EM 12c: emctl secure console -wallet Command in Enterprise Manager Cloud Control Fails with Error: Invalid Padding String (Doc ID 1935230.1)

Last updated on OCTOBER 10, 2015

Applies to:

Enterprise Manager Base Platform - Version 12.1.0.4.0 and later
Information in this document applies to any platform.

Symptoms

The requirement is to secure the Console and Upload URLs of the 12c OMS with a cwallet.sso wallet containing a custom SSL certificate.
However, securing the console with this wallet fails with the following error:

$ /ora/app/oracle/product/12.1.0.4_OEM/middleware/oms/bin/emctl secure console -wallet /ora/app/oracle/admin/wallets
Oracle Enterprise Manager Cloud Control 12c Release 4
Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
Securing Console... Started.
Enter Enterprise Manager Root (SYSMAN) Password :
Securing Console... Failed. Check the log /ora/app/oracle/product/12.1.0.4_OEM/gc_inst/em/EMGC_OMS1/sysman/log/secure.log

The <gc_inst>/em/EMGC_OMS1/sysman/log/secure.log file reports:

2014-09-25 11:59:42,566 [main] ERROR oms.SecureConsoleCmds main.187 - Failed to secure the Console: oracle.security.crypto.core.CipherException: Invalid padding string (or incorrect password)
java.io.IOException: oracle.security.crypto.core.CipherException: Invalid padding string (or incorrect password)
at oracle.security.pki.OracleWallet.open(Unknown Source)
at oracle.sysman.emctl.secure.oms.SecureOMSCmds.validateExtWallet(SecureOMSCmds.java:2036)
at oracle.sysman.emctl.secure.oms.SecureConsoleCmds.processSecureConsole(SecureConsoleCmds.java:312)
at oracle.sysman.emctl.secure.oms.SecureConsoleCmds.main(SecureConsoleCmds.java:168)
Caused by: oracle.security.crypto.asn1.ASN1FormatException: oracle.security.crypto.core.CipherException: Invalid padding string (or incorrect password)
at oracle.security.crypto.cert.PKCS12Safe.input(PKCS12Safe.java:210)
at oracle.security.crypto.cert.PKCS12Safe.<init>(PKCS12Safe.java:119)
at oracle.security.crypto.cert.PKCS12.input(PKCS12.java:179)
at oracle.security.crypto.cert.PKCS12.<init>(PKCS12.java:122)
at oracle.security.pki.OracleKeyStoreSpi.engineLoad(Unknown Source)
at oracle.security.pki.OracleSSOKeyStoreSpi.engineLoad(Unknown Source)
at oracle.security.pki.OracleSecretStore.load(Unknown Source)
at oracle.security.pki.OracleWallet.getSecretStore(Unknown Source)
... 4 more

The wallet with the custom SSL certificate can be opened by orapki without any password prompt, and displays the following:

$ orapki wallet display -wallet /ora/app/oracle/admin/wallets
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=omsmachine.domain,OU=EM,O=IP,L=Canberra,ST=ACT,C=AU
User Certificates:
Subject:        C=AU,L=Canberra,O=IP Australia,OU=BIMS,CN=omsmachine.domain
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=IP Certificate Authority,OU=Production,O=IP,L=Canberra,ST=ACT,C=AU
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        C=AU,L=ACT,O=IP ,OU=BIMS,OU=Production,CN=IPA CA
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

 

Cause
