Table of Contents
- Configuring Professional and Self-Service to Support SSL
- Implementing and Configuring SSL
- Step 1: Configuring Oracle Wallet Manager
- Step 2: Import Above Certificate into Java Keystore
- Step 3: Assign Static RMIS Port
- Step 4: Modify Personality.jnlp
- Step 5: Change the Admin Console Resource Server URL to HTTPS
- Step 6: Testing SSL
- Notes
Configuring Professional and Self-Service to Support SSL
Implementing and Configuring SSL
Step 1: Configuring Oracle Wallet Manager
The first step in implementing and configuring SSL is to create an Oracle wallet. The Oracle wallet is used to securely store certificates.
On the Oracle application server, open the Oracle wallet and configure it to support trusted and user certificates by performing the below steps:
- From the Start menu select: All Programs > Oracle-Home > Integrated Management Tool > Wallet Manager
- In Oracle Wallet Manager select: Wallet > New
- You will be prompted with a dialog box informing you that your default wallet directory does not exist and asked if you wish to create it. Answer, ‘Yes’.
- Enter a password for the new wallet and re-enter it to confirm. Leave the wallet type at ‘Standard’ (the default).
- After entering the password, you will be prompted with a dialog box indicating that a new wallet has been created and asked if you wish to create a certificate request at this time. Answer, ‘Yes’.
You will need to generate a certificate request to send to a certificate authority such as VeriSign, RSA, Entrust, etc. Fill in the following information:
- Common Name: <fully qualified server name>
- Organization Unit: <department name or region>
- Organization: <name of company>
- Locality/City: <self explanatory>
- State/Province: <self explanatory>
- Country: <self explanatory>
- Key Size: 1024 bits (user defined)
Certificate Authorities (CA) use key sizes of 1024 or 2048 bits. Certificate owners who wish to keep their keys for a longer duration choose 3072 or 4096 bit keys (the higher the value, the more secure). Be aware that public CAs no longer issue certificates for 1024-bit RSA keys, so 2048 bits is the practical minimum today.
Once you have entered the required information, click OK. You will receive a message informing you that the certificate request has been created; submit that request to a CA.
- Click OK. You will notice in the Wallet panel on the left of your screen there is a Certificate: [Requested] icon.
At this stage you are ready to send your request to a certificate authority for them to issue you a valid certificate.
- Save your current settings in the Oracle Wallet Manager. Select Wallet > Save As and save to: Oracle-Home\Apache\Apache\conf\ssl.wlt\default
Contact the certificate authority and submit your request to them. The simplest way is to open your browser, go to the certificate authority's website, and paste the certificate request you generated in the previous step into its online submission form.
You will be required to fill in your company information and a contact email and phone number. Depending on your relationship with the certificate authority, it can take two to five business days to receive your certificate, and there is a cost for obtaining a valid certificate.
Once your company has been validated, you will receive an email notification from the certificate authority that includes the certificate either in the body of the message or as an attachment.
For customers who want to implement SSL using a self-signed certificate or an in-house certificate, you MUST import the root certificate of the CA before importing the user certificate. A self-signed or in-house certificate is a cost-effective way to secure internal traffic without purchasing a certificate from a public CA. However, you should not use a self-signed or in-house certificate if your application server will be accessed from the internet.
- Copy the contents of the certificate you received, starting at the -----BEGIN line and ending at the -----END line (include both delimiter lines).
- Paste the content into the Oracle Wallet Manager by right-clicking the Certificate:[Requested] icon.
- Select Import User Certificate
- Paste the certificate into the Import Certificate box and click OK
Once the certificate has been imported successfully, the Certificate:[Requested] icon will change to Certificate:[Ready].
- From the menu select: Wallet > AutoLogin
- Place a check mark in this field.
- From the menu select: Wallet > Save As
- Browse to: Oracle-Home\Apache\Apache\conf\ssl.wlt\default
At this point Oracle Wallet Manager will inform you that a wallet already exists in this location and ask whether you wish to overwrite it. Saving to this location overrides the default certificate that was deployed when you installed the application server; you do not have to store your certificate in this location.
- Close Oracle Wallet Manager
Step 2: Import Above Certificate into Java Keystore
- For customers who want to implement SSL using a self-signed certificate or an in-house certificate, you MUST import the root certificate of the CA before importing the user certificate. The steps below import the root certificate and the user certificate into the Java keystore.
The default keystore is stored in the following location: ORACLE-HOME\jdk\jre\lib\security\cacerts
Note: The default password is ‘changeit’. We strongly recommend changing it once your configuration is complete.
- To simplify the configuration, I recommend saving the root and user certificates in files with a .cer extension, for example root.cer.
- From the command prompt navigate to the following directory: ORACLE-HOME\jdk\jre\lib\security\ and issue the following command:
keytool -import -alias rootca -keystore cacerts -trustcacerts -file rootca.cer -storepass changeit
Note:
- -alias rootca uniquely identifies the entry in the keystore
- -keystore cacerts is the name of the default keystore
- -trustcacerts lets keytool match the imported certificate against the root (CA) certificates already in the keystore
- -file is the name of the certificate file you are importing
- -storepass is the password of the keystore (changeit by default)
- Press Enter and follow the prompts
- Once you have imported the root CA, the final step is to import the user certificate. Enter the following command at the command prompt:
keytool -import -alias Personality -keystore cacerts -trustcacerts -file Personality.cer -storepass changeit
- Press Enter, follow the prompts, and exit the command prompt.
Step 3: Assign Static RMIS Port
- Open the opmn.xml file using Notepad or WordPad. The configuration file is located at: Oracle-Home\opmn\conf
- Assign a static RMIS port to your OC4J instance as follows:
<ias-component id="OC4J">
  <process-type id="home" module-id="OC4J">
    <port id="default-web-site" range="12501-12600" protocol="ajp" />
    <port id="rmi" range="12401-12500" />
    <port id="rmis" range="12702" />
    <port id="jms" range="12601-12700" />
    <process-set id="default_group" numprocs="1"/>
  </process-type>
</ias-component>
Note: The RMIS port range is 12701-12800. When choosing a port, ensure that the port is free and not already in use by another service on the server.
- Save and close the file
- From the command line navigate to the following directory: ORACLE-HOME\opmn\bin
- Reload the opmn.xml file by entering the following command: opmnctl reload
- Restart the OC4J instance by entering the following command: opmnctl restartproc process-type=OC4J
Note: Replace OC4J with the process-type id of the OC4J instance you want to restart (in the opmn.xml fragment above the process-type id is home).
Step 4: Modify Personality.jnlp
- Open the Personality.jnlp file using Notepad or WordPad.
The configuration file is located at: Oracle-Home\Apache\Apache\htdocs\HLAppResource_xxxx
- Change the PORT argument to the RMIS port you assigned to the OC4J instance in Step 3
- Add an argument SERVER_TYPE=SSL
The above changes should look similar to this:
<argument>PORT=12702</argument>
<argument>SERVER_IP=http://server.domain./Personality_xxxx</argument>
<argument>SERVER_TYPE=SSL</argument>
- Change all references of http to https
- Save and close the file
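The RMIS port in opmn.xml and the PORT argument in Personality.jnlp must agree, the port must be a single free value in the RMIS range, and every URL in the jnlp must be https. The following added consistency check (example code, not part of the original page or of the Personality product) parses both files and reports any mismatch; the two XML samples are constructed to mirror Steps 3 and 4, and the process-type id `home` is taken from the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments mirroring Steps 3 and 4 (not the page's real files).
OPMN_XML = """<ias-component id="OC4J"><process-type id="home" module-id="OC4J">
  <port id="default-web-site" range="12501-12600" protocol="ajp" />
  <port id="rmi" range="12401-12500" />
  <port id="rmis" range="12702" />
  <port id="jms" range="12601-12700" />
</process-type></ias-component>"""
JNLP_XML = """<jnlp><application-desc>
  <argument>PORT=12702</argument>
  <argument>SERVER_IP=https://server.domain.example/Personality_xxxx</argument>
  <argument>SERVER_TYPE=SSL</argument>
</application-desc></jnlp>"""
RMIS_RANGE = (12701, 12800)  # RMIS range stated in the Step 3 note


def parse_range(text):  # "12401-12500" -> (12401, 12500); "12702" -> (12702, 12702)
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def jnlp_arguments(jnlp_xml):  # NAME=value <argument> elements -> dict
    pairs = ((el.text or "").partition("=") for el in ET.fromstring(jnlp_xml).iter("argument"))
    return {n.strip(): v.strip() for n, _, v in pairs}


def check_ssl_config(opmn_xml, jnlp_xml, process_type="home"):
    # Return a list of problems; an empty list means the two files agree.
    problems = []
    pt = ET.fromstring(opmn_xml).find(f".//process-type[@id='{process_type}']")
    ranges = {p.get("id"): parse_range(p.get("range")) for p in (pt.iter("port") if pt is not None else [])}
    lo, hi = ranges.get("rmis", (None, None))
    if lo is None:
        problems.append("no rmis port assigned")
    else:
        if lo != hi:
            problems.append(f"rmis must be one static port, got {lo}-{hi}")
        if not RMIS_RANGE[0] <= lo <= RMIS_RANGE[1]:
            problems.append(f"rmis port {lo} outside {RMIS_RANGE[0]}-{RMIS_RANGE[1]}")
        for pid, (olo, ohi) in ranges.items():  # "ensure that the port is free"
            if pid != "rmis" and olo <= lo <= ohi:
                problems.append(f"rmis port {lo} collides with '{pid}' {olo}-{ohi}")
    args = jnlp_arguments(jnlp_xml)
    if lo is not None and args.get("PORT") != str(lo):
        problems.append(f"jnlp PORT={args.get('PORT')} does not match rmis {lo}")
    if args.get("SERVER_TYPE") != "SSL":
        problems.append("jnlp SERVER_TYPE is not SSL")
    problems += [f"jnlp {n} still uses http://" for n, v in args.items()
                 if v.lower().startswith("http://")]
    return problems
```

Run it against the real files by reading them into the two string arguments; an empty result means Steps 3 and 4 are consistent.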
Step 5: Change the Admin Console Resource Server URL to HTTPS
- Open the browser and navigate to the admin console. For example: http://myserver.mydomain.com/Personality_PILOT/adminConsole
- Fill in all the columns with their respective entries, and make sure to change the ‘Resources Server URL’ to https://...
- Restart the container and test your application.
Step 6: Testing SSL
- Open a browser and enter: https://server-name/
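Beyond loading the page in a browser, a practitioner will want to confirm that the certificate the server presents is issued to the fully qualified name entered as the Common Name in Step 1, that it chains to the root imported in Step 2, and how long it has left before renewal. The following added check (example code, not from the original page) does that; the sample certificate dictionary, host name and dates are constructed, and the `cafile` argument is assumed to be the root.cer used for an in-house CA.

```python
import socket
import ssl
import time

# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert();
# the host name and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "techrnd.example.com"),),),
    "subjectAltName": (("DNS", "techrnd.example.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}


def hostname_matches(cert, hostname):
    # SAN DNS entries first, then the CN: the Common Name entered in Step 1 must be
    # the fully qualified name users type, or browsers will reject the site.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    return any(n.lower() == host for n in names)


def days_until_expiry(cert, now_ts=None):
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - (now_ts or time.time())) // 86400)


def check_certificate(cert, hostname, now_ts=None):
    # Return a list of problems; empty means the certificate is fit for this host.
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate is not issued to {hostname}")
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        problems.append("certificate has expired")
    elif days < 30:
        problems.append(f"certificate expires in {days} days; request a renewal")
    return problems


def check_server(hostname, port=443, cafile=None, timeout=5):
    # Chain verification is done by the context (cafile = the root.cer imported in
    # Step 2 when an in-house CA is used); host name and expiry are reported above.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_certificate(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain does not verify (is the CA root imported?): {exc}"]
```

Call check_server("server-name") for the HTTPS listener and check_server("server-name", 12702, "root.cer") for the RMIS port assigned in Step 3; an empty list means the certificate is trusted, correctly named and not close to expiry.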