Nov 30

13C OMS and TLSv1.2

A while ago I deployed OEM 13c to manage and monitor our databases. We have a lot of different systems on different architectures and operating systems. For the most part the move from OEM12c to OEM 13c was pretty smooth. As part of this process we were instructed to lock everything down to TLSv1.2, which is a huge pain inside of OEM. All the internal connections from the different components and nothing was listed in the documentation together. It took a lot of trial and error, but once it was setup, the deployment of the agents went just fine.

At least until I got to our AIX hosts. This is one of the longest open tickets I have ever had with oracle. Bug:23708579. After 9 months Oracle finally got me a patch that resolved the problem this week.


$ ./emctl start agent 
Oracle Enterprise Manager Cloud Control 13c Release 2 
Copyright (c) 1996, 2016 Oracle Corporation. All rights reserved. 
Starting agent ................ failed. 
SSL Configuration failed at Startup 
Consult emctl.log and emagent.nohup in: /u01/app/oracle/product/agent13c/agent_inst/sysman/log

From the log files

27656382 :: 2017-04-11 11:49:08,943::AgentLifeCycle.pm: Processing setproperty agent 
27656382 :: 2017-04-11 11:49:08,943::AgentStatus.pm:Processing setproperty agent 
27656382 :: 2017-04-11 11:49:12,411::AgentStatus.pm:/u01/app/oracle/product/agent13c/agent_13. setproperty agent -name SSLCipherSuites -value TLS_RSA_WITH_AES_128_CBC_SHA returned 0 
27656382 :: 2017-04-11 11:49:12,412::Cleaning up agent command lock 
27656382 :: 2017-04-11 11:49:12,412::AgentCommandLock:closed file handle of emctl lockfile 
25624672 :: 2017-04-11 11:49:23,995::Initializing the agent command locking system 
25624672 :: 2017-04-11 11:49:24,039::AgentLifeCycle.pm: Processing stop agent 
25624672 :: 2017-04-11 11:49:24,039::AgentLifeCycle.pm: ParentProcess id=9175258 
25624672 :: 2017-04-11 11:49:26,815::AgentStatus.pm:emdctl status agent returned 1 
25624672 :: 2017-04-11 11:49:26,815::Status Output:Status agent Failure:Unable to connect to the agent at https://myoemserver:3872/emd/lifecycle/main/ [Connection refused] 

There was a lot of confusion over this issue and originally they told me it was a bug in AIX that we would need to get IBM to fix. It turns out the patch that was needed was an agent patch

After applying patch: 25237184 the agent can now be locked to TLSv1.2 by adding the following to emd.properties


and then by re-securing the agent with the “-protocol tlsv1.2” flag

./emctl secure agent "myPassword" -protocol tlsv1.2 

After this the agent was able to start up and start communicating with the OMS.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>