Share the content if you found it is useful (You can share using 300 community websites) click "share" at the end of the post.

You are encouraged to leave a comment.








Monday, July 06, 2009

Oracle - APPS Configuring SSL on R12 (10gAS)

Today, i need to blog out the configuration of SSL in R12 Environment. The process and steps are as follows. It contains both Middle Tier and DB Tier configurations:

SSL stands for Secure Socket Layer. Data Transferred between Server & Client is secured (Encrypted).Usually data transmitted between client machine & server (Web Server on http protocol & Forms Server on Sockets ) is clear text packets. Any one can put Packet Sniffer between Client machine & Server & can open & read all data transaction between your machine & Server (If he/she has network access) Hacker can get your Username/Password or any sensitive data. This become critical when you have Internet access to Oracle Applications 11i (Usually Self Service Implementation)
The Communication Process between the Tiers:
Communication between Client & Oracle Applications happens via three components.
Oracle Web Server (Initial Connection & all self service access is via Web Server/Apache). If your Form Server is in servlet Mode then Core Applications are also accessed via Web Server (oacore Component)
Oracle Form Server: For Core Oracle Application Access (Forms)
Database : You access web server which in turn talks to database Server via UTL_HTTP package via dad (/pls/$SID)
So You enable SSL on particular component depending on your requirement & component which is accessible over Internet & should be secured. You can Implement across all three component or only one or any two.
Further...
SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).
SSL uses 2 types of Certificates:
1. User certificates:
These are Certificates issued to servers or users to prove their identity in a public key/private key exchange.
2. Trusted certificates:
These are Certificates representing entities that you trust – such as certificate authorities that sign the user certificates they issue.
How SSL works with Middle Tier Oracle HTTP Server:
The client sends a request to the server using HTTPS connection mode.
The server presents its certificate to the client. This certificate contains the server’s identifying information.
The client checks its list of Trust points and compares the information in the certificate with the server’s public key. If it matches, the server is authenticated as a trusted server.
The client sends the server a list of the encryption levels, or ciphers, that it can use.
The server receives the list and selects the strongest level of encryption that they have in common.
The client creates a session key which is used to encrypt the data and sends this session key to the server which can decrypt the data with its private key
How SSL works with Oracle Database Server:
The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
When the package fetches data from a Web site using HTTPS, it specifies the location to the Oracle Wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node’s server certificate.
Process:
For converting the application into SSL we need to have a Digital certificate. A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority’s private key to ensure authenticity. The Certificate Authority’s Public Key is widely distributed.
A Certificate Signing Request (CSR) is a digital file, which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.
A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A trusted third party, called a Certification Authority (CA), issues certificates. The document is usually in a standard X509 format and contains three elements:
Entity attributes (information about your organization)
Public key (which is bound to your organization)
Digital signature of the trusted CA private key

Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate, which will be valid for 2 weeks for testing purposes.
Private (Server) Key:
The private key file is a digital file that you generate and for use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key), which is issued by your CA, is bound to this private key.
We will now look into the actual procedure for enabling the application with SSL. Not that below explanation is based on metalink note ID 376700.1.
Middle tier setup
To start with SSL setup we have to create a certification request through Oracle wallet manager.
Step 1) Create wallet on the apps side
Login to application tier with applmgr user ID and navigate to $INST_TOP/ora/10.1.3 directory and source .env file present at that location. This will make 10.1.3 (IAS_ORACLE_HOME) as your ORACLE_HOME.
Navigate to $INST_TOP/certs/Apache directory.
Backup Apache directory
Start Oracle wallet manager
$ owm &
Navigate Wallet -> NewAnswer No to: “Your default wallet directory doesn’t exist. Do you wish to create it now?”Set the wallet manager password (example. Welcome)
Click Yes when prompted “A new empty wallet has been created. Do you wish to create a certificate request at this time”.
Following screen appears
Common Name – Your hostnameOrganization Unit – Your department nameOrganization – Your company nameLocation/City – Your city nameState/Province – Your state nameCountry - Your country name
Press OK once you fill all information.
Save wallet in $INST_TOP/certs/Apache folder with name (server_name).cer
Once saved, it will ask, “A wallet already exist, you want to override”. You can say yes.Click on certificate Request in the list provided on left side of Oracle wallet manager window and you can see your request contents on right side as seen in below screen.
Wallet -> Autologin (Enable)
Wallet -> Save
Once you get the request content, you have to get the certificates from certifying Authority like verisign. Currently the certificate request that you created is your .cer file. Using this file you can get the actual certificate file, which will be .crt file. Along with that file you will also get your private key file (.key). So after getting certificate you will have 3 files with you
Certificate request file (.cer)
Actual certificate file (.crt)
Private Key file (.key)
Once you get the certificate, you have to generate CA certification file. Since for any SSL certificate we need to have CA(Certifying Authority) file. Some of the certifying authority companies also provide CA files. But here we will see how to generate CA file from certificate file (.crt).
Step 2) Creating your certifying authority’s certificate
Copy/ftp (binary mode) .crt to the your PC desktop
Double-click the file and go to Certification Path tab
Double click on VeriSign/RSA Secure Server CA
Go to Details tab and press Copy to File…
Press Next and select “Base-64 encoded X.509(.CER)” and press next
Give the name as ca
Press Finish
A new ca.cer file will be present in your local PC. FTP back ca.cer file to your UNIX host.
Step 3) Converting the existing cert files
Source the .env file again present at location $INST_TOP/ora/10.1.3
Change dir to $INST_TOP/certs/Apache
Copy .crt, ca.crt, servername.key to the current dir.
Execute the following command:$ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert ./.crt -key ./.key -cafile ./ca.cer -wallet . -ssowallet yes
Step 4) Appstier setup

Edit the context xml file in $APPL_TOP/admin, change the SSL related variables to SSL values
SSL Related Variables in the Context File
Variable Non-SSL Value SSL Value
s_url_protocol http https
s_local_url_protocol http https
s_webentryurlprotocol http https
s_active_webport same as s_webport same as s_webssl_port
s_webssl_port N/A default is 4443
s_https_listen_parameter N/A same as s_webssl_port

s_help_web_agent url constructed with http protocol and s_webport for both
non-SSL and SSL
s_login_page url constructed with http protocol url constructed with
and s_webport https protocol and
s_webssl_port


  • Execute autoconfig
  • Bounce the mid-tier services

ERROR:

Ssl Nzos_handshake Failed With Error 28860 From Localhost When Using SSL Only Port For OHS

edit opmn.xml from $ORACLE_HOME/opmn/conf

Locate for ssl

Please update the wallet file location in my case, it was in the $INST_TOP/certs/opmn
Step 5)

DB Tier Setup
Once you run autoconfig on Apps Tier, you need to do wallet setup on DB tier as well. Since R12 is autoconfig enabled, there will be a directory called appsutil in ORACLE_HOME on database side. Follow below steps to carry out the setup on database side.
Login to DB tier as oracle user
Change dir to $ORACLE_HOME/appsutil
Create a new dir with name as wallet

$mkdir wallet
Start Oracle Wallet Manager (owm &)
Wallet -> New
Answer No to: “Your default wallet directory doesn’t exist. Do you wish to create it now?”
Click No when prompted “A new empty wallet has been created. Do you wish to create a certificate request at this time”
Save Wallet
Copy ca.crt from the appl_top to $ORACLE_HOME/appsutil/wallet
Navigate Operations-> Import Trusted Certificate
Navigate to ca.crt
Once import completed. Save wallet
Navigate wallet-> autologin (enable)
Save wallet
Step 6) Sanity check
New Appslogin url: https://(hostname):(port)/OA_HTML/AppsLogin
Notice the lock sign in the statusbar (bottom) of the browser. Click on the sign to verify the certificate
Sanity check all the components.
Login to db as sqlplus apps/(apps password)
select utl_http.request(’https://(hostname):(port)’,null,’file:(path to ORACLE_HOME/appsutil/wallet)’, null) from dual;
It should display the first 2000 Chars of the html page.

No comments:

Related Posts Plugin for WordPress, Blogger...

Let us be Friends...

Share |

Popular Posts

Labels

11.5.1. to 11.5.5 Cloning Procedure. 11g 11i 11i and R12 11i Autoconfig 11i Cloning 12.1.1 SSL 2 Node RAC Adconfig.sh errors out adgennls.pl adop Advanced Replication Apache version Apex Apex for Oracle database Apex Installation Apex Installation on Oracle E Business Suite. 11i with Apex Apex on 11i Apex on Oracle 11i Apex402 apexins.sql APPL_TOP Character Application Express Application server Issue APPLSYS password Apps Password Asynchronous Replication Autoconfig Autoconfig Managed Beehive Bit of operating system Block block media corrupt BPEL Central Inventory Character Set Conversion Cloning of 11i Cloning of Oracle Applications Clusterware Concurrent CPU 2011 CPU 2012 April CPU 2012 January. CPU 2012 October CRS custom top Custom Top Creation Database . Database Query Dataguard DBMS_REPAIR Demantra . Domain Name E Business Suite Migration EBS 12.2 EPM exp/imp Oracle Applications Flashback table flows_020200 FND_TOP/resource FNDCPASS FNDCPUCF Forms server upgrade Forms startup FRM-92101 Fusion Middleware Hostname Hot Backup Hot cloning HotBackup Hotbackup Cloning of Oracle Apps hrglobal.drv. NLS Saudi Arabian HRMS hyperion Import and Export Oracle Applications Install Oracle Installation of R12 Installation Steps integration Oracle EBS Issues Database issues Oracle EBS Issues with Upgrade 12.1.1 Java Mission Control Java Upgrade java/sql/SavePoint JInitiator Junk Characters Language Translation Linux Linux Migration listener trace Listner version Local Inventory Login Page Master-Master Replication Memory Tuning Multiple Language NLS Non-Autoconfig Enabled OBIEE 11g Installation OBIEE Issues OIM Opatch version OpenSSL ora-01031 Oracle oracle 11g Oracle Announcement Oracle Application servers Oracle Application services Oracle Applications Oracle Applications 11i oracle applications 12.2 Oracle Applications Cloning Oracle Applications Upgrade Oracle Applications. Oracle Apps cloning Oracle BPEL oracle certifications oracle database Oracle Database RMAN Oracle Database upgradation Oracle DB oracle E Business suite 12.2 Oracle EBS oracle EPM Oracle Forms Logo oracle Fusion Applications Oracle Inventory oracle news Oracle OUI Oracle R12 oracle Sun Solaris Oracle Tuning Oracle Virtual Box Oracle Webgate Oracle WMA configuration orcladmin password for Oracle Applications Pasta Configuration pasta.cfg patch PDF Performance Physical Standby Platform migration Printer Configuration Profile Option R12 RAC Rapid Install Rapidwiz Real Application Clusters 10g Recovery RMAN RMAN Recovery SA Gosi Service Oriented Architecture SOA SQLTXPLAIN SSL Configuration step-by-step upgrade Sun solaris Swap Tablespace Trace Enable Trace file Translation Synchronization Patch transport tablespace tuning Tuning SGA uifont.ali Underscore Universal Content Management updates.oracle.com Upgradation of 12.0.5 to 12.1.1 Upgrade Upgrade 11g Upgrade Apps Upgrade DB Upgrade to 11g UTF8 version of oracle applications versions Web server upgrade weblogic windows workflow version XML Publisher version