12c: Securing WLS with Custom Keystores Fails on Additional OMS Setup (Doc ID 1568715.1)

Last updated on JULY 12, 2013

Applies to:

Enterprise Manager Base Platform - Version 12.1.0.2.0 and later
Information in this document applies to any platform.

Symptoms

OEM 12c setup with one primary OMS and one or more additional OMS servers. WLS on the primary OMS was secured with custom keystores as per the steps in ID 1527874.1. Securing WLS was successful and the primary OMS was restarted successfully.
Securing WLS on an additional OMS with custom keystores now fails with the error below:

$emctl secure wls -jks_loc /u01/app/em12cps1/custom_keystores/keystore.jks -jks_pvtkey_alias server_cert
Oracle Enterprise Manager Cloud Control 12c Release 2
Copyright (c) 1996, 2012 Oracle Corporation. All rights reserved.
Securing WLS... Started.
Enter JKS Password :
Enter Private Key Password :
<Jul 11, 2013 11:43:29 PM IST> <Warning> <Security> <BEA-090542> <Certificate chain received from <Primary OMS Hostname> - <Primary OMS IP> was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
Securing WLS... Failed. Check the log /u01/app/em12cps1/Middleware/gc_inst/em/EMGC_OMS3/sysman/log/secure.log

The following error is logged in secure.log:

2013-07-11 23:43:29,281 [main] ERROR oms.SecureWLSCmd processSecureWLS.446 - Securing of WLS failed with following error: 
java.io.IOException
at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:196)
at weblogic.management.remote.common.ClientProviderBase.newJMXConnector(ClientProviderBase.java:84)
at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:338)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:247)
at oracle.sysman.util.jmx.JMXUtil.getMBeanServerConn(JMXUtil.java:103)
at oracle.sysman.emctl.util.EmctlUtil.getMBeanServerConn(EmctlUtil.java:671)
at oracle.sysman.emctl.secure.oms.SecureWLSCmd.processSecureWLS(SecureWLSCmd.java:361)
at oracle.sysman.emctl.secure.oms.SecureWLSCmd.main(SecureWLSCmd.java:199)
Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://<Primary OMS Hostname>:<AS PORT>: Destination unreachable; nested exception is: 
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from <Primary OMS Hostname> - <Primary OMS IP> was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.; No available router to destination]

Cause
