How to import certificates for monitoring Oracle database with SSL authentication?

How to import certificates for monitoring Oracle database with SSL authentication?

For users using Applications Manager version 14250 and below:

One-way SSL: (Client authentication disabled)


1. Open the command prompt using 'Run as administrator' option and navigate to the Applications Manager installation directory.

2. Import your trusted CA certificate(s) to AppManager_Home\working\Cert\apm.keystore

      Navigate to AppManager_Home\working\jre\bin, execute the following command

      keytool -importcert -file [FILE PATH TO CERTIFICATE] -keystore [AppManager_Home\working\Cert\apm.keystore] -alias alias

       Example:
       keytool -importcert -file C:\myFiles\clientCertificate.cer -keystore AppManager_Home\working\Cert\apm.keystore -alias apmClient

3. Restart Applications Manager to verify SSL connectivity while using Oracle database monitor.

You need to replace AppManager_Home with the actual directory path where AppManager is installed.

Alternatively, you can use KeyStore explorer. KeyStore Explorer is an open-source GUI replacement for the Java command-line utilities like keytool.

Two-way SSL:


1. Open the command prompt using 'Run as administrator' option and navigate to the Applications Manager installation directory.

2. Import your client certificate(s) to AppManager_Home\working\Cert\apm.keystore
      Navigate to AppManager_Home\working\jre\bin, execute the following command

      keytool -importcert -file [FILE PATH TO CERTIFICATE] -keystore [AppManager_Home\working\Cert\apm.keystore] -alias alias

       Example:
       keytool -importcert -file C:\myFiles\clientCertificate.cer -keystore AppManager_Home\working\Cert\apm.keystore -alias apmClient

      If the client's certificate is in PKCS12 format, first set certificate password to appmanager. Then execute the following command to import the certificate in Keystore.

      keytool -v -importkeystore -srckeystore [PATHTOCERTIFICATE] -srcstoretype PKCS12 -destkeystore             AppManager_Home\working\Cert\apm.keystore -deststoretype JKS

            Enter destination keystore password: (by default it is appmanager)
              Enter source keystore password: appmanager
              Entry for alias orakey successfully imported.

      Example:
        keytool -v -importkeystore -srckeystore C:\myFiles\orakey.p12 -srcstoretype PKCS12 -destkeystore             AppManager_Home\working\Cert\apm.keystore -deststoretype JKS

3. Restart Applications Manager to verify SSL connectivity while using Oracle database monitor.

You need to replace AppManager_Home with the actual directory path where AppManager is installed.

Certificate password and Keystore password should match, which must be set to appmanager.


For users using Applications Manager version 14260 and above:


A new option to import SSL certificates from GUI was introduced with version 14260 release.

To import certificates with "Manage Certificates", follow the steps given below:

  1. Go to Admin--> Tools--> Manage Certificates.
  2. Once you enter, details of the "Certificate currently being used by Applications Manager" will be displayed under SSL configuration tab.
  3. If you want to import a new SSL certificate, click "Import new SSL certificate" button. You will be prompted to choose whether you want to Generate CSR or Import certificate.  
    1. In case you choose Generate CSR, the following details need to be entered.
    2. After entering the details, click Generate to generate the certificate. If you want to reset the details you've entered, click Reset. On clicking the Generate button your CSR and private key files will be downloaded as a ZIP. Extract the file and use the "AppManager.csr" file to get a signed certificate from a CA of your choice.
    3.  If you already have a valid certificate and key files (or) a keystore or a PFX file with the certificate, choose Import certificate and click choose file.
      1.  Select the appropriate certificate and the key file.
      2. Verify the details and choose Import.
      3. If the certificate cannot be validated with trusted sources, you will be asked to provide the intermediate certificates and root certificate files. On successful import, you will be prompted to restart Applications Manager.
    4. If you are using a Keystore or a PFX file, you will be prompted to input the password for opening the file.
      1. On clicking Fetch, you will be provided with a list of Key-entries present in the Keystore.  Choose a specific alias which is to be used to enable SSL in Applications Manager.
      2. You will be shown a preview of the certificate information, verify and click on Import for using the certificate.
      3. Finally you will be prompted to restart Applications Manager for the changes to take effect.
  4. If you want to import Trust Certificates, click on the "Trust Certificates" tab. Here you have 3 options to import certificates into trusted sources.
    1. Fetch certificate from a URL reachable from Applications Manager server.
      1. If you choose URL and provide the url of the service you want to trust, you will be prompted to verify and import the fetched certificate.
      2. Choose the SSL version from the drop-down menu. By default, it is set as auto. 
      3. Click Import and it will be added to the trusted sources.
    2. Directly upload certificates from a Keystore/Truststore.
      1. If you choose this option, then you will have to browse and select the appropriate keystore/truststore/pfx file. 
      2. Input the password and click Fetch.
      3. You will be shown a list of aliases availale in the truststore you can choose the ones you want and click Import.
    3. Directly upload certificates as files.
      1. Choose the necessary file.
      2. On clicking Import, it will be added to Applications Manager's trust store.
  5. Click List certificates tab to view the Keystore Password and List of certificates.