EM 13c: Agent Secure Fails with "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" After Importing Third Party SSL Certificate at the SLB (Doc ID 2169380.1)

Last updated on OCTOBER 04, 2016

Applies to:

Enterprise Manager Base Platform - Version 13.1.0.0.0 and later
Information in this document applies to any platform.

Symptoms

Attempting to secure a 13c Agent with an SLB upload URL at the OMS fails with:

./emctl secure agent -emdWalletSrcUrl https://slbhost.domain:4903/em
Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
Agent successfully stopped... Done.
Securing agent... Started.
Enter Agent Registration Password :
Agent successfully restarted... Done.
Securing agent... Failed.

-  Upload and pingOMS work fine:

$ ./emctl pingOMS
Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
EMD pingOMS completed successfully
$ ./emctl upload
Oracle Enterprise Manager Cloud Control 13c Release 1
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
---------------------------------------------------------------
EMD upload completed successfully

-  The <AGENT_INST>/sysman/log/secure.log reports the error below at the last stage of the secure activity, when attempting to validate the SLB upload URL connectivity:

2016-07-15 09:07:50,296 [main] INFO agent.SecureAgentCmd secureAgent.441 - Computed Upload url :https://slbhost.domain:4903/empbs/upload
2016-07-15 09:07:50,296 [main] INFO agent.SecureAgentCmd secureAgent.442 - Checking if HTTPS Upload URL is accessible from the agent...
2016-07-15 09:07:50,296 [main] INFO agent.SecureAgentCmd secureAgent.443 - Accessing: https://slbhost.domain:4903/empbs/upload
2016-07-15 09:07:50,300 [main] ERROR agent.SecureAgentCmd main.348 - Failed to secure the Agent:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:470)
at oracle.sysman.emctl.secure.agent.SecureAgentCmd.checkUpload(SecureAgentCmd.java:660)
at oracle.sysman.emctl.secure.agent.SecureAgentCmd.secureAgent(SecureAgentCmd.java:445)
at oracle.sysman.emctl.secure.agent.SecureAgentCmd.main(SecureAgentCmd.java:341)
2016-07-15 09:07:50,301 [main] INFO agent.SecureAgentCmd main.350 - Re-trying. Trials left:0

-  The agent is pointing to a multi-OMS setup with an SLB configured.
-  A third-party signed SSL certificate has been configured at the SLB. The SLB certificate has been imported into the OMS using the steps in
   <Note 1481192.1> : How to Import Third Party/Custom SSL Certificates Used at SLB to OMS and Agents?
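
A triage helper for the secure.log excerpt above, added here as an example and not part of the Oracle note or of Enterprise Manager: it finds the last ERROR entry in a secure.log and reports whether it carries the signature described in this note (SSLPeerUnverifiedException raised from the checkUpload step). The function name triage_secure_log and the result keys are assumptions; the sample lines are copied from the excerpt.

```python
import re

# Entry header: "<date> <time> [thread] LEVEL logger method.line - message"
ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \[\S+\] (\w+)\s+\S+ \S+ - (.*)$")
FRAME = re.compile(r"^\s*at ([\w.$]+)\(")  # Java stack frame line

# Log lines copied from the secure.log excerpt on this page.
SAMPLE = """\
2016-07-15 09:07:50,296 [main] INFO agent.SecureAgentCmd secureAgent.441 - Computed Upload url :https://slbhost.domain:4903/empbs/upload
2016-07-15 09:07:50,296 [main] INFO agent.SecureAgentCmd secureAgent.443 - Accessing: https://slbhost.domain:4903/empbs/upload
2016-07-15 09:07:50,300 [main] ERROR agent.SecureAgentCmd main.348 - Failed to secure the Agent:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:470)
at oracle.sysman.emctl.secure.agent.SecureAgentCmd.checkUpload(SecureAgentCmd.java:660)
at oracle.sysman.emctl.secure.agent.SecureAgentCmd.secureAgent(SecureAgentCmd.java:445)
2016-07-15 09:07:50,301 [main] INFO agent.SecureAgentCmd main.350 - Re-trying. Trials left:0
"""

def triage_secure_log(text):
    """Summarise the last ERROR entry of an agent secure.log (hypothetical helper)."""
    r = {"upload_url": None, "exception": None, "detail": None,
         "failed_in": None, "trials_left": None}
    in_error = False
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            level, msg = entry.groups()
            in_error = level == "ERROR"
            if in_error:  # a newer error replaces what was collected before
                r["exception"] = r["detail"] = r["failed_in"] = None
            elif msg.startswith("Computed Upload url"):
                r["upload_url"] = msg.split(":", 1)[1].strip()
            elif msg.startswith("Re-trying. Trials left:"):
                r["trials_left"] = int(msg.rsplit(":", 1)[1])
            continue
        if not in_error:
            continue  # continuation lines only matter under an ERROR entry
        frame = FRAME.match(line)
        if frame:
            # First oracle.sysman frame names the secure step that raised.
            if r["failed_in"] is None and frame.group(1).startswith("oracle.sysman."):
                r["failed_in"] = frame.group(1).rsplit(".", 1)[1]
        elif r["exception"] is None and ":" in line:
            exc, _, detail = line.partition(":")
            r["exception"], r["detail"] = exc.strip(), detail.strip()
    r["matches_this_note"] = ((r["exception"] or "").endswith("SSLPeerUnverifiedException")
                              and r["failed_in"] == "checkUpload")
    return r
```

Run it against each agent's <AGENT_INST>/sysman/log/secure.log to separate this failure from secure failures that stop at an earlier step.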

Changes

<Patch 23208577> or the 13c agent bundled patch has been applied to the agent as mentioned in <Document 2144775.1>.
If the patch is rolled back, it is possible to secure the agent successfully.

Cause
