EM Grid Control Agent - The Culprit of Renewing Weblogic Server SSL Certificates

We were using VeriSign SSL certificates for our Weblogic admin and managed servers. It seemed easy to enable the SSL: create the keystore -> generate then send the SSL certificate requests of the servers -> receive the SSL certificates -> import the Verisign CA, issuing as well as the server certificates into the keystore -> import the Verisign CA and issuing certificates to update the keystore configuration from the Weblogic admin console to point to the keystore for the servers -> restart the servers

Then it was time to renew the SSL certificates. However my company decided to switch to Microsoft certificates using internal CA and issuing certificates, since these servers are only used inside the company. Following above steps I renewed the certificates, but on starting the Weblogic servers, I got CERTIFICATE UNKNOWN warning messages in the logs.

 

It turned out that I also need to import the Microsoft CA and issuing certificates to EM Grid Control agent keystore, which is under $AGENT_HOME/sysman/config/montrust/AgentTrust.jks and the keystore password is welcome by default. It is because the EM Grid Control agent keystore does have the VeriSign CA certificate by default, but doesn’t have Microsoft CA certificate.

EM Grid Control - The Culprit of Changing Weblogic Admin Password

I am sure different people have different experience on changing Weblogic Admin Password – it depends on your Weblogic server and domain configuration. There is a very good step by step note on how to change Weblogic Admin Password, which lists all possible issues and gives solutions:


http://weblogicserveradministration.blogspot.in/2012/10/how-to-change-reset-weblogic-admin-user.html

However in my case, I faced an issue that no matter what I tried, I got an error: 5 invalid login attempts, locking account for 30 minutes. Eventually I figured out there is a preferred credential configured in EM Grid Control that uses Weblogic admin account to monitor the Weblogic domain. After also changing the password in the EM Grid Control preferred credential, the issue was resolved.

Another note is to make sure you take a cold backup before trying to change the Weblogic admin password, so you can also restore back if things go wrong. Cheers!