EM 12c: Securing the Enterprise Manager 12.1.0.2 Cloud Control Management Agent with Custom Certificate Fails with Error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (Doc ID 1532269.1)

Last updated on FEBRUARY 19, 2019

Applies to:

Symptoms

The Enterprise Manager (EM) 12.1.0.2.0 Cloud Control OMS is secured with a third party certificate, but securing the agent fails with these errors:

From the <Agent Base>/agent_inst/sysman/log/secure.log

2013-01-16 10:37:00,387 [main] ERROR agent.SecureAgentCmd main.214 - Failed to secure the Agent:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:109)
    at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3366)
    at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:3281)
    at HTTPClient.HTTPConnection$9.run(HTTPConnection.java:3032)
    at HTTPClient.HTTPConnection$9.run(HTTPConnection.java:3023)
    at HTTPClient.HttpClientConfiguration.doAction(HttpClientConfiguration.java:666)
    at HTTPClient.HTTPConnection.doAction(HTTPConnection.java:5401)
    at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:3023)
    at HTTPClient.HTTPConnection.Get(HTTPConnection.java:878)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.openPage(SecureAgentCmd.java:865)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.getOMSSecurePort(SecureAgentCmd.java:811)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.secureAgent(SecureAgentCmd.java:238)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.main(SecureAgentCmd.java:207)
[16-01-2013 10:37:00] USERINFO ::Securing agent...   Failed.

Revealing a key process error:

openssl s_client -host <HOSTNAME> -port <PORT>|grep issuer
10185:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

From the command session:

./emctl secdiag openurl -url https://<HOSTNAME>:<PORT>/empbs/upload
Oracle Enterprise Manager Cloud Control 12c Release 2
Copyright (c) 1996, 2012 Oracle Corporation.  All rights reserved.

Log file: /tmp/OpenPage_2013_02_08_09_16_029112911131616887348.log

Opening page: https://<HOSTNAME>:<PORT>/empbs/upload
Using protocol: ssl
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set

Getting the certificate chain
Following exception occurred when running OpenPage
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
        at oracle.sysman.emctl.secdiag.OpenURL.main(OpenURL.java:223)

Additionally:

Opening the wallet using OWM shows the status as Requested, which means there is a open certificate request but the signed user certificate has not been imported into the wallet

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.