OEM 13c custom certificate drama

For years I have seen so much questionable syntax, partial automation support, and non-human design in Oracle products that I can take almost anything with a perfect poker face. Still, Oracle always finds a way to add a bit of fun, for example with the long-running Oracle Wallet compatibility saga. In general, an Oracle Wallet is nothing more than a PKCS#12 keystore plus a proprietary implementation of passwordless (auto-login) access to the key and certificates, yet Oracle customers have struggled with wallet compatibility for years.

A quite recent example: Oracle Fusion Middleware 12.2.1.3 infrastructure has no issues creating a wallet from a PKCS#12 file or importing an OpenSSL PKCS#12 keystore into a new wallet, and every product on the platform can use the result. The situation is quite the opposite for the previous release: Oracle HTTP Server 12.1.3 tolerates nothing but "true born" Oracle Wallets. If you did a wallet conversion or a private key import of any kind, OHS won't accept it, although any other component can open such a wallet in auto-login mode.

In a strange synchronicity, I ran into the same issue in multiple projects at about the same time and tried several approaches, so here is the most painless one for OEM 13c or any other OHS 12.1.2.3 installation.

The bare minimum for Oracle Wallet manipulations is an Oracle JDK and the Oracle PKI utility 12.2.1.3. If you have no 12.2.1.3 products installed, download the WebLogic Server proxy plugin 12.2.1.3 binaries. The single archive contains plugins for all platforms and HTTP servers. It's bulky, but it's only half the size of the WebLogic installer and only a fraction of the Oracle Fusion Middleware Infrastructure binaries. What's even better: the WebLogic proxy plugin does not require any installation and has the Oracle PKI tool ready to use.

Let's check that you have everything:

  • Oracle JDK. I have used JDK8, but higher versions should work too.
  • Oracle PKI 12.2.1.3 is available. In the example below, java and orapki are in the PATH, but you can use the $JAVA_HOME and $ORACLE_HOME variables instead.
  • Your certificate file, key file and trust chain certificates are in the same directory.

# Prepare the trust chain (intermediate first, root last)
$ cat sub-ca.cer root-ca.cer >ca-chain.cer
# Create a new PKCS#12 file from the key, the certificate and the chain
$ openssl pkcs12 -export -in em13host.domain.com.cer -inkey em13host.domain.com.key -out ewallet.p12 -certfile ca-chain.cer
# Create a new auto-login-only wallet
$ orapki wallet create -wallet oem01/ -auto_login_only
# Import the PKCS#12 keystore into it
$ orapki wallet import_pkcs12 -wallet oem01/ -auto_login_only -pkcs12file ewallet.p12 -pkcs12pwd welcome1
# Check the new wallet status
$ orapki wallet display -wallet oem01/

Adjust the file names, and as a result you should have an oem01/ wallet folder with a single cwallet.sso file in it. Now you can run the OEM configuration commands and use this wallet for the console, servers and agent configurations with no issues.
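Here is the same procedure as a checked script. It is an added example, not part of the original post: before building the PKCS#12 it confirms that the private key belongs to the certificate and that the chain actually validates it, and after the import it confirms the wallet directory holds only cwallet.sso. It assumes openssl and orapki are on the PATH; the file names, the wallet directory and the password are placeholders taken from the post.

```shell
#!/bin/sh
# make_oem_wallet.sh (added example, not from the original post)
# Builds an auto-login-only Oracle Wallet from an OpenSSL key/certificate pair
# with the checks a practitioner wants before handing it to OEM or OHS.
# Assumes openssl and orapki on PATH; file names and password are placeholders.
set -eu

# Refuse to continue on a missing or empty input file.
require_file() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
}

# Concatenate CA certificates (intermediate first, root last) into one chain
# file and print how many certificates it holds.
build_chain() {
    out=$1; shift
    : > "$out"
    for c in "$@"; do
        require_file "$c"
        cat "$c" >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# An auto-login-only wallet is a directory holding cwallet.sso and nothing
# else; a stray ewallet.p12 means a password-protected wallet was created.
wallet_is_autologin_only() {
    [ -f "$1/cwallet.sso" ] || return 1
    [ "$(ls -A "$1" | wc -l)" -eq 1 ]
}

# Full procedure: $1 host name used in the file names, $2 wallet directory,
# $3 PKCS#12 password (placeholder, as in the post).
make_wallet() {
    host=$1; wallet=$2; pw=$3
    cert="$host.cer"; key="$host.key"
    require_file "$cert"; require_file "$key"
    [ ! -e "$wallet" ] || { echo "refusing to overwrite $wallet" >&2; return 1; }

    build_chain ca-chain.cer sub-ca.cer root-ca.cer >/dev/null

    # The key must belong to the certificate: compare the public keys they carry.
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "private key does not match $cert" >&2; return 1; }

    # The chain must validate the server certificate before it goes anywhere near OHS.
    openssl verify -CAfile ca-chain.cer "$cert"

    # Bundle key, certificate and chain. If orapki rejects the result, OpenSSL 3.x
    # is probably using its newer PKCS#12 encryption; add -legacy to this command.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile ca-chain.cer \
        -out ewallet.p12 -passout "pass:$pw"

    orapki wallet create -wallet "$wallet" -auto_login_only
    orapki wallet import_pkcs12 -wallet "$wallet" -auto_login_only \
        -pkcs12file ewallet.p12 -pkcs12pwd "$pw"
    orapki wallet display -wallet "$wallet"

    wallet_is_autologin_only "$wallet" \
        || { echo "$wallet holds more than cwallet.sso" >&2; return 1; }
    # cwallet.sso is readable without a password by design, so file permissions
    # are the only thing protecting the private key; drop the PKCS#12 copy too.
    chmod 700 "$wallet" && chmod 600 "$wallet/cwallet.sso"
    rm -f ewallet.p12
}

# Usage: ./make_oem_wallet.sh em13host.domain.com oem01 'welcome1'
if [ "$#" -eq 3 ]; then
    make_wallet "$@"
fi
```

The two checks before the export catch the usual causes of a wallet that "looks fine" but fails at runtime: a key file that was regenerated after the CSR, and a chain whose intermediate is missing or in the wrong order. The final directory check is what separates an auto-login-only wallet from a regular one, which is exactly the distinction OHS 12.1.3 is picky about.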


Image source: https://www.flickr.com/photos/sidelong/3878741556