Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2317046.1
Update Date: 2017-10-20

Solution Type  Problem Resolution Sure

Solution  2317046.1 :   Oracle ILOM Remote System Console/Oracle ILOM Remote System Console Plus Failure After Uploading a Custom Certification Authority (CA) SSL Certificate.  


Related Items
  • Integrated Lights Out Manager (ILOM)
  • Sun Server X3-2
Related Categories
  • PLA-Support>Sun Systems>x86>Server>SN-x86: Sun Server X3

In this Document
Symptoms
Changes
Cause
Solution
References


Created from <SR 3-15741316481>

Applies to:

Sun Server X3-2 - Version All Versions and later
Integrated Lights Out Manager (ILOM) - Version 3.0 and later
Information in this document applies to any platform.
Oracle Integrated Lights Out Manager (ILOM) - Version 3.2.10.x (JUL17CPU).

This note applies to the Oracle ILOM Remote System Console and Oracle ILOM Remote System Console Plus applications on Oracle ILOM versions 3.2.10.x and later. The affected versions were released starting in July 2017.

Use the Oracle ILOM CLI "version" command to display the version and date of the Oracle ILOM firmware currently running on the SP. This information is also available on the "Versions" tab under "System Information" in the Oracle ILOM web interface.

The Oracle ILOM Remote System Console and Oracle ILOM Remote System Console Plus are Java Web Start applications that you can launch from the Oracle ILOM web interface. When you use the Oracle ILOM Remote System Consoles, you can redirect and control the following remote KVMS features:

- Keyboard
- Mouse
- Video and/or Serial Console Display
- Storage devices or images (CD/DVD, floppy device)

For more information, see:

Using Remote KVMS Console for Host Server Redirection at: https://docs.oracle.com/cd/E37444_01/html/E37446/cjcdfddd.html#scrolltoc

Using Remote KVMS Securely at: https://docs.oracle.com/cd/E37444_01/html/E37451/z4002aeb1392373.html#ILMSGz4002aeb1392373

Symptoms

When a custom Certificate Authority (CA) SSL certificate is uploaded to Oracle ILOM, the remote console fails to start and displays an error message. The Remote System Console Plus displays:

[Image: JRCplus error dialog]

The Remote System Console displays:

[Image: JRC error dialog]

Changes

 Additional SSL certificate validation checks have been introduced in Oracle ILOM as of firmware version 3.2.10.x.

Cause

This problem occurs when the Java client is not properly configured to validate a custom CA SSL certificate currently being used by Oracle ILOM.

The Java client uses a keystore to validate CA certificates. In cases where the required root CA certificate or intermediate root CA certificate is not in the Java keystore, the validation will fail. To view the Java keystore, use the keytool command with the -list option, for example:

For Windows: > keytool -list -keystore "c:\Program Files (x86)\Java\jre\lib\security\cacerts"

For Linux: % keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Look for the alias and/or fingerprint of the root CA certificate or intermediate root CA certificate required by the custom CA certificate loaded to Oracle ILOM.

Solution

Add the missing root CA certificate or intermediate root CA certificate to the Java keystore using the keytool command with the -importcert option, for example:

For Windows: > keytool -importcert -alias certalias -file root-ca-cert -keystore "c:\Program Files (x86)\Java\jre\lib\security\cacerts"

On Windows, this command needs to be run as administrator. To start a command prompt as an administrator on Windows: Click Start, click All Programs, and then click Accessories. Right-click Command prompt, and then click Run as administrator.

For Linux: % keytool -importcert -alias certalias -file root-ca-cert -keystore $JAVA_HOME/jre/lib/security/cacerts

Verify that the required root CA certificate or intermediate root CA certificate is now available in the Java keystore using the keytool command with the -list and -alias options, for example:

For Windows: > keytool -list -alias certalias -keystore "c:\Program Files (x86)\Java\jre\lib\security\cacerts"

For Linux: % keytool -list -alias certalias -keystore $JAVA_HOME/jre/lib/security/cacerts
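
The list, import and verify steps above as one script for Linux, matching the CA certificate by SHA-256 fingerprint rather than by alias, since the same certificate may already be in the keystore under a different alias. This is an added example, not part of the Oracle note; it assumes keytool is on the PATH and that the keystore still uses the default cacerts password "changeit" (override with the STOREPASS variable, a name chosen here), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumptions: keytool is on PATH and the
# keystore password is the cacerts default "changeit" unless STOREPASS is set.

# Print the SHA-256 fingerprint found in `keytool -printcert` output (stdin).
cert_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' |
        head -n 1 | tr 'abcdef' 'ABCDEF'
}

# Succeed if `keytool -list -v` output (stdin) contains fingerprint $1.
listing_has_fp() {
    want=$1
    # Accept only a full fingerprint: 32 hex pairs joined by ':' (95 chars).
    [ "${#want}" -eq 95 ] || return 2
    case $want in *[!0-9A-Fa-f:]*) return 2 ;; esac
    grep -qi "SHA256:[[:space:]]*$want"
}

# usage: ensure_ca_trusted <ca-cert-file> <alias> <keystore>
ensure_ca_trusted() {
    ca_file=$1 ca_alias=$2 keystore=$3 pass=${STOREPASS:-changeit}
    fp=$(keytool -printcert -file "$ca_file" | cert_sha256)
    [ -n "$fp" ] || { echo "no SHA-256 fingerprint in $ca_file" >&2; return 1; }
    echo "CA certificate SHA-256: $fp"
    if keytool -list -v -keystore "$keystore" -storepass "$pass" |
            listing_has_fp "$fp"; then
        echo "already present in $keystore, nothing to import"
        return 0
    fi
    # No -noprompt: keytool shows the certificate and asks before trusting it.
    keytool -importcert -alias "$ca_alias" -file "$ca_file" \
        -keystore "$keystore" -storepass "$pass" || return 1
    # Verify the entry stored under the alias is the certificate we intended.
    keytool -list -v -alias "$ca_alias" -keystore "$keystore" \
        -storepass "$pass" | listing_has_fp "$fp"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    ensure_ca_trusted "$@"
fi
```

Compare the printed fingerprint with the value published by the issuing CA before answering keytool's trust prompt; the script exits non-zero if the entry stored under the alias does not match the file that was supplied.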

References

Uploading a Custom SSL Certificate to Oracle ILOM: http://docs.oracle.com/cd/E37444_01/html/E37451/z40000061640193.html#scrolltoc
Keytool for Windows: https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html
Keytool for Linux: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.