A while ago I deployed OEM 13c to manage and monitor our databases. We have a lot of different systems on different architectures and operating systems. For the most part the move from OEM 12c to OEM 13c was pretty smooth. As part of this process we were instructed to lock everything down to TLSv1.2, which is a huge pain inside of OEM. There are all the internal connections from the different components, and nothing was listed together in the documentation. It took a lot of trial and error, but once it was set up, the deployment of the agents went just fine.
At least until I got to our AIX hosts. This is one of the longest open tickets I have ever had with Oracle. Bug: 23708579. After 9 months Oracle finally got me a patch that resolved the problem this week.
$ ./emctl start agent
Oracle Enterprise Manager Cloud Control 13c Release 2
Copyright (c) 1996, 2016 Oracle Corporation. All rights reserved.
Starting agent ................ failed.
SSL Configuration failed at Startup
Consult emctl.log and emagent.nohup in: /u01/app/oracle/product/agent13c/agent_inst/sysman/log

From the log files:

27656382 :: 2017-04-11 11:49:08,943::AgentLifeCycle.pm: Processing setproperty agent
27656382 :: 2017-04-11 11:49:08,943::AgentStatus.pm:Processing setproperty agent
27656382 :: 2017-04-11 11:49:12,411::AgentStatus.pm:/u01/app/oracle/product/agent13c/agent_13.2.0.0.0/bin/emdctl setproperty agent -name SSLCipherSuites -value TLS_RSA_WITH_AES_128_CBC_SHA returned 0
27656382 :: 2017-04-11 11:49:12,412::Cleaning up agent command lock
27656382 :: 2017-04-11 11:49:12,412::AgentCommandLock:closed file handle of emctl lockfile
25624672 :: 2017-04-11 11:49:23,995::Initializing the agent command locking system
25624672 :: 2017-04-11 11:49:24,039::AgentLifeCycle.pm: Processing stop agent
25624672 :: 2017-04-11 11:49:24,039::AgentLifeCycle.pm: ParentProcess id=9175258
25624672 :: 2017-04-11 11:49:26,815::AgentStatus.pm:emdctl status agent returned 1
25624672 :: 2017-04-11 11:49:26,815::Status Output:Status agent Failure:Unable to connect to the agent at https://myoemserver:3872/emd/lifecycle/main/ [Connection refused]
There was a lot of confusion over this issue, and originally they told me it was a bug in AIX that we would need to get IBM to fix. It turns out the patch that was needed was an agent patch.
After applying patch 25237184, the agent can now be locked to TLSv1.2 by adding the following to emd.properties:
_frameworkTlsProtocols=TLSv1.2
_frameworkSSLContextProtocol=TLSv1.2

and then by re-securing the agent with the "-protocol tlsv1.2" flag:
./emctl secure agent "myPassword" -protocol tlsv1.2
After this the agent was able to start up and start communicating with the OMS.
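A check for the two emd.properties settings above, useful when the same lock-down has to be confirmed on many agents. This is an added example, not Oracle tooling or a script from this post; the function names prop_value and check_agent_tls are made up here, and it assumes a property counts as locked only when its value is exactly TLSv1.2.

```shell
#!/bin/sh
# Added example: audit an agent's emd.properties for the TLSv1.2 lock-down.
# Assumption: only the exact value "TLSv1.2" is treated as locked.
REQUIRED_PROPS="_frameworkTlsProtocols _frameworkSSLContextProtocol"

# Print the effective value of property $2 in file $1.
# Comment lines are skipped, whitespace is trimmed, the last definition wins.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# Return 0 if both properties are exactly TLSv1.2, 1 if any is missing or
# set to something else, 2 if the file cannot be read.
check_agent_tls() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "UNREADABLE $file"; return 2; }
    for prop in $REQUIRED_PROPS; do
        val=$(prop_value "$file" "$prop")
        if [ "$val" = "TLSv1.2" ]; then
            echo "OK      $prop=$val"
        elif [ -z "$val" ]; then
            echo "MISSING $prop"; rc=1
        else
            echo "WEAK    $prop=$val"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real agent file): one property still names
# TLSv1 and the other is absent, so the check reports both and fails.
demo=$(mktemp)
printf '%s\n' '# constructed sample' '_frameworkTlsProtocols=TLSv1' > "$demo"
check_agent_tls "$demo" || echo "agent is not locked to TLSv1.2"
rm -f "$demo"
```

Point check_agent_tls at the emd.properties of each agent instance; a non-zero exit status marks an agent that still needs the properties added before it is re-secured.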