Wednesday, August 19, 2009

Configuring SSL in 12.1.1 (Step by Step) with OpenSSL

Secure Sockets Layer (SSL)
SSL is the protocol that provides authentication of the server (and, optionally, of the client), encryption of data in transit and integrity protection for that data. The exchange of data between client and server in such a session is said to use the Secure Sockets Layer (SSL).
SSL uses 2 types of certificates:
1. User certificates
These are certificates issued to servers or users to prove their identity in a public key/private key exchange; the holder also has the matching private key.
2. Trusted certificates
These are certificates representing entities you trust, such as the certificate authorities that sign the user certificates they issue. A trusted certificate carries only a public key; the wallet never holds its private key.
How SSL works with the middle tier Oracle HTTP Server:

1. The client opens a connection to the server in HTTPS mode and sends the list of cipher suites (encryption algorithms and key lengths) it supports.
2. The server picks the strongest cipher suite the two have in common and presents its certificate to the client. The certificate contains the server's identifying information and its public key.
3. The client checks that the certificate was signed by one of the certificate authorities in its list of trust points, that it has not expired, and that the name in it matches the host it connected to. If all of that holds, the server is authenticated. A certificate signed by a private CA, as in this post, passes this check only on clients where ca.crt has been installed as a trust point.
4. The client generates a random pre-master secret, encrypts it with the server's public key taken from the certificate and sends it to the server. Only the holder of the matching private key can decrypt it, which is why the private key must never leave the server.
5. Both sides derive the session key from that secret and encrypt the rest of the exchange with it. The protocol version and cipher suite negotiated here are what ssl_request_log records for every request.

How SSL works with the Oracle database server:
1. The UTL_HTTP package is used to make HTTP callouts from SQL and PL/SQL to a web node (Oracle HTTP Server).
2. When the package fetches data from a web site over HTTPS, the call names the location of an Oracle Wallet that resides on the database server. That wallet must contain the certificate of the certificate authority (CA) that signed the web node's server certificate; if it does not, the callout fails with ORA-29024 (certificate validation failure).
Certificate Authority (CA)
A Certificate Authority is a trusted third party responsible for issuing, revoking and renewing digital certificates. Every certificate it issues is signed with the CA's private key, so anyone holding the CA's public key can check that the certificate is genuine. The CA's public key (its own certificate) is widely distributed, for example in browser and JDK trust stores.
Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a file containing your public key and your identifying information (distinguished name), signed with your private key to prove that you hold it. You send the CSR to a Certifying Authority (CA), which turns it into a real certificate. The private key itself stays in your wallet and is never sent.
Digital Certificate (Public Key)
A digital certificate is an electronic document that binds an identity to a key pair that can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, called a Certification Authority (CA). The document is usually in the standard X.509 format and contains three elements:
1. Entity attributes (information about your organization)
2. The public key (which is bound to your organization)
3. A digital signature made with the trusted CA's private key
Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate, valid for 2 weeks, for testing purposes.
Private (Server) Key
The private key is a file that you generate and use to decrypt messages sent to you and to sign. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key, so the digital certificate (containing your public key) that the CA issues is bound to it: the certificate is useless without the private key, and anyone who obtains the private key can impersonate the server. Keep the wallet files readable only by the applications owner and do not leave copies in world-readable backup directories.
Secure Server Certificates
Secure Server Certificates are marketed as "128 bit" certificates that enable 128 bit SSL encryption. If the browser supports 128 bit ciphers, encryption is negotiated at 128 bits. If the browser only supports 40 bit (export) ciphers, the session is negotiated down to 40 bits regardless of the certificate, because the key length is a property of the negotiated cipher suite, not of the certificate.
Global Server Certificates
Global Server Certificates, also referred to as Server Gated Cryptography (SGC), are certificates that let export-restricted browsers "step up" to 128 bit encryption even though they would otherwise only use 40 bits. A global server certificate usually has 2 parts: the certificate itself and an extra intermediate certificate that provides the step-up. The marketing names vary by issuer; for example, Thawte calls them 128 bit SuperCerts. Trial versions of global server certificates are not available, so they cannot be tested without purchasing one. (The sign-server-cert.sh script used later in this post adds the Microsoft and Netscape Server Gated Crypto extended key usages, as can be seen in the certificate dump below.)
Secure Socket Layer Accelerators
Secure Socket Layer (SSL) accelerators offload SSL processing from the web servers. The accelerator is the endpoint for the HTTPS requests coming from the user's desktop: it terminates the SSL session, forwards the request as plain "http" to the HTTP server running in non-SSL mode, and encrypts the response again before sending it back to the desktop. The hop between the accelerator and the HTTP server then carries unencrypted traffic, including session cookies, so that network segment must be trusted and isolated.

Step by Step (SSL Configuration on 12.1.1, with a Demo Certificate)

Server: prod.chainsys.com
IP: 192.168.2.206

Step 1:

The default location of the certificates in R12 is $INST_TOP/certs/Apache

Set up the environment (source the env file in $INST_TOP/ora/10.1.3).

Create a wallet
Navigate to $INST_TOP/certs/
Back up the Apache directory as Apache_ori
Run owm & (the trailing & runs Oracle Wallet Manager in the background so the shell stays usable)
On the Oracle Wallet Manager menu, navigate to Wallet -> New.
Answer NO to: "Your default wallet directory doesn't exist. Do you wish to create it now?"
The new wallet screen will now prompt you for a wallet password.
The password must be at least 8 characters long and contain both letters and digits. (I selected welcome123 for this demo; on a real system use a strong, unique password, because it protects the server's private key.)
Click YES when prompted: "A new empty wallet has been created. Do you wish to create a certificate request at this time?"
Fill in the certificate request form. The common name (CN) should be the host name users type into the browser (here prod.chainsys.com); the demo certificate shown later uses CN=Chainsys, which is enough for the utl_http test below but makes browsers warn that the certificate name does not match the site.






Submit the certificate request to a Certificate Authority (CA). To export it:

a. Highlight "Certificate: [Requested]" in the left pane.
The right pane shows the certificate request, including the BEGIN and END lines.
b. Choose Operations -> Export Certificate Request.
c. Save it as anyname.csr (I saved it as chainsys.csr): select the directory where the .csr file should go and press OK.
On the Wallet menu, tick Auto Login. This writes cwallet.sso next to ewallet.p12; OHS and OPMN open the wallet through it without a password, so the file must be readable only by the applications owner.
Exit. When asked to save the wallet, press Yes.

Now submit anyname.csr to the certification authority (CA), or sign it yourself as described next.


To create our own digital certificate:
Download and unpack the SSL helper scripts, ssl.ca-0.1.tar.gz:
1. Download ssl.ca-0.1.tar.gz
2. gunzip ssl.ca-0.1.tar.gz
this will create ssl.ca-0.1.tar
3. tar -xvf ssl.ca-0.1.tar
this will create a directory ssl.ca-0.1

[oracle@prod certs]$ cd /oracle/PRODN/
[oracle@prod PRODN]$ ls
apps  db  inst  ssl.ca-0.1  ssl.ca-0.1.tar
[oracle@prod PRODN]$

Move the certificate request (anyname.csr) into the ssl.ca-0.1 directory containing the OpenSSL certificate authority scripts.

Create a self-signed root certificate by running the new-root-ca.sh script. This creates ca.crt (the root certificate you will distribute as a trust point) and ca.key (the CA's private key, which signs every certificate; keep it readable only by you and never copy it to the web tier).

Create the server certificate, signed by that root, by running the sign-server-cert.sh script with the base name of the request,
e.g. $ ./sign-server-cert.sh chainsys
which reads chainsys.csr and writes chainsys.crt. The request in this demo used a 1024 bit key and the script signs with MD5 (see "1024 bit" and md5WithRSAEncryption in the dump below). That is acceptable for a throwaway demo, but MD5 signatures are no longer accepted by browsers and 1024 bit RSA is considered too weak; use SHA-256 and at least 2048 bits for anything users must trust.
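What new-root-ca.sh and sign-server-cert.sh do, spelled out as plain openssl commands. This is an added example, not the ssl.ca scripts and not code from the original post: it uses SHA-256 and 2048 bit RSA instead of the scripts' MD5 defaults, and because the request in the post is produced inside Oracle Wallet Manager, the example generates its own throwaway key and CSR so that it runs stand-alone. The subject names mirror the demo certificate; the directory layout, file names and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: openssl equivalents of new-root-ca.sh / sign-server-cert.sh.
# Assumptions (not from the post): SHA-256, 2048 bit RSA, a scratch directory
# passed as the first argument, and the function names below.
set -eu

# make_root_ca DIR: self-signed root (the ca.key / ca.crt pair new-root-ca.sh writes).
make_root_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=IN/ST=TamilNadu/L=Chennai/O=chainsys/CN=chainsys demo root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"   # the CA private key signs everything; nobody else reads it
}

# make_csr DIR NAME CN: stand-in for the request exported from owm (NAME.csr + NAME.key).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=IN/ST=TamilNadu/L=Chennai/O=chainsys/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_server_cert DIR NAME CN: reads NAME.csr, writes NAME.crt signed by the root,
# with server-auth extensions and a SAN so browsers accept the host name.
sign_server_cert() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# verify_chain DIR NAME: "OK" if NAME.crt chains to ca.crt; run this before importing.
verify_chain() {
    if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# sig_alg FILE: signature algorithm of a certificate, to confirm it is not md5WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# issue_demo DIR: the whole flow for prod.chainsys.com; prints the verify result.
issue_demo() {
    make_root_ca "$1"
    make_csr "$1" chainsys prod.chainsys.com
    sign_server_cert "$1" chainsys prod.chainsys.com
    verify_chain "$1" chainsys
}
```

Source the file and call issue_demo with an empty directory; it prints OK when chainsys.crt verifies against ca.crt, which is exactly the check owm performs when the user certificate is imported after ca.crt. The subjectAltName is what current browsers use for host name matching; a certificate carrying only CN=Chainsys, like the demo one, fails that match.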
Copy ewallet.p12 and cwallet.sso from the directory where you saved the wallet to $INST_TOP/certs/Apache.
Import the certificates generated by the scripts into the Oracle wallet with owm:

Run owm &

Choose Wallet -> Open and select the directory that holds the wallet (the location only, not the file). Enter the password you gave when creating the request.
On the Operations menu, in this order:
Select Import Trusted Certificate and browse to the ca.crt created inside the ssl.ca-0.1 directory.
Select Import User Certificate and browse to the anyname.crt created by sign-server-cert.sh. The trusted certificate has to go in first, because owm verifies the user certificate's chain against the wallet's trust points.
A certificate produced by the scripts looks like this (the human-readable dump from openssl x509 -text, followed by the PEM block):
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IN, ST=TamilNadu, L=Chennai, O=chainsys, OU=chainsys, CN=chainsys/emailAddress=balaji.rs@chain-sys.com
Validity
Not Before: Aug 18 08:22:53 2009 GMT
Not After : Aug 18 08:22:53 2010 GMT
Subject: C=IN, ST=TamilNadu, L=Chennai, O=chainsys, OU=chainsys, CN=Chainsys
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d6:aa:4d:cd:1b:4a:38:e8:d6:5b:50:12:d3:3f:
2c:82:97:55:c6:72:6b:70:bd:46:1b:f1:ca:4f:a9:
db:88:c0:86:22:38:9d:0e:ed:e5:75:1d:0a:aa:92:
63:13:85:1f:2b:41:41:8e:b6:3b:cd:0c:6d:d3:e2:
60:68:93:fc:19:ee:d1:9f:71:83:4d:94:07:a9:04:
b1:59:78:b3:db:b0:d3:31:eb:8c:ed:93:65:10:16:
a0:e9:8a:6e:9f:1b:10:41:82:1d:1a:22:6b:fe:0d:
ef:77:2d:77:84:b7:dc:ea:91:0c:82:3f:1d:3c:c8:
28:60:d9:67:cb:42:47:77:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:01:D0:98:47:0B:1C:34:2B:22:1B:86:43:E3:7A:FA:51:E9:E4:29:86

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
5a:bb:ca:94:c1:dd:4c:81:df:6d:1c:e2:38:25:bd:41:eb:3f:
3c:51:b4:c5:51:35:4c:29:d9:e5:94:27:72:2d:6d:cb:73:46:
75:96:91:ae:5b:18:45:1e:41:ee:c1:ae:b8:2c:be:fc:64:bf:
6d:d2:a4:87:81:3a:6a:84:8f:36:e3:4b:50:74:9b:6e:c5:20:
c5:e7:9b:e9:80:71:3a:3a:97:d0:76:3a:0d:98:a8:42:b8:35:
df:82:03:26:90:15:ae:44:a7:b5:a4:95:d6:b8:b0:0d:c1:3d:
66:3d:15:8f:b0:cd:4d:ea:f9:6c:98:94:ee:5f:1e:cb:53:61:
b1:1e
-----BEGIN CERTIFICATE-----
MIIC3jCCAkegAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBl
DELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCVRhbWlsTmF
kdTEQMA4GA1UEBxMHQ2hlbm5haTERMA8GA1UEChMIY
2hhaW5zeXMxETAPBgNVBAsTCGNoYWluc3lzMREwDwYD
VQQDEwhjaGFpbnN5czEmMCQGCSqGSIb3DQEJARYXYm
FsYWppLnJzQGNoYWluLXN5cy5jb20wHhcNMDkwODE4M
DgyMjUzWhcNMTAwODE4MDgyMjUzWjBsMQswCQYDVQ
QGEwJJTjESMBAGA1UECBMJVGFtaWxOYWR1MRAwDgY
DVQQHEwdDaGVubmFpMREwDwYDVQQKEwhjaGFpbnN5
czERMA8GA1UECxMIY2hhaW5zeXMxETAPBgNVBAMTCE
NoYWluc3lzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ
KBgQDWqk3NG0o46NZbUBLTPyyCl1XGcmtwvUYb8cpPqd
uIwIYiOJ0O7eV1HQqqkmMThR8rQUGOtjvNDG3T4mBok/
wZ7tGfcYNNlAepBLFZeLPbsNMx64ztk2UQFqDpim6fGxBB
gh0aImv+De93LXeEt9zqkQyCPx08yChg2WfLQkd30QIDAQ
ABo2cwZTAfBgNVHSMEGDAWgBQB0JhHCxw0KyIbhkPjev
pR6eQphjA0BgNVHSUELTArBggrBgEFBQcDAQYIKwYBBQ
UHAwIGCisGAQQBgjcKAwMGCWCGSAGG+EIEATAMBgNV
HRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAFq7ypT
B3UyB320c4jglvUHrPzxRtMVRNUwp2eWUJ3ItbctzRnWWk
a5bGEUeQe7Brrgsvvxkv23SpIeBOmqEjzbjS1B0m27FIMXn
m+mAcTo6l9B2Og2YqEK4Nd+CAyaQFa5Ep7Wklda4sA3BP
WY9FY+wzU3q+WyYlO5fHstTYbEe
-----END CERTIFICATE-----
ERROR:
While importing the user certificate you may encounter:
User Certificate Installation Failed
Possible Errors:
- Input was not a valid certificate
- No matching certificate request was found
- CA certificate needed for certificate chain not found. Please install it first.

Each line points to a different cause:
- "Input was not a valid certificate": owm expects only the PEM block. Remove the lines above -----BEGIN CERTIFICATE----- and below -----END CERTIFICATE----- in anyname.crt (the text dump shown above is what sign-server-cert.sh writes in front of the PEM block), then import again.
- "No matching certificate request was found": the certificate's public key does not match the pending request in this wallet. This happens when the wallet was recreated after the CSR was exported; the certificate is bound to the key in the wallet that produced the request, so export the CSR again from the current wallet and sign it again.
- "CA certificate needed for certificate chain not found": import ca.crt as a trusted certificate first, then retry the user certificate.

Once the file contains only the PEM block and the CA is trusted, the upload is accepted.

After importing the certificate into the wallet, make sure Auto Login is ticked on the Wallet menu.

Exit Oracle Wallet Manager (save the wallet in the desired location).

Modify the OPMN wallet:
Navigate to $INST_TOP/certs/opmn
Create a Backup directory and move the existing ewallet.p12 and cwallet.sso files into it.
Copy the ewallet.p12 and cwallet.sso files from $INST_TOP/certs/Apache to $INST_TOP/certs/opmn. OPMN uses this wallet for its own SSL listener, which is why an OPMN wallet that still points at the shipped default fails the handshake (see Error 2 below).

Update the JDK cacerts file
Navigate to the $OA_JRE_TOP/lib/security directory
Back up the existing cacerts file.
Copy your ca.crt and anyname.crt files to this directory.

Make sure cacerts is writable:
chmod u+w cacerts
Add your ca.crt and anyname.crt to cacerts with keytool:

keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts

When prompted, enter the keystore password; the JDK default is 'changeit'.

keytool -import -alias ApacheServer -file anyname.crt -trustcacerts -v -keystore cacerts

When prompted, enter the keystore password ('changeit' by default). Import the root CA first: with -trustcacerts keytool can then build the chain for the server certificate instead of asking you to trust it blindly. Because the default keystore password is public knowledge, the protection of cacerts comes from file permissions, not from the password, so take the write permission away again afterwards.

To delete the server certificate from the keystore, use

keytool -delete -alias ApacheServer -keystore cacerts

To delete the trusted root certificate from the keystore, use

keytool -delete -alias ApacheRootCA -keystore cacerts

Issues with keytool and the keystore

keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:1913)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:818)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

Then:

Back up the certificate (*.crt) that fails.

Edit the certificate and remove all the lines above

-----BEGIN CERTIFICATE-----

(and anything after -----END CERTIFICATE-----), save, and re-run the keytool command to register the certificate. The same error also appears when the -file path does not point at the certificate you think it does, for example because JAVA_HOME points at a different JDK than the one whose cacerts you are editing, so check JAVA_HOME and the path before editing the file.
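The two fixes described above, stripping everything outside the PEM markers before handing a .crt to owm or keytool, and confirming that the certificate really belongs to the request it was issued for, as reusable shell functions. This is an added example, not code from the original post; the function names and file layout are the example's own, and the certificate in the usage is generated on the fly rather than taken from the dump above.

```shell
#!/bin/sh
# Added example: clean a .crt that sign-server-cert.sh wrote with a text dump in
# front of the PEM block, and check it against the CSR it was issued for.
# Function names and the file layout are assumptions of this example.
set -eu

# pem_only IN OUT: keep only the first BEGIN/END CERTIFICATE block.
# Carriage returns are dropped first so a file saved on Windows still matches.
pem_only() {
    tr -d '\r' < "$1" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$2"
}

# pem_is_valid FILE: succeeds if openssl parses FILE as one X.509 certificate.
pem_is_valid() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# clean_crt IN OUT: write the cleaned certificate to OUT and report clean/invalid.
clean_crt() {
    pem_only "$1" "$2"
    if [ -s "$2" ] && pem_is_valid "$2"; then
        echo clean
    else
        echo invalid
    fi
}

# cert_matches_csr CRT CSR: "match" when the certificate carries exactly the
# public key of the request, i.e. it belongs in the wallet that produced the CSR.
# A mismatch is what owm reports as "No matching certificate request was found".
cert_matches_csr() {
    crt_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null || true)
    if [ -n "$crt_key" ] && [ "$crt_key" = "$csr_key" ]; then
        echo match
    else
        echo mismatch
    fi
}
```

Run clean_crt on the file the script produced, then cert_matches_csr on the cleaned file and the request you exported from owm; only a file that reports clean and match is worth importing. Note that openssl itself skips leading text before the BEGIN line, so pem_is_valid alone would not have caught the original problem; the cleaning step is there for owm and the old keytool, which do not.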


Update the context file as described in Metalink Note 376700.1 (Enabling SSL in Oracle E-Business Suite Release 12): the SSL port, the active web port and the URL protocol variables all have to be switched to their https values.

Run AutoConfig.

Restart the middle tier services (all of them, not only Apache; OPMN and the OC4J instances pick up the new settings only at start-up).


DB Tier Configuration:
To enable SSL on the database tier you only need to create a wallet. You do not need a server certificate for this wallet, because the database acts as a client here: it only has to trust the CA that signed the web tier's certificate. If you had to import your ca.crt into the middle tier wallet (a private CA, as in this demo), you need to import it into this wallet too.

After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
Create a new wallet directory named: wallet

Navigate to the newly created wallet directory.
Open the Wallet Manager as a background process:

owm &

On the Oracle Wallet Manager menu navigate to Wallet -> New.

Answer NO to: "Your default wallet directory doesn't exist. Do you wish to create it now?"

The new wallet screen will now prompt you to enter a password for your wallet.

Click NO when prompted: "A new empty wallet has been created. Do you wish to create a certificate request at this time?"

If you need to import ca.crt: on the Oracle Wallet Manager menu navigate to Operations -> Import Trusted Certificate. Click OK. Double click on ca.crt to import it.

Save the wallet: on the Oracle Wallet Manager menu click Wallet.

Verify the Auto Login box is checked. Click Save.

To test that the wallet is properly set up and accessible, log in to SQL*Plus as the apps user and execute the following:

select utl_http.request('https://prod.chainsys.com:4443',null, 'file:/oracle/PRODN/db/tech_st/10.2.0/appsutil/wallet', null) from dual;

The arguments are the URL, the proxy (null means no proxy), the wallet path (a file: URL pointing at the wallet directory, not at ewallet.p12) and the wallet password (null, because the wallet was saved with Auto Login and is opened through cwallet.sso). If the CA that signed the web tier certificate is missing from the wallet, the call fails with ORA-29024 (certificate validation failure) instead of returning the page.


The Output will be like this
SQL> select utl_http.request('https://prod.chainsys.com:4443',null,'file:/oracle/PRODN/db/tech_st/10.2.0/appsutil/wallet',null) from dual;

UTL_HTTP.REQUEST('HTTPS://PROD.CHAINSYS.COM:4443',NULL,'FILE:/ORACLE/PRODN/DB/TE
--------------------------------------------------------------------------------

$Header: index.html 120.3 2006/10/16 13:15:40 swkhande ship $ ###############################################################
This file is automatically generated by AutoConfig. It will be read and overwritten. If you were instructed to edit this file, or if you are not able to use the settings created by AutoConfig, refer to Metalink Note 387859.1 for assistance.
###############################################################
UTL_HTTP.REQUEST('HTTPS://PROD.CHAINSYS.COM:4443',NULL,'FILE:/ORACLE/PRODN/DB/TE

--------------------------------------------------------------------------------

Template /admin/template/index.html stored in /oracle/PRODN/inst/apps/PRODN_prod/portal

To customize this page, please refer to Oracle MetaLink Note 387859.1 dbdrv: none

If you get this output (the AutoConfig-generated index.html of the web tier, fetched over HTTPS), the configuration succeeded.

If not, revisit the setup once again.

Errors:
The https login page errors out with "page not found":
Look in the error log under $INST_TOP/logs/ora/10.1.3/Apache/
Error 1:
[client 192.168.1.31] mod_security: Access denied with code 405. Pattern match "!(GET|HEAD|POST)" at REQUEST_METHOD. [uri ""] [unique_id SoqqQsCoAs4AAB2bEw0]
FIX:
HTTP code 405 is "method not allowed": mod_security refused the request because the method it saw was not GET, HEAD or POST. In this setup the cause was a mismatch between the port and protocol context variables, which sends the request to the wrong listener. Make sure s_webssl_port, s_active_webport and s_webport agree with what you are trying to achieve (with SSL enabled, s_active_webport must equal s_webssl_port), and check that s_url_protocol and s_local_url_protocol are both set to https. Go through Doc 123718.1 carefully.
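A quick consistency check of the port and protocol variables named in the fix above, run against the context file. This is an added example, not from the original post or from Oracle: the context file excerpt it builds is a constructed sample that mimics the <tag oa_var="s_...">value</tag> layout of a real $CONTEXT_FILE with only the five variables discussed here, the function names are the example's own, and the rule it enforces (with https, both protocol variables must be https and s_active_webport must equal s_webssl_port) is the one the fix describes.

```shell
#!/bin/sh
# Added example: check that the SSL-related context variables agree.
# The XML below is a simplified stand-in for a real $CONTEXT_FILE (constructed
# sample, not a real file); the function names are the example's own.
set -eu

# ctx_get FILE VAR: value of the element whose oa_var attribute is VAR.
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -1
}

# ctx_set FILE VAR VALUE: replace that element's value (via a temp file, then moved).
ctx_set() {
    sed "s/\(oa_var=\"$2\"[^>]*>\)[^<]*</\1$3</" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ctx_ssl_check FILE: print each inconsistency found, then "problems=N".
ctx_ssl_check() {
    problems=0
    proto=$(ctx_get "$1" s_url_protocol)
    lproto=$(ctx_get "$1" s_local_url_protocol)
    webport=$(ctx_get "$1" s_webport)
    sslport=$(ctx_get "$1" s_webssl_port)
    active=$(ctx_get "$1" s_active_webport)

    if [ "$proto" = https ]; then
        # SSL on: local protocol must match and the active port must be the SSL port
        if [ "$lproto" != https ]; then
            echo "s_local_url_protocol=$lproto but s_url_protocol=https"; problems=$((problems + 1))
        fi
        if [ "$active" != "$sslport" ]; then
            echo "s_active_webport=$active but s_webssl_port=$sslport"; problems=$((problems + 1))
        fi
    else
        # SSL off: the active port must be the plain web port
        if [ "$active" != "$webport" ]; then
            echo "s_active_webport=$active but s_webport=$webport"; problems=$((problems + 1))
        fi
    fi
    if [ "$webport" = "$sslport" ]; then
        echo "s_webport and s_webssl_port are both $webport"; problems=$((problems + 1))
    fi
    echo "problems=$problems"
}

# make_sample_ctx FILE: constructed excerpt with the typical mistake (protocol
# switched to https but s_active_webport left on the plain port).
make_sample_ctx() {
    cat > "$1" <<'EOF'
<oa_context>
  <url_protocol oa_var="s_url_protocol">https</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
  <webport oa_var="s_webport" oa_type="PORT">8000</webport>
  <webssl_port oa_var="s_webssl_port" oa_type="PORT">4443</webssl_port>
  <active_webport oa_var="s_active_webport" oa_type="PORT">8000</active_webport>
</oa_context>
EOF
}
```

Run ctx_ssl_check against $CONTEXT_FILE before AutoConfig; a non-zero problems count means the generated httpd configuration will send requests to the wrong listener. Values are changed with ctx_set here only for the demonstration; on a real instance edit the context file through the supported tools so that the change is recorded.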

Error 2:
[Tue Aug 18 18:51:42 2009] [error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29049 (server prod.chainsys.com:8000, client 192.168.1.31)

FIX:
1. Edit $INST_TOP/ora/10.1.3/opmn/conf/opmn.xml and change the following from:
<ssl enabled="true" wallet-file="$ORACLE_HOME/opmn/conf/ssl.wlt/default/"/>
to:
<ssl enabled="true" wallet-file="PATH TO YOUR OHS WALLET"/>
in this case:
<ssl enabled="true" wallet-file="/oracle/PRODN/inst/apps/PRODN_prod/certs/opmn/"/>

2. Save the file. (opmn.xml is regenerated by AutoConfig, so check that the next AutoConfig run produces the same wallet path; otherwise the error returns.)

3. Shut down the middle tier and restart it.
Log in again with
https://prod.chainsys.com:4443/

The login page appeared normally and was tested with https.




In LOG_HOME, alongside the error log, you will also find ssl_request_log, with one line per request showing the client, the negotiated protocol version and cipher suite, the request and the bytes returned. Entries look like this (note SSLv3 with RC4 and MD5 here, all of which are now considered broken; on a current system you would expect TLS and an AES suite):

[19/Aug/2009:12:28:58 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 2
[19/Aug/2009:12:30:23 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 96
[19/Aug/2009:12:30:25 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 2
[19/Aug/2009:12:30:25 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 6
[19/Aug/2009:12:30:26 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 1482
[19/Aug/2009:12:30:27 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet;jsessionid=9b60de453fcc0642d0fced47fd973245171f9aff8ebaac28eca64eb206a99ee7.e38Qa3yQah0Qci0Nbx8PbN8Mahz0 HTTP/1.1" 0
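The same log read the way a security engineer reads it: which clients negotiated a protocol version or cipher suite that should no longer be accepted. This is an added example, not from the original post; the log lines it parses are constructed to follow the ssl_request_log format shown above (with a few TLS lines added for contrast), and the weak-list it applies (SSLv2/SSLv3, RC4, MD5, DES/3DES, NULL and export suites) is the example's own choice.

```shell
#!/bin/sh
# Added example: audit ssl_request_log for weak protocols and cipher suites.
# Line format (from the post): [date zone] client proto cipher "request" bytes.
# The sample lines are constructed; the weak-list is this example's choice.
set -eu

# weak_report FILE: one line per weak client/proto/cipher with a count, then "weak=N total=M".
weak_report() {
    awk '
        {
            total++
            key = $3 " " $4 " " $5
            if ($4 ~ /^SSLv[23]$/ || $5 ~ /RC4|MD5|3DES|_DES_|NULL|EXPORT|EXP-/) {
                weak++
                seen[key]++
            }
        }
        END {
            for (k in seen) print k, seen[k]
            printf "weak=%d total=%d\n", weak + 0, total + 0
        }' "$1"
}

# weak_count FILE: just the number of weak handshakes, for alert thresholds.
weak_count() {
    weak_report "$1" | sed -n 's/^weak=\([0-9]*\) .*/\1/p'
}

# make_sample_log FILE: constructed lines in the ssl_request_log format.
make_sample_log() {
    cat > "$1" <<'EOF'
[19/Aug/2009:12:28:58 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 2
[19/Aug/2009:12:30:23 +0530] 192.168.1.31 SSLv3 SSL_RSA_WITH_RC4_128_MD5 "POST /forms/lservlet HTTP/1.1" 96
[19/Aug/2009:12:31:02 +0530] 192.168.1.40 TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA "GET /OA_HTML/AppsLogin HTTP/1.1" 512
[19/Aug/2009:12:31:09 +0530] 192.168.1.40 TLSv1 SSL_RSA_WITH_AES_128_CBC_SHA "GET /OA_HTML/AppsLogin HTTP/1.1" 512
[19/Aug/2009:12:32:15 +0530] 192.168.1.52 TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "GET /OA_HTML/AppsLogin HTTP/1.1" 8801
EOF
}
```

A weak handshake in this log means the server still offers that suite, not just that an old client asked for it: the server makes the final choice in the handshake. The accepted suites for OHS come from the SSLCipherSuite line in ssl.conf, which AutoConfig regenerates, so the change has to be made through the template or context rather than in the file itself.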

Cheers!!!!

5 comments:

Unknown said...

I have done it with your steps and it is working fine for me...
Great work.
Keep it up.

Anonymous said...

Hi,

I am getting the below error while importing the user certificate.

User Certification Installation Failed
Possible Errors:
- Input was not a valid certificate
- No matching certificate request was found
- CA certificate needed for certificate chain not found. Please install it first.

i have followed your given solution "Just remove the lines above the BEGIN CERTIFICATE line in the anyname.crt file and below the line END CERTIFICATE." but still it is giving same error.
Please help me,how to fix this issue.

Thanks in Advance.

Thanks,
Yakub

Anonymous said...

I am trying to download ssl.ca-0.1.tar.gz, but got errors. It seems that the URL stops at ssl.ca-01.tar. Could you please let me know how I can download the scripts?

Thanks,
Jerry

Balaji Srinivasan said...

Hi

You can download the same from

https://code.google.com/p/covpn/downloads/detail?name=ssl.ca-0.1.tar.gz&can=2&q=

Mr. F said...

java.lang.Exception: Input not an X.509 certificate

Solved.

I forgot to change my JAVA_HOME.
JAVA_HOME was not pointing to the JDK that has ca.crt and anyname.crt.
