OEM Database Control: security certificate

Symptoms
Oracle Enterprise Manager Database Control has a web front end that is accessed over HTTPS. By default it presents a certificate that no browser trusts, so every visit starts with a certificate warning.
Solution
You can replace the certificate, provided you have command-line access on the database server as the user Oracle was installed with. This causes no downtime for the database itself, though Enterprise Manager will be restarted.
Assumptions
- You are running Oracle database 11g [1]
- You are running on Linux or Unix [2]
- You have not implemented Grid Control, but are using the out-of-the-box version of Oracle Enterprise Manager (also known as Database Control).
- You have access to the Oracle server and can log in as the user Oracle was installed with (usually: user oracle).
- You can run graphical programs on the Oracle server [3].
- You can process a CSR (Certificate Signing Request).
- You know the SYSMAN password.
Changing the HTTP(S) port on which the web interface listens is described elsewhere on this site. Changing the protocol from HTTP to HTTPS or vice versa is also described in its own article.
Theory
If you create a new database instance and choose to add Database Control for local management [4], you get a web-based management console for just that database instance. It consists of several parts, just like the full-blown Grid Control option; the part that matters here is the database console (dbconsole), which acts as the web server.
Oracle keeps its certificates in a wallet: a directory holding a file in PKCS #12 format, ewallet.p12, protected by the wallet password. openssl can read it; the following lists the certificates it contains without exporting the private key (you will be prompted for the wallet password):
openssl pkcs12 -in ewallet.p12 -info -nokeys
Procedure
The first part of the procedure will consist of creating an Oracle wallet containing the certificate you want to use. Next is convincing Oracle to use this wallet.
You will need the CA certificate(s) [5] that will sign your certificate, in PEM format (text starting with -----BEGIN CERTIFICATE-----), both as separate files and concatenated into one file containing the whole chain.
Creating the wallet
Start the wallet manager, owm [6].
Create a new wallet by selecting in the main menu Wallet and New. Enter a password to protect the wallet. This password is only used during this procedure.
You will now be offered the option to create a certificate request; alternatively, select in the main menu Operations and Add Certificate Request. Fill in the fields; the Common Name must be the host name part of the URL you will use to access Enterprise Manager [7], all other fields can be filled in more or less as you like. Set the Key Size to at least 2048. Note that current browsers match the host name against the certificate's Subject Alternative Name rather than the Common Name, so ask your CA to include the host name as a DNS SAN when signing.
Navigate to the Certificate Request in the tree in the left pane. Either copy and paste the request or export it to a file by selecting in the main menu Operations and Export Certificate Request [8].
Now have the Certificate Signing Request (CSR) signed by your CA.
Before the signed certificate can be imported, the wallet must trust the certificates it was signed with. Starting with the root CA certificate and working down the chain to the issuing CA, import them one by one as trusted certificates by selecting in the main menu Operations and Import Trusted Certificate. You will get the choice of either pasting the certificate text or specifying a file.
Now we can import the certificate itself. Select in the main menu Operations and Import User Certificate. Again, you will get the choice of either pasting the certificate text or specifying a file.
Finally, save the wallet to a temporary location, for example somewhere in /tmp. Select in the main menu Wallet and Save As. Use an empty directory.
Using the wallet
To enable the certificates in the wallet, try:
# Run this as the user Oracle was installed with (usually oracle)
# SID:        the SID of your database
# WALLETFILE: the wallet you just saved, i.e. the ewallet.p12 in the temporary directory
# CACERTS:    the PEM file holding the whole certificate chain that signed your certificate
ORACLE_SID=SID emctl secure dbconsole -wallet WALLETFILE -trust_certs_loc CACERTS
You will be asked for two passwords: the repository password is the password of the Oracle user SYSMAN, the wallet password is the password you entered when creating the wallet.
This will automatically restart Enterprise Manager. Port numbers will remain unchanged.
If all went well, you will be able to access Enterprise Manager through HTTPS in your browser and see that the new certificate is in use.
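The two steps the article leaves to the reader are getting the CSR signed and checking the result. The following is an added example, not part of the original article or of Oracle's tooling: a throwaway two-tier test CA built with openssl signs a request standing in for the one owm exports, assembles the CACERTS bundle for -trust_certs_loc, and runs the checks worth doing before importing anything into the wallet and after emctl has restarted the console. The host name machine.example.com, port 1158 and all file names are assumptions; the CSR generated here is a constructed stand-in for the real exported request.

```shell
#!/bin/sh
# Added example: sign the dbconsole CSR with a throwaway test CA, build the CACERTS
# bundle, and verify the result. Host name, port and file names are assumptions.
set -e
WORK=$(mktemp -d)
EM_HOST=machine.example.com          # must equal the Common Name typed into owm

# Constructed stand-in for the request owm exports (Operations > Export Certificate
# Request). With a real wallet, skip this and copy the exported file to $WORK/dbconsole.csr.
make_stand_in_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/dbconsole.key" \
        -subj "/CN=$EM_HOST/O=Example" -out "$WORK/dbconsole.csr" 2>/dev/null
}

# Throwaway root and issuing CA for the demonstration; in real life this is your PKI's job.
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Issuing CA" \
        -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/issuing.pem" 2>/dev/null
}

# Sign the CSR as a server certificate. The SAN matters: browsers match the host name
# against subjectAltName, not the Common Name, and owm's request dialog only sets the CN.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$EM_HOST" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/dbconsole.csr" -CA "$WORK/issuing.pem" -CAkey "$WORK/issuing.key" \
        -CAcreateserial -days 397 -extfile "$WORK/server.ext" -out "$WORK/dbconsole.pem" 2>/dev/null
    # CACERTS for -trust_certs_loc: every CA certificate in the chain, issuing CA first, root last.
    cat "$WORK/issuing.pem" "$WORK/root.pem" > "$WORK/cacerts.pem"
}

# Pre-flight checks, run before importing anything into the wallet.
verify_chain() {        # does the signed certificate chain up to the root via the issuing CA?
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" \
        "$WORK/dbconsole.pem" >/dev/null 2>&1
}
cert_cn() {             # CN of a PEM certificate; tolerates old ("/CN=") and new ("CN = ") subject formats
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,\/].*//'
}
cert_matches_host() {   # usage: cert_matches_host cert.pem host  (same check a browser performs)
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
count_certs() {         # the concatenated file must hold every CA certificate of the chain
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Post-flight check: what dbconsole actually serves after emctl restarted it.
# Needs network access to the console, so it is not exercised by the script itself.
check_live_cert() {     # usage: check_live_cert machine.example.com 1158 cacerts.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

make_stand_in_csr
make_test_ca
sign_csr
```

After the emctl step, `check_live_cert machine.example.com 1158 cacerts.pem` should print the new subject, issuer and validity dates and end with "Verify return code: 0 (ok)"; anything else means the console is still serving the old certificate or the CACERTS bundle is incomplete.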
- [1] This procedure will probably also work on 10g or 12c, but has not been tested
- [2] This procedure will probably also work on Windows, but has not been tested
- [3] This is only needed to create the wallet
- [4] In dbca, this is step 4
- [5] Not their private keys, just the public certificate parts
- [6] This should be in your path; it can be found in $ORACLE_HOME/bin
- [7] For example, if your URL is https://machine.example.com:1158/em you should use machine.example.com here.
- [8] Or by right-clicking on the request in the tree and selecting this option