Chapter 2 Configuring Oracle VM Manager After Installation

After you successfully install Oracle VM Manager, you can perform several configuration tasks to customize your environment. These configuration tasks include setting the session timeout period for the Oracle VM Manager Web Interface, and configuring SSL.

2.1 Configuring Oracle VM Manager Web Interface Session Timeout

You can change the amount of time that an Oracle VM Manager session can remain inactive before a timeout occurs through the Oracle WebLogic Server Administration Console.

To configure Oracle VM Manager Web Interface session timeout, do the following:

  1. Open the Oracle WebLogic Server Administration Console at:

    https://hostname:7002/console

    Where hostname is the Oracle VM Manager hostname or IP address.

  2. Log in as the weblogic user.

  3. Locate the Domain Structure pane on the left and then click Deployments.

  4. Click Next in the list of deployed applications until you locate the ovm_console application.

  5. Click "+" to expand the ovm_console application and then click ovm/console.

    The settings for ovm_console are displayed.

  6. Click the Configuration tab and then click Lock and Edit in the Change Center pane to modify the settings.

  7. From the Configuration tab, locate the General subtab and then edit the value of the Session Timeout field. The default setting is half an hour (1800 seconds).

    When you are finished with your changes, click Save.

    Note

    If you receive a permissions-related error, you might need to change the permissions or ownership on the file located at /u01/app/oracle/ovm-manager-3/weblogic/deploy/ovm_console/plan/plan.xml. Use the following command:

    chown oracle:dba /u01/app/oracle/ovm-manager-3/weblogic/deploy/ovm_console/plan/plan.xml

    After you change permissions on the file, you must edit and save the value of the Session Timeout field again.

  8. Click Deployments in the Domain Structure pane on the left to return to the list of deployed applications.

  9. Locate and select the ovm_console check box and then click Update to redeploy the application.

  10. Change the source and deployment plan paths as appropriate and then click Finish.

  11. To activate the changes, click Activate Changes in the Change Center.

Important

Due to the nature of some pages served within Oracle VM Manager, the client browser auto-refreshes regularly to poll for changes. This is particularly apparent on the Health page. Because the client is constantly refreshing, the UI timeout may not behave as expected. Therefore, an ADF configuration parameter has been set to time out automatic polling after a default period of 20 minutes without mouse or keyboard interaction within Oracle VM Manager. This means that for these pages, the UI timeout value only becomes effective after the polling timeout has taken effect.

Changes to the polling timeout are not directly configurable. If you require this facility to be modified, contact Oracle Support.

2.2 Setting Up SSL

By default, Oracle VM Manager provides its own SSL certificates stored in a custom keystore. The certificates that are provided are signed using an internal Certificate Authority (CA). Oracle VM uses SSL certificates:

  • For the authentication of Oracle VM Manager to each Oracle VM Server that it has discovered and for the encryption of communications between Oracle VM Manager and the Oracle VM Agent running on each Oracle VM Server.

  • For the authentication and encryption of some tools that make use of the Oracle VM Manager web-services API.

  • For the encryption of communications between a web-browser and the Oracle VM Manager web-based user interface.

Certificates are generated automatically during the installation of Oracle VM Manager. To avoid SSL validation issues in client web-browsers, you can obtain the internal CA certificate used by Oracle VM Manager and install it into each web-browser that is used to access the Oracle VM Manager web user interface. See Section 2.2.4, “Exporting the CA Certificate”.

Alternatively, if you already have an SSL certificate that is signed by an external CA, you can change the SSL certificate that is used for the encryption of communications between the web-browser and the Oracle VM Manager web-based user interface. See Section 2.2.6, “Changing the Default SSL Certificate”.

Finally, if you need to generate a new SSL key that is signed by the internal CA, you can follow the instructions provided in Section 2.2.5, “Generating a New SSL Key”.

Important

Changing the Oracle VM Manager CA certificate impacts authentication between Oracle VM Manager and various internal components. Changing the CA certificate also impacts authentication between Oracle VM Manager and each Oracle VM Server instance and other external applications such as web browsers.

If you plan to change the CA certificate, you should do so before you begin any other Oracle VM Manager configuration to avoid authentication and communication issues between components.

Oracle VM Manager uses the following 2048-bit keystores instead of the default Oracle WebLogic Server keystore:

  • /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks

  • /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmclient.jks

  • /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks

  • /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks

The passwords for these keystores are randomized at installation. If you need to update a keystore, such as the CA keystore, to add mutually trusted CAs to the keystore, you may need to change the keystore password using the Oracle VM Key Tool. For instructions on changing the keystore password, see Section 2.2.7, “Changing the Keystore Password”.

2.2.1 Oracle VM Key Tool

Oracle VM Manager includes a key management utility to help manage SSL certificates. You use the Oracle VM Key Tool in conjunction with the Java keytool in the Java Development Kit (JDK) that is installed on the Oracle VM Manager host. These utilities are located on the Oracle VM Manager host as follows:

  • Oracle VM Key Tool: /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh

  • Java keytool: /u01/app/oracle/java/bin/keytool

Important

Using key management utilities incorrectly can cause authentication issues between Oracle VM Manager, internal components, and external systems and applications. In some cases, authentication issues can result in complete loss of service. You should carefully plan any changes before using a key management utility and consider the impact those changes have on your environment.

Syntax

ovmkeytool.sh [ --help ] [ --overwrite ] [ --quiet ] [ --verbose ] [ --propertyFile filename ] [ -D property=value ] [ --noWebLogic ] { [{ show } | { check } | { setup } | { setupWebLogic } | { gencakey } | { setcakey } | { gensslkey } | { setsslkey } | { changepass } | { exportca }] }

Options

The following table shows the available options for this tool.

Option                     Description

--help                     Display the ovmkeytool.sh command parameters and options.
--overwrite                Allow existing keystores to be overwritten if user interaction is disabled.
--quiet                    Run with no user interaction using property values exclusively.
--verbose                  Output extra information while running.
--propertyFile filename    The specified file can be used to provide properties to the tool.
-D property=value          Sets a property to a given value.
--noWebLogic               Do not attempt to configure Oracle WebLogic Server or verify Oracle WebLogic Server settings.

Commands

The following table shows the available commands for this tool. Only one command can be run at a time.

Command          Description

show             Displays SSL configuration details such as the CA and SSL keystore files, certificate key aliases, and certificate details.
check            Validates the current SSL configuration and provides information if any errors exist.
setup            Sets up all of the keystore files and configures Oracle WebLogic Server.
setupWebLogic    Configures existing keystore settings in Oracle WebLogic Server.
gencakey         Generates a new certificate authority (CA) key and puts the key into the trust store. You should not run this command if you have already configured Oracle VM Manager.
setcakey         Sets the CA key to use an existing key from an existing keystore file. You should not run this command if you have already configured Oracle VM Manager.
gensslkey        Generates a new SSL key.
setsslkey        Sets the SSL key to use an existing key from an existing keystore file.
changepass       Allows the passwords for existing keystore files and keys to be configured or changed.
exportca         Exports the CA certificate in PEM format.

Command Prompts

Depending on the command you run, the Oracle VM Key Tool prompts you for the following information:

  • Oracle WebLogic Server Middleware directory

    You can set the MW_HOME environment variable to point to the location of the Oracle WebLogic Server Middleware directory. Otherwise, you must specify the directory each time you run the Oracle VM Key Tool. The default directory is /u01/app/oracle/Middleware.

    Run the following command to set the MW_HOME environment variable:

    # export MW_HOME=/u01/app/oracle/Middleware

  • Oracle WebLogic Server domain directory

    The default directory is /u01/app/oracle/ovm-manager-3/domains/ovm_domain.

  • Oracle WebLogic Server name

    The default server name is AdminServer.

  • Oracle WebLogic Server credentials

    Use the default weblogic username and the one-time password that you set during Oracle VM Manager installation.

2.2.2 Showing the Certificate Configuration

Use the show command to view details about the current Certificate Authority (CA) and SSL configuration.

The following is an example of the show command:

# ./ovmkeytool.sh show

time_stamp oracle.security.jps.JpsStartup start
INFO: Jps initializing.
time_stamp oracle.security.jps.JpsStartup start
INFO: Jps started.
CA Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
CA Key Alias: ca
Certificate details:
  Algorithm: SHA256withRSA
  Subject: CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, 
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Issuer: CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, 
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Serial number: 836053555564701558087207803980684693673312169403
  Valid from day mm dd hh:mm:ss CET yyyy to day mm dd hh:mm:ss CET yyyy
  SHA256 Fingerprint: b4:6b:00:cd:d3:e1:69:d6:f2:10:80:cf:a8:ef:89:c9:b3
  This is a valid Certificate to be used as a CA.
Full Certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


SSL Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
SSL Key Alias: ovmm
Certificate details:
  Algorithm: SHA256withRSA
  Subject: CN=ovmm.virtlab.info, OU=Oracle VM Manager, 
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Issuer: CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, 
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Serial number: 942935368201955864664901535859030776122723582749
  Valid from day mm dd hh:mm:ss CET yyyy to day mm dd hh:mm:ss CET yyyy
  SHA256 Fingerprint: 83:16:23:e1:2e:f5:7e:ff:3a:d5:72:1b:0b:d9:80:5b:d3:d6:b3
  Subject Alternative Names:
    Hostnames:
      myserver.example.com
      myovmm
Full Certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


SSL Trust Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
Trusted certificates:
  CN=OVM CA 0004fb00000100007c08b684bd203388, OU=Oracle VM Manager, 
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
CA certificiate found in SSL Trust-Store

Oracle MiddleWare Home (MW_HOME): [home/u01/app/oracle/Middleware]
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
WebLogic server name: [AdminServer] 
WebLogic username: [weblogic] 
WebLogic password: [********] 
WLST session logged at: /tmp/wlst-session178461015146984067.log

WebLogic SSL Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
WebLogic SSL Key Alias: ovmm
WebLogic SSL Trust Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks

2.2.3 Validating the Certificate Configuration

Use the check command to verify the current CA and SSL configuration. If any issues exist with the configuration, the command displays information to help you resolve them.

The following is an example of the check command:

# ./ovmkeytool.sh check
time_stamp oracle.security.jps.JpsStartup start
INFO: Jps initializing.
time_stamp oracle.security.jps.JpsStartup start
INFO: Jps started.
 Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
 WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
 Oracle WebLogic Server name: [AdminServer]
 WebLogic username: [weblogic] 
 WebLogic password: [********] 
 WLST session logged at: /tmp/wlst-session178461015146984067.log
           
 The Oracle VM Manager CA and SSL configuration appears to be valid.

2.2.4 Exporting the CA Certificate

Oracle VM Manager contains an internal CA that performs certificate-based authentication and signs the default SSL certificate. Use the exportca command to export the CA certificate in PEM format. You can then add it as a trusted CA in a browser or use it as required.

The following is an example of the exportca command:

# ./ovmkeytool.sh exportca

time_stamp oracle.security.jps.JpsStartup start
INFO: Jps initializing.
time_stamp oracle.security.jps.JpsStartup start
INFO: Jps started.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

2.2.5 Generating a New SSL Key

By default, Oracle VM Manager generates and signs an SSL certificate that is valid for ten years from the date of installation. If necessary, you can use the gensslkey command to generate a new SSL certificate that is signed by the Oracle VM Manager internal CA.

The following is an example of the gensslkey command:

# ./ovmkeytool.sh gensslkey
Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] 
The hostname should be the fully qualified hostname of the system
(this is the hostname you'd use to access this system from outside the
local domain).  Depending on your machine setup the value below may not be
correct.
Fully qualified hostname: [myserver.example.com]
Validity in months: [120] 
Key distinguished name is "CN=myserver.example.com, OU=Oracle VM Manager, 
  O=Oracle Corporation, L=Redwood City, ST=California, C=US".  Use these values? [yes] 
Alternate hostnames (separated by commas): [myserver.example.com,myserver]    
You may either specify passwords or use random passwords.
If you choose to use a random password, only WebLogic, the Oracle VM Manager,
and this application will have access to the information stored in this
keystore.
Use random passwords? [yes] 
Generating SSL key and certificate and persisting them to the keystore...
Updating keystore information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
Oracle WebLogic Server name: [AdminServer] 
WebLogic username: [weblogic] 
WebLogic password: [********] 
WLST session logged at: /tmp/wlst-session178461015146984067.log

The command prompts you for values at each step as the new SSL certificate is generated. Notably, you must enter a valid fully qualified domain name for the server. This value is used for the hostname in the SSL certificate and must match the hostname that is used to access the Oracle VM Manager web-based user interface.
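As an added example (not part of the Oracle documentation or tooling), the following shell functions read the text that ovmkeytool.sh show prints, in the layout shown in Section 2.2.2, and report whether the hostname used to reach the web interface is among the SSL certificate's names, whether the certificate was issued by the internal CA, and whether the tool reported the CA in the trust store. The function names and the embedded sample output are constructed for illustration, and the parsing assumes the show layout matches the sample on this page.

```shell
#!/bin/sh
# Added example (not Oracle code): sanity-check text printed by `ovmkeytool.sh show`.
# Assumes the layout of the sample show output on this page; names are compared
# exactly (no wildcard handling).

# Constructed sample output; every value below is made up.
sample_show_output() {
cat <<'EOF'
CA Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks
CA Key Alias: ca
Certificate details:
  Subject: CN=OVM CA example0001, OU=Oracle VM Manager,
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Issuer: CN=OVM CA example0001, OU=Oracle VM Manager,
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
SSL Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks
SSL Key Alias: ovmm
Certificate details:
  Subject: CN=ovmm.example.com, OU=Oracle VM Manager,
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Issuer: CN=OVM CA example0001, OU=Oracle VM Manager,
    O=Oracle Corporation, L=Redwood City, ST=California, C=US
  Subject Alternative Names:
    Hostnames:
      ovmm.example.com
      ovmm
Full Certificate:
SSL Trust Keystore File: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
Trusted certificates:
  CN=OVM CA example0001, OU=Oracle VM Manager,
CA certificiate found in SSL Trust-Store
EOF
}

# cert_cn SECTION FIELD: print the CN of FIELD (Subject or Issuer) from the block
# that starts with "<SECTION> Keystore File:" (SECTION is CA or SSL).
cert_cn() {
  awk -v start="$1 Keystore File:" -v field="$2:" '
    /Keystore File:/ { in_block = (index($0, start) == 1) }
    in_block && $1 == field {
      sub(/^[ \t]*[A-Za-z]+: CN=/, ""); sub(/,.*$/, ""); print; exit
    }'
}

# Print the hostnames listed under "Hostnames:" in the SSL keystore block.
ssl_sans() {
  awk '
    /Keystore File:/ { in_ssl = (index($0, "SSL Keystore File:") == 1); in_san = 0 }
    in_ssl && $1 == "Hostnames:" { in_san = 1; next }
    in_san && NF == 1 && $1 !~ /:/ { print $1; next }
    { in_san = 0 }'
}

# audit_show HOSTNAME: read show output on stdin, print findings, return 1 if any.
audit_show() {
  want=$1; shown=$(cat); rc=0
  ca=$(printf '%s\n' "$shown" | cert_cn CA Subject)
  issuer=$(printf '%s\n' "$shown" | cert_cn SSL Issuer)
  names=$(printf '%s\n' "$shown" | ssl_sans)
  # With no alternative names listed, fall back to the subject CN.
  [ -n "$names" ] || names=$(printf '%s\n' "$shown" | cert_cn SSL Subject)
  if ! printf '%s\n' "$names" | grep -qixF -- "$want"; then
    echo "hostname: '$want' is not among the SSL certificate names"; rc=1
  fi
  if [ -z "$ca" ] || [ "$issuer" != "$ca" ]; then
    echo "issuer: SSL certificate issued by '$issuer', internal CA is '$ca'"; rc=1
  fi
  # Assumption: the tool prints this line as in the sample output on this page.
  if ! printf '%s\n' "$shown" | grep -q 'found in SSL Trust-Store'; then
    echo "trust: internal CA not reported in the SSL trust store"; rc=1
  fi
  return $rc
}

sample_show_output | audit_show ovmm.example.com && echo "show output is consistent"
```

An issuer finding is expected once a certificate signed by a third-party CA has been installed as described in Section 2.2.6.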

2.2.6 Changing the Default SSL Certificate

You can change the default SSL certificate that Oracle VM Manager serves for authentication. For example, you can configure Oracle VM Manager to use an SSL certificate that has been signed by a third-party CA.

This section describes how to use the Java keytool and the Oracle VM Key Tool to change the default SSL certificate.

Note

You should modify the example commands for the Java keytool to suit your business needs. Refer to the appropriate Java keytool documentation for more information.

Creating a Keystore on Oracle VM Manager

If you do not already have a third-party CA certificate and SSL certificate, you can create a new keystore on Oracle VM Manager. The keystore you create contains one entry for a private key. After you create the keystore, you generate a certificate signing request (CSR) for that private key and submit the CSR to a third-party CA. The third-party CA then signs the CSR and returns a signed SSL certificate and a copy of the CA certificate. You then import the CA certificate and SSL certificate into the keystore and configure Oracle VM Manager to use it as the SSL keystore.

  1. Create a new keystore.

    # keytool -genkeypair -alias alias -keyalg RSA -keysize key_size \
    -dname distinguished_name -keypass private_key_password \
    -storetype jks -keystore keystore.jks -storepass keystore_password

  2. Generate a certificate signing request (CSR).

    # keytool -certreq -alias alias -file certreq.csr -keypass private_key_password \
     -storetype jks -keystore keystore.jks -storepass keystore_password

  3. Submit the CSR file to the relevant third-party CA for signing.

  4. Import the CA certificate into the keystore.

    # keytool -importcert -trustcacerts -noprompt -alias alias -file ca_cert_file \
      -storetype jks -keystore keystore.jks -storepass keystore_password

  5. Import the SSL certificate into the keystore.

    # keytool -importcert -trustcacerts -noprompt -alias alias -file ssl_cert_file \
      -keypass private_key_password -storetype jks -keystore keystore.jks \
      -storepass keystore_password

  6. Use the setsslkey command to configure Oracle VM Manager to use the new keystore.

    # ./ovmkeytool.sh setsslkey
    Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] 
      /path/to/keystore.jks
    Keystore password: 
    Alias of key to use as SSL key: alias
    Key password: 
    Updating keystore information in WebLogic
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
    Oracle WebLogic Server name: [AdminServer] 
    WebLogic username: [weblogic] 
    WebLogic password: [********] 
    WLST session logged at: /tmp/wlst-session5820685079094897641.log

  7. As the root user, configure the client certificate login.

    # su -c "/u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh /path/to/cacert"

    Where /path/to/cacert is the absolute path to the CA certificate. You must provide the path to the CA certificate if you used a CA other than the default Oracle VM Manager CA to sign the SSL certificate.

Importing a Keystore into Oracle VM Manager

If you already have a CA certificate and SSL certificate, use the SSL certificate to create a keystore. You can then import that keystore into Oracle VM Manager and configure it as the SSL keystore.

  1. Import the keystore into Oracle VM Manager.

    # keytool -importkeystore -noprompt -srckeystore source_keystore \
      -srcstoretype source_format -srcstorepass source_keystore_password \
      -destkeystore destination_keystore.jks -deststoretype JKS \
      -deststorepass destination_keystore_password

  2. Use the setsslkey command to configure Oracle VM Manager to use the new keystore.

    # ./ovmkeytool.sh setsslkey
    Path for SSL keystore: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks] 
      /path/to/keystore.jks
    Keystore password: 
    Alias of key to use as SSL key: alias
    Key password: 
    Updating keystore information in WebLogic
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
    Oracle WebLogic Server name: [AdminServer] 
    WebLogic username: [weblogic] 
    WebLogic password: [********] 
    WLST session logged at: /tmp/wlst-session5820685079094897641.log

  3. As the root user, configure the client certificate login.

    # su -c "/u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh /path/to/cacert"

    Where /path/to/cacert is the absolute path to the CA certificate. You must provide the path to the CA certificate if you used a CA other than the default Oracle VM Manager CA to sign the SSL certificate.

2.2.7 Changing the Keystore Password

In some scenarios, you may also want to add trusted CAs to the Oracle WebLogic Server SSL truststore. Because the default truststore password is randomized, you cannot modify the truststore without first setting a known password. To do this, use the changepass command to change the truststore password. Once you have reset the password, you can modify the truststore using the Java keytool, as required. It is imperative that the existing internal Oracle VM Manager CA certificate is not removed from the keystore.

An example of setting the keystore password and then accessing trust information using the Java keytool command is shown below:

# ./ovmkeytool.sh changepass
You may either specify passwords or use random passwords.
If you choose to use a random password, only WebLogic, the Oracle VM Manager,
and this application will have access to the information stored in this
keystore.
Use random passwords? [yes] no
Change CA Keystore and Key passwords? [yes] no

Change SSL Keystore and Key passwords? [yes] no

Change SSL Trustore password? [yes]  
SSL Trust Keystore password: 
Verify SSL Trust Keystore password: 
Updating trust-store information in WebLogic
Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
Oracle WebLogic Server name: [WLS1] AdminServer
WebLogic username: [weblogic] 
WebLogic password: [********] 
WLST session logged at: /tmp/wlst-session6297528751781822860.log
# keytool -list -keystore /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ovmmgr_ca_key_entry, Nov 7, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 65:31:9C:17:35:59:6C:A7:A3:93:C8:93:F0:A7:81:6A
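
An added example, not from the Oracle documentation: these shell functions compare two saved keytool -list listings of the truststore, taken before and after a change, and print every trusted certificate whose fingerprint is no longer present, which is how a removed internal CA certificate would show up. The function names and the sample listings, including the fingerprints and the partner_ca alias, are constructed; only the alias ovmmgr_ca_key_entry comes from the listing above.

```shell
#!/bin/sh
# Added example (not Oracle code): find trusted certificates that disappeared
# from a truststore by comparing two saved `keytool -list` listings.

# Constructed listings; the fingerprints are made-up values.
listing_before() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ovmmgr_ca_key_entry, Nov 7, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

# After adding a second trusted CA: the internal CA is still present.
listing_after_add() {
cat <<'EOF'
Your keystore contains 2 entries

partner_ca, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
ovmmgr_ca_key_entry, Nov 7, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

# After a mistaken edit: the internal CA entry was replaced.
listing_after_replace() {
cat <<'EOF'
Your keystore contains 1 entry

partner_ca, Jan 5, 2015, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
EOF
}

# Read a listing on stdin; print "alias<TAB>fingerprint" per trustedCertEntry.
# Works for any digest name in "Certificate fingerprint (...)".
trusted_entries() {
  awk '
    /, trustedCertEntry, *$/ { alias = $0; sub(/,.*$/, "", alias); next }
    alias != "" && /^Certificate fingerprint \(/ {
      printf "%s\t%s\n", alias, $NF; alias = ""
    }'
}

# removed_trust_entries BEFORE_TEXT AFTER_TEXT: print each entry of BEFORE whose
# fingerprint is absent from AFTER. Comparing fingerprints rather than aliases
# means a renamed but intact certificate is not reported.
removed_trust_entries() {
  tab=$(printf '\t')
  after_fps=$(printf '%s\n' "$2" | trusted_entries | cut -f2)
  printf '%s\n' "$1" | trusted_entries | while IFS=$tab read -r alias fp; do
    printf '%s\n' "$after_fps" | grep -qixF -- "$fp" ||
      printf '%s\t%s\n' "$alias" "$fp"
  done
}

lost=$(removed_trust_entries "$(listing_before)" "$(listing_after_replace)")
[ -z "$lost" ] || printf 'Removed from truststore:\n%s\n' "$lost"
```

Both listings must come from the same keytool version so that the fingerprints use the same digest.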