!!!Configuring Oracle HTTP Server to Support SSL

!!Implementing and Configuring SSL
!Step 1: Configuring Oracle Wallet Manager

The first step in implementing and configuring SSL is to create an Oracle wallet. The Oracle wallet is used to securely store certificates.  

On the Oracle application server, open Oracle Wallet Manager and configure a wallet to hold trusted and user certificates by performing the following steps:
1. From the Start menu select: __''All Programs > Oracle-Home > Integrated Management Tool > Wallet Manager''__

2. In Oracle Wallet Manager select: __''Wallet > New''__

3. You will be prompted with a dialog box informing you that your default wallet directory does not exist and asked if you wish to create it.  Answer, ‘Yes’.

4. Enter a password for the new wallet and re-enter it to confirm. Leave the wallet type as ‘Standard’ (default).

5. After entering the password, you will be prompted with a dialog box indicating that a new wallet has been created and asked if you wish to create a certificate request at this time.  Answer, ‘Yes’.

You will need to generate a certificate request to send to a certificate authority such as VeriSign, RSA, Entrust, etc. Fill out the following information:

*__Common Name:__ ''<fully qualified server name>''
*__Organization Unit:__ ''<department name or region>''
*__Organization:__ ''<name of company>''
*__Locality/City:__ ''<self explanatory>''
*__State/Province:__ ''<self explanatory>''
*__Country:__ ''<self explanatory>''
*__Key Size:__ ''1024 bits (user-defined)''

__Note:__ Typically, Certificate Authorities (CA) use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys. (The higher the value the more secure.) 

Once you have entered the required information, click __OK__. You will receive a message informing you that the certificate request has been created; submit that request to a CA.

6. Click __OK__. In the Wallet panel on the left of your screen you will see a __''Certificate: [Requested]''__ icon.

At this stage you are ready to send your request to a certificate authority for them to issue you a valid certificate. 

7. Save your current settings in the Oracle Wallet Manager. Select:
__''Wallet > Save As''__
''Oracle-Home\Apache\Apache\conf\ssl.wlt\default''

You will need to contact the certificate authority and submit your request to them. The simplest way is to open your browser, go to the certificate authority's website, and paste the certificate request that you generated in the previous step into the online submission form.

You will be required to fill in your company information and a contact email and phone number. Depending on your relationship with the certificate authority, it could take as long as two to five business days to receive your certificate. In addition, there is a cost for obtaining a valid certificate.

Once your company has been validated, you will receive an email notification from the certificate authority that will include the certificate either in the body of the message or as an attachment.

For those customers who want to implement SSL using a self-signed certificate or an in-house certificate, you __MUST__ import the root certificate of the CA first, __before__ importing the user certificate. Using a self-signed or in-house certificate is a cost-effective way to secure internal traffic without having to purchase a real certificate from a CA. However, you should __not implement__ a self-signed or in-house certificate if your application server will be accessed from the Internet.

8. Copy the contents of the certificate, starting at __''----Begin Certificate Request---''__ and ending at __''---End Certificate Request---''__

''-----BEGIN NEW CERTIFICATE REQUEST-----\\
MIIByzCCATQCAQAwgYoxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdNYXJraGFtMRcwFQYDVQQKEw5IaWdoIExpbmUgQ29ycDEbMBkGA1UECxMSVGVjaG5pY2FsIFNlcnZpY2VzMSEwHwYDVQQDExh0ZWNocm5kLmhpZ2hsaW5lY29ycC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO4R0gKtW2/XH/+/cQv6KGKCe4Lzm6xIxRK4dko38YZWk7kDEDxRasvBmYbdb+v\\
-----END NEW CERTIFICATE REQUEST-----''

9. Paste the content into the Oracle Wallet Manager by right-clicking the __''Certificate:[Requested]''__ icon.

10. Select __''Import User Certificate''__

11. Paste the certificate into the Import Certificate box and click __''OK''__

Once the certificate has been imported successfully, the __''Certificate:[Requested]''__ icon will change to __''Certificate:[Ready]''__.

12. From the menu select: __''Wallet > Save As''__

13. Browse to: ''Oracle-Home\Apache\Apache\conf\ssl.wlt\default''

At this point Oracle wallet will inform you that a wallet already exists in this location and will ask if you wish to overwrite. 

14. Select __''Yes''__.

15. Select: __''Wallet > AutoLogin''__

16. Place a check mark in this field.

17. Close Oracle wallet

!Step 2: Configuring SSL Port
On Microsoft Windows installations, Oracle Universal Installer assigns port 4443 to the HTTP Server for SSL communication. In a production environment this is not ideal, as it requires your users to specify the port in the URL. Therefore, it is recommended to change the port to 443.

18. Open the SSL.conf file and change all references to port 4443 to 443.
The configuration file is located at: ''Oracle-Home\Apache\Apache\conf\''

19. You will need to restart the HTTP Server for the changes to take effect.

21. From the command line enter the following command: 

__''opmnctl restartproc process-type=HTTP_Server''__
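
A check for step 18, as an added example that is not part of the original page: it lists every active line in the configuration that still references the old port and rewrites those lines while leaving comments alone. The function names and the sample file contents are constructed for illustration; the directives shown are standard Apache ones, and a real ssl.conf will contain more.

```python
import re

# Constructed sample of an ssl.conf after a partial edit (not taken from the page).
SAMPLE_SSL_CONF = """\
# Default installer port was 4443
Listen 443
<VirtualHost _default_:4443>
    Port 4443
    ServerName server-name
    SSLEngine on
</VirtualHost>
"""


def _port_pattern(port):
    # The port must stand alone as a number, so 44430 or 14443 do not match.
    return re.compile(r"(?<!\d)%d(?!\d)" % port)


def find_port_references(conf_text, port=4443):
    """Return (line_number, stripped_line) for each active line mentioning port."""
    pattern = _port_pattern(port)
    hits = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments do not affect the server
        if pattern.search(line):
            hits.append((number, line))
    return hits


def replace_port(conf_text, old=4443, new=443):
    """Rewrite the port on active lines only; comment lines are kept verbatim."""
    pattern = _port_pattern(old)
    out = []
    for raw in conf_text.splitlines(keepends=True):
        if raw.lstrip().startswith("#"):
            out.append(raw)
        else:
            out.append(pattern.sub(str(new), raw))
    return "".join(out)


if __name__ == "__main__":
    for number, line in find_port_references(SAMPLE_SSL_CONF):
        print("line %d still uses 4443: %s" % (number, line))
```

Run it against a copy of the file before restarting the HTTP Server; an empty result from find_port_references means no active directive is left on 4443.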

!Step 3: Testing SSL
22. Open a browser and enter: https://server-name/

At this stage your server is ready to handle SSL communication.