
1/13/2015

Document 1425103.1

SSL Primer: Enabling SSL in Oracle E-Business Suite Release 12 (Trial Certificate Example)
(Doc ID 1425103.1)

In this Document

Abstract
History
Details
  Introduction
  Configuring the EBS Web Tier for Direct HTTPS Communication
    1. Set Your Environment
    2. Create a Web Tier Wallet
    3. Create a Certificate Request
    4. Export the Certificate Request
    5. Submit the Certificate Request to a Certifying Authority
    6. Import your Certificate to the Wallet
    7. Copy the Apache Wallet to the OPMN Wallet
    8. AutoConfig
  Client Configurations
    Introduction
    Client Browser Configuration
    Mozilla Firefox Security Exception
    Microsoft Internet Explorer Security Exception
  Retrieving the Public Facing SSL Certificates Using the Client Browser
    Introduction
    Retrieving the Certificates using Mozilla Firefox
    Retrieving the Certificates using Internet Explorer
  Importing SSL Certificates into the JDK's Trusted Certificate Store
  Creating a Database Wallet and Importing Trusted SSL Certificates
Summary
References

APPLIES TO:

Oracle Applications Technology Stack - Version 12.0.6 to 12.1.3 [Release 12.0 to 12.1]
Information in this document applies to any platform.

ABSTRACT

This note is an illustrated companion to the primary Note: 376700.1, Enabling SSL in Oracle E-Business Suite Release 12, and covers the implementation of a Verisign Trial Certificate as an example. The daunting length is primarily due to the depth of explanation and the number of illustrations.

Source: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1425103.1


HISTORY

Author: DCOLLIER
Create Date: 28-FEB-2012
Update Date: 06-Nov-2012
Expire Date: distant future

DETAILS

Introduction

There are several places within the EBS R12 instance that require changes to properly work with SSL, as documented in Note: 376700.1, Enabling SSL in Release 12. These places are configured using different methods, and quite often the steps are done initially by one person and then need to be revisited by another person years later, when a step is discovered to have been skipped or a certificate needs to be updated. This simplified guide provides an illustrated walkthrough of each step of the process using a trial certificate as an example. The process is similar for self-signed, internally signed, and paid-for certificates.

This guide is written as a very detailed and illustrated primer, and each step is illustrated in two ways. The orapki command line interface examples illustrate and accomplish the task in a very direct and curt fashion, whereas the abundance of screenshots from the Oracle Wallet Manager's graphical user interface should appeal to newer users. The desired result of creating a wallet can be achieved by either method, but first-time users should choose EITHER orapki OR owm and consider the alternate examples as an illustration of a concept.

SSL Offloading versus SSL Running Natively

SSL uses a handshake protocol to negotiate and establish a session between the client machines and the HTTPS-enabled web servers. During the handshake process, digital certificates are used to authenticate identity and negotiate how to encrypt the information for the remainder of the session. The Oracle EBS web tier is quite capable of this, but many customers opt to offload the SSL processing to a reverse proxy or load balancer. The SSL offloader that acts as an SSL terminator decrypts the SSL-encrypted data from the client and then proxies that data to the EBS tier in an unencrypted state. As the term implies, the overhead of SSL processing is taken completely off of the EBS web tier so that the EBS web tier is dedicated to EBS-specific processing. This improves performance and security because the SSL offloader tends to run on specialized SSL acceleration hardware separate from the EBS web tier and can more easily integrate with intrusion detection systems, virus detection systems, application layer firewalls, etc. Note that the hop from the offloader to the EBS web tier is then plain HTTP, so that network segment must be trusted or otherwise protected. Integration of EBS with one of these third-party devices is generally a simple matter of updating six AutoConfig context file parameters and then running AutoConfig after that third-party device is configured.

While the specific configuration of the third-party SSL hardware is supported and documented by the third-party vendor, the integration with EBS is detailed in the primary Note: 376700.1. SSL offloading is mentioned here only as an important consideration before proceeding to run SSL directly on the EBS web tier, which is covered in the next section as a starting point for the illustration of further EBS configuration details that follow. Note that even if an SSL offloader is used as the web entry point, the JDK(s) and database still require an SSL configuration of their own, because they act as SSL clients to that web entry point.

Configuring the EBS Web Tier for Direct HTTPS Communication

1. Set Your Environment

The web tier setup on EBS R12 instances makes use of the utilities within the 10.1.3 ORACLE_HOME. The typical applmgr environment is based on the environment files from the APPL_TOP, which refer to the 10.1.2 ORACLE_HOME, so an alternate environment file must be sourced before attempting to start. Navigate to the 10.1.3 Configuration Home and source the 10.1.3 environment file. The file will be named after the $CONTEXT_NAME, which is typically the SID ($TWO_TASK) followed by the hostname.

For example:

> cd $ORA_CONFIG_HOME/10.1.3
> ls -l *.env
-rw-r--r-- 1 appv1211 dba 3202 Dec 31 01:13 V1211_myserver.env
> . ./*.env

Check your work. The above "dot space dot slash star dot env" should have executed the single environment file in the $ORA_CONFIG_HOME/10.1.3 directory and reset several environment variables in the current shell. The ORACLE_HOME should now be the 10.1.3 ORACLE_HOME, and the available Oracle Wallet Manager (owm) executable should be from that same ORACLE_HOME.

For example:

> echo $ORACLE_HOME
/space/r1211/apps/tech_st/10.1.3
> which owm
/space/r1211/apps/tech_st/10.1.3/bin/owm

2. Create a Web Tier Wallet

The Oracle Wallet Manager (owm) is an X Windows application, so an X Windows display is required to use it. There are numerous X Windows clients available for the PC, the choice of which is left entirely to the user. Alternatively, UNIX/Linux machines are often set up with VNC or similar remote desktops if you choose not to run the wallet manager directly from the console. As another alternative, you can use the orapki command line interface, which needs no X Windows client. Both methods are covered here because the wallet manager offers a better illustration of concepts and the orapki tool offers an elegantly simple and direct means to an end. To some extent the implementation process can be a mixture of orapki and owm, but it is less confusing to pick one method for the entire wallet setup.

The orapki method for creating a wallet is simply:

> orapki wallet create -wallet $INST_TOP/certs/Apache -auto_login
Enter wallet password:

The required option -auto_login is enabled, and the wallet is created in the EBS preferred directory via the '-wallet' option. This directory is the default value specified within the AutoConfig parameters s_ssl_keystore and s_ssl_truststore. Also, in this example, the wallet password of choice for the newly created wallet is quietly specified at the command prompt, but could have just as easily been specified as "welcome1" using the "-pwd" option, such as "-pwd welcome1". We'll prompt for passwords from this point forward, as this is a more secure practice than leaving scripts with plaintext passwords lying around (a -pwd value is also visible to every user on the host via the process list while the command runs, and ends up in the shell history).

The equivalent step with the wallet manager is as follows:

2a. Set the UNIX DISPLAY variable as needed. This depends on your choice of X Windows clients.

2b. Navigate to $INST_TOP/certs/Apache. Back up any existing wallets that may be there. If you ran the above orapki example (you did not need to), you already have a new wallet preloaded with some trusted certificates that you could examine with the wallet manager:

> cd $INST_TOP/certs/Apache
> ls -l
-rw------- 1 appv1211 dba 7940 Aug 12 08:59 cwallet.sso
-rw------- 1 appv1211 dba 7912 Aug 12 08:59 ewallet.p12

2c. Start the wallet manager as a background process:

> owm &

The Oracle Wallet Manager should start and display its beginning pages:


2d. On the Oracle Wallet Manager menu, select Wallet and then New. Answer "No" to the question "Your default wallet directory does not exist. Do you want to create it?"

2e. In the "New Wallet" window that appears, enter the password you would like to use for the new wallet. The orapki example used "welcome1", but any password can be used (pick a strong one for anything beyond a sandbox). Choose the wallet type of Standard, then click OK. This will create the initial wallet and then ask about creating a certificate request.


2f. Conveniently, the wallet manager asks if you would like to create a certificate request at this time. You can say "Yes" at this point and skip to step three. If you select "No", you can still create a certificate request via the menu navigation "Operations" / "Add Certificate Request". We'll pause here to emphasize the importance of saving the wallet and highlight the workaround for a problem that occurs when saving the wallet for the first time.

At this point, you have created a wallet. You can choose Wallet / Save and select the $INST_TOP/certs/Apache directory as the place to save. The next important step is to check the "Auto Login" box and then save the wallet again. The reason for this double-step workaround is that if this is the first time you are creating a wallet and you did not create a default wallet directory, then attempting to save the wallet with "Auto Login" checked will result in the error "Saving SSO wallet failed in: (blank)". Saving the wallet without "Auto Login" checked gives the opportunity to specify a directory to save to, but "Auto Login" is a requirement.


Saving the wallet without "Auto Login" checked creates the file "ewallet.p12":

> ls -l
-rw------- 1 appv1211 dba 7917 Aug 12 09:48 ewallet.p12

Saving the wallet with "Auto Login" checked (after successfully saving it once without the check) creates the additional and necessary file "cwallet.sso":

> ls -l
-rw------- 1 appv1211 dba 7917 Aug 12 09:48 ewallet.p12
-rw------- 1 appv1211 dba 7945 Aug 12 09:49 cwallet.sso

The Auto Login feature allows the wallet to be read by the OS user that owns the wallet (typically applmgr) without requiring an explicit password entry. This is required for EBS. Because cwallet.sso can be opened without a password, keep the file permissions on the certs directory restricted to that OS user: anyone who can read the file effectively holds the web tier's private key. You will continue to need the wallet password for all of the upcoming steps that require modifications to the wallet.

3. Create a Certificate Request

With orapki, you can simply add a Certificate Request to the wallet created above using the following example, which we'll also/instead do via owm.

> orapki wallet add \
  -wallet . \
  -dn "CN=mymachine.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
  -keysize 2048 \
  -pwd welcome1

The -dn directive specifies the Distinguished Name, where:

CN = Common Name, which can be a server (including domain) or an individual. I've hidden my actual server name in this example.
OU = Organizational Unit
O = Organization
L = Locality or City
ST = State or Province (full name, do not abbreviate)
C = Country Code

The -keysize parameter specifies the bit length of the RSA private key (more on this later), and as before the -pwd directive specifies the wallet password.

The equivalent step with the wallet manager is as follows and assumes the wallet manager is running and still has the wallet open from the previous step.

Select "Operations", then "Add Certificate Request". This brings up a form similar to the parameter list described above for orapki.


Choose a key size of at least 2048 bits

The form for creating the certificate request shows a default key size of 1024 bits, but you should choose 2048 or higher. Starting January 1, 2014, the industry is requiring the use of a 2048-bit key length on SSL certificates. This is in compliance with US National Institute of Standards and Technology (NIST) Special Publication 800-131A. Per NIST, the use of 1024-bit RSA keys is no longer acceptable and 2048-bit keys should be implemented. According to NIST, 2048-bit keys should be acceptable until 2030. In October 2012, Microsoft was planning to release a new service update that blocks RSA keys under 1024 bits on all of its operating systems. For more information, see the Microsoft Security Advisory at http://technet.microsoft.com/en-us/security/advisory/2661254. Additionally, most certificate authorities are now rejecting Certificate Signing Requests for 1024-bit certificates.

Notice in the above picture that prior to completing the Create Certificate Request form the wallet shows a status of "Certificate: [Empty]". As soon as you press [OK] on that form, the status will change to "Certificate: [Requested]", as seen below, to indicate that the wallet now has a valid CSR:


4. Export the Certificate Request

Once the Certificate Request has been created, you will need to export it so you can submit the request to a Certifying Authority. Via orapki, you can enter the following command, being sure to substitute the parameter values with the parameter values used to create the Certificate Request.

> orapki wallet export \
  -wallet . \
  -dn "CN=mymachine.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
  -request server.csr \
  -pwd welcome1

Remember with this syntax that "-wallet ." refers to the wallet in the present working directory and that "server.csr" is the name of the file that will hold the contents of the certificate signing request and is somewhat arbitrary. If orapki was successful it will say nothing, but the "server.csr" file will be created.

The equivalent step with the wallet manager is as follows.

Click the mouse cursor to highlight where it says "Certificate: [Requested]", then from the menu choose "Operations" and then "Export Certificate Request". A dialog box will pop up requesting where to save the file and what to name it. The name is somewhat arbitrary, but it is common practice to name it after the server and with a ".csr" extension, as seen below. Note that the top line in this form is used for navigating to a path, whereas the bottom line is for specifying the file name.


If you successfully exported the certificate request, you will quietly notice the "Certificate request export successful" message at the bottom of the wallet manager screen. More importantly, the file as you named it will be in the directory you specified.

SAVE THE WALLET

At this point you can exit the wallet manager, but do not forget to save the wallet. There is no reasonable way to take an exported certificate signing request and force it back into a wallet. In the steps that follow you will submit the exported certificate signing request file to a signing authority, and that signing authority will reply with a user certificate to import. You will NOT be able to import this user certificate unless the wallet is in a state of "Certificate: [Requested]" with the identical certificate request that you submitted to the signing authority. If you create a new certificate signing request, even with identical field parameters, it will not be the same as any previously created CSR (a new key pair is generated each time) and therefore will not match the user certificate, and owm will refuse to import it.

If this is the second time you are saving the wallet, then this should go very smoothly via the Wallet / Save menu selection described in step 2. If you attempt to exit owm without saving, you are given just one, final chance. Click [Yes]. Clicking [X] will close the wallet without saving just as surely as clicking [No].

5. Submit the Certificate Request to a Certifying Authority

The certificate authorities available to sign your certificate request are too numerous to mention. The price ranges from free to very expensive, depending on the sophistication of the certificate and other factors. Each certificate vendor makes their own case on their website for why their certificate is the best. In this example, I've chosen the familiar Verisign trial certificate because it is both free (for a short period) and common.

As a quick note, if you have just an internal test instance, you could use orapki to add a self-signed certificate. Self-signing enables good SSL encryption, but offers essentially nothing to confirm the identity of the server. A certificate purchased from a vendor is analogous to a state-issued ID card, such as a driver's license. A self-signed certificate is analogous to an ID card you made yourself that may be trusted by your friends, but not likely by anyone else. I only mention this here as a side note for those that prefer to quickly create a certificate for free without involving a third party. If you run the below command, the wallet will immediately have a certificate in ready status and you can skip the steps on submitting the CSR and importing the third-party-supplied certificates.

To add a self-signed cert, run the following command, but change the DN list to your server's values. Skip this if you are continuing with the steps to obtain a certificate from a vendor.

> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -dn "CN=myserver.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
  -keysize 2048 \
  -self_signed \
  -validity 365 \
  -pwd welcome1

This self-signed example uses the same parameters explained previously, but also adds that the certificate is to be valid for one year (-validity 365). This gives much more time than the typical 14- or 30-day trial certificate period.
If you are NOT going with a self-signed certificate, then submit your certificate request to a signing authority. I've opted not to put screenshots in this section because the websites update their pages often and therefore screenshots become stale almost immediately. For the remainder of this guide, I'm using the Verisign Trial Certificate (aka Norton, aka Symantec), which is readily visible from their home page. The process for these typical websites starts with giving contact information and then a form where you can either upload the CSR as a file or paste it directly into a given field. When pasting, be sure to paste the entire contents of the file, including the Begin/End lines (for example):

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICwzCCAasCAQAwfjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMQ8wDQYDVQQHEwZE
ZW52ZXMub3JhY2xlLmNvbTCCASIwDQYJKoZIIxEDAOBgNVBAoTB1N1cHBvcnQxFjAUBgNVBAsTDU
GGRjb2xsMTIxeGUudXMub3JhY2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALunGNjzWoXteHJK6Xnddp2BHtjZxrvaRdj3L1YB9nokyCHJQykpqbOWehz/Ft1jzi7HkBat6BjO
34lBl33msse/gWMQ8bb0+tQgFEfBKJ5GxhKR/Fh5G6sezAWaKteesexANEkqh91nfQrbF7fDrgY+
ylLiUUVBH349PGA6PMqsxzjNc
AZB4kJHuYiqCEBggt9dj+18n1
KYEKuAqSUZ4NMJG0CrZwCcyeLwtD6S9apwicHU0CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQAk
TKZYvVzWSH7AMXzo/WcWuDUx6bxuln1ujGtEwYBD33DfNDBos0kjJZ17c3aZ/fnHhfJAusZ6aiQu
6CKECCcgLaksidnM5sviGsEwdWHmxX8A+15/QqvDTinv8j/q/kpLTxODnZxEaYi8IrWKPsMC3z/j
EB93DJLN3sa5KcF9Qf5sBwkSecvWIjqPIrbAFDz2L5Djsr+DxrjIXhYAJ8YKn0fu5lYUQNebqxey
OkOSdYrj4KHz8V64OGf2dseTjqLGCXOTuuXcdSJRKuHbvBYDcoW1V/3Ug2flGroqxASzkZgCA1I1
U8dA1gGl97CbFdVv6O9n//gkMvGvPi/Osv6/
-----END NEW CERTIFICATE REQUEST-----

(This is just an example to show what a CSR looks like, in general. This one is not entirely real.)
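Before pasting the CSR into the CA's form it is worth checking that the request really carries the key size chosen in step 3 and the Common Name you expect: a CA will reject a 1024-bit request, and a CN that does not match the web entry host name yields a certificate the browsers refuse. The following Python script is an added example and is not part of this note or of the orapki tool set. It reads the PKCS#10 structure with nothing beyond the standard library, checks the BEGIN/END markers, the subject DN and the RSA modulus length, and builds its own throw-away CSR (fake modulus, zero signature, labelled as such in the code) so that it runs offline. Point inspect_csr at the real server.csr exported in step 4 to check a request you are about to submit; it does not verify the request's signature.

```python
"""Sanity-check a PKCS#10 CSR (such as server.csr from 'orapki wallet export')
before submitting it to a CA. Added example, not part of the Oracle note."""
import base64
import re

MIN_RSA_BITS = 2048                                     # NIST SP 800-131A floor for RSA
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"       # 1.2.840.113549.1.1.1 rsaEncryption
DN_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
           b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)


# --- minimal DER reader: just enough to walk a CSR ---------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def pem_to_der(pem):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block; paste the BEGIN and END lines too")
    return base64.b64decode("".join(m.group(1).split()))


def inspect_csr(pem):
    """Return the subject DN (list of (type, value)) and the RSA key length in bits."""
    _, csr, _ = read_tlv(pem_to_der(pem))               # CertificationRequest
    _, info, _ = read_tlv(csr)                          # CertificationRequestInfo
    (_, _version), (_, subject), (_, spki) = children(info)[:3]
    dn = []
    for _, rdn in children(subject):                    # each RDN is a SET of type/value pairs
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            dn.append((DN_OIDS.get(oid, oid.hex()), value.decode()))
    (_, alg), (_, pubkey_bits) = children(spki)         # SubjectPublicKeyInfo
    if children(alg)[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    _, rsa_key, _ = read_tlv(pubkey_bits[1:])           # skip the BIT STRING pad byte
    (_, modulus), _ = children(rsa_key)                 # RSAPublicKey: modulus, exponent
    return {"subject": dn, "key_bits": int.from_bytes(modulus, "big").bit_length()}


def check_csr(pem, expected_cn, min_bits=MIN_RSA_BITS):
    """List of policy problems; an empty list means the CSR is fine to submit."""
    info = inspect_csr(pem)
    cn = dict(info["subject"]).get("CN")
    problems = []
    if cn != expected_cn:
        problems.append(f"CN is {cn!r}, expected {expected_cn!r}")
    if info["key_bits"] < min_bits:
        problems.append(f"RSA key is {info['key_bits']} bits, minimum is {min_bits}")
    return problems


# --- constructed sample: tiny DER writer used only to build an offline test CSR ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(n):                       # one spare byte keeps the DER sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_sample_csr(cn, key_bits):
    """Unsigned stand-in CSR (fake modulus, zero signature); NOT a real key."""
    def atv(oid, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0c, text.encode())))
    subject = tlv(0x30, b"".join(atv(o, t) for o, t in [
        (b"\x55\x04\x06", "US"), (b"\x55\x04\x08", "Colorado"),
        (b"\x55\x04\x07", "Denver"), (b"\x55\x04\x0a", "Support"),
        (b"\x55\x04\x0b", "ATG Specialty"), (b"\x55\x04\x03", cn)]))
    modulus = (1 << (key_bits - 1)) | 0x10001            # right length, not a real key
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + rsa_key))
    info = tlv(0x30, der_int(0) + subject + spki + tlv(0xa0, b""))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    csr = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * 33))
    return ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
            + base64.encodebytes(csr).decode()
            + "-----END NEW CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    good = make_sample_csr("myserver.us.oracle.com", 2048)
    print(inspect_csr(good), check_csr(good, "myserver.us.oracle.com"))
    print(check_csr(make_sample_csr("myserver.us.oracle.com", 1024), "myserver.us.oracle.com"))
```

The 2048-bit floor is the NIST SP 800-131A value quoted in step 3; lower MIN_RSA_BITS only for a throw-away test instance. For a real server.csr, read the file and pass its text to check_csr together with the host name of the web entry URL.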

After submitting the certificate request, your certificate vendor should respond with an SSL certificate via email fairly quickly. Trial certificates generally come almost immediately, but production certificates generally take longer. While self-signed certificates enable data encryption, they do nothing to assure users of the legitimacy of a given website. In contrast, production certificates (and trial certificates to a lesser extent) generally include a vetting process where the certificate authority must verify the identification and other aspects of the website owner and certificate requestor.

The email from the certificate authority should also explain that almost every certificate commonly issued today is chained through an intermediate CA, which requires both an intermediate and a root certificate to accompany your newly created server certificate. In the case of the Verisign Trial Certificate, there is a special "Test Root CA Certificate" and a "Trial SSL Intermediate Certificate" that are different from the production certificates. For the server certificate (aka "user certificate") to be imported, you must first import these lower certificates into the wallet as "trusted certificates". This is illustrated below with an orapki example and a graphical owm example.

6. Import your Certificate to the Wallet

Given the typical example of the Verisign Trial certificate, there are a total of three certificates that need to be imported into the wallet. The root and intermediate certificates will be imported into the wallet as trusted certificates, and the server certificate will be imported into the wallet as a user certificate. These certificates are downloaded according to the instructions in the certificate vendor email. Generally, the email provides the server certificate in the text of the email and then provides links to the vendor website where the root and intermediate certificates can either be downloaded as a file or copy/pasted off the web pages. Therefore, the file names for these certificates are entirely arbitrary, but should be named sensibly.

I used the following:

TrialRoot.cer
TrialIntermediate.cer
server.cer

To illustrate a point, here is an attempt to import the server certificate without the root and intermediate:

> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -user_cert \
  -cert server.cer \
  -pwd welcome1

orapki replies with:

Could not install user cert at server.cer.
Please add all trusted certificates before adding the user certificate

The following sequence does work (orapki replies with no message when all is well):

> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -trusted_cert \
  -cert TrialRoot.cer \
  -pwd welcome1
> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -trusted_cert \
  -cert TrialIntermediate.cer \
  -pwd welcome1
> orapki wallet add \
  -wallet $INST_TOP/certs/Apache \
  -user_cert \
  -cert server.cer \
  -pwd welcome1

You can verify the successful import of the certificates into the wallet by using the following. Note the lack of "Requested Certificates", the presence of the "User Certificate", and the additional "Trusted Certificates" (example reformatted for clarity):

> orapki wallet display -wallet $INST_TOP/certs/Apache
Requested Certificates:

User Certificates:
Subject: CN=myserver.us.oracle.com,
         OU=Terms of use at www.verisign.com/cps/testca (c)05,
         OU=ATG Specialty,
         O=Support,
         L=Denver,
         ST=Colorado,
         C=US
Trusted Certificates:
Subject: CN=VeriSign Trial Secure Server Root CA - G2,
         OU=For Test Purposes Only. No assurances.,
         O=VeriSign\, Inc.,
         C=US
Subject: CN=VeriSign Trial Secure Server CA - G2,
         OU=Terms of use at https://www.verisign.com/cps/testca (c)09,
         OU=For Test Purposes Only. No assurances.,
         O=VeriSign\, Inc.,
         C=US

The equivalent step with the wallet manager is as follows:

Start owm and open the wallet as before, then select "Operations", "Import User Certificate". If "Import User Certificate" is grayed out, that indicates that there is no certificate signing request in the wallet (a pending request is indicated by "Certificate: [Requested]"). If you are following these steps in order, this option should be available.


You will be given the option of either pasting the certificate or selecting a file that contains the certificate. If you wish to select a file that contains the certificate, note that the wallet manager dialog will look on the server where owm is running (not your local PC), so you must take the extra step of copying/ftping your certificate to the server. The "Import Certificate" selection box can be tricky. If you know the complete path and name of the certificate file, you can enter this on the bottom line under "Enter file name". If you need to browse for the file, you must use the top two lines and the Folders/Files selection boxes.

Similar to the orapki example, you can import the trusted certificates first, but the wallet manager is more forgiving than orapki. After selecting the server certificate for import as a user certificate, the following error is seen:

If you click [Yes], you can neatly import the first trusted certificate (TrialIntermediate.cer in this example) using the similar file selection dialog as above. The server certificate chains through an intermediate CA, so immediately you will see the prompt again to import the "CA certificate now", but notice in the background that the first CA certificate (TrialIntermediate.cer in this example) was imported:


At this point, click [Yes] once again and import the remaining certificate (TrialRoot.cer in this example). This results in "Certificate: [Ready]" and both of the CA certificates listed in the trusted certificates section.

As before, be certain to save the wallet with Auto Login enabled.


7. Copy the Apache Wallet to the OPMN Wallet

As applmgr:

> cp $INST_TOP/certs/Apache/*wallet* $INST_TOP/certs/opmn

8. AutoConfig

As a quick test, we'll implement SSL via AutoConfig and then continue with the rest of the setup afterwards, for reasons that will be made clear later. While the Oracle Applications Manager (OAM) context editor is the recommended method for updating the EBS configuration, the vast majority of customers simply edit the AutoConfig context file directly. It is always a good practice to make a backup copy of the context file before editing, because the XML syntax can be tricky and a single misplaced character can make the file entirely meaningless to the AutoConfig engine.

In this example, I'm taking the original web entry URL of http://myserver.us.oracle.com:8010 and changing it to https://myserver.us.oracle.com:4443. The changes are documented in Note: 376700.1 with the following matrix and detailed below:
Variable                  Non-SSL Value                                     SSL Value
s_url_protocol            http                                              https
s_local_url_protocol      http                                              https
s_webentryurlprotocol     http                                              https
s_active_webport          same as s_webport                                 same as s_webssl_port
s_webssl_port             not applicable                                    default is 4443
s_https_listen_parameter  not applicable                                    same as s_webssl_port
s_login_page              url constructed with http protocol and s_webport  url constructed with https protocol and s_webssl_port
s_external_url            url constructed with http protocol and s_webport  url constructed with https protocol and s_webssl_port
s_help_web_agent          url constructed with http protocol and s_webport  url constructed with https protocol and s_webssl_port

The original and edited context file ($CONTEXT_FILE) parameters, in detail, were:

ORIGINAL: <url_protocol oa_var="s_url_protocol">http</url_protocol>
CHANGED:  <url_protocol oa_var="s_url_protocol">https</url_protocol>
ORIGINAL: <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
CHANGED:  <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
ORIGINAL: <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
CHANGED:  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
ORIGINAL: <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8010</activewebport>
CHANGED:  <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">4443</activewebport>
ORIGINAL: <web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
CHANGED:  <web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
ORIGINAL: <httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
CHANGED:  <httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
ORIGINAL: <HELP_WEB_AGENT oa_var="s_help_web_agent"/>
CHANGED:  <HELP_WEB_AGENT oa_var="s_help_web_agent"/>
ORIGINAL: <login_page oa_var="s_login_page">http://myserver.us.oracle.com:8010/OA_HTML/AppsLogin</login_page>
CHANGED:  <login_page oa_var="s_login_page">https://myserver.us.oracle.com:4443/OA_HTML/AppsLogin</login_page>
ORIGINAL: <externURL oa_var="s_external_url">http://myserver.us.oracle.com:8010</externURL>
CHANGED:  <externURL oa_var="s_external_url">https://myserver.us.oracle.com:4443</externURL>

There are other noteworthy context entries that are NOT changed because the defaults are generally assumed. These assumed values are why the web tier wallet was created in the directory that it was:

<websrvwallet oa_var="s_websrv_wallet_file">/space/r1211/inst/apps/V1211_myserver/certs</websrvwallet>
<ssl_truststore oa_var="s_ssl_truststore">/space/r1211/inst/apps/V1211_myserver/certs/Apache/cwallet.sso</ssl_truststore>
<ssl_keystore oa_var="s_ssl_keystore">/space/r1211/inst/apps/V1211_myserver/certs/Apache/cwallet.sso</ssl_keystore>


The following is used when the reverse proxy is SSL but the underlying web tier is HTTP. The example for this document was without a reverse proxy and with the web tier as SSL, so the sslterminator entry must remain as '#':

<sslterminator oa_var="s_enable_sslterminator">#</sslterminator>

After these changes, stop the web tier services, run AutoConfig, and then start the web tier services once again. (apps/apps is the APPS database user and password; passing it on the command line exposes it in the process list and shell history, so change it from the default and clear the history afterwards on any shared host.)

For example:

> cd $ADMIN_SCRIPTS_HOME
> adstpall.sh apps/apps
> adautocfg.sh
> adstrtal.sh apps/apps
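The matrix above is normally applied by hand, and the warning about a single misplaced character is real. The following Python script is an added example and is not part of this note, of AutoConfig or of the OAM context editor. It backs up $CONTEXT_FILE, rewrites the eight non-empty variables from the matrix by their oa_var attribute while leaving every other byte of the file (including comments) untouched, keeps s_enable_sslterminator at '#' because the web tier terminates SSL itself, and refuses to write a result that no longer parses as XML. SAMPLE_CONTEXT is a constructed, heavily trimmed stand-in for a real context file (real ones hold hundreds of variables in a deeper element tree); the element and attribute names are the ones shown above, and the script name and the .pre_ssl backup suffix are this example's own.

```python
"""Switch an EBS R12 AutoConfig context file from HTTP to native HTTPS.
Added example, not part of the Oracle note or of AutoConfig itself."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

PROTOCOL_VARS = ("s_url_protocol", "s_local_url_protocol", "s_webentryurlprotocol")
PORT_VARS = ("s_webssl_port", "s_https_listen_parameter", "s_active_webport")
URL_VARS = ("s_login_page", "s_external_url")
TERMINATOR_VAR = "s_enable_sslterminator"

# Constructed, heavily trimmed stand-in for $CONTEXT_FILE (real files are far larger).
SAMPLE_CONTEXT = """<?xml version='1.0'?>
<!-- constructed sample context file -->
<oa_context>
   <oa_context_name oa_var="s_contextname">V1211_myserver</oa_context_name>
   <url_protocol oa_var="s_url_protocol">http</url_protocol>
   <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
   <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
   <activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8010</activewebport>
   <web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
   <httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
   <HELP_WEB_AGENT oa_var="s_help_web_agent"/>
   <login_page
     oa_var="s_login_page">http://myserver.us.oracle.com:8010/OA_HTML/AppsLogin</login_page>
   <externURL oa_var="s_external_url">http://myserver.us.oracle.com:8010</externURL>
   <sslterminator oa_var="s_enable_sslterminator">#</sslterminator>
</oa_context>
"""


def _var_re(name):
    # opening tag carrying oa_var="name", its text, and the matching closing tag
    return re.compile(r'(<(\w+)\s[^>]*?oa_var="%s"[^>]*>)(.*?)(</\2>)' % re.escape(name), re.S)


def get_var(context_xml, name):
    m = _var_re(name).search(context_xml)
    if not m:
        raise KeyError(f"context file has no element with oa_var={name}")
    return m.group(3).strip()


def set_var(context_xml, name, value):
    """Replace only the element text; comments and layout are left untouched."""
    new, n = _var_re(name).subn(lambda m: m.group(1) + value + m.group(4), context_xml, count=1)
    if n != 1:
        raise KeyError(f"context file has no element with oa_var={name}")
    return new


def enable_ssl(context_xml, ssl_port=None):
    """Return the context file text with the SSL matrix applied (web tier terminates SSL)."""
    port = str(ssl_port or get_var(context_xml, "s_webssl_port"))
    out = context_xml
    for name in PROTOCOL_VARS:
        out = set_var(out, name, "https")
    for name in PORT_VARS:
        out = set_var(out, name, port)
    for name in URL_VARS:                       # rebuild the URL with https and the SSL port
        u = urlsplit(get_var(out, name))
        out = set_var(out, name, urlunsplit(("https", f"{u.hostname}:{port}", u.path, u.query, u.fragment)))
    out = set_var(out, TERMINATOR_VAR, "#")     # no reverse proxy: stays commented out
    ET.fromstring(out)                          # a broken file raises ParseError here, before any write
    return out


def ssl_settings(context_xml):
    """Current values of every variable this script manages, for before/after checks."""
    names = PROTOCOL_VARS + PORT_VARS + URL_VARS + (TERMINATOR_VAR,)
    return {n: get_var(context_xml, n) for n in names}


def convert_context_file(path, ssl_port=None):
    """Back up the file, rewrite it in place, and return the backup path."""
    p = Path(path)
    original = p.read_text()
    backup = p.with_name(p.name + ".pre_ssl")
    backup.write_text(original)
    p.write_text(enable_ssl(original, ssl_port))
    return backup


if __name__ == "__main__":
    # usage: enable_ssl_context.py $CONTEXT_FILE [ssl_port]   (then run adautocfg.sh)
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else None
        print("backup written to", convert_context_file(sys.argv[1], port))
    else:
        for k, v in ssl_settings(enable_ssl(SAMPLE_CONTEXT)).items():
            print(f"{k:28} {v}")
```

Run it as applmgr with the web tier stopped, then adautocfg.sh as shown above. HELP_WEB_AGENT is left alone, as in the matrix, because it is empty in this example. For the SSL-offloader case (reverse proxy terminating SSL) this script is not the right tool: s_enable_sslterminator and the protocol variables take different values there, as described in Note: 376700.1.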

Client Configurations

Introduction

At this point, it will seem that the SSL setup is complete because most functionality will work. This is a common mistake that returns to haunt the instance later. I'm referring to this section as "client configurations" and start with the configuration of the client browser. The client browser is the most obvious case of a client connecting to the web entry URL. The less obvious client connections come from within the EBS instance.

It is very common for the various bits of functionality within EBS to make URL calls to the web entry URL. For example, the Java-based Workflow mailer on the concurrent manager tier may use the JDK (Java Development Kit) on the concurrent manager tier to make the HTTPS URL call to retrieve framework content for workflow emails via the web entry URL. With iRecruitment, URL calls may be generated from the web tier JDK and also from the database via the OWA_UTIL package. Therefore, it is just as necessary to populate the trusted certificate store of the JDKs and the database as it is to populate the trusted certificate store of the client browser. The JDK and database client configuration discussion follows the client browser configuration discussion.

On a related point, if you implement SSL with a paid-for certificate, the client browser is likely to already have the root and intermediate certificates that work with the server certificate just installed, and therefore the initial connection from the browser will simply work, whereas client connections from the JDK or the database will not. The trial certificate is a good example of what happens when a non-standard certificate is used and illustrates this point further.

Client Browser Configuration

On initial connection with the HTTPS web entry URL presenting a trial certificate, most browsers will immediately want to reject the connection because the connection is not trusted. As browser versions vary, the appearance of these screens will differ, but a recent Mozilla Firefox example and Internet Explorer example appear as follows.

For example, a typical screen from Mozilla Firefox:

Similarly, the equivalent Microsoft Internet Explorer example is:

Mozilla Firefox Security Exception
With the Mozilla Firefox example, you can simply click on "Confirm Security Exception" and choose to permanently store the exception.

Before accepting the exception, this is a good time to introduce the rather excellent certificate viewer available via the View button, which will be used later:

From the General tab, you can see that this is indeed the certificate that was just installed. From the Details tab, you can see the certificate chain is comprised of the "Verisign Trial Secure Server Root CA - G2", the "Verisign Trial Secure Server CA - G2", and the named server certificate. There is also the Export button, which can be used to create three files from each of the three certificates that are very similar to the three files that were installed earlier into the web tier wallet. This is very useful later because these files can be imported into the JDK and database trusted certificate stores.

Microsoft Internet Explorer Security Exception
With Internet Explorer, the concept is the same, but the navigation differs. In this case you DO want to "Continue to this website (not recommended)" since that is the only way to proceed to the login page. The URL line will be painted red and there will continue to be a warning as shown below. You can click on where it says "Certificate Error" to view the certificates, similar to the earlier illustration:

With the Internet Explorer certificate viewer, you can also see the chain of certificates and here (above screenshot) it is highlighted that the problem certificate is the root trial certificate. Other certificates from other vendors may vary, but the trial certificate from Verisign is a special one that is not included in most browser certificate stores. If you click on the offending certificate, you can view it and click the button to install the certificate via the certificate import wizard, following the defaults. The next time you visit the EBS login page for this instance (after restarting the browser), you will no longer see a certificate error because the certificates presented are now trusted.

It was important to illustrate the concept of importing trusted certificates twice because it illustrates the client concepts in the next section, where we'll be importing these same certificates into the JDK and the database wallet.

Retrieving the Public Facing SSL Certificates Using the Client Browser
Introduction
As described earlier in this document, there were three files returned from the certificate authority that were imported into the web tier's wallet:
TrialRoot.cer
TrialIntermediate.cer
server.cer
If you still have these files (the actual file names are arbitrary) then you can skip this step, but as alluded to earlier it is quite common to need these files for the JDK and the database wallet and not have them. This is especially common if the SSL is being handled by an SSL offloader such as a hardware load balancer controlled by a division of a large corporation different from the division that handles the EBS instance.
If you do not have these files, they are easily retrieved. When a browser (or any SSL client) connects to an SSL URL, the following general sequence of steps occurs:
1. The browser requests that the web server identify itself.
2. The server sends the browser a copy of its SSL certificate.
3. The browser checks whether it trusts the SSL certificate. If so, it sends a message to the server. (If not, the SSL connection fails.)
4. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
5. Encrypted data is shared between the browser and the server.
Step 2 is the reason you can use the browser to recover the three original files (more or fewer files if you are using some other certificate). Step 3 is the reason the certificates had to be accepted in the browser's trusted certificate store and why the JDK and database wallet will also need the certificates.

Retrieving the Certificates using Mozilla Firefox

Just after invoking the URL to connect to the SSL-enabled EBS instance, the Mozilla Firefox browser will indicate the acceptance of the SSL certificate presented by adding a padlock icon to the URL in the address bar (location bar). Clicking the mouse on that padlock will display the window with the button for [More Information...]. The screen following that displays the rather excellent certificate viewer illustrated earlier. From this certificate viewer, you can save each one of the three certificates by using the [Export] button.
Highlight each one of the three certificates, one by one, and export them as X509 PEM certificate format. Once again, the file names are arbitrary, but choose names that are meaningful.

Retrieving the Certificates using Internet Explorer

Just after invoking the URL to connect to the SSL-enabled EBS instance, the Internet Explorer browser will indicate the acceptance of the SSL certificate presented by adding a padlock icon to the URL in the address bar (location bar). Clicking the mouse on that padlock will display the window with the hyperlink to "View Certificates", which will then bring up the Internet Explorer version of the certificate viewer. This is substantially more cumbersome than the Mozilla Firefox certificate viewer.

Clicking on the [Copy to File] button will start the Certificate Export Wizard. Use this to save the server certificate in X509 Base64 format.

To retrieve the Intermediate and Root certificates, navigate back to the main certificate viewer window and click the "Certificate Path" tab. If you highlight the server certificate, the [View Certificate] button will gray out, and this is why the previous step was used to retrieve it. If you highlight the remaining Intermediate or Root certificate, the [View Certificate] button will be enabled. Clicking on the [View Certificate] button will open a new instance of the certificate viewer that is specific to the certificate you highlighted. As before, click the Details tab, click the [Copy to File] button, and navigate through the Certificate Export Wizard to export the certificate.

Repeat these steps for each certificate.
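The same chain can be recovered from a shell on the apps or db tier without a browser, which is handy when the certificates are terminated on a load balancer that another team controls. The script below is an added example and is not part of this note: it uses the openssl command-line client (assumed to be installed on the host you run it from) to fetch the chain the web entry URL presents and split it into one PEM file per certificate, in the order the server sent them (server certificate first, then the intermediate and, if sent, the root). HOST and PORT are placeholders for your web entry host and SSL port.

```shell
#!/bin/sh
# Added example (not from the Oracle note): retrieve the certificate chain a
# web entry URL presents and split it into one X509 PEM file per certificate,
# ready for keytool -import or orapki wallet add.
# Assumes the openssl CLI is installed; HOST and PORT are placeholders.

# fetch_chain HOST PORT -> prints every certificate the server sends, as PEM.
# </dev/null closes stdin so s_client exits right after the handshake;
# -servername sends SNI, which virtual-hosted web tiers need.
fetch_chain() {
    host="$1"; port="$2"
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -showcerts </dev/null 2>/dev/null
}

# split_chain OUTDIR < bundle.pem -> writes OUTDIR/cert-0.pem, cert-1.pem, ...
# and prints the number of certificates written. Anything outside the
# BEGIN/END CERTIFICATE markers (handshake chatter, depth= lines) is dropped.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" (n + 0) ".pem"; n++ }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    '
}

# describe_cert FILE -> subject, issuer and SHA1 fingerprint of one PEM file,
# the same three facts the browser certificate viewer shows.
describe_cert() {
    openssl x509 -noout -subject -issuer -fingerprint -sha1 -in "$1"
}

# Typical use (placeholders): fetch_chain ebs.example.com 4443 | split_chain ./mycerts
# then describe_cert ./mycerts/cert-*.pem to confirm which is root, intermediate
# and server before importing them.
```

If the count printed is one, the web tier (or offloader) is sending only the server certificate; the intermediate and root then have to come from the certificate authority, as the browser-export method above does. Having the chain in separate files, with their fingerprints noted, is what the JDK and database wallet imports later in this note need.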

Importing SSL Certificates into the JDK's Trusted Certificate Store
At this step, based on the initial section where the certificate files were created or the previous section where the certificate files were recreated, you will have three certificate files representing the server certificate, the intermediate certificate, and the root certificate. This is the typical certificate chain provided by the Verisign Trial certificate, which is used as the example in this document. Self-signed and internally signed certificates will have more or fewer certificates in the chain. Nevertheless, all certificates should be imported into the JDK. Regardless of the number of certificates, the concept of importing the certificates into the JDK is the same.
Continuing with the example of the Verisign Trial Certificate, there are/were three certificates which were FTP'd to the apps tier (application tier) server:
TrialRoot.cer
TrialIntermediate.cer
server.cer
Within EBS, the JDK is often called upon to act as an SSL client, similar to the way the browser acts as an SSL client when connecting to the EBS instance. The reason for this is that it is very common for Java-based product functionality to make URL calls to the same web entry point the client browser connected to. For the JDK to successfully make this SSL connection, it is similar to the client browser in that it must have a store of trusted certificates. The JDK is different from the browser in that it will not interact with the user to accept certificates. These certificates must be loaded into the JDK's trusted certificate store before the SSL connection is attempted. If the certificates are
not in place, the SSL connection will fail and that failure will not be readily apparent on the user interface.
The default certificate store for the JDK on each EBS applications tier is $AF_JRE_TOP/lib/security/cacerts and the default password for cacerts is "changeit". The key and certificate management utility for managing public/private key pairs and certificates is the keytool command ($AF_JRE_TOP/bin/keytool). To import each of the three certificates in this example, the keytool command is run three times:
For example:
keytool -import -alias TrialRoot \
    -file /home/applmgr/mycerts/TrialRoot.cer \
    -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
keytool -import -alias TrialIntermediate \
    -file /home/applmgr/mycerts/TrialIntermediate.cer \
    -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
keytool -import -alias Servername \
    -file /home/applmgr/mycerts/server.cer \
    -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts

Piece by piece, the keytool command string we're using means:
keytool        The certificate management utility for Java ($AF_JRE_TOP/bin/keytool).
-import        Import the specified certificate into the specified keystore ($AF_JRE_TOP/lib/security/cacerts for EBS).
-alias         In the case of EBS, this name is arbitrary, but must be different from any other alias entry in the keystore.
-file          The name of the certificate file (X509 Base64 PEM format) to import.
-trustcacerts  Import the certificate file as a trusted certificate, such as from a certificate authority.
-v             Verbose; show the user detailed output.
-keystore      The name of the keystore into which to import the trusted certificate.
The following example is for the TrialRoot certificate, but be sure to repeat this for all certificates in the chain (TrialRoot.cer, TrialIntermediate.cer, server.cer in this example). Additionally, you should repeat this process for each web tier JDK and each concurrent manager node JDK (in case the concurrent manager node is not on the same apps tier as the web node):

> ls -l
total 12
-rw-r--r-- 1 appv1211 dba 2009 Sep 23 06:40 server.cer
-rw-r--r-- 1 appv1211 dba 1964 Sep 23 06:41 TrialIntermediate.cer
-rw-r--r-- 1 appv1211 dba 1566 Sep 23 06:39 TrialRoot.cer
> which keytool
/space/r1211/apps/tech_st/10.1.3/appsutil/jdk/jre/bin/keytool
> ls -l $AF_JRE_TOP/lib/security/cacerts
-rw-r--r-- 1 appv1211 dba 64251 Jun 5 2011 /space/r1211/apps/tech_st/10.1.3/appsutil/jdk/jre/lib/security/cacerts
> keytool -import -alias TrialRoot \
    -file /home/applmgr/mycerts/TrialRoot.cer \
    -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
Enter keystore password: changeit
Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 168164a428ca12dfab12f19fb1b93554
Valid from: Tue Mar 31 18:00:00 MDT 2009 until: Sat Mar 31 17:59:59 MDT 2029
Certificate fingerprints:
    MD5:  E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
    SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
    Signature algorithm name: SHA1withRSA
    Version: 3
Extensions: ...
Trust this certificate? [no]: yes
Certificate was added to keystore
> ls -l $AF_JRE_TOP/lib/security/cacerts
-rw-r--r-- 1 appv1211 dba 65400 Oct 5 12:26 /space/r1211/apps/tech_st/10.1.3/appsutil/jdk/jre/lib/security/cacerts

Enter keystore password: "changeit", unless you did change it
If you are prompted to "Enter keystore password", the default password for an Oracle-installed JDK is "changeit". If that password does not work, it is reasonably simple to delete or move the existing keystore and create a new keystore with a password of your choosing:
> mv $AF_JRE_TOP/lib/security/cacerts $AF_JRE_TOP/lib/security/cacerts.old
Then, when you run any of the above keytool commands to import a certificate for the first time, a new cacerts will be created and you will be prompted for a password of your choice instead of being asked for just the current password:
Enter keystore password: whatever
Re-enter new password: whatever

Repeat the import for all certificates in the certificate chain and for each JDK.
The best way to be certain that the JDK has all of the certificates necessary to complete the SSL negotiation with your web entry URL is to simply separate what that URL presents into separate SSL certificates, as described above (Retrieving the Public Facing SSL Certificates Using the Client Browser), and then import each one into the JDK. It is rarely or never a problem to have too many certificates, but always a problem to have too few. Furthermore, in a typical EBS installation it is common to have more than one apps tier (applications tier). Each apps tier will have its own JDK and each JDK should have a complete set of trusted certificates.
You can review what is already in the keystore with the following command:
> keytool -list -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts
You can optionally add a grep to look for specific SHA1 certificate fingerprints, such as the VeriSign Trial Secure Server Root CA imported above, to confirm they are in the keystore:
> keytool -list -trustcacerts -v -keystore $AF_JRE_TOP/lib/security/cacerts | grep "SHA1:" | grep -E '51:51:B8:63:8A:4C:1F:15:54'
Enter keystore password: changeit
    SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36

For further information on the keytool utility, see:
http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
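The grep above checks one fingerprint by hand; with several apps tiers and a chain of three or more files it is easy to miss one, and a missing certificate only surfaces later as a silent SSL failure in the JDK. The script below is an added example (not part of this note) that automates the check: it computes the SHA1 fingerprint of each chain file with openssl and looks for it on the SHA1 lines of keytool -list -v, reporting any file that is absent from the keystore. It assumes openssl and keytool are on the PATH; the cacerts path, the keystore password and the certificate files are parameters.

```shell
#!/bin/sh
# Added example (not from the Oracle note): confirm that every certificate of
# the chain is present in a JDK cacerts file by SHA1 fingerprint.
# Assumes the openssl and keytool CLIs; paths and the password are inputs.

# pem_fingerprint FILE -> SHA1 fingerprint of a PEM certificate in the
# colon-separated upper-case form keytool -list -v prints (51:51:B8:...).
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# missing_fingerprints LISTING FP... -> prints each FP not found in LISTING,
# where LISTING is a file holding the output of "keytool -list -v".
# The match is anchored to the "SHA1:" lines (case-insensitive, literal) so
# that the same hex appearing in an MD5 line or a serial number cannot
# produce a false pass. Returns 0 when nothing is missing, 1 otherwise.
missing_fingerprints() {
    listing_file="$1"; shift
    rc=0
    for fp in "$@"; do
        if ! grep -E '^[[:space:]]*SHA1:' "$listing_file" | grep -qiF "$fp"; then
            echo "$fp"
            rc=1
        fi
    done
    return $rc
}

# check_jdk_store CACERTS PASSWORD CERT.pem... -> prints "MISSING file (fp)"
# for each chain file whose fingerprint is not in the keystore.
# Exit status: 0 all present, 1 at least one missing, 2 keytool failed.
check_jdk_store() {
    store="$1"; pw="$2"; shift 2
    listing=$(mktemp)
    if ! keytool -list -v -keystore "$store" -storepass "$pw" > "$listing" 2>/dev/null; then
        echo "keytool could not read $store (wrong password or path?)"
        rm -f "$listing"
        return 2
    fi
    rc=0
    for f in "$@"; do
        fp=$(pem_fingerprint "$f")
        if ! missing_fingerprints "$listing" "$fp" >/dev/null; then
            echo "MISSING $f ($fp)"
            rc=1
        fi
    done
    rm -f "$listing"
    return $rc
}

# Typical use on each apps tier (password is the cacerts password, "changeit"
# unless it was changed):
#   check_jdk_store "$AF_JRE_TOP/lib/security/cacerts" changeit \
#       /home/applmgr/mycerts/TrialRoot.cer \
#       /home/applmgr/mycerts/TrialIntermediate.cer \
#       /home/applmgr/mycerts/server.cer
```

Run it once per JDK (each web tier and each concurrent manager node) after the imports; a non-zero exit status from check_jdk_store is the condition to fix before testing Workflow mailer or iRecruitment functionality that depends on the JDK reaching the web entry URL.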

Creating a Database Wallet and Importing Trusted SSL Certificates
For reasons similar to the above JDK explanation, the database is often called upon to act as an SSL client, similar to the way the browser acts as an SSL client when connecting to the EBS instance. The most common method is to have the product code make use of the OWA_UTIL package and make a URL call from PL/SQL. If this URL starts with https, then the database will have to negotiate the SSL connection just like any SSL client browser and will therefore need a set of trusted certificates in a private store. For the database, the private store of trusted certificates is the database wallet. By default, this wallet does not exist at all, so there is no pre-existing set of common certificates available by default. Instead, a database wallet must be created and then loaded with the specific certificates that are to be trusted. Similar to the case with the JDK, the complete chain of certificates presented by the URL being called should be imported into the database wallet, and these are the very same certificates that can be obtained using the method described above under the heading "Retrieving the Public Facing SSL Certificates Using the Client Browser".
For EBS, the expected location for the database wallet is described by the profile option "Database Wallet Directory" (FND_DB_WALLET_DIR), which is enabled only at the site level. This singular location is typically the database tier's $ORACLE_HOME/appsutil/wallet directory.
For example, from sqlplus:
select fnd_profile.value('FND_DB_WALLET_DIR') from dual;
FND_PROFILE.VALUE('FND_DB_WALLET_DIR')

/space/r1211/db/tech_st/11.1.0/appsutil/wallet

Continuing with the example of the Verisign Trial Certificate, there are/were three certificates which were FTP'd to the db tier (database tier) server, which are needed in the common case where the database makes a URL call to the EBS web entry point:
TrialRoot.cer
TrialIntermediate.cer
server.cer
1. Log in to the database as the Oracle user and source the appropriate EBS environment. This is typically the only env file in the database ORACLE_HOME directory and sets the $ORACLE_HOME and the PATH to the database wallet
manager (owm).
For example:
orav1211:dc12a:/space/r1211/db/tech_st/11.1.0> ls *.env
V1211_dc12a.env
orav1211:dc12a:/space/r1211/db/tech_st/11.1.0> . ./V1211_dc12a.env
> which owm
/space/r1211/db/tech_st/11.1.0/bin/owm
> which orapki
/space/r1211/db/tech_st/11.1.0/bin/orapki

2. Confirm the value for the profile option "Database Wallet Directory" as above. If the wallet directory does not exist, create it:
> mkdir $ORACLE_HOME/appsutil/wallet

3. If you do not already have a wallet, the fastest way to complete this task is via the orapki utility illustrated in great detail earlier.
Create your new wallet:
orapki wallet create \
    -wallet $ORACLE_HOME/appsutil/wallet \
    -auto_login \
    -pwd welcome1

Import the certificates into the new wallet as trusted:
orapki wallet add \
    -wallet $ORACLE_HOME/appsutil/wallet \
    -trusted_cert \
    -cert TrialRoot.cer \
    -pwd welcome1
orapki wallet add \
    -wallet $ORACLE_HOME/appsutil/wallet \
    -trusted_cert \
    -cert TrialIntermediate.cer \
    -pwd welcome1
orapki wallet add \
    -wallet $ORACLE_HOME/appsutil/wallet \
    -trusted_cert \
    -cert server.cer \
    -pwd welcome1

There are two quick ways to now test the wallet, borrowed from Note 416619.1. The first is the very direct method with manually entered parameters based on the values for this instance:
The parameter list for utl_http.request is:
URL: Web entry URL, typically the value for the profile option "Applications Framework Agent". Additionally, I've added a resume template file as something interesting to retrieve.
Proxy: Proxy profile options; you may or may not have or need a forward proxy.
Wallet Path: "Database Wallet Directory" profile option value.
Wallet Password: This is the wallet password, such as the one chosen when the wallet was created.
For example:

select utl_http.request
(
    'https://serverxxx.us.oracle.com:4443/OA_HTML/IRCRESUMEUK1.xsl',
    null,
    'file:/space/r1211/db/tech_st/11.1.0/appsutil/wallet',
    'welcome1'
)
from dual;

Another example is to automatically retrieve the values for the profile options, including the proxies. The URL is taken directly as the site-level value for "Applications Framework Agent"; the proxy is a computed value based on the values of the profile options "Applications Server-Side Proxy Host And Domain", "Applications Proxy Port", and "Applications Proxy Bypass Domains", which identify the forward proxy that is likely the same as the one defined in the client browser located on the same network. The wallet path is computed based upon the "Database Wallet Directory" described earlier. The wallet password is computed here using an internal procedure. Within EBS, the wallet password is set using the script $FND_TOP/patch/115/sql/txkSetWalletPass.sql. If you find that the hard-coded utl_http call works, but the version from EBS code does not, txkSetWalletPass.sql is likely the answer. The script is short and self-explanatory:
select UTL_HTTP.REQUEST
(
    url             => fnd_profile.value('APPS_FRAMEWORK_AGENT') || '/OA_HTML/IRCRESUMEUK1.xsl',
    proxy           => hr_util_web.proxyForURL(fnd_profile.value('APPS_FRAMEWORK_AGENT')),
    wallet_path     => 'file:' || fnd_profile.value('FND_DB_WALLET_DIR'),
    wallet_password => fnd_preference.eget('#INTERNAL', 'WF_WEBSERVICES', 'EWALLETPWD', 'WFWS_PWD')
)
from dual;

SUMMARY
This paper covered the implementation of SSL using a single EBS web tier, using the Verisign Trial Certificate as an example. This is version 1.0 of this paper. In upcoming releases, the author intends to cover topics such as expired certificate renewal/replacement and common SSL setup tests. Customer comments and suggestions are certainly welcome.
