Monday 15 December 2014

Safari and OVM3.3.1

The release notes state:
On Windows using Safari to access Oracle VM Manager results in a blank page. This is due to a failure that occurs during the SSL handshake when the server has enabled two-way SSL. Since Oracle VM Manager uses two-way SSL for client certificate authentication, the Safari browser is not supported on Windows. Bug 18025985

If that is so, let's make it work: let's enable two-way SSL for Safari!

Problem

Indeed, the server asks the browser to (optionally) send a client certificate. If Safari has one, it sends it. But the one sent to the OVMM server is not accepted by OVMM.

The result is an endless loop: the server rejects the certificate, and the browser prompts the user to select another certificate to send to the server.

Solution

OVM already has a certificate for this purpose! All we need to do is export it and import it into Safari. The added problem is that the passwords to the certificate stores are not saved anywhere. The documentation explains:

In some scenarios, you may also want to configure Oracle WebLogic Server's SSL truststore to provide additional trusted CAs. To do this you may use the changepass command to change the truststore password, since the default password for the keystore is randomized and it would not be possible to modify the keystore without the correct password. Once you have reset the password, you can modify the keystore using the Java keytool, as required. 

Let's set the new password then!

su - oracle
cd /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin
./ovmkeytool.sh changepass

Give the following input; the important points are NOT to use random passwords and to reset the SSL keystore password:
  • Use random passwords? [yes] no
  • Change CA Keystore and Key passwords? [yes] no
  • Change SSL Keystore and Key passwords? [yes] 
  • SSL Keystore password: your_ovm_admin_password
  • Verify SSL Keystore password: your_ovm_admin_password
  • SSL Key password: your_ovm_admin_password
  • Verify SSL Key password: your_ovm_admin_password
  • Change SSL Trustore password? [yes] no
  • Oracle MiddleWare Home (MW_HOME): /u01/app/oracle/Middleware
  • WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
  • WebLogic server name: [AdminServer] 
  • WebLogic username: [weblogic] 
  • WebLogic password: [********] your_ovm_admin_password
Create a certificate store for import into Safari:

cd /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/
my_ovm_admin_pass=your_ovm_admin_password
my_ovm3_trustcert_pass=Welcome1
keytool -importkeystore \
    -srckeystore ovmssl.jks \
    -destkeystore ovmssl.p12 \
    -srcstoretype JKS \
    -deststoretype PKCS12 \
    -srcstorepass $my_ovm_admin_pass \
    -deststorepass $my_ovm3_trustcert_pass \
    -srcalias ovm3 \
    -destalias ovm3 \
    -srckeypass $my_ovm_admin_pass \
    -destkeypass $my_ovm3_trustcert_pass \
    -noprompt 
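The export above works, but it puts both passwords on the keytool command line, where they are visible in the process list and in the shell history, and it leaves a file containing the OVM server's private key with whatever permissions the default umask gives. The script below is an added example, not code from the original post or from Oracle: it performs the same ovmssl.jks to ovmssl.p12 export, reads the passwords without echo and hands them to keytool through the environment (keytool's -storepass:env form), creates the .p12 with mode 0600 in a subshell umask, refuses to overwrite an existing file, and checks the result before it is copied to a laptop. The paths and the ovm3 alias are the ones from the post; keytool on the PATH and, for the optional inspection step, openssl are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): export the ovm3 key pair
# from ovmssl.jks to a PKCS12 file for import into Safari, keeping the
# passwords out of argv and creating the .p12 with mode 0600.
# Assumed: paths and alias as in the post, keytool (Java 7+) on PATH,
# openssl available for the optional inspection of the result.

OVM_SECURITY_DIR="${OVM_SECURITY_DIR:-/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security}"
SRC_JKS="${SRC_JKS:-$OVM_SECURITY_DIR/ovmssl.jks}"
DEST_P12="${DEST_P12:-$OVM_SECURITY_DIR/ovmssl.p12}"
CERT_ALIAS="${CERT_ALIAS:-ovm3}"

# read_secret VAR PROMPT: read a password from the terminal without echo.
read_secret() {
    printf '%s: ' "$2" >&2
    stty -echo 2>/dev/null
    read -r _secret
    stty echo 2>/dev/null
    printf '\n' >&2
    eval "$1=\$_secret"
    unset _secret
}

# file_is_private FILE: true only when FILE is a regular file with no
# group or other permission bits (0600 or stricter), i.e. fit to hold a key.
file_is_private() {
    [ -f "$1" ] || return 1
    _mode=$(ls -ld "$1" | cut -c5-10)
    [ "$_mode" = "------" ]
}

export_client_cert() {
    [ -r "$SRC_JKS" ] || { echo "keystore not readable: $SRC_JKS" >&2; return 1; }
    [ -e "$DEST_P12" ] && { echo "refusing to overwrite $DEST_P12" >&2; return 1; }
    read_secret OVM_STORE_PASS "SSL keystore password (set with ovmkeytool.sh changepass)"
    read_secret OVM_P12_PASS "Password for the new ovmssl.p12"
    export OVM_STORE_PASS OVM_P12_PASS

    # Confirm the alias exists before writing anything.
    keytool -list -keystore "$SRC_JKS" -storepass:env OVM_STORE_PASS \
        -alias "$CERT_ALIAS" >/dev/null \
        || { echo "alias $CERT_ALIAS not found in $SRC_JKS" >&2; return 1; }

    # umask in a subshell: the .p12 is created 0600 without changing the caller's umask.
    ( umask 077 && keytool -importkeystore \
        -srckeystore "$SRC_JKS" -destkeystore "$DEST_P12" \
        -srcstoretype JKS -deststoretype PKCS12 \
        -srcalias "$CERT_ALIAS" -destalias "$CERT_ALIAS" \
        -srcstorepass:env OVM_STORE_PASS -srckeypass:env OVM_STORE_PASS \
        -deststorepass:env OVM_P12_PASS -destkeypass:env OVM_P12_PASS \
        -noprompt ) || return 1

    file_is_private "$DEST_P12" || { echo "$DEST_P12 is not mode 0600" >&2; return 1; }

    # Show what the file holds: the certificate whose private key the browser will use.
    if command -v openssl >/dev/null 2>&1; then
        openssl pkcs12 -in "$DEST_P12" -info -nokeys -passin env:OVM_P12_PASS
    fi
    unset OVM_STORE_PASS OVM_P12_PASS
    echo "wrote $DEST_P12; copy it with scp and remove the server-side copy afterwards"
}

# Run the export only when invoked as "script.sh export", so the
# functions can also be sourced and used on their own.
if [ "${1:-}" = "export" ]; then
    export_client_cert
fi
```

Run it as the oracle user on the OVM Manager host with `sh export_ovm3_cert.sh export`. The file that comes out contains the same private key the WebLogic server uses for its own TLS endpoint, so treat it like the server key: transfer it over scp, delete the copy left on the server, and keep the .p12 password different from the keystore password so that a lost laptop does not also hand over the server keystore credential.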

Copy the new ovmssl.p12 file to your desktop or laptop and open Keychain Access to import it:

  • File > Import Items... >
  • Select file: ovmssl.p12
  • Destination keychain: Login
  • Specify password: Welcome1

In Keychain Access, under Certificates, we now have the OVM3 certificate:


Now start Safari and point it at OVM3. Safari prompts us once more to select a client certificate. Select the ovm3 certificate:



That's it. A record for this URL is now associated with the ovm3 client certificate, and Safari will select it automatically next time.