Eclipsys Blog

OMS Startup Errors Caused by an Expired OHS Keystore Certificate

Written by Edson Edewor | Oct 22, 2025 3:13:40 PM

If your Oracle Management Service (OMS) suddenly refuses to start, and you see errors related to the WebTier or Oracle HTTP Server (OHS) failing to initialize, the culprit is often an expired default SSL certificate within the OHS wallet.

When the default self-signed certificate in the OHS keystore expires, the OHS component, which acts as the WebTier for your EM console, can no longer initialize the secure (HTTPS) environment. This failure prevents the OHS from starting, which in turn causes the entire OMS startup sequence to fail.

This guide provides the exact steps to replace the expired self-signed certificate with a new, valid self-signed certificate to restore your EM service quickly.

Before proceeding, ensure you have:

  1. Stopped the OMS:

     $ emctl stop oms -all

  2. Access: You must be logged in as the Oracle software owner (e.g., oracle user).

  3. Environment Variables: Your environment should be set up to use the necessary Oracle Fusion Middleware binaries (e.g., the path to orapki).

The process involves backing up the old wallet (optional but recommended), creating a new auto-login wallet, generating a new self-signed certificate within it, and copying the new wallet file to the necessary configuration location.

Note: The Oracle Wallet utility (orapki) is located in the ORACLE_HOME/oracle_common/bin directory.

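Step 1: Back up the Existing Certificate

While we are replacing it, recording the existing certificate details and keeping the expired wallet file is good practice for historical record and reference, though it's optional for the fix itself. Display the wallet contents, then rename the expired cwallet.sso from inside the keystore directory:

$ /oracle/software/product/oem13.4/oracle_common/bin/orapki wallet display -wallet /oracle/software/product/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/keystores/default

$ cd /oracle/software/product/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/keystores/default

$ mv cwallet.sso cwallet.sso.expired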

Step 2: Create a New Empty Auto-Login Wallet

First, we will initialize a brand new wallet in the required location, ensuring it is an auto-login wallet (cwallet.sso). This means the password is not required when the OHS tries to access it at startup.

$ /oracle/software/product/oem13.4/oracle_common/bin/orapki wallet create -wallet /oracle/software/product/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/keystores/default -auto_login_only

Step 3: Add a New Self-Signed Certificate to the Wallet

Now, we generate the new self-signed certificate with a long validity period (e.g., 3650 days, or 10 years) and add it to the newly created wallet. Ensure the Distinguished Name (DN) matches your configuration.

$ /oracle/software/product/oem13.4/oracle_common/bin/orapki wallet add -wallet /oracle/software/product/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/keystores/default -dn 'CN=localhost,OU=GCDomain ohs1,O=FOR TESTING ONLY' -keysize 2048 -self_signed -validity 3650 -sign_alg sha256 -auto_login_only

Step 4: Copy the Wallet to the OHS Instance Directory

The OHS instance uses a copy of the wallet file (cwallet.sso) from the configuration location. We must copy the newly created auto-login wallet file to the active OHS instance directory.

$ cp /oracle/software/product/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/ohs1/keystores/default/cwallet.sso /oracle/software/product/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
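
A post-fix check for Steps 2 to 4, as an added example that is not part of the original post: it confirms that both cwallet.sso copies exist, are byte-identical, and carry no group or other permission bits, since an auto-login wallet opens without a password and file permissions are its only protection. The function name, the status strings and the owner-only permission policy are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. check_wallet_copies and its status
# strings are hypothetical names. Assumption: only the Oracle software owner
# should have any access to cwallet.sso (an owner-only policy chosen here).

# Usage: check_wallet_copies <config keystore dir> <instance keystore dir>
# Prints one status line: MISSING <file>, OUT_OF_SYNC, LOOSE_PERMS <file> or OK.
check_wallet_copies() {
    local cfg inst f
    cfg="$1/cwallet.sso"
    inst="$2/cwallet.sso"

    # Both locations must hold a wallet file after Steps 2-4.
    for f in "$cfg" "$inst"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            return 0
        fi
    done

    # Step 4 is a plain copy, so the two files must be byte-identical. A
    # mismatch means the instance directory still holds a different wallet.
    if ! cmp -s "$cfg" "$inst"; then
        echo "OUT_OF_SYNC"
        return 0
    fi

    # An auto-login wallet opens without a password, so file permissions are
    # the only access control on the private key. Characters 5-10 of the
    # "ls -l" mode string are the group and other permission bits.
    for f in "$cfg" "$inst"; do
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "LOOSE_PERMS $f"
            return 0
        fi
    done
    echo "OK"
}

# Run directly with the two keystore directories from Steps 2 and 4.
if [ "$#" -eq 2 ]; then
    check_wallet_copies "$1" "$2"
fi
```

Pass the keystores/default directory used in Steps 2 and 3 as the first argument and the instances/ohs1/keystores/default directory from Step 4 as the second.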



Reference: EM13c: WebTier Could Not Be Started Due To The Default OHS Keystore Certificate Expired (Doc ID 3070848.1)