My post Re-new R12.2 ssl certificate has details on how to renew a certificate. A shell script helps a lot when there are many EBS instances waiting for renewal. I wrote below script which takes only one minute to renew the cert on each node after the certificate is renewed on Venafi website and downloaded/copied to Linux server.
As of today, we still have difficulties using .yaml file to extract certificate from Venafi server to Linux server automatically. We tried to set up a "push" way on Venafi website to do the automation. But if the password is changed on the Linux account, the push will fail.
$ vi renew_cert.sh
# Script for renewing ssl certificate after new cert file is saved to Linux server
walletpwd='putPWDhere'
# walletpwd='tttest'
walletloc=$HOME/temp/Certs_Renew # path where the Venafi cert file is saved
walletname='ewallet.p12' # Must rename the file from Venafi to this name
certname='cwallet.sso'
echo "cert at: $walletloc"
echo "cert name: $walletname"
echo $walletpwd
cd $walletloc
errorC=`env| grep RUN_BASE | wc -l`
if [ $errorC -lt 1 ]; then
echo "No R12.2 environment"
exit 1
# . $HOME/AEBSQA2/EBSapps.env RUN
fi
alias orapki=$FMW_HOME/oracle_common/bin/orapki
orapki wallet display -wallet $walletloc/$walletname -pwd $walletpwd > viewCert.log
errorC=`egrep -i 'PKI-' viewCert.log | wc -l`
echo "Error: $errorC"
if [ $errorC -gt 0 ]; then
echo "The password is incorrect or the Venafi cert file is incorrect."
exit 2
fi
DT=`date +"%h_%d_%y_%H%M"`
if [ -f $certname ]; then
mv $certname ${certname}_${DT}
fi
orapki wallet create -wallet $walletloc/$walletname -pwd $walletpwd -auto_login
if [ ! -f $certname ]; then
echo "Failure in getting new cert file. Exiting."
exit 3
fi
echo " "
echo "Copy cert file to directories ..."
cd $NE_BASE/inst/$CONTEXT_NAME/certs # save a copy in this folder
if [ -d Apache ]; then
mv Apache Apache_${DT}
fi
mkdir Apache
cd Apache
pwd
cp -p $walletloc/$walletname ${walletname}
cp -p $walletloc/$certname ${certname}
iName=$(tr < $CONTEXT_FILE '<>' ' ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' )
SUBiName=${iName%?????}
cd $FMW_HOME/webtier/instances/$iName/config/OPMN/opmn/wallet
pwd
if [ -f $certname ]; then
mv $certname ${certname}_${DT}
fi
cp -p $walletloc/$certname ${certname}
cd $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName/keystores/default
pwd
if [ -f $certname ]; then
mv $certname ${certname}_${DT}
fi
cp -p $walletloc/$certname ${certname}
cd $FMW_HOME/webtier/instances/$iName/config/OHS/$SUBiName/proxy-wallet
pwd
if [ -f $certname ]; then
mv $certname ${certname}_${DT}
fi
cp -p $walletloc/$certname ${certname}
echo " "
echo "Recycle Apache service..."
cd $ADMIN_SCRIPTS_HOME
./adopmnctl.sh stop
sleep 10
./adopmnctl.sh status
./adapcctl.sh start
./adopmnctl.sh status
echo "Paths for log files:"
echo $FMW_HOME/webtier/instances/$iName/diagnostics/logs/OHS/$SUBiName
echo $FMW_HOME/webtier/instances/$iName/diagnostics/logs/OPMN/opmn
cd
==== Run the script ====
$ ./renew_cert.sh
cert at: $HOME/temp/Certs_Renew
cert name: ewallet.p12
putPWDhere
Error: 0
Oracle PKI Tool : Version 11.1.1.9.0
Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.
Copy cert file to directories ...
/u04/app/EBSQA/fs_ne/inst/EBSQA_nodeName/certs/Apache
$FMW_HOME/webtier/instances/EBS_web_EBSQA_OHS1/config/OPMN/opmn/wallet
$FMW_HOME/webtier/instances/EBS_web_EBSQA_OHS1/config/OHS/EBS_web_EBSQA/keystores/default
$FMW_HOME/webtier/instances/EBS_web_EBSQA_OHS1/config/OHS/EBS_web_EBSQA/proxy-wallet
Recycle Apache service ...
You are running adopmnctl.sh version 120.0.12020000.2
Stopping Oracle Process Manager (OPMN) and the managed processes ...
opmnctl stopall: stopping opmn and all managed processes...
adopmnctl.sh: exiting with status 0
adopmnctl.sh: check the logfile $LOG_HOME/appl/admin/log/adopmnctl.txt for more information ...
You are running adopmnctl.sh version 120.0.12020000.2
Checking status of OPMN managed processes...
opmnctl status: opmn is not running.
adopmnctl.sh: exiting with status 0
adopmnctl.sh: check the logfile $LOG_HOME/appl/admin/log/adopmnctl.txt for more information ...
You are running adapcctl.sh version 120.0.12020000.6
Starting OPMN managed Oracle HTTP Server (OHS) instance ...
adapcctl.sh: exiting with status 0
adapcctl.sh: check the logfile $LOG_HOME/appl/admin/log/adapcctl.txt for more information ...
You are running adopmnctl.sh version 120.0.12020000.2
Checking status of OPMN managed processes...
Processes in Instance: EBS_web_ARQA_OHS1
--------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
--------------------------------+--------------------+---------+---------
EBS_web_EBSQA | OHS | 14542 | Alive
adopmnctl.sh: exiting with status 0
adopmnctl.sh: check the logfile $LOG_HOME/appl/admin/log/adopmnctl.txt for more information ...
Paths for log files:
$FMW_HOME/webtier/instances/EBS_web_EBSQA_OHS1/diagnostics/logs/OHS/EBS_web_EBSQA
$FMW_HOME/webtier/instances/EBS_web_EBSQA_OHS1/diagnostics/logs/OPMN/opmn
==== Files in the folder ====
$ ls
renew_cert.sh
ewallet.p12
ewallet.p12.lck
cwallet.sso.lck
viewCert.log
cwallet.sso
