Enabling SSL in Release 12 [ID 376700.1] Modified 22-JUL-2011 Type WHITE PAPER Status PUBLISHED

Enabling SSL in Oracle Applications Release 12
Last Updated: August 12, 2010

In This Document
Section 1: Introduction
Section 2: Concepts and Terminology
Section 3: Middle Tier Setup
Section 4: Database Tier Setup
Section 5: Advanced SSL Setup
Section 6: Converting Existing Certificates
Section 7: Creating your Certifying Authority's Certificate
Section 8: Oracle Application Server Certificate Authority
Section 9: Disabling SSL v2 and Weak Ciphers

This document explains the setup steps for enabling SSL. The most current version of this document can be obtained in Oracle MetaLink Note 376700.1. There is a change log at the end of this document.

Section 1: Introduction

The most significant change for Secure Sockets Layer (SSL) support in E-Business Suite Release 12 is the use of the mod_ossl module for the Oracle HTTP Server. Like mod_ssl, the mod_ossl plug-in provides cryptography for Oracle HTTP Server. In contrast to the OpenSSL module, mod_ossl is based on the Oracle implementation of SSL, which supports SSL 3, and is based on Certicom and RSA Security technology.

In Release 12 SSL certificates will be managed by the Oracle Wallet Manager 10g, which will be accessible via the familiar OWM graphical user interface (GUI) or the new ORAPKI command line interface. Since Release 12 will be using the Forms Listener Servlet, a separate certificate is no longer needed for Forms. Forms will share the same wallet as the Oracle HTTP Server.

Note: The use of the Forms Server Listener with ConnectMode=https is not supported. ConnectMode=https only works with JInitiator, which includes the Oracle SSL libraries. Release 12 uses the Sun Java plug-in instead, and if you need to use https for the forms communication layer, you must use the servlet architecture.

Section 2: Concepts and Terminology
Secure Sockets Layer (SSL)

SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such a secure session is said to use the Secure Sockets Layer (SSL).

SSL uses 2 types of Certificates:
1. User certificates: These are Certificates issued to servers or users to prove their identity in a public key/private key exchange.
2. Trusted certificates: These are Certificates representing entities whom you trust, such as certificate authorities who sign the user certificates they issue.

How SSL works with Middle Tier Oracle HTTP Server:
1. The client sends a request to the server using HTTPS connection mode.
2. The server presents its certificate to the client. This certificate contains the server's identifying information.
3. The client checks its list of Trust points and compares the information in the certificate with the server's public key. If it matches, the server is authenticated as a trusted server.
4. The client sends the server a list of the encryption levels, or ciphers, that it can use.
5. The server receives the list and selects the strongest level of encryption that they have in common.
6. The client creates a session key which is used to encrypt the data and sends this session key to the server, which can decrypt the data with its private key.

How SSL works with Oracle Database Server:

1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
2. When the package fetches data from a Web site using HTTPS, it specifies the location of the Oracle Wallet that resides on the database server. This wallet contains the certificate for the Certificate Authority who signed the Web node's server certificate.

Certificate Authority (CA)
A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority's private key to ensure their authenticity; the Certificate Authority's public key is widely distributed.

Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.

Digital Certificate (Public Key)

A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, the Certificate Authority (CA). The document is usually in a standard X509 format and contains three elements:
1. Entity attributes (information about your organization)
2. Public key (which is bound to your organization)
3. Digital signature of the trusted CA private key
Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate which will be valid for 2 weeks for testing purposes.

Private (Server) Key

The private key file is a digital file that you generate and use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key, and the resulting digital certificate (containing your public key) which is issued by your CA is bound to this private key.

Secure Server Certificates

Secure Server Certificates are 128 bit certificates which provide 128 bit SSL encryption. If a browser has 128 bit support, then encryption is negotiated to 128 bits. However, if the browser only supports 40 bit encryption, regardless of a 128 bit certificate, the level of encryption will be negotiated down to 40 bits.

Global Server Certificates

Global Server Certificates, also referred to as Server Gated Cryptography, are 128 bit certificates that enable all browsers to use 128 bit encryption, even if the browser only supports 40 bit encryption. A global server certificate usually has 2 parts: the certificate itself and an extra intermediate certificate which is used to provide the step-up. The marketing names of these certificates vary depending on the company issuing the certificate; Thawte, for example, calls them 128 bit SuperCerts. It is not possible to get trial versions of global server certificates, therefore it is not possible to test unless one is purchased.

Secure Socket Layer Accelerators

Secure Socket Layer (SSL) Accelerators can be used to reduce the SSL traffic and workload off the web servers. Usually SSL accelerators are the primary targets for https requests from the user's desktop, i.e. the initial target for all desktop client communication. They are responsible for converting "https" SSL requests to non-SSL "http" requests, directing the request to the http server which is running in non-SSL mode. Before sending the response back to the desktop they again convert the non-SSL requests to SSL requests.

Note: DISCOVERER USERS who enable SSL for the E-Business Suite must also enable SSL for Discoverer. Please refer to the following documents:
1. Oracle Application Server Business Intelligence documentation
2. Metalink Note 338071.1: Quick Start to Configure Discoverer Plus/Viewer/Portlet Provider 10.1.2 in SSL + SSO. This document is for users who have installed Discoverer with Portal and/or Single SignOn (SSO).
3. Metalink Note 339448.1: How To Configure Discoverer 10g (10.1.2) Plus/Viewer For HTTPS (SSL) Access. This document is for users who have installed Discoverer without Portal or Single SignOn (SSO).

Section 3: Middle Tier Setup

The default location for the wallet in Release 12 is $INST_TOP/certs/Apache. This directory contains a wallet with demo certificates. The demo certificates are not secure and should never be used in a production environment. If you wish to use these certificates for testing, skip the certificate steps and start with Step 8, and then do Steps 1 through 7 when you are ready to switch to real certificates. If you have unexpired certificates from your Release 11i SSL instance you can convert them using the instructions in Section 5.

These instructions involve the use of the Oracle Wallet Manager Graphical User Interface. If you would prefer to use the Oracle Wallet Manager Command Line Interface refer to Note 376694.1: Using the Oracle Wallet Manager Command Line Interface in Release 12.

The main steps for setting up SSL on the Middle Tier are:
1. Set Your Environment.
2. Create a wallet.
3. Create a Certificate Request.
4. Submit the Certificate Request to a Certifying Authority.
5. Import your Server Certificate to the Wallet.
6. Copy the Apache Wallet to the OPMN Wallet.
7. Update the JDK Cacerts File.
8. Update the Context File.
9. Run Autoconfig.
10. Restart the middle tier services.

Step 1 - Set Your Environment

Logon to the application middle tier as the OS user who owns the middle tier files. Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3 ORACLE_HOME variables.

Note: When working with wallets and certificates you MUST use the 10.1.3 executables.

Step 2 - Create a wallet

Navigate to the $INST_TOP/certs/Apache directory. Move the existing wallet files to a backup directory in case you wish to use them again in the future. Open the Wallet Manager as a background process:
owm &
On the Oracle Wallet Manager Menu navigate to Wallet -> New. Answer NO to: "Your default wallet directory doesn't exist. Do you wish to create it now?" The new wallet screen will now prompt you to enter a password for your wallet. Be sure to make this password something you will remember. You will need to use the password whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the Command Line Interface. Click YES when prompted: "A new empty wallet has been created. Do you wish to create a certificate request at this time?"

Step 3 - Create a Certificate Request

After clicking "Yes" in step 2 the Create Certificate Request screen will pop up. Fill in the appropriate values where:
Common Name: is the name of your server including the domain.
Organizational Unit: (optional) The unit within your organization.
Organization: is the name of your organization.
Locality/City: is your locality or city.
State/Province: is the full name of your State or Province - do not abbreviate.
Select your Country from the drop down list. Click OK.

From the menu click Wallet and check the Auto Login box. With auto login enabled, processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet. From the menu click Wallet and then click Save. On the Select Directory screen change the Directory to your fully qualified wallet directory. Click Save.

Step 4 - Submit the Certificate Request to a Certifying Authority

You will need to export the Certificate Request before you can submit it to a Certifying Authority. To do so: Click on Certificate [Requested] to highlight it. From the menu click Operations -> Export Certificate Request. Save the file as server.csr. From the menu click Wallet and then click Save. The wallet directory will now contain the following files:
cwallet.sso
ewallet.p12
server.csr
You may now submit server.csr to your Certifying Authority to request a Server Certificate.

Step 5 - Import your Server Certificate to the Wallet

After you receive your Server Certificate from your Certifying Authority you will need to import it into your wallet. Server certificates are a type of user certificate. Since the Certifying Authority issued a certificate for the server, placing its distinguished name (DN) in the Subject field, the server is the owner, thus the "user" for this user certificate. Copy the certificate to server.crt in the wallet directory on your server by one of these methods:
1. ftp the certificate (in binary mode)
2. copy and paste the contents into server.crt

Follow these steps to import server.crt into your wallet: Open the Wallet Manager as a background process: owm & From the menu click Wallet then Open. Answer Yes when prompted: "Your default wallet directory does not exist. Do you want to continue?" On the Select Directory screen change the Directory to your fully qualified wallet directory and click OK. Enter your wallet password and click OK. On the Oracle Wallet Manager Menu navigate to Operations -> Import User Certificate. Double Click on server.crt to import it. Save the wallet: On the Oracle Wallet Manager Menu click Wallet. Verify the Auto Login box is checked. Click Save. Exit the Wallet Manager.

Note: If all trusted certificates that make up the chain of server.crt are not present in the wallet then adding the certificate will fail. When the wallet was created the certificates for the most common Certifying Authorities such as Verisign, GTE, and Entrust were included automatically. Contact your certifying authority if you need to add their certificate, and save the provided file as ca.crt in the wallet directory. Another option is to follow the instructions in Section 7 to create ca.crt from your server certificate (server.crt).

Step 6 - Modify the OPMN wallet

Now that the wallet has been created you will need to use these same certificates for opmn. The Oracle Applications Rapid Install process creates a default "demo" opmn wallet in the $INST_TOP/certs/opmn directory that can be used in test instances for basic SSL testing. Use the following steps to backup and copy the wallets:
1. Navigate to the $INST_TOP/certs/opmn directory.
2. Create a new directory named BAK.
3. Move the ewallet.p12 and cwallet.sso files to the BAK directory just created.
4. Copy the ewallet.p12 and cwallet.sso files from the $INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.

If you need to import the CA Certificate you'll also need to add the contents of ca.crt to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:
cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

Step 7 - Update the JDK Cacerts File

Oracle Web Services requires the Certificate of the Certifying Authority who issued your server certificate (ca.crt from the previous step) to be present. In addition, some products such as XML Publisher and BI Publisher require the server certificate (server.crt from the previous step) to be present in the JDK cacerts file. Follow these steps to be sure these requirements are met:
1. Navigate to the $OA_JRE_TOP/lib/security directory.
2. Backup the existing cacerts file.
3. Copy your ca.crt and server.crt files to this directory.
4. Issue the following command to insure that cacerts has write permissions:
chmod u+w cacerts
5. Add your Apache ca.crt and server.crt to cacerts:
keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias ApacheServer -file server.crt -trustcacerts -v -keystore cacerts
When prompted enter the keystore password (default password is changeit).

Step 8 - Update the Context File

Use the Oracle Applications Manager (OAM) Context Editor to change the SSL related variables as shown in this table:

SSL Related Variables in the Context File
Variable | Non-SSL Value | SSL Value
s_url_protocol | http | https
s_local_url_protocol | http | https
s_webentryurlprotocol | http | https
s_active_webport | same as s_webport | same as s_webssl_port
s_webssl_port | not applicable | default is 4443
s_https_listen_parameter | not applicable | same as s_webssl_port
s_help_web_agent | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port
s_login_page | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port
s_external_url | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port

Changes when using an SSL Accelerator
Variable | Non-SSL Value | SSL Value
s_url_protocol | http | http
s_local_url_protocol | http | http
s_webentryurlprotocol | http | https
s_active_webport | same as s_webport | value of the SSL Accelerator's external interfacing port
s_webentryhost | same as s_webhost | SSL Accelerator hostname
s_webentrydomain | same as s_domainname | SSL Accelerator domain name
s_enable_sslterminator | # | remove the '#' to use ssl_terminator.conf in ssl terminated environments
s_login_page | url constructed with http protocol and s_webport | url constructed with https protocol, s_webentryhost and s_active_webport
s_external_url | url constructed with http protocol and s_webport | url constructed with https protocol, s_webentryhost and s_active_webport

Step 9 - Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory.

Step 10 - Restart the middle tier services

Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the middle tier Apache services.

Step 11 - Customizations (optional)

In Release 12 we keep a non-ssl port open for those products which need to access some of their pages via the http protocol. If you wish to close this port and force all users to access your pages via the https protocol you can add a redirect rule to $INST_TOP/ora/10.1.3/Apache/Apache/conf/custom.conf:
RewriteRule ^/$ https://<servername.domain>:<port>/OA_HTML/AppsLogin [R,L]
Any updates you make to the custom.conf file will be preserved when Autoconfig is run.

Section 4: Database Tier Setup

Oracle products such as Oracle Configurator, iStore, Order Management, Order Capture, Quoting, iPayment, and Pricing, as well as the Oracle Applications Help System, access data over the Internet in HTTP or HTTPS connection mode. SSL for the Oracle Database Server (which acts as a client sending requests to the Web server) makes use of the Oracle Wallet Manager for setting up an Oracle wallet.
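The SSL related variables in Step 8 have to agree with each other (the ports, the protocols and the three constructed URLs all change together), and a half-finished edit is a common reason for a login page that still answers on http after Autoconfig. The following added example, which is not part of the Oracle note, reads a context file and reports every variable that disagrees with the Step 8 table, for both the direct-SSL and the SSL-accelerator column. The element names, host names and port numbers in the constructed samples are placeholders; only the oa_var attribute values matter to the check.

```python
"""Consistency check for the SSL related context-file variables of Section 3,
Step 8. Added example; not part of the Oracle note. Element names in the
constructed samples are placeholders: only the oa_var attribute is read."""
import xml.etree.ElementTree as ET

# Variable names from the "SSL Related Variables in the Context File" table.
PROTOCOL_VARS = ("s_url_protocol", "s_local_url_protocol", "s_webentryurlprotocol")
URL_VARS = ("s_help_web_agent", "s_login_page", "s_external_url")


def read_oa_vars(xml_text):
    """Map every oa_var attribute in the context file to its text value."""
    root = ET.fromstring(xml_text)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}


def check_ssl_context(xml_text):
    """Return a list of findings; an empty list means the SSL variables agree."""
    v = read_oa_vars(xml_text)
    findings = []
    if v.get("s_webentryurlprotocol") != "https":
        return ["s_webentryurlprotocol is not https: SSL is not enabled for the entry point"]

    if v.get("s_enable_sslterminator", "#") != "#":
        # Accelerator column: the accelerator terminates SSL, so OHS itself
        # stays on http and the public URLs point at the accelerator.
        for name in ("s_url_protocol", "s_local_url_protocol"):
            if v.get(name) != "http":
                findings.append(f"{name} should be http behind an SSL accelerator")
        host, port = v.get("s_webentryhost", ""), v.get("s_active_webport", "")
        for name in ("s_login_page", "s_external_url"):
            url = v.get(name, "")
            if not (url.startswith("https://") and host in url and f":{port}" in url):
                findings.append(f"{name} should use https, s_webentryhost and s_active_webport")
    else:
        # Direct column: SSL is terminated on the Oracle HTTP Server itself.
        for name in PROTOCOL_VARS:
            if v.get(name) != "https":
                findings.append(f"{name} should be https")
        ssl_port = v.get("s_webssl_port", "")
        if v.get("s_active_webport") != ssl_port:
            findings.append("s_active_webport should equal s_webssl_port")
        if v.get("s_https_listen_parameter") != ssl_port:
            findings.append("s_https_listen_parameter should equal s_webssl_port")
        for name in URL_VARS:
            url = v.get(name, "")
            if not (url.startswith("https://") and f":{ssl_port}" in url):
                findings.append(f"{name} should be an https url on s_webssl_port")
    return findings


# Constructed excerpt of a context file after Step 8 has been completed.
SSL_CONTEXT = """<oa_context>
  <url_protocol oa_var="s_url_protocol">https</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <activeWebPort oa_var="s_active_webport">4443</activeWebPort>
  <web_ssl_port oa_var="s_webssl_port">4443</web_ssl_port>
  <https_listen_parameter oa_var="s_https_listen_parameter">4443</https_listen_parameter>
  <helpweb_agent oa_var="s_help_web_agent">https://ebs.example.com:4443/OA_HTML/jsp/fnd/fndhelp.jsp</helpweb_agent>
  <login_page oa_var="s_login_page">https://ebs.example.com:4443/OA_HTML/AppsLogin</login_page>
  <externalURL oa_var="s_external_url">https://ebs.example.com:4443</externalURL>
  <sslterminator oa_var="s_enable_sslterminator">#</sslterminator>
</oa_context>
"""

# Same excerpt with two of the Step 8 changes forgotten.
HALF_DONE = (SSL_CONTEXT
             .replace(">4443</activeWebPort>", ">8000</activeWebPort>")
             .replace("https://ebs.example.com:4443/OA_HTML/AppsLogin",
                      "http://ebs.example.com:8000/OA_HTML/AppsLogin"))

# Constructed excerpt for the "Changes when using an SSL Accelerator" column.
ACCEL_CONTEXT = """<oa_context>
  <url_protocol oa_var="s_url_protocol">http</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <activeWebPort oa_var="s_active_webport">443</activeWebPort>
  <webentryhost oa_var="s_webentryhost">ssl-accel</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
  <sslterminator oa_var="s_enable_sslterminator"></sslterminator>
  <login_page oa_var="s_login_page">https://ssl-accel.example.com:443/OA_HTML/AppsLogin</login_page>
  <externalURL oa_var="s_external_url">https://ssl-accel.example.com:443</externalURL>
</oa_context>
"""

if __name__ == "__main__":
    for label, text in (("complete", SSL_CONTEXT), ("half done", HALF_DONE),
                        ("accelerator", ACCEL_CONTEXT)):
        print(label, check_ssl_context(text) or "OK")
```

Run it against $CONTEXT_FILE before Step 9; a non-empty result means Autoconfig would instantiate inconsistent URLs and ports.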

To enable SSL on the Database Tier you need only create a wallet. You do not need a server certificate for this wallet. If you were required to import your ca.crt into the middle tier wallet you will need to import it into this wallet also.

Step 1 - Create the wallet

After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory. Create a new wallet directory named: wallet. Navigate to the newly created wallet directory. Open the Wallet Manager as a background process:
owm &
On the Oracle Wallet Manager Menu navigate to Wallet -> New. Answer NO to: "Your default wallet directory doesn't exist. Do you wish to create it now?" The new wallet screen will now prompt you to enter a password for your wallet. Click NO when prompted: "A new empty wallet has been created. Do you wish to create a certificate request at this time?"

If you need to import ca.crt: On the Oracle Wallet Manager menu navigate to Operations -> Import Trusted Certificate. Double click on ca.crt to import it. Click OK.

Save the wallet: On the Oracle Wallet Manager Menu click Wallet. Verify the Auto Login box is checked. Click Save.

Step 2 - Test the wallet

To test that the wallet is properly set up and accessible, login to SQLPLUS as the apps user and execute the following:
select utl_http.request('[address to access]', '[proxy address]', 'file:[full path to wallet directory]', null) from dual;
where:
'[address to access]' = the url for your Oracle Applications Rapid Install Portal.
'[proxy address]' = the url of your proxy server, or NULL if not using a proxy server.
'file:[full path to wallet directory]' = the location of your wallet directory.
The final parameter is the wallet password, which is set to null by default.

NOTE: You must use the prefix 'file:' and only the directory is specified, not the actual wallet files.

Examples:
select utl_http.request('https://www.oracle.com:4443', null, 'file:/d1/oracle/db/tech_st/10.2.0/appsutil/wallet', null) from dual;
select utl_http.request('https://www.oracle.com:4443', 'http://proxy.com:80', 'file:/d1/oracle/db/tech_st/10.2.0/appsutil/wallet', null) from dual;

If the wallet has been properly set up, you will be returned the first 2,000 characters of the html page.

Section 5: Advanced SSL Configuration (Optional)

In Release 12 the Oracle Application Server environment is managed by OPMN (Oracle Process Monitoring and Notification services), which is a set of processes that include the Oracle HTTP Server and the OC4J containers (where J2EE processes run). In Release 12.1 we have introduced support for secure communication between these layers as well as for the SQL*Net layer. This advanced configuration is layered on top of the basic SSL configuration.

The instructions in this section are divided into 2 parts. The first part is for Oracle Application Server, the second part is for Encrypting Network Traffic using Advanced Security. Both parts are optional and interdependent. This gives you three options for advanced SSL configuration:
1. Oracle Application Server only.
2. Encrypting Network Traffic using Advanced Security only.
3. Both Oracle Application Server and Encrypting Network Traffic using Advanced Security.

Part 1 - ORACLE APPLICATION SERVER

OC4J supports SSL communication between Oracle HTTP Server and OC4J using AJPS. This is the secure version of Apache JServ Protocol, which is the protocol that Oracle HTTP Server uses to communicate with OC4J. Note: the AJPS protocol used between Oracle HTTP Server and OC4J is not visible to the end user.

There are 3 certificate options available to you when creating your keystore for the Advanced SSL Configuration:
1. Self-Signed Certificates. Self-signed certificates are appropriate to use for testing the Advanced SSL configurations. These are sometimes also used for Advanced SSL Configuration in a production environment, since you are effectively your own client. Be sure you understand the limitations of self-signed certificates when using them in any environment.
2. Certificates signed by a Certificate Authority such as Verisign, Thawte, etc. These certificates are appropriate for use in any environment and provide the highest level of security.
3. Certificates signed by the OracleAS Certificate Authority (see Section 8). These certificates were designed to be used within your Oracle Application Server environment.

Some steps will be slightly different if you are using Self-Signed Certificates. When a step contains a section for both Self-Signed Certificates and Certificates Signed by a Certificate Authority (including the OracleAS Certificate Authority, Verisign, Thawte, etc) be sure to follow the steps in the appropriate section.

Step 1 - Set Your Environment

Logon to the application middle tier as the OS user who owns the middle tier files. Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3 ORACLE_HOME variables. Remember: When working with wallets and certificates you MUST use the 10.1.3 executables.

Step 2 - Create your java keystore

1. Navigate to the web ssl directory as defined in the context file:
grep s_web_ssl_directory $CONTEXT_FILE
Note: Unless you have changed the default settings this should be the same directory as $INST_TOP/certs, which we will use in subsequent steps to identify this directory.
2. Create a new directory with the name j2ee and then change to this directory:
mkdir j2ee
cd j2ee
3. Determine the values for the following parameters which will be used when you create the keystore for your instance:
Parameter | Value
server | name of the server where you are creating the keystore
domain | the fully qualified domain of the server
password | In Release 12 the default keystore password is "changeit". Please make note of your password as you will need it when changing the default password in Step 5.
O | name of your Organization
L | your City or Locality
ST | your State or Province
C | your 2 letter Country Code
4. Create your keystore by entering the following command all on 1 line, substituting the appropriate parameters for your instance:
keytool -genkey -keyalg "RSA" -keystore server.jks -keypass password -storepass password -dname "cn=server.domain, ou=JKS, o=O, l=L, st=ST, c=C"
Note: We are using OU=JKS to distinguish this certificate from the Apache certificate. Since we have not specified an alias the default alias "mykey" will be used. You should now see the file server.jks in your directory.

Step 3 - Create your Certificate Request

A. Self-Signed Certificates
This step is applicable only if you are using self-signed certificates. You will sign the certificate in the keystore using the keytool's selfcert command. Enter the following all on 1 line, substituting the appropriate parameters for your instance:
keytool -selfcert -keystore server.jks -keypass password -storepass password -validity 365 -dname "CN=server.domain, OU=JKS, O=O, L=L, ST=ST, C=C"
After signing the certificate you will need to extract the certificate so it can be imported into the Apache and OPMN wallets. This will be done using the keytool list command:
keytool -list -rfc -keystore server.jks -storepass password
This command will return the following information:
Alias name: mykey
Creation date: Nov 21, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
MIICCzCCAXSgAwIBAgIER0SUrjANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEMMAoGA1UE
ChMDVFhLMQwwCgYDVQQLEwCBDAcxHzAdBgNVBAMTFmFwNjY2d2dzLnVzLm9yYWNsZS5jb20wHhcN
MDcxMTIxMjAyNzI2WhcNMDgwMjE5MjAyNzI2WjBKMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDVFhL
MQwwCgYDVQQLEwNBVEcxHzAdBgNVBAMTFmFwNjY2d2dzLnVzLm9yYWNsZS5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALaNY6QpChZPem7nXF7NJ5tmW1UFNqOgVW37fW4YiJH10yHKMLhB
zx6z9QxuJiNKiNzjckJ4KfnLp8xG58lZlubKPSei7yz1KJxeM8j39NbbIifsPYfqtT/EPdDDGK+B
kg0lK4c09TvxL93y0mFW7IG0PyqB0/ZTnBAcv2Fdyrg/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEA
R/EeD4iJXuYV5eQmkp64D/aguNeyGu4qn67tU+iGDjDNtaO1qTPbTiDngD/H8WpPjmxPcJxszp6z
fcKsFVgNmUC4js5U3DGA8Bcdl1ZGYvP7PUU0wZceHjD+KBB1sdV8KzL94OW41/RPXXUxIW6/UHRP
huFcDlIK2ExiXu7c5vw=
-----END CERTIFICATE-----
Copy the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save these lines as jks_ca.crt. If using self-signed certificates proceed to Step 4.

B. Certificates Signed by a Certificate Authority
To generate a certificate request enter the following command all on 1 line, substituting the appropriate parameters for your instance:
keytool -certreq -keystore server.jks -storepass password -file server.csr
Submit the file server.csr to your Certificate Authority. Note: if using Thawte as your Certificate Authority you should check the box: "PKCS #7 Select this option for servers that use Java JDK keystore - including Tomcat and Jetty." When you receive your signed certificate copy it to this directory ($INST_TOP/certs/j2ee) as jks_server.crt, along with the Certificate Authority's root certificate which should be renamed jks_ca.crt and the Authority's intermediate certificate (if applicable) which should be renamed jks_intca.crt. Note: we are naming the certificate jks_server.crt to distinguish it from the Apache server.crt. If you want to create the jks_ca.crt and/or jks_intca.crt file you can do so by following the directions in Section 7: Creating your Certifying Authority's Certificate. If your certificates were signed by a Certifying Authority continue with Step 4 B.

Step 4 - Add your Signed Certificate to the Keystore

A. Self-Signed Certificates
This step is not applicable for self-signed certificates. You will not have a signed certificate to add to the keystore. Continue with "C. Either Type Certificate".

B. Certificates Signed by a Certificate Authority
This step is not applicable if you are using self-signed certificates. In Step 3 you copied jks_ca.crt, jks_intca.crt, and jks_server.crt to the $INST_TOP/certs/j2ee directory. Now you will use the import command to add them to the keystore, substituting the appropriate parameters for your instance:
keytool -import -alias myca -keystore server.jks -storepass password -file jks_ca.crt
keytool -import -alias myintca -keystore server.jks -storepass password -file jks_intca.crt
keytool -import -keystore server.jks -storepass password -file jks_server.crt
Enter "yes" when prompted with: Trust this certificate? [no]: yes
Note: You may not have an intermediate ca certificate. It will depend on the Certifying Authority and certificate type. We are not specifying an alias when importing jks_server.crt. The default alias "mykey" will be used. (This is because the -dname on the certificate matches the -dname on the key when the keystore was created.)

C. Either Type Certificate
This step is applicable for both self-signed certificates and certificates which have been signed by a certifying authority. If you used a different Certificate Authority for your Apache Wallet than you used for the j2ee Java Keystore you will need to import the Apache Wallet's root CA Certificate into the keystore so it will be recognized as a trusted Certifying Authority. If this is not done, you will get handshake errors. To import the certificate for a Certifying Authority into your keystore:
1. Copy the $INST_TOP/certs/Apache/ca.crt file to the $INST_TOP/certs/j2ee directory.
2. Add ca.crt to the keystore:
keytool -import -alias ApacheCA -file ca.crt -trustcacerts -v -keystore server.jks -storepass password
Enter "yes" when prompted with: Trust this certificate? [no]: yes

You can use either of the following commands to see the contents of your keystore. The -list command by default prints the MD5 fingerprint of a certificate. If the -v option is specified, the certificate is printed in human-readable format:
keytool -list -keystore <keystore> -storepass <password>
keytool -list -v -keystore <keystore> -storepass <password>
For more information on the keytool see: http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html

Step 5 - Add the Keystore CA Certificates to the Apache and OPMN Wallets (conditional)

This step is only necessary if you have used self-signed certificates to create the keystore OR you used different Certifying Authorities for the keystore and Apache Wallet. Copy $INST_TOP/certs/j2ee/jks_ca.crt to both the $INST_TOP/certs/Apache and $INST_TOP/certs/opmn directories, and add it to each wallet using the orapki command line interface:
orapki wallet add -wallet . -trusted_cert -cert jks_ca.crt -pwd <your wallet password>

Step 6 - Stop the Middle Tier Services

Use the adstpall.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory to stop all services.

Step 7 - Update the Context File

Use the Oracle Applications Manager (OAM) Context Editor to change the SSL related variables as shown in this table:

Advanced SSL Related Variables in the Context File
Variable | Non-SSL Value | Advanced SSL Value
s_oc4j_secure | false | true
s_ajp_protocol | ajp | ajps
s_forms_tracking_cookies | disabled | enabled
s_oc4j_ssl | off | on

Step 8 - Run Autoconfig

If you have upgraded to Release 12.1 by applying the 12.1 patchset to a previous release you will need to delete the following files so that the new versions will be instantiated when autoconfig runs. If you have made any customizations to these files (custom user credentials, etc) be sure to back the files up before deleting so you can re-add your customizations to the new files.
$ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config/system-jazn-data.xml
$ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config/system-jazn-data.xml
$ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml
Note: Deleting these 3 files is not necessary if you used the 12.1 Rapid Install.

Run autoconfig using the adautocfg.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory. Update the newly instantiated files with your previous customizations if required.

Step 9 - Update the Keystore Password in the system-jazn-data.xml files

A. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config directory and follow these steps:
1. Open the system-jazn-data.xml file in the editor of your choice.
2. Find the lines in the <users> section that read:
<user>
  <name>oc4jkeystoreadmin</name>
  <display-name>OC4J keystore admin user</display-name>
  <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
  <description>E-Business OC4J keystore admin user</description>
  <credentials>{903}Gfqv+nvfuUrfiQpcW7XcpptrOknyC0nj</credentials>
</user>
Note: the guid and credentials will be different on your system.
3. Change the <credentials> line to read:
<credentials>!password</credentials>
where password = the password you assigned when you created your keystore. Be sure to include the !. This will encrypt the password the next time the service is started. Example:
<user>
  <name>oc4jkeystoreadmin</name>
  <display-name>OC4J keystore admin user</display-name>
  <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
  <description>E-Business OC4J keystore admin user</description>
  <credentials>!password</credentials>
</user>
4. Save the file and exit.
B. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config directory and repeat steps 1-4.
C. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config directory and repeat steps 1-4.

Step 10 - Restart the Middle Tier Services

Use the $ADMIN_SCRIPTS_HOME/adstrtal.sh script to restart the middle tier services. If there are any issues logging into Oracle Applications or launching Forms these should be resolved before proceeding if you have chosen to also implement SQL*Net Encryption. Advanced SSL Configuration for the Oracle Application Server is now complete.

Part 2 - ENCRYPTING NETWORK TRAFFIC USING ADVANCED SECURITY

To configure the E-Business Suite Release 12 to encrypt network traffic sent over the TNS protocol we use the Advanced Networking Option (ANO) that is part of the Advanced Security Option (ASO) of the database and included with the Release 12.1 E-Business Suite Technology Suite. TNS (Transparent Networking Substrate) is an Oracle protocol running on top of a number of supported network protocols, typically TCP/IP. ANO/ASO encryption prevents sending TNS traffic "in-the-clear" over a network connection. Although ANO/ASO supports a number of different encryption algorithms, the supported algorithms are version dependent. For Release 12 certification the server's preference is set to AES256.

Advanced security encryption can be configured, based on a combination of client and server configuration parameters, as REJECTED, ACCEPTED, REQUESTED or REQUIRED. The following matrix, taken from the database documentation, shows how a connection attempt will succeed or fail to provide an encrypted connection with various combinations of the ENCRYPTION_CLIENT and ENCRYPTION_SERVER parameters in the sqlnet.ora file on client and server.

Client \ Server | REJECTED | ACCEPTED | REQUESTED | REQUIRED
REJECTED | OFF | OFF | OFF | No Connection
ACCEPTED | OFF | OFF | ON | ON
REQUESTED | OFF | ON | ON | ON
REQUIRED | No Connection | ON | ON | ON

Oracle has certified EBS Release 12 with the server parameter set to REQUIRED. The remainder of this section will help you enable the encryption in each of the different ORACLE_HOMEs in an EBS deployment; this ensures that all EBS TNS network traffic is being encrypted.

CERTIFICATION: This configuration is certified for Oracle Applications Release 12 using Forms Listener Servlet (the default mode) on the following platforms: Linux-x86, Windows-32, Solaris-32, AIX4-32.

Appendix A - Using Network Traffic Encryption contains information on Enabling Trace, Verifying ANO is Functioning Correctly, and the Types of Encryptions Allowed and Supported.

Step 1 - Shutdown Middle Tier Server Processes and Database Listener

On the database server node, shut down the database listener:
$ORACLE_HOME/appsutil/scripts/<sid_machine>/addlnctl.sh stop <ORACLE_SID>
On each middle tier server, shut down all processes or services:
$ADMIN_SCRIPTS_HOME/adstpall.sh <apps user>/<apps password>

Update the sqlnet files on each Middle Tier

Logon to the Middle Tier server as the file system owner. Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory. Take a backup of the $TNS_ADMIN/sqlnet.ora and sqlnet_ifile.ora files on each Middle Tier. We keep the ANO/ASO directives in the sqlnet_ifile.ora to isolate them from any future autoconfig updates that affect the sqlnet.ora file. Use the editor of your choice to create the sqlnet_ifile.ora; the sqlnet.ora references it through the IFILE directive:

###############################################################
# sqlnet.ora file for middle tier sqlnet encryption with Advanced SSL Configuration
###############################################################
IFILE = <full path to TNS_ADMIN>/sqlnet_ifile.ora

###############################################################
# sqlnet_ifile.ora for middle tier sqlnet encryption with Advanced SSL Configuration
###############################################################
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256, AES192)

The ENCRYPTION_CLIENT parameter defaults to ACCEPTED: if the value is not set and the parameter on the DB server is set to REQUIRED, the connection is still encrypted (see the matrix above). The crypto seed takes up to 70 alphanumeric characters of your choice; the characters that form the value of this parameter are used when generating cryptographic keys, so the more random the characters entered for the crypto seed, the more random the resulting key and therefore the stronger the keys are.

Step 4 - Update the Context File

Use the Oracle Applications Manager (OAM) Context Editor to change the SSL related variables on each middle tier server as shown in this table:

Advanced SSL Related Variables in the Context File
Variable | Non-SSL Value | Advanced SSL Value
s_custom_dbc_params | (not set) | ENCRYPTION_CLIENT=REQUIRED ENCRYPTION_TYPES_CLIENT=(3DES168)
Note: This step sets the configuration for JDBC client connections and is OPTIONAL.

Step 6 - Run Autoconfig (conditional)

If you updated the context file in Step 4 you now need to run autoconfig on each middle tier server:
$ADMIN_SCRIPTS_HOME/adautocfg.sh

After the changes have been made, restart the listener on the database server node with $ORACLE_HOME/appsutil/scripts/<sid_machine>/addlnctl.sh, and restart all processes and services on each middle tier server:
$ADMIN_SCRIPTS_HOME/adstrtal.sh
Open the $TNS_ADMIN/sqlnet_ifile.sh <apps user> / <apps password> The Applications will be unavailable to users until the remaining tasks in this section are completed. The connection will cont error and the security service enabled as long as an encryption or integrity algorithm match is found.CRYPTO_SEED=[crytpo seed] Note: Oracle Corporation recommends that you enter as many characters as possible. AES192.DB Tier Changes Logon to the DB Tier server as the file system owner.ENCRYPTION_TYPES_SERVER=(AES256. the Oracle Applications Middle Tier installations do not have either a sqlnet.sh appspass=<apps password> Check the autoconfig log file for errors.ENCRYPTION_SERVER=REQUIRED SQLNET.sh start <ORACLE_SID> Step 3 . Step 4 . The more random the characters entered into this field are.Restart the Middle Tier Services On each middle tier server. Source the DB Tier environment file located in Oracle Home directory.ora file with the following lines: ############################################################### # # sqlnet. 3DES168) SQLNET.ora file.ora file with the editor of your choice and add the following lines replacing [crypto seed] with a string consisting of 10 . 3DES168) SQLNET. Navigate to the $TNS_ADMIN directory. Source your middle tier environment file (APPS<sid_machine>.ora file so we will need create these.ora Use the editor of you choice to create the sqlnet_ifile. the JDBC client connection value will be ACCEPTED (which is the default value).CRYPTO_SEED=somelongandrandomstringfordeploymentUpTo70characters Note: the SQLNET.CRYPTO_SEED does not need to be the same as used on the db tier.ENCRYPTION_CLIENT=REQUIRED SQLNET.Create $TNS_ADMIN/sqlnet. Step 5 .ora file with the following lines: ############################################################### # # sqlnet_ifile.

and ca. On Details tab click Copy to File. Create a new directory called custom c. Step 2 . On the Certification Path tab click on the first (top) line and then View Certificate. Click Next to continue.conf file .key.1.1 . d.only TLS v1. Select Base-64 encoded X.crt -key .3/Apache/Apache/conf/ssl.CER) and click next. Navigate to the $FND_TOP/admin/template directory b.txt file located in the ORACLE_HOME/sysman/config directory: cat ca.0 protocol is no longer enabled .Set Your Environment Logon to the application middle tier as the OS user who owns the middle tier files. Copy ca. Step 3 . #SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP # # Adding the following directives per recommendation from apps security # SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM e. When work ing with wallets and certificates you MUST use the 10.delta. -ssowallet yes If your server certificate was issued by a Certifying Authority other than Verisign. or RSA Data Security you'll also need to add it to b64InternetCertificate.Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 and be sure you are comfortable with and understand the concepts befor 2. Copy either ssl_conf_1013.crt to your PC (if necessary) using one of the following methods: ftp (in binary mode) server.TXK. We now permit only strong ciphers (minimum of 12 v2.crt and paste into notepad on the PC. this will start the export wizard./ca.tmp (Unix) or ssl_conf_1013_nt.env file to set your 10.B. GTE. It can also be licensed separately as an option for the Oracle Application Server 10g Standard For more information please refer to the Oracle Application Server Certificate Authority 10g White Paper.Copy your Certificates Copy server. On the Middle Tier(s): a.Issue the command: $ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert .TXK./server.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.0 and SSL v3.delta.1. server.3 ORACLE_HOME variables.B. 
Save the file as ca.crt to the $INST_TOP/certs/Apache directory.crt -wallet . Save the file as server.0 are allowed. I Identity Management option and is bundled with the Oracle Application Server 10g Enterprise Edition. Click Browse and navigate to the directory of your choice.crt as the name and click ok to export the certificate. Close the wizard. Navigate to the $INST_TOP/ora/10.3 (patch 8919489) we have modifed the configuration files according to recommendations made by the APPS Security Team.crt Double click on server.1.3 you may do instructions: 1.key -cafile .crt to your middle tier wallet directory copy the contents of ca.1. Review Note 387859.1.crt >> <10.crt Copy server. Entrust.crt.3 and source the <sid_machine>. Enter ca.509 (.crt back to your wallet directory (if necessary) using one of the following methods: ftp (in binary mode) ca.crt Section 8: Oracle Application Server Certificate Authority The Oracle Application Server Certificate Authority is a Certificate Authority (CA) for use within your Oracle Application Server environment where you are essentially both the client and the server.crt to your pc copy the contents of server.crt and paste into a new file in your middle tier wallet directory using a text editor. Section 9: Disabling SSLv2 and Weak Ciphers In R12.3 executables.Section 6: Converting Existing Certificates If you have existing un-expired certificates from a previous implementation of SSL in Release 11i they can be converted and imported into a Release 12 wallet using the tools: SSL2OSSL (Unix) SSLCONVERT (Windows NT/2000) Step 1.tmp (Windows) to the $FND_TOP/admin/template/custom directory. 
Edit the file in the $FND_TOP/admin/template/custom directory and make these changes: Find and comment (using #) the line that reads: SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP Immediately below add these lines: # # Adding the following directives per recommendation from apps security # SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM Your file should now look like this: # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. Run autoconfig f./server. If you wish to take advantage of this increased security before you ready to upgrade to R12.txt Section 7: Creating your Certifying Authority's Certificate To create ca.crt to open it with the Cyrpto Shell Extension. Verify the change is present in your $INST_TOP/ora/10.

using AES256 The connections using AES256 are generated by the executables linked to the OCI C libraries (sqlplus. You will see these files getting generated even when only the database and its tnslistener are running.1 oracle dba 70609051 Sep 24 14:20 svr_29270. using 3DES168 exit Note: If you have not defined a tnsnav. na_tns: na_tns: na_tns: .. using 3DES168 svr_29144. then the following message will appear in the sqlnet trace (. Stop and restart the Mid Tier services. If one side of not specify an algorithm list. Note(s): We have not tested which clients (browsers) do not work with stronger ciphers or SSLv3 / TLSv1.ora file. These files are generated for connections originating from the da database instance itself.ora Some of the trace files are small.trc svr_29144. Once satisfied that TNS traffic is encrypted.ora file on the clients and the servers on the network.ORA file. and thus do not traverse the network.. and picks the first algorithm in its own list that also appears in the client list./trace $ ls -ltr | -rw-r--r--rw-r--r--rw-r--r-awk '$5 > 3000 && $5 1 oracle dba 3601 1 oracle dba 3062 1 oracle dba 3062 < 4000' | tail -3 Sep 24 13:57 svr_13815.1 oracle dba 763726186 Sep 24 14:20 svr_29144. if any.ora file.... it is possible for both the client and server to each support more than one encryption algorithm and more than one integrity algorithm.. The server searches for a match between the algorithms available on both the client and the server. from those algorithms specified in its sqlnet.trc Sep 24 13:58 svr_13817. Types of Encryptions that are Allowed and Supported This section provides you with background information – taken from the database documentation – that will help you understand now the selection of encryption algorithms takes place on a p You do not have to use this information. Note: tracing at this level generates many large files in the trace directory. 
You may have to mak e changes to your client (browser) settings to enable the use of SSLv3 and TLSv1.1 oracle dba 28427064 Sep 24 14:20 svr_11547. Verifying that ANO is Functioning Correctly After enabling tracing. You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms and either or both of the available integrity algorithms Only one encryption algorithm a . and they will contain "encryption is active. In the trace directory you will see a number of trace files with names such as svr_NNNNN.trc:[20-SEP-2007 16:47:20:369] na_tns: encryption is active. $ cd $TNS_ADMIN/. check the trace files in the appropriate directories to verify that ANO functionality is in use: Review the resulting sqlnet trace (. and they do not contain any information concerning enabled encryption. Below is section of a trace file where encryption is being successful used: .." messages./. approximately 3kb.trc) files. There will be two different algorithms in use.trc) file and can be safely ignored: nrigbni: Unable to get data from navigation file tnsnav..ora file and bounce the tnslistener.) and the 3DES168 connections originate from the connection interface. using CRYPTOALGORITHM.Using Network Traffic Encryption 1. the following SQLNET parameters should be added to the SQLNET. TRACE_DIRECTORY_SERVER= < a valid directory to which the OS user running the listener can write to> TRACE_LEVEL_SERVER= 16 TRACE_UNIQUE_SERVER= ON TRACE LEVEL can be set to the level of tracing required.... FNDLIBR. 2. When a connection is made which algorithm to use. 3DES168 and AES256 $ cd $TNS_ADMIN/trace $ ls -ltr | tail -3 -rw-r--r-.trc $ grep 'encryption is active' svr_29270.trc Other files are larger. you can use the sample configuration examples earlier in the document.trc Sep 24 13:59 svr_13819.trc:[20-SEP-2007 16:47:20:369] na_tns: encryption is active. using 3DES168 svr_29270.trc -rw-r--r-. uncomment (or remove) the lines relating to tracing from sqlnet. RCVOLTM. 
all the algorithms installed on that side are acceptable. ACTIVATING ENCRYPTION AND INTEGRITY In any network connection.trc -rw-r--r-.. How to Enable Tracing Tracing is a helpful tool that will enable you to verify that encryption is active and/or help diagnose where errors are ocurring during the transactions. The connection fails with error message ORA-12650 if either side specifies an algorithm that is not instal Encryption and integrity parameters are defined by modifying the sqlnet.. some quite large. You should only run in tracing mode while verifying that encryption takes place. However if you wish to use different algorithms or have 3rd party tools that do encryption you will have to create your own configuration files. To enable tracing.trc svr_29270.trc.trc svr_29270. Appendix A .g.trc:[20-SEP-2007 16:46:48:914] na_tns: encryption is active. 3. The tns listener must be bounced for the trace setting to take effect. authentication is not active encryption is active.

. The four value of increasing security.o. The security service is enabled if the other side specifies ACCEPTED. but it is enabled if the other side is set to REQUIRED or REQUESTED. If the other side is set to REQUIRED and no algorithm connection terminates with error message ORA-12650. this side of the connection does not require the security service. REQUESTED There must be a matching algorithm available on the other side--otherwise the service is not enabled. this side of the connection specifies that the security service must be enabled. In this scenario. Installed Oracle Net transport protocols b. this side of the connection specifies that the security service is not permitted. NEGOTIATING ENCRYPTION AND INTEGRITY To negotiate whether to turn on encryption or integrity. the connection continues without error and with the security service enabled.may be safely ignored: Error!!! SDP/IB is not completely installed! Present in libntcp10. $ORACLE_HOME/bin/adapters will display a list of the encryption options available for the following: a. Error!!! Oracle Names Server Naming is not completely installed! Change Log . Displaying the encryption options available from the Tools and Database ORACLE_HOME. Installed Oracle Advanced Security options Note: The following errors -if received . Oracle Corporation recommends that you select algorit lengths in the order in which you prefer negotiation--probably with the strongest k ey length first. If the other side is set to REQUIRED an encryption or integrity algorithm match is found. this side of the connection specifies that the security service is desired but not required. the connection continues without error and with service enabled. In this scenario. Installed Oracle Net naming methods c. you can specify four possible values for the Oracle Advanced Security encryption and integrity configuration parameters. REQUESTED Select this value to enable the security service if the other side permits it. 
In this scenario.algorithm is used for each connect session. but missing from ntcontab. NOTE: Advanced Security selects the first encryption algorithm and the first integrity algorithm enabled on the client and the server. If either the server or client has specified REQUIRED algorithm causes the connection to fail. the REQUIRED Select this value to enable the security service or preclude the connection. After setting your environment to either the Tools or Database ORACLE_HOME using the "adapters" command: . REJECTED Select this value if you do not elect to enable the security service. or if the other side is set to ACCEPTED or REJECTED. ACCEPTED. If the other side specifies REQUIRED and there is no matching algorithm.. The connection fails if the other side specifies REJECTED or if there is no compatible algorith The following table shows whether the security service is enabled. In this scenario. and the value REQUIRED provides the maximum REJECTED ACCEPTED REQUESTED REQUIRED The default value for each of the parameters is ACCEPTED. based on a combination of client and server configuration parameters. the connection terminates with error message ORA-1265 set to REQUESTED. Encryption and Data Integrity Negotiation Table Client REJECTED S e r v e r REJECTED ACCEPTED REQUESTED REQUIRED OFF OFF OFF Connection fails ACCEPTED REQUESTED REQUIRED OFF OFF ON ON OFF ON ON ON Connection fails ON ON ON 4. The value REJECTED provides the minimum amount of security between client and server communications. the connection continues without error and without the security service enabled. ACCEPTED Select this value to enable the security service if required or requested by the other side. If the other side is set to REQUESTED and no algorithm match is found. lack of a common service algorithm results in the service being disabled. or REJECTED. even if required by the other side. If the other side is set to REQUIRED. if the service is enabled. Otherwise.
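As an added example (not Oracle's code or part of the white paper), the negotiation rules of Appendix A and the Part 2 settings modelled in Python: INSTALLED is an assumption standing in for "all algorithms installed on that side", and the sqlnet text and trace lines are constructed samples built from the values shown above.

```python
"""Oracle Advanced Security (ANO) encryption negotiation, as described in
Part 2 and Appendix A, modelled in Python.  Added example, not Oracle's
code: the levels, parameter names and the AES256/AES192/3DES168 lists are
the page's; INSTALLED is an assumption standing in for "all algorithms
installed on that side"; the sqlnet text and trace lines are constructed."""
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
INSTALLED = ("AES256", "AES192", "3DES168")   # assumed installed set

def parse_sqlnet(text, side):
    """Read SQLNET.ENCRYPTION_<side> and SQLNET.ENCRYPTION_TYPES_<side> from
    sqlnet.ora-style text; default level ACCEPTED, empty list = all installed."""
    level, algs = "ACCEPTED", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(rf"SQLNET\.ENCRYPTION_TYPES_{side}\s*=\s*\((.*)\)", line, re.I)
        if m:
            algs = [a.strip().upper() for a in m.group(1).split(",") if a.strip()]
            continue
        m = re.match(rf"SQLNET\.ENCRYPTION_{side}\s*=\s*(\w+)", line, re.I)
        if m:
            level = m.group(1).upper()
    return level, algs

def negotiate(client, server, client_algs=(), server_algs=()):
    """Return ("ON", algorithm), ("OFF", None) or ("ORA-12650", None): levels
    follow the negotiation table, then the server takes the first entry of
    its own list that also appears in the client's list."""
    if client not in LEVELS or server not in LEVELS:
        raise ValueError("unknown negotiation level")
    if any(a not in INSTALLED for a in (*client_algs, *server_algs)):
        return ("ORA-12650", None)                     # algorithm not installed
    required = "REQUIRED" in (client, server)
    if "REJECTED" in (client, server):
        return ("ORA-12650", None) if required else ("OFF", None)
    if client == server == "ACCEPTED":
        return ("OFF", None)                           # nobody asked for it
    c_list = list(client_algs) or list(INSTALLED)
    match = next((a for a in (server_algs or INSTALLED) if a in c_list), None)
    if match:
        return ("ON", match)
    return ("ORA-12650", None) if required else ("OFF", None)

# Part 2 settings, as constructed sqlnet text (CRYPTO_SEED is a placeholder).
DB_TIER_IFILE = """SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256, AES192, 3DES168)
SQLNET.CRYPTO_SEED=[crypto seed]"""
MID_TIER_IFILE = """SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256, AES192, 3DES168)"""
JDBC_DBC_TYPES = ["3DES168"]   # s_custom_dbc_params ENCRYPTION_TYPES_CLIENT

def predict_ebs_algorithms():
    """Algorithm each class of EBS client should negotiate with the DB tier:
    OCI programs (sqlplus, FNDLIBR) use the mid-tier sqlnet_ifile.ora, JDBC
    uses s_custom_dbc_params if set, otherwise the ACCEPTED default."""
    s_level, s_algs = parse_sqlnet(DB_TIER_IFILE, "SERVER")
    c_level, c_algs = parse_sqlnet(MID_TIER_IFILE, "CLIENT")
    return {
        "oci": negotiate(c_level, s_level, c_algs, s_algs),
        "jdbc_custom": negotiate("REQUIRED", s_level, JDBC_DBC_TYPES, s_algs),
        "jdbc_default": negotiate("ACCEPTED", s_level, (), s_algs),
    }

TRACE_RE = re.compile(r"na_tns: encryption is active, using (\w+)")

def algorithms_in_trace(lines):
    """Algorithms reported by 'encryption is active' lines of a sqlnet trace,
    to compare with predict_ebs_algorithms() after enabling tracing."""
    return {m.group(1) for m in map(TRACE_RE.search, lines) if m}
```

Running predict_ebs_algorithms() reproduces the split seen in the trace files above: OCI connections negotiate AES256 (the server's first preference) and JDBC connections with s_custom_dbc_params set negotiate 3DES168.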

Change Log

Note 376700.1 by Oracle E-Business Suite Development. Last updated: August 12, 2010. Revision dates recorded: Aug 12, 2010; Oct 28, 2009; Dec 23, 2008; Nov 5, 2008; Nov 3, 2008; Oct 7, 2008; July 17, 2008; May 1; Oct 4, 2007; July 20, 2007; Jan 24, 2007 (initial creation). Revision descriptions:

- Added Section 9 - Disabling SSL v2 and Weak Ciphers.
- Updated for Release 12.1 and Advanced SSL Configuration.
- Modified SSL Accelerator changes.
- Added note that use of the Forms Server Listener with ConnectMode=https is not supported.
- Updated iHelp url settings.
- Added custom.conf section.
- Added ANO/ASO and Appendix A.
- Added Discoverer Notes.
- Processed remarks and added Certificate Provisioning for XML Publisher or Business Intelligence Publisher.
- Published 12.1 updates to Metalink.
- Initial creation.

Copyright (c) 2007, 2010, Oracle. All rights reserved.