Here we will look at the detailed steps for enabling TLS in Oracle Apps R12.2.
Introduction:
In the R12 application the data between the web browser and the web server travels unencrypted, so passwords and other information can be captured by a sniffer. We avoid this by implementing SSL in R12.
With SSL implemented, the data travels in encrypted form and only the web browser and the web server can decrypt it.
The implementation requires an SSL certificate and the matching configuration in the R12 environment.
What is SSL?
SSL and TLS are cryptographic protocols that ensure privacy between communicating applications and their users on the Internet.
The SSL implementation depends on the topology of the R12 deployment. The major topologies are highlighted here.
In the case of Oracle E-Business Suite the Oracle HTTP Server can act as a TLS termination point. An alternate TLS termination
point, such as a reverse proxy or load balancer, can be configured in front of the Oracle HTTP Server.
This is the simplest case. We need a digital certificate for the web server, and the steps are straightforward. The traffic between the web browser and the web server will be encrypted.
A load balancer serving two or more web servers makes things a little more complicated.
With end-to-end encryption, the entire traffic flow, i.e. from browser to load balancer and from load balancer to web server, is encrypted.
a) Pass-through configuration: the load balancer does not decrypt or encrypt the messages; it just passes the traffic through to the web server.
b) Decryption/encryption: the load balancer decrypts the traffic at the load balancer level, encrypts it again and sends it to the web server, which decrypts it once more.
2. SSL terminator (alternate TLS termination point): only the traffic between the web browser and the load balancer is encrypted. The load balancer acts as the SSL terminator, terminating SSL at the load balancer level and passing unencrypted traffic to the web server.
Important Points
Oracle Workflow – Apply patch 22806350:R12.OWF.C to address an Oracle Workflow Notification Mailer issue.
Oracle iProcurement – Apply the patch(es) mentioned in My Oracle Support Knowledge Document 1937220.1, Oracle
iProcurement, Exchange and OSN Fail After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake
SSLIOClosedOverrideGoodbyeKiss), which corresponds to the appropriate application versions.
Step 1
The steps detailed in this section must be executed on the (running) run file system so that, during the next online patching cycle, the TLS setup is propagated to the patch file system. There should not be an active patching cycle at this point. To check whether an online patching cycle is already active, use the following command:
UNIX:
$ adop -status
1. Log on to the Oracle E-Business Suite Release 12.2 application tier as the OS user who owns the installation files.
2. The file system with the Applications context file variable s_file_edition_type set to ‘run’ denotes the run file system. Source
your application tier environment file (<sid_machine>.env), located in the APPL_TOP directory on the run file system. Do not
source the APPS<sid_machine>.env file, otherwise the 10.1.2 environment variables will be picked up and Oracle Wallet
Manager 11g will fail to start. After sourcing the environment file, the $FILE_EDITION environment variable should be ‘run’.
3. Set the PATH environment variable to include the Fusion Middleware location, and set the DISPLAY variable for the owm GUI. For example:
export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
Step 2
Create a wallet
The s_web_ssl_directory location is still used by some Oracle E-Business Suite Release 12.2 components (for example, XML
Gateway Transportation Agent OXTA) and during the Oracle Fusion Middleware cloning process.
$ owm &
Select Wallet > New.
Answer No to: "Your default wallet directory doesn't exist. Do you wish to create it now?"
The New Wallet screen will now prompt you to enter a password for your wallet.
After you click Yes, the Create Certificate Request screen will pop up:
Fill in the appropriate values, where:
State/Province: enter the full name; do not abbreviate.
Select your Country from the drop-down list, and for the Key Size select 2048 as a minimum. Click OK.
Click on Certificate [Requested].
You will need to export the Certificate Request before you can submit it to a Certifying Authority.
Be sure to make this password something you will remember. You will need it whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the command line interface. With auto login enabled, processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet.
The wallet directory should now contain the following files:
cwallet.sso
ewallet.p12
server.csr
You may now submit server.csr to your Certifying Authority to request a server certificate.
Save the wallet via Wallet > Save, providing the wallet directory path.
Industry standards for encryption algorithms are constantly under review. Certificates issued with a SHA-1 based signature hash
algorithm as an industry standard are being phased out. Many certificate authorities are recommending or mandating SHA-2 as the
minimum signature algorithm for issuing certificates. The time frame for moving to SHA-2 varies depending upon the certificate
authority that is used. The requirement for SHA-2 also impacts intermediate certificates which must also be SHA-2 in order to chain
back to the end-entity SHA-2 certificate issued. Root certificates are not impacted.
Reference the following My Oracle Support Knowledge Documents for more information:
Document 1448161.1, How To Produce CSR With A SHA-1 Or Better Signature Algorithm
Document 1275428.1, Support Status for SHA-2 in Oracle Application Server (10.1.2.X.X/10.1.3.X.X) and Fusion Middleware 11g
(11.1.1.X)
Document 1939223.1, Is it Possible to Generate SHA-2 Certificate Signing Requests with Oracle Wallet Manager or ORAPKI in
FMW11g
Depending on your certificate provider, MD5 based certificate requests (CSR) generated by Oracle Wallet Manager (OWM) may
not be accepted.
For example, Symantec will now only accept SHA-1 2048-bit based CSRs or higher. Due to a current limitation in both OWM and
orapki, they are incapable of generating anything other than MD5 based CSRs. OWM can accept SHA-2 or above trusted
certificates and server certificates, it just cannot generate them.
In these cases, the workaround is to make use of OpenSSL to generate the CSR. An example of this process is provided below.
1. Use OpenSSL to take the existing wallet and save it as a new PEM format file:
At this point, OpenSSL will prompt you for the request attributes. Be sure to enter the same data you entered when creating the CSR in OWM. Do not specify a 'challenge password', as most certifying authorities have deemed this insecure.
2. The CSR should now be submitted to your certificate authority to request a server certificate.
3. Upon receiving your newly issued certificate, import it into your wallet using OWM, continuing with the next step below.
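Before submitting the request, whether it came from OWM or from the OpenSSL workaround above, it is worth confirming which signature hash it actually carries. The following is an added example, not code from the original page or from Oracle's tools: it reads the PKCS#10 signatureAlgorithm field with a minimal DER walker (standard library only) and uses constructed, unsigned CSR skeletons as sample input.

```python
# Added example (not from the page or Oracle's tooling): read the signatureAlgorithm of a
# PKCS#10 CSR (RFC 2986) with a minimal DER walker, standard library only, so a server.csr
# produced by OWM or OpenSSL can be checked for an MD5 signature before it goes to the CA.
import base64
import re

# PKCS#1 v1.5 signature algorithm OIDs (RFC 8017, appendix C).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# DER-encoded algorithm OIDs, used to build the constructed sample CSRs below.
OID_MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def csr_signature_algorithm(pem):
    """Return the signature algorithm name (dotted OID if unknown) of a PEM CSR."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, start, _ = _read_tlv(der, 0)                 # CertificationRequest ::= SEQUENCE
    _, _, info_end = _read_tlv(der, start)            # skip certificationRequestInfo
    alg_tag, alg_start, _ = _read_tlv(der, info_end)  # signatureAlgorithm ::= SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER CertificationRequest with an algorithm OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_OIDS.get(oid, oid)


def csr_is_sha2(pem):
    """True when the CSR is signed with SHA-2, which is what CAs now require."""
    return csr_signature_algorithm(pem).startswith(("sha256", "sha384", "sha512"))


def sample_csr(alg_oid_der):
    """Constructed test data: a structurally valid but unsigned CSR skeleton, not a real CSR."""
    alg = b"\x30" + bytes([len(alg_oid_der) + 2]) + alg_oid_der + b"\x05\x00"  # AlgorithmIdentifier
    body = b"\x30\x00" + alg + b"\x03\x01\x00"  # empty requestInfo, algorithm, empty BIT STRING
    der = b"\x30" + bytes([len(body)]) + body
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE REQUEST-----\n")
```

Run csr_is_sha2 on the contents of your real server.csr; a result of md5WithRSAEncryption means the request will be rejected by the CAs described above.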
Step 5
After you receive your Server Certificate from your Certifying Authority you will need to import it into your wallet. Copy the certificate
to server.crt in the wallet directory on your server by one of the following methods:
$ owm &
Click OK.
Note: If the trusted certificates that make up the chain of server.crt are not all present in the wallet, adding the certificate will fail. When the wallet was created, the certificates for the most common CAs (such as VeriSign, GTE, and Entrust) were included automatically. Contact your certifying authority if you need to add their certificate, and save the provided file as ca.crt in the wallet directory in Base64 format. Another option is to follow the instructions given below to create ca.crt from your server certificate (server.crt). If your Certifying Authority provided an intermediate certificate (to complete the chain), save the provided file as intca.crt in Base64 format; it must be imported into Oracle Wallet Manager before importing server.crt. Certificates that comprise several parts (such as the P7B type) also fall into this category.
To create ca.crt
1. Copy server.crt to your PC (if necessary) using one of the following methods:
ftp (in binary mode) ca.crt to your application tier wallet directory
copy the contents of ca.crt and paste into a new file in your application tier wallet directory using a text editor. Save the file as ca.crt
owm &
Alternatively, use the orapki command line interface from the wallet directory:
orapki wallet add \
-wallet . \
-trusted_cert \
-cert ca.cer \
-pwd <pwd>
orapki wallet add \
-wallet . \
-trusted_cert \
-cert intca.cer \
-pwd <pwd>
orapki wallet add \
-wallet . \
-user_cert \
-cert tech.cer \
-pwd <pwd>
If you need to import the CA certificate, you will also need to add the contents of the ca.crt file to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:
If you were also provided an Intermediate Certificate (intca.crt) then you will also need to add that to the b64InternetCertificate.txt:
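Because this trust file is re-used across TLS rollouts and is later synchronised to the patch file system, appending blindly leaves duplicate entries. The following is an added example, not the page's own commands, that appends ca.crt and intca.crt only when their SHA-256 fingerprint is not already present; the PEM payloads it embeds are constructed placeholders, not real certificates.

```python
# Added example (not from the page or Oracle's tooling): append ca.crt / intca.crt to
# b64InternetCertificate.txt only when that certificate is not already in the file, comparing
# SHA-256 fingerprints of the DER bytes, and reject blocks that are not valid Base64 PEM.
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """Map SHA-256 fingerprint -> normalised PEM block for every certificate in text."""
    result = {}
    for m in PEM_BLOCK.finditer(text):
        b64 = "".join(m.group(1).split())
        try:
            der = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        except ValueError:
            raise ValueError("certificate block is not Base64; re-save it in Base64/PEM form")
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        result[hashlib.sha256(der).hexdigest()] = (
            "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n")
    return result


def merge_trust_file(existing, *new_certs):
    """Return (updated_text, added_fingerprints); each new certificate is appended at most once."""
    have = pem_fingerprints(existing)
    out = existing if not existing or existing.endswith("\n") else existing + "\n"
    added = []
    for cert in new_certs:
        for fp, block in pem_fingerprints(cert).items():
            if fp not in have:
                out += block
                have[fp] = block
                added.append(fp)
    return out, added


# Constructed sample data: placeholder Base64 payloads, not real certificates.
EXISTING_TRUST = "-----BEGIN CERTIFICATE-----\nMIIBEXISTINGTRUSTANCHORS\n-----END CERTIFICATE-----\n"
CONSTRUCTED_CA = "-----BEGIN CERTIFICATE-----\nMIIBCONSTRUCTEDSAMPLEAAA\n-----END CERTIFICATE-----\n"
```

In use, read b64InternetCertificate.txt into existing, pass the contents of ca.crt and intca.crt as new_certs, and write the returned text back only when the added list is non-empty.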
The <s_web_ssl_directory>/Apache is still used by some Oracle E-Business Suite Release 12.2 components, but is not used by
the Oracle HTTP Server.
Step 7 – Modify the OPMN wallet and configure the cipher suites.
The default location for the OPMN wallet is in the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory.
This location can be found as follows:
You must perform this configuration to enforce strong cipher suites on the OPMN remote port.
<ssl enabled="true"
wallet-file="<path to the wallet file>"/>
to
<ssl enabled="true"
wallet-file="<Path to the Wallet file>" ssl-versions="TLSv1.0"
ssl-ciphers="<Pick two ciphers from the list of valid ciphers below, separated by a comma>"/>
The following list specifies the valid cipher suites that can be used:
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
For example:
<ssl enabled="true"
wallet-file="/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0"
ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA
SSLProtocol nzos_Version_1_0 nzos_Version_3_0
to
SSLCipherSuite <pick a valid cipher from the list above>:<pick another valid cipher from the list above>
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
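As an added check, not from the original page or Oracle's tooling, the following audits an opmn.xml <ssl> element and the ssl.conf SSLProtocol/SSLCipherSuite directives against the values prescribed above, flagging the RC4 and nzos_Version_3_0 'before' settings and any cipher outside the three listed; the sample snippets are constructed from the values shown in the text.

```python
# Added example (not from the page or Oracle's tooling): audit the OPMN <ssl> element and
# the ssl.conf SSLProtocol/SSLCipherSuite directives against the values this step prescribes,
# flagging the 'before' settings shown above (RC4, nzos_Version_3_0) and unlisted ciphers.
import xml.etree.ElementTree as ET

# Cipher suites the procedure lists as valid for OPMN and the Oracle HTTP Server.
ALLOWED_CIPHERS = {
    "SSL_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}
WEAK_PROTOCOLS = {"nzos_Version_3_0"}      # SSLv3 token in the OHS SSLProtocol directive
REQUIRED_PROTOCOL = "nzos_Version_1_2"     # the 'after' SSLProtocol line must include TLS 1.2


def audit_opmn_ssl(opmn_xml):
    """Return findings for every <ssl> element in an opmn.xml document or fragment."""
    findings = []
    root = ET.fromstring(opmn_xml)
    # opmn.xml uses a default namespace, so match on the local tag name only.
    for ssl in (el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "ssl"):
        if ssl.get("enabled", "false").lower() != "true":
            findings.append("ssl element is not enabled")
        if not ssl.get("wallet-file"):
            findings.append("ssl element has no wallet-file")
        versions = ssl.get("ssl-versions")
        if versions is None:
            findings.append("ssl-versions not pinned")
        elif "SSLv3" in versions:
            findings.append("ssl-versions permits SSLv3")
        ciphers = [c.strip() for c in ssl.get("ssl-ciphers", "").split(",") if c.strip()]
        if not ciphers:
            findings.append("ssl-ciphers not restricted")
        findings += [f"cipher {c} is not in the allowed list" for c in ciphers if c not in ALLOWED_CIPHERS]
    return findings


def audit_ssl_conf(ssl_conf):
    """Return findings for the SSLProtocol and SSLCipherSuite directives of an ssl.conf."""
    findings = []
    for raw in ssl_conf.splitlines():
        line = raw.strip()
        if line.startswith("SSLProtocol"):
            protos = line.split()[1:]
            findings += [f"SSLProtocol enables {p} (SSLv3)" for p in protos if p in WEAK_PROTOCOLS]
            if REQUIRED_PROTOCOL not in protos:
                findings.append(f"SSLProtocol does not include {REQUIRED_PROTOCOL}")
        elif line.startswith("SSLCipherSuite"):
            parts = line.split(None, 1)
            ciphers = parts[1].split(":") if len(parts) > 1 else []
            findings += [f"SSLCipherSuite {c} is not in the allowed list" for c in ciphers if c not in ALLOWED_CIPHERS]
    return findings


# Constructed samples mirroring the 'before' and 'after' values shown in the text.
OPMN_BEFORE = '<ssl enabled="true" wallet-file="/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet"/>'
OPMN_AFTER = ('<ssl enabled="true" wallet-file="/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet" '
              'ssl-versions="TLSv1.0" '
              'ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>')
SSLCONF_BEFORE = "SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA\nSSLProtocol nzos_Version_1_0 nzos_Version_3_0\n"
SSLCONF_AFTER = ("SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA:SSL_RSA_WITH_AES_128_CBC_SHA\n"
                 "SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2\n")
```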
Fusion Middleware Control Console utilizes the functionality of OPMN to manage your Oracle Fusion Middleware Enterprise.
Move the existing wallet files to a backup directory in case you wish to use them again in the future.
$EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
$EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet
Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to all three locations mentioned
above.
Note: In the case of a shared file system and multinode configuration, updates to the first two directories are done on the primary
node, and updates to the third directory are done on the respective applications tier node where OHS is being configured for TLS.
The reason being is that the first two directories will only exist on the primary node, and the third directory will only exist on each
applications tier node where OHS is enabled.
Step 9
Use Oracle Fusion Middleware Control to make some additional configuration file changes:
1. Log in to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
2. Select Web Tier Target under EBS Domain.
3. Select Administration > Advanced Configuration.
4. Select ssl.conf file for edit.
5. Update the Listen <port> and the VirtualHost _default_:<port> directives to the SSL port, for example Listen 4443.
6. Update the SSLProtocol and SSLCipherSuite entry to match the following:
7. Click Apply.
The following command should be run (on all application tier nodes) to propagate the changes made through the Oracle Fusion
Middleware Control Console to the context file variables:
Review the adSyncContext.log for the changes that have been picked up and made to the context file.
Use the Oracle E-Business Suite 12.2 OAM Context Editor to change the TLS related variables shown in this table:
s_login_page: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol and s_webssl_port.
s_external_url: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol and s_webssl_port.
The value of s_webport is based on the default port prior to any TLS configuration and remains unchanged when switching to TLS.
Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.
Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.
The following steps must be performed in order to synchronize the TLS setup between the two file systems:
1. Edit $APPL_TOP_NE/ad/custom/adop_sync.drv.
2. Assuming the rsync command is available on UNIX, the following directives must be copied and pasted between the <Begin Customization> and <End Customization> markers, after the existing <#Copy Ends>:
Example commands:
#TLS SECTION – START
# Required for TLS setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.
#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt
#Oracle HTTP Server Wallet – cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet – cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
#Fusion Middleware Control Wallets – cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso
In this case there is no need for certificate creation and installation on the web server; we just need to set the context file parameters given below.
Use Oracle Fusion Middleware Control to make some additional configuration file changes:
1. Log in to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
2. Select Web Tier Target under EBS Domain.
3. Select Administration > Advanced Configuration.
4. Select ssl.conf file for edit.
5. Update the ServerName directive to the TLS termination point setup <hostname>.<domain>.
6. Click Apply.
7. Select httpd.conf file for edit.
8. Update the ServerName directives to the TLS termination point setup <hostname>.<domain>.
9. Click Apply.
Use the Oracle E-Business Suite 12.2 Oracle Applications Manager (OAM) Context Editor to change the TLS related variables shown in this table:
s_login_page: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol, s_webentryhost, s_webentrydomain and s_active_webport.
s_external_url: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol, s_webentryhost, s_webentrydomain and s_active_webport.
The value of s_webport is based on the default port prior to any TLS configuration, and remains unchanged when switching to TLS.
Run Autoconfig
Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.
Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.
Steps for end-to-end encryption with pass-through configuration on the load balancer
1) All the steps given for the single web server need to be executed.
3) We can execute the certificate steps on one node and then copy the resulting files to the other nodes.
s_external_url: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol and s_webssl_port.
Run Autoconfig
Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.
Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.
1) All the steps given for single web server need to be executed.
2) The certificate needs to be created at the load balancer level and at the web node level as well. It needs to be created with the load balancer name on both sides.
3) We can execute the certificate steps on one web node and then copy the resulting files to the other nodes.
4) The load balancer should have the client SSL certificate for the web node certificate.
Context value changes
s_login_page: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol and s_webssl_port.
s_external_url: change from the URL constructed with http protocol and s_webport to the URL constructed with https protocol and s_webssl_port.
Both the ssl.conf and httpd.conf will have the ServerName pointing to the local host, rather than the web entry host of the TLS
termination point.
In the case of a TLS termination point used, the configuration will generally consist of two profiles: a client SSL profile and a server
SSL profile. Each profile will reference the corresponding certificate information of the other. Essentially, the TLS offloader needs to
be aware of the TLS certificate information on the EBS side and EBS in turn needs to be aware of the TLS certificate information of
the TLS termination point. Consult the documentation relevant to your TLS termination point for information on the proper
configuration.
SSL Client:
Parent Profile = clientssl
Certificate & Key = Subject Alternative Name (SAN) based certificate installed on BIG-IP
Chain = Intermediate chain certificate specified
SSL Server:
Parent Profile = serverssl
Certificate & Key = Basic certificate issued to the EBS instance
Chain = Intermediate chain certificate specified
We advise that both sides of the TLS configuration be tested independently. For example, test to make sure your EBS instance
works with the TLS termination point first, revert the change, and then test that TLS configured only for EBS works. Once it is
confirmed that both configurations work for TLS, you can commit to the end-to-end TLS configuration by re-introducing the TLS
termination point.
client https request > TLS Off-loader (https:443) > EBS TLS (https:4443)
There are two distinct TLS certificate chains in play, therefore the TLS handshake and negotiation must complete in order for the
communication to be successful. Any break in this flow will result in TLS protocol errors. In this example, the TLS termination point
is operating on the general default port of 443, while EBS is configured to operate on port 4443.
Run Autoconfig
Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.
Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.
Append the following JVM parameter to all managed servers and the WebLogic administration server:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
1. Click on Save.
2. Repeat steps 3 and 4 for all remaining managed servers.
3. Click on Activate Changes.
If you need to import the CA Certificate, you will also need to add the contents of the ca.crt file to the b64InternetCertificate.txt file
located in the 10.1.2 ORACLE_HOME/sysman/config directory:
If you were also provided an intermediate certificate (intca.crt), you will also need to add that to the cacerts before adding the server.crt:
When you have completed the modifications to the cacerts, reset the permissions:
Note: This is a mandatory requirement for Oracle iStore storefront pages when the web tier is TLS enabled.
To enable the HTTPS client request from the database using UTL_HTTP, you need to establish a truststore in wallet format. You
do not need a server certificate for this wallet. You only need to import the root CA certificate for the root CAs that are the trust
anchor for the sites you need UTL_HTTP to connect to.
1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
2. Create a new wallet directory named wallet.
3. Navigate to the newly created wallet directory.
4. Open the Oracle Wallet Manager as a background process.
owm &
To test that the wallet is properly set up and accessible, log in to SQLPLUS as the apps user and execute the following:
SQL> select utl_http.request('[address to access]', '[proxy address]', 'file:[full path to wallet directory]', null) from dual;
where:
'[address to access]' = the URL for your Oracle E-Business Suite Rapid Install Portal.
'[proxy address]' = the URL of your proxy server, or NULL if not using a proxy server.
'file:[full path to wallet directory]' = the location of your wallet directory (do not specify the actual wallet files).