Expiration Checklist for Fusion Applications

Introduction

When running Fusion Applications, as with any software, there are a number of operational tasks that need to be performed on a routine basis.  One such task is to proactively check for accounts or certificates that will expire soon.  This blog will explore the key areas to check to ensure your implementation continues to run uninterrupted.

Main Article

Two main things, when expired, will significantly affect the operations of Fusion Applications. These are database passwords and certificates. As such these expiration dates need to be checked and maintained properly.

Checking for Expiring Database Account Passwords

Fusion Applications has many schema users in the Fusion Application database.  Many of these schema users by default have no expiry date, however some do.  You can check the expiration date for these passwords using sqlplus and connecting to the FA database as sys.  Use the following command to check the expiry_date:

select username, account_status, expiry_date, sysdate from dba_users where expiry_date is not null;

TODO:  Keep track of when database accounts will expire.  When the database accounts will soon expire, update the accounts and reset the expiry_date according to your established corporate security policy requirements.  Note: You can reuse the existing password when resetting these schema accounts.

Check for Expiring Certificates

Fusion Applications will fail when certificates expire.  It’s important to check all certificate stores (JKS for WebLogic and PKCS#12 for OHS) for expiring keys and certificates so that they can be renewed in a controlled and timely manner.

For Fusion JKS Certificate Stores

You should maintain a list of all certificate stores so that they can be located easily.

The Fusion JKS stores are: fusion_trust.jks and <hostname>_fusion_identity.jks in APPLICATIONS_BASE/fusionapps/wlserver_10.3/server/lib.

For each JKS store, use keytool to examine the contents, noting the expiration date for each key and certificate:

$JAVA_HOME/bin/keytool -list -v -keystore <keystore filename>

fusion_trust.jks contains the keys and certificates in each of the <hostname>_fusion_identity.jks.  When replacing the key and certificates, you must replace each <hostname>_fusion_identity.jks and fusion_trust.jks separately.
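To turn the keytool listing into an expiry report, the following added example (not part of the original post or of any Oracle tooling) parses `keytool -list -v` output and returns the entries expiring within a warning window. It assumes keytool's English-locale "Valid from: ... until: ..." line format; the script, its function name and the sample listing are constructed for illustration.

```python
import re
import sys
from datetime import datetime

# Constructed sample of `keytool -list -v` output (not from a real keystore).
SAMPLE = """\
Alias name: host1_fusion
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=host1.example.com
Valid from: Tue Mar 05 10:00:00 PST 2013 until: Fri Mar 03 10:00:00 PST 2023

Alias name: example_root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sat Jan 01 00:00:00 UTC 2028
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
# Captures month, day, time and year of the "until:" date; skips weekday and zone.
UNTIL_RE = re.compile(
    r"until:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+(\d{4})"
)


def expiring_entries(keytool_output, now, warn_days=60):
    """Return (alias, not_after, days_left) for certificates expiring within
    warn_days, soonest first. Already-expired ones have negative days_left.
    The time zone token is ignored, so days_left may be off by up to a day.
    Every certificate in a chain is reported under its entry's alias.
    """
    alias, hits = None, []
    for line in keytool_output.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            alias = m.group(1)
            continue
        m = UNTIL_RE.search(line)
        if not m:
            continue
        not_after = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
        days_left = (not_after - now).days
        if days_left <= warn_days:
            hits.append((alias, not_after, days_left))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Pipe keytool output in; falls back to the constructed sample on a terminal.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias, not_after, days in expiring_entries(text, datetime.now()):
        print(f"{alias}\t{not_after:%Y-%m-%d}\t{days} days left")
```

Run it once per store by piping the keytool command above into the script, and schedule it so that each <hostname>_fusion_identity.jks and fusion_trust.jks is covered.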

For Webgate Certificate

You should note down the expiration date of the webgate certificate and replace it as appropriate.  The webgate certificate is in APPLICATIONS_CONFIG/CommonDomain_webtier/config/OHS/ohs1/webgate/config/simple. To check the certificate expiration date, use keytool to examine the contents:

For PKCS#12 Certificate Stores

The location of the certificate stores used by FA OHS instances can be found in the OHS configuration files. The following example shows how to determine this:

cat *.conf ./moduleconf/*.conf | grep SSLWallet

Each of these should be opened with the orapki utility to examine the content and verify the certificate expiration. The orapki utility is described in detail here:

http://docs.oracle.com/cd/E16340_01/core.1111/e10105/walletmgr.htm#CDEFHBGA
