Configuring SSL in 12.1.1 (Step by Step) OpenSSL
Secure Sockets Layer (SSL)
SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).
SSL uses 2 types of Certificates:
1. User certificates
These are Certificates issued to servers or users to prove their identity in a public key/private key exchange.
2. Trusted certificates
These are Certificates representing entities whom you trust - such as certificate authorities who sign the user certificates they issue.
How SSL works with Middle Tier Oracle HTTP Server:
1. The client opens an HTTPS connection to the server and sends its request.
2. The server presents its certificate to the client. This certificate contains the server's identifying information and its public key.
3. The client validates the certificate: the CA signature on it must chain to a certificate in the client's list of trust points, the certificate must be within its validity period, and its subject (CN or subject alternative name) must match the host name the client connected to. Only when all of this holds is the server authenticated as a trusted server.
4. The client sends the server the list of cipher suites (encryption levels) it supports.
5. The server picks, from that list, the strongest cipher suite the two have in common.
6. The client generates a random session (pre-master) secret, encrypts it with the server's public key taken from the certificate and sends it to the server, which decrypts it with its private key. Both sides derive the symmetric session keys from this secret and encrypt the rest of the exchange with them. This is the RSA key exchange used by the cipher suites seen later in this guide; only the holder of the private key can complete it, which is why that key must stay secret.
How SSL works with Oracle Database Server:
1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
2. When the package fetches data from a Web site using HTTPS, it specifies the location of the Oracle Wallet that resides on the database server. This wallet contains the certificate of the Certifying Authority (CA) that signed the Web node's server certificate; the database trusts the Web node only because it trusts that CA.
Certificate Authority (CA)
A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority's private key to ensure authenticity. The Certificate Authority's Public Key is widely distributed.
Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.
Digital Certificate (Public Key)
A digital certificate is an electronic document that binds an identity to a public key (whose private half the owner keeps secret) so that the key pair can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, called a Certification Authority (CA). The document is usually in the standard X.509 format and contains three elements:
1. Entity attributes (information about your organization)
2. Public key (which is bound to your organization)
3. Digital signature made with the trusted CA's private key
Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate which will be valid for 2 weeks for testing purposes.
Private (Server) Key
The private key file is a digital file that you generate and keep secret; it decrypts what was encrypted with the matching public key and signs on your behalf. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key, so the resulting digital certificate (containing your public key) issued by your CA is bound to it. Anyone who obtains the private key can impersonate your server, so the wallet that stores it must be protected accordingly.
Secure Server Certificates
Secure Server Certificates are 128 bit certificates which provide 128 bit SSL encryption. If a browser has 128 bit support, encryption is negotiated at 128 bits; if the browser only supports 40 bit encryption, the session is negotiated down to 40 bits regardless of the 128 bit certificate. (Strictly, the key length is a property of the negotiated cipher suite, not of the certificate, which only authenticates the server. The 40 bit case is historical: current browsers do not offer export ciphers at all.)
Global Server Certificates
Global Server Certificates, also referred to as Server Gated Cryptography (SGC), are 128 bit certificates that enable all browsers to use 128 bit encryption, even if the browser itself only supports 40 bit encryption. A global server certificate usually has 2 parts: the certificate itself and an extra intermediate certificate which provides the step-up. The marketing names vary with the issuer; Thawte, for example, calls them 128 bit SuperCerts. Trial versions of global server certificates are not available, so they cannot be tested without purchasing one. (SGC step-up is obsolete: every browser in use today supports strong ciphers natively, and the export ciphers it was designed around have been removed from them.)
Secure Socket Layer Accelerators
Secure Socket Layer (SSL) accelerators terminate SSL in front of the web servers, taking the handshake and encryption workload off them. They are usually the first hop for HTTPS requests from the user's desktop: they decrypt the "https" request, forward it as a plain "http" request to a web server running in non-SSL mode, and encrypt the response again before sending it back to the desktop. Note that the leg between the accelerator and the web server then carries cleartext, so it must run on a network segment you trust.
Step – By – Step (SSL Configuration on 12.1.1) (with Demo Certificate)
Server: prod.chainsys.com
IP: 192.168.2.206
Step1:
Default Location of certificates in R12 is $INST_TOP/certs/Apache
Setup the environment (using the env file in $INST_TOP/ora/10.1.3)
Create a wallet
Navigate to $INST_TOP/certs/
Backup Apache Directory as Apache_ori
Run owm & (the trailing & runs the process in the background)
On the Oracle Wallet Manager Menu navigate to Wallet -> New.
Answer NO to: “Your default wallet directory doesn't exist. Do you wish to create it now?”
The new wallet screen will now prompt you to enter a password for your wallet.
The password must be at least 8 characters long and contain both letters and numbers. (I selected welcome123)
This password protects the private key stored in ewallet.p12, so on a production system choose a strong one and keep it out of scripts and notes.
Click YES when prompted: “A new empty wallet has been created. Do you wish to create a certificate request at this time?”
Click YES
a. Highlight Certificate: [Requested] in the left pane.
The right pane shows the certificate request in PEM form, between its BEGIN and END lines.
b. Click Operations -> Export Certificate Request.
c. Save it as anyname.csr (I saved it as chainsys.csr): select the directory to save the CSR file in and press OK.
Open the Wallet menu again and tick Auto Login. (Auto Login writes cwallet.sso, an obfuscated copy of the wallet that OHS can open without the password; it is not encrypted, so restrict its file permissions to the application tier owner.)
Exit. This will ask whether to save the wallet you created; press Yes.
Now submit anyname.csr to the certification authority (CA). For this demo we act as our own CA with the OpenSSL helper scripts.
Download and unpack the OpenSSL CA helper scripts, ssl.ca-0.1.tar.gz:
1. Download ssl.ca-0.1.tar.gz
2. gunzip ssl.ca-0.1.tar.gz
this will create ssl.ca-0.1.tar
3. tar -xvf ssl.ca-0.1.tar
this will create a directory ssl.ca-0.1
[oracle@prod certs]$ cd /oracle/PRODN/
[oracle@prod PRODN]$ ls
apps db inst ssl.ca-0.1 ssl.ca-0.1.tar
[oracle@prod PRODN]$
Move the certificate request (anyname.csr) to the directory containing the OpenSSL certificate authority scripts.
Create a self-signed root certificate by running the new-root-ca.sh script. This will create a file called ca.crt (and the CA's private key, which must be protected like the server's own).
Create the server certificate, signed by that root, by running the sign-server-cert.sh script, e.g. $ sign-server-cert.sh (certificate request filename). This will create a file called (certificate request filename).crt.
Copy the ewallet.p12 and cwallet.sso files from the directory where the wallet was saved to the $INST_TOP/certs/Apache directory.
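The following is an added example, not part of the original post and not the ssl.ca-0.1 scripts themselves: a plain-OpenSSL equivalent of new-root-ca.sh and sign-server-cert.sh, followed by the checks worth running on the result before it goes into a wallet or cacerts. The host name and working directory are assumptions. In the R12 flow the server key and CSR come from Oracle Wallet Manager (chainsys.csr), so you would copy that file to $WORK/server.csr and skip make_server_csr; it is generated here only so the script runs offline.

```sh
# Added example: plain-OpenSSL stand-in for new-root-ca.sh / sign-server-cert.sh.
# Assumed: host prod.chainsys.com, scratch directory $WORK, openssl on PATH.

# make_root_ca DIR : self-signed root (ca.key + ca.crt), CA:TRUE, SHA-256.
make_root_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C  = IN
O  = chainsys
CN = chainsys test root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# make_server_csr DIR HOST : server key + CSR (what OWM does inside ewallet.p12).
make_server_csr() {
  dir="$1"; host="$2"
  cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C  = IN
ST = TamilNadu
L  = Chennai
O  = chainsys
CN = $host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
}

# sign_server_csr DIR HOST : sign server.csr with the root (sign-server-cert.sh),
# adding leaf extensions: not a CA, server auth only, SAN = HOST, SHA-256 not MD5.
sign_server_csr() {
  dir="$1"; host="$2"
  cat > "$dir/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# check_server_cert DIR HOST : pre-import checks. Prints "ok" and returns 0 only
# if the chain verifies against ca.crt, the SAN matches HOST and the signature
# is not MD5 (the demo certificate shown on this page would fail that last check).
check_server_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
    || { echo "chain: server.crt does not verify against ca.crt"; return 1; }
  text=$(openssl x509 -in "$dir/server.crt" -noout -text)
  if ! printf '%s\n' "$text" | grep -qw "DNS:$host"; then
    echo "name: no subjectAltName for $host"; return 1
  fi
  if printf '%s\n' "$text" | grep -q 'md5WithRSAEncryption'; then
    echo "signature: md5WithRSAEncryption is obsolete"; return 1
  fi
  echo "ok"
}

# Demo run (assumed host and scratch directory).
WORK=${WORK:-$(mktemp -d)}
make_root_ca "$WORK"
make_server_csr "$WORK" prod.chainsys.com
sign_server_csr "$WORK" prod.chainsys.com
check_server_cert "$WORK" prod.chainsys.com
echo "files in $WORK: ca.crt (import as trusted), server.crt (import as user certificate)"
```

ca.crt is what you import as the trusted certificate and server.crt as the user certificate; ca.key never leaves the machine that acts as the CA.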
Import the certificates generated by the scripts into the Oracle wallet through owm. To do so, follow these steps.
Run owm &
Click Open, select the directory where you stored the wallet (specify the location only) and enter the password you gave when creating the request.
Click Operations:
Select Import Trusted Certificate first and browse to the ca.crt file created inside the ssl.ca-0.1 directory.
Then select Import User Certificate and browse to the anyname.crt file created by sign-server-cert.sh. The order matters: the user certificate is accepted only if its issuer is already trusted and the wallet holds the matching request.
A certificate produced by sign-server-cert.sh looks like the following: the text dump comes first and the PEM block last. Note, in the demo certificate below, the md5WithRSAEncryption signature and the 1024 bit RSA key (both below today's minimums of SHA-256 and 2048 bits), and that the subject CN, Chainsys, does not match the host name prod.chainsys.com, so browsers will warn even after trusting ca.crt. This is acceptable only on a test system.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IN, ST=TamilNadu, L=Chennai, O=chainsys, OU=chainsys, CN=chainsys/emailAddress=balaji.rs@chain-sys.com
Validity
Not Before: Aug 18 08:22:53 2009 GMT
Not After : Aug 18 08:22:53 2010 GMT
Subject: C=IN, ST=TamilNadu, L=Chennai, O=chainsys, OU=chainsys, CN=Chainsys
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:aa:4d:cd:1b:4a:38:e8:d6:5b:50:12:d3:3f:
2c:82:97:55:c6:72:6b:70:bd:46:1b:f1:ca:4f:a9:
db:88:c0:86:22:38:9d:0e:ed:e5:75:1d:0a:aa:92:
63:13:85:1f:2b:41:41:8e:b6:3b:cd:0c:6d:d3:e2:
60:68:93:fc:19:ee:d1:9f:71:83:4d:94:07:a9:04:
b1:59:78:b3:db:b0:d3:31:eb:8c:ed:93:65:10:16:
a0:e9:8a:6e:9f:1b:10:41:82:1d:1a:22:6b:fe:0d:
ef:77:2d:77:84:b7:dc:ea:91:0c:82:3f:1d:3c:c8:
28:60:d9:67:cb:42:47:77:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:01:D0:98:47:0B:1C:34:2B:22:1B:86:43:E3:7A:FA:51:E9:E4:29:86
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
5a:bb:ca:94:c1:dd:4c:81:df:6d:1c:e2:38:25:bd:41:eb:3f:
3c:51:b4:c5:51:35:4c:29:d9:e5:94:27:72:2d:6d:cb:73:46:
75:96:91:ae:5b:18:45:1e:41:ee:c1:ae:b8:2c:be:fc:64:bf:
6d:d2:a4:87:81:3a:6a:84:8f:36:e3:4b:50:74:9b:6e:c5:20:
c5:e7:9b:e9:80:71:3a:3a:97:d0:76:3a:0d:98:a8:42:b8:35:
df:82:03:26:90:15:ae:44:a7:b5:a4:95:d6:b8:b0:0d:c1:3d:
66:3d:15:8f:b0:cd:4d:ea:f9:6c:98:94:ee:5f:1e:cb:53:61:
b1:1e
-----BEGIN CERTIFICATE-----
MIIC3jCCAkegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBl
DELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCVRhbWlsTmF
kdTEQMA4GA1UEBxMHQ2hlbm5haTERMA8GA1UEChMIY
2hhaW5zeXMxETAPBgNVBAsTCGNoYWluc3lzMREwDwYD
VQQDEwhjaGFpbnN5czEmMCQGCSqGSIb3DQEJARYXYm
FsYWppLnJzQGNoYWluLXN5cy5jb20wHhcNMDkwODE4M
DgyMjUzWhcNMTAwODE4MDgyMjUzWjBsMQswCQYDVQ
QGEwJJTjESMBAGA1UECBMJVGFtaWxOYWR1MRAwDgY
DVQQHEwdDaGVubmFpMREwDwYDVQQKEwhjaGFpbnN5
czERMA8GA1UECxMIY2hhaW5zeXMxETAPBgNVBAMTCE
NoYWluc3lzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ
KBgQDWqk3NG0o46NZbUBLTPyyCl1XGcmtwvUYb8cpPqd
uIwIYiOJ0O7eV1HQqqkmMThR8rQUGOtjvNDG3T4mBok/
wZ7tGfcYNNlAepBLFZeLPbsNMx64ztk2UQFqDpim6fGxBB
gh0aImv+De93LXeEt9zqkQyCPx08yChg2WfLQkd30QIDAQ
ABo2cwZTAfBgNVHSMEGDAWgBQB0JhHCxw0KyIbhkPjev
pR6eQphjA0BgNVHSUELTArBggrBgEFBQcDAQYIKwYBBQ
UHAwIGCisGAQQBgjcKAwMGCWCGSAGG+EIEATAMBgNV
HRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAFq7ypT
B3UyB320c4jglvUHrPzxRtMVRNUwp2eWUJ3ItbctzRnWWk
a5bGEUeQe7Brrgsvvxkv23SpIeBOmqEjzbjS1B0m27FIMXn
m+mAcTo6l9B2Og2YqEK4Nd+CAyaQFa5Ep7Wklda4sA3BP
WY9FY+wzU3q+WyYlO5fHstTYbEe
-----END CERTIFICATE-----
ERROR:
While importing user certificate you may encounter
User Certification Installation Failed
Possible Errors:
- Input was not a valid certificate
- No matching certificate request was found
- CA certificate needed for certificate chain not found. Please install it first.
Import the trusted CA certificate (ca.crt) before the user certificate; the user certificate import succeeds only when the wallet holds the matching pending request and already trusts the issuing CA, and only when the file is a real certificate rather than, say, the .csr. With those in place the certificate is registered as soon as it is uploaded.
After importing the certificates into the wallet, be sure to tick Auto Login in the Wallet menu.
Exit the wallet manager (saving the wallet in the desired location).
Modify OPMN Wallet:
Navigate to $INST_TOP/certs/opmn
Create a Backup directory and move the existing ewallet.p12 and cwallet.sso files from the opmn directory into it.
Copy the ewallet.p12 and cwallet.sso files from the $INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.
Update the JDK Cacerts file
Navigate to the $OA_JRE_TOP/lib/security directory
Backup the existing cacerts file.
Copy your ca.crt and server.crt files to this directory
Issue the following command to ensure that cacerts is writable:
chmod u+w cacerts
Add your Apache ca.crt and anyname.crt to cacerts:
For this use the following syntax.
keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts
When prompted, enter the keystore password 'changeit' (the JDK default; it only guards the integrity of cacerts, but change it if you are hardening the tier).
keytool -import -alias ApacheServer -file anyname.crt -trustcacerts -v -keystore cacerts
When prompted, enter the password 'changeit'.
If you want to delete an existing certificate from the keystore, use
keytool -delete -alias ApacheServer -keystore cacerts
If you want to delete a trusted certificate from the keystore, use
keytool -delete -alias ApacheRootCA -keystore cacerts
Issues during keytool import:
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:1913)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:818)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Then back up the certificate (*.crt) that errors out, edit it and remove all the lines above
-----BEGIN CERTIFICATE-----
then save and re-run the keytool command to register the certificate.
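The following is an added example, not from the original post: it normalises a certificate file to a bare PEM block before handing it to keytool, and proves by fingerprint that the content is the same certificate. The demo certificate it generates is constructed here (self-signed, assumed subject) only so the script runs offline; in the real flow the input is the anyname.crt written by sign-server-cert.sh, whose openssl text dump above -----BEGIN CERTIFICATE----- is exactly what keytool rejects.

```sh
# Added example: clean a dumped .crt for keytool and verify it is unchanged.
# Assumed: openssl on PATH, scratch directory $WORK; the demo cert is constructed.

# to_clean_pem IN OUT : rewrite IN as PEM containing only the certificate.
# openssl's PEM reader skips the leading text dump; DER input is handled too.
to_clean_pem() {
  openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null
}

# cert_fingerprint FILE : SHA-256 fingerprint, used to prove nothing changed.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# first_line FILE : keytool of that era wants the BEGIN line to come first.
first_line() { head -n 1 "$1"; }

# import_into_cacerts ALIAS FILE KEYSTORE : the page's keytool step, to be run
# only on a cleaned file. Not executed in the demo below (needs a JDK).
import_into_cacerts() {
  keytool -import -alias "$1" -file "$2" -trustcacerts -v -keystore "$3"
}

# --- demo: build a dumped .crt like sign-server-cert.sh produces, then clean it ---
WORK=${WORK:-$(mktemp -d)}
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/C=IN/O=chainsys/CN=demo.chainsys.com" \
  -keyout "$WORK/demo.key" -out "$WORK/demo.pem" >/dev/null 2>&1
# text dump followed by the PEM block, as in the "typical certificate" above
openssl x509 -in "$WORK/demo.pem" -text > "$WORK/dumped.crt"
to_clean_pem "$WORK/dumped.crt" "$WORK/clean.crt"
echo "before: $(first_line "$WORK/dumped.crt")"
echo "after:  $(first_line "$WORK/clean.crt")"
echo "fingerprint: $(cert_fingerprint "$WORK/dumped.crt") -> $(cert_fingerprint "$WORK/clean.crt")"
```

Comparing fingerprints before and after is the check that matters: it shows you imported the certificate the CA issued, not a different one that happened to be in the file.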
Update the context file as described in MetaLink note 376700.1 (the SSL-related variables such as s_url_protocol, s_local_url_protocol, s_webssl_port, s_active_webport and s_webport).
Run AutoConfig.
Restart the middle tier services (all of them, not only Apache).
DB Tier Configuration:
To enable SSL on the Database Tier you need only create a wallet. It does not need a server certificate of its own: it only has to trust the CA that signed the web tier's certificate, so import ca.crt into it just as you did for the middle tier wallet.
After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
Create a new wallet directory named: wallet
Navigate to the newly created wallet directory.
Open the Wallet Manager as a background process:
owm &
On the Oracle Wallet Manager Menu navigate to Wallet -> New.
Answer NO to: “Your default wallet directory doesn't exist. Do you wish to create it now?”
The new wallet screen will now prompt you to enter a password for your wallet.
Click NO when prompted: “A new empty wallet has been created. Do you wish to create a certificate request at this time?”
If you need to import ca.crt: On the Oracle Wallet Manager menu navigate to Operations -> Import Trusted Certificate. Click OK. Double click on ca.crt to import it.
Save the wallet: On the Oracle Wallet Manager Menu click Wallet. Verify the Auto Login box is checked. Click Save.
To test that the wallet is properly set up and accessible, log in to SQL*Plus as the apps user and execute the following:
select utl_http.request('https://prod.chainsys.com:4443', null,
'file:/oracle/PRODN/db/tech_st/10.2.0/appsutil/wallet', null) from dual;
Here the first null is the proxy server and the second null is the wallet password; null works for the password because the wallet was saved with Auto Login (cwallet.sso), which is the default.
The Output will be like this
SQL> select utl_http.request('https://prod.chainsys.com:4443',null,'file:/oracle/PRODN/db/tech_st/10.2.0/appsutil/wallet',null) from dual;
UTL_HTTP.REQUEST('HTTPS://PROD.CHAINSYS.COM:4443',NULL,'FILE:/ORACLE/PRODN/DB/TE
--------------------------------------------------------------------------------
$Header:
index.html 120.3 2006/10/16 13:15:40 swkhande ship $
###############################################################
This file is automatically generated by AutoConfig. It will be read and overwritten. If you were instructed to edit this file, or if you are not able to use the settings created by AutoConfig, refer to Metalink Note 387859.1 for assistance.
###############################################################
Template /admin/template/index.html stored in
/oracle/PRODN/inst/apps/PRODN_prod/portal
To customize this page, please refer to Oracle MetaLink Note 387859.1 dbdrv: none
If you get this output, then your configuration is succeeded.
If not, please revisit the setup once again.
Errors:
The https login page errors out with "page not found":
Look in the error log under $INST_TOP/logs/ora/10.1.3/Apache/
Error 1:
[client 192.168.1.31] mod_security: Access denied with code 405. Pattern match "!(GET|HEAD|POST)" at REQUEST_METHOD. [uri ""] [unique_id SoqqQsCoAs4AAB2bEw0]
FIX:
HTTP 405 means the request method was rejected, which here is a symptom of traffic arriving on the wrong port or protocol. Make sure that s_webssl_port, s_active_webport and s_webport all agree with what you are trying to achieve, and that s_url_protocol and s_local_url_protocol are configured correctly. Go through Doc 123718.1 carefully.
Error 2:
[Tue Aug 18 18:51:42 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server prod.chainsys.com:8000, client 192.168.1.31)
FIX:
Edit $INST_TOP/ora/10.1.3/opmn/conf/opmn.xml and change the following from:
<ssl enabled="true" wallet-file="$ORACLE_HOME/opmn/conf/ssl.wlt/default/" />
to the path of your OHS wallet, e.g.:
<ssl enabled="true" wallet-file="/oracle/PRODN/inst/apps/PRODN_prod/certs/opmn/" />
Save the file.
Shut down the middle tier and restart.
Relogin with
https://prod.chainsys.com:4443/.
The Login page appeared normally and tested with https.
In the LOG_HOME you will also find a file called ssl_request_log with entries like these. Note what they record: the connections negotiated SSLv3 with SSL_RSA_WITH_RC4_128_MD5. Both are obsolete today (SSLv3 is broken by the POODLE attack and RC4 is prohibited by RFC 7465), so on a current system you would expect to see TLSv1.2 or later with an AES-GCM suite here; a log that still shows entries like these is a finding, not a success.
[19/Aug/2009:12:28:58 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 2
[19/Aug/2009:12:30:23 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 96
[19/Aug/2009:12:30:25 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 2
[19/Aug/2009:12:30:25 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 6
[19/Aug/2009:12:30:26 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 1482
[19/Aug/2009:12:30:27 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 0
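The following is an added example, not from the original post: a quick audit of ssl_request_log that summarises which protocol/cipher pairs clients actually negotiated and flags the obsolete ones. The sample log is constructed here in the page's own format (two lines taken from the log above, two invented for contrast); the field layout assumed is `[date] client protocol cipher "request" bytes`.

```sh
# Added example: audit ssl_request_log for obsolete protocols and ciphers.
# Assumed field layout: $1-$2 date, $3 client, $4 protocol, $5 cipher suite.

# ssl_log_summary FILE : number of requests per protocol/cipher pair, most first.
ssl_log_summary() {
  awk '{ n[$4 " " $5]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# ssl_log_weak FILE : lines negotiated with an obsolete protocol (SSLv2, SSLv3,
# TLSv1, TLSv1.1) or a weak cipher (RC4, MD5, DES/3DES, export, NULL, anon).
ssl_log_weak() {
  awk '$4 ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/ ||
       $5 ~ /(RC4|MD5|DES|EXP|NULL|anon)/' "$1"
}

# ssl_log_weak_count FILE : just the number of such lines.
ssl_log_weak_count() { ssl_log_weak "$1" | wc -l | tr -d ' '; }

# Constructed sample: first two lines from the page's log, last two invented.
SAMPLE=${SAMPLE:-$(mktemp)}
cat > "$SAMPLE" <<'EOF'
[19/Aug/2009:12:28:58 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 2
[19/Aug/2009:12:30:26 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 1482
[19/Aug/2009:12:31:02 +0530] 192.168.1.40 TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA "GET /OA_HTML/AppsLogin HTTP/1.1" 5120
[19/Aug/2009:12:31:09 +0530] 192.168.1.52 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /OA_HTML/AppsLogin HTTP/1.1" 5120
EOF

echo "== negotiated protocol/cipher pairs =="
ssl_log_summary "$SAMPLE"
echo "== requests on obsolete protocol or weak cipher: $(ssl_log_weak_count "$SAMPLE") =="
ssl_log_weak "$SAMPLE"
```

Run it against the real file (`SAMPLE=$LOG_HOME/ora/10.1.3/Apache/ssl_request_log`) after cutting over to https; the summary tells you which clients would break if the weak suites were disabled in the OHS configuration.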
Cheers!!!!
What happens when we enable SSL in Oracle Web Server?
I am assuming that SSL is already enabled on the web server. When you type a URL with https as the protocol (the s stands for Secure), the web server recognises the request as an SSL request and sends back its certificate, which states its identity and carries its public key. The browser uses that public key to encrypt the session secret it sends to the server; only the server, holding the private key (known to itself alone, stored in either the wallet or the ssl directory discussed later in this post), can decrypt it. The public key is known to everyone; the private key must not be. SSL also has built-in integrity protection, which assures that the data was not tampered with and comes from the authenticated source. If you don't understand all this at this minute, don't worry; you can still configure SSL. The whole arrangement of keys, certificates and CAs is called PKI (Public Key Infrastructure).
Myth about the SSL port in the web server
Do I need to use only port 443 for the web server SSL port? Not at all: port 443 is the standard port for HTTPS, as port 80 is for HTTP. You can run HTTPS on any port as long as that port is listening for HTTPS requests.
Overview of the steps in configuring SSL on the web server in Oracle Apps 11i
I am giving an overview of configuring SSL on the web server in Oracle Applications (configuring SSL for the Forms Server and Database Server needs additional steps). The steps mentioned here are for an AutoConfig-enabled system with Apache 1.0.2.2.2 and higher (if you are not aware of your Apache/httpd version, check here: http://teachmeoracle.com/version.html).
1. Create your SSL certificates (I'll cover later how to generate SSL certificates for the web server).
2. Configure the SSL parameters for the web server variables via OAM or by changing the context file (the XML file in APPL_TOP). These parameters I'll discuss shortly.
3. Copy the SSL certificates created in step 1 into the SSL directories (discussed later) or wallets (if you are using Oracle Wallets to store your certificates).
4. Run AutoConfig for the new parameters to take effect.
5. Test Applications with SSL.
Please note that the above steps implement SSL only on the web server; there are additional steps if you want to configure SSL on the Forms Server and Database Server. (I am not mentioning them here as this is not common.)
What is meant by creating SSL certificates?
Remember from above that the server sends its certificate (public) to the browser and uses its private key to decrypt what the browser encrypted with the public key. So the steps in creating certificates are:
1. Create a private key using openssl
2. Create a certificate request using the private key created above
3. Submit the request file to a Certifying Authority like VeriSign
4. Get the certificate from the Certifying Authority (CA)
If you are only testing SSL you can use the test certificates supplied with the web server. Never use them in production: they ship with every installation, so their private keys are not secret.
What are various parameters in XML file (CONTEXT File) w.r.t. SSL ?
s_web_ssl_directory - Directory where SSL certificates are stored
s_url_protocol - https means you are using ssl (Default is http)
s_local_url_protocol - change it to https for SSL
s_webssl_port - Apache SSL port
s_active_webport - same as s_webssl_port
s_webport - same as s_webssl_port
Lot more coming in next post on configure SSL with Oracle Apps 11i....
I am assuming that SSL is already enabled at web server , so you type url with protocol as https (where s stands for Secure ), web server understand that this is SSL request so Web Server sends its certificates back to client stating its identity & with that its send a Public key which your browser use to encrypt & decrypt message send by Web Server . Web Server uses its private key(known to itself only, stored in either wallet or ssl directory discussed later in this post) & public key(key which is known to everyone) to encrypt & decrypt messages. SSL has build in feature which assures that data is not tempered with its from valid source . If you don't understand all this at this minute don't worry you still can configure SSL. This entire concept is called as PKI (Publick Key Infrastructure)
Myth about SSL Port in webserver ?
Do I need to only Use on port 443 for Web Server SSL Port ?? not at all , port 443 is standard port for HTTPS as port 80 for HTTP. You can use HTTPS on any port as long as port is listening for HTTPS requests .
Overview of the steps in configuring SSL on the web server in Oracle Apps 11i
I am giving an overview of configuring SSL on the web server in Oracle Applications (configuring SSL for the Forms Server and Database Server is not covered in this overview). The steps mentioned here are for an Autoconfig-enabled system and Apache 1.0.2.2.2 and higher (if you are not aware of your Apache/httpd version, check here http://teachmeoracle.com/version.html).
1. Create your SSL certificates (I'll cover later how to generate SSL certificates for the web server)
2. Configure the SSL parameters for the web server via OAM or by changing the Context File (XML file in APPL_TOP); I'll discuss these parameters shortly.
3. Copy the SSL certificates created in step 1 into the SSL directories (discussed later) or wallets (if you are using Oracle Wallets to store your certificates)
4. Run Autoconfig so that the new parameters take effect
5. Test Applications with SSL
Please note that the above steps are for implementing SSL only on the web server; there are additional steps if you want to configure SSL on the Forms Server and Database Server (I am not mentioning them here as this is not common).
What is meant by creating SSL certificates?
Remember from above that the server sends its certificate (public) to the browser and uses its private key to encrypt and decrypt messages. So the steps in creating certificates are:
1. Create a private key using openssl
2. Create a certificate request using the private key created above
3. Submit the request file to a Certifying Authority (CA) like Verisign
4. Get the certificate back from the Certifying Authority (CA)
If you are only testing SSL, you can use the test certificates supplied with the web server.
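The four certificate steps above carried out with openssl, as an added example that is not part of the original post: a private key, a certificate request to send to the CA, and, for a test instance only, a self-signed certificate standing in for the CA-issued one. It assumes openssl is on PATH; the subject fields, paths and hostname are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the "create your SSL
# certificates" steps done with openssl, plus a self-signed substitute
# for the CA step on a test system. Assumed: openssl on PATH; subject
# fields and paths are placeholders to replace with your own values.

# make_csr DIR CN -> writes DIR/server.key (step 1) and DIR/server.csr (step 2)
make_csr() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    umask 077   # everything created from here on is owner-only: the key is a secret
    # step 1: 2048-bit RSA private key, left unencrypted so Apache can start unattended
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # step 2: certificate request; CN must be the hostname users type in the URL
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn" 2>/dev/null
    # the request must verify against its own key before it goes to the CA (step 3)
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1
}

# self_sign DIR -> DIR/server.crt; stands in for the CA-issued certificate (step 4)
# on a test instance only: browsers will warn because no trusted CA signed it
self_sign() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 365 -out "$1/server.crt" 2>/dev/null
}

# cert_cn CRT -> the CN in the certificate, to compare with the web server hostname
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_cert KEY CRT -> true when the certificate was issued for this key
# (mismatched pairs are a common cause of SSL start-up errors after copying files)
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# usage: sh make_certs.sh /path/to/certs apps.example.com   (placeholders)
if [ $# -eq 2 ]; then
    make_csr "$1" "$2" && self_sign "$1"
    echo "certificate CN: $(cert_cn "$1/server.crt")"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key and certificate match"
fi
```

On a production system skip self_sign and send server.csr to the CA; the certificate it returns is what goes into the SSL directory or wallet.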
What are the various parameters in the XML (CONTEXT) file with respect to SSL?
s_web_ssl_directory - directory where the SSL certificates are stored
s_url_protocol - https means you are using SSL (default is http)
s_local_url_protocol - change it to https for SSL
s_webssl_port - Apache SSL port
s_active_webport - same as s_webssl_port
s_webport - same as s_webssl_port
Lot more coming in next post on configure SSL with Oracle Apps 11i....
What is SSL?
SSL stands for Secure Socket Layer, a protocol developed by Netscape. Data transferred between server and client is secured (encrypted).
Why do I need SSL in Oracle Applications?
Usually the data transmitted between the client machine and the server (the Web Server over the HTTP protocol and the Forms Server over sockets) is clear-text packets. Anyone with network access can put a packet sniffer between the client machine and the server and open and read all data exchanged between your machine and the server; a hacker can get your username/password or any sensitive data. This becomes critical when you have Internet access to Oracle Applications 11i (usually a Self Service implementation).
Where do I need to configure SSL in Apps?
Communication between the client and Oracle Applications happens via three components.
–Oracle Web Server (the initial connection and all self-service access is via the Web Server/Apache). If your Forms Server is in servlet mode then the core applications are also accessed via the Web Server (Jserv component)
–Oracle Forms Server: for core Oracle Applications access (Forms)
–Database: you access the web server, which in turn talks to the database server via the UTL_HTTP package through the DAD (/pls/$SID)
So you enable SSL on a particular component depending on your requirement and on which component is accessible over the Internet and should be secured. You can implement it across all three components, or only one, or any two.
What is the common deployment for Internet-facing Oracle Applications?
Though you can configure SSL for Web, Forms and database for extra security, usually the most exposed and Internet-facing component is the Web Server (for Self Service Applications), so the common trend is to enable SSL between the client machine and the Web Server (Apache) in Oracle Applications.
What will happen with respect to data communication after enabling SSL?
By default you access Applications over HTTP (Hyper Text Transfer Protocol), but after enabling SSL on the web server you will access them via HTTPS (Secure). Data will be encrypted at one end and decrypted at the other end.
Superb. You have covered almost everything about SSL certificates in this article. This post is a complete learning guide to help everyone learn about this useful technique.
I saw your solution to the error:
Error 2:
[Tue Aug 18 18:51:42 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server prod.chainsys.com:8000, client 192.168.1.31)
FIX:
Edit the $INST_TOP/ora/10.1.3/opmn/conf/opmn.xml and
change the following from:
<ssl enabled="true" wallet-file="$ORACLE_HOME/opmn/conf/ssl.wlt/default/" />
to:
<ssl enabled="true" wallet-file="PATH TO YOUR OHS WALLET" />
<ssl enabled="true" wallet-file="/oracle/PRODN/inst/apps/PRODN_prod/certs/opmn/" />
But that file is already set up correctly. We are still getting thousands of entries with this error. Any other ideas?
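Two checks for the opmn.xml situation in the comment above, added here as example code that is neither the post author's nor Oracle's: one confirms the wallet-file attribute no longer points at the shipped default and that the directory really holds a wallet (ewallet.p12 or cwallet.sso), the other tallies the nzos_Handshake errors per client, so you can see whether the noise comes from one client or from everywhere. It assumes POSIX sh with sed, grep, sort and uniq; the opmn.xml paths and the log lines in the self-test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post or its comments). Assumed: POSIX sh with
# sed/grep/sort/uniq; all paths and log lines used here are constructed.

# opmn_wallet_file OPMN_XML -> wallet-file attribute of the first <ssl> element,
# with $ORACLE_HOME expanded the way opmn does at runtime
opmn_wallet_file() {
    sed -n 's/.*<ssl[^>]*wallet-file="\([^"]*\)".*/\1/p' "$1" | head -n 1 \
        | sed "s|\$ORACLE_HOME|${ORACLE_HOME:-}|g"
}

# check_opmn_wallet OPMN_XML -> 0 when the path is not the shipped default and the
# directory actually contains an Oracle wallet (ewallet.p12 or cwallet.sso)
check_opmn_wallet() {
    path=$(opmn_wallet_file "$1")
    if [ -z "$path" ]; then
        echo "no <ssl wallet-file=...> element in $1" >&2; return 1
    fi
    case $path in
        *ssl.wlt/default*) echo "still the default OPMN wallet: $path" >&2; return 1 ;;
    esac
    if [ ! -f "$path/ewallet.p12" ] && [ ! -f "$path/cwallet.sso" ]; then
        echo "no wallet found under $path" >&2; return 1
    fi
    echo "$path"
}

# handshake_failures ERROR_LOG -> "count client errorcode server" per distinct
# combination, most frequent first
handshake_failures() {
    grep 'nzos_Handshake failed with error' "$1" \
        | sed -n 's/.*error \([0-9]*\) (server \([^,]*\), client \([^)]*\)).*/\3 \1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of the error_log format quoted in the comment (not real traffic)
SAMPLE_LOG='[Tue Aug 18 18:51:42 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server prod.example.com:8000, client 192.168.1.31)
[Tue Aug 18 18:51:43 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server prod.example.com:8000, client 192.168.1.31)
[Tue Aug 18 18:51:44 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server prod.example.com:8000, client 192.168.1.57)'

# usage: sh check_opmn_ssl.sh $INST_TOP/ora/10.1.3/opmn/conf/opmn.xml $LOG_HOME/ora/10.1.3/Apache/Apache/logs/error_log
if [ $# -eq 2 ]; then
    check_opmn_wallet "$1" && echo "wallet location looks right"
    handshake_failures "$2"
fi
```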