After the ICS POD is upgraded to, the ICS agent will not come up and throws the error “Agent Group Existence Check Failed, Recheck ICS Username, ICS Password and Proxy Username, Proxy Password or Contact Customer Support”.

The cause of the issue is that the ICS certificate has changed. The certificate change for ICS happened on the Cloud (outside of the agent). It can be mapped to 18.2.3 MLR 00.

This is a known bug, Bug 28242477, logged by Oracle.

To resolve this issue, the user needs to re-import the CA certs from ICS into the agent keystore. Ensure that the entire certificate chain is imported into the agent keystore.

Follow the steps below to resolve the issue:

1) Download Certificate Chain from ICS

  • Log in to the ICS console using the Firefox browser
  • Click on Security Report and More Information
  • Go to the Security tab and click the View Certificate button
  • Click on the Details tab. Once you click the Details tab, you will see the certificate chain (Root, Intermediate & Leaf)
  • Download all three certificates (Root, Intermediate & Leaf) one by one
  • Click on the Root certificate and click the Export button
  • Save the certificate with the .crt extension
  • Repeat the last two steps for the Intermediate and Leaf certificates
2) Import Certificate Chain into keystore
  • Log in to the ICS agent server
  • Move the certificates to the /tmp/cert directory
  • Go to the <AgentHome>/cert/ directory
  • Take a backup of the keystore.jks file
  • Ensure JAVA_HOME is set so that the keytool command can run
  • Import the leaf certificate first by issuing the following command
keytool -import -trustcacerts -keystore keystore.jks -file /tmp/cert/integration.us2.oraclecloud.cer -alias
  • Once prompted for the keystore password, enter “changeit”. This is the default password of keystore.jks
Note: You may get a prompt saying that an alias or certificate already exists. Ignore it and proceed.
  • Run the command below to import the root certificate
keytool -import -trustcacerts -keystore keystore.jks -file /tmp/cert/DigiCertGlobalRootCA.cer -alias
  • Run the command below to import the intermediate certificate
keytool -import -trustcacerts -keystore keystore.jks -file /tmp/cert/DigiCertSHA2SecureServerCA.cer -alias

The above three commands import the certificate chain into the keystore.
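
Before starting the agent, it is worth confirming that the keystore really holds the whole chain. The script below is an added example, not part of the original post or Oracle's tooling: it reads `keytool -list -v` output and reports any issuer that has no matching entry in the keystore. The function names and the leaf DN in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumes English keytool output.
# Real use, from <AgentHome>/cert/:
#   keytool -list -v -keystore keystore.jks -storepass changeit | missing_issuers

# Print every Issuer DN that has no entry with the same Owner DN.
# Exit status 0 = every issuer is present (a self-signed root satisfies itself),
# 1 = at least one link of the chain is absent from the keystore.
missing_issuers() {
    awk '
        /^Owner: /  { sub(/^Owner: /, "");  owner[$0] = 1;  next }
        /^Issuer: / { sub(/^Issuer: /, ""); issuer[$0] = 1; next }
        END {
            bad = 0
            for (dn in issuer) if (!(dn in owner)) { print dn; bad = 1 }
            exit bad
        }'
}

# Constructed sample: trimmed `keytool -list -v` output for a keystore where
# only the leaf and the root were imported (intermediate missing).
sample_without_intermediate() {
    cat <<'EOF'
Alias name: leaf
Entry type: trustedCertEntry
Owner: CN=ics.example.invalid, O=Example, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US

Alias name: root
Entry type: trustedCertEntry
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
EOF
}

# Same keystore after the intermediate is imported as well.
sample_full_chain() {
    sample_without_intermediate
    cat <<'EOF'

Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
EOF
}

if sample_full_chain | missing_issuers; then echo "chain complete"; fi
```

Any DN the function prints is a certificate that still has to be imported; the check compares names only and does not validate signatures or expiry dates.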

3) Start ICS Agent
  • Run the command below to start the ICS agent
nohup ./ -p=TEST@123 &
The ICS agent should now start successfully without any issue.