Step 1: Log in as the user responsible for the application tier installation. Then source the run file system environment and the $FMW_HOME/SetWebtier.env file.
$ source <EBS base install directory>/EBSapps.env run
$ source $FMW_HOME/SetWebtier.env
Step 2: Set an alias for the appropriate orapki command.
$ alias orapki=$FMW_HOME/oracle_common/bin/orapki
Step 3: Generate a new wallet with an acceptable self-signed certificate in the directory $HOME/ss. Here’s an example:
$ mkdir ~/ss
$ cd ~/ss
$ orapki wallet create -wallet ./ -auto_login_only
$ orapki wallet add -wallet . -dn "CN=FMWSmallCircleOfTrust" -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3652 -auto_login_only
$ orapki wallet display -wallet .
To confirm that the wallet was created successfully, check the output of the final command (orapki wallet display -wallet .).
Step 4: Identify the instanceName of the current environment and save it in a shell variable (iName) for future reference.
$ tr < $CONTEXT_FILE '<>' ' ' | awk '/"s_ohs_instance"/ {print $(NF-1)}'
EBS_web_OHS1
$ iName=$(tr < $CONTEXT_FILE '<>' ' ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' )
Step 5: Navigate to the instance directory.
$ cd $FMW_HOME/webtier/instances/$iName
Locate the default wallets utilized by this instance.
$ find . -name cwallet.sso | fgrep -v /webgate/
./config/OPMN/opmn/wallet/cwallet.sso
./config/OHS/EBS_web/proxy-wallet/cwallet.sso
./config/OHS/EBS_web/keystores/default/cwallet.sso
Step 6: Verify that each wallet contains only the self-signed certificate.
$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo -e "\n$w"; orapki wallet display -nologo -wallet "$w" ; done
For default wallets, confirm that each wallet exhibits a single “User Certificate” and a matching “Trusted Certificate.” Refer to the following example for clarification:
./config/OPMN/opmn/wallet/cwallet.sso
Requested Certificates:
User Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS120,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Trusted Certificates:
Subject: CN=Self-Signed Certificate for EBS_web_OHS120,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Note: If a wallet is not a default wallet, it is advisable to create a backup copy of the wallet before proceeding further.
Step 7: Copy the newly created wallet with the SHA-256 signature into all of the default wallet locations.
$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo $w; cp -p ~/ss/cwallet.sso $w ; done
This copies the newly generated self-signed wallet to the default locations within the run file system. This approach eliminates the need to modify the OPMN and OHS configuration files to reference an alternative wallet or wallet directory.
Step 8: To carry the changes over to the patch file system, edit the adop_sync.drv file located in $APPL_TOP_NE/ad/custom and add the following entries:
#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso
Once you execute the steps outlined in Section 4 during the prepare phase (adop phase=prepare) of the online patching process, the aforementioned changes will be applied to the patch file system. These changes will come into effect following a successful cutover (adop phase=cutover).
After completing this procedure, do not remove or modify the updated adop_sync.drv file.
Step 9: Re-register OHS if necessary.
Retrieve the host, port, and user name variables for WLS Admin from CONTEXT_FILE.
$ aHost=$( tr < $CONTEXT_FILE '<>' ' ' | awk '/"s_wls_admin_host"/ {print $(NF-1)}' )
$ aPort=$( tr < $CONTEXT_FILE '<>' ' ' | awk '/"s_wls_adminport"/ {print $(NF-1)}' )
$ aUser=$( tr < $CONTEXT_FILE '<>' ' ' | awk '/"s_wls_admin_user"/ {print $(NF-1)}' )
Perform the re-registration of OHS by executing the following commands:
$ cd $FMW_HOME/webtier/instances/$iName/bin
$ ./opmnctl unregisterinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser -instanceName $iName
$ ./opmnctl registerinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser
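An added example, not part of the original procedure or of Oracle's tooling: a shell helper that applies the Step 6 check mechanically by parsing orapki wallet display output, and backs up any wallet that is not a default one (per the Note) before Step 7 overwrites it. The .pre-sha256.bak suffix and the certificate subjects in the second sample are assumptions, and both sample outputs are constructed.

```shell
#!/bin/sh
# Classify `orapki wallet display` output read from stdin, per Step 6.
# "default" = exactly one User Certificate and one Trusted Certificate
# with the same Subject; anything else is "custom".
classify_wallet_display() {
  awk '
    /^Requested Certificates:/ { sec = "req";   next }
    /^User Certificates:/      { sec = "user";  next }
    /^Trusted Certificates:/   { sec = "trust"; next }
    /^[ \t]*Subject:/ {
      sub(/^[ \t]*Subject:[ \t]*/, "")
      n[sec]++; subj[sec] = $0
    }
    END {
      if (n["user"] == 1 && n["trust"] == 1 && subj["user"] == subj["trust"])
        print "default"
      else
        print "custom"
    }'
}

# Run from $FMW_HOME/webtier/instances/$iName before Step 7.
# Uses the full orapki path because aliases do not expand in scripts.
# The .pre-sha256.bak suffix is a hypothetical naming choice.
backup_custom_wallets() {
  find . -name cwallet.sso | grep -F -v /webgate/ | while read -r w; do
    kind=$("$FMW_HOME/oracle_common/bin/orapki" wallet display -nologo -wallet "$w" |
           classify_wallet_display)
    echo "$kind $w"
    [ "$kind" = default ] || cp -p "$w" "$w.pre-sha256.bak"
  done
}

# Constructed sample output (the first mirrors the example in Step 6).
SAMPLE_DEFAULT='Requested Certificates:
User Certificates:
Subject:        CN=Self-Signed Certificate for EBS_web_OHS120,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US
Trusted Certificates:
Subject:        CN=Self-Signed Certificate for EBS_web_OHS120,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US'
SAMPLE_CUSTOM='Requested Certificates:
User Certificates:
Subject:        CN=ebs.example.com,O=Example Corp,C=US
Trusted Certificates:
Subject:        CN=Example Issuing CA,O=Example Corp,C=US
Subject:        CN=Example Root CA,O=Example Corp,C=US'

printf '%s\n' "$SAMPLE_DEFAULT" | classify_wallet_display   # default
printf '%s\n' "$SAMPLE_CUSTOM"  | classify_wallet_display   # custom
```

Any wallet reported as custom holds certificates that Step 7 would replace, so check that its backup exists before running the copy.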