Friday Dec 28, 2012

Workaround for bug 15878716 - Oracle VM Manager HTTPS connections fail with Microsoft Internet Explorer 7, 8, and 9

Please note that this bug is fixed in Oracle VM Manager 3.1.1.544, officially released on December 10, 2012.

If your Oracle VM architecture is based on the 3.1.1 release, ignore this workaround and proceed with patching your environment; you can download the patch here

The problem can be shown with this simple screenshot:

As you can see, connecting to the Oracle VM Console with two different browsers gives different results; the Internet Explorer problem is due to a Microsoft fix that updates the minimum certificate key length to 1024 bits (so the problem occurs only on https).

You can find all the details on this official Microsoft techsite.

Here you will find a step-by-step guide on how to replace the certificate of your Oracle VM Manager (Oracle WebLogic) with a new > 1024 bits self-signed certificate; this workaround is useful if you have an Oracle VM Manager 3.0.x installation, while for OVM 3.1.1 you can install the patch mentioned above.

1. Generating certificate
[root@ovmm ~]# su - oracle
[oracle@ovmm ~]$ cd /u01/app/oracle/ovm-manager-3/
[oracle@ovmm ovm-manager-3]$ mkdir certificates
[oracle@ovmm ovm-manager-3]$ cd certificates/
[oracle@ovmm certificates]$ export JAVA_HOME=/u01/app/oracle/java
[oracle@ovmm certificates]$ export PATH=$JAVA_HOME/bin:$PATH
[oracle@ovmm certificates]$ keytool -genkey -alias selfsignedcert -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password -keysize 2048 -validity 3650
What is your first and last name?
  [Unknown]:  ovmm
What is the name of your organizational unit?
  [Unknown]:  Consulting
What is the name of your organization?
  [Unknown]:  Oracle
What is the name of your City or Locality?
  [Unknown]:  Milan  
What is the name of your State or Province?
  [Unknown]:  Milan
What is the two-letter country code for this unit?
  [Unknown]:  IT
Is CN=ovmm, OU=Consulting, O=Oracle, L=Milan, ST=Milan, C=IT correct?
  [no]:  yes

2. Export the certificate from the identity keystore into a file
[oracle@ovmm certificates]$ ls -ltr
total 8
-rw-r--r-- 1 oracle dba 1351 Dec 27 16:01 identity.jks
[oracle@ovmm certificates]$ keytool -export -alias selfsignedcert -file root.cer -keystore identity.jks
Enter keystore password:  
Certificate stored in file <root.cer>

3. Import the certificate you exported into trustovm.jks
[oracle@ovmm certificates]$ keytool -import -alias selfsignedcert -trustcacerts -file root.cer -keystore trustovm.jks
Enter keystore password:  
Re-enter new password: 
Owner: CN=ovmm, OU=Consulting, O=Oracle, L=Milan, ST=Milan, C=IT
Issuer: CN=ovmm, OU=Consulting, O=Oracle, L=Milan, ST=Milan, C=IT
Serial number: 50dce167
Valid from: Thu Dec 27 16:01:43 PST 2012 until: Sun Dec 25 16:01:43 PST 2022
Certificate fingerprints:
MD5:  04:46:F3:10:B7:4C:BF:A1:E3:BD:46:03:16:29:12:DE
SHA1: 3A:57:7C:D5:6D:F7:F0:4A:CC:59:E0:6C:91:2B:7E:66:F7:18:BC:1A
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[oracle@ovmm certificates]$ ls -l
total 24
-rw-r--r-- 1 oracle dba 1351 Dec 27 16:01 identity.jks
-rw-r--r-- 1 oracle dba  575 Dec 27 16:03 root.cer
-rw-r--r-- 1 oracle dba  646 Dec 27 16:07 trustovm.jks

4. Take a full cold Oracle VM Manager backup.
# service ovmm stop 

# stop your Oracle and/or MySql database 

# tar cvfz <your_backup_path>/ovmm_backup_full.tgz /u01 

5. (if needed) Temporarily enable Oracle VM Manager / WebLogic Console http access ( port 7001 ) and restart Oracle VM Manager.

Open Weblogic Server console at this URL:
https://<your_weblogic_ip_address>:7002/console
Go to Environment => Servers => AdminServer
Flag "Listen Port Enabled" for http connection on port 7001, then "Save" and "Activate Changes".

After that, restart your ovm-manager service:

# service ovmm stop
# service ovmm start

6. Add the new certificate through the WebLogic console.

Connect to your Oracle VM Manager Weblogic console:

http://<your_ip_address>:7001/console 

and login with user "weblogic" and its password. 

Go to Environment => Servers => Admin Server

Click on the left-side "Lock & Edit" button, Keystores tab => Change => select "Custom Identity and Custom Trust" and then "Save".

Fill in the fields with the following information:

Custom Identity Keystore: /u01/app/oracle/ovm-manager-3/certificates
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: password
Confirm Custom Identity Keystore Passphrase: password
Custom Trust Keystore: /u01/app/oracle/ovm-manager-3/certificates/trustovm.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: password
Confirm Custom Trust Keystore Passphrase: password
Save configuration and click on activate changes ( on the left side )

On the SSL tab, fill in the fields with the following information:

Private Key Alias: selfsignedcert
Private Key Passphrase: privatepassword
Confirm Private Key Passphrase: privatepassword

Then Click "Save" and "Activate Changes"

7. Restart your Oracle VM Manager and (if needed) close http connection ( port 7001 )

Restart Oracle VM Manager and check that connection to port 7002 is available:

# service ovmm stop
# service ovmm start

Open Weblogic Server console at this URL:
https://<your_weblogic_ip_address>:7002/console
Go to Environment => Servers => AdminServer
Unflag "Listen Port Enabled" for http connection on port 7001, then "Save" and "Activate Changes" ( here we will close http connection )

Restart Oracle VM Manager and check that connection to port 7001 is not available while port 7002 (https) is correctly opened:

# service ovmm stop
# service ovmm start

[root@ovmm ~]# netstat -anp |grep 7001

[root@ovmm ~]# netstat -anp |grep 7002
tcp        0      0 128.0.0.100:7002            0.0.0.0:*                   LISTEN      6258/java           
tcp        0      0 127.0.0.1:7002              0.0.0.0:*                   LISTEN      6258/java           
tcp        0      0 192.168.56.100:7002         0.0.0.0:*                   LISTEN      6258/java           

Now you will be able (by accepting the self-signed certificate) to connect to your Oracle VM Manager on the https port, both with Internet Explorer and other browsers.
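
To confirm the key length from the command line rather than by opening a browser, the following added example (not part of the original post) reads the key size from the exported root.cer or from the certificate served on port 7002 and compares it with the 1024-bit minimum. It assumes the openssl command is installed on the host; the function names and the two sample excerpts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm that a certificate's
# public key meets the 1024-bit minimum set by the Microsoft update above.
MIN_BITS=1024

# Constructed excerpts of `openssl x509 -noout -text` output (illustration only).
SAMPLE_WEAK='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)'
SAMPLE_NEW='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

# Read `openssl x509 -text` output on stdin and print the key size in bits.
# Matches both "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key is long enough, 1 if too short, 2 if no size was found.
check_cert_text() {
    local bits
    bits=$(key_bits)
    if [ -z "$bits" ]; then
        echo "UNKNOWN: no public key size found"; return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: ${bits}-bit key is below the ${MIN_BITS}-bit minimum"; return 1
    fi
    echo "OK: ${bits}-bit key"
}

# Check the DER file written by `keytool -export` in step 2 (e.g. root.cer).
check_der_file() {
    openssl x509 -inform DER -in "$1" -noout -text | check_cert_text
}

# Check the certificate actually served after the restart, e.g. <ip>:7002.
check_server() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text | check_cert_text
}

# Usage: script.sh file root.cer   |   script.sh server <your_ip_address>:7002
case "${1:-}" in
    file)   check_der_file "$2" ;;
    server) check_server "$2" ;;
esac
```

Running the server check before and after step 7 shows whether WebLogic is really presenting the new 2048-bit certificate and not the old one.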

Please note that this bug is fixed in the latest Oracle VM Manager 3.1.1 release ( 544 ) and will also be fixed in the new 3.2.1 release of the product.

Comments and corrections are welcome. 

Simon COTER 

About

Simon Coter is a Technical Expert Core Technology consultant for Oracle. He works on projects covering more Oracle products such as Oracle Database, eBusiness Suite, Oracle VM, Oracle Linux, Oracle ExaData and much more.
