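Authentication problems encountered while installing Oracle 12c CC

As the number of systems we maintain has grown, so has the number of development database environments that need maintaining. To simplify management and monitoring, setting up a graphical management platform is a good solution. As we know, 11g already had GC (Grid Control), and by now there are 12c CC and 13c CC (Cloud Control).

These two articles cover the whole process of installing 12c CC.

Oracle 12c CC installation and deployment guide (part 1)

Oracle 12c CC installation and deployment guide (part 2)

What I want to talk about this time is that, because of a data-center relocation, the platform had to be built on new machines. Even though the installation steps were the same as before, the run always failed at 62%,

Looking at the log, it reports that it could not connect to the Node Manager, along with some General SSLEngine problem errors,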

......

Connecting to Node Manager ...

This Exception occurred at Thu Jul 13 14:33:03 CST 2017.

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Thu Jul 13 14:33:03 CST 2017

Node Manager is not running

......

Jul 13, 2017 2:33:04 PM oracle.sysman.omsca.util.CoreOMSConfigAssistantUtil execCommand

INFO: error messages of the command :

SEVERE: Exception: during Admin Server start

Name of Exception: main.WLSTException

Code of Exception: Error occured while performing nmConnect : Cannot connect to Node Manager. : General SSLEngine problem

Use dumpStack() to view the full stacktrace

<traceback object at  87>

SEVERE: Exception: during create_em_infra

Name of Exception: exceptions.SystemExit

Code of Exception: 5

<traceback object at  88>

SEVERE: Exception: during stop of admin server

Name of Exception: main.WLSTException

Code of Exception: Error occured while performing nmConnect : Cannot connect to Node Manager. : General SSLEngine problem

Use dumpStack() to view the full stacktrace

<traceback object at  89>

......

Jul 13, 2017 2:33:04 PM oracle.sysman.omsca.adapter.wls.OMSWLSAdapter adapterCreateInfra

FINE: Done Executing the command...5

Jul 13, 2017 2:33:04 PM oracle.sysman.omsca.adapter.wls.OMSWLSAdapter adapterCleanup

SEVERE: OMSWLSAdapter::Unable to backup the instance home log files

java.io.FileNotFoundException: /DATA/app/oracle/gc_inst/em/null (No such file or directory)

        at java.io.FileInputStream.open(Native Method)

        at java.io.FileInputStream.<init>(FileInputStream.java:146)

        at oracle.sysman.omsca.util.CoreOMSConfigAssistantUtil.copy(CoreOMSConfigAssistantUtil.java:505)

        at oracle.sysman.omsca.util.CoreOMSConfigAssistantUtil.copyDir(CoreOMSConfigAssistantUtil.java:2626)

        at oracle.sysman.omsca.adapter.wls.OMSWLSAdapter.adapterCleanup(OMSWLSAdapter.java:4412)

        at oracle.sysman.omsca.framework.OMSCAFreshInstall.execute(OMSCAFreshInstall.java:137)

        at oracle.sysman.omsca.framework.OMSConfigAssistantDriver.main(OMSConfigAssistantDriver.java:240)

        at oracle.sysman.omsca.framework.OMSCAFreshInstall.execute(OMSCAFreshInstall.java:137)

        at oracle.sysman.omsca.framework.OMSConfigAssistantDriver.main(OMSConfigAssistantDriver.java:240)

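ps shows that the Node Manager process exists, and the earlier preparation steps reported no errors.

Neither MOS nor the wider internet turned up any material or advice that specifically addressed this, so I posted a thread on OTN. Many thanks to handat and Martien for their help; although the problem was not solved directly, it was resolved with a workaround. The full thread is at https://community.oracle.com/thread/4062966?start=0&tstart=0

Here are some of the main replies,

handat first suggested confirming whether the ORACLE_HOSTNAME parameter had been set before installation, to make sure the hostname resolves to the IP of the machine hosting the Node Manager and the OEM WLS that need to be connected to.

Martien pointed out a possible permissions problem,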

But the hostname that it tries to connect to should match the certificate, because of the hostname validation in the SSL handshake.

He also said that ORACLE_HOSTNAME is not a mandatory prerequisite for the installation, which is indeed the case.

multi-homed is a networking definition for when your machine has more than one network address: https://en.wikipedia.org/wiki/Multihoming Don't confuse it with multiple ORACLE_HOMEs. ORACLE_HOSTNAME isn't mandatory to be set prior to installation, but the installer will just pick the first network interface it finds and use that. If you are lucky, it might pick the right one and all goes well. However, in some cases, you might want to tell it which one to use in which case you set the ORACLE_HOSTNAME environment variable before you run the installer. In your case, you want to do it since the installer picked the wrong one.

With the HOSTNAME issue ruled out, handat went on to ask which JDK version was in use, because a certificate_unknown error means the certificate is using a cipher that is no longer supported. What on earth...

A certificate_unknown error could mean that the certificate is using a cipher that is not supported anymore. You might need to use an older JDK that allows those ciphers or change the java policy file to allow it. Refer to this for more info: https://www.java.com/en/configure_crypto.html

Martien added,

Or add the unlimited strengths policies: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8 Download(http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html?printOnly=1)

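I was using JDK 1.7.0_79, so I downloaded the JCE files for JDK 1.7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html,

According to the JCE instructions, you need to back up the two local JARs US_export_policy.jar and local_policy.jar, then replace them with the two files from the downloaded package. The location is the <JAVA_HOME>/lib/security folder,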

Install the unlimited strength policy JAR files.

    In case you later decide to revert to the original "strong" but

    limited policy versions, first make a copy of the original JCE

    policy files (US_export_policy.jar and local_policy.jar). Then

    replace the strong policy files with the unlimited strength

    versions extracted in the previous step.

    The standard place for JCE jurisdiction policy JAR files is:

        <java-home>/lib/security           [Unix]

        <java-home>\lib\security           [Windows]

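But reinstalling failed again,

Same as before: unable to connect to the Node Manager, with a certificate_unknown error.

handat pointed out that two settings in the java.security file need to be replaced,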

You need to update java.security and do the following changes:

replace:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768

with:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
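
The effect of this replacement can be checked against a certificate's signature algorithm and key size before editing java.security. The following is an added example, not part of the original post or of the JDK: a simplified model of how a disabledAlgorithms value is matched, with function names and sample certificates constructed for illustration.

```python
import operator
import re

# Values quoted in handat's reply: the setting to replace and its replacement.
ORIGINAL_CERTPATH = "MD2, MD5, RSA keySize < 1024"
SUGGESTED_CERTPATH = "MD2, RSA keySize < 1024"

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
ENTRY = re.compile(r"\s*(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?\s*")


def parse_constraints(value):
    """Split a disabledAlgorithms value into (name, operator, size) entries."""
    entries = []
    for item in value.split(","):
        m = ENTRY.fullmatch(item)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return entries


def decompose(algorithm):
    """'MD5withRSA' -> {'MD5WITHRSA', 'MD5', 'RSA'} (simplified decomposition)."""
    parts = re.split(r"/|with|and", algorithm, flags=re.IGNORECASE)
    return {algorithm.upper()} | {p.upper() for p in parts if p}


def rejection_reasons(disabled_value, sig_alg, key_alg, key_size):
    """Return the entries in disabled_value that would reject the certificate."""
    names = decompose(sig_alg)
    reasons = []
    for name, op, size in parse_constraints(disabled_value):
        if op is None:
            if name.upper() in names:  # plain algorithm name, e.g. MD5
                reasons.append(name)
        elif name.upper() == key_alg.upper() and OPS[op](key_size, size):
            reasons.append(f"{name} keySize {op} {size}")
    return reasons


if __name__ == "__main__":
    # Constructed sample certificates: (signature algorithm, key algorithm, key bits).
    samples = [("MD5withRSA", "RSA", 2048), ("SHA1withRSA", "RSA", 512),
               ("SHA256withRSA", "RSA", 2048)]
    for label, value in (("original", ORIGINAL_CERTPATH), ("suggested", SUGGESTED_CERTPATH)):
        for sig, key, bits in samples:
            print(label, sig, bits, rejection_reasons(value, sig, key, bits) or "accepted")
```

For a real certificate, `openssl x509 -noout -text` shows both the signature algorithm and the public key size to pass in.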

I looked at my file; the original configuration was as follows,

Changed to (second line unchanged),

Same as before, the error persisted. handat explained as follows and pointed out that the Node Manager should be started with -D parameters,

Your node manager is most likely misconfigured (the out of the box config is wrong since it defaults to the Certicom provider instead of JSSE for handling SSL/TLS) so unless the OEM installer changes it during the install, then it won't be able to handshake which is what you are getting.

Assuming there is a retry option where it failed, try making the node manager use JSSE and restart it and click on retry so it can reattempt to handshake with the node manager.

I would try to see if there is a patch or later release which has a better installer.

I can't remember which one, but one of them will make the node manager use JSSE:

-Dweblogic.ssl.JSSEEnabled=true

-Dweblogic.security.SSL.enableJSSE=true

Adding both should work, but one of them will be ignored.

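But in fact my Node Manager was already being started with the -D parameters,

The odd thing is that the installation worked on the old machine, so why did the same steps fail this time? handat's explanation was spot on: although the OS version is the same, the patch level may differ; patches for CVEs (Common Vulnerabilities & Exposures) may bring in new SSL libraries with new, stricter security standards,

You may have had the same OS version, but the patch level is probably different, the SSL libraries back then were much more lenient, while the newer SSL libraries after all the patching for the CVEs, will enforce the new security standards much more strictly and new sha1 certificates were rejected after December.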

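None of the above approaches solved the problem, so I had to play the last card and switch JDK version. With the latest JDK 1.8 the installation completed successfully, and 12c CC can now be used to integrate different databases and do management and monitoring through the GUI,

Summary:

1. During a 12c CC installation, even with the same operating system version, differing patch levels can cause the install to fail because new SSL libraries or new authentication methods are required, so keeping the software environment (the JDK) up to date is very important.

2. For the installation of any Oracle component, the error messages recorded in the corresponding logs are the key to troubleshooting. They are usually fairly detailed, though an obscure error can still take some effort to resolve.

If you found this article helpful, you are welcome to follow the WeChat public account: bisal的个人杂货铺. Your support is my greatest encouragement! Let's learn and improve together :)

Time: 2024-10-24 23:36:43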
