Posts

Showing posts from March, 2011

Securing OHS layer and disabling the non-ssl port of management server (EMGC_OMSx) when using self-signed certificates (in Oracle Grid Control 11g)

Make sure that we have:

1. A server certificate (which will correspond to the identity of our OHS server). This certificate should be contained in a "new" custom Oracle wallet file named "ewallet.p12". This certificate can be self-signed or 3rd-party signed (details of creating such a wallet are out of scope of this document). I will call this wallet the "OHS identity wallet" and the server certificate within it the OHS identity certificate from this point onwards.
2. The root certificate of the CA (certifying authority) that signed the OHS identity certificate. Say this is in the file "CA_of_ohs.cer".
3. The root certificate of the CA that signed the WebLogic certificate. If you have used a 3rd-party signed certificate on WebLogic, then this will be the ROOT certificate of the corresponding CA. If you have used self-signed certificates on WebLogic, then our "CA certificate" will be the public certificate corresponding to the self-signed keypair. We can get this by exporting it from

Disabling the non-ssl port of management server (EMGC_OMSx) when using self-signed certificates (and OHS is already secured) (in Oracle Grid Control 11g)

Goal: The goal of this document is to help disable the non-SSL port of EMGC_OMS1 in an 11g Grid Control environment so that communication to this server is limited to the secure port only, come what may. Sounds easy!!! Nope, it is not. Agents (for uploading data) and browsers (for accessing the EM console) connect to this server via the front-end OHS server. This OHS server talks to our EMGC_OMS1 server over the non-secure port (you can confirm this for yourself in mod_wl_weblogic.conf). By disabling the non-secure port, we have effectively disabled this access.

This document assumes that:

1. WebLogic is already running using self-signed certificates.
2. The OHS layer is secured (using 3rd-party/self-signed/default certificates).

If OHS is secured with default certificates, and you want to secure OHS with self-signed certificates and disable the OMS non-secure port side by side, please wait for my next post.

How: These are the colors your brain will intercept while reading this article: This background color is for com