(Re)Securing Oracle Application Server Control

If you’re running an Oracle Application Server 10g instance you are probably familiar with Oracle Enterprise Manager Application Server Control. If not, go back to the manual. This is not a how-to on setting it up or using it. If you want to know how to secure it and refresh the certificate when it expires, read on.

Application Server Control is installed with Application Server 10g and typically runs on a port like 1810. By default it uses unencrypted HTTP. Since your whole application server is controlled through this interface, you probably want to secure it. The instructions below will generate a self-signed certificate and get your Application Server Control up and running with HTTPS.

As usual this post is written for Oracle Application Server 10g on UNIX. Always review the documentation for your release before trying any of these steps.

Securing Application Server Control

Oracle has provided a simple way to secure Application Server Control.

Note: If $ORACLE_HOME/bin is not in your path you will need to provide this path to emctl.

1. Connect to the command line on the application server and set all the appropriate environment variables for your application instance.

2. Run the command emctl stop iasconsole to stop Application Server Control.

3. Run the command emctl secure em to secure Application Server Control. This will perform a few steps including generating a self-signed secure certificate.

4. Run emctl start iasconsole to start Application Server Control.

If all goes well you will now be able to connect to your Application Server Control instance on the same port as before but now with the https protocol. In most browsers you will need to specify ‘https://’ in the URL.

Depending on your browser settings you may get a warning when accessing the site that the secure certificate was not issued by a trusted company. That is normal with a self-signed certificate. You can either tell your browser to trust the certificate or simply disregard the warning when it appears.

Renewing the Certificate

By default the certificate created in the steps above will only be good for six months. Once the cert goes stale you will probably get a warning that the certificate date is invalid. You may additionally get some Java errors like the ones shown below.

When this happens you can simply re-secure Application Server Control with the same steps above. This will create a new certificate which will be valid for another six months.
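The six-month lifetime can be watched for instead of being discovered through handshake errors. The script below is an added example, not part of the original post: it reads the expiry date of the certificate the console serves and reports OK, RENEW or EXPIRED. It assumes openssl and GNU date are installed; the function names, the 30-day threshold and the script name check_cert.sh are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): report how long the certificate
# served by Application Server Control has left. Assumes openssl and GNU date.

# days_left "notAfter=Jun 30 12:00:00 2011 GMT" [now_epoch]
# Prints whole days until expiry, rounded down (negative once expired).
days_left() {
    not_after=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s) || return 2
    secs=$((end - now))
    if [ "$secs" -lt 0 ]; then
        echo $(( (secs - 86399) / 86400 ))
    else
        echo $(( secs / 86400 ))
    fi
}

# cert_status DAYS WARN_DAYS -> EXPIRED, RENEW or OK
cert_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le "$2" ]; then echo RENEW
    else echo OK
    fi
}

# fetch_enddate HOST PORT -> "notAfter=..." of the certificate served there
fetch_enddate() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null
}

# check_console HOST PORT WARN_DAYS -> e.g. "RENEW 12"; non-zero unless OK
check_console() {
    enddate=$(fetch_enddate "$1" "$2") || { echo "UNREACHABLE"; return 3; }
    days=$(days_left "$enddate") || { echo "UNPARSEABLE"; return 2; }
    status=$(cert_status "$days" "$3")
    echo "$status $days"
    [ "$status" = OK ]
}

# Run only when called with arguments, e.g.: ./check_cert.sh localhost 1810 30
if [ "$#" -ge 2 ]; then
    check_console "$1" "$2" "${3:-30}"
fi
```

Run from cron, a RENEW or EXPIRED result is the cue to repeat the stop, secure and start steps above. The non-zero exit status lets the cron job mail or alert on anything other than OK.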

Some Potential Problems

If the certificate has expired you will likely get a Java error like this:

IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: X509CertExpiredErr

If this happens simply re-secure Application Server Control with the instructions above.

Sometimes Application Server Control will not shut down properly and you may get an error like this:

IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: SSLIOClosedOverrideGoodbyeKiss

If this happens you will probably have to kill the enterprise manager process (look for a process called emagent) and re-secure again.


4 thoughts on “(Re)Securing Oracle Application Server Control”

  1. Hi,
    I have a problem with the agent. Sometimes it goes down and the notification from the OEM says ‘Message=Agent is Unreachable (REASON = javax.net.ssl.SSLException: SSL handshake failed: SSLIOClosedOverrideGoodbyeKiss) but the host is UP.’
    I have to kill it first and bring it up again, but after about 10 or 20 hours it goes down again. I have to kill the process ‘/u0/app/oracle/agent10g/perl/bin/perl /u0/app/oracle/agent10g/bin/emwd.pl agent /u0/app/oracle/agent10g/sysman/log/emagent.nohup’ and start the agent over and over.
    I’m trying to follow your suggestion to make the agent unsecure, but an error occurs: ‘OMS Upload URL – http://spoem.semenpadang.co.id:4889/em/upload/ is locked or unavailable.
    Unsecuring Agent… Failed.’
    What do I have to do?

  2. Not that I know of, Rat. There are ways to import a commercial certificate if you want to go that route. Alternately you could schedule a cron job to build a new certificate every few months.

    Hope this helps.

  3. Hi Jon

    Thanks for your helpful summary. Just wanted to add that the following document – available via My Oracle Support (formerly known as Metalink) – has recently been revamped / improved.

    How to Secure and Unsecure OracleAS 10g Rel 2 (10.1.2) AS Console and Agent? (Document 280034.1)

    https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=280034.1

    There are two gotchas – a new one and one you have mentioned:

    a) Unfortunately the Root CA used by AS Console expired at end of 2010. This means an interim patch has to be applied. Without the patch the ‘emctl secure iasconsole’ command will work, but ‘emctl start iasconsole’ will fail thereafter. Note: the interim patch can only be applied on top of 10.1.2.3.

    Reference:
    OracleAS 10g Rel 2 AS (EM) Console Fails to Start If Secured After 1-JAN-2011 (Document 1282281.1)

    https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1282281.1

    b) The ‘emctl secure iasconsole’ command generates a self-signed certificate. This certificate expires after six months. So, every six months you will have to unsecure and resecure the AS Console to effectively renew the self-signed certificate. There is no other work-around. An enhancement was logged, requesting that users be allowed to use their own SSL certificate. But given that error correction (bug fix) support for AS10g 10.1.2 ends Dec 2011 I can’t see this enhancement request being fulfilled.

    Reference:
    Application Server Control Startup Hangs With SSL Error 29024 Few Months After Secure Iasconsole (Document 396641.1)

    https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=396641.1
