EM 12c: Securing the Enterprise Manager 12.1.0.2 Cloud Control Management Agent with Custom Certificate Fails with Error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (Doc ID 1532269.1)

Last updated on OCTOBER 08, 2016

Applies to:

Enterprise Manager Base Platform - Version 12.1.0.2.0 and later
Information in this document applies to any platform.

Symptoms

The OMS is secured with a third party certificate, but securing the agent fails with these errors:

From the .../agent_inst/sysman/log/secure.log


2013-01-16 10:37:00,387 [main] ERROR agent.SecureAgentCmd main.214 - Failed to secure the Agent:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:109)
    at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3366)
    at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:3281)
    at HTTPClient.HTTPConnection$9.run(HTTPConnection.java:3032)
    at HTTPClient.HTTPConnection$9.run(HTTPConnection.java:3023)
    at HTTPClient.HttpClientConfiguration.doAction(HttpClientConfiguration.java:666)
    at HTTPClient.HTTPConnection.doAction(HTTPConnection.java:5401)
    at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:3023)
    at HTTPClient.HTTPConnection.Get(HTTPConnection.java:878)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.openPage(SecureAgentCmd.java:865)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.getOMSSecurePort(SecureAgentCmd.java:811)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.secureAgent(SecureAgentCmd.java:238)
    at oracle.sysman.emctl.secure.agent.SecureAgentCmd.main(SecureAgentCmd.java:207)
[16-01-2013 10:37:00] USERINFO ::Securing agent...   Failed.

 

Revealing a key process error:


openssl s_client -host xxx -port 4900|grep issuer
10185:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

 

From the command session:


./emctl secdiag openurl -url https://xxx.xxx.xxx:4900/empbs/upload
Oracle Enterprise Manager Cloud Control 12c Release 2
Copyright (c) 1996, 2012 Oracle Corporation.  All rights reserved.

Log file: /tmp/OpenPage_2013_02_08_09_16_029112911131616887348.log

Opening page: https://xxx.xxx.xxx:4900/empbs/upload
Using protocol: ssl
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set

Getting the certificate chain
Following exception occurred when running OpenPage
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
        at oracle.sysman.emctl.secdiag.OpenURL.main(OpenURL.java:223)


 

Additionally:

Opening the wallet using OWM shows the status as Requested, which means there is a open certificate request but the signed user certificate has not been imported into the wallet



Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms