If you’re running an Oracle Application Server 10g instance you are probably familiar with Oracle Enterprise Manager Application Server Control. If not, go back to the manual. This is not a how-to on setting it up or using it. If you want to know how to secure it and refresh the certificate when it expires, read on.
Application Server Control is installed with Application Server 10g and typically runs on a port like 1810. By default it uses the non-secure HTTP protocol. Since your whole application server is controlled through this interface, you probably want to secure it. The instructions below will generate a self-signed certificate and get your Application Server Control up and running with HTTPS.
As usual this post is written for Oracle Application Server 10g on UNIX. Always review the documentation for your release before trying any of these steps.
Securing Application Server Control
Oracle has provided a simple way to secure Application Server Control.
Note: If $ORACLE_HOME/bin is not in your path you will need to provide this path to emctl.
1. Connect to the command line on the application server and set all the appropriate environment variables for your application instance.
2. Run the command emctl stop iasconsole to stop Application Server Control.
3. Run the command emctl secure em to secure Application Server Control. This will perform a few steps including generating a self-signed secure certificate.
4. Run the command emctl start iasconsole to start Application Server Control.
If all goes well you will now be able to connect to your Application Server Control instance on the same port as before but now with the HTTPS protocol. In most browsers you will need to specify ‘https://’ in the URL.
Depending on your browser settings you may get a warning when accessing the site that the secure certificate was not issued by a trusted company. That is normal with a self-signed certificate. You can either tell your browser to trust the certificate or simply disregard the warning when it appears.
Renewing the Certificate
By default the certificate created in the steps above will only be good for six months. Once the cert goes stale you will probably get a warning that the certificate date is invalid. You may additionally get some Java errors like those shown below.
When this happens you can simply re-secure Application Server Control with the same steps above. This will create a new certificate which will be valid for another six months.
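One way to catch the six-month expiry before the console starts failing, as an added example that is not part of the original post: read the certificate's end date with openssl and classify it. It assumes openssl and GNU date are on the path; the function names and the host name in the usage comment are placeholders made up for this example.

```shell
#!/bin/sh
# Added example: report how long the Application Server Control certificate
# has left. Assumes GNU date (for -d) and the openssl command-line tool.

# Print the "notAfter=..." line of the certificate served on host:port.
# Port 1810 is the typical port mentioned in the post; adjust for your instance.
fetch_enddate() {
    host=$1
    port=${2:-1810}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# Classify a "notAfter=..." line.
#   $1  line as printed by "openssl x509 -noout -enddate"
#   $2  warning threshold in days (default 30)
#   $3  current time in epoch seconds (default: now; settable for testing)
# Prints "EXPIRED", "RENEW <days left>" or "OK <days left>".
cert_status() {
    line=$1
    warn_days=${2:-30}
    now=${3:-$(date +%s)}
    # Strip the "notAfter=" prefix and convert the date to epoch seconds.
    end=$(date -u -d "${line#notAfter=}" +%s) || return 2
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -le $(( warn_days * 86400 )) ]; then
        echo "RENEW $(( left / 86400 ))"
    else
        echo "OK $(( left / 86400 ))"
    fi
}

# Usage (host name is a placeholder):
#   cert_status "$(fetch_enddate appserver.example.com 1810)" 30
```

Run from cron, a RENEW result gives you time to schedule the stop, secure and start steps above instead of discovering the expiry through a failed handshake.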
Some Potential Problems
If the certificate has expired you will likely get a Java error like this:
IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: X509CertExpiredErr
If this happens simply re-secure Application Server Control with the instructions above.
Sometimes Application Server Control will not shut down properly and you may get an error like this:
IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: SSLIOClosedOverrideGoodbyeKiss
If this happens you will probably have to kill the enterprise manager process (look for a process called emagent) and re-secure again.