
Troubleshooting Issues with Enterprise Manager Cloud Control Agent to OMS Communication Due to SSL Handshake Failure (Doc ID 2127656.1)

Last updated on FEBRUARY 19, 2019

Applies to:

Enterprise Manager Base Platform - Version 12.1.0.1.0 and later
Information in this document applies to any platform.

Purpose

The Enterprise Manager (EM) 12c Cloud Control OMS and Agents are configured to run in secure mode (https) out-of-the-box. The EM Agent communicates and uploads to the OMS only after a successful SSL handshake between the OMS and Agent.
When the Agent sends a ping or upload request to the OMS, the OMS provides its certificate chain (user or server certificate, intermediate certificates, if any, and root certificate) to the Agent. The Agent confirms that the trusted certificates of the OMS (intermediate certificates, if any, and root certificate) are present in the Agent's trust store, which is <AGENT INST HOME>/sysman/config/server/ewallet.p12 by default.

An SSL handshake will be successful, and the Agent will be able to communicate with the OMS, only if the trusted certificates of the OMS (intermediate certificates, if any, and root certificate) are present in the Agent's trust store. The Agent must be secured successfully with the OMS so that the trusted certificates of the OMS are updated in the Agent's trust store.

If the Agent fails to ping or upload to the OMS due to SSL Handshake failure, then the error below will be reported. This document provides the steps to collect diagnostic data and solve the issue with Agent to OMS communication due to SSL Handshake failure:

$ emctl pingOMS
Oracle Enterprise Manager Cloud Control 12c Release 4
Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
EMD pingOMS error: unable to connect to http server at https://myhost.mycompany.com:<PORT>/empbs/upload. [peer not authenticated]

 

$ emctl upload
Oracle Enterprise Manager Cloud Control 12c Release 4
Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
EMD upload error:full upload has failed: uploadXMLFiles skipped :: OMS version not checked yet. If this issue persists check trace files for ping to OMS related errors. (OMS_DOWN)

 

$ emctl status agent
Oracle Enterprise Manager Cloud Control 12c Release 4
Copyright (c) 1996, 2014 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
Agent Version : 12.1.0.4.0
OMS Version : (unknown)
Protocol Version : 12.1.0.1.0
Agent Home : <PATH>/agent/agent_inst
Agent Log Directory : <PATH>/agent/agent_inst/sysman/log
Agent Binaries : <PATH>/agent/core/12.1.0.4.0
Agent Process ID : <PID>
Parent Process ID : <PID>
Agent URL : https://myhost2.mycompany.com:<PORT>/emd/main/
Local Agent URL in NAT : https://myhost2.mycompany.com:<PORT>/emd/main/
Repository URL : https://myhost.mycompany.com:<PORT>/empbs/upload
Started at : 2016-04-12 18:49:23
Started by user : oracle
Operating System : Linux version 2.6.32-431.el6.x86_64 (amd64)
Last Reload : (none)
Last successful upload : (none)
Last attempted upload : (none)
Total Megabytes of XML files uploaded so far : 0
Number of XML files pending upload : 617
Size of XML files pending upload(MB) : 0.52
Available disk space on upload filesystem : 36.14%
Collection Status : Collections enabled
Heartbeat Status : OMS is unreachable
Last attempted heartbeat to OMS : 2016-04-12 19:15:27
Last successful heartbeat to OMS : (none)
Next scheduled heartbeat to OMS : 2016-04-12 19:15:57
---------------------------------------------------------------
Agent is Running and Ready

 

The error below is logged in <AGENT INST HOME>/sysman/log/gcagent.log:

2016-04-12 19:18:57,100 [461:79272CFC] INFO - attempting initial heartbeat
2016-04-12 19:18:57,106 [461:79272CFC] WARN - Ping communication error
o.s.emSDK.agent.comm.exception.VerifyConnectionException [unable to connect to http server at https://myhost.mycompany.com:4903/empbs/upload. [peer not authenticated]]
javax.net.ssl.SSLPeerUnverifiedException [peer not authenticated]

 

You should still be able to run ping, telnet, wget and openssl against the OMS upload port to confirm that there is no network issue between the Agent and the OMS server.
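As an added example (not Oracle's code and not part of the original note), the following Python script groups gcagent.log entries with their exception lines and separates heartbeat failures caused by certificate trust from failures with any other cause. The function names are hypothetical, and the second sample entry, including its "Connection refused" text, is constructed for illustration.

```python
import re

# Entry header format taken from the gcagent.log excerpt above.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \[[^\]]+\] (\w+) - (.*)$")
OMS_URL = re.compile(r"https://[^\s\]]+?/empbs/upload")
TRUST_MARKERS = ("SSLPeerUnverifiedException", "peer not authenticated")

def group_entries(lines):
    """Attach untimestamped continuation lines (exception text) to their entry."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2),
                            "msg": m.group(3), "detail": []})
        elif entries and line.strip():
            entries[-1]["detail"].append(line.strip())
    return entries

def classify_ping_failures(lines):
    """One finding per 'Ping communication error': TLS trust failure or other."""
    findings = []
    for e in group_entries(lines):
        if e["level"] != "WARN" or "Ping communication error" not in e["msg"]:
            continue
        detail = " ".join(e["detail"])
        url = OMS_URL.search(detail)
        trust = any(marker in detail for marker in TRUST_MARKERS)
        findings.append({"ts": e["ts"],
                         "oms_url": url.group(0) if url else None,
                         "cause": "tls_trust" if trust else "other"})
    return findings

# First failure is the excerpt above; the second entry is constructed, and its
# "Connection refused" wording is an assumption used to show the "other" branch.
SAMPLE_LOG = """\
2016-04-12 19:18:57,100 [461:79272CFC] INFO - attempting initial heartbeat
2016-04-12 19:18:57,106 [461:79272CFC] WARN - Ping communication error
o.s.emSDK.agent.comm.exception.VerifyConnectionException [unable to connect to http server at https://myhost.mycompany.com:4903/empbs/upload. [peer not authenticated]]
javax.net.ssl.SSLPeerUnverifiedException [peer not authenticated]
2016-04-12 19:19:27,210 [461:79272CFC] WARN - Ping communication error
o.s.emSDK.agent.comm.exception.VerifyConnectionException [unable to connect to http server at https://myhost.mycompany.com:4903/empbs/upload. [Connection refused]]
""".splitlines()

if __name__ == "__main__":
    for finding in classify_ping_failures(SAMPLE_LOG):
        print(finding)
```

A `tls_trust` finding points at the Agent's trust store rather than the network path, which is the case this document addresses.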

 

Troubleshooting Steps
