
Wednesday, August 19, 2009

Configuring SSL in 12.1.1 (Step by Step) OpenSSL

Secure Sockets Layer (SSL)
SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).
SSL uses two types of certificates:
1. User certificates
These are certificates issued to servers or users to prove their identity in a public key/private key exchange.
2. Trusted certificates
These are certificates representing entities that you trust, such as certificate authorities that sign the user certificates they issue.
How SSL works with Middle Tier Oracle HTTP Server:

1. The client sends a request to the server using HTTPS connection mode.
2. The server presents its certificate to the client. This certificate contains the server's identifying information.
3. The client checks its list of trust points and compares the information in the certificate with the server's public key. If it matches, the server is authenticated as a trusted server.
4. The client sends the server a list of the encryption levels, or ciphers, that it can use.
5. The server receives the list and selects the strongest level of encryption that they have in common.
6. The client creates a session key, which is used to encrypt the data, and sends this session key to the server encrypted with the server's public key, so that only the server can decrypt it with its private key.

How SSL works with Oracle Database Server:
1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
2. When the package fetches data from a Web site using HTTPS, it specifies the location to the Oracle Wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node's server certificate.
Certificate Authority (CA)
A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority's private key to ensure authenticity. The Certificate Authority's Public Key is widely distributed.
Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.
Digital Certificate (Public Key)
A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, called a Certification Authority (CA). The document is usually in the standard X.509 format and contains three elements:
1. Entity attributes (information about your organization)
2. Public key (which is bound to your organization)
3. Digital signature made with the trusted CA's private key
Verisign ( will allow your organization to apply for a free trial certificate which will be valid for 2 weeks for testing purposes.
Private (Server) Key
The private key file is a digital file that you generate and use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key) issued by your CA is bound to this private key.
Secure Server Certificates
Secure Server Certificates are 128-bit certificates which provide 128-bit SSL encryption. If a browser has 128-bit support, encryption is negotiated to 128 bits. However, if the browser only supports 40-bit encryption, the level of encryption, regardless of the 128-bit certificate, will be negotiated down to 40 bits.
Global Server Certificates
Global Server Certificates, also referred to as Server Gated Cryptography, are 128-bit certificates that enable all browsers to use 128-bit encryption, even if the browser only supports 40-bit encryption. A global server certificate usually has two parts: the certificate itself and an extra intermediate certificate which is used to provide the step-up. The marketing names of these certificates vary depending on the company that issues them; for example, Thawte calls them 128-bit SuperCerts. It is not possible to get trial versions of global server certificates; therefore it is not possible to test one unless it is purchased.
Secure Socket Layer Accelerators
Secure Socket Layer (SSL) Accelerators can be used to take the SSL traffic and workload off the web servers. Usually SSL accelerators are the primary targets for HTTPS requests from the user's desktop and thus are the initial endpoint for all desktop client communication. They are responsible for converting HTTPS (SSL) requests to non-SSL HTTP requests and directing them to the HTTP server, which runs in non-SSL mode. Before sending the response back to the desktop they convert the non-SSL response back to SSL.

Step-by-Step SSL Configuration on 12.1.1 (with Demo Certificate)



The default location of certificates in R12 is $INST_TOP/certs/Apache.

Set up the environment (using the env file in $INST_TOP/ora/10.1.3).

Create a wallet
Navigate to $INST_TOP/certs/
Back up the Apache directory as Apache_ori.
Run owm & (the trailing & runs the process in the background).
On the Oracle Wallet Manager menu
navigate to Wallet -> New.
Answer NO to: “Your default wallet directory doesn't exist. Do you wish to create it now?”
The new wallet screen will now prompt you to enter a password for your wallet.
The password should have 8 characters
and should contain both numbers and letters. (I selected welcome123)
Click YES when prompted: “A new empty wallet has been created. Do you wish to create a certificate request at this time?”

Submit the certificate request to a Certificate Authority (CA). To do so, follow these steps:

a. Highlight Certificate (Requested) in the left pane.
In the right-hand pane you should see the certificate request, including its BEGIN and END lines.
b. Click Operations -> Export Certificate Request.
c. Save as (anyname.csr); I saved it as chainsys.csr.
Select the directory where the .csr file is to be saved and press OK.
Click on Wallet again and check Auto Login.
Exit. (This will ask whether to save the wallet you created.) Press Yes.

Now submit anyname.csr to the certification authority (CA).

To create our own digital certificate:
Download and unpack the SSL helper scripts named
1. Download ssl-ca-0.1.tar.gz
2. gunzip ssl-ca-0.1.tar.gz
This will create ssl-ca-0.1.tar.
3. tar -xvf ssl-ca-0.1.tar
This will create a directory ssl-ca-0.1.

[oracle@prod certs]$ cd /oracle/PRODN/
apps/ inst/ db/
[oracle@prod certs]$ cd /oracle/PRODN/
[oracle@prod PRODN]$ ls
apps db inst
[oracle@prod PRODN]$

Move the certificate request (anyname.csr) to the directory containing the OpenSSL certificate authority scripts.

Create a self-signed root certificate by running the script. This will create a file called ca.crt.

Create the self-signed server certificate by running the script,
e.g. $ (certificate request filename).
This will create a file called (certificate request filename).crt.
Copy the ewallet.p12 and cwallet.sso files from the location where they were created to the $INST_TOP/certs/Apache directory.
Import the certificates generated by the scripts into the Oracle wallet through owm. To do so, proceed as follows.

Run owm &

Click Open, then select the wallet you saved (specify the location only). It will ask for the password to open it; provide the password you gave when creating the request.
Click on operations,
Select import trusted certificate (browse the file ca.crt created inside the ssl-ca-0.1 directory)
Select import user certificate (Browse the file anyname.crt created by
A typical certificate, decoded, looks like this:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IN, ST=TamilNadu, L=Chennai, O=chainsys, OU=chainsys, CN=chainsys/
Not Before: Aug 18 08:22:53 2009 GMT
Not After : Aug 18 08:22:53 2010 GMT
Subject: C=IN, ST=TamilNadu, L=Chennai, O=chainsys, OU=chainsys, CN=Chainsys
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
X509v3 Basic Constraints: critical
Signature Algorithm: md5WithRSAEncryption
While importing the user certificate you may encounter:
User Certification Installation Failed
Possible Errors:
- Input was not a valid certificate
- No matching certificate request was found
- CA certificate needed for certificate chain not found. Please install it first
Just remove the lines above the BEGIN CERTIFICATE line and below the END CERTIFICATE line in the anyname.crt file.

Then upload the certificate again; it will be registered.

After importing the certificate into the wallet, be sure to check Auto Login in the Wallet menu.

Exit the Wallet Manager (save the wallet in the desired location).

Modify OPMN Wallet:
Navigate to $INST_TOP/certs/opmn
Create a Backup directory.
Move the existing ewallet.p12 and cwallet.sso files from the opmn directory to the Backup directory just created.
Copy the ewallet.p12 and cwallet.sso files from the
$INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.

Update the JDK Cacerts file
Navigate to the $OA_JRE_TOP/lib/security directory
Back up the existing cacerts file.
Copy your ca.crt and server.crt files to this directory

Issue the following command to ensure that cacerts has write permission:
chmod u+w cacerts
Add your Apache ca.crt and anyname.crt to cacerts:

For this use the following syntax.

"keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts"

When prompted, enter the password 'changeit'.

"keytool -import -alias ApacheServer -file (anyname.crt) -trustcacerts -v -keystore cacerts"

When prompted, enter the password 'changeit'.

If you want to delete an existing certificate from the keystore, use

"keytool -delete -alias ApacheServer -keystore cacerts"

If you want to delete a trusted certificate from the existing keystore, use

"keytool -delete -alias ApacheRootCA -keystore cacerts"

Issues with the keytool keystore

keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate


Back up the certificate (*.crt) that is erroring out.

Edit the certificate and remove all the lines above the BEGIN CERTIFICATE line,


then save and re-run keytool to register the certificate.
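The same fix applies to the Wallet Manager import error earlier and to this keytool error: the .crt files produced by the ssl-ca scripts carry the decoded text dump ahead of the PEM block. As an added example (not from the original post), this shell function does the stripping and refuses a file that does not contain exactly one complete certificate block; the sample .crt it creates is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: keep only the PEM block of a .crt.
# The ssl-ca-0.1 scripts write the openssl text dump ("Version: 3 (0x2)",
# "Signature Algorithm: ...") before -----BEGIN CERTIFICATE-----; both Oracle
# Wallet Manager and keytool reject such a file as not a valid certificate.

# extract_pem SRC DST : copy the BEGIN..END CERTIFICATE block from SRC to DST.
# Returns 0 only when exactly one complete block was found (owm imports a single
# user certificate; the CA certificate is imported separately as trusted).
extract_pem() {
    src="$1"; dst="$2"
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$src" > "$dst"
    # grep -c exits 1 when the count is 0; "|| true" keeps the count anyway
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$dst" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$dst" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# clean_cert FILE : strip FILE in place, keeping the original as FILE.orig
# (the post recommends backing up the erring .crt before editing it).
clean_cert() {
    cp "$1" "$1.orig" && extract_pem "$1.orig" "$1"
}

# make_sample FILE : constructed stand-in for a .crt emitted by the scripts;
# the base64 body is a placeholder, not a real certificate.
make_sample() {
    cat > "$1" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IN, ST=TamilNadu, L=Chennai, O=example, CN=example
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATEBODYAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
EOF
}
```

Stripping only cures "Input was not a valid certificate"; "No matching certificate request was found" means the certificate was not issued against this wallet's CSR, and the chain error means ca.crt must be imported as a trusted certificate first.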

Update the context file as described in Metalink note 376700.1.

Run AutoConfig.

Restart the middle tier services (not only Apache).

DB Tier Configuration:
To enable SSL on the database tier you need only create a wallet. You do not need a server certificate for this wallet. If you were required to import your ca.crt into the middle tier wallet, you will need to do it for this wallet too.

After setting your environment for the database tier, navigate to the

$ORACLE_HOME/appsutil directory.
Create a new wallet directory named: wallet

Navigate to the newly created wallet directory.
Open the Wallet Manager as a background process:

owm &

On the Oracle Wallet Manager Menu navigate to Wallet -> New.

Answer NO to: “Your default wallet directory doesn't exist. Do you wish to create it now?”

The new wallet screen will now prompt you to enter a password for your wallet.

Click NO when prompted: “A new empty wallet has been created. Do you wish to create a certificate request at this time?”

If you need to import ca.crt: On the Oracle Wallet Manager menu navigate to Operations -> Import Trusted Certificate. Click OK. Double click on ca.crt to import it.

Save the wallet: On the Oracle Wallet Manager Menu click Wallet.

Verify the Auto Login box is checked. Click Save.

To test that the wallet is properly set up and accessible, log in to SQL*Plus as the apps user and execute the following:

select utl_http.request('',null, 'file:/oracle/PRODN/db/tech_st/10.2.0/appsutil/wallet', null) from dual;

Here, the first null is the proxy server and the second null is the wallet password; the default for both is null.

The output will look like this:
SQL> select utl_http.request('',null,'file:/oracle/PRODN/db/tech_st/10.2.0/appsutil/wallet',null) from dual;


$Header: index.html 120.3 2006/10/16 13:15:40 swkhande ship $ ###############################################################
This file is automatically generated by AutoConfig. It will be read and overwritten. If you were instructed to edit this file, or if you are not able to use the settings created by AutoConfig, refer to Metalink Note 387859.1 for assistance.


Template /admin/template/index.html stored in /oracle/PRODN/inst/apps/PRODN_prod/portal

To customize this page, please refer to Oracle MetaLink Note 387859.1 dbdrv: none

If you get this output, your configuration succeeded.

If not, revisit the setup.

If the HTTPS login page errors out with "page not found":
Look into the error log under $INST_TOP/logs/ora/10.1.3/Apache/.
[client] mod_security: Access denied with code 405. Pattern match "!(GETHEADPOST)" at REQUEST_METHOD. [uri ""] [unique_id SoqqQsCoAs4AAB2bEw0]
Look up HTTP error code 405. Make sure that your s_webssl_port, s_active_webport and s_webport all agree with what you are trying to achieve. Also check s_url_protocol and s_local_url_protocol and confirm that you have configured them correctly. I suggest going through Doc 123718.1 carefully.

Error 2:
[Tue Aug 18 18:51:42 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server, client

Edit $INST_TOP/ora/10.1.3/opmn/conf/opmn.xml and
change the following from:
<ssl enabled="true" wallet-file="$ORACLE_HOME/opmn/conf/ssl.wlt/default/"/>
to:
<ssl enabled="true" wallet-file="PATH TO YOUR OHS WALLET"/>
e.g.
<ssl enabled="true" wallet-file="/oracle/PRODN/inst/apps/PRODN_prod/certs/opmn/"/>

Save the file.

Shut down the middle tier and restart.
Relogin with

The Login page appeared normally and tested with https.
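As an added check, not part of the original post, the following shell script reads the wallet-file attribute of the ssl element in opmn.xml and confirms that the directory it names holds the ewallet.p12 and cwallet.sso copied earlier, which is the condition the nzos_Handshake fix above establishes. The opmn.xml fragment it generates is a constructed stand-in for the real file.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the <ssl> element in
# opmn.xml points at a directory that actually holds the OHS wallet files.

# opmn_wallet_dir XML : print the wallet-file attribute of the first <ssl> element
opmn_wallet_dir() {
    sed -n 's/.*<ssl [^>]*wallet-file="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# opmn_wallet_ok XML : 0 when the wallet directory contains both ewallet.p12 and
# cwallet.sso (the auto-login file the Apache wallet was saved with), 1 otherwise
opmn_wallet_ok() {
    wdir=$(opmn_wallet_dir "$1")
    case "$wdir" in
        "")
            echo "no <ssl ... wallet-file=...> element found in $1" >&2; return 1 ;;
        *\$*)
            # a $ORACLE_HOME-style value means the shipped default was never
            # replaced with the $INST_TOP/certs/opmn path
            echo "wallet-file still set to the default OPMN wallet: $wdir" >&2; return 1 ;;
    esac
    for f in ewallet.p12 cwallet.sso; do
        if [ ! -f "$wdir/$f" ]; then
            echo "missing $wdir/$f" >&2; return 1
        fi
    done
    echo "opmn wallet OK: $wdir"
}

# make_sample_opmn XML WALLETDIR : constructed fragment in the shape of the
# 10.1.3 opmn.xml (only the notification-server part that matters here)
make_sample_opmn() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<opmn>
  <notification-server interface="any">
    <port local="6100" remote="6200"/>
    <ssl enabled="true" wallet-file="$2"/>
  </notification-server>
</opmn>
EOF
}
```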

In LOG_HOME you will find another file called ssl_request_log, with entries like this:

[19/Aug/2009:12:28:58 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 2
[19/Aug/2009:12:30:23 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 96
[19/Aug/2009:12:30:25 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 2
[19/Aug/2009:12:30:25 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 6
[19/Aug/2009:12:30:26 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 1482
[19/Aug/2009:12:30:27 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 0
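As an added example, not from the original post, the following script summarises ssl_request_log by protocol and cipher suite and counts the requests negotiated with SSLv3 or RC4/MD5 suites, which is what every line above shows (the 2009 default; both are now prohibited, by RFC 7568 and RFC 7465). The log lines it creates are constructed, with shorter URIs than the real log and TLSv1/AES lines invented for contrast.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OHS ssl_request_log.
# Line shape: [date time] PROTOCOL CIPHER "METHOD URI HTTP/x" BYTES
# (fields 1-2 are the bracketed timestamp, 3 the protocol, 4 the cipher suite).
# The weak-suite pattern list is deliberately minimal; extend it to your policy.

# audit_ssl_log FILE : one "PROTOCOL CIPHER COUNT VERDICT" line per distinct pair
audit_ssl_log() {
    awk '
        $3 != "" && $4 != "" { seen[$3 " " $4]++ }
        END {
            for (k in seen) {
                verdict = "ok"
                if (k ~ /^SSLv[23] / || k ~ /RC4|_MD5$|NULL|EXPORT/) verdict = "weak"
                printf "%s %d %s\n", k, seen[k], verdict
            }
        }' "$1" | sort
}

# weak_request_count FILE : number of requests negotiated with SSLv2/SSLv3 or a
# RC4, MD5-MAC, NULL or EXPORT cipher suite
weak_request_count() {
    awk '$3 ~ /^SSLv[23]$/ || $4 ~ /RC4|_MD5$|NULL|EXPORT/ { n++ } END { print n + 0 }' "$1"
}

# make_sample_log FILE : constructed lines in the ssl_request_log format
make_sample_log() {
    cat > "$1" <<'EOF'
[19/Aug/2009:12:28:58 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 2
[19/Aug/2009:12:30:23 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 96
[19/Aug/2009:12:30:25 +0530] SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 1482
[19/Aug/2009:12:31:00 +0530] TLSv1 SSL_RSA_WITH_AES_128_CBC_SHA "GET /OA_HTML/AppsLogin HTTP/1.1" 1234
[19/Aug/2009:12:31:05 +0530] TLSv1 SSL_RSA_WITH_AES_128_CBC_SHA "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 40
[19/Aug/2009:12:31:09 +0530] TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA "GET /OA_HTML/AppsLogin HTTP/1.1" 7
EOF
}
```

Because the negotiated suite is recorded per request, this log is where to confirm the effect of tightening the OHS cipher configuration after a restart.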



deva said...

I have done it with your steps and it is working fine for me...
Great work.
Keep it up.

Anonymous said...


I'm getting the below error while importing the user certificate.

User Certification Installation Failed
Possible Errors:
- Input was not a valid certificate
- No matching certificate request was found
- CA certificate needed for certificate chain not found. Please install it first.

I have followed your given solution "Just remove the lines above the BEGIN CERTIFICATE line in the anyname.crt file and below the line END CERTIFICATE." but it is still giving the same error.
Please help me; how can I fix this issue?

Thanks in Advance.


Anonymous said...

I am trying to, but got errors. It seems that the URL stops at, could you please let me know how I can download the scripts?


Balaji Srinivasan said...


You can download the same from

Mr. F said...

java.lang.Exception: Input not an X.509 certificate


I forgot to change my JAVA_HOME.
JAVA_HOME was not pointing to the JDK that has ca.crt and anyname.crt.
