EM13c – MOS Connection with Proxy

For security reasons Oracle Cloud Control often has no direct connection to the internet, which means the DBA must set up a proxy configuration, e.g. to be able to download patches directly via OMS into the software library or to raise a service request.

Normally the SSL termination takes place on the proxy server. The (security) reasons are countless: to inspect the content, or generally to enhance security by enforcing the use of secure cipher suites etc. For the communication between the proxy and the server a new certificate is used; this results in an error if the server does not trust this certificate or its certificate chain.

Configuring the proxy for MOS communication is done quickly by entering the proxy data under Setup -> Proxy Settings -> My Oracle Support. A small connection test looks good too.

The next step is to enter the MOS credentials, which are located in another menu (who knows why…): Setup -> My Oracle Support -> Set Credentials.

When you get an error like „Authentication Error: Please check your credentials“ and you have verified your credentials, check the trace file:

$> tail <MW_HOME>/gc_inst*/em/EMGC_OMS*/sysman/log/emoms.trc
[EMUI_12_18_51_/console/pref/mosCredentials] ERROR mos.MOSARUOAuthLoginHelper logp.251 - 
Exception during OAuth loginsun.security.validator.ValidatorException:
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

When the check of emoms.trc shows a certificate-related issue like the message above, the root cause is probably a missing root or intermediate certificate. This can be the official one from Oracle or the certificate used by the proxy server.

The keystore (truststore) used by OEM is located under:

${ORACLE_HOME}/oracle_common/jdk/jre/lib/security/cacerts

This keystore already contains the root and intermediate certificates of the official, well-known certificate issuers like DigiCert or Verisign. The certificates of internal CAs must be added there manually.
The CAs already registered in the keystore can be displayed with the following command (yes, the default password really is changeit ;-)):

$> ${ORACLE_HOME}/oracle_common/jdk/bin/keytool -list -keystore \
 ${ORACLE_HOME}/oracle_common/jdk/jre/lib/security/cacerts \
 -storepass changeit

Check the certificate returned by the authentication provider of MOS (oauth-e.oracle.com) or by the proxy server:

$> export https_proxy=proxy.gabrielkeusen.com:8080
$> curl --insecure -vvI https://oauth-e.oracle.com 2>&1 | \
awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=Oracle Corporation; CN=*.oracle.com
*  start date: Jan  8 00:00:00 2020 GMT
*  expire date: Mar  8 12:00:00 2021 GMT
*  issuer: C=CH; O=gabrielkeusen; OU=gabrielkeusen.com; CN=gabrielkeusen proxy ca 01
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

Download the certificates from the proxy server using openssl.
Note: openssl >= 1.1 is needed for the -proxy argument.

$> openssl-1_1 s_client -connect oauth-e.oracle.com:443 \
 -proxy proxy.gabrielkeusen.com:8080 \
 -showcerts

Save each returned certificate in a dedicated file to prepare the import into the keystore, e.g. /tmp/proxy_root_cert and /tmp/proxy_intermediate_cert.

Import them into the keystore and restart the whole OEM. Note: in a multi-OMS environment you must do this on every node.

### the certs returned by the openssl-command 
$> cat <<_EOF >/tmp/proxy_root_cert
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
_EOF

$> cat <<_EOF >/tmp/proxy_intermediate_cert
-----BEGIN CERTIFICATE-----
yyyyyyy
-----END CERTIFICATE-----
_EOF

### Import certificates (note the space before -file and -keystore)
$> ${ORACLE_HOME}/oracle_common/jdk/bin/keytool -importcert -alias proxy_root_cert -file /tmp/proxy_root_cert -keystore ${ORACLE_HOME}/oracle_common/jdk/jre/lib/security/cacerts -storepass changeit
$> ${ORACLE_HOME}/oracle_common/jdk/bin/keytool -importcert -alias proxy_intermediate_cert -file /tmp/proxy_intermediate_cert -keystore ${ORACLE_HOME}/oracle_common/jdk/jre/lib/security/cacerts -storepass changeit
### Verify
$> ${ORACLE_HOME}/oracle_common/jdk/bin/keytool -list -keystore ${ORACLE_HOME}/oracle_common/jdk/jre/lib/security/cacerts -storepass changeit

### Restart OMS
$> emctl stop oms -all -force; emctl start oms
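As an added example (not part of the original post), the manual "save each certificate in a file" step above can be scripted: the POSIX shell below splits the output of the openssl s_client -showcerts call into one PEM file per certificate and prints the matching keytool import commands, skipping the leaf (server) certificate since only CA certificates belong in the truststore. The sample chain, its certificate bodies and the default ORACLE_HOME path are constructed placeholders.

```shell
#!/bin/sh
# Added example: split an "openssl s_client -showcerts" chain into PEM files
# and generate the keytool imports. All sample data below is constructed.

# Constructed s_client output; "AAAA"/"BBBB" stand in for real base64 bodies.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.oracle.com
   i:CN = gabrielkeusen proxy ca 01
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
 1 s:CN = gabrielkeusen proxy ca 01
   i:CN = gabrielkeusen proxy root
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
---'

# split_chain <outdir>: reads s_client output on stdin and writes
# <outdir>/chain_N.pem per certificate (chain_0 = leaf). Prints the count.
split_chain() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { f = dir "/chain_" (n++) ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }'
}

# import_commands <outdir> <keystore>: one keytool -importcert line per CA
# certificate; chain_0.pem (the server certificate) is deliberately skipped.
import_commands() {
  outdir="$1"
  keystore="$2"
  keytool="${ORACLE_HOME:-/opt/oracle/middleware}/oracle_common/jdk/bin/keytool"
  for pem in "$outdir"/chain_*.pem; do
    case "$pem" in */chain_0.pem) continue ;; esac
    alias=$(basename "$pem" .pem)
    printf '%s -importcert -noprompt -alias proxy_%s -file %s -keystore %s -storepass changeit\n' \
      "$keytool" "$alias" "$pem" "$keystore"
  done
}

# Usage: printf '%s\n' "$SAMPLE_CHAIN" | split_chain /tmp/proxy_chain
#        import_commands /tmp/proxy_chain "$ORACLE_HOME/oracle_common/jdk/jre/lib/security/cacerts"
```

On a live system replace the sample with the real `openssl s_client ... -showcerts` output (piped in), review the generated commands, then run them and restart the OMS as shown above.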

Retest the connection to MOS -> SUCCESS! 🙂
