Oracle VM Manager SSL Certificates ReGeneration with ovmkeytool.sh

Oracle VM Manager SSL Certificates ReGeneration with ovmkeytool.sh

Changing Oracle VM Manager certificates involves updating the SSL certificates used by the Oracle WebLogic Server that Oracle VM Manager runs on. It might be required when the certificates are expired as well.

1) Confirm if the below folder exists locally (/u01) on the Active Management Node.

# ll /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security

# ll /u01/app/oracle/ovm-manager-3/domains/ovm_domain/config

2) Regenerate the certificates using the below command from root user

# export MW_HOME=/u01/app/oracle/Middleware

# /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setup

Please make sure that you answer the setup questions as belowIit should always be pointing to the local storage(/u01) as per below:

# /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setup

Dec 17, 2023 10:07:15 AM oracle.security.jps.JpsStartup start

INFO: Jps initializing.

Dec 17, 2023 10:07:17 AM oracle.security.jps.JpsStartup start

INFO: Jps started.

Oracle VM Manager is currently configured to use CA keystore at:

/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks

Do you wish to generate a new key and/or specify a different keystore? [yes]

Generate new CA keystore (as opposed to specifying an existing keystore)? [yes]

Path for CA keystore:

[/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks]

A file already exists at the path

/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmca.jks

Is it ok to overwrite this file with your new keystore? [no] yes

Oracle VM Manager is currently configured to use the SSL Trust-store at:

/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmtrust.jks

Do you wish to use this existing trust-store location? [yes]

Key distinguished name is "CN=OVM CA 0004fb0000010000536123bfa5c8aceb, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US". Use these values? [yes]

You may either specify passwords or use random passwords.

If you choose to use a random password, only WebLogic, the Oracle VM Manager, and this application will have access to the information stored in this keystore.

Use random passwords? [yes]

Generating CA key and certificate and persisting them to the keystore...

Oracle VM Manager is currently configured to use SSL keystore at:

/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks <== Note that this path could be pointing to /nfs but can be ignored

Do you wish to generate a new key and/or specify a different keystore? [yes]

Generate new SSL keystore (as opposed to specifying an existing keystore)? [yes]

Path for SSL keystore:

[/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks]

A file already exists at the path

/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/ovmssl.jks

Is it ok to overwrite this file with your new keystore? [no] yes

The hostname should be the fully qualified hostname of the system (this is the hostname you'd use to access this system from outside the local domain).

Depending on your machine setup the value below may not be correct.

Fully qualified hostname: [ovcamn05r1] myhostname

Key distinguished name is "CN=myhostname, OU=Oracle VM Manager, O=Oracle Corporation, L=Redwood City, ST=California, C=US". Use these values? [yes]

Alternate hostnames (separated by commas): [myhostname]

Generating SSL key and certificate and persisting them to the keystore...

Updating keystore information in WebLogic

Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware]

WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain]

WebLogic server name: [AdminServer]

WebLogic username: [weblogic]

WebLogic password: [********]

WLST session logged at: /tmp/wlst-session5459692698762652173.log

3) Once the above is done there should be a fresh set of three .jks files generated under the below path, verify the same (ovmssl.jks, ovmtrust.jks, ovmca.jks) with recent timestamp:

# cd /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/

# ll

4) Restart ovmm service

# service ovmm stop

# service ovmm start

5) Next the client side certificates should be regenerated, use the below command to do the same:

# /u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh

6) Certificate regeneration is now complete.

7) Restart ovmm service once again and verify if you are able to login to the Manager

# service ovmm stop

# service ovmm start

 

If you like please follow and comment