EM 13c: OMS Communication to all Agents Failing with "[handshake has no peer]" but Agents are able to Upload Successfully to the OMS

(Doc ID 2381313.1)

Last updated on APRIL 20, 2018

Applies to:

Enterprise Manager Base Platform - Version 13.2.0.0.0 and later
Information in this document applies to any platform.

Symptoms

Agents are able to upload to the OMS, but OMS-to-Agent communication is failing.

The <gc_inst>/em/EMGC_OMS1/sysman/log/emoms.trc file reports errors such as the following:

2018-03-28 02:51:19,921 [RJob Step 59146235] ERROR target.CollectionUtil logp.251 - unable to connect to http server at https://agenthost.domain:3872/emd/main/. [handshake has no peer]
oracle.sysman.emSDK.emd.comm.CommException: unable to connect to http server at https://agenthost.domain:3872/emd/main/. [handshake has no peer]
at oracle.sysman.emSDK.emd.comm.ExceptionTranslator.throwAsCommException(ExceptionTranslator.java:1040)
at oracle.sysman.emSDK.emd.comm.ExceptionTranslator.rethrowGetActiveTargetCollection(ExceptionTranslator.java:303)

Similar errors are seen for all the agents.

-  Third-party certificates have not been configured at the OMS or the agents, hence <Note 1580282.1> does not apply.

-  From the OMS, verifying communication to the Agent URL with the command below also fails:

emctl secdiag openurl -url https://agenthost.domain:3872/emd/main/
Oracle Enterprise Manager Cloud Control 13c Release 2
Copyright (c) 1996, 2016 Oracle Corporation. All rights reserved.
Log file: /tmp/OpenPage_2018_03_28_06_32_332576799103167120926.log
Opening page: https://agenthost.domain:3872/emd/main/
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set
Using protocol: TLSv1
Negotiated protocol: NONE
Getting the certificate chain
Following exception occurred when running OpenPage
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:470)
at oracle.sysman.emctl.secdiag.OpenURL.main(OpenURL.java:261)


-  However, connection to the Agent URL works fine via the openssl command:

$ openssl s_client -host agenthost.domain -port 3872
CONNECTED(00000003)
depth=1 O = EnterpriseManager on omshost.domain, OU = EnterpriseManager on omshost.domain, L = EnterpriseManager on omshost.domain, ST = CA, C = US, CN = omshost.domain
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/CN=agenthost.domain
i:/O=EnterpriseManager on omshost.domain/OU=EnterpriseManager on omshost.domain/L=EnterpriseManager on omshost.domain/ST=CA/C=US/CN=omshost.domain
1 s:/O=EnterpriseManager on omshost.domain/OU=EnterpriseManager on omshost.domain/L=EnterpriseManager on omshost.domain/ST=CA/C=US/CN=omshost.domain
i:/O=EnterpriseManager on omshost.domain/OU=EnterpriseManager on omshost.domain/L=EnterpriseManager on omshost.domain/ST=CA/C=US/CN=omshost.domain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICvTCCAiagAwIBAgIIubzdULCGqnAwDQYJKoZIhvcNAQEEBQAwgd0xNDAyBgNV
BAoTK0VudGVycHJpc2VNYW5hZ2VyIG9uIHNsNzNvZW1pcmNwMDIudmlzYS5jb20x

The output indicates that there is no issue with hostname / IP address resolution or with access to the agent port.

-  The cipher suites and TLS protocols set at the OMS and the agent match.
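
The secdiag run above reports "Using protocol: TLSv1", whereas openssl s_client with no protocol option negotiates whichever version both ends support, so the two checks are not like for like. The script below is an added example, not part of the Oracle note, that forces each protocol version in turn; its function names and sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Oracle note): probe an agent port once per TLS
# protocol version so the result can be compared with the "Using protocol" and
# "Negotiated protocol" lines printed by emctl secdiag.

# Read one `openssl s_client` transcript on stdin; print the negotiated cipher,
# or NONE when no handshake completed (no "Cipher is" line, or "(NONE)").
summarise_handshake() {
    awk '/^New, .*Cipher is / { c = $NF }
         END { if (c == "" || c == "(NONE)") print "NONE"; else print c }'
}

# Probe host:port ($1) with each protocol forced in turn. A flag that the local
# openssl build does not support also reports NONE.
probe_agent() {
    for flag in tls1 tls1_1 tls1_2; do
        printf '%-7s %s\n' "$flag" \
            "$(openssl s_client -connect "$1" "-$flag" </dev/null 2>&1 | summarise_handshake)"
    done
}

# Constructed transcripts (not captured from a real system) for an offline check.
sample_ok() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
        'New, TLSv1/SSLv3, Cipher is AES256-SHA' \
        'SSL-Session:' '    Protocol  : TLSv1.2' '    Cipher    : AES256-SHA'
}
sample_fail() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'no peer certificate available' '---' \
        'New, (NONE), Cipher is (NONE)'
}

if [ "$#" -ge 1 ]; then
    probe_agent "$1"                    # e.g. agenthost.domain:3872, as in the note
else
    sample_ok   | summarise_handshake   # AES256-SHA
    sample_fail | summarise_handshake   # NONE
fi
```

Run it from the OMS host with the agent's host:port as the only argument; a row that reports NONE for the protocol secdiag uses points at a protocol-level mismatch rather than a network or name-resolution problem.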

Cause
