1/13/2015

Document 1425103.1

SSL Primer: Enabling SSL in Oracle E-Business Suite Release 12 (Trial Certificate Example) (Doc ID 1425103.1)

In this Document
Abstract
History
Details

Introduction
Configuring the EBS Web Tier for Direct HTTPS Communication
1. Set Your Environment
2. Create a Web Tier Wallet
3. Create a Certificate Request
4. Export the Certificate Request
5. Submit the Certificate Request to a Certifying Authority
5. Import your Certificate to the Wallet
6. Copy the Apache Wallet to the OPMN Wallet
7. AutoConfig
Client Configurations
Introduction
Client Browser Configuration
Mozilla Firefox Security Exception
Microsoft Internet Explorer Security Exception
Retrieving the Public Facing SSL Certificates Using the Client Browser
Introduction
Retrieving the Certificates using Mozilla Firefox
Retrieving the Certificates using Internet Explorer
Importing SSL Certificates into the JDK's Trusted Certificate Store
Creating a Database Wallet and Importing Trusted SSL Certificates
Summary
References

APPLIES TO:
Oracle Applications Technology Stack - Version 12.0.6 to 12.1.3 [Release 12.0 to 12.1]
Information in this document applies to any platform.

ABSTRACT
This note is an illustrated companion to the primary Note 376700.1, Enabling SSL in Oracle E-Business Suite Release 12, and covers the implementation of a Verisign Trial Certificate as an example. The daunting length is primarily due to the depth of explanation and the number of illustrations.

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrlstate=ewbsr79se_191&id=1425103.1
HISTORY
Author: DCOLLIER
Create Date: 28-FEB-2012
Update Date: 06-Nov-2012
Expire Date: distant future

DETAILS
Introduction
There are several places within the EBS R12 instance that require changes to properly work with SSL, as documented in Note 376700.1, Enabling SSL in Release 12. These several places are configured using different methods, and quite often the steps are done initially by one person and then need to be revisited by another person years later when a step is discovered to have been skipped or a certificate needs to be updated. This simplified guide provides an illustrated walkthrough of each step of the process using a trial certificate as an example. The process is similar for self-signed, internally signed, and paid-for certificates.
This guide is written as a very detailed and illustrated primer, and each step is illustrated in two ways. The orapki command line interface examples illustrate and accomplish the task in a very direct and curt fashion, whereas the abundance of screenshots from the Oracle Wallet Manager's graphical user interface should appeal to newer users. The desired result of creating a wallet can be achieved by either method, but first-time users should choose EITHER orapki OR owm and consider the alternate examples as an illustration of a concept.

SSL Offloading versus SSL Running Natively
SSL uses a handshake protocol to negotiate and establish a session between the client machines and the HTTPS-enabled web servers. During the handshake process, digital certificates are used to authenticate identity and negotiate how to encrypt the information for the remainder of the session. The Oracle EBS web tier is quite capable of this, but many customers opt to offload the SSL processing to a reverse proxy or load balancer. The SSL offloader that acts as an SSL terminator decrypts the SSL-encrypted data from the client and then proxies that data to the EBS tier in an unencrypted state. As the term implies, the overhead of SSL processing is taken completely off of the EBS web tier so that the EBS web tier is dedicated to EBS-specific processing. This improves performance and security because the SSL offloader tends to run on specialized SSL acceleration hardware separate from the EBS web tier and can more easily integrate with intrusion detection systems, virus detection systems, application layer firewalls, etc. Integration of EBS with one of these third-party devices is generally a simple matter of updating six AutoConfig context file parameters and then running AutoConfig after that third-party device is configured.
While the specific configuration of the third-party SSL hardware is supported and documented by the third-party vendor, the integration with EBS is detailed in the primary Note 376700.1. SSL offloading is mentioned here only as an important consideration before proceeding to run SSL directly on the EBS web tier, which is covered in the next section as a starting point for the illustration of the further EBS configuration details that follow. Note that even if an SSL offloader is used as a web entry point, the JDK(s) and database still require an SSL configuration of their own because they act as SSL clients to that web entry point.

Configuring the EBS Web Tier for Direct HTTPS Communication
1. Set Your Environment
The web tier setup on EBS R12 instances makes use of the utilities within the 10.1.3 ORACLE_HOME. The typical applmgr environment is based on the environment files from the APPL_TOP, which refer to the 10.1.2 ORACLE_HOME, so an alternate environment file must be sourced before attempting to start. Navigate to the 10.1.3 Configuration Home and source the 10.1.3 environment file. The file will be named after the $CONTEXT_NAME, which is typically the SID ($TWO_TASK) followed by the hostname.
For example:
> cd $ORA_CONFIG_HOME/10.1.3
> ls -l *.env
-rw-r--r-- 1 appv1211 dba 3202 Dec 31 01:13 V1211_myserver.env
> . ./*.env

Check your work. The above "dot space dot slash star dot env" should have executed the single environment file in the $ORA_CONFIG_HOME/10.1.3 directory and reset several environment variables in the current shell. The ORACLE_HOME should now be the 10.1.3 ORACLE_HOME and the available Oracle Wallet Manager (owm) executable should be from that same ORACLE_HOME.
For example:
> echo $ORACLE_HOME
/space/r1211/apps/tech_st/10.1.3
> which owm
/space/r1211/apps/tech_st/10.1.3/bin/owm

2. Create a Web Tier Wallet
The Oracle Wallet Manager (owm) is an X Windows application, so an X Windows display is required to use it. There are numerous X Windows clients available for the PC, the choice of which is left entirely to the user. Alternatively, UNIX/Linux machines are often set up with VNC or similar remote desktops if you choose not to run the wallet manager directly from the console. As another alternative, you can use the orapki command line interface, which needs no X Windows client. Both methods are covered here because the wallet manager offers better illustration of concepts and the orapki tool offers an elegantly simple and direct means to an end. To some extent the implementation process can be a mixture of orapki and owm, but it is less confusing to pick one method for the entire wallet setup.
The orapki method for creating a wallet is simply:
> orapki wallet create -wallet $INST_TOP/certs/Apache -auto_login
Enter wallet password:

The required option of -auto_login is enabled and the wallet is created in the EBS preferred directory via the -wallet option. This directory is the default value specified within the AutoConfig parameters s_ssl_keystore and s_ssl_truststore. Also, in this example, the wallet password of choice for the newly created wallet is quietly specified at the command prompt, but could have just as easily been specified as "welcome1" using the -pwd option, such as "-pwd welcome1". We'll prompt for passwords from this point forward, as this is a more secure practice than leaving scripts with plain-text passwords lying around.
The equivalent step with the wallet manager is as follows:
2a. Set the UNIX DISPLAY variable as needed. This depends on your choice of X Windows clients.
2b. Navigate to $INST_TOP/certs/Apache. Back up any existing wallets that may be there. If you ran the above orapki example (you did not need to), you already have a new wallet preloaded with some trusted certificates that you could examine with the wallet manager:
> cd $INST_TOP/certs/Apache
> ls -l
-rw------- 1 appv1211 dba 7940 Aug 12 08:59 cwallet.sso
-rw------- 1 appv1211 dba 7912 Aug 12 08:59 ewallet.p12

2c. Start the wallet manager as a background process:
> owm &

The Oracle Wallet Manager should start and display its beginning pages:


2d. On the Oracle Wallet Manager menu, select Wallet and then New. Answer "No" to the question "Your default wallet directory does not exist. Do you want to create it?"

2e. In the "New Wallet" window that appears, enter the password you would like to use for the new wallet. The orapki example used "welcome1", but any password can be used. Choose the wallet type of Standard, then click OK. This will create the initial wallet and then ask about creating a certificate request.


2f. Conveniently, the wallet manager asks if you would like to create a certificate request at this time. You can say "Yes" at this point and skip to step three. If you select "No", you can still create a certificate request via the menu navigation of "Operations" / "Add Certificate Request". We'll pause here to emphasize the importance of saving the wallet and highlight the workaround for a problem that occurs when saving the wallet for the first time.
At this point, you have created a wallet. You can choose Wallet / Save and select the $INST_TOP/certs/Apache directory as the place to save. The next important step is to check the "Auto Login" box and then save the wallet again. The reason for this double-step workaround is that if this is the first time you are creating a wallet and did not create a default wallet directory, then attempting to save the wallet with "Auto Login" checked will result in the error "Saving SSO wallet failed in: (blank)". Saving the wallet without "Auto Login" checked gives the opportunity to specify a directory to save to, but "Auto Login" is a requirement.


Saving the wallet without "Auto Login" checked creates the file "ewallet.p12":
> ls -l
-rw------- 1 appv1211 dba 7917 Aug 12 09:48 ewallet.p12

Saving the wallet with "Auto Login" checked (after successfully saving it once without the check) creates the additional and necessary file "cwallet.sso":
> ls -l
-rw------- 1 appv1211 dba 7917 Aug 12 09:48 ewallet.p12
-rw------- 1 appv1211 dba 7945 Aug 12 09:49 cwallet.sso

The Auto Login feature allows the wallet to be read by the OS user that owns the wallet (typically applmgr) without requiring an explicit password entry. This is required for EBS. You will continue to need the wallet password for all of the upcoming steps that require modifications to the wallet.

3. Create a Certificate Request

With orapki, you can simply add a Certificate Request to the wallet created above using the following example, which we'll also/instead do via owm.
orapki wallet add \
  -wallet . \
  -dn "CN=mymachine.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
  -keysize 2048 \
  -pwd welcome1

The -dn directive specifies the Distinguished Name, where:
CN = Common Name, which can be a server (including domain) or an individual. I've hidden my actual server name in this example.
OU = Organizational Unit
O = Organization
L = Locality or City
ST = State or Province (full name, do not abbreviate)
C = Country Code
The -keysize parameter specifies the bit length of the RSA private key (more on this later) and, as before, the -pwd directive specifies the wallet password.
The equivalent step with the wallet manager is as follows and assumes the wallet manager is running and still has the wallet open from the previous step.
Select "Operations", then "Add Certificate Request". This brings up a form similar to the parameter list described above for orapki.


Choose a key size greater than 2048 bits
The form for creating the certificate request shows a default key size of 1024 bits, but you should choose 2048 or higher. Starting January 1, 2014, the industry is requiring the use of 2048-bit key length on SSL certificates. This is in compliance with US National Institute of Standards and Technology (NIST) Special Publication 800-131A. Per NIST, the use of 1024-bit RSA keys is no longer applicable and 2048-bit keys should be implemented. According to NIST, 2048-bit keys should be applicable until 2030. In October 2012, Microsoft is planning to release a new service update that blocks RSA keys under 1024 bits on all of its Operating Systems. For more information, see the Microsoft Security Advisory available here: http://technet.microsoft.com/en-us/security/advisory/2661254. Additionally, most certificate authorities are now rejecting Certificate Signing Requests for 1024-bit certificates.
Notice in the above picture that prior to completing the Create Certificate Request form the wallet shows a status of "Certificate: [Empty]". As soon as you press [OK] on that form, the status will change to "Certificate: [Requested]" as seen below to indicate that the wallet now has a valid CSR:


4. Export the Certificate Request
Once the Certificate Request has been created you will need to export it so you can submit the request to a Certifying Authority. Via orapki, you can enter the following command, being sure to substitute the parameter values with the parameter values used to create the Certificate Request.

orapki wallet export \
  -wallet . \
  -dn "CN=mymachine.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
  -request server.csr \
  -pwd welcome1

Remember with this syntax that "-wallet ." refers to the wallet in the present working directory and that "server.csr" is the name of the file that will hold the contents of the certificate signing request and is somewhat arbitrary. If orapki was successful it will say nothing, but the "server.csr" file will be created.

The equivalent step with the wallet manager is as follows.
Click the mouse cursor to highlight where it says "Certificate: [Requested]", then from the menu choose "Operations" and then "Export Certificate Request". A dialog box will pop up requesting where to save the file and what to name it. The name is somewhat arbitrary, but it is common practice to name it after the server and with a ".csr" extension as seen below. Note that the top line in this form is used for navigating to a path, whereas the bottom line is for specifying the file name.


If you successfully exported the certificate request, you will quietly notice the "Certificate request export successful" message at the bottom of the wallet manager screen. More importantly, the file as you named it will be in the directory you specified.

SAVE THE WALLET
At this point you can exit the wallet manager, but do not forget to save the wallet. There is no reasonable way to take an exported certificate signing request and force it back into a wallet. In the steps that follow you will submit the exported certificate signing request file to a signing authority and that signing authority will reply with a user certificate to import. You will NOT be able to import this user certificate unless the wallet is in a state of "Certificate: [Requested]" with the identical certificate request that you submitted to the signing authority. If you create a new certificate signing request, even with identical field parameters, it will not be the same as any previously created CSR (each request is generated with its own private key, which exists only in the wallet that made the request) and therefore will not match the user certificate, and owm will refuse to import it.
If this is the second time you are saving the wallet, then this should go very smoothly via the Wallet / Save menu selection described in step 2. If you attempt to exit owm without saving, you are given just one, final chance. Click [Yes]. Clicking [X] will close the wallet without saving just as surely as clicking [No].

5. Submit the Certificate Request to a Certifying Authority
The certificate authorities available to sign your certificate request are too numerous to mention. The price ranges from free to very expensive, depending on the sophistication of the certificate and other factors. Each certificate vendor makes their own case on their website for why their certificate is the best. In this example, I've chosen the familiar Verisign trial certificate because it is both free (for a short period) and common.
As a quick note, if you have just an internal test instance, you could use orapki to add a self-signed certificate. Self-signing enables good SSL encryption, but offers essentially nothing to confirm the identity of the server. A certificate purchased from a vendor is analogous to a state-issued ID card, such as a driver's license. A self-signed certificate is analogous to an ID card you made yourself that may be trusted by your friends, but not likely by anyone else. I only mention this here as a side note for those that prefer to quickly create a certificate for free without involving a third party. If you run the below command, the wallet will immediately have a certificate in ready status and you can skip the steps on submitting the CSR and importing the third-party-supplied certificates.

To add a self-signed cert run the following command, but change the DN list to your server's values. Skip this if you are continuing with the steps to obtain a certificate from a vendor.
> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -dn "CN=myserver.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
  -keysize 2048 \
  -self_signed \
  -validity 365 \
  -pwd welcome1

This self-signed example uses the same parameters explained previously, but also adds that the certificate is to be valid for one year (-validity 365). This gives much more time than the typical 14 or 30 day trial certificate period.
If you are NOT going with a self-signed certificate, then submit your certificate request to a signing authority. I've opted not to put screenshots for this section because the websites update their pages often and therefore screenshots become stale almost immediately. For the remainder of this guide, I'm using the Verisign Trial Certificate (aka Norton, aka Symantec), which is readily visible from their home page. The process for these typical websites starts with giving contact information and then a form where you can either upload the CSR as a file or paste it directly into a given field. When pasting, be sure to paste the entire contents of the file, including the Begin/End lines (for example):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMQ8wDQYDVQQHEwZE
ZW52ZXMub3JhY2xlLmNvbTCCASIwDQYJKoZIIxEDAOBgNVBAoTB1N1cHBvcnQxFjAUBgNVBAsTDU
GGRjb2xsMTIxeGUudXMub3JhY2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALunGNjzWoXteHJK6Xnddp2BHtjZxrvaRdj3L1YB9nokyCHJQykpqbOWehz/Ft1jzi7HkBat6BjO
34lBl33msse/gWMQ8bb0+tQgFEfBKJ5GxhKR/Fh5G6sezAWaKteesexANEkqh91nfQrbF7fDrgY+
ylLiUUVBH349 This is just an example to show what a CSR looks PGA6PMqsxzjNc
AZB4kJHuYiqC like, in general. This one is not entirely real. EBggt9dj+18n1
KYEKuAqSUZ4NMJG0CrZwCcyeLwtD6S9apwicHU0CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQAk
TKZYvVzWSH7AMXzo/WcWuDUx6bxuln1ujGtEwYBD33DfNDBos0kjJZ17c3aZ/fnHhfJAusZ6aiQu
6CKECCcgLaksidnM5sviGsEwdWHmxX8A+15/QqvDTinv8j/q/kpLTxODnZxEaYi8IrWKPsMC3z/j
EB93DJLN3sa5KcF9Qf5sBwkSecvWIjqPIrbAFDz2L5Djsr+DxrjIXhYAJ8YKn0fu5lYUQNebqxey
OkOSdYrj4KHz8V64OGf2dseTjqLGCXOTuuXcdSJRKuHbvBYDcoW1V/3Ug2flGroqxASzkZgCA1I1
U8dA1gGl97CbFdVv6O9n//gkMvGvPi/Osv6/
-----END NEW CERTIFICATE REQUEST-----
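A hand-pasted CSR fails at the CA for mundane reasons: a missing BEGIN or END line, a line dropped from the middle, or trailing characters cut off. The following check is an added example (it is not part of this note and is not an Oracle tool) that catches those cases before submission. It relies on two facts: the body is base64, and that base64 decodes to a single DER SEQUENCE whose header states its own length, so a truncated or incomplete paste shows up as a length mismatch. The sample request wrapped by make_csr_text is a constructed, minimal DER value, not a real CSR.

```python
"""Sanity-check a PEM certificate signing request before pasting it into a CA's form.

Added example, not part of the Oracle note. It checks the things that go wrong
when a CSR is copied by hand: missing BEGIN/END lines, a dropped line in the
body, or trailing characters cut off. The DER length check works because the
base64 body decodes to one ASN.1 SEQUENCE whose header states its own length.
"""
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$")
END_RE = re.compile(r"^-----END (NEW )?CERTIFICATE REQUEST-----$")


def der_declared_length(der):
    """Return the total length (header + content) that an outer DER SEQUENCE claims for itself."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body does not start with an ASN.1 SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                     # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                     # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("truncated length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_csr_text(text):
    """Return (ok, reason); ok is True only when markers and body are all consistent."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines or not BEGIN_RE.match(lines[0]):
        return False, "missing BEGIN line"
    if not END_RE.match(lines[-1]):
        return False, "missing END line"
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        return False, "body contains non-base64 characters"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False, "body is not valid base64 (a line is probably missing or cut)"
    try:
        declared = der_declared_length(der)
    except ValueError as e:
        return False, str(e)
    if declared != len(der):
        return False, f"DER length mismatch: header says {declared} bytes, got {len(der)}"
    return True, "ok"


def make_csr_text(der):
    """Wrap DER bytes in the PEM markers a CA expects (helper for constructed samples)."""
    body = base64.b64encode(der).decode("ascii")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
            + "\n".join(chunks)
            + "\n-----END NEW CERTIFICATE REQUEST-----\n")


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real CSR.
SAMPLE_CSR = make_csr_text(bytes([0x30, 0x03, 0x02, 0x01, 0x05]))

if __name__ == "__main__":
    print(check_csr_text(SAMPLE_CSR))
    # Simulate a paste that lost the END line:
    print(check_csr_text(SAMPLE_CSR.replace("-----END NEW CERTIFICATE REQUEST-----\n", "")))
    # Simulate a paste that lost the final byte of the request:
    print(check_csr_text(make_csr_text(bytes([0x30, 0x03, 0x02, 0x01]))))
```

Run it against the server.csr exported in step 4 by reading the file into check_csr_text; the same check applies to the .cer files the CA returns, by swapping the marker patterns for "CERTIFICATE".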

After submitting the certificate request, your certificate vendor should respond with an SSL certificate via email fairly quickly. Trial certificates generally come almost immediately, but production certificates generally take longer. While self-signed certificates enable data encryption, they do nothing to assure users of the legitimacy of a given website. In contrast, production certificates (and trial certificates to a lesser extent) generally include a vetting process where the certificate authority must verify the identification and other aspects of the website owner and certificate requestor.
The email from the certificate authority should also explain that almost every certificate commonly issued today is an EV (extended validation) certificate, which requires both an intermediate and a root certificate to accompany your newly created server certificate. In the case of the Verisign Trial Certificate, there is a special "Test Root CA Certificate" and a "Trial SSL Intermediate Certificate" that is different from the production certificates. For the server certificate (aka "user certificate") to be imported, you must first import these lower certificates into the wallet as "trusted certificates". This is illustrated below with an orapki example and a graphical owm example.

5. Import your Certificate to the Wallet
Given the typical example of the Verisign Trial certificate, there are a total of three certificates that need to be imported into the wallet. The root and intermediate certificates will be imported into the wallet as trusted certificates and the server certificate will be imported into the wallet as a user certificate. These certificates are downloaded according to the instructions in the certificate vendor email. Generally, the email provides the server certificate in the text of the email and then provides links to the vendor website where the trial root and intermediate certificates can either be downloaded as a file or copy/pasted off the web pages. Therefore, the file names for these certificates are entirely arbitrary, but should be named sensibly.
I used the following:
TrialRoot.cer
TrialIntermediate.cer
server.cer

To illustrate a point, here is an attempt to import the server certificate without the root and intermediate:

> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -user_cert \
  -cert server.cer \
  -pwd welcome1
orapki replies with:
Could not install user cert at server.cer.
Please add all trusted certificates before adding the user certificate

The following sequence does work (orapki replies with no message when all is well):

> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -trusted_cert \
  -cert TrialRoot.cer \
  -pwd welcome1
> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -trusted_cert \
  -cert TrialIntermediate.cer \
  -pwd welcome1
> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -user_cert \
  -cert server.cer \
  -pwd welcome1

You can verify the successful import of the certificates into the wallet by using the following. Note the lack of "Requested Certificates", the presence of the "User Certificate", and the additional "Trusted Certificates" (example reformatted for clarity):

> orapki wallet display -wallet $INST_TOP/certs/Apache
Requested Certificates:

User Certificates:
Subject: CN=myserver.us.oracle.com,
         OU=Terms of use at www.verisign.com/cps/testca (c)05,
         OU=ATG Specialty,
         O=Support,
         L=Denver,
         ST=Colorado,
         C=US
Trusted Certificates:
Subject: CN=VeriSign Trial Secure Server Root CA - G2,
         OU=For Test Purposes Only. No assurances.,
         O=VeriSign\,Inc.,
         C=US
Subject: CN=VeriSign Trial Secure Server CA - G2,
         OU=Terms of use at https://www.verisign.com/cps/testca (c)09,
         OU=For Test Purposes Only. No assurances.,
         O=VeriSign\,Inc.,
         C=US
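When this verification is repeated on many instances, or years later by someone checking whether a step was skipped, it helps to have the "Requested / User / Trusted" reading automated. The script below is an added example, not part of this note and not an Oracle tool: it parses a transcript of orapki wallet display into the three sections, splits each Subject DN into its attributes while honouring the backslash-escaped comma in the VeriSign organization name, and reports whether the wallet is in the state the note calls "Certificate: [Ready]" (no outstanding request, exactly one user certificate, and at least the root and intermediate present as trusted certificates). The SAMPLE_DISPLAY text is constructed after the output shown above, with each DN on one line.

```python
"""Check an 'orapki wallet display' transcript for the state this step expects.

Added example, not part of the Oracle note. Parses the Requested / User /
Trusted sections, splits Subject DNs (a backslash-escaped comma is part of the
value, not a separator), and decides whether the wallet is ready for the web tier.
"""
import re

# Constructed sample, modelled on the orapki output shown in the note above.
SAMPLE_DISPLAY = """\
Requested Certificates:

User Certificates:
Subject: CN=myserver.us.oracle.com,OU=Terms of use at www.verisign.com/cps/testca (c)05,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US
Trusted Certificates:
Subject: CN=VeriSign Trial Secure Server Root CA - G2,OU=For Test Purposes Only. No assurances.,O=VeriSign\\,Inc.,C=US
Subject: CN=VeriSign Trial Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/cps/testca (c)09,OU=For Test Purposes Only. No assurances.,O=VeriSign\\,Inc.,C=US
"""

SECTION_RE = re.compile(r"^(Requested|User|Trusted) Certificates:\s*$")


def split_dn(dn):
    """Split a DN string into (attribute, value) pairs; '\\,' is a literal comma."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character itself
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def parse_display(text):
    """Return {'Requested': [...], 'User': [...], 'Trusted': [...]} of parsed Subject DNs."""
    sections = {"Requested": [], "User": [], "Trusted": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and line.startswith("Subject:"):
            sections[current].append(split_dn(line[len("Subject:"):].strip()))
    return sections


def wallet_ready(sections):
    """True when no request is outstanding, one user cert is installed, and root + intermediate are trusted."""
    return (not sections["Requested"]
            and len(sections["User"]) == 1
            and len(sections["Trusted"]) >= 2)


def common_name(dn_pairs):
    """The CN attribute of a parsed DN, or None if absent."""
    return next((v for a, v in dn_pairs if a == "CN"), None)


if __name__ == "__main__":
    s = parse_display(SAMPLE_DISPLAY)
    print("user cert CN:", common_name(s["User"][0]))
    print("trusted CNs:", [common_name(d) for d in s["Trusted"]])
    print("ready:", wallet_ready(s))
```

The same check applies after the owm import described next: pipe the display output of the saved wallet through parse_display and wallet_ready before copying the wallet to the OPMN directory.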

The equivalent step with the wallet manager is as follows:
Start owm and open the wallet as before and select "Operations", "Import User Certificate". If "Import User Certificate" is grayed out, that indicates that there is no certificate signing request, which would otherwise be indicated by "Certificate: [Requested]". If you are following these steps in order, this option should be available.


You will be given the option of either pasting the certificate or selecting a file that contains the certificate. If you wish to select a file that contains the certificate, note that the wallet manager dialog will look on the server where owm is running (not your local PC), so you must take the extra step of copying/ftping your certificate to the server. The "Import Certificate" selection box can be tricky. If you know the complete path and name of the certificate file, you can enter this on the bottom line under "Enter file name". If you need to browse for the file, you must use the top two lines and the Folders/Files selection boxes.

Similar to the orapki example, you can import the trusted certificates first, but the wallet manager is more forgiving than orapki. After selecting the server certificate for import as a user certificate, the following error is seen:

If you click [Yes], you can neatly import the first trusted certificate (TrialIntermediate.cer in this example) using the similar file selection dialog as above. The server certificate is an EV (extended validation) certificate, so immediately you will see the prompt again to import "CA certificate now", but notice in the background that the first CA certificate (TrialIntermediate.cer in this example) was imported:


At this point, click [Yes] once again and import the remaining certificate (TrialRoot.cer in this example). This results in "Certificate: [Ready]" and both of the CA certificates listed in the trusted certificates section.

As before, be certain to save the wallet with Auto Login enabled.


6. Copy the Apache Wallet to the OPMN Wallet
As applmgr:
> cp $INST_TOP/certs/Apache/*wallet* $INST_TOP/certs/opmn

7. AutoConfig
As a quick test, we'll implement SSL via AutoConfig and then continue with the rest of the setup afterwards, for reasons that will be made clear later. While the Oracle Applications Manager (OAM) context editor is the recommended method for updating the EBS configuration, the vast majority of customers simply edit the AutoConfig context file directly. It is always a good practice to make a backup copy of the context file before editing because the XML syntax can be tricky and a single misplaced character can make the file entirely meaningless to the AutoConfig engine.
In this example, I'm taking the original web entry URL of http://myserver.us.oracle.com:8010 and changing it to https://myserver.us.oracle.com:4443. The changes are documented in Note 376700.1 with the following matrix and detailed below:
Variable                   Non-SSL Value                                      SSL Value
s_url_protocol             http                                               https
s_local_url_protocol       http                                               https
s_webentryurlprotocol      http                                               https
s_active_webport           same as s_webport                                  same as s_webssl_port
s_webssl_port              not applicable                                     default is 4443
s_https_listen_parameter   not applicable                                     same as s_webssl_port
s_login_page               url constructed with http protocol and s_webport   url constructed with https protocol and s_webssl_port
s_external_url             url constructed with http protocol and s_webport   url constructed with https protocol and s_webssl_port
s_help_web_agent           url constructed with http protocol and s_webport   url constructed with https protocol and s_webssl_port

The original and edited context file ($CONTEXT_FILE) parameters, in detail, were:
ORIGINAL: <url_protocol oa_var="s_url_protocol">http</url_protocol>
CHANGED:  <url_protocol oa_var="s_url_protocol">https</url_protocol>
ORIGINAL: <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
CHANGED:  <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
ORIGINAL: <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
CHANGED:  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
ORIGINAL: <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8010</activewebport>
CHANGED:  <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">4443</activewebport>
ORIGINAL: <web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
CHANGED:  <web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
ORIGINAL: <httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
CHANGED:  <httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
ORIGINAL: <HELP_WEB_AGENT oa_var="s_help_web_agent"/>
CHANGED:  <HELP_WEB_AGENT oa_var="s_help_web_agent"/>
ORIGINAL: <login_page oa_var="s_login_page">http://myserver.us.oracle.com:8010/OA_HTML/AppsLogin</login_page>
CHANGED:  <login_page oa_var="s_login_page">https://myserver.us.oracle.com:4443/OA_HTML/AppsLogin</login_page>
ORIGINAL: <externURL oa_var="s_external_url">http://myserver.us.oracle.com:8010</externURL>
CHANGED:  <externURL oa_var="s_external_url">https://myserver.us.oracle.com:4443</externURL>

There are other noteworthy context entries that are NOT changed because the defaults are generally assumed. These assumed values are why the web tier wallet was created in the directory that it was:

<websrvwallet oa_var="s_websrv_wallet_file">/space/r1211/inst/apps/V1211_myserver/certs</websrvwallet>
<ssl_truststore oa_var="s_ssl_truststore">/space/r1211/inst/apps/V1211_myserver/certs/Apache/cwallet.sso</ssl_truststore>
<ssl_keystore oa_var="s_ssl_keystore">/space/r1211/inst/apps/V1211_myserver/certs/Apache/cwallet.sso</ssl_keystore>


The following is used when the reverse proxy is SSL, but the underlying web tier is HTTP. The example for this document was without a reverse proxy and with the web tier as SSL, so the sslterminator must remain as '#':
<sslterminator oa_var="s_enable_sslterminator">#</sslterminator>

After these changes, stop the web tier services, run AutoConfig, and then start the web tier services once again.
For example:

> cd $ADMIN_SCRIPTS_HOME
> adstpall.sh apps/apps
> adautocfg.sh
> adstrtal.sh apps/apps
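Because a single misplaced character makes the context file useless to AutoConfig, the edit is worth doing with an XML parser rather than a text editor. The script below is an added example, not part of this note and not Oracle's own tooling: it backs up the file, locates each element by its oa_var attribute (the names are those shown in the matrix above), sets the SSL-side values (protocols to https, active web port and HTTPS listen parameter to the s_webssl_port value, login page and external URL rebuilt on that port), and re-parses the written file so malformed XML is caught before adautocfg.sh ever runs. The SAMPLE_CONTEXT document is a constructed, cut-down fragment; a real $CONTEXT_FILE has many more elements and extra attributes (oa_type, base, step, range, label), which ElementTree preserves untouched. s_enable_sslterminator stays at '#', and s_webssl_port and s_help_web_agent are left as they are, matching the detail listing above.

```python
"""Switch AutoConfig context parameters from the non-SSL to the SSL values.

Added example, not Oracle tooling. Applies the variable changes listed in the
note above to a context file, after backing it up, and re-parses the result so
a malformed file is caught before AutoConfig runs. Element and oa_var names are
the ones in the note; the sample document is a constructed, cut-down fragment.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of $CONTEXT_FILE (not a complete context file).
SAMPLE_CONTEXT = """<?xml version="1.0"?>
<oa_context>
  <url_protocol oa_var="s_url_protocol">http</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
  <activewebport oa_var="s_active_webport" oa_type="DUP_PORT">8010</activewebport>
  <web_ssl_port oa_var="s_webssl_port" oa_type="PORT">4443</web_ssl_port>
  <httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
  <HELP_WEB_AGENT oa_var="s_help_web_agent"/>
  <login_page oa_var="s_login_page">http://myserver.us.oracle.com:8010/OA_HTML/AppsLogin</login_page>
  <externURL oa_var="s_external_url">http://myserver.us.oracle.com:8010</externURL>
  <sslterminator oa_var="s_enable_sslterminator">#</sslterminator>
</oa_context>
"""


def find_var(root, oa_var):
    """Locate the element carrying a given oa_var attribute, wherever it sits in the tree."""
    el = root.find(f".//*[@oa_var='{oa_var}']")
    if el is None:
        raise KeyError(f"context file has no element with oa_var={oa_var}")
    return el


def ssl_values(root):
    """Compute the SSL-side values of the note's matrix from the current s_external_url and s_webssl_port."""
    host = find_var(root, "s_external_url").text.split("://", 1)[1].split(":", 1)[0]
    ssl_port = find_var(root, "s_webssl_port").text.strip()
    return {
        "s_url_protocol": "https",
        "s_local_url_protocol": "https",
        "s_webentryurlprotocol": "https",
        "s_active_webport": ssl_port,
        "s_https_listen_parameter": ssl_port,
        "s_login_page": f"https://{host}:{ssl_port}/OA_HTML/AppsLogin",
        "s_external_url": f"https://{host}:{ssl_port}",
    }


def enable_ssl(context_path):
    """Back up the file, rewrite the variables, re-parse, and return the values written."""
    shutil.copy2(context_path, context_path + ".pre-ssl")   # backup before touching the XML
    tree = ET.parse(context_path)                           # fails loudly if the XML is already broken
    root = tree.getroot()
    new_values = ssl_values(root)
    for var, value in new_values.items():
        find_var(root, var).text = value
    tree.write(context_path, xml_declaration=True, encoding="UTF-8")
    ET.parse(context_path)                                  # re-parse: the written file must still be valid XML
    return new_values


def read_var(context_path, oa_var):
    """Read one oa_var value back from a context file."""
    return find_var(ET.parse(context_path).getroot(), oa_var).text


def demo():
    """Write the constructed sample to a temp file, convert it, and return the file path."""
    path = os.path.join(tempfile.mkdtemp(), "V1211_myserver.xml")
    with open(path, "w") as f:
        f.write(SAMPLE_CONTEXT)
    enable_ssl(path)
    return path


if __name__ == "__main__":
    p = demo()
    for v in ("s_url_protocol", "s_active_webport", "s_login_page", "s_external_url", "s_enable_sslterminator"):
        print(v, "=", read_var(p, v))
```

On a real instance the argument to enable_ssl is $CONTEXT_FILE, run as applmgr with the services stopped; the .pre-ssl copy is the backup the note recommends, and AutoConfig is still run afterwards as shown above.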

Client Configurations
Introduction
At this point, it will seem that the SSL setup is complete because most functionality will work. This is a common mistake that returns to haunt the instance later. I'm referring to this section as "client configurations" and start with the configuration of the client browser. The client browser is the most obvious case of a client connecting to the web entry URL. The less obvious client connections come from within the EBS instance.
It is very common for the various bits of functionality within EBS to make URL calls to the web entry URL. For example, the Java-based Workflow mailer on the concurrent manager tier may use the JDK (Java Development Kit) on the concurrent manager tier to make the HTTPS URL call to retrieve framework content for workflow emails via the web entry URL. With iRecruitment, URL calls may be generated from the web tier JDK and also from the database via the OWA_UTIL package. Therefore, it is just as necessary to populate the trusted certificate store of the JDKs and the database as it is to populate the trusted certificate store of the client browser. The JDK and database client configuration dissertation follows the client browser configuration dissertation.
On a related point, if you implement SSL with a paid-for certificate, the client browser is likely to already have the root and intermediate certificates that work with the server certificate just installed, and therefore the initial connection from the browser will simply work, whereas client connections from the JDK or the database will not. The trial certificate is a good example of what happens when a non-standard certificate is used and illustrates this point further.

Client Browser Configuration
On initial connection with the HTTPS web entry URL presenting a trial certificate, most browsers will immediately want to reject the connection because the connection is not trusted. As browser versions vary, the appearance of these screens will differ, but a recent Mozilla Firefox example and Internet Explorer example appear as the following.
For example, a typical screen from Mozilla Firefox:


Similarly, the equivalent Microsoft Internet Explorer example is:


Mozilla Firefox Security Exception
With the Mozilla Firefox example, you can simply click on "Confirm Security Exception" and choose to permanently store the exception.

Before accepting the exception, this is a good time to introduce the rather excellent certificate viewer available via the View button, which will be used later:


From the General tab, you can see that this is indeed the certificate that was just installed. From the Details tab, you can see the certificate chain is comprised of the "Verisign Trial Secure Server Root CA - G2", the "Verisign Trial Secure Server CA - G2", and the named server certificate. There is also the Export button, which can be used to create three files from each of the three certificates that are very similar to the three files that were installed earlier into the web tier wallet. This is very useful later because these files can be imported into the JDK and database trusted certificate stores.

Microsoft Internet Explorer Security Exception
With Internet Explorer, the concept is the same, but the navigation differs. In this case you DO want to "Continue to this website (not recommended)" since that is the only way to proceed to the login page. The URL line will be painted red and there will continue to be a warning as shown below. You can click on where it says "Certificate Error" to view the certificates similar to the earlier illustration:


With the Internet Explorer certificate viewer, you can also see the chain of certificates, and here (above screenshot) it is highlighted that the problem certificate is the root trial certificate. Other certificates for other vendors may vary, but the trial certificate from Verisign is a special one that is not included in most browser certificate stores. If you click on the offending certificate, you can view it and click the button to install the certificate via the certificate import wizard, following the defaults. The next time you visit the EBS login page for this instance (after restarting the browser), you will no longer see a certificate error because the certificates presented are now trusted.

It was important to illustrate the concept of importing trusted certificates twice because it illustrates the client concepts in the next section, where we'll be importing these same certificates into the JDK and the Database wallet.

Retrieving the Public Facing SSL Certificates Using the Client Browser
Introduction
As described earlier in this document, there were three files returned from the certificate authority that were imported into the web tier's wallet:
TrialRoot.cer
TrialIntermediate.cer
server.cer
If you still have these files (the actual file names are arbitrary) then you can skip this step, but as alluded to earlier it is quite common to need these files for the JDK and the database wallet and not have them. This is especially common if the SSL is being handled by an SSL offloader such as a hardware load balancer controlled by a division of a large corporation different from the division that handles the EBS instance.
If you do not have these files, they are easily retrieved. When a browser (or any SSL client) connects to an SSL URL, the following general sequence of steps occurs:
1. The browser requests that the web server identify itself.
2. The server sends the browser a copy of its SSL Certificate.
3. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server. (If not, the SSL connection fails.)
4. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
5. Encrypted data is shared between the browser and the server.
Step 2 is the reason you can use the browser to recover the three original files (more or fewer files if you are using some other certificate). Step 3 is the reason the certificates had to be accepted in the browser's trusted certificate store and why the JDK and database wallet will also need the certificates.

Retrieving the Certificates using Mozilla Firefox

Just after invoking the URL to connect to the SSL enabled EBS instance, the Mozilla Firefox browser will indicate the acceptance of the SSL certificate presented by adding a padlock icon to the URL in the address bar (location bar). Clicking the mouse on that padlock will display the window with the button for [More Information...]. The screen following that displays the rather excellent certificate viewer illustrated earlier. From this certificate viewer, you can save each one of the three certificates by using the [Export] button.
Highlight each one of the three certificates, one by one, and export them as X509 PEM certificate format. Once again, the file names are arbitrary, but choose names that are meaningful.


Retrieving the Certificates using Internet Explorer


Just after invoking the URL to connect to the SSL enabled EBS instance, the Internet Explorer browser will indicate the acceptance of the SSL certificate presented by adding a padlock icon to the URL in the address bar (location bar). Clicking the mouse on that padlock will display the window with the hyperlink to "View Certificates", which will then bring up the Internet Explorer version of the certificate viewer. This is substantially more cumbersome than the Mozilla Firefox certificate viewer.


Clicking on the [Copy to File] button will start the Certificate Export Wizard. Use this to save the server certificate in X509 Base64 format.

To retrieve the Intermediate and Root certificates, navigate back to the main certificate viewer window and click the "Certificate Path" tab. If you highlight the server certificate, the [View Certificate] button will gray out, and this is why the previous step was used to retrieve it. If you highlight the remaining Intermediate or Root Certificate, the [View Certificate] button will be enabled. Clicking on the [View Certificate] button will open a new instance of the certificate viewer that is specific to the certificate you highlighted. As before, click the Details tab, click the [Copy to File] button, and navigate through the Certificate Export Wizard to export the certificate.


Repeat these steps for each certificate.
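The browser steps above recover the chain interactively. As an added example (not part of the Oracle note), the same one-file-per-certificate result can be produced from a shell with openssl, which captures exactly what the server sends in step 2 of the handshake; the host, port 4443, the ./mycerts directory and the presence of openssl on the PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle note): recover the full certificate
# chain that the EBS web entry point presents, without a browser, writing
# one PEM file per certificate, as the browser Export step does.
# Assumes the openssl command-line tool is on the PATH.

# split_pem_chain DIR: read PEM text on stdin, write DIR/cert-1.pem,
# DIR/cert-2.pem, ... (one per BEGIN/END block, in the order the server
# sent them) and print the number of files written.
split_pem_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/  { close(f); f = "" }
        END { print n + 0 }'
}

# fetch_chain HOST PORT DIR: connect to the web entry point and capture
# every certificate the server sends (-showcerts), then split them.
# -servername matters where several virtual hosts share one listener.
fetch_chain() {
    host=$1; port=$2; outdir=$3
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | split_pem_chain "$outdir"
}

# describe_chain DIR: print subject, issuer and SHA1 fingerprint of each
# file so the server, intermediate and root certificates can be told
# apart before renaming them (server.cer, TrialIntermediate.cer, ...).
describe_chain() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -fingerprint -sha1 -in "$f"
    done
}

# Runs only when EBS_HOST is set (hypothetical host and port), e.g.:
#   EBS_HOST=serverxxx.us.oracle.com EBS_PORT=4443 sh fetch_chain.sh
if [ -n "${EBS_HOST:-}" ]; then
    count=$(fetch_chain "$EBS_HOST" "${EBS_PORT:-4443}" ./mycerts)
    echo "wrote $count certificate file(s) to ./mycerts"
    describe_chain ./mycerts
fi
```

Copy the resulting files to the apps tier and database tier under the names used in the rest of this note; the fingerprints printed by describe_chain are the same values keytool shows on import.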

Importing SSL Certificates into the JDK's Trusted Certificate Store
At this step, based on the initial section where the certificate files were created or the previous section where the certificate files were recreated, you will have three certificate files representing the server certificate, the intermediate certificate, and the root certificate. This is the typical certificate chain provided by the Verisign Trial certificate, which is used as the example in this document. Self-signed and internally signed certificates will have more or fewer certificates in the chain. Nevertheless, all certificates should be imported into the JDK. Regardless of the number of certificates, the concept of importing the certificates into the JDK is the same.
Continuing with the example of the Verisign Trial Certificate, there are/were three certificates which were FTP'd to the apps tier (application tier) server:
TrialRoot.cer
TrialIntermediate.cer
server.cer
Within EBS, the JDK is often called upon to act as an SSL client, similar to the way the browser acts as an SSL client when connecting to the EBS instance. The reason for this is that it is very common for Java based product functionality to make URL calls to the same web entry point the client browser connected to. For the JDK to successfully make this SSL connection, it is similar to the client browser in that it must have a store of trusted certificates. The JDK is different from the browser in that it will not interactively act with the user to accept certificates. These certificates must be loaded into the JDK's trusted certificate store before the SSL connection is attempted. If the certificates are not in place, the SSL connection will fail, and that failure will not be readily apparent on the user interface.
The default certificate store for the JDK on each EBS applications tier is $AF_JRE_TOP/lib/security/cacerts and the default password for cacerts is "changeit". The key and certificate management utility for managing public/private key pairs and certificates is the keytool command ($AF_JRE_TOP/bin/keytool). To import each of the three certificates in this example, the keytool command is run three times:
For example:
keytool -import -alias TrialRoot \
-file /home/applmgr/mycerts/TrialRoot.cer \
-trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
keytool -import -alias TrialIntermediate \
-file /home/applmgr/mycerts/TrialIntermediate.cer \
-trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
keytool -import -alias Servername \
-file /home/applmgr/mycerts/server.cer \
-trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts

Piece by piece, the keytool command string we're using means:
keytool - The certificate management utility for Java ($AF_JRE_TOP/bin/keytool).
-import - Import the specified certificate into the specified keystore ($AF_JRE_TOP/lib/security/cacerts for EBS).
-alias - In the case of EBS, this name is arbitrary, but must be different from any other alias entry in the keystore.
-file - The name of the certificate file (X509 Base64 PEM format) to import.
-trustcacerts - Import the certificate file as a trusted certificate, such as from a certificate authority.
-v - Verbose; show the user detailed output.
-keystore - The name of the keystore in which to import the trusted certificate.
The following example is for the TrialRoot certificate, but be sure to repeat this for all certificates in the chain (TrialRoot.cer, TrialIntermediate.cer, server.cer in this example). Additionally, you should repeat this process for each web tier JDK and each concurrent manager node JDK (in case the concurrent manager node is not on the same apps tier as the web node):

> ls -l
total 12
-rw-r--r-- 1 appv1211 dba 2009 Sep 23 06:40 server.cer
-rw-r--r-- 1 appv1211 dba 1964 Sep 23 06:41 TrialIntermediate.cer
-rw-r--r-- 1 appv1211 dba 1566 Sep 23 06:39 TrialRoot.cer
> which keytool
/space/r1211/apps/tech_st/10.1.3/appsutil/jdk/jre/bin/keytool
> ls -l $AF_JRE_TOP/lib/security/cacerts
-rw-r--r-- 1 appv1211 dba 64251 Jun 5 2011 /space/r1211/apps/tech_st/10.1.3/appsutil/jdk/jre/lib/security/cacerts
> keytool -import -alias TrialRoot \
-file /home/applmgr/mycerts/TrialRoot.cer \
-trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 168164a428ca12dfab12f19fb1b93554
Valid from: Tue Mar 31 18:00:00 MDT 2009 until: Sat Mar 31 17:59:59 MDT 2029
Certificate fingerprints:
MD5: E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
Signature algorithm name: SHA1withRSA
Version: 3
Extensions: ...
Trust this certificate? [no]: yes
Certificate was added to keystore
> ls -l $AF_JRE_TOP/lib/security/cacerts
-rw-r--r-- 1 appv1211 dba 65400 Oct 5 12:26 /space/r1211/apps/tech_st/10.1.3/appsutil/jdk/jre/lib/security/cacerts

Enter keystore password: changeit - unless you did change it
If you are prompted to "Enter keystore password", the default password for an Oracle installed JDK is "changeit". If that password does not work, it is reasonably simple to delete/move the existing keystore and create a new keystore with a password of your choosing.
> mv $AF_JRE_TOP/lib/security/cacerts $AF_JRE_TOP/lib/security/cacerts.old
Then, when you run either of the above keytool commands to import a certificate for the first time, a new cacerts will be created and you will be prompted for a password of your choice instead of being asked for just the current password:
Enter keystore password: whatever
Re-enter new password: whatever

Repeat the import for all certificates in the certificate chain and for each JDK.
The best way to be certain that the JDK has all of the certificates necessary to complete the SSL negotiation with your web entry URL is to simply separate what that URL presents into separate SSL certificates as described above (Retrieving the Public Facing SSL Certificates Using the Client Browser) and then import each one into the JDK. It is rarely or never a problem to have too many certificates, but always a problem to have too few. Furthermore, in a typical EBS installation it is common to have more than one apps tier (applications tier). Each apps tier will have its own JDK and each JDK should have a complete set of trusted certificates.
You can review what is already in the keystore with the following command.
> keytool -list -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
You can optionally add a grep to look for specific SHA1 certificate fingerprints, such as the VeriSign Trial Secure Server Root CA imported above, to confirm they are in the keystore:
> keytool -list -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts | grep "SHA1:" |
grep -E '51:51:B8:63:8A:4C:1F:15:54'
Enter keystore password: changeit
SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36

For further information on the keytool utility, see:
http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

Creating a Database Wallet and Importing Trusted SSL Certificates
For reasons similar to the above JDK explanation, the database is often called upon to act as an SSL client, similar to the way the browser acts as an SSL client when connecting to the EBS instance. The most common method is to have the product code make use of the OWA_UTIL package and make a URL call from PL/SQL. If this URL starts with https, then the database will have to negotiate the SSL connection just like any SSL client browser and will therefore need a set of trusted certificates in a private store. For the database, the private store of trusted certificates is the database wallet. By default, this wallet does not exist at all, so there is no pre-existing set of common certificates available by default. Instead, a database wallet must be created and then loaded with the specific certificates that are to be trusted. Similar to the case with the JDK, the complete chain of certificates presented by the URL being called should be imported into the database wallet, and these are the very same certificates that can be obtained using the method described above under the heading "Retrieving the Public Facing SSL Certificates Using the Client Browser".
For EBS, the expected location for the database wallet is described by the profile option "Database Wallet Directory" (FND_DB_WALLET_DIR), which is enabled only at the site level. This singular location is typically the database tier's $ORACLE_HOME/appsutil/wallet directory.
For example, from sqlplus:
select fnd_profile.value('FND_DB_WALLET_DIR') from dual;
FND_PROFILE.VALUE('FND_DB_WALLET_DIR')
--------------------------------------
/space/r1211/db/tech_st/11.1.0/appsutil/wallet

Continuing with the example of the Verisign Trial Certificate, there are/were three certificates which were FTP'd to the db tier (database tier) server, which are needed in the common case where the database makes a URL call to the EBS web entry point:
TrialRoot.cer
TrialIntermediate.cer
server.cer
1. Log in to the database as the Oracle user and source the appropriate EBS environment. This is typically the only env file in the database ORACLE_HOME directory and sets the $ORACLE_HOME and the PATH to the database wallet manager (owm).
For example:
orav1211:dc12a:/space/r1211/db/tech_st/11.1.0> ls *.env
V1211_dc12a.env
orav1211:dc12a:/space/r1211/db/tech_st/11.1.0> . ./V1211_dc12a.env
> which owm
/space/r1211/db/tech_st/11.1.0/bin/owm
> which orapki
/space/r1211/db/tech_st/11.1.0/bin/orapki

2. Confirm the value for the profile option "Database Wallet Directory" as above. If the wallet directory does not exist, create it.
> mkdir $ORACLE_HOME/appsutil/wallet

3. If you do not already have a wallet, the fastest way to complete this task is via the orapki utility illustrated in great detail earlier.
Create your new wallet:
orapki wallet create \
-wallet $ORACLE_HOME/appsutil/wallet \
-auto_login \
-pwd welcome1

Import the certificates into the new wallet as trusted:
orapki wallet add \
-wallet $ORACLE_HOME/appsutil/wallet \
-trusted_cert \
-cert TrialRoot.cer \
-pwd welcome1
orapki wallet add \
-wallet $ORACLE_HOME/appsutil/wallet \
-trusted_cert \
-cert TrialIntermediate.cer \
-pwd welcome1
orapki wallet add \
-wallet $ORACLE_HOME/appsutil/wallet \
-trusted_cert \
-cert server.cer \
-pwd welcome1
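Added example, not from the Oracle note: a script that imports the whole chain from a directory into both client trust stores described above, the JDK cacerts keystore with keytool and the database wallet with orapki, and then checks each file's SHA1 fingerprint against the keytool -list output, so that a missing certificate is caught before an SSL call from Java fails silently. The directory, the password values and the presence of keytool, orapki and openssl on the PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle note): load every .cer file of the
# chain into the JDK cacerts keystore and the database wallet, then verify
# each SHA1 fingerprint is present in cacerts. Assumes keytool, orapki and
# openssl are on the PATH and that AF_JRE_TOP / ORACLE_HOME come from the
# EBS environment files. Passwords below are placeholders from the note.
CERT_DIR=${CERT_DIR:-/home/applmgr/mycerts}
KEYSTORE=${KEYSTORE:-$AF_JRE_TOP/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}     # JDK default, as the note explains
WALLET=${WALLET:-$ORACLE_HOME/appsutil/wallet}
WALLET_PWD=${WALLET_PWD:-welcome1}   # placeholder wallet password

# cert_sha1 FILE: SHA1 fingerprint of a PEM certificate in keytool's
# AA:BB:... form (openssl prints "SHA1 Fingerprint=AA:BB:...").
cert_sha1() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# has_fingerprint LISTING FP: true if the text of a "keytool -list -v"
# run contains FP on a SHA1 line (MD5 lines are deliberately ignored).
has_fingerprint() {
    printf '%s\n' "$1" | grep -i 'SHA1:' | grep -qiF "$2"
}

# Alias is arbitrary but must be unique per entry: use the file name.
import_jdk() {
    for cer in "$CERT_DIR"/*.cer; do
        keyalias=$(basename "$cer" .cer)
        keytool -import -noprompt -alias "$keyalias" -file "$cer" \
            -trustcacerts -keystore "$KEYSTORE" -storepass "$STOREPASS"
    done
}

import_wallet() {
    for cer in "$CERT_DIR"/*.cer; do
        orapki wallet add -wallet "$WALLET" -trusted_cert -cert "$cer" \
            -pwd "$WALLET_PWD"
    done
}

# Too few certificates is always a problem: fail on the first one missing.
verify_jdk() {
    listing=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS")
    for cer in "$CERT_DIR"/*.cer; do
        fp=$(cert_sha1 "$cer")
        has_fingerprint "$listing" "$fp" || { echo "MISSING $cer ($fp)"; return 1; }
        echo "ok      $cer ($fp)"
    done
}

# Only acts when invoked as: sh import_chain.sh run
if [ "${1:-}" = "run" ]; then
    import_jdk && import_wallet && verify_jdk
fi
```

Run it once per apps tier JDK and once on the database tier; the wallet itself can then be exercised with the utl_http.request queries that follow.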

There are two quick ways to now test the wallet, borrowed from Note:416619.1. The first is the very direct method with manually entered parameters based on the values for this instance:
The parameter list for utl_http.request is:
URL: Web Entry URL, typically the value for the profile option "Applications Framework Agent".
Additionally, I've added a resume template file as something interesting to retrieve.
Proxy: Proxy profile options - you may or may not have or need a forward proxy.
Wallet Path: "Database Wallet Directory" profile option value.
Wallet Password: This is the wallet password, such as the one chosen when the wallet was created.
For example:

select utl_http.request
(
'https://serverxxx.us.oracle.com:4443/OA_HTML/IRCRESUMEUK1.xsl',
null,
'file:/space/r1211/db/tech_st/11.1.0/appsutil/wallet',
'welcome1'
)
from dual;

Another example is to automatically retrieve the value for the profile options, including the proxies. The URL is taken directly as the site level value for "Applications Framework Agent"; the proxy is a computed value based on the values of the profile options "Applications Server-Side Proxy Host And Domain", "Applications Proxy Port", and "Applications Proxy Bypass Domains", which identify the forward proxy that is likely the same as the one defined in the client browser located on the same network. The wallet path is computed based upon the "Database Wallet Directory" described earlier. The wallet password is computed here using an internal procedure. Within EBS, the wallet password is set using the script $FND_TOP/patch/115/sql/txkSetWalletPass.sql. If you find that the hardcoded utl_http call works, but the version from EBS code does not, txkSetWalletPass.sql is likely the answer. The script is short and self-explanatory:
select UTL_HTTP.REQUEST
(url => fnd_profile.value('APPS_FRAMEWORK_AGENT') || '/OA_HTML/IRCRESUMEUK1.xsl',
proxy => hr_util_web.proxyForURL(fnd_profile.value('APPS_FRAMEWORK_AGENT')),
wallet_path => 'file:' || fnd_profile.value('FND_DB_WALLET_DIR'),
wallet_password => fnd_preference.eget('#INTERNAL','WF_WEBSERVICES','EWALLETPWD','WFWS_PWD')
)
from dual;

SUMMARY
This paper covered the implementation of SSL using a single EBS web tier, using the Verisign Trial Certificate as an example. This is version 1.0 of this paper. In upcoming releases, the author intends to cover topics such as expired certificate renewal/replacement and common SSL setup tests. Customer comments and suggestions are certainly welcome.
