Two things will significantly affect the operation of Fusion Applications when they expire: database passwords and certificates. Their expiration dates therefore need to be checked and maintained properly.
Check for expiring database account passwords
Fusion Applications have many schema users in the Fusion Application database. Many of these schema users have no expiry date by default, but some do. You can check the expiration date for these passwords by connecting to the FA database as sys with sqlplus. Use the following command to check the expiry_date:
select username, account_status, expiry_date, sysdate from dba_users where expiry_date is not null;
TODO: Keep track of when database accounts will expire. When the database accounts will soon expire, update the accounts and reset the expiry_date according to your established corporate security policy requirements. Note: You can reuse the existing password when resetting these schema accounts.
Check for expiring certificates
Fusion Applications will fail when certificates expire. It’s important to check all certificate stores (JKS for WebLogic and PKCS#12 for OHS) for expiring keys and certificates so that they can be renewed in a controlled and timely manner.
For Fusion JKS Certificate Stores
You should maintain a list of all certificate stores so that they can be located easily.
The Fusion JKS stores are fusion_trust.jks and <hostname>_fusion_identity.jks in APPLICATIONS_BASE/fusionapps/wlserver_10.3/server/lib.
For each JKS store, use keytool to examine the contents, noting the expiration date for each key and certificate:
$JAVA_HOME/bin/keytool -list -v -keystore <keystore filename>
Note: fusion_trust.jks contains the keys and certificates in each of the <hostname>_fusion_identity.jks. When replacing the key and certificates, you must replace each <hostname>_fusion_identity.jks and fusion_trust.jks separately.
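As an added example (not part of the original article or of Oracle's tooling), the following Python code parses the output of the keytool -list -v command above and reports every certificate, including each one in a key entry's chain, that is expired or close to expiry. The sample output, alias names and 60-day threshold are constructed assumptions, and the parser assumes keytool's English-locale date format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output (English locale); not a real store.
SAMPLE = """\
Alias name: fahost1_fusion
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=fahost1.example.com
Valid from: Mon Mar 01 09:00:00 UTC 2021 until: Thu Feb 29 09:00:00 UTC 2024
Certificate[2]:
Owner: CN=Example Internal CA
Valid from: Mon Mar 01 09:00:00 UTC 2021 until: Sat Mar 01 09:00:00 UTC 2031

Alias name: oldpartner
Entry type: trustedCertEntry
Owner: CN=partner.example.net
Valid from: Fri Jan 01 00:00:00 UTC 2021 until: Sun Dec 31 23:59:59 UTC 2023
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
# keytool prints java.util.Date.toString(): "EEE MMM dd HH:mm:ss zzz yyyy"
UNTIL_RE = re.compile(r"^Valid from: .+ until: (\w{3} \w{3} \d{1,2} [\d:]{8}) \S+ (\d{4})$")

def parse_expiries(text):
    """Return (alias, position_in_chain, not_after) for every certificate listed."""
    found, alias, pos = [], None, 0
    for line in map(str.strip, text.splitlines()):
        if m := ALIAS_RE.match(line):
            alias, pos = m.group(1), 0
        elif m := UNTIL_RE.match(line):
            pos += 1
            # The zone token is dropped, so the result can be off by up to a day.
            stamp = f"{m.group(1)} {m.group(2)}"
            found.append((alias, pos, datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")))
    return found

def expiry_report(text, now, warn_days=60):
    """List certificates that are expired or expire within warn_days of now."""
    limit = now + timedelta(days=warn_days)
    return [(alias, pos, "EXPIRED" if end <= now else "EXPIRING", end)
            for alias, pos, end in parse_expiries(text) if end <= limit]

if __name__ == "__main__":
    for alias, pos, status, end in expiry_report(SAMPLE, datetime.now()):
        print(f"{status:8} {alias} cert[{pos}] until {end:%Y-%m-%d}")
```

To use it against a real store, pass the captured text of the keytool command to expiry_report in place of SAMPLE.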
For Webgate Certificate
You should note down the expiration date of the webgate certificate and replace it as appropriate. The webgate certificate is in APPLICATIONS_CONFIG/CommonDomain_webtier/config/OHS/ohs1/webgate/config/simple. To check the certificate expiration date, use keytool to examine the contents:
$JAVA_HOME/bin/keytool -printcert -v -file aaa_cert.pem
For PKCS#12 Certificate Stores
The location of the certificate stores used by FA OHS instances can be found in the OHS configuration files. The following example shows how to determine this:
cd APPLICATIONS_CONFIG/CommonDomain_webtier/config/OHS/ohs1
cat *.conf ./moduleconf/*.conf | grep SSLWallet
Each of these should be opened with the orapki utility to examine the content and verify the certificate expiration. The orapki utility is described in detail here: