WebLogic Server settings. |
Commands
The following table shows the available commands for this tool. Only one command can be run at a time.
| Command | Description |
|---|---|
| show | Displays SSL configuration details such as the CA and SSL keystore files, certificate key aliases, and certificate details. |
| check | Validates the current SSL configuration and provides information if any errors exist. |
| setup | Sets up all of the keystore files and configures Oracle WebLogic Server. |
| setupWebLogic | Configures existing keystore settings in Oracle WebLogic Server. |
| gencakey | Generates a new certificate authority (CA) key and puts the key into the trust store. You should not run this command if you have already configured Oracle VM Manager. |
| setcakey | Sets the CA key to use an existing key from an existing keystore file. You should not run this command if you have already configured Oracle VM Manager. |
| gensslkey | Generates a new SSL key. |
| setsslkey | Sets the SSL key to use an existing key from an existing keystore file. |
| changepass | Allows the passwords for existing keystore files and keys to be configured or changed. |
| exportca | Exports the CA certificate in PEM format. |
Command Prompts
Depending on the command you run, the Oracle VM Key Tool prompts you for the following information:
- Oracle WebLogic Server Middleware directory
  You can set the MW_HOME environment variable to point to the location of the Oracle WebLogic Server Middleware directory. Otherwise you must specify the default directory each time you run the Oracle VM Key Tool. The default directory is /u01/app/oracle/Middleware.
  Run the following command to set the MW_HOME environment variable:
      # export MW_HOME=/u01/app/oracle/Middleware
- Oracle WebLogic Server domain directory
  The default directory is /u01/app/oracle/ovm-manager-3/domains/ovm_domain.
- Oracle WebLogic Server name
  The default server name is AdminServer.
- Oracle WebLogic Server credentials
  Use the default weblogic username and the one-time password that you set during Oracle VM Manager installation.
2.2.2 Showing the Certificate Configuration
Use the show command to view details about the current Certificate Authority (CA) and SSL configuration.
The following is an example of the show command:
    # ./ovmkeytool.sh show
    time_stamp oracle.security.jps.JpsStartup start
    INFO: Jps initializing.
    time_stamp oracle.security.jps.JpsStartup start
    INFO: Jps started.
    CA Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
    CA Key Alias: ca
    Certificate details:
      Algorithm: SHA256withRSA
      Subject: CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US
      Issuer: CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US
      Serial number: 836053555564701558087207803980684693673312169403
      Valid from day mm dd hh:mm:ss CET yyyy to day mm dd hh:mm:ss CET yyyy
      SHA256 Fingerprint: b4:6b:00:cd:d3:e1:69:d6:f2:10:80:cf:a8:ef:89:c9:b3
    This is a valid Certificate to be used as a CA.
    Full Certificate:
    -----BEGIN CERTIFICATE-----
    MIID/DCCAuSgAwIBAgIVAJJx8CLgw6WudhsYXsY70zxLaq27MA0GCSqGSIb3DQEB
    CwUAMIGkMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UE
    BxMMUmVkd29vZCBDaXR5MRswGQYDVQQKExJPcmFjbGUgQ29ycG9yYXRpb24xGjAY
    BgNVBAsTEU9yYWNsZSBWTSBNYW5hZ2VyMTAwLgYDVQQDEydPVk0gQ0EgMDAwNGZi
    MDAwMDAxMDAwMDdjMDhiNjg0YmQyMDMzODgwHhcNMTUwMzIyMTYxMTI1WhcNMjUw
    MzIzMTYxMTI1WjCBpDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEbMBkGA1UEChMST3JhY2xlIENvcnBvcmF0
    aW9uMRowGAYDVQQLExFPcmFjbGUgVk0gTWFuYWdlcjEwMC4GA1UEAxMnT1ZNIENB
    IDAwMDRmYjAwMDAwMTAwMDA3YzA4YjY4NGJkMjAzMzg4MIIBIjANBgkqhkiG9w0B
    AQEFAAOCAQ8AMIIBCgKCAQEAprkZ3RYvS433ZOx+3RKK7iK7E52znhNpLPzM6b9s
    O0fIdCiTBB16h6SU+GQlMMpQbqDh5V9OgWGd7BqCEnKhCU0O3L+xY45sXWGQ0S9R
    DvQMH/68VgDwoSsI6BFL5gJHspWWr9wdqkpVcTpau9IN9nDGD38XnTd0KOtVvt+d
    32lK3hBzQiXf/W2vX6vNA/RFMlfFBncnYIO4POvtQDsVSDzbfPq4CPqAxn/io1Gk
    lycRrVbzemsrWuvusFCOpUkGpmaqwXneg/ozfN8ObUr+bh/PKhLniOo6gJsY2Y9l
    ZjD6XiSUEd/Xb4s89SO6yHsNr65RC+wCCHpWjArr/3oVfQIDAQABoyMwITAPBgNV
    HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIABTANBgkqhkiG9w0BAQsFAAOCAQEA
    Iv4g3Djf3KFwWLdQ/Tw1vK4kmzGIxcd9SS1YQUPYnddYeU22dwkqgIn9ap8dVK1u
    lmkYdYZ4BDte4Y+Lptxqhf149S3nX1lBKfpg4eLsfUIZ+DTnxcuTCiFp/UNKp4Xk
    yn43GMpUtyz8D//QX7T3FOtKq786Rl4i522i9xnWizyEXjTsSZ1T0b0y8lK7a+C4
    mFOC53Ah1Ihmjl+1Q/zrcf+iFFFInCFywXDrpslE1R8H3Luse4EO42+xhEbxGY6h
    xdVkG3vVCYqExBX3XWFfkVPF78+6bmzZbKZzam+NT49dVJRole4mssyOWa1AdWmB
    RXXs6j6MR1mcveQVRFhPjg==
    -----END CERTIFICATE-----
    SSL Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
    SSL Key Alias: ovmm
    Certificate details:
      Algorithm: SHA256withRSA
      Subject: CN=ovmm.virtlab.info, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US
      Issuer: CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US
      Serial number: 942935368201955864664901535859030776122723582749
      Valid from day mm dd hh:mm:ss CET yyyy to day mm dd hh:mm:ss CET yyyy
      SHA256 Fingerprint: 83:16:23:e1:2e:f5:7e:ff:3a:d5:72:1b:0b:d9:80:5b:d3:d6:b3
      Subject Alternative Names:
        Hostnames: myserver.example.com myovmm
    Full Certificate:
    -----BEGIN CERTIFICATE-----
    MIID6TCCAtGgAwIBAgIVAKUqryxHow/khR23pDPGttbIbMMdMA0GCSqGSIb3DQEB
    CwUAMIGkMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEVMBMGA1UE
    BxMMUmVkd29vZCBDaXR5MRswGQYDVQQKExJPcmFjbGUgQ29ycG9yYXRpb24xGjAY
    BgNVBAsTEU9yYWNsZSBWTSBNYW5hZ2VyMTAwLgYDVQQDEydPVk0gQ0EgMDAwNGZi
    MDAwMDAxMDAwMDdjMDhiNjg0YmQyMDMzODgwHhcNMTUwMzIyMTYxMTM5WhcNMjUw
    MzIzMTYxMTM5WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEbMBkGA1UEChMST3JhY2xlIENvcnBvcmF0
    aW9uMRowGAYDVQQLExFPcmFjbGUgVk0gTWFuYWdlcjEaMBgGA1UEAxMRb3ZtbS52
    aXJ0bGFiLmluZm8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZEiTS
    iY6sgh/23myW2l2PyO02ajGohnRxeDYFHRcfmdw/5C9XZXKY7rEpTx1WdPlRTjG0
    DFD1dFjCjhJyIJo4DemyulniDoAKJG7dUoiB1sLb0HwVLyjGr3xQ/TbDyw04nppc
    mdCGzhS/7ivzm2haMSSxiAoDFVZbeL/CmJSeN59fJmuUvZW01be/6TUNZVoMoOy0
    GZm4D6cGWVcXIOuJSjfXep1mzkLIr4zsBTJQLV5uzRDXWjUANPSoN/XeLeHhYLYY
    hBuDkDUMYGt0MsGomgQ4jbWchEid5/zQ3Th6FIKZ9PHVsVJPaeYSjObjNEUKkcIz
    360d17bUqzQPXMK3AgMBAAGjJjAkMCIGA1UdEQQbMBmCEW92bW0udmlydGxhYi5p
    bmZvggRvdm1tMA0GCSqGSIb3DQEBCwUAA4IBAQAeQfaXBGqfoQFisguthG/yPY4G
    CLhp+78qSItCdMYPRrfXpUeeIVwrE6GQvuVflXZk/PPBZQGdDR3n/+hDfD9lccv0
    MHFS8akON471tiDoku8tjm8a/EMir2/fEHU4PbgH57qUU9bj3lqzDZVI880qmPEx
    IvSHwZy0KbrtPf+KkqHn75O/JlN46J+8AgRwuB/6e5ch7wAL2hupO3WeZV7O/icB
    FJieePjxvMV5oXqxkFMHuidvVyAKN0MJK26w2lOWwTJtEmnBJ6UF1btNRQdgujUL
    anJoGhJsLHyoosIrXbj3M+SmezwV+2kAPLDd8C/aNnXzZC4m55cwEB/GphYd
    -----END CERTIFICATE-----
    SSL Trust Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
    Trusted certificates:
      CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US
    CA certificiate found in SSL Trust-Store
    Oracle MiddleWare Home (MW_HOME): [home/u01/app/oracle/Middleware]
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
    WebLogic server name: [AdminServer]
    WebLogic username: [weblogic]
    WebLogic password: [********]
    WLST session logged at: /tmp/wlst-session178461015146984067.log
    WebLogic SSL Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
    WebLogic SSL Key Alias: ovmm
    WebLogic SSL Trust Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
2.2.3 Validating the Certificate Configuration
Use the check command to verify the current CA and SSL configuration. If any issues exist with the configuration, the command displays information to help you resolve them.
The following is an example of the check command:
    # ./ovmkeytool.sh check
    time_stamp oracle.security.jps.JpsStartup start
    INFO: Jps initializing.
    time_stamp oracle.security.jps.JpsStartup start
    INFO: Jps started.
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
    Oracle WebLogic Server name: [AdminServer]
    WebLogic username: [weblogic]
    WebLogic password: [********]
    WLST session logged at: /tmp/wlst-session178461015146984067.log
    The Oracle VM Manager CA and SSL configuration appears to be valid.
2.2.4 Exporting the CA Certificate
Oracle VM Manager contains an internal CA that performs certificate-based authentication and signs the default SSL certificate. Use the exportca command to export the CA certificate in PEM format. You can then add it as a trusted CA in a browser or use as required.
The following is an example of the exportca command:
    # ./ovmkeytool.sh exportca
    time_stamp oracle.security.jps.JpsStartup start
    INFO: Jps initializing.
    time_stamp oracle.security.jps.JpsStartup start
    INFO: Jps started.
    ----BEGIN CERTIFICATE-----
    MIID+zCCAuOgAwIBAgIUamdPKrCAl4O1yD8QlywkYhmh0l8wDQYJKoZIhvcNAQEL
    BQAwgaQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRUwEwYDVQQH
    EwxSZWR3b29kIENpdHkxGzAZBgNVBAoTEk9yYWNsZSBDb3Jwb3JhdGlvbjEaMBgG
    A1UECxMRT3JhY2xlIFZNIE1hbmFnZXIxMDAuBgNVBAMTJ09WTSBDQSAwMDA0ZmIw
    MDAwMDEwMDAwN2RiZmM3M2UyYTFkNjY3ZTAeFw0xMzExMDYxNDU5MjBaFw0yMzEx
    MDcxNDU5MjBaMIGkMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEV
    MBMGA1UEBxMMUmVkd29vZCBDaXR5MRswGQYDVQQKExJPcmFjbGUgQ29ycG9yYXRp
    b24xGjAYBgNVBAsTEU9yYWNsZSBWTSBNYW5hZ2VyMTAwLgYDVQQDEydPVk0gQ0Eg
    MDAwNGZiMDAwMDAxMDAwMDdkYmZjNzNlMmExZDY2N2UwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQCKEekWsegMBt6aAPLAq+riDX8TS6ssr6NNjdDNy0mQ
    32NZRyoR8K85T0O0KoFJ9lkgJOH8Ll4Q4219S2xey0obnqMqt5byW/XhXjiDLgpF
    ESg/p2IGic8MubElhOQI3V71SeIcMHGk2b6sdS12T583uZD+FxvzCZoSTod4l4Pw
    KvmAWV0FJQHaeOlGxj2tUaAWyVGbw66IzXZM4WlmNFH/2SNdx7XK4lXtPD/QiMVB
    7bXaP/wCTc1vQlXgP550idwRQi5ol2ly7IO2fbflfX5wdnkuJWFOKzJfnkclsMHo
    DW1FX5FEj34dEd/97wXvfAfYXRtC1DIq91mrF4vxD3lzAgMBAAGjIzAhMA8GA1Ud
    EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgAFMA0GCSqGSIb3DQEBCwUAA4IBAQAe
    JK82gdNA/7tftEAgON7GlzJ0BSgu/3e1Luali+xOt2FFGAvrDtTdLxJjEEWM0OU4
    Bhoc/6kjQ71nFs9Q/xxP9qC3YQPXa447Q1i9RZql5g2S5aQBr18ZHqeXp6HannLo
    iwLBfSpbACgAhZwpzo7ZS38yENir6u1LKAnFAP/6D55Jgx7/UnbHNcFTSXc2u4cI
    N3MHJ+0p8umz4+HrqqhFChNYZF2XhmuPawgL8TmRB2FNlQUcbmH19Nwb4UeOxEuD
    isAf90p/GlTdtwzbNbm6Mv3rPEK2GtIL5YcIwLyKYKZ07P5VW6tGuzJTMipN0cLo
    ij8FtceX5tmLGxlGQoKN
    -----END CERTIFICATE-----
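Before the exported CA certificate is installed as a trusted CA in a browser, its fingerprint can be compared with a value read directly on the Oracle VM Manager host. The following Python code is an added example, not Oracle's tooling: it extracts the PEM block from exportca output (skipping the Jps log lines), computes the SHA-256 fingerprint of the decoded certificate, and compares it with a full fingerprint obtained separately. The function names and the sample output are constructed for illustration, and it assumes the reference fingerprint is the usual SHA-256 over the DER encoding.

```python
import base64
import hashlib
import hmac
import re

# One PEM certificate block. Dash runs are matched loosely because console
# output that was copied by hand sometimes loses a dash from the marker lines.
PEM_BLOCK = re.compile(
    r"-{3,5}BEGIN CERTIFICATE-{3,5}(.*?)-{3,5}END CERTIFICATE-{3,5}", re.DOTALL
)


def extract_ca_der(exportca_output: str) -> bytes:
    """Return the DER bytes of the one certificate found in exportca output."""
    blocks = PEM_BLOCK.findall(exportca_output)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())  # remove line breaks and indentation
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated lower-case SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint: str) -> str:
    """Lower-case hex digits only, so separators and case do not matter."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def ca_matches(exportca_output: str, expected_fingerprint: str) -> bool:
    """True if the exported certificate has the expected SHA-256 fingerprint."""
    expected = normalise(expected_fingerprint)
    if len(expected) != 64:
        # A shortened fingerprint must not be accepted as a reference value.
        raise ValueError("expected fingerprint must be a full 32-byte SHA-256 value")
    actual = normalise(sha256_fingerprint(extract_ca_der(exportca_output)))
    return hmac.compare_digest(actual, expected)


# Constructed sample: the payload is placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate" * 4
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_EXPORTCA_OUTPUT = "\n".join(
    [
        "time_stamp oracle.security.jps.JpsStartup start",
        "INFO: Jps initializing.",
        "time_stamp oracle.security.jps.JpsStartup start",
        "INFO: Jps started.",
        "-----BEGIN CERTIFICATE-----",
        *[SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)],
        "-----END CERTIFICATE-----",
    ]
)

if __name__ == "__main__":
    print(sha256_fingerprint(extract_ca_der(SAMPLE_EXPORTCA_OUTPUT)))
```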
2.2.5 Generating a New SSL Key
By default, Oracle VM Manager generates and signs an SSL certificate that is valid for ten years from the date of installation. If necessary, you can use the gensslkey command to generate a new SSL certificate that is signed by the Oracle VM Manager internal CA.
The following is an example of the gensslkey command:
    # ./ovmkeytool.sh gensslkey
    Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks]
    The hostname should be the fully qualified hostname of the system (this is the hostname you'd use to access this system from outside the local domain). Depending on your machine setup the value below may not be correct.
    Fully qualified hostname: [myserver.example.com]
    Validity in months: [120]
    Key distinguished name is "CN=myserver.example.com, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US". Use these values? [yes]
    Alternate hostnames (separated by commas): [myserver.example.com,myserver]
    You may either specify passwords or use random passwords.
    If you choose to use a random password, only WebLogic, the Oracle VM Manager, and this application will have access to the information stored in this keystore.
    Use random passwords? [yes]
    Generating SSL key and certificate and persisting them to the keystore...
    Updating keystore information in WebLogic
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
    Oracle WebLogic Server name: [AdminServer]
    WebLogic username: [weblogic]
    WebLogic password: [********]
    WLST session logged at: /tmp/wlst-session178461015146984067.log
Note that the command prompts you to provide the values for various steps through the procedure as the new SSL certificate is generated. Notably, you must enter a valid fully qualified domain name for the server. This value is used for the hostname in the SSL certificate and must match the hostname that is used to access the Oracle VM Manager web-based user interface.
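The hostname requirement above can be checked against what the show command reports after a key is generated or replaced. The following Python code is an added example, not part of Oracle VM Manager: it reads show output by its field labels (so it does not depend on line layout), reports whether the SSL certificate was issued by the CA in the CA keystore, and whether the hostname used to reach the web interface is in the subject alternative names or only in the subject CN. The function names and the sample output are constructed, and matching is exact and case-insensitive (wildcard entries are not handled).

```python
import re

SECTION_MARKS = ("CA Keystore File:", "SSL Keystore File:", "SSL Trust Keystore File:")


def field(section: str, start: str, end: str) -> str:
    """Text between two labels with whitespace collapsed ('' if absent)."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), section, re.DOTALL)
    return " ".join(m.group(1).split()) if m else ""


def parse_show(output: str) -> dict:
    """Subject, issuer and SAN hostnames for the CA and SSL certificates."""
    marks = [output.find(label) for label in SECTION_MARKS]
    if -1 in marks or marks != sorted(marks):
        raise ValueError("not recognisable as ovmkeytool.sh show output")
    sections = {"ca": output[marks[0]:marks[1]], "ssl": output[marks[1]:marks[2]]}
    parsed = {}
    for name, text in sections.items():
        names = field(text, "Hostnames:", "Full Certificate:")
        parsed[name] = {
            "subject": field(text, "Subject:", "Issuer:"),
            "issuer": field(text, "Issuer:", "Serial number:"),
            "hostnames": [h for h in re.split(r"[,\s]+", names) if h],
        }
    return parsed


def check_ssl_identity(show_output: str, access_hostname: str) -> dict:
    """Compare the SSL certificate identity with the hostname users connect to."""
    info = parse_show(show_output)
    host = access_hostname.lower().rstrip(".")
    cn = re.search(r"CN=([^,]+)", info["ssl"]["subject"])
    ca_subject = info["ca"]["subject"]
    return {
        # False is expected when a third-party CA signed the SSL certificate.
        "issued_by_internal_ca": bool(ca_subject) and info["ssl"]["issuer"] == ca_subject,
        # Current browsers validate against the SAN list and ignore the CN.
        "hostname_in_san": host in [h.lower() for h in info["ssl"]["hostnames"]],
        "hostname_in_cn": bool(cn) and cn.group(1).strip().lower() == host,
    }


# Constructed sample using the field labels of the show command; values are
# placeholders and the certificate bodies are left out.
CA_DN = "CN=OVM CA constructed-example, OU=Oracle VM Manager, O=Oracle Corporation, C=US"
SAMPLE_SHOW_OUTPUT = f"""\
CA Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
CA Key Alias: ca
Certificate details:
  Subject: {CA_DN}
  Issuer: {CA_DN}
  Serial number: 1
Full Certificate: (omitted in this constructed sample)
SSL Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
SSL Key Alias: ovmm
Certificate details:
  Subject: CN=myserver.example.com, OU=Oracle VM Manager, O=Oracle Corporation, C=US
  Issuer: {CA_DN}
  Serial number: 2
  Subject Alternative Names:
    Hostnames: myserver.example.com myserver
Full Certificate: (omitted in this constructed sample)
SSL Trust Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
"""

if __name__ == "__main__":
    print(check_ssl_identity(SAMPLE_SHOW_OUTPUT, "myserver.example.com"))
```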
2.2.6 Changing the Default SSL Certificate
You can change the default SSL certificate that Oracle VM Manager serves for authentication. For example, you can configure Oracle VM Manager to use an SSL certificate that has been signed by a third-party CA.
This section describes how to use the Java keytool and the Oracle VM Key Tool to change the default SSL certificate.
You should modify the example commands for the Java keytool to suit your business needs. Refer to the appropriate Java keytool documentation for more information.
Creating a Keystore on Oracle VM Manager
If you do not already have a third-party CA certificate and SSL certificate, you can create a new keystore on Oracle VM Manager. The keystore you create contains one entry for a private key. After you create the keystore, you generate a certificate signing request (CSR) for that private key and submit the CSR to a third-party CA. The third-party CA then signs the CSR and returns a signed SSL certificate and a copy of the CA certificate. You then import the CA certificate and SSL certificate into the keystore and configure Oracle VM Manager to use it as the SSL keystore.
- Create a new keystore.
      # keytool -genkeypair -alias alias -keyalg RSA -keysize key_size \
        -dname distinguished_name -keypass private_key_password \
        -storetype jks -keystore keystore.jks -storepass keystore_password
- Generate a certificate signing request (CSR).
      # keytool -certreq -alias alias -file certreq.csr -keypass private_key_password \
        -storetype jks -keystore keystore.jks -storepass keystore_password
- Submit the CSR file to the relevant third-party CA for signing.
- Import the CA certificate into the keystore.
      # keytool -importcert -trustcacerts -noprompt -alias alias -file ca_cert_file \
        -storetype jks -keystore keystore.jks -storepass keystore_password
- Import the SSL certificate into the keystore.
      # keytool -importcert -trustcacerts -noprompt -alias alias -file ssl_cert_file \
        -keypass private_key_password -storetype jks -keystore keystore.jks \
        -storepass keystore_password
- Use the setsslkey command to configure Oracle VM Manager to use the new keystore.
      # ./ovmkeytool.sh setsslkey
      Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] /path/to/keystore.jks
      Keystore password:
      Alias of key to use as SSL key: alias
      Key password:
      Updating keystore information in WebLogic
      Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
      WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
      Oracle WebLogic Server name: [AdminServer]
      WebLogic username: [weblogic]
      WebLogic password: [********]
      WLST session logged at: /tmp/wlst-session5820685079094897641.log
- As the root user, configure the client certificate login.
      # su -c "/u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh /path/to/cacert"
  Where /path/to/cacert is the absolute path to the CA certificate. You must provide the path to the CA certificate if you used a CA other than the default Oracle VM Manager CA to sign the SSL certificate.
Importing a Keystore into Oracle VM Manager
If you already have a CA certificate and SSL certificate, use the SSL certificate to create a keystore. You can then import that keystore into Oracle VM Manager and configure it as the SSL keystore.
- Import the keystore into Oracle VM Manager.
      keytool -importkeystore -noprompt -srckeystore source_keystore \
        -srcstoretype source_format -srcstorepass source_keystore_password \
        -destkeystore destination_keystore.jks -deststoretype JKS \
        -deststorepass destination_keystore_password
- Use the setsslkey command to configure Oracle VM Manager to use the new keystore.
      # ./ovmkeytool.sh setsslkey
      Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] /path/to/keystore.jks
      Keystore password:
      Alias of key to use as SSL key: alias
      Key password:
      Updating keystore information in WebLogic
      Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
      WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
      Oracle WebLogic Server name: [AdminServer]
      WebLogic username: [weblogic]
      WebLogic password: [********]
      WLST session logged at: /tmp/wlst-session5820685079094897641.log
- As the root user, configure the client certificate login.
      # su -c "/u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh /path/to/cacert"
  Where /path/to/cacert is the absolute path to the CA certificate. You must provide the path to the CA certificate if you used a CA other than the default Oracle VM Manager CA to sign the SSL certificate.
2.2.7 Changing the Keystore Password
In some scenarios, you may also want to configure Oracle WebLogic Server's SSL truststore to provide additional trusted CAs. To do this you may use the changepass command to change the truststore password, since the default password for the keystore is randomized and it would not be possible to modify the keystore without the correct password. Once you have reset the password, you can modify the keystore using the Java keytool, as required. It is imperative that the existing internal Oracle VM Manager CA certificate is not removed from the keystore.
An example of setting the keystore password and then accessing trust information using the Java keytool command is shown below:
    # ./ovmkeytool.sh changepass
    You may either specify passwords or use random passwords.
    If you choose to use a random password, only WebLogic, the Oracle VM Manager, and this application will have access to the information stored in this keystore.
    Use random passwords? [yes] no
    Change CA Keystore and Key passwords? [yes] no
    Change SSL Keystore and Key passwords? [yes] no
    Change SSL Trustore password? [yes]
    SSL Trust Keystore password:
    Verify SSL Trust Keystore password:
    Updating trust-store information in WebLogic
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]
    Oracle WebLogic Server name: [WLS1] AdminServer
    WebLogic username: [weblogic]
    WebLogic password: [********]
    WLST session logged at: /tmp/wlst-session6297528751781822860.log
    # keytool -list -keystore /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
    Enter keystore password:
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    ovmmgr_ca_key_entry, Nov 7, 2013, trustedCertEntry,
    Certificate fingerprint (MD5): 65:31:9C:17:35:59:6C:A7:A3:93:C8:93:F0:A7:81:6A