8 Replies. Latest reply: Oct 18, 2012 6:12 PM by user13454469

    Invalid SSL Certificate

      Let me start by laying out some system info:
      Windows 2008
      Oracle DB

      I have recently been unable to log in to my previously functioning Enterprise Manager due to an "Invalid Certificate" error message in the browser (I have tried both IE and Chrome and had other users verify this is not a local browser issue).

      I started by verifying that my OMS and Agent were good with the below commands:

      D:\oracle\Middleware\oms11g\BIN>emctl status oms -details
      Oracle Enterprise Manager 11g Release 1 Grid Control
      Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
      Enter Enterprise Manager Root (SYSMAN) Password :
      Console Server Host : server.host.com
      HTTP Console Port : 7788
      HTTPS Console Port : 7799
      HTTP Upload Port : 4889
      HTTPS Upload Port : 1159
      OMS is not configured with SLB or virtual hostname
      Agent Upload is unlocked.
      OMS Console is unlocked.
      Active CA ID: 1

      D:\oracle\Middleware\oms11g\BIN>emctl status oms
      Oracle Enterprise Manager 11g Release 1 Grid Control
      Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
      WebTier is Up
      Oracle Management Server is Up

      D:\oracle\Middleware\oms11g\BIN>cd ../../agent11g/bin

      D:\oracle\Middleware\agent11g\BIN>emctl status agent -detail
      Oracle Enterprise Manager 11g Release 1 Grid Control
      Copyright (c) 1996, 2010 Oracle Corporation. All rights reserved.
      Agent Version :
      OMS Version :
      Protocol Version :
      Agent Home : D:\Oracle\Middleware\agent11g
      Agent binaries : D:\Oracle\Middleware\agent11g
      Agent Process ID : 8604
      Agent URL : https://server.host.com:3872/emd/main/
      Repository URL : https://server.host.com:1159/em/upload
      Started at : 2012-10-15 14:46:51
      Started by user : SYSTEM
      Last Reload : 2012-10-15 14:46:51
      Last successful upload : 2012-10-16 08:11:18
      Total Megabytes of XML files uploaded so far : 100.93
      Number of XML files pending upload : 0
      Size of XML files pending upload(MB) : 0.00
      Available disk space on upload filesystem : 22.68%
      Last successful heartbeat to OMS : 2012-10-16 08:22:06
      Agent is Running and Ready

      I then checked the status of the dbconsole:

      D:\oracle\product\11.2.0\dbhome_1\BIN>emctl status dbconsole
      OC4J Configuration issue. D:\oracle\product\11.2.0\dbhome_1/oc4j/j2ee/OC4J_DBConsole_server.host.com_SID not found.

      I should also tell you that the ORACLE_HOME and ORACLE_UNQNAME variables are set to the appropriate values.

      Since receiving this error I have been searching for a fix and have only been able to come up with recreating the repository, which leads me to my actual questions...

      What are the repercussions of recreating the repository for an existing OEM database? Will I have to recreate all the jobs that currently exist in my unreachable OEM instance? Is there a "better" way for me to resolve this issue?
        • 1. Re: Invalid SSL Certificate
          Before you actually begin to recreate your repository, could your problem be similar to mine? A recent Microsoft update changed the minimum certificate strength requirement from 512 to a minimum of 1024 bits. Perhaps all you need to do is recreate your certificate with a key strength of 1024 or greater.

          I have this problem as well, however, I am running EM and it seems I can't change the strength of our certificate key.
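
Added example, not part of the original post and not Oracle tooling: a Python sketch that reads the RSA modulus length out of a DER-encoded X.509 certificate and compares it with the 1024-bit minimum described above. All function names are hypothetical, and `sample_cert` builds a constructed, certificate-shaped structure with a dummy key and signature purely as test input.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """(tag, value_start, value_end) of each element inside a constructed value."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_key_bits(cert_der):
    """Bit length of the RSA modulus in a DER-encoded X.509 certificate."""
    _, ts, te = children(cert_der, *read_tlv(cert_der, 0)[1:])[0]   # Certificate -> tbsCertificate
    fields = children(cert_der, ts, te)
    if fields[0][0] == 0xA0:                     # skip the optional [0] version field
        fields = fields[1:]
    _, ps, pe = fields[5]                        # after serial, sigAlg, issuer, validity, subject
    alg, key = children(cert_der, ps, pe)        # AlgorithmIdentifier, BIT STRING
    oid = children(cert_der, alg[1], alg[2])[0]
    if cert_der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("not an RSA certificate")
    # BIT STRING value: one unused-bits byte, then SEQUENCE { modulus, exponent }
    _, ms, me = children(cert_der, *read_tlv(cert_der, key[1] + 1)[1:])[0]
    return int.from_bytes(cert_der[ms:me], "big").bit_length()

def below_minimum(cert_der, minimum=1024):
    """True if the key is shorter than the minimum the thread cites (1024 bits)."""
    return rsa_key_bits(cert_der) < minimum

# --- constructed sample input: certificate-shaped DER, dummy key and signature ---
def tlv(tag, value):
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def der_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def sample_cert(bits):
    key = tlv(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))   # not a real key
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real check, pass the DER bytes of the certificate exported from the browser warning or the wallet; a PEM export can be converted with `ssl.PEM_cert_to_DER_cert` from the standard library.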

          • 2. Re: Invalid SSL Certificate
            Thank you! You were exactly right about the Microsoft update.

            Now that I know my certificate isn't 1024 bit how do I go about recreating it with the appropriate encryption? Also, is it the OEM key or the server's certificate that is the issue?
            • 3. Re: Invalid SSL Certificate
              Now we are in the same spot. Which certificate it is I'm not sure. There are several Oracle Support Notes that discuss the OMS certificate...which is where the problem is I believe.
              Try looking at the following note in Oracle Support: 1476567.1

              Perhaps this will help.

              Now I just have to figure out if upgrading to 12c will prevent me from managing an 8.1.7 database....
              • 4. Re: Invalid SSL Certificate
                After reading the note you listed it seems as though I am about to undertake an OEM upgrade to 12c.

                Thanks for your help and Good Luck.
                • 5. Re: Invalid SSL Certificate
                  We are running OEM

                  We try to recreate the certificate using:

                  emctl secure oms -key_strength 1024 -console

                  and get the following. Can you help with the command syntax?

                  Oracle Enterprise Manager 10g Release 5 Grid Control
                  Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
                  Securing OMS... Started.
                  Invalid Input.
                  Secure OMS Usage :
                  emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>] [-host <hostname>]
                  [-reset] [-secure_port <secure_port>] [-upload_http_port <upload_http_port>] [-slb_port <slb port>]
                  [-slb_console_port <slb console port>] [-root_dc <root_dc>] [-root_country <root_country>]
                  [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>]
                  [-root_email <root_email>] [-wallet <wallet_loc> -trust_certs_loc <certs_loc>] [-wallet_pwd <pwd>]
                  [-key_strength <strength>] [-cert_validity <validity>]
                  emctl secure setpwd [authpasswd] [newpasswd]
                  emctl secure sync
                  emctl secure lock [-console] [-upload]
                  emctl secure unlock [-console] [-upload]
                  emctl secure console -wallet <wallet_loc> [-wallet_pwd <pwd>]
                  • 6. Re: Invalid SSL Certificate
                    The emctl command that you are trying is not a valid command in (it is supported in 12c).

                    "emctl secure oms -key_strength 1024 -console " is not supported in

                    From (PSU5 onwards), there is a special script SecureConsole that is available for securing the console with a given key strength. You should use that.

                    Check the following note for more details about how to secure console with a given key strength
                    • 7. Re: Invalid SSL Certificate
                      Thanks for replying.
                      I am unable to see that document in MOS

                      We are not running PSU5 - and it will take a few weeks to get approval to apply it. In the meantime, we are unable to view our GRID console since the Microsoft security hotfix (KB2661254) was applied.

                      Would you be able to paste the content of the support doc into this forum post?

                      Edited by: kirky on Oct 18, 2012 11:57 AM
                      • 8. Re: Invalid SSL Certificate
                        This is just an update, so others can benefit from it...after researching it over...

                        we had to apply the latest PSU to our OMS (Patch 13248190).... once we applied the patch we were able to run the below command

                        emctl secure console -self_signed -key_strength 1024

                        and after the above ran successfully, and we brought up OMS....we were able to log in to OEM from IE....