This page (revision-24) was last changed on 26-Nov-2021 10:22 by kparrott

This page was created on 26-Nov-2021 10:22 by Administrator

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note
24 26-Nov-2021 10:22 9 KB kparrott to previous
23 26-Nov-2021 10:22 9 KB JMyers to previous | to last
22 26-Nov-2021 10:22 9 KB JMyers to previous | to last
21 26-Nov-2021 10:22 9 KB JMyers to previous | to last

Page References

Incoming links Outgoing links

Version management

Difference between version and

At line 1 changed one line
[{TableOfContents }]
!!!Configuring Oracle HTTP Server to Support SSL
At line 3 changed 4 lines
!!!Configuring Professional and Self-Service to Support SSL
!!Implementing and Configuring SSL\\
----
!!Implementing and Configuring SSL
At line 13 changed 7 lines
#From the start menu select: {{__''All Programs >Oracle-Home >Integrated Management Tool >Wallet Manager''__}}\\ \\
#In Oracle Wallet Manager select: ''__Wallet >New __''\\ \\
#You will be prompted with a dialog box informing you that your default wallet directory does not exist and asked if you wish to create it. Answer, ‘Yes’.\\ \\
#Enter a password for the new wallet and re-enter it again to confirm. Leave the wallet type to ‘Standard’ (default).\\ \\
#After entering the password, you will be prompted with a dialog box indicating that a new wallet has been created and asked if you wish to create a certificate request at this time. Answer, ‘Yes’.\\ \\You will need to generate a certificate request to send to a certificate authority such as VeriSign, RSA, Entrust, etc. The below information will need to be filled out.\\ \\*__Common Name:__ ''<fully qualified server name> ''\\*__Organization Unit:__ ''<department name or region>''\\*__Organization:__ ''<name of company>''\\*__Locality/City:__ ''<self explanatory>''\\*__State/Province:__ ''<self explanatory>''\\*__Country:__ ''<self explanatory>''\\*__Key Size:__ ''1024bits (user define)''\\ \\%%information:Typically, Certificate Authorities (CA) use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys. (The higher the value the more secure.)%%\\ \\Once you have entered the required information, click __OK__. You will receive a message informing you that the certificate request has been created; submit that request to a CA.\\ \\
#Click __OK__. You will notice in the Wallet panel on the left of your screen there is a __''Certificate: ~[Requested]''__ icon.\\ \\At this stage you are ready to send your request to a certificate authority for them to issue you a valid certificate.\\ \\
#Save your current settings in the Oracle Wallet Manager. Select:\\__''>Wallet >Save as ''__''Oracle-Home\Apache\Apache\conf\ssl.wlt\default''
1. From the start menu select: {{__''All Programs >Oracle-Home >Integrated Management Tool >Wallet Manager''__}}
At line 12 added 30 lines
2. In Oracle Wallet Manager select: ''__Wallet >New ''__
3. You will be prompted with a dialog box informing you that your default wallet directory does not exist and asked if you wish to create it. Answer, ‘Yes’.
4. Enter a password for the new wallet and re-enter it again to confirm. Leave the wallet type to ‘Standard’ (default).
5. After entering the password, you will be prompted with a dialog box indicating that a new wallet has been created and asked if you wish to create a certificate request at this time. Answer, ‘Yes’.
You will need to generate a certificate request to send to a certificate authority such as VeriSign, RSA, Entrust, etc. The below information will need to be filled out.
*__Common Name: ''__<fully qualified server name> ''
*__Organization Unit:__ ''<department name or region>''
*__Organization:__ ''<name of company>''
*__Locality/City:__ ''<self explanatory>''
*__State/Province: ''__<self explanatory>''
*__Country: ''__<self explanatory>''
*__Key Size: ''__1024bits (user define)''
__Note:__ Typically, Certificate Authorities (CA) use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys. (The higher the value the more secure.)
Once you have entered the required information, click __OK__. You will receive a message informing you that the certificate request has been created; submit that request to a CA.
6. Click __OK__. You will notice in the Wallet panel on the left of your screen there is a ''__Certificate: ~[Requested]''__ icon.
At this stage you are ready to send your request to a certificate authority for them to issue you a valid certificate.
7. Save your current settings in the Oracle Wallet Manager. Select:
__''>Wallet >Save as ''__
''Oracle-Home\Apache\Apache\conf\ssl.wlt\default''
At line 29 changed 52 lines
#Copy the contents of the certificate; starting at: ''__----Begin Certificate Request---__'' and ending at ''__---End Certificate Request---__''\\%%information -----BEGIN NEW CERTIFICATE REQUEST-----MIIByzCCATQCAQAwgYoxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdNYXJraGFtMRcwFQY\\DVQQKEw5IaWdoIExpbmUgQ29ycDEbMBkGA1UECxMSVGVjaG5pY2FsIFNlcnZpY2VzMSEwHwYDVQQDExh0ZWNocm5kLm\\hpZ2hsaW5lY29ycC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO4R0gKtW2/XH/+/cQv6KGKCe4Lzm6xIx\\RK4dko38YZWk7kDEDxRasvBmYbdb+v-----END NEW CERTIFICATE REQUEST-----%%
#Paste the content into the Oracle Wallet Manager by right clicking the ''__Certificate:~[Requested]__'' icon.\\ \\
#Select ''__Import User Certificate __''\\ \\
#Paste the certificate into the Import Certificate box and click ''__OK__''\\Once the certificate as been imported successfully, the ''__Certificate:~[Requested]__'' icon will change to ''__Certificate:~[Ready]. __''\\ \\
#From the menu select: ''__Wallet__'' > ''__AutoLogin__''\\ \\
#Place a check mark in this field.\\ \\
#From the menu select: ''__Wallet__'' > ''__Save As__''\\ \\
#Browse to: ''Oracle-Home\Apache\Apache\conf\ssl.wlt\default''\\ \\At this point Oracle wallet will inform you that a wallet already exists in this location and will ask if you wish to overwrite. The above location overrides the default certificate that is deployed when your installed the application server – you do not have to store your certificate in this location.\\ \\
#Close Oracle wallet\\
----
!Step 2: Import Above Certificate into Java Keystore
#For those customers who want to implement SSL using a self-sign certificate or an in-house certificate, you MUST import the root certificate of the CA first before importing the user certificate. The below steps will import the root certificate and the user certificate into the Java keystore.\\The default keystore is stored in the following location: ''ORACLE-HOME\jdk\jre\lib\security\cacerts''\\%%information __Note__ The default password is __changeit’__. We strongly recommend changing it once your configuration is complete.%%\\
#To simplify the configuration, I recommend saving the root and user certificate in a file with a cer extension. For example root.cer\\ \\
#From the command prompt navigate to the following directory: ''ORACLE-HOME\jdk\jre\lib\security\'' and issue the following command:\\ \\''__Keytool –import –alias rootca –keystore cacerts –trustcacerts –file rootca.cer keypass changeit__''\\ \\
__Note:__\\*alias rootca, uniquately identifies the key,\\*keystore cacerts, is the name of the default keystore\\*trustcacerts, allow us to match the root and use certificates\\*file is the name of the certificate your are importing\\*keypass is the password for the change keystore\\ \\
#Hit enter and follow the prompt\\ \\
#Once you have imported the rootca, the final step is to import the user certificate. Enter the following commands from the command prompt:\\''__Keytool –import –alias Personality –keystore cacerts –trustcacerts –file Personality.cer keypass changeit__''\\ \\
#Hit enter and follow the prompt and exit the command prompt.\\ \\
----
!Step 3: Assign Static RMIS Port
#Open the OPMN.XML file using notepad or Wordpad. The configuration file is located at: ''Oracle-Home\opmn\conf''\\ \\
#Assign a static RMIS port to your OC4J instance as follows: \\ \\<ias-component id="OC4J"> \\
<process-type id="home" module-id="OC4J"> \\
<port id="default-web-site" range="12501-12600" protocol="ajp" /> \\
<port id="rmi" range="12401-12500" /> \\
<port id="rmis" range="12702" /> \\
<port id="jms" range="12601-12700" /> \\
<process-set id="default_group" numprocs="1"/> \\
</process-type> \\</ias-component>\\%%information __Note__ The RMIS port range is 12701-12800. When choosing a port, ensure that the port is free.%%
#Save and close the file\\ \\
#From the command line navigate to the following director: ''ORACLE-HOME\opmn\bin''\\ \\
#Reload the opmn.xml file by entering the following command: ''__opmnctl reload__''\\ \\
#Restart the OC4J instance by entering the following command: ''__opmnctl restartproc process-type=OC4J__''\\%%information __Note__ OC4J refers to the name of the OC4J instance you want to restart.%%
\\ \\
----
!Step 4: Modify Personality.jnlp
#Open the Personality.jnlp file using notepad or Wordpad.\\The configuration file is located at: ''Oracle-Home\Apache\Apache\htdocs\HLAppResource_xxxx''\\ \\
#Change the argument port to the RMIS port you assigned to the OC4J instance in Step 3\\ \\
#Add an argument __SERVER_TYPE=SSL__\\The above changes should look similar to this:\\{{<argument>PORT=12702</argument>\\<argument>SERVER_IP=http://server.domain./Personality_xxxx<argument>\\<argument>SERVER_TYPE=SSL/argument>}}\\ \\
#Change all references of http to __https__\\ \\
#Save and close the file
\\ \\
----
!Step 5: Change the Admin Console Resource Server URL to HTTPS
#Open the browser and navigate to the admin console. For example: {{http://myserver.mydomain.com/Personality_PILOT/adminConsole}}\\ \\
#Fill in all the columns with their respective entries, make sure to change the ‘Resources Server URL to https://...\\ \\
#Restart the container and test your application.
\\ \\
----
!Step 6: Testing SSL
#Open a browser and enter: ''https://server-name/''
%%information __Note__ If you are using an index page to access the Professional and Self Service application, be sure to change the http references to https.%%
8. Copy the contents of the certificate; starting at: ''__----Begin Certificate Request---''__ and ending at ''__---End Certificate Request---''__
At line 82 changed 3 lines
----
![Notes|Edit:Internal.CONFIGURING SSL]
[{InsertPage page='Internal.CONFIGURING SSL' default='Click to create a new notes page'}]
{{{
''-----BEGIN NEW CERTIFICATE REQUEST-----
MIIByzCCATQCAQAwgYoxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdNYXJraGFtMRcwFQY
DVQQKEw5IaWdoIExpbmUgQ29ycDEbMBkGA1UECxMSVGVjaG5pY2FsIFNlcnZpY2VzMSEwHwYDVQQDExh0ZWNocm5kLm
hpZ2hsaW5lY29ycC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO4R0gKtW2/XH/+/cQv6KGKCe4Lzm6xIx
RK4dko38YZWk7kDEDxRasvBmYbdb+v-----END NEW CERTIFICATE REQUEST-----''
}}}
At line 60 added 40 lines
9. Paste the content into the Oracle Wallet Manager by right clicking the ''__Certificate''__ ''__:~[Requested]''__ icon.
10. #Select ''__Import User Certificate'' __
11. Paste the certificate into the Import Certificate box and click ''__OK''__
Once the certificate as been imported successfully, the ''__Certificate:~[Requested]''__ icon will change to ''__Certificate:~[Ready].'' __
12. From the menu select: ''__Wallet ''__> ''__Save As''__
13. Browse to: ''Oracle-Home\Apache\Apache\conf\ssl.wlt\default''
At this point Oracle wallet will inform you that a wallet already exists in this location and will ask if you wish to overwrite.
14. Select ''__Yes.''__
15. Select: ''__Wallet''__ > ''__AutoLogin''__
16. Place a check mark in this field.
17. Close Oracle wallet
!Step 2: Configuring SSL Port
On Microsoft Windows installations, Oracle Universal Installer assigns port 4443 to the HTTP Server for SSL communication. In a production environment this would not be ideal, as it would require your users to specify the port in the http header. Therefore, it is recommended to change the port to 443.
18. Open the SSL.conf file and change all port 4443 reference to 443
The configuration file is located at: Oracle-Home\Apache\Apache\conf\
19. You will need to restart the HTTP Server for the changes to take effect.
21. From the command line enter the following command:
__''opmnctl restartproc process-type=HTTP_Server''__
!Step 3: Testing SSL
22. Open a browser and enter: https://server-name/
At this stage your server is now ready to handle SSL communication.
[CLEANUP]