OEM Agent error with [handshake has no peer]

At a client, there is OEM 13.4 running without problems, being patched every three months with the latest PSU.

Some old VMs have old Agents, like OEM Agent 13.2.

Recently we noticed one corrective action failed with:

Corrective action output=Step aborted after 30 failed attempts to run. Last captured error message was: Caught agent exception[unable to connect to http server at https://srv01234.domain.com:3872/emd/main/. [handshake has no peer](oracle.sysman.emSDK.agent.comm.exception.VerifyConnectionException)]
Error communicating with agent. Please also check incident console for possible job-system related problems.

The problem is that OEM Agent 13.2 uses by default the following Ciphers to communicate:

$ <AGENT_HOME>/bin/emctl getproperty agent -name SSLCipherSuites
Oracle Enterprise Manager Cloud Control 13c Release 2
Copyright (c) 1996, 2016 Oracle Corporation.  All rights reserved.
SSLCipherSuites is unset; default value is SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA

But currently none of those Ciphers is supported with latest OEM 13.4.

There is a Metalink note: EM 13c: OMS Communication to all Agents Failing with “[handshake has no peer]” but Agents are able to Upload Successfully to the OMS (Doc ID 2381313.1) which does not really bring the solution.

One needs to check on 13c: How to Disable Weak SSLCipherSuites in Enterprise Manager 13c Cloud Control (Doc ID 2138391.1), under Agent, to see how to configure Ciphers that are acceptable for both Agent 13.2 and OEM 13.4.

The solution is then:

$ <AGENT_HOME>/bin/emctl setproperty agent -name SSLCipherSuites -value  TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA:RSA_WITH_AES_256_CBC_SHA256
$ <AGENT_HOME>/bin/emctl stop agent
$ <AGENT_HOME>/bin/emctl start agent

Of course a better solution would be to upgrade the OEM Agent to 13.4. 🙂

Leave a comment

Your email address will not be published. Required fields are marked *