My Oracle Support Banner

EM 12c: Securing the Enterprise Manager 12.1.0.2 Cloud Control Management Agent with Custom Certificate Fails with Error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (Doc ID 1532269.1)

Last updated on JUNE 20, 2023

Applies to:

Enterprise Manager Base Platform - Version 12.1.0.2.0 and later
Information in this document applies to any platform.

Symptoms

The Enterprise Manager (EM) 12.1.0.2.0 Cloud Control OMS is secured with a third party certificate, but securing the agent fails with these errors:

From the <Agent Base>/agent_inst/sysman/log/secure.log


2013-01-16 10:37:00,387 [main] ERROR agent.SecureAgentCmd main.214 - Failed to secure the Agent:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:109)
    at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3366)
    at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:3281)
    at HTTPClient.HTTPConnection$9.run(HTTPConnection.java:3032)
    at HTTPClient.HTTPConnection$9.run(HTTPConnection.java:3023)
    at HTTPClient.HttpClientConfiguration.doAction(HttpClientConfiguration.java:666)
    at HTTPClient.HTTPConnection.doAction(HTTPConnection.java:5401)
    at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:3023)
    at HTTPClient.HTTPConnection.Get(HTTPConnection.java:878)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.openPage(SecureAgentCmd.java:865)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.getOMSSecurePort(SecureAgentCmd.java:811)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.secureAgent(SecureAgentCmd.java:238)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.main(SecureAgentCmd.java:207)
[16-01-2013 10:37:00] USERINFO ::Securing agent...   Failed.

 

Revealing a key process error:


openssl s_client -host <HOSTNAME> -port <PORT>|grep issuer
10185:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

 

From the command session:


./emctl secdiag openurl -url https://<HOSTNAME>:<PORT>/empbs/upload
Oracle Enterprise Manager Cloud Control 12c Release 2
Copyright (c) 1996, 2012 Oracle Corporation.  All rights reserved.

Log file: /tmp/OpenPage_2013_02_08_09_16_029112911131616887348.log

Opening page: https://<HOSTNAME>:<PORT>/empbs/upload
Using protocol: ssl
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set

Getting the certificate chain
Following exception occurred when running OpenPage
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
        at oracle.sysman.emctl.secdiag.OpenURL.main(OpenURL.java:223)


 

Additionally:

Opening the wallet using OWM shows the status as Requested, which means there is a open certificate request but the signed user certificate has not been imported into the wallet

 

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.