Enabling SSL in Oracle E-Business Suite Release 12
Overview
SSL stands for Secure Sockets Layer, a protocol developed by Netscape. Data transferred between server and client is secured (encrypted).
Usually the data transmitted between the client machine and the server (Web Server over the HTTP protocol and Forms Server over sockets) travels as clear-text packets. Anyone with network access can put a packet sniffer between the client machine and the server and open and read every data transaction between your machine and the server, so an attacker can obtain your username/password or any other sensitive data. This becomes critical when you have Internet access to Oracle Applications 11i (usually a Self Service implementation).
Communication between the client and Oracle Applications happens via three components:
· Oracle Web Server: the initial connection and all self-service access go via the Web Server (Apache). If your Forms Server is in servlet mode then the core applications are also accessed via the Web Server (oacore component).
· Oracle Forms Server: for core Oracle Applications access (Forms).
· Database: you access the Web Server, which in turn talks to the database server via the UTL_HTTP package and the DAD (/pls/$SID).
So you enable SSL on a particular component depending on your requirement and on which component is accessible over the Internet and should be secured. You can implement it across all three components, or on only one or any two of them.
Concept:
SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. The exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).
SSL uses two types of certificates:
1. User certificates: certificates issued to servers or users to prove their identity in a public key/private key exchange.
2. Trusted certificates: certificates representing entities that you trust, such as the certificate authorities that sign the user certificates they issue.
How SSL works with the Middle Tier Oracle HTTP Server:
1. The client sends a request to the server using HTTPS connection mode.
2. The server presents its certificate to the client. This certificate contains the server's identifying information.
3. The client checks its list of trust points and compares the information in the certificate with the server's public key. If it matches, the server is authenticated as a trusted server.
4. The client sends the server a list of the encryption levels, or ciphers, that it can use.
5. The server receives the list and selects the strongest level of encryption that they have in common.
6. The client creates a session key, which is used to encrypt the data, and sends this session key to the server encrypted with the server's public key; the server recovers it with its private key and can then decrypt the data.
How SSL works with the Oracle Database Server:
1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web node (Oracle HTTP Server).
2. When the package fetches data from a Web site using HTTPS, it specifies the location of the Oracle Wallet that resides on the database server. This wallet contains the certificate of the Certifying Authority (CA) that signed the Web node's server certificate.
Process:
To convert the application to SSL we need a digital certificate. A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority's private key to ensure authenticity. The Certificate Authority's public key is widely distributed.
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real certificate.
A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A trusted third party, called a Certification Authority (CA), issues certificates. The document is usually in the standard X.509 format and contains three elements:
1. Entity attributes (information about your organization)
2. Public key (which is bound to your organization)
3. Digital signature made with the trusted CA's private key
Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate, which will be valid for 2 weeks for testing purposes.
Private (Server) Key:
The private key file is a digital file that you generate and use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore the resulting digital certificate (containing your public key), which is issued by your CA, is bound to this private key.
We will now look at the actual procedure for enabling the application with SSL. Note that the explanation below is based on Metalink note ID 376700.1.
Middle tier setup
To start the SSL setup we have to create a certificate request through Oracle Wallet Manager.
Step 1) Create wallet on the apps side
· Log in to the application tier as the applmgr user, navigate to the $INST_TOP/ora/10.1.3 directory and source the .env file present at that location. This makes 10.1.3 (IAS_ORACLE_HOME) your ORACLE_HOME.
· Navigate to the $INST_TOP/certs/Apache directory.
· Back up the Apache directory.
· Start Oracle Wallet Manager:
bash-2.05$ owm &
[1] 16555
· Navigate Wallet -> New. Answer No to: "Your default wallet directory doesn't exist. Do you wish to create it now?" Set the wallet manager password (example: Welcome).
· Click Yes when prompted "A new empty wallet has been created. Do you wish to create a certificate request at this time?".
The following screen appears, asking for:
Common Name – your hostname
Organization Unit – your department name
Organization – your company name
Location/City – your city name
State/Province – your state name
Country – your country name
Press OK once you have filled in all the information. Save the wallet in the $INST_TOP/certs/Apache folder with the name (server_name).cer.
Once saved, it will ask "A wallet already exists, do you want to override it?". You can say Yes.
Click on Certificate Request in the list on the left side of the Oracle Wallet Manager window; your request contents appear on the right side, as seen in the screen below.
· Wallet -> Autologin (enable)
· Wallet -> Save
Once you have the request content, you have to get the certificate from a certifying authority like Verisign. Currently the certificate request that you created is your .cer file. Using this file you can get the actual certificate file, which will be a .crt file. Along with that file you will also get your private key file (.key). So after getting the certificate you will have 3 files with you:
1. Certificate request file (.cer)
2. Actual certificate file (.crt)
3. Private key file (.key)
Once you get the certificate, you have to generate the CA certificate file, since for any SSL certificate we need the CA (Certifying Authority) file. Some certifying authority companies also provide CA files, but here we will see how to generate the CA file from the certificate file (.crt).
Step 2) Creating your certifying authority's certificate
· Copy/FTP (binary mode) the .crt file to your PC desktop.
· Double-click the file and go to the Certification Path tab.
· Double-click on VeriSign/RSA Secure Server CA.
· Go to the Details tab and press Copy to File...
· Press Next, select "Base-64 encoded X.509 (.CER)" and press Next.
· Give the name as ca.
· Press Finish.
A new ca.cer file will be present on your local PC. FTP the ca.cer file back to your UNIX host.
Step 3) Converting the existing cert files
· Source the .env file at $INST_TOP/ora/10.1.3 again.
· Change directory to $INST_TOP/certs/Apache.
· Copy the .crt, ca.crt and servername.key files to the current directory.
· Execute the following command:
$ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert ./servername.crt -key ./servername.key -cafile ./ca.cer -wallet . -ssowallet yes
Step 4) Apps tier setup
Edit the context XML file in $APPL_TOP/admin and change the SSL-related variables to their SSL values:
SSL RELATED VARIABLES IN THE CONTEXT FILE

| Variable | Non-SSL Value | SSL Value |
|---|---|---|
| s_url_protocol | http | https |
| s_local_url_protocol | http | https |
| s_webentryurlprotocol | http | https |
| s_active_webport | same as s_webport | same as s_webssl_port |
| s_webssl_port | not applicable | default is 4443 |
| s_https_listen_parameter | not applicable | same as s_webssl_port |
| s_help_web_agent | url constructed with http protocol and s_webport for both non-SSL and SSL | |
| s_login_page | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port |
· Execute AutoConfig.
· Bounce the mid-tier services.
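A quick consistency check for the table above, as an added example that is not part of the note or of Oracle's tooling: a POSIX shell function reads the `oa_var` values out of a context file and reports any SSL-related variable that still carries its non-SSL value (protocols not https, or s_active_webport / s_https_listen_parameter not equal to s_webssl_port). The context fragment is constructed for the demonstration; only the `oa_var` attributes matter, the surrounding element names are illustrative.

```shell
#!/bin/sh
# Constructed sample of a context file fragment (real files are much larger).
# Only the oa_var attributes matter to the check; element names are illustrative.
ctx_sample() {
cat <<'EOF'
<oa_context>
  <url_protocol oa_var="s_url_protocol">https</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
  <webport oa_var="s_webport" oa_type="PORT">8000</webport>
  <webssl_port oa_var="s_webssl_port" oa_type="PORT">4443</webssl_port>
  <activeWebPort oa_var="s_active_webport" oa_type="PORT">8000</activeWebPort>
  <https_listen_parameter oa_var="s_https_listen_parameter">4443</https_listen_parameter>
</oa_context>
EOF
}

# ctx_var FILE VAR: print the text value of the element whose oa_var is VAR.
ctx_var() {
  sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# ctx_ssl_check FILE: apply the SSL column of the table. Prints one line per
# mismatch and returns the number of mismatches (0 means the file is consistent).
ctx_ssl_check() {
  f=$1; bad=0
  for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
    val=$(ctx_var "$f" "$v")
    [ "$val" = https ] || { echo "$v='$val', expected https"; bad=$((bad + 1)); }
  done
  sslport=$(ctx_var "$f" s_webssl_port)
  if [ -z "$sslport" ]; then
    echo "s_webssl_port is not set (default is 4443)"; bad=$((bad + 1))
  fi
  # Both port variables must follow s_webssl_port once SSL is enabled.
  for v in s_active_webport s_https_listen_parameter; do
    val=$(ctx_var "$f" "$v")
    [ "$val" = "$sslport" ] || { echo "$v='$val', expected $sslport"; bad=$((bad + 1)); }
  done
  return "$bad"
}

# Stand-alone run against the constructed sample (two mismatches expected).
tmp=$(mktemp)
ctx_sample > "$tmp"
ctx_ssl_check "$tmp" || echo "$? SSL variable(s) still need attention"
rm -f "$tmp"
```

Point it at the real context file after editing and before running AutoConfig: `ctx_ssl_check $CONTEXT_FILE`.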
Step 5) DB Tier Setup
Once you have run AutoConfig on the apps tier, you need to do the wallet setup on the DB tier as well. Since R12 is AutoConfig enabled, there will be a directory called appsutil in the ORACLE_HOME on the database side. Follow the steps below to carry out the setup on the database side.
· Log in to the DB tier as the oracle user.
· Change directory to $ORACLE_HOME/appsutil.
· Create a new directory named wallet.
· Start Oracle Wallet Manager (owm &).
· Wallet -> New.
· Answer No to: "Your default wallet directory doesn't exist. Do you wish to create it now?"
· Click No when prompted "A new empty wallet has been created. Do you wish to create a certificate request at this time?"
· Save the wallet.
· Copy ca.crt from the APPL_TOP to $ORACLE_HOME/appsutil/wallet.
· Navigate Operations -> Import Trusted Certificate.
· Navigate to ca.crt.
· Once the import has completed, save the wallet.
· Navigate Wallet -> Autologin (enable).
· Save the wallet.
Step 6) Sanity check
New AppsLogin URL: https://(hostname):(port)/OA_HTML/AppsLogin
Notice the lock sign in the status bar (bottom) of the browser. Click on the sign to verify the certificate.
Sanity check all the components.
Log in to the database with SQL*Plus as apps/(apps password) and run:
select utl_http.request('https://(hostname):(port)', null, 'file:(path to ORACLE_HOME/appsutil/wallet)', null) from dual;
It should display the first 2000 characters of the HTML page.