
Configuring SSL For Your Oracle Applications HTTP Server

SSL, the Secure Sockets Layer, is a protocol developed by Netscape for transmitting private 
documents via the Internet.
SSL in Oracle Applications can be implemented at three levels: the web server level, the forms server level or the database level. This post covers implementing SSL (Secure Sockets Layer) with the Oracle Applications HTTP server. You must first obtain a digital certificate by raising a certificate signing request (CSR) with a third-party certificate authority (CA).
The version of Oracle Applications is 11.5.10 on Red Hat Linux.

Set up environment variables.
Set the following environment variables in the .bash_profile of the applications user.
export SCRIPTS_TOP=$COMMON_TOP/admin/scripts/SAM_samlxa;
export APACHE_TOP=$IAS_ORACLE_HOME/Apache;
export OPENSSL_TOP=$APACHE_TOP/open_ssl;
export OPENSSL_CONF=$OPENSSL_TOP/bin/openssl.cnf;

Create a working directory
Create a working directory that will eventually hold the private key file and certificate files 
after logging on as the applications user and setting the environment.
# su - applsam
$ mkdir $COMMON_TOP/admin/certs
$ mkdir $COMMON_TOP/admin/certs/apache
In an AutoConfig-enabled environment, the above directory is the value pointed to by the context 
variable 's_web_ssl_directory'.

Create directories for your certificate and private key
Create two other subdirectories under the above directory as the applications user.
# su - applsam
$ mkdir $COMMON_TOP/admin/certs/apache/ssl.crt
$ mkdir $COMMON_TOP/admin/certs/apache/ssl.key
The above directories hold the certificate file and private key, respectively.
Change s_web_ssl_directory via Oracle Applications Manager; this also updates the other 
dependent context variables. Then run AutoConfig.

Restart middle tier services
At this stage you must stop your application tier services and then start them again.

Create a random number file
The file $OPENSSL_CONF will have a parameter RANDFILE in the following format:
RANDFILE = $ENV::HOME/.rnd
Create a random file as follows
Change to a directory that contains some binary files, such as ORACLE_HOME/bin of your Oracle 8.0.6 home.
$ cd $ORACLE_HOME/bin
Execute the following command to generate the random character file
$ $OPENSSL_TOP/bin/openssl md5 or* > $HOME/.rnd

Create the Server PEM-encoded Private Key file (apache_1024.key)
Change to the working directory
$ cd $COMMON_TOP/admin/certs/apache
Type the following command to generate your RSA private key (apache_1024.key)
$ $OPENSSL_TOP/bin/openssl genrsa -des3 -out apache_1024.key 1024
Choose a PEM pass phrase; it will be required every time you start the Apache server, though you do 
have the option to remove the pass phrase from the key (unencrypt it).

Edit the default openssl configuration file
Edit the default openssl configuration file, $OPENSSL_CONF, so that it can be used to generate the 
certificate signing request.
Locate the line that reads dir = ./demoCA and change it to the full path of the directory 
where your key and request file are located.

Generate the certificate signing request (CSR)
From the working directory, $COMMON_TOP/admin/certs/apache, type the following command to generate your CSR (apache_1024.csr) derived from the private key (apache_1024.key).
$ $OPENSSL_TOP/bin/openssl req -config $OPENSSL_CONF -new -key apache_1024.key -out apache_1024.csr
You will be prompted for the following:
   1. Enter PEM pass phrase: Enter the pass phrase you chose in the step above.
   2. Country Name (2 letter code) [AU]:
          State or Province Name (full name) [Some-State]:
          Locality Name (e.g., city) [MO]:
          Organization Name (e.g., company) [Vision Demo Lc]:
          Organizational Unit Name (e.g., section) [IT]:
   3. Common Name (e.g., YOUR name) []: Enter the fully qualified name of your server.
      [samlxa.appsdbablog.com]
   4. E-mail Address []: Enter your e-mail address. This is where the certificate will be sent.
   5. Please enter the following 'extra' attributes: These questions are optional.
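The key and CSR steps above, scripted so they run without prompts and with the check you want before pasting the request into the CA's form: that the CSR really belongs to the key. This is an added example, not the post's own commands. It assumes an openssl binary on PATH (the post's $OPENSSL_TOP/bin/openssl works just as well), uses a 2048-bit key rather than the post's 1024 (today's CAs will not sign 1024-bit requests), and its file names (apache.key, apache.csr, server.key), pass phrase and subject fields are this example's choices. The last function is the "option to unencrypt" the post mentions: an unencrypted copy of the key lets Apache start without a prompt, so it has to be protected by file permissions alone.

```shell
#!/bin/sh
# Added example (not from the original post): create the server key and CSR
# non-interactively and verify the CSR matches the key. Assumes openssl on PATH.
# Key size (2048), file names, pass phrase and subject values are this example's.
set -eu

# make_key_and_csr DIR PASSPHRASE CN
# Writes DIR/apache.key (DES3-encrypted, like the post's -des3 key) and DIR/apache.csr.
make_key_and_csr() {
    dir=$1; pass=$2; cn=$3
    # -passout replaces the interactive PEM pass phrase prompt.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/apache.key" 2048 2>/dev/null
    chmod 600 "$dir/apache.key"
    # -subj replaces the C/ST/L/O/OU/CN prompts listed in the post.
    openssl req -new -key "$dir/apache.key" -passin "pass:$pass" \
        -subj "/C=AU/ST=Some-State/L=Sydney/O=Vision Demo Lc/OU=IT/CN=$cn" \
        -out "$dir/apache.csr"
}

# csr_matches_key DIR PASSPHRASE
# Prints "match" when the modulus in the CSR equals the modulus of the private key.
csr_matches_key() {
    dir=$1; pass=$2
    k=$(openssl rsa -noout -modulus -in "$dir/apache.key" -passin "pass:$pass")
    c=$(openssl req -noout -modulus -in "$dir/apache.csr")
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# csr_common_name DIR
# Prints the CN in the request so it can be compared with the server's FQDN.
csr_common_name() {
    openssl req -noout -subject -in "$1/apache.csr" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# strip_passphrase DIR PASSPHRASE
# Writes an unencrypted copy as server.key (the post's "unencrypt" option) with
# owner-only permissions, and prints "unencrypted" if the copy has no ENCRYPTED header.
strip_passphrase() {
    dir=$1; pass=$2
    ( umask 077
      openssl rsa -in "$dir/apache.key" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null )
    if grep -q ENCRYPTED "$dir/server.key"; then echo encrypted; else echo unencrypted; fi
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_key_and_csr "$tmp" 'example-pass' 'samlxa.appsdbablog.com'
    csr_matches_key "$tmp" 'example-pass'
    csr_common_name "$tmp"
    strip_passphrase "$tmp" 'example-pass'
    rm -rf "$tmp"
fi
```

If csr_matches_key prints mismatch, the request was generated from a different key than the one you are about to install as server.key, and the certificate the CA returns will be useless with it.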

Submit your certificate request (CSR) to your certificate authority (CA)
As discussed above, you need to obtain a trial certificate from a certificate authority such as 
Verisign. Navigate to the trial certificate section and paste everything in your request file, 
starting with and including
-----BEGIN CERTIFICATE REQUEST-----

and ending with and including

-----END CERTIFICATE REQUEST-----

After you have submitted the certificate request you should receive the certificate by e-mail 
within a few hours.

Create the Server PEM-encoded Certificate file
Once you have received your certificate, use your e-mail application to save the entire e-mail 
message to a text file under $COMMON_TOP/admin/certs/apache.
Name the file apache_1024.crt and ensure that it is located under $COMMON_TOP/admin/certs/apache.
Remove everything except the certificate block, starting with and including
-----BEGIN CERTIFICATE-----

and ending with and including

-----END CERTIFICATE-----
Be careful while copying, pasting or cutting; if you are using a text editor, use Notepad or vi 
rather than a word processor.

Once your changes are made, save the file with the name apache_1024.crt.

Global Server Certificate
If you use a global server certificate, you can get that certificate from a URL that should be 
in the e-mail from your certifying authority that contained your certificate.
FTP this file in binary mode to $COMMON_TOP/admin/certs/apache and save it as intermediate.crt.

Create the file of PEM-encoded Server Certificates (ca.crt)
Execute the following commands step by step
Login as the application User
# su - applsam
Change directory to the working directory
$ cd $COMMON_TOP/admin/certs/apache
Backup the existing file, if any, under $COMMON_TOP/admin/certs/apache/ssl.crt
$ cp $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt.bak
Use FTP (in binary mode) to transfer apache_1024.crt to your PC and open it with Internet Explorer.
On the Certification Path tab click on the first line and then View Certificate. This will open a 
new window showing the certificate for the root Certifying Authority (CA).
Select the Details tab in the new window. Click Copy to File to start the export wizard.
Click Next to continue.
Select Base-64 encoded X.509 (.CER) and click next.
Enter ca1 as the name and click ok to export the certificate.  After the certificate is exported, 
you can close this window.
Repeat the View Certificate and export steps for each line on the Certification Path tab, 
incrementing the file name each time by 1, i.e. ca2, ca3.
Close the wizard and IE.
Use FTP (in binary mode) to transfer the files you created back to the server under 
$COMMON_TOP/admin/certs/apache.
On the server under $COMMON_TOP/admin/certs/apache, concatenate the files in reverse order (ca2.cer,ca1.cer) and save as ca.crt
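Two of the hand steps above are easy to get wrong: trimming the saved e-mail down to the certificate block (a stray header line or a word-processor line ending makes Apache reject the file), and concatenating the exported ca1.cer, ca2.cer files in the right order. The script below does both with POSIX sh and awk; it is an added example, not the post's own procedure. The file names follow the post, and the e-mail and .cer contents it writes are constructed fixtures with placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the original post: extract the PEM block from the saved
# CA e-mail and assemble ca.crt from ca1.cer, ca2.cer, ... in reverse order.
# POSIX sh and awk only. Sample contents below are constructed placeholders.
set -eu

# extract_pem_block FILE LABEL
# Prints the lines from "-----BEGIN LABEL-----" through "-----END LABEL-----" and
# nothing else, so mail headers, the CA's signature and blank lines are dropped.
# Trailing CR and whitespace (typical of saved e-mail and IE exports) are stripped.
extract_pem_block() {
    awk -v label="$2" '
        { sub(/[ \t\r]+$/, "") }
        ($0 == ("-----BEGIN " label "-----")) { inside = 1 }
        inside { print }
        ($0 == ("-----END " label "-----")) { inside = 0 }
    ' "$1"
}

# count_certs FILE: number of certificate blocks in a PEM file.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# build_chain DIR OUTFILE
# The post exports the first line of IE's Certification Path (the root CA) as ca1,
# the next CA down as ca2, and so on. Apache wants the chain leaf-side first, so the
# files are written in reverse numeric order: caN ... ca2, ca1. Prints the count.
build_chain() {
    dir=$1; out=$2
    n=0
    while [ -f "$dir/ca$((n + 1)).cer" ]; do n=$((n + 1)); done
    : > "$out"
    i=$n
    while [ "$i" -ge 1 ]; do
        extract_pem_block "$dir/ca$i.cer" CERTIFICATE >> "$out"
        i=$((i - 1))
    done
    echo "$n"
}

# write_samples DIR
# Constructed fixtures: a stand-in for the CA's e-mail (CRLF line endings, headers,
# a signature) and two exported .cer files. The bodies are placeholders, not real certs.
write_samples() {
    dir=$1
    printf '%s\r\n' 'From: ca@example.invalid' 'Subject: Your certificate' '' \
        'Your certificate is below.' '' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedSERVERbody' '-----END CERTIFICATE-----' '' '-- ' \
        'Regards, the CA' > "$dir/mail.txt"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedROOTbody' \
        '-----END CERTIFICATE-----' > "$dir/ca1.cer"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedINTERMEDIATEbody' \
        '-----END CERTIFICATE-----' > "$dir/ca2.cer"
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    extract_pem_block "$tmp/mail.txt" CERTIFICATE > "$tmp/apache_1024.crt"
    count_certs "$tmp/apache_1024.crt"
    build_chain "$tmp" "$tmp/ca.crt"
    cat "$tmp/ca.crt"
    rm -rf "$tmp"
fi
```

On a real server, run extract_pem_block over the saved e-mail and over each exported .cer file, then count_certs on the result: apache_1024.crt should contain exactly one block, and ca.crt one block per line on the Certification Path tab, with the root last.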

Copy server key and certificate file to final destination
Change directory to the working directory
$ cd $COMMON_TOP/admin/certs/apache
Copy the certificate file to $COMMON_TOP/admin/certs/apache/ssl.crt with a different file name
$ cp apache_1024.crt $COMMON_TOP/admin/certs/apache/ssl.crt/server.crt
Copy the private key file to $COMMON_TOP/admin/certs/apache/ssl.key with a different name
$ cp apache_1024.key $COMMON_TOP/admin/certs/apache/ssl.key/server.key
Copy the concatenated PEM-encoded CA Certificate file to $COMMON_TOP/admin/certs/apache/ssl.crt
$ cp $APACHE_TOP/Apache/conf/ssl.crt/ca-bundle.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca-bundle.crt
Copy the PEM-encoded Server Certificate Chain file to $COMMON_TOP/admin/certs/apache/ssl.crt
$ cp ca.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt
If you received the file of global server certificates, copy this file to 
$COMMON_TOP/admin/certs/apache/ssl.crt
$ cp intermediate.crt $COMMON_TOP/admin/certs/apache/ssl.crt/intermediate.crt

Implementing Forms Listener Servlet
To implement Forms Listener Servlet, you can use the Configuration Wizards utility. This utility is 
available as a command-line interface and also from Oracle Applications Manager (OAM). You must run AutoConfig after this and restart your application tier services.

Comments

hi sam, nice post,
i remember 2 years ago i implemented ssl on the forms level on oracle application server 10g but as far as i remember jinitiator at the client side was not certified with ssl, i don't remember the details. have you done it on the forms level?

fadi

Thanks Buddy,
Not yet on the forms server, but it is on the cards; will put up an update as soon as I am able to do it.

Sorry for the late reply, I was travelling again.

Sam

Nice Post Sam

Steve

I always hated setting up SSL with the Oracle App Server. I never fully understood the Wallet Manager tool. I think it makes things more complicated than necessary. Anyways, since you have to run owm, a writeup I did on automatically exporting your DISPLAY may help you so you don't have to do it every time you login to your server (to run things like owm).

It's at http://timarcher.com/?q=node/15

It's Linux specific, but is easily adaptable to Solaris.
