Syed Saad Ali

Oracle ACE Pro

Oracle Solution Architect

Oracle E-Business Suite

Oracle Cloud Infrastructure

Oracle Fusion Middleware

Oracle Database Administration

Oracle Weblogic Administration

OPMNCTL startall Fails with status 4200

May 20, 2023 APPS DBA

OPMNCTL startall Fails with unexpected exit: status 4200

When attempting to start the opmnctl services in E-Business Suite R12.2, an error with the code 4200 is encountered, as shown below.

Error: 

opmnctl startall: starting opmn and all managed processes… 

[opmn] [ERROR:1] [] [internal] /u01/apps/fs1/FMW_Home/webtier/opmn/bin/opmn: unexpected exit: status 4200 

opmnctl startall: opmn failed to start. 

 

Reason:

OPMN and OHS fail to start because the default wallets generated by Oracle Fusion Middleware include self-signed certificates signed using md5WithRSA, and the updated security library no longer supports certificates signed with md5WithRSA. To resolve this issue, the certificate signature algorithm must be sha256WithRSA or a more advanced algorithm.
 

FIX:

The steps below generate a new wallet that includes a self-signed certificate meeting the required standards. You then deploy this wallet to the default locations so that OHS and OPMN can start successfully.
 
 
Step 1: Log in as the user responsible for the application tier installation. Then source the run file system environment and the $FMW_HOME/SetWebtier.env file.
 
$ source <EBS base install directory>/EBSapps.env run 
$ source $FMW_HOME/SetWebtier.env 
 
Step 2: Proceed with setting an alias for the appropriate orapki command.
 
$ alias orapki=$FMW_HOME/oracle_common/bin/orapki 
 
Step 3: Generate a new wallet with an acceptable self-signed certificate in the directory $HOME/ss. Here’s an example:
 
$ mkdir ~/ss 
$ cd ~/ss 
$ orapki wallet create -wallet ./ -auto_login_only 
$ orapki wallet add -wallet . -dn "CN=FMWSmallCircleOfTrust" -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3652 -auto_login_only 
$ orapki wallet display -wallet . 
 

To ensure the successful creation of the wallet, you can use the final command (orapki wallet display -wallet .) to verify its status.

Step 4: In the fourth step, identify the instanceName of the current environment and save it as an environment variable for future reference.
 
$ tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' 
EBS_web_OHS1 
$ iName=$(tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_ohs_instance"/ {print $(NF-1)}' ) 
 
Step  5: Proceed to navigate to the instance directory as part of the fifth step.
 
$ cd $FMW_HOME/webtier/instances/$iName
 

Locate the default wallets utilized by this instance.

$ find . -name cwallet.sso | fgrep -v /webgate/ 
./config/OPMN/opmn/wallet/cwallet.sso 
./config/OHS/EBS_web/proxy-wallet/cwallet.sso 
./config/OHS/EBS_web/keystores/default/cwallet.sso 
 
Step 6: Verify that each wallet contains only the self-signed certificate.
 
$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo -e "\n$w"; orapki wallet display -nologo -wallet "$w" ; done 
 

For default wallets, confirm that each wallet exhibits a single “User Certificate” and a matching “Trusted Certificate.” Refer to the following example for clarification:

./config/OPMN/opmn/wallet/cwallet.sso 
Requested Certificates: 
User Certificates: 
Subject: CN=Self-Signed Certificate for EBS_web_OHS120,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US 
Trusted Certificates: 
Subject: CN=Self-Signed Certificate for EBS_web_OHS120,OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US 
 
Note: If a wallet is not a default wallet, it is advisable to create a backup copy of the wallet before proceeding further. 
 
Step 7: Copy the newly created wallet with the SHA-256 signature to all of the default wallet locations.
 
$ find . -name cwallet.sso | fgrep -v /webgate/ | while read w ; do echo $w; cp -p ~/ss/cwallet.sso $w ; done 
 

By completing the aforementioned step, you have successfully copied the newly generated self-signed wallet to the default locations within the run file system. This approach eliminates the need to modify the OPMN and OHS configuration files to reference an alternative wallet or wallet directory.

 
Step  8: In preparation for implementing the changes to the patch file system, proceed with the modification of the adop_sync.drv file located in $APPL_TOP_NE/ad/custom. Include the following updates:
 
#Oracle HTTP Server Wallet - cwallet.sso 
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso 
#OPMN Wallet - cwallet.sso 
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso 
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso 
 
Once you execute the steps outlined in Section 4 during the prepare phase (adop phase=prepare) of the online patching process, the aforementioned changes will be applied to the patch file system. These changes will come into effect following a successful cutover (adop phase=cutover).
 
Once you have completed this procedure, it is important to refrain from removing or modifying the updated adop_sync.drv file.
 
Step 9: Proceed with the re-registration of OHS if it is deemed necessary.
 
Retrieve the host, port, and user name variables for WLS Admin from CONTEXT_FILE.
 
$ aHost=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_host"/ {print $(NF-1)}' ) 
$ aPort=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_adminport"/ {print $(NF-1)}' ) 
$ aUser=$( tr < $CONTEXT_FILE '<>' '  ' | awk '/"s_wls_admin_user"/ {print $(NF-1)}' ) 
 
Perform the re-registration of OHS by executing the following commands:
 
$ cd $FMW_HOME/webtier/instances/$iName/bin 
$ ./opmnctl unregisterinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser -instanceName $iName 
$ ./opmnctl registerinstance -adminHost $aHost -adminPort $aPort -adminUsername $aUser 
 

Once the new wallet is in place, OPMN and OHS should be able to initiate successfully.

To verify the startup of only OPMN and OHS, you can utilize the commands adopmnctl.sh start and adapcctl.sh start.

Alternatively, you have the option to execute adstrtal.sh, which will attempt to start all components simultaneously.
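The wallet display output shown in Step 6 lists certificate subjects only, so it does not confirm that md5WithRSA is gone. The following script is an added example, not part of the original post or of Oracle's procedure: it exports each user certificate from a wallet directory and classifies its signature algorithm. It assumes openssl is on the PATH, that orapki is at the Step 2 location, and that the exported certificate is Base64/PEM; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): report the signature algorithm of
# every user certificate in a wallet directory.
# Assumption: orapki lives where Step 2 points; override with ORAPKI=/path/to/orapki.
ORAPKI=${ORAPKI:-$FMW_HOME/oracle_common/bin/orapki}

# stdin: output of "orapki wallet display"; stdout: DNs under "User Certificates:".
user_cert_dns() {
    awk '
        /^User Certificates:/        { in_user = 1; next }
        /^[A-Za-z ]+Certificates:/   { in_user = 0 }
        in_user && /^[ \t]*Subject:/ {
            sub(/^[ \t]*Subject:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print
        }'
}

# stdin: output of "openssl x509 -noout -text"; stdout: verdict plus algorithm name.
sigalg_verdict() {
    alg=$(awk -F': *' '/Signature Algorithm:/ { print $2; exit }' | tr -d ' \r')
    case "$alg" in
        md5*)                    echo "REJECTED $alg" ;;  # the case behind status 4200
        sha256*|sha384*|sha512*) echo "OK $alg" ;;
        "")                      echo "UNKNOWN" ;;        # no algorithm line found
        *)                       echo "REVIEW $alg" ;;    # not covered by the post
    esac
}

# Export each user certificate from the wallet directory $1 and classify it.
# Assumption: the exported file is Base64/PEM, which openssl x509 reads by default.
audit_wallet() {
    tmpd=$(mktemp -d) || return 1
    "$ORAPKI" wallet display -nologo -wallet "$1" | user_cert_dns |
    while IFS= read -r dn; do
        rm -f "$tmpd/cert.pem"
        # </dev/null keeps orapki from consuming the DN list on stdin
        "$ORAPKI" wallet export -wallet "$1" -dn "$dn" -cert "$tmpd/cert.pem" \
            </dev/null >/dev/null &&
            printf '%s [%s]: %s\n' "$1" "$dn" \
                "$(openssl x509 -in "$tmpd/cert.pem" -noout -text | sigalg_verdict)"
    done
    rm -rf "$tmpd"
}
```

Call `audit_wallet ~/ss` after Step 3, and `audit_wallet` on each directory that holds a default cwallet.sso after Step 7; every reported certificate should read OK.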

 
 
 

 
