11.14 Certificate Management and Expiry

This section explains how to manage SSL certificates that are due to expire.

The certificates used by the OAA installation are stored in PKCS files in the <NFS_CREDS_PATH>. These files are:
  • cert.p12 - contains the server certificate and key
  • trust.p12 - contains the trusted certificate authority certificate(s)
These files were generated either by yourself if using a commercial certificate authority, or by the installation if using self-signed certificates. See, Generating Server Certificates and Trusted Certificates.

Note:

Administrators should be aware of the following:
  • Self-signed certificates are only generated automatically by installations performed using the January 25 release or later. If you installed prior to January 25 you will have generated the self signed certificates, and cert.p12 and trust.p12 manually.
  • Self-signed certificates generated by the installation, using January 25 release or later, have a validity of 6 months.

The trust.p12 also contains the certificates used by OAM. This includes the server certificate used by OAM, and it's full chain of trust. If you installed OAA from January 25 onwards, the original installation retrieved these certificates for you and imported them into the trust.p12. Prior to January 25 this was manual task and Administrators had to import them prior to installation.

Administrators should be aware of the following:
  • If you are renewing third party certificates that were originally generated following Using a Third Party CA for Generating Certificates, you must recreate the cert.p12 and trust.p12 with the new certificate. The same instructions can be followed but you must rename your existing files before proceeding.
  • If you were using self-signed certificates and now want to generate your own third party certificates, you must follow Using a Third Party CA for Generating Certificates to create a cert.p12 and trust.p12.
  • If you are renewing self-signed certificates, the cert.p12 and trust.p12 will be automatically regenerated with new certificates during the deployment update.
  • If you are renewing OAM certificates, the certificate must first be renewed on the OAM server. During the deployment update, the OAM certificates will be retrieved automatically and added to the trust.p12.

Updating the Deployment

To update the deployment with new certificates:
  1. Enter the management pod, for example:
    kubectl exec -n oaans -ti oaamgmt-oaa-mgmt-84955fdf8f-x22k4 -- /bin/bash
  2. If using third party certificates and have generated your own cert.p12 and trust.p12 files, you must do the following:
    1. Navigate to the /u01/oracle/scripts/creds directory and rename the existing files:
      cd /u01/oracle/scripts/creds
mv trust.p12 trust.p12.old
mv cert.p12 cert.p12.old
    2. Outside the container, on the <INSTALL_HOST>, navigate to the <WORKDIR> where the new trust.p12 and cert.p12 files are located. For example:
      cd /workdir
    3. Run the following commands to copy the new files to the /u01/oracle/scripts/creds/ which maps to the <NFS_CREDS_PATH>:
      kubectl cp <WORKDIR>/cert.p12 <NAMESPACE>/<OAAMGMTPOD>:/u01/oracle/scripts/creds/cert.p12
kubectl cp <WORKDIR>/trust.p12 <NAMESPACE>/<OAAMGMTPOD>:/u01/oracle/scripts/creds/trust.p12
      For example:
      kubectl cp /workdir/cert.p12 oaans/oaamgmt-oaa-mgmt-84955fdf8f-x22k4:/u01/oracle/scripts/creds/cert.p12
kubectl cp /workdir/trust.p12 oaans/oaamgmt-oaa-mgmt-84955fdf8f-x22k4:/u01/oracle/scripts/creds/trust.p12
  3. Inside the management container, edit the /u01/oracle/scripts/settings/installOAA.properties and ensure the following parameters are set:

    Note:

    These parameters should be already set from the original installation, unless you are moving from self-signed certificates to third party certificates.
    Variable Sample Value Description
    common.deployment.keystorepassphrase=<USER_CERT_P12_PWD> password

    If using your own certificates, you must set this to <USER_CERT_P12_PWD>.

    If you are going to use the self-signed certificates generated by OAA during installation, then set to a password of your choice.
    common.deployment.truststorepassphrase=<TRUST_CERT_P12_PWD> password

    If using your own certificates, you must set this to <TRUST_CERT_P12_PWD>.

    If you are going to use the self-signed certificates generated by OAA during installation, then set to a password of your choice.
  4. Edit the /u01/oracle/logs/status.info and change the following two parameters to FALSE
    CERTIFICATEINSTALL=false
VAULTINSTALL=false
  5. Run the following command to update the deployment:
    cd ~
./OAA.sh -f installOAA.properties

    This command will update the deployment with the new certificates.

    During the deployment update, progress is shown on the screen. If you need more detailed information, you can view the install.log. The log is accessible from within the management container at /u01/oracle/logs, or outside the container at <NFS_LOGS_PATH>.

    If the deployment update is successful you will see output similar to Printing Deployment Details.

    Note:

    If you encounter problems with the deployment update, see Troubleshooting the Installation.