Configuring Oracle HTTP Server to Support SSL#

Implementing and Configuring SSL#

Step 1: Configuring Oracle Wallet Manager#

The first step in implementing and configuring SSL is to create an Oracle wallet. The Oracle wallet is used to securely store certificates.

On the Oracle application server, open the Oracle wallet and configure it to support trusted and user certificates by performing the below steps:

1. From the start menu select: All Programs >Oracle-Home >Integrated Management Tool >Wallet Manager

2. In Oracle Wallet Manager select: Wallet >New

3. You will be prompted with a dialog box informing you that your default wallet directory does not exist and asked if you wish to create it. Answer, ‘Yes’.

4. Enter a password for the new wallet and re-enter it again to confirm. Leave the wallet type to ‘Standard’ (default).

5. After entering the password, you will be prompted with a dialog box indicating that a new wallet has been created and asked if you wish to create a certificate request at this time. Answer, ‘Yes’.

You will need to generate a certificate request to send to a certificate authority such as VeriSign, RSA, Entrust, etc. The below information will need to be filled out.

  • Common Name: <fully qualified server name>
  • Organization Unit: <department name or region>
  • Organization: <name of company>
  • Locality/City: <self explanatory>
  • State/Province: <self explanatory>
  • Country: <self explanatory>
  • Key Size: 1024bits (user define)

Note: Typically, Certificate Authorities (CA) use key sizes of 1024 or 2048. When certificate owners wish to keep their keys for a longer duration, they choose 3072 or 4096 bit keys. (The higher the value the more secure.)

Once you have entered the required information, click OK. You will receive a message informing you that the certificate request has been created; submit that request to a CA.

6. Click OK. You will notice in the Wallet panel on the left of your screen there is a Certificate: [Requested] icon.

At this stage you are ready to send your request to a certificate authority for them to issue you a valid certificate.

7. Save your current settings in the Oracle Wallet Manager. Select: >Wallet >Save as Oracle-Home\Apache\Apache\conf\ssl.wlt\default

You will need to contact the certificate authority and submit your request to them. The simplest way to go about this would be to open your browser and go to the certificate authority website then cut and paste into the online submittal form, the certificate request that you generated in the previous step.

You will be required to fill in your company information and a contact email and phone number. Depending on your relationship with the certificate authority, it could take as long as two to five business days to receive your certificate and in addition, there is a cost of obtaining a valid certificate.

Once your company has been validated, you will receive an email notification from the certificate authority that will include the certificate either in the body of the message or as an attachment.

For those customers who want to implement SSL using a self-sign certificate or an in-house certificate, you MUST import the root certificate of the CA first before importing the user certificate. Using the self-sign or in-house certificate is a cost effective way to secure internal traffic without having to purchase a real certificate from a CA. However, you should not implement a self-sign or in-house certificate if your application server will be access from the internet.

8. Copy the contents of the certificate; starting at: ----Begin Certificate Request--- and ending at ---End Certificate Request---

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIByzCCATQCAQAwgYoxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdNYXJraGFtMRcwFQY
DVQQKEw5IaWdoIExpbmUgQ29ycDEbMBkGA1UECxMSVGVjaG5pY2FsIFNlcnZpY2VzMSEwHwYDVQQDExh0ZWNocm5kLm
hpZ2hsaW5lY29ycC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO4R0gKtW2/XH/+/cQv6KGKCe4Lzm6xIx
RK4dko38YZWk7kDEDxRasvBmYbdb+v-----END NEW CERTIFICATE REQUEST-----

9. Paste the content into the Oracle Wallet Manager by right clicking the Certificate :[Requested] icon.

10. #Select Import User Certificate

11. Paste the certificate into the Import Certificate box and click OK

Once the certificate as been imported successfully, the Certificate:[Requested] icon will change to Certificate:[Ready].

12. From the menu select: Wallet > Save As

13. Browse to: Oracle-Home\Apache\Apache\conf\ssl.wlt\default

At this point Oracle wallet will inform you that a wallet already exists in this location and will ask if you wish to overwrite.

14. Select Yes.

15. Select: Wallet > AutoLogin

16. Place a check mark in this field.

17. Close Oracle wallet

Step 2: Configuring SSL Port#

On Microsoft Windows installations, Oracle Universal Installer assigns port 4443 to the HTTP Server for SSL communication. In a production environment this would not be ideal, as it would require your users to specify the port in the http header. Therefore, it is recommended to change the port to 443.

18. Open the SSL.conf file and change all port 4443 reference to 443 The configuration file is located at: Oracle-Home\Apache\Apache\conf\

19. You will need to restart the HTTP Server for the changes to take effect.

21. From the command line enter the following command:

opmnctl restartproc process-type=HTTP_Server

Step 3: Testing SSL#

22. Open a browser and enter: https://server-name/

At this stage your server is now ready to handle SSL communication.