Saw an error in Internet Explorer 11 when I tried to connect to Oracle Enterprise Manager Database Express (EM Express) of Oracle 19c. Which means it's not working.
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://192.168.10.11:5500 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Rationale
This is because the listener is owned by grid, but the wallet (xdb_wallet) is owned by oracle. When the listener tried to read the wallet, it got permission denied. Therefore, we should make xdb_wallet readable to grid.
Solution
We have to know the location of xdb_wallet before assigning proper permission on it.
1. For Single-instance Databases
Just add READ permission to group on keystores.
[oracle@test ~]$ cd $ORACLE_BASE/admin/ORCLCDB/xdb_wallet/
[oracle@test xdb_wallet]$ pwd
/u01/app/oracle/admin/ORCLCDB/xdb_wallet
[oracle@test xdb_wallet]$ ll
total 8
-rw------- 1 oracle oinstall 3880 Jul 14 2020 cwallet.sso
-rw------- 1 oracle oinstall 3835 Jul 14 2020 ewallet.p12
[oracle@test xdb_wallet]$ chmod g+r *
[oracle@test xdb_wallet]$ ll
total 8
-rw-r----- 1 oracle oinstall 3880 Jul 14 2020 cwallet.sso
-rw-r----- 1 oracle oinstall 3835 Jul 14 2020 ewallet.p12
2. For RAC Databases
We add READ permission to group on keystores of all nodes if you were using a RAC database.
[oracle@primary01 ~]$ cd $ORACLE_HOME/admin/ORCLCDB/xdb_wallet/
[oracle@primary01 xdb_wallet]$ pwd
/u01/app/oracle/product/19.0.0/db_1/admin/ORCLCDB/xdb_wallet
[oracle@primary01 xdb_wallet]$ ll
total 8
-rw------- 1 oracle asmadmin 3880 Oct 14 11:56 cwallet.sso
-rw------- 1 oracle asmadmin 3835 Oct 14 11:56 ewallet.p12
[oracle@primary01 xdb_wallet]$ chmod g+r *
[oracle@primary01 xdb_wallet]$ ll
total 8
-rw-r----- 1 oracle asmadmin 3880 Oct 14 11:56 cwallet.sso
-rw-r----- 1 oracle asmadmin 3835 Oct 14 11:56 ewallet.p12
Then refresh EM Express once again. Is it a bug? Please leave your comment if you know that.
In our case, we used IP address to connect to EM Express. In fact, the formal way to access EM Express of a RAC database is to connect Single Client Access Name (SCAN). For example:
Which means, let SCAN decide where to go. Also, direct access to any node server or IP address is alright, especially you can't or don't want to resolve the hostname.