
TLS 1.2 Configuration for
Oracle E-Business Suite 12.2 and 12.1

Eric Bing, Senior Director, Security


Elke Phelps, Senior Principal Product Manager, Applications Technology
E-Business Suite Development
Oracle

OAUG EBS Security SIG Webinar


May 24, 2017

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |


TLS 1.2 for Oracle E-Business Suite 12.2 and 12.1

1. Migrating from SSL/TLS 1.0 to TLS 1.2

2. Enabling TLS for the first time

Steps performed for both scenarios may differ depending upon


• Enabling/Migrating is the same for EBS 12.1 for inbound
connections due to OpenSSL
• Special considerations for inbound, outbound & loopback
• Optional configurations
MOS Note 1367293.1 and 376700.1



Program Agenda

1 Review Key Terminology and Concepts


2 TLS 1.2 Certification with EBS 12.2 and 12.1
3 Overview of Key Prerequisites and Configuration Steps
4 Optional Configurations
5 TLS 1.2 Configuration Checklist



Program Agenda

A SSL vs TLS
B HTTPS Connections in Oracle E-Business Suite



Transport Layer Security (TLS) vs Secure Socket Layer (SSL)
Review
• TLS is the successor to SSL; HTTPS is HTTP working on top of TLS
• TLS (1.2) is what we will talk about for Oracle E-Business Suite going forward
• SSL 3.0 is no longer recommended (dead)
• TLS creates an encrypted connection between two machines allowing for private
information to be transmitted without the problems of eavesdropping, data tampering,
or message forgery
• Industry standards mandating the move to TLS 1.2
– OMB NIST mandate (800-52 rev1) to move to TLS 1.2
– PCI council (PCI DSS v3.1) requires new implementations to be on at least TLS 1.1
• Migrate to a minimum of TLS 1.1, preferably TLS 1.2 by June 2018



“everything less than TLS 1.2 … is
cryptographically broken”

– Adam Langley, Google Chrome



TLS Addresses Recent Security Vulnerabilities
• POODLE
– Padding Oracle On Downgraded Legacy Encryption
– Migration to TLS (SSLv3 is turned off)
• FREAK, Logjam, RC4-NO-MORE
– Factoring Attack on RSA-EXPORT Keys
– Weak DH parameters (<2048), RC4
– Disable weak cipher suites
– Strong cipher suites
• For example, EBS R12.2 (FMW 11.1.1.9), available with TLS 1.2:

[000a] RSA_DES_192_CBC3_SHA
[002f] RSA_WITH_AES_128_SHA
[0035] RSA_WITH_AES_256_SHA
[003c] RSA_WITH_AES_128_CBC_SHA256
[003d] RSA_WITH_AES_256_CBC_SHA256
[009c] RSA_WITH_AES_128_GCM_SHA256
[009d] RSA_WITH_AES_256_GCM_SHA384

EBS 12.2 Roadmap: Elliptic curve cipher suites



HTTPS Connections in Oracle E-Business Suite
• Inbound connections from a client to the Oracle HTTP Server
• Loopback connections from Oracle E-Business Suite to itself
• Outbound connections from Oracle E-Business Suite to External Site(s)

[Diagram: Internet user, external application node (DMZ), internal application node, intranet user, EBS database, external site]



Examples of HTTPS Connections in Oracle E-Business Suite

Inbound Connections
• Browser access
• Forms access
• Incoming XML Gateway message
• Mobile access via a REST service

Loopback Connections
• Workflow notification emails from Concurrent Manager tier
• Payment call back from database tier
• OAM log viewer

Outbound Connections
• Punchout in iProcurement
• XML Gateway connection to a partner application
• Payments credit card processing



Program Agenda

A What’s New with the Certification of EBS with TLS 1.2?


B Special Considerations for Inbound, Outbound & Loopback



What’s New with the Certification of EBS and TLS 1.2?
• Oracle E-Business Suite Release 12.2 and 12.1 Certified with TLS 1.2
– “TLS 1.2 with Backward Compatibility” aka “TLS 1.2 w/BC”
– Mandatory prerequisites and configuration
• Oracle E-Business Suite Release 12.1 Uses OpenSSL
– Provides TLS 1.2 support in OHS
• Optional Configurations
– Configuring “TLS 1.2 Only”
– Disabling HTTP Port
– Enabling TLS from Oracle HTTP Server (OHS) to Application Server (WLS/OC4J)

What’s New with the Certification of EBS and TLS 1.2?

EBS 12.2
– MOS Note 1367293.1: New Structure and Content for TLS 1.2
– MOS Note 2143101.1 (New Note ID): Content for SSLv3 and TLS 1.0; for reference only for existing SSL/TLS 1.0 customers

EBS 12.1
– MOS Note 376700.1: New Structure and Content for TLS 1.2
– MOS Note 2143099.1 (New Note ID): Content for SSLv3 and TLS 1.0; for reference only for existing SSL/TLS 1.0 customers



Special Considerations - Inbound Connections
TLS Termination

A TLS termination point is the end-point server for the encrypted connection that has been initiated by a client

Option 1: OHS as the TLS Termination Point

Option 2: Alternate TLS Termination Point (e.g., load balancer or reverse proxy)



Special Considerations - Inbound Connections
Option 1

• OHS is the TLS termination point


• Configuration requirements
– OHS as the TLS Termination Point



Special Considerations - Inbound Connections
Option 2

• Alternate TLS termination point
– Load Balancer
– Reverse proxy
• Configuration requirements
– Load balancer must behave as TLS Termination Point
• You should also encrypt the connection to OHS, referred to as End-to-End Encryption
– Certified for EBS 12.2 and EBS 12.1

[Diagram: load balancer in front of Web Node 1, Web Node 2 and Web Node 3]



Outbound & Loopback Connections – Client Truststores
A truststore is a collection of root CA certificates, indicating who the client trusts to issue trusted server certificates
– Clients need the root certificate information of all servers they communicate with
– Database calls via UTL_HTTP use a wallet as truststore
– The Java application tier uses a variety of truststores (JKS files, PEM file)
• Loopback connection clients must trust the root CA certificate configured on EBS's web entry point
• Outbound connection clients (punchout, XML gateway…) must trust the root CA certificate configured on the remote site
MOS Note 1367293.1 and 376700.1



Program Agenda

A EBS 12.2: Migrating/Enabling TLS 1.2 w/BC


B EBS 12.1: Migrating/Enabling TLS 1.2 w/BC



How EBS Works After Enabling/Migrating to TLS 1.2 w/BC
• EBS 12.2 and 12.1 are configured to use TLS 1.2, 1.1 or 1.0
• Connection will use the highest version of TLS enabled by the two parties

[Diagram: the Internet user's browser, the intranet user's browser and the external site all support TLS 1.2; each connection is established using TLS 1.2]

MOS Note 1367293.1 and 376700.1, Section 4.2



How EBS Works After Enabling/Migrating to TLS 1.2 w/BC
• EBS 12.2 and 12.1 are configured to use TLS 1.2, 1.1 or 1.0
• Connection will use the highest version of TLS enabled by the two parties

[Diagram: a browser that supports TLS 1.2 connects using TLS 1.2; a browser that supports TLS 1.1 connects using TLS 1.1; the connection to an external site that supports TLS 1.0 is established using TLS 1.0]

MOS Note 1367293.1 and 376700.1, Section 4.2



EBS 12.2: Migrating from SSL/TLS1.0 to TLS 1.2 w/BC
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Make configuration changes in the middle tier
– Inbound (Section 5.2)
• Specify TLS protocol versions and cipher suites in opmn.xml, admin.conf, and ssl.conf
– Loopback and outbound (Section 5.3)
• JVM parameter for all managed servers and the WebLogic administration server
– “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2”

MOS Note 1367293.1



EBS 12.2: Enabling TLS w/BC
Customers implementing encryption for the first time should follow Section 5
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create a wallet and request a server certificate
• Make configuration changes in the middle tier for
inbound/loopback/outbound connections
• Set up a wallet in the database tier
MOS Note 1367293.1



EBS 12.1: Migrating from SSL/TLS 1.0 to TLS 1.2 w/BC
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create an OpenSSL configuration file and request a server certificate
• Make configuration changes in the middle tier
– Inbound (Section 5.2)
• Specify TLS protocol versions and cipher suites in a few custom templates
– Loopback and outbound (Section 5.3)
• Set https.protocols=TLSv1,TLSv1.1,TLSv1.2 in a few custom templates

MOS Note 376700.1



EBS 12.1: Enabling TLS 1.2 w/BC
Customers implementing encryption for the first time should follow Section 5
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create an OpenSSL configuration file and request a server certificate
• Make configuration changes in the middle tier for
inbound/loopback/outbound connections
• Set up a wallet in the database tier

MOS Note 376700.1



EBS 12.1: Key Requirements for TLS 1.2 and OpenSSL
• FMW 10.1.3.5 One Off Patches
– OHS patch 24483815 and OPMN patch 24484104 contain new FMW code as well as
the OpenSSL (version 1.0.2) binary
....
22447165/files/Apache/Apache/libexec/mod_ssl.so
22447165/files/Apache/Apache/libexec/mod_oc4j.so
22447165/files/Apache/open_ssl/bin/openssl
....

MOS Note 376700.1



EBS 12.1: Switching To OpenSSL
All EBS 12.1 customers must get a new certificate or ask their CA to rekey their existing certificate

SSL/TLS 1.0: 10g NZ Library, managed with Oracle Wallet Manager (owm)
– %s_web_ssl_directory%/opmn/ewallet.p12
– %s_web_ssl_directory%/opmn/cwallet.sso
– %s_web_ssl_directory%/Apache/ewallet.p12
– %s_web_ssl_directory%/Apache/cwallet.sso

TLS 1.2 (New): OpenSSL 1.0.2, managed with OpenSSL (openssl)
– openssl-certfile - opmn.crt
– openssl-keyfile - server.key
– SSLCertificateFile - server.crt
– SSLCertificateKeyFile - server.key
– SSLCertificateChainFile - intermediate.crt

Note: See Section 5.2.1, Step 2

• Make sure to use the openssl delivered with the FMW patches
• Prepend the OpenSSL directory to your PATH. For example:
PATH=<10.1.3 OH>/Apache/open_ssl/bin:$PATH

EBS 12.1 Inbound Connections
TLS 1.2 Key Configuration – AutoConfig Customizations
• Create the custom template directory <FND_TOP>/admin/template/custom
• Copy the following template files from <FND_TOP>/admin/template to the custom template directory:
opmn_xml_1013.tmp, httpd_conf_1013.tmp, ssl_conf_1013.tmp
• Known Issues
– If a patch is applied to EBS that updates the above template files, AutoConfig will fail with the following error:
"Version Conflicts among development maintained and customized templates encountered; aborting AutoConfig run."
– Solution: Copy the newer template to the custom folder and re-apply the modification listed in this document.

MOS Note 376700.1



EBS 12.1 Outbound/Loopback Connections
TLS 1.2 Key Configuration – AutoConfig Customizations
• Copy the following files from <FND_TOP>/admin/template to the custom
directory, <FND_TOP>/admin/template/custom:
oc4j_properties_1013.tmp, oafm_oc4j_properties_1013.tmp,
forms_oc4j_properties_1013.tmp

• Known Issues
– Same AutoConfig known issue as with the inbound connection configuration

MOS Note 376700.1



Program Agenda

A Configuring TLS 1.2 Only


B Disabling HTTP Port
C EBS 12.2: TLS for OHS to WLS
D EBS 12.1: TLS for OHS to OC4J



How EBS Works When Configured with TLS 1.2 Only
• EBS 12.2 and 12.1 are configured to only connect with TLS 1.2
• Connection will use TLS 1.2

[Diagram: the Internet user's browser, the intranet user's browser and the external site all support TLS 1.2; each connection is established using TLS 1.2]

MOS Note 1367293.1 and 376700.1, Section 6.1



How EBS Works When Configured with TLS 1.2 Only
• EBS 12.2 and 12.1 are configured to only connect with TLS 1.2
• Connection will use TLS 1.2

[Diagram: a browser that supports TLS 1.2 connects using TLS 1.2; a browser that supports TLS 1.1 gets an error and the connection is not established; the connection to an external site that supports TLS 1.0 fails with an error and is not established]

MOS Note 1367293.1 and 376700.1, Section 6.1



Additional Considerations When Configuring TLS 1.2 Only
• Product versions with TLS 1.2
– Mobile Applications V6 (minimum)
– Oracle E-Business Suite Information Discovery V7 (minimum)
• JRE Versions
– JRE 8: TLS 1.2 enabled by default
– JRE 7: TLS 1.2 is enabled by default as of January 2017 JAVA CPU, 1.2.
– JRE 6: TLS 1.2 is enabled by default as of January 2017 JAVA CPU, 1.2.
Note: If you are on an earlier JAVA CPU version, you need to manually enable TLS 1.2:
Java Control Panel > Advanced tab > Advanced Security Settings section > Use TLS 1.2.
• Browsers with TLS 1.2 enabled by default
– IE 11/Firefox ESR 45.x/Chrome v49



EBS 12.2: Migrating from SSL/TLS 1.0 to TLS 1.2 Only
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Database 12.1.0.2
– Apply required patches
• Make configuration changes in the middle tier
– Inbound: Same as in section 5.2 for TLS 1.2 w/BC except for the following:
• Step 7: Set SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2 in admin.conf
and set ssl-versions="TLSv1.0" in opmn.xml
• Step 9: Set SSLProtocol TLSv1.2 in ssl.conf

MOS Note 1367293.1



EBS 12.2: Migrating from SSL/TLS 1.0 to TLS 1.2 Only

• Make configuration changes in the middle tier (continued)


– Loopback and outbound (section 5.3): Same as TLS 1.2 w/BC except for the following:
• Step 1: Set JVM parameter “-Dhttps.protocols=TLSv1.2” for all managed
servers and the WebLogic administration server

MOS Note 1367293.1



EBS 12.1: Migrating from SSL/TLS 1.0 to TLS 1.2 Only
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Database 12.1.0.2
– Apply required patches
• Make configuration changes in the middle tier
– Inbound: Same as in Section 5.2 for TLS 1.2 w/BC except for the following:
• Section 5.2.1, Step 6: Use the value listed in Section 6.1.2, Step 1 instead
– Loopback and Outbound: Same as in Section 5.3 except for the following:
• Section 5.3.1, Step 1: Set https.protocols=TLSv1.2 in a few custom template files

MOS Note 376700.1



Disabling HTTP Port

• EBS 12.2 and 12.1 are now certified with only the HTTPS port accessible.

• After HTTPS (e.g. port 4443) is enabled, the HTTP port (e.g., port 8000) is
still accessible. You now may manually disable the HTTP port.

• All communication to OHS now has to be encrypted


– For example: OPMN, WLS Admin Console

MOS Note 1367293.1 & 376700.1 Section 6.2



EBS 12.2: Disabling HTTP Port
• TXK and FMW minimum requirement
– Requirements from section 5.1 and section 6.2 “Required Patches”
• TXK Delta 7 bundle patch 21846184 (enable JSSE)
• OPMN patch 20493440
• FMW 11.1.1.9 patch 22288381
– Applying the latest FMW CPU patch is recommended
• Update httpd.conf through FMW Control Console
– Comment out the “listen ####” line
– Switch the order of the include statement so that the ssl.conf is before admin.conf
• Known Issues
– iHELP search failure (Bug 20472035)
MOS Note 1367293.1



EBS 12.1: Disabling HTTP Port
• TXK and FMW minimum requirement
– Requirements from section 5.1
• Copy the template file, httpd_conf_1013.tmp, to the
<FND_TOP>/admin/template/custom directory
• Comment out "Listen %s_http_listen_parameter%"

• Known Issues
– iHELP search failure (20472035)

MOS Note 376700.1
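
The two "Disabling HTTP Port" slides above reduce to a check that can be run against the resulting files. The Python below is an added example, not Oracle's tooling: the function names and the sample file contents (including the include paths) are constructed, port 8000 and 4443 are the deck's own example ports, and the include-order test applies only where both ssl.conf and admin.conf are included (the EBS 12.2 case).

```python
def active_directives(text):
    """Yield (line_number, directive, argument) for uncommented lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)   # commented lines vanish
        if parts:
            arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
            yield lineno, parts[0].lower(), arg


def check_http_disabled(httpd_conf, ssl_conf):
    """Return findings for an httpd.conf (or httpd_conf_1013.tmp) whose
    plain-HTTP port is supposed to be disabled."""
    findings = []
    include_line = {}                     # included file name -> line number
    for lineno, directive, arg in active_directives(httpd_conf):
        if directive == "listen":
            findings.append("httpd.conf line %d: Listen %s is still active"
                            % (lineno, arg))
        elif directive == "include":
            include_line.setdefault(arg.rsplit("/", 1)[-1], lineno)
    ssl_at = include_line.get("ssl.conf")
    admin_at = include_line.get("admin.conf")
    if ssl_at and admin_at and admin_at < ssl_at:
        findings.append("httpd.conf: admin.conf (line %d) is included before "
                        "ssl.conf (line %d)" % (admin_at, ssl_at))
    # Guard against commenting out every listener by mistake.
    if not any(d == "listen" for _, d, _ in active_directives(ssl_conf)):
        findings.append("ssl.conf: no active Listen, so no HTTPS port is open")
    return findings


# Constructed sample inputs; the include paths are placeholders.
HTTPD_BEFORE = """\
Listen 8000
include "/constructed/path/admin.conf"
include "/constructed/path/ssl.conf"
"""
HTTPD_AFTER = """\
#Listen 8000
include "/constructed/path/ssl.conf"
include "/constructed/path/admin.conf"
"""
TEMPLATE_12_1 = "Listen %s_http_listen_parameter%\n"   # unmodified 12.1 template line
SSL_CONF = "Listen 4443\n"

if __name__ == "__main__":
    for name, conf in (("before", HTTPD_BEFORE), ("after", HTTPD_AFTER),
                       ("12.1 template", TEMPLATE_12_1)):
        print(name, check_http_disabled(conf, SSL_CONF))
```
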



EBS 12.2: Enable TLS for OHS To WLS Connection (New)

• Enabling TLS for OHS to WLS connection is certified


• Apply required AD/TXK Delta 9 patches
• Overview of required steps (see MOS note for details)
– Create WLS keystores
– Configure TLS on WLS
– Modify OHS configuration
– Configure mod_wls_ohs
– Run fs_clone

MOS Note 1367293.1, Section 6.3



EBS 12.1: Enable TLS for OHS To OC4J Connection
• Enabling TLS for OHS to OC4J connection is certified
• Edit txkChkFormsDeployment.pl to comment out a line of code:
#instantiateNewConfigFile($template_config_file, $actual_config_file)
– Known Issues: Bug 23645824
• If other modifications (via a patch application, a rollback or a manual change) need to be made to $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml, you need to repeat the modification and reset the password for the oc4jadmin user – see the MOS Note for details

MOS Note 376700.1, Section 6.3



TLS Configuration Checklist
What to Do:
Source the apps environment and execute the following:
$OA_JRE_TOP/bin/java -version

What to Review:
Sample output:
java version "1.7.0_141"
or
java version "1.6.0_151"

Note:
• Minimum requirement for TLS 1.2 is JDK 1.6.0_121 (July 2016 update) or 1.7.0_xx.
• Follow the steps in MOS Note 455492.1 to upgrade to JDK 6 or MOS Note 1530033.1 to upgrade to JDK 1.7



TLS Configuration Checklist
What to Do:
For EBS 12.2, execute the following in the FMW 11g WebTier Oracle Home:
$ opatch lsinventory -detail
What to Review:
Under 'Installed Top-level Products', look for 'Oracle WebTier and Utilities CD'. The version should show '11.1.1.9.0'.

What to Do:
For EBS 12.1, execute the following in the FMW 10g WebTier Oracle Home:
$ opatch lsinventory -detail
What to Review:
Check the FMW inventory for the required patches
TLS 1.2
• FMW 10.1.3.5 20080288, 22447165 and 22458773.
SHA-2
• FMW 10.1.3.5 Oct 2015 CPU patch: 20080288
and
• For AIX/HP: 21948197
• For Windows: 22251660



TLS Configuration Checklist
What to Do:
To research errors with inbound connections (see Section 4.1 for definition), check the following file:
ssl.conf
Located in the following directory
<s_ohs_instance_loc>/config/OHS/<s_ohs_component>

What to Review:
Review the configuration in the ssl.conf file.

If you are enabling “TLS 1.2 w/BC” the following lines are required:
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM

If you are enabling “TLS 1.2 Only” the following lines are required:
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
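
This checklist row, together with the "highest version enabled by the two parties" rule on the "TLS 1.2 w/BC" and "TLS 1.2 Only" slides, can be checked mechanically. The Python below is an added example, not Oracle's code: the function names and sample inputs are constructed, and it only understands the explicit protocol lists shown in this deck (SSLProtocol in ssl.conf, -Dhttps.protocols on the JVM).

```python
import re

# Protocol tokens as written in this deck's ssl.conf and -Dhttps.protocols
# lines, ordered oldest to newest.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
MODES = {
    frozenset(["TLSv1", "TLSv1.1", "TLSv1.2"]): "TLS 1.2 w/BC",
    frozenset(["TLSv1.2"]): "TLS 1.2 Only",
}
REQUIRED_EXCLUSIONS = ("!aNULL", "!RC4")   # from the deck's SSLCipherSuite


def parse_ssl_conf(text):
    """Return (protocols, cipher_string) from the active directives.

    Simplification (assumption): one SSLProtocol/SSLCipherSuite pair per
    file; if a directive repeats, the last occurrence is reported.
    """
    protocols, ciphers = frozenset(), None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments
        if len(parts) < 2:
            continue
        if parts[0].lower() == "sslprotocol":
            protocols = frozenset(parts[1:])
        elif parts[0].lower() == "sslciphersuite":
            ciphers = parts[1]
    return protocols, ciphers


def parse_https_protocols(jvm_args):
    """Return the protocol set named by -Dhttps.protocols, or None."""
    match = re.search(r"-Dhttps\.protocols=([^\s\"']+)", jvm_args)
    return frozenset(match.group(1).split(",")) if match else None


def negotiate(server, client):
    """Highest version enabled by both parties; None means no connection."""
    common = [p for p in ORDER if p in server and p in client]
    return common[-1] if common else None


def audit(ssl_conf_text, jvm_args):
    """Return (inbound_mode, findings) for one application node."""
    findings = []
    protocols, ciphers = parse_ssl_conf(ssl_conf_text)
    mode = MODES.get(protocols, "non-standard")
    if mode == "non-standard":
        findings.append("SSLProtocol %s matches neither documented set"
                        % " ".join(sorted(protocols)))
    missing = [t for t in REQUIRED_EXCLUSIONS
               if ciphers is None or t not in ciphers.split(":")]
    if missing:
        findings.append("SSLCipherSuite lacks " + ", ".join(missing))
    client = parse_https_protocols(jvm_args)
    if client is None:
        findings.append("-Dhttps.protocols is not set")
    elif negotiate(protocols, client) is None:
        # Loopback: the JVM is a client of EBS's own web entry point.
        findings.append("loopback fails: JVM offers %s, OHS accepts %s"
                        % (",".join(sorted(client)),
                           " ".join(sorted(protocols))))
    return mode, findings


# Constructed sample inputs (not taken from a real instance).
SSL_CONF_BC = """\
# constructed sample
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
"""
SSL_CONF_ONLY = SSL_CONF_BC.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2")
JVM_BC = "-Xmx1g -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"

if __name__ == "__main__":
    print(audit(SSL_CONF_BC, JVM_BC))
    # A client that offers only TLS 1.1 against each inbound configuration:
    for conf in (SSL_CONF_BC, SSL_CONF_ONLY):
        print(negotiate(parse_ssl_conf(conf)[0], {"TLSv1.1"}))
    # JVM left at TLSv1 after the web tier moved to "TLS 1.2 Only":
    print(audit(SSL_CONF_ONLY, "-Dhttps.protocols=TLSv1"))
```

The last call shows the loopback failure mode: inbound and outbound settings are edited in different files, so a web tier moved to "TLS 1.2 Only" can stop accepting calls from its own JVMs if their https.protocols value was not changed with it.
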



TLS Configuration Checklist
What to Do:
To research errors with inbound connections (see Section 4.1 for definition), check the following file:
httpd_conf_1013.tmp, located in the <FND_TOP>/admin/template/custom directory

What to Review:
The following lines should be in the httpd_conf_1013.tmp file:
<IfDefine SSL>
#LoadModule ossl_module libexec/mod_ossl.so
LoadModule ssl_module libexec/mod_ssl.so
</IfDefine>



References



Documentation

Title Doc ID
FAQ: Oracle E-Business Suite Security 2063486.1
Oracle E-Business Suite Security Guide, Release 12.2 – Secure Configuration Chapter N/A
Secure Configuration for Oracle E-Business Suite Release 12 403537.1
Enabling TLS in Oracle E-Business Suite Release 12.2 1367293.1
Enabling SSL or TLS in Oracle E-Business Suite Release 12.2 2143101.1
Enabling TLS in Oracle E-Business Suite Release 12.1 376700.1
Enabling SSL or TLS in Oracle E-Business Suite Release 12 2143099.1
CVE-2014-3566 - Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite 1937646.1



Where to Find More Information
Oracle E-Business Suite Release 12.2

• EBS Documentation and Training
– EBS 12.2 Information Center: MOS Note 1581299.1 (includes link to the EBS Documentation Web Library)
– EBS Release Content Documents: MOS Note 1302189.1
– EBS Transfer of Info (TOI) Online Training: MOS Note 807319.1



Transfer of Information (TOI) Online Training
Learn More About Oracle E-Business Suite 12.2 New Features

• Implement and Use Application Object Library - SECURITY: Redirect Filter


• Implement and Use E-Business Suite Secure Configuration - Allowed JSPs
• Implement and Use E-Business Suite Secure Configuration - Cookie Domain
Scoping

MOS Note 807319.1



Oracle E-Business Suite Learning Subscription
Stay Up-to-Date on Everything Oracle E-Business Suite

• Free access to hundreds of videos


– Virtual Conference, What’s New, User
Experience, Advice from Development
• Paid subscription access to over 500
technical and functional training sessions
– In-depth courses with hands-on labs
– Supplemental learning modules with demos
– 12.2 solution overviews with demos
• Continuous updates and additions
education.oracle.com/subscriptions/ebs

Oracle E-Business Suite Learning Subscription
Applications Technology Channel

Here you will find the following recordings:
• Managing Oracle E-Business Suite Security and Auditing
• Ready or Not: Applying Secure Configuration to Oracle E-Business Suite
• TLS 1.2 Configuration for Oracle E-Business Suite
• …and more technology related sessions

education.oracle.com/subscriptions/ebs



Oracle E-Business Suite Technology Blog

blogs.oracle.com/stevenchan

• Direct from EBS Development


• Latest news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Latest upgrade recommendations
• Statements of Direction
• Subscribe via email or RSS



Education: E-Business Suite Learning Subscription
Oracle E-Business Suite and Oracle Cloud
Dedicated Channel
• Channel Dedicated to “EBS and Oracle Cloud”
• Available Today:
– Running EBS on Oracle Cloud: Why, What and How?
– Deploying EBS on Oracle Cloud: Getting Started
– Deploying EBS on Oracle Cloud: Multi-Node Topologies
– Advanced Architectures for Oracle E-Business Suite
– Oracle E-Business Suite on Oracle Cloud - Technical Insight
– Leverage Integration Cloud Service for Oracle E-Business Suite
– Secure Configuration for Oracle E-Business Suite in Oracle Cloud
– Enterprise Manager 13c Cloud Control for Managing E-Business Suite
– Oracle E-Business Information Discovery: Your Journey to The Cloud
– Oracle E-Business Suite Coexistence with Oracle HCM Cloud
– Financial Accounting Hub (FAH) Reporting Cloud Coexistence with EBS GL
– Oracle Sales Cloud Coexistence with E-Business Suite Quotes
– Oracle Service Cloud (RightNow) Coexistence with EBS Field Service
– OTM/GTM in the Cloud for E-Business Suite Customers
– More to come…..
education.oracle.com/subscriptions/ebs



Blog: Oracle E-Business Suite and Oracle Cloud
https://blogs.oracle.com/EBSandOracleCloud/

• Live since 1st June 2016


• 40+ Articles since 1st June 2016
• Dedicated to EBS and Oracle Cloud Topics
• Sponsored by EBS Development Executives

Subscribe by Email



Oracle E-Business Suite: Applications Technology

facebook.com/groups/EBS.SysAdmin

Join us on Facebook
