0 Replies Latest reply: May 10, 2012 4:05 PM by user939188

    avca secure_agent fails with 'No trusted certificate found'

    user939188
      1) AV server keystore content
      ===================
      [oracle@veelaoav001 ~]$ $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /home/oracle/SSL/avkey/avkeystore
      Enter keystore password: welcome1

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 3 entries

      Alias name: avkey
      Creation date: May 7, 2012
      Entry type: keyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=avserver, O=oracle, C=UK
      Issuer: CN=avserver, O=oracle, C=UK
      Serial number: 4fa828c2
      Valid from: Mon May 07 15:55:46 EDT 2012 until: Tue May 07 15:55:46 EDT 2013
      Certificate fingerprints:
      MD5: D7:49:34:93:35:7F:55:FC:70:08:F3:9F:03:AA:41:A9
      SHA1: 23:88:9C:F6:12:48:C1:55:79:2D:2D:71:B5:E4:66:07:A7:1E:AA:A1


      *******************************************
      *******************************************


      Alias name: cacert
      Creation date: May 7, 2012
      Entry type: trustedCertEntry

      Owner: CN=rootAV, O=oracle, C=UK
      Issuer: CN=rootAV, O=oracle, C=UK
      Serial number: 0
      Valid from: Mon May 07 15:54:58 EDT 2012 until: Thu May 05 15:54:58 EDT 2022
      Certificate fingerprints:
      MD5: 8A:30:0B:09:27:1E:F9:0C:54:29:01:5E:5C:0F:56:F2
      SHA1: 83:1C:09:24:BF:F6:FC:B4:62:AC:04:B5:9C:CC:28:E3:4C:B4:25:BF


      *******************************************
      *******************************************


      Alias name: mykey
      Creation date: May 7, 2012
      Entry type: trustedCertEntry

      Owner: CN=avserver, O=oracle, C=UK
      Issuer: CN=rootAV, O=oracle, C=UK
      Serial number: 0
      Valid from: Mon May 07 15:56:18 EDT 2012 until: Tue May 07 15:56:18 EDT 2013
      Certificate fingerprints:
      MD5: 43:B4:B3:97:E0:88:34:7C:E9:D1:68:CC:48:32:8B:CC
      SHA1: 50:7A:1C:1E:19:AB:E4:34:3A:64:82:A6:B2:B2:32:9C:F2:F9:94:45


      *******************************************
      *******************************************


      2) AV agent keystore content
      =================
      [oracle@veelaora001 ~]$ $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /home/oracle/SSL/agkey/agkeystore
      Enter keystore password: welcome1

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 3 entries

      Alias name: agkey
      Creation date: May 7, 2012
      Entry type: keyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=avagent, O=oracle, C=UK
      Issuer: CN=avagent, O=oracle, C=UK
      Serial number: 4fa82925
      Valid from: Mon May 07 15:57:25 EDT 2012 until: Tue May 07 15:57:25 EDT 2013
      Certificate fingerprints:
      MD5: C4:9C:FE:D1:D0:04:19:65:F9:C0:CE:A9:6A:5E:7F:B6
      SHA1: 9A:D4:9B:15:D0:B1:10:45:FD:D1:F1:F2:75:46:A9:78:E3:2A:5C:DE


      *******************************************
      *******************************************


      Alias name: cacert
      Creation date: May 7, 2012
      Entry type: trustedCertEntry

      Owner: CN=rootAV, O=oracle, C=UK
      Issuer: CN=rootAV, O=oracle, C=UK
      Serial number: 0
      Valid from: Mon May 07 15:54:58 EDT 2012 until: Thu May 05 15:54:58 EDT 2022
      Certificate fingerprints:
      MD5: 8A:30:0B:09:27:1E:F9:0C:54:29:01:5E:5C:0F:56:F2
      SHA1: 83:1C:09:24:BF:F6:FC:B4:62:AC:04:B5:9C:CC:28:E3:4C:B4:25:BF


      *******************************************
      *******************************************


      Alias name: mykey
      Creation date: May 7, 2012
      Entry type: trustedCertEntry

      Owner: CN=avagent, O=oracle, C=UK
      Issuer: CN=rootAV, O=oracle, C=UK
      Serial number: 0
      Valid from: Mon May 07 15:59:46 EDT 2012 until: Tue May 07 15:59:46 EDT 2013
      Certificate fingerprints:
      MD5: 10:D2:D2:44:A9:AB:89:22:C6:FC:E8:61:A1:5D:B3:A0
      SHA1: 62:BF:B9:52:29:F7:89:AF:F1:70:D8:75:AB:15:D4:55:BC:AB:9F:48


      *******************************************
      *******************************************

      3) Credentials added for XDB:
      $ avca generate_csr -certdn "cn=seclin2,O=Oracle,C=UK" -out /home/oracle/SSL/XDB/certXDB.csr
      Generating Certificate request...
      Certificate request generated successfully.
      $ orapki cert create -wallet /home/oracle/SSL/rootCA -request /home/oracle/SSL/XDB/certXDB.csr -cert /home/oracle/SSL/XDB/certXDB.pem -validity 365 -pwd "welcome1"
      $ avca import_cert -cert /home/oracle/SSL/rootCA/trustedROOTcertificate.txt -trusted
      Importing Certificate...
      Certificate imported successfully.
      $ avca import_cert -cert /home/oracle/SSL/XDB/certXDB.pem
      Importing Certificate...
      Certificate imported successfully.

      4) avca secure_av -avkeystore $ORACLE_HOME/network/admin/avkey/avkeystore -avtruststore $ORACLE_HOME/network/admin/avkey/avkeystore
      Checking for SSL Certificate...
      done.
      Enter Audit Vault Server keystore password:
      Stopping OC4J...
      OC4J stopped successfully.
      Securing XDB services...
      Identified XDB http(s) Port...
      Stopping Listeners...
      done.
      Starting Listeners...
      done.
      done.
      Starting OC4J...
      OC4J started successfully.

      5) avca secure_agent -agentkeystore $ORACLE_HOME/network/admin/agkey/agkeystore -avdn "CN=avserver, O=oracle, C=UK" -agentdn "CN=avagent, O=oracle, C=UK"
      Enter Audit Vault Agent keystore password:
      Stopping agent...
      Agent stopped successfully.
      Starting agent...
      Agent started successfully.

      avca.log on agent shows:
      Executing command secure_agent, -agentkeystore, /u01/app/oracle/oracle/product/10.2.3/av_agent/network/admin/agkey/agkeystore, -avdn, CN=avserver, O=oracle, C=UK, -agentdn, CN=avagent, O=oracle, C=UK
      SECURE_AGENT - get agent info
      xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/rmi.xml
      xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/rmi.xml
      Stopping agent...
      Agent stopped successfully.
      SERCURE_AGENT - update /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
      xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
      xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
      SECURE_AGENT - modify /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
      xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
      xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
      SECURE_AGENT - use /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/applications/AVAgent/AVAgent/WEB-INF/web.xml.secure
      Starting agent...
      xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
      xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
      xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
      xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
      xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/http-web-site.xml
      xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/http-web-site.xml
      Error while checking agent status - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
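Added example (not part of the post, and not Oracle's tooling): the Python script below parses `keytool -list -v` output like the two listings above and flags the pattern both of them show. The keyEntry (`avkey` on the server, `agkey` on the agent) has chain length 1 and its single certificate is self-signed (Owner equals Issuer), while the rootAV-signed certificate for the same subject was imported as a separate trustedCertEntry under the default alias `mykey`. A key entry in that state still presents the self-signed certificate in the TLS handshake, and a peer whose truststore holds only rootAV has nothing that anchors it, which is the condition `sun.security.validator` reports as "No trusted certificate found". The sample listings embedded in the script are constructed, condensed from the agent listing above; the function and field names are my own.

```python
"""Diagnose a `keytool -list -v` listing for a private-key entry whose chain
never reaches the CA. Parses the verbose listing into entries (alias, entry
type, the Owner/Issuer pair of each certificate) and reports keyEntries whose
only certificate is self-signed, noting when a CA-issued certificate for the
same subject was imported separately as a trustedCertEntry."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    alias: str
    kind: str = ""                               # "keyEntry" or "trustedCertEntry"
    certs: list = field(default_factory=list)    # [owner_dn, issuer_dn] per cert


def norm_dn(dn):
    """Canonicalise a DN so 'CN=a, O=b' and 'cn=a,o=b' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_keytool_listing(text):
    """Turn `keytool -list -v` output into Entry objects, in listing order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = Entry(alias=line.split(":", 1)[1].strip())
            entries.append(current)
        elif current is None:
            continue                             # header lines before the first alias
        elif line.startswith("Entry type:"):
            current.kind = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            current.certs.append([line.split(":", 1)[1].strip(), None])
        elif line.startswith("Issuer:") and current.certs:
            current.certs[-1][1] = line.split(":", 1)[1].strip()
    return entries


def diagnose(entries):
    """Return one finding per keyEntry that presents only a self-signed cert.

    Each finding carries the key alias, its subject and, when the listing also
    holds a CA-signed trustedCertEntry for that subject, the alias that
    certificate was imported under (the sign that the CA reply went to the
    wrong alias instead of onto the key)."""
    ca_signed_trusted = {}                       # normalised subject -> alias
    for e in entries:
        if e.kind == "trustedCertEntry":
            for owner, issuer in e.certs:
                if norm_dn(owner) != norm_dn(issuer):
                    ca_signed_trusted[norm_dn(owner)] = e.alias
    findings = []
    for e in entries:
        if e.kind != "keyEntry" or not e.certs:
            continue
        owner, issuer = e.certs[0]
        if len(e.certs) == 1 and norm_dn(owner) == norm_dn(issuer):
            findings.append({
                "alias": e.alias,
                "subject": owner,
                "stray_alias": ca_signed_trusted.get(norm_dn(owner)),
            })
    return findings


# Constructed sample: the agent keystore from the post, condensed to the fields
# the parser reads. agkey holds only its self-signed cert; the rootAV-signed
# cert for CN=avagent sits under the default alias "mykey" as a trustedCertEntry.
BROKEN_LISTING = """\
Keystore type: jks
Your keystore contains 3 entries

Alias name: agkey
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=avagent, O=oracle, C=UK
Issuer: CN=avagent, O=oracle, C=UK

Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=rootAV, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK

Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=avagent, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
"""

# Constructed sample of the healthy state: the CA reply was imported under the
# key's own alias, so the keyEntry chain is avagent -> rootAV (length 2).
FIXED_LISTING = """\
Alias name: agkey
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=avagent, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
Certificate[2]:
Owner: CN=rootAV, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK

Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=rootAV, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
"""

if __name__ == "__main__":
    for name, listing in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING)):
        found = diagnose(parse_keytool_listing(listing))
        print(f"{name}: {found if found else 'key entries chain to a CA'}")
```

Run it against both keystores (pipe `keytool -list -v` output into `parse_keytool_listing`), since the server listing shows the same shape as the agent one. With keytool, a CA reply is attached to a private key only when it is imported under that key's own alias (`keytool -importcert -alias agkey -keystore agkeystore -file <signed cert>`), after which the chain length becomes 2; importing it under any other alias creates a trustedCertEntry and leaves the self-signed certificate as the one the key entry presents.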