Friday, June 27, 2025

OEM stopped working and startup failed with "WebTier Could Not Be Started"

Oracle Enterprise Manager (OEM) suddenly stopped working, and trying to start it fails with this error:

$emctl start oms
Oracle Enterprise Manager Cloud Control 13c Release 5
Copyright (c) 1996, 2021 Oracle Corporation. All rights reserved.
Starting Oracle Management Server...
WebTier Could Not Be Started.
Error Occurred: WebTier Could Not Be Started.

Oracle provides a default wallet and self-signed certificate out of the box for testing SSL functionality.
These self-signed certificates expire after some time, and an expired certificate can prevent OHS from starting.
The steps below are a simple method for recreating this wallet.

Solution: 

1. Stop OHS (and AdminServer if collocated). Next, move ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default/cwallet.sso
to cwallet.sso.expired. This only renames the file, because the wallet will be recreated.
Example:
$ pwd
$DOMAIN_HOME_PATH/config/fmwconfig/components/OHS/ohs1/keystores/default

$ mv cwallet.sso cwallet.sso.expired

2. Make sure orapki is in the $PATH variable.

Check to see if orapki is in the $PATH Environment Variable:
$ which orapki
Add it to the beginning of the $PATH environmental variable:
$ export PATH=$OMS_HOME/oracle_common/bin:$PATH
4. Execute the following commands from the directory where the old wallet was renamed, i.e. ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default/
$ orapki wallet create -wallet . -auto_login_only
(NOTE: The dot (.) is specified here as the Present Working Directory.)
Example output:

Oracle PKI Tool : Version 12.2.1.2.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

$ ls
cwallet.sso cwallet.sso.expired cwallet.sso.lck
5. Now recreate the self-signed certificate using the same DN used in the original wallet.
$ orapki wallet add -wallet . -dn 'CN=localhost,OU=FOR TESTING ONLY,O=FOR TESTING ONLY' -keysize 2048 -self_signed -validity 3650 -auto_login_only
(NOTE: The dot (.) is specified here as the Present Working Directory.)
Example output:

Oracle PKI Tool : Version 12.2.1.2.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
6. Now check the wallet with the display command:
$ orapki wallet display -wallet .
(NOTE: The dot (.) is specified here as the Present Working Directory.)
Example output:

Oracle PKI Tool : Version 12.2.1.2.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Subject: CN=localhost,OU=FOR TESTING ONLY,O=FOR TESTING ONLY
Trusted Certificates:
Subject: CN=localhost,OU=FOR TESTING ONLY,O=FOR TESTING ONLY

$ openssl x509 -in server.cer -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
9a:a0:bb:e2:f5:ff:3b:e8:8d:46:7a:ac:18:f3:89:39
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=FOR TESTING ONLY, OU=FOR TESTING ONLY, CN=localhost
Validity
Not Before: Nov 17 15:45:08 2020 GMT
Not After : Nov 15 15:45:08 2030 GMT
7. Now that a new self-signed certificate and wallet have been created in the same directory where the old one was renamed, OHS (and AdminServer if collocated) can be restarted successfully.
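
An added example, not part of the original post or Oracle's tooling: a Python check that reads `openssl x509 -noout -text` output like that shown in step 6 and reports whether the certificate is expired or close to expiry, and whether it is still the "FOR TESTING ONLY" demo certificate. The function names, the 30-day warning threshold and the embedded sample (constructed from the output above) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the relevant lines of the openssl output shown in the post.
SAMPLE = """\
Certificate:
    Data:
        Issuer: O=FOR TESTING ONLY, OU=FOR TESTING ONLY, CN=localhost
        Validity
            Not Before: Nov 17 15:45:08 2020 GMT
            Not After : Nov 15 15:45:08 2030 GMT
"""

_DATE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*GMT")
_ISSUER = re.compile(r"^\s*Issuer:\s*(.+)$", re.M)


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    found = {}
    for kind, stamp in _DATE.findall(text):
        stamp = " ".join(stamp.split())  # openssl pads single-digit days: "Nov  5"
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block not found in input")
    return found["Before"], found["After"]


def check_cert(text, now=None, warn_days=30):
    """Report expiry status, whole days left, and whether this is the demo cert."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(text)
    days_left = (not_after - now).days
    if now >= not_after:
        status = "EXPIRED"
    elif now < not_before:
        status = "NOT_YET_VALID"
    elif days_left < warn_days:
        status = "EXPIRING"
    else:
        status = "OK"
    issuer = _ISSUER.search(text)
    demo = bool(issuer and "FOR TESTING ONLY" in issuer.group(1))
    return {"status": status, "days_left": days_left, "demo_cert": demo}


if __name__ == "__main__":
    print(check_cert(SAMPLE))
```

Run on a schedule against the certificate's text output, this catches the expiry before the WebTier refuses to start.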
