SSL Implementation in R12

Middle Tier Setup

The default location for the wallet in Oracle E-Business Suite Release 12 is $INST_TOP/certs/Apache. This directory contains a wallet with demo certificates. If you wish to use these certificates for testing, start with Step 8 below to configure SSL, and then do Steps 1 through 7 when you are ready to switch to real certificates.

The main steps for setting up SSL on the Middle Tier are:

1. Set Your Environment.

2. Create a wallet.

3. Create a Certificate Request.

4. Submit the Certificate Request to a Certifying Authority.

5. Import your Server Certificate to the Wallet.

6. Copy the Apache Wallet to the OPMN Wallet.

7. Update the JDK Cacerts File.

8. Update the Context File.

9. Run Autoconfig.

Step 1 - Set Your Environment

1. Logon to the application middle tier as the OS user who owns the middle tier files.

2. Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.

3. Navigate to the $INST_TOP/ora/10.1.3 directory and source the <sid_machine>.env file located there to set your 10.1.3 ORACLE_HOME variables.

Note: When working with wallets and certificates you must use the 10.1.3 executables.

Step 2 - Create a wallet

1. Navigate to the $INST_TOP/certs/Apache directory.

2. Move the existing wallet files to a backup directory in case you wish to use them again in the future.

3. Open the Wallet manager as a background process:

owm &

4. On the Oracle Wallet Manager Menu navigate to Wallet -> New.

Answer NO to: “Your default wallet directory doesn't exist. Do you wish to create it now?”

The new wallet screen will now prompt you to enter a password for your wallet.

Click YES when prompted:

“A new empty wallet has been created. Do you wish to create a certificate request at this time?”

Step 3 - Create a Certificate Request

Create Certificate Request Screen will pop up:

Fill in the appropriate values where:

Common Name: is the name of your server including the domain (hostname.domainname).

Organizational Unit: (optional) The unit within your organization.

Organization: is the name of your organization.

Locality/City: is your locality or city.

State/Province: is the full name of your State or Province - do not abbreviate.

Select your Country from the drop down list.

Click OK.

Step 4 - Submit the Certificate Request to a Certifying Authority

You will need to export the Certificate Request before you can submit it to a Certifying Authority.

1. Click on Certificate [Requested] to Highlight it.

2. From the menu click Operations -> Export Certificate Request

3. Save the file as server.csr

4. From the menu click Wallet and then click Save.

5. On the Select Directory screen change the Directory to your fully qualified wallet directory.

6. Click OK.

7. From the menu click Wallet and check the Auto Login box.

Be sure to make this password something you will remember. You will need to use the password whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the Command Line Interface. With auto login enabled, processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet.

8. Exit the Wallet Manager.

The wallet directory will now contain the following files:

· cwallet.sso

· ewallet.p12

· server.csr

You may now submit server.csr to your Certifying Authority to request a Server Certificate.
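The same result as Steps 2 through 4 (new auto-login wallet, key pair and certificate request, exported as server.csr) can be reached without a display by using orapki, the wallet command-line tool from the 10.1.3 ORACLE_HOME that the guide refers to as the Command Line Interface. The script below is an added example and is not part of the original guide or of Oracle's own tooling; the function names, the WALLET_DIR and WALLET_PWD variables and the sample DN field values are assumptions. Run it after sourcing the 10.1.3 environment as described in Step 1.

```shell
#!/bin/sh
# Added example, not from the original guide: command-line equivalent of
# Steps 2-4 using orapki. Assumes the 10.1.3 environment is sourced so that
# orapki is on the PATH. WALLET_DIR and WALLET_PWD are assumed variables.

# Build the subject DN from the Step 3 fields. The organizational unit is
# optional in the guide, so it is omitted when empty. Values are used as-is;
# escape any comma inside a field before calling.
build_dn() {
    host=$1; ou=$2; org=$3; city=$4; state=$5; country=$6
    dn="CN=$host"
    [ -n "$ou" ] && dn="$dn,OU=$ou"
    dn="$dn,O=$org,L=$city,ST=$state,C=$country"
    printf '%s\n' "$dn"
}

# Create the wallet with auto-login (Step 2), add a 2048-bit key pair under
# the DN (Step 3) and export the request as server.csr (Step 4). orapki only
# accepts the password on the command line, so run this interactively, not
# from a script kept under source control, and clear the shell history.
create_wallet_and_csr() {
    dir=$1; dn=$2; pw=$3
    orapki wallet create -wallet "$dir" -pwd "$pw" -auto_login
    orapki wallet add -wallet "$dir" -pwd "$pw" -dn "$dn" -keysize 2048
    orapki wallet export -wallet "$dir" -pwd "$pw" -dn "$dn" -request "$dir/server.csr"
    # Show what the wallet now holds: one requested certificate plus the
    # default trusted CA certificates.
    orapki wallet display -wallet "$dir" -pwd "$pw"
}

# Constructed sample values; replace with your own host and organization.
DN=$(build_dn "ebs.example.com" "IT" "Example Corp" "Springfield" "Illinois" "US")
echo "Subject DN: $DN"
if command -v orapki >/dev/null 2>&1; then
    create_wallet_and_csr "${WALLET_DIR:?set WALLET_DIR to the wallet directory}" \
        "$DN" "${WALLET_PWD:?set WALLET_PWD to the wallet password}"
else
    echo "orapki not found: source the 10.1.3 environment (Step 1) first"
fi
```

After this runs, the wallet directory holds cwallet.sso, ewallet.p12 and server.csr, the same three files the guide lists after Step 4, and the CSR can be submitted to the Certifying Authority as described.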

For testing purposes you can obtain a trial certificate from http://www.symantec.com/ssl-certificates?inid=vrsn_symc_ssl_index

Select any one from the list and upload the contents of server.csr.

VeriSign will send an e-mail containing the certificate in PEM form, for example:

-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----

Step 5 - Import your Server Certificate to the Wallet.

After you receive your Server Certificate from your Certifying Authority you will need to import it into your wallet. Copy the certificate to server.crt in the wallet directory on your server by one of the following methods:

1. ftp the certificate (in binary mode)

2. copy and paste the contents into server.crt

Follow these steps to import server.crt into your wallet:

1. Open the Wallet Manager as a background process:

owm &

2. From the menu click Wallet then Open.

3. Answer Yes when prompted:

Your default wallet directory does not exist.

Do you want to continue?

4. On the Select Directory screen change the Directory to your fully qualified wallet directory and click OK

5. Enter your wallet password and click OK.

6. If your Certifying Authority provided an intermediate certificate (to complete the chain), save the provided file as intca.crt. It must be imported into Oracle Wallet Manager before server.crt.

On the Oracle Wallet Manager Menu navigate to Operations -> Import Trusted Certificate to import the ca.crt and intca.crt certificates.

7. Click OK.

8. On the Oracle Wallet Manager Menu navigate to Operations -> Import User Certificate to import the server certificate. Double click on server.crt to import it.

Server certificates are a type of user certificate. Since the Certifying Authority issued a certificate for the server, placing its distinguished name (DN) in the Subject field, the server is the certificate owner, thus the "user" for this user certificate.

9. Save the wallet:

On the Oracle Wallet Manager Menu click Wallet.

Verify the Auto Login box is checked.

Click Save

Note: If the trusted certificates that make up the chain of server.crt are not all present in the wallet, adding the certificate will fail. When the wallet was created, the certificates for the most common CAs such as Verisign, GTE, and Entrust were included automatically. Contact your certifying authority if you need to add their certificate, and save the provided file as ca.crt in the wallet directory. Another option is to follow the instructions in Section 7 to create ca.crt from your server certificate (server.crt).

If you need to import the CA Certificate you'll also need to add the contents of ca.crt file to b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

$ cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

If you were also provided an Intermediate Certificate (intca.crt) then you will also need to add that to the b64InternetCertificate.txt:

$ cat intca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

Step 6 - Modify the OPMN wallet.

The E-Business Suite Rapid Install process creates a default "demo" opmn wallet in the $INST_TOP/certs/opmn directory that can be used in test instances for basic SSL testing. Now that the Apache wallet has been created you will need to use these same certificates for opmn. Use the following steps to backup and copy the wallets:

1. Navigate to the $INST_TOP/certs/opmn directory.

2. Create a new directory named BAK

3. Move the ewallet.p12 and cwallet.sso files to the BAK directory just created.

4. Copy the ewallet.p12 and cwallet.sso files from the $INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.

Step 7 - Update the JDK Cacerts File.

Oracle Web Services requires the certificate of the Certifying Authority who issued your server certificate (ca.crt from the previous step) to be present in the JDK cacerts file. In addition, some features of XML Publisher and BI Publisher require the server certificate (server.crt from the previous step) to be present. Follow these steps to be sure these requirements are met:

1. Navigate to the $OA_JRE_TOP/lib/security directory

2. Backup the existing cacerts file.

3. Copy your ca.crt and server.crt files to this directory and issue the following command to ensure that cacerts has write permissions:

$ chmod u+w cacerts

4. Add your Apache ca.crt and server.crt to cacerts:

$ keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts

$ keytool -import -alias ApacheServer -file server.crt -trustcacerts -v -keystore cacerts

If you were also provided an Intermediate Certificate (intca.crt) then you will also need to add that to the cacerts before adding the server.crt:

$ keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts

$ keytool -import -alias ApacheIntCA -file intca.crt -trustcacerts -v -keystore cacerts

$ keytool -import -alias ApacheServer -file server.crt -trustcacerts -v -keystore cacerts

When prompted enter the keystore password (default password is "changeit").
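Both the `cat >>` appends in Step 5 and the keytool imports in Step 7 are easy to get wrong when the procedure is repeated: the b64InternetCertificate.txt file ends up with duplicate entries, a certificate transferred in ASCII mode carries CR characters that make the import fail, and keytool refuses an alias that already exists. The helpers below are an added example, not part of the original guide or of Oracle's tooling; they sanity-check a PEM file, append a certificate to the b64 file only once, optionally pre-check the chain with openssl (which the Step 5 note says the wallet import needs complete), and import root, intermediate and server into cacerts in the order Step 7 prescribes while skipping aliases already present. Function names, the temporary files used by `demo` and the KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: re-runnable helpers for the
# certificate-file steps in Step 5 (b64InternetCertificate.txt) and Step 7
# (JDK cacerts). Every path used by demo() is a constructed temporary
# location, not an E-Business Suite directory.

# Number of PEM certificate blocks in a file (0 if missing). grep -c exits 1
# on a zero count, so "|| true" keeps the count printable under set -e.
pem_cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Sanity-check a PEM file before importing it anywhere: non-empty, at least
# one certificate, BEGIN/END markers balanced, and no CR characters (a file
# sent by ftp in ASCII mode from Windows is the usual reason imports fail).
pem_is_sane() {
    f=$1
    [ -s "$f" ] || return 1
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    cr=$(printf '\r')
    [ "$b" -ge 1 ] && [ "$b" -eq "$e" ] && ! grep -q "$cr" "$f"
}

# Append a certificate to a b64InternetCertificate.txt-style file only if its
# last base64 line (part of the signature, unique per certificate) is not
# already there. Returns 0 = appended, 2 = already present, 1 = bad PEM.
append_cert_once() {
    cert=$1; target=$2
    pem_is_sane "$cert" || return 1
    tail_line=$(grep -v -e '-----' -e '^[[:space:]]*$' "$cert" | tail -n 1)
    if [ -f "$target" ] && grep -qxF -- "$tail_line" "$target"; then
        return 2
    fi
    cat "$cert" >> "$target"
}

# Check that server.crt chains to ca.crt (through intca.crt when given)
# before attempting the wallet import. Returns 3 when openssl is absent so
# callers can skip the check rather than misread it as a failure.
chain_verifies() {
    ca=$1; server=$2; inter=${3:-}
    command -v openssl >/dev/null 2>&1 || return 3
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$ca" -untrusted "$inter" "$server" >/dev/null
    else
        openssl verify -CAfile "$ca" "$server" >/dev/null
    fi
}

# Import alias/file pairs into the JDK cacerts in the order given (root,
# optional intermediate, then server, as in Step 7), skipping aliases that
# are already in the keystore. The default password "changeit" is the one
# the guide mentions; override it with KEYSTORE_PASS.
keytool_import_chain() {
    ks=$1; pw=${KEYSTORE_PASS:-changeit}; shift
    while [ $# -ge 2 ]; do
        alias=$1; file=$2; shift 2
        if keytool -list -keystore "$ks" -storepass "$pw" -alias "$alias" >/dev/null 2>&1; then
            echo "alias $alias already in $ks, skipping"
            continue
        fi
        keytool -import -alias "$alias" -file "$file" -trustcacerts -noprompt \
            -keystore "$ks" -storepass "$pw"
    done
}

# Stand-alone demonstration on a constructed, PEM-shaped stand-in for ca.crt
# (not a real certificate) in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBsampleCAbodyLineOne' 'MIIBsampleCAbodyLineTwo' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    append_cert_once "$d/ca.crt" "$d/b64InternetCertificate.txt"
    append_cert_once "$d/ca.crt" "$d/b64InternetCertificate.txt" \
        || echo "second append skipped (rc $?)"
    echo "certificates in b64 file: $(pem_cert_count "$d/b64InternetCertificate.txt")"
    rm -rf "$d"
}
demo
```

On a real middle tier the calls would be `append_cert_once ca.crt "$ORACLE_HOME/sysman/config/b64InternetCertificate.txt"` from the 10.1.2 environment, `chain_verifies ca.crt server.crt intca.crt` before the owm import, and `keytool_import_chain "$OA_JRE_TOP/lib/security/cacerts" ApacheRootCA ca.crt ApacheIntCA intca.crt ApacheServer server.crt` after the backup in Step 7.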

Step 8 - Update the Context File.

Use the E-Business Suite - Oracle Applications Manager (OAM) Context Editor to change the SSL related variables as shown in this table:

Step 9 - Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory.