Steps to Re-configure Oracle Fusion Middleware 11.1.1.9 Components for Oracle E-Business Suite, Especially After a Clone

 

Overview

OPMN will log the following errors when attempting to start the patched opmn process with a default MD5withRSA signed certificate:

[opmn] [ERROR:1] [] [ons-secure] Connection server SSL set credentials failed (43084)
[opmn] [ERROR:1] [222] [ons-secure] SSL initialization failed

Generating and Deploying a New Wallet for TLS Enabled Release 12.2 Environments


Log in as the user that owns the application tier installation (this is usually applmgr or oracle).

Source the run file system environment and the $FMW_HOME/SetWebtier.env file.
  • $ source <EBS base install directory>/EBSapps.env run
  • $ source $FMW_HOME/SetWebtier.env
For a new Oracle E-Business Suite Release 12.2 installation, all steps must be performed on the run edition file system, which is sourced by running the following command:
  • $ source <EBS base install directory>/fs1/EBSapps/appl/APPS<CONTEXT_NAME>.env

Set an alias for the correct orapki.
  • $ alias orapki=$FMW_HOME/oracle_common/bin/orapki

Create a new wallet with an acceptable self-signed certificate in $HOME/ss. For example:


$ mkdir ~/ss
$ cd ~/ss
$ orapki wallet create -wallet ./ -auto_login_only
$ orapki wallet add -wallet . -dn "CN=FMWSmallCircleOfTrust" -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3652 -auto_login_only
$ orapki wallet display -wallet .


The last command (orapki wallet display -wallet .) allows you to verify that the wallet was properly created.

Find the instanceName of this environment and save it in an environment variable for later use.


$ tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}'
EBS_web_OHS1
$ iName=$(tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' )
$ cd $FMW_HOME/webtier/instances/$iName

Find the default wallets used by this instance.

$ find . -name cwallet.sso | fgrep -v /webgate/
./config/OPMN/opmn/wallet/cwallet.sso
./config/OHS/EBS_web/proxy-wallet/cwallet.sso
./config/OHS/EBS_web/keystores/default/cwallet.sso

Verify that each wallet only contains the self-signed certificate.

$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo -e "\n$w"; orapki wallet display -nologo -wallet $w ; done

If it is a default wallet, each wallet should list one "User Certificate" and an identical "Trusted Certificate", as shown in the following example:

./config/OPMN/opmn/wallet/cwallet.sso
Requested Certificates:
User Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Trusted Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US

Note: If a wallet is not a default wallet, make a backup copy of that wallet before proceeding.
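The default-wallet check above can be scripted so that a customised wallet is backed up before the copy step overwrites it. This is an added example, not part of the original post or Oracle's note; the ORAPKI override, the .pre-sha256.bak suffix and the second sample listing are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or Oracle's note).
# Reads `orapki wallet display -nologo` output on stdin and prints "default"
# when it shows exactly one user certificate and one trusted certificate with
# the same subject; anything else, including empty output, prints "custom".
classify_wallet() {
  awk '
    /^[ \t]*Requested Certificates:/ { sect = "req";     next }
    /^[ \t]*User Certificates:/      { sect = "user";    next }
    /^[ \t]*Trusted Certificates:/   { sect = "trusted"; next }
    /^[ \t]*Subject:/ {
      sub(/^[ \t]*Subject:[ \t]*/, ""); sub(/[ \t]+$/, "")
      if (sect == "user")    { nu++; user = $0 }
      if (sect == "trusted") { nt++; trusted = $0 }
    }
    END {
      if (nu == 1 && nt == 1 && user == trusted) print "default"; else print "custom"
    }'
}

# Back up every non-default wallet under instance directory $1 before the copy
# step overwrites it. ORAPKI and the .pre-sha256.bak suffix are assumptions.
backup_custom_wallets() {
  orapki_bin=${ORAPKI:-$FMW_HOME/oracle_common/bin/orapki}
  find "$1" -name cwallet.sso | grep -Fv /webgate/ | while read -r w; do
    kind=$("$orapki_bin" wallet display -nologo -wallet "$w" | classify_wallet)
    if [ "$kind" = custom ]; then
      cp -p "$w" "$w.pre-sha256.bak" && echo "backed up $w"
    fi
  done
}

# Listing from the page (default wallet) and a constructed CA-issued wallet.
sample_default='Requested Certificates:
User Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Trusted Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS1\20,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US'
sample_custom='Requested Certificates:
User Certificates:
Subject: CN=ebs.example.com,O=Example
Trusted Certificates:
Subject: CN=Example Issuing CA,O=Example
Subject: CN=Example Root CA,O=Example'

printf '%s\n' "$sample_default" | classify_wallet
printf '%s\n' "$sample_custom"  | classify_wallet
```

On the application tier, run backup_custom_wallets . from $FMW_HOME/webtier/instances/$iName before the copy step; a wallet whose listing cannot be read is treated as custom and backed up.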
Copy the new SHA-256 signed wallet to all default wallet locations.

$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo $w; cp -p ~/ss/cwallet.sso $w ; done

You have now copied the new self-signed wallet to the default locations in the run file system. This avoids modifying the OPMN and OHS configuration files to point to a different wallet (or wallet directory).

Prepare to make the changes to the patch file system by modifying adop_sync.drv located under $APPL_TOP_NE/ad/custom to include the following:

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

The changes will be propagated to the patch file system when you perform the steps in Section 3 during the prepare phase (adop phase=prepare) of online patching and will take effect after a successful cutover (adop phase=cutover).


After this procedure is complete, do not remove or alter the updated adop_sync.drv file.


To use the Oracle Fusion Middleware Control Enterprise Manager (EM) Console at http://<app01>:7001/em to manage OHS, you may have to re-register OHS and its new certificate with Fusion Middleware Control. This must be done on both the run and patch file systems.


If you have determined that OHS reports as down in the Oracle Fusion Middleware EM Console, perform these steps to re-register OHS:

a. Obtain the host, port, and user name variables for WLS Admin from CONTEXT_FILE:

aHost=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_host"/ {print $(NF-1)}' )
aPort=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_adminport"/ {print $(NF-1)}' )
aUser=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_user"/ {print $(NF-1)}' )


b. Re-register OHS using the following commands:

cd $FMW_HOME/webtier/instances/$iName/bin
./opmnctl unregisterinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser -instanceName $iName
./opmnctl registerinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser




For reference: Oracle Metalink Doc ID 2555355.1
