8 Replies Latest reply on Nov 7, 2014 2:08 PM by 2612452

    Cloud Control SSL issue

    2612452

      Hello, Oracle community!

       

      My problem is: when I try to open EM's homepage in browser, it tries to connect for about 5 or 6 minutes and after that drops the connection with sec_error_invalid_key (in Firefox) or ERR_TIMED_OUT in Chrome, or another certificate issue with IE.


      BUT!


      If I reload the page several times, then it starts to work perfectly! This strange behavior remains on any workstation; it doesn't matter which operating system or browser version I try to use. What can you suggest?


      Thank you!

      Eugene

        • 1. Re: Cloud Control SSL issue
          1323138

          Hello!

          We have the same problem after updating FF to version 33. On version 32 everything is OK.

          • 2. Re: Cloud Control SSL issue
            Sven W.

            1323138 wrote:

             

            Hello!

            We have the same problem after updating FF to version 33. On version 32 everything is OK.

            I have the same issue (sec_error_invalid_key) with EM - database control. Firefox 33 improved the security settings a bit. I guess it has to do with POODLE or other vulnerabilities of the SSL protocol.

            See: https://developer.mozilla.org/en-US/Firefox/Releases/33/Site_Compatibility#Security

            RSA certificates using weak signatures less than 1024-bit are no longer accepted

            RSA 512, 1000 and 1023-bit certificates are now blocked by Firefox since they are not sufficient for security. Most certificates currently being issued should have a 2048-bit key length.

             

            Not sure which certificate is used by our EM, but it is now blocked by Firefox.

            Does anyone know how to get and install a new certificate for EM?

            • 3. Re: Cloud Control SSL issue
              SubinDaniVarughese

              Hi,

               

              On which version of Cloud Control is this issue reported? Is it Cloud Control 12.1.0.3.0?

               

              Regards,

              Subin

              • 4. Re: Cloud Control SSL issue
                SubinDaniVarughese

                I was able to reproduce this issue with 11g EM and not with 12c EM.

                 

                $ openssl s_client -connect <OMS hostname>:<console port>

                ..

                Server public key is 512 bit

                ..

                 

                The solution I used is:

                 

                1. Apply the latest PSU for 11g Enterprise Manager Grid Control

                 

                2. Increase the key strength to 1024

                OMS OH/bin/emctl secure console -self_signed -key_strength 1024

                 

                3. Restart OMS

                 

                Verify if the key strength has increased.

                $ openssl s_client -connect <OMS hostname>:<console port>

                ..

                Server public key is 1024 bit

                ..

                 

                Try to access the same page in FF; it should be possible now.

                • 5. Re: Cloud Control SSL issue
                  SubinDaniVarughese

                  This is the solution for Oracle Enterprise Manager Database Control:

                   

                  1. Apply Patch 14503114

                   

                  2. Secure the database console using the following command:

                  emctl secure dbconsole -key_strength 1024 -reset

                   

                  3. Once the above steps are done, issue the following command to check whether the Server public key is 1024 bit

                   

                  $ openssl s_client -connect dbconsolehost.com:7799

                  ..

                  Server public key is 1024 bit

                   

                  4. Restart DBConsole

                   

                  emctl stop dbconsole

                  emctl start dbconsole

                   

                  5. Try to access Enterprise Manager webpage using FF now.

                  • 6. Re: Cloud Control SSL issue
                    CSpireDBA

                    I am having a similar problem using 12c OEM with Firefox 33. I'm getting Error code: sec_error_invalid_key immediately when trying to go to the page. When I run the below command I see 512 bit.

                     

                         openssl s_client -connect <our_oms>:xxxx | grep "Server public key"

                         Server public key is 512 bit

                     

                    Support told me to try to change it to 1024.  I guess I shouldn't have, but since I had mentioned this doc (1938128.1) to support, I tried this command and bounced OMS:

                     

                         emctl secure console -self_signed -key_strength 1024


                    It was still 512 and I still cannot access it via Firefox.


                    I'd like to try this (1476567.1), but waiting for support to reply first.


                         emctl secure oms -key_strength <value> -console



                    • 7. Re: Cloud Control SSL issue
                      1323138

                      Hello!

                      I think it doesn't work because you use a 1024 key. I did this with 2048 and it all works fine.

                       

                      emctl secure console -self_signed -key_strength 2048

                       

                      After recreating the certificate I restarted OMS (kill all processes if they exist).

                       

                      openssl s_client -connect XXX:YYYY | grep "Server public key" returned this:

                      Server public key is 2048 bit

                       

                      PS: version - 12.1.0.3

                      • 8. Re: Cloud Control SSL issue
                        2612452

                        Thank you for all your replies!

                         

                        After a few tries I gave up. It was a trial install so I deinstalled it and installed the latest version in a new home (lost the repo, don't regret that). Bad decision, but it helped. Hope this thread will help someone in the future.
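
Added example, not part of any post in this thread: a small shell helper that automates the `openssl s_client` check used in replies 4 to 7 and grades the reported key size against the Mozilla note quoted in reply 2 (below 1024 bit is blocked by Firefox 33, 2048 bit is the recommended size). The function names, the labels BLOCKED / BELOW_RECOMMENDED / OK, the host name `oms.example` and the sample output are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: grade the key size printed by `openssl s_client`.
# Thresholds follow the Mozilla note quoted in the thread:
#   < 1024 bit  -> rejected by Firefox 33 (sec_error_invalid_key)
#   < 2048 bit  -> accepted, but below the recommended key length

# key_bits: read s_client output on stdin, print the key size in bits.
key_bits() {
    sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# classify_bits BITS: print a label for the given key size.
classify_bits() {
    case "$1" in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;   # no key line was found
    esac
    if [ "$1" -lt 1024 ]; then
        echo BLOCKED
    elif [ "$1" -lt 2048 ]; then
        echo BELOW_RECOMMENDED
    else
        echo OK
    fi
}

# report_from_output LABEL OUTPUT: one summary line from captured output.
report_from_output() {
    rfo_bits=$(printf '%s\n' "$2" | key_bits)
    printf '%s %s-bit %s\n' "$1" "${rfo_bits:-?}" "$(classify_bits "$rfo_bits")"
}

# check_endpoint HOST PORT: live check against a console port.
# stdin is closed so s_client exits right after the handshake.
check_endpoint() {
    ce_out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    report_from_output "$1:$2" "$ce_out"
}

# Constructed sample of s_client output (not captured from a real server).
SAMPLE_512='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 512 bit
Secure Renegotiation IS supported'

report_from_output oms.example:7799 "$SAMPLE_512"
```

Run `check_endpoint <OMS hostname> <console port>` before and after `emctl secure console` and the OMS restart; a result that still reads BLOCKED means the console is still serving the old certificate, as in reply 6.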