Enabling SSL in Oracle E-Business Suite Release 12.2

Oracle E-Business Suite Release 12.2 uses the Oracle Fusion Middleware infrastructure to secure communication between components using SSL (Secure Sockets Layer).

Oracle HTTP Server (the web tier) is the web server component of Oracle Fusion Middleware and provides strong cryptography through the mod_ossl and mod_wl_ohs modules.

Web tier certificates can still be managed by any of the following:

1) Oracle Wallet Manager (OWM) GUI tool

2) orapki command line interface (CLI)

3) Oracle Enterprise Manager Fusion Middleware Control (Fusion Middleware Control)

Components running under Java use JKS-based keystores to store keys and certificates.

Set Your Environment for SSL

1) SSL is configured on the RUN file system, so application downtime is required.

2) Apply the latest AD and TXK Delta Release Update Packs (always recommended).

3) If you are using clients such as JRE 8 or some modern browsers, or Oracle Database 12c, you must do one of the following:

- Apply either patch 17555224 or patch 19849290 to FMW 11.1.1.7.

OR

- Upgrade to FMW 11.1.1.9.

Create a Certificate Signing Request using the orapki command line interface (CLI)

1) Set the PATH environment variable to include the Fusion Middleware location:

export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH

2) Navigate to the <s_web_ssl_directory>/Apache directory. If it does not exist, create the "Apache" directory under <s_web_ssl_directory>. The location of s_web_ssl_directory is recorded in the context file:

[appluat@myserver Apache]$ grep s_web_ssl_directory $CONTEXT_FILE
<web_ssl_directory oa_var="s_web_ssl_directory">/U01/app/uat/fs_ne/inst/UAT_myserver/certs</web_ssl_directory>

3) The following command creates the wallet and the certificate request.

Note: the CN must be the host name of your EBS application URL (the internal or external URL that users connect to); otherwise you may get a certificate invalid error.

mkwallet -r Password . "CN=mywebsite.shoukisoft.com, OU=BS, O=shoukisoft, ST=muscat, C=OM" 2048 server-md5.csr

The wallet directory will contain the following files:

server-md5.csr - certificate signing request
ewallet.p12 - Oracle PKCS#12 wallet
cwallet.sso - auto-login-only wallet

4) Convert the certificate request to a SHA-1 2048-bit (or higher) CSR using the openssl tool

Depending on your certificate provider, MD5-based certificate requests (CSRs) generated by Oracle Wallet Manager (OWM) may not be accepted. For example, VeriSign now only accepts SHA-1 2048-bit based CSRs or higher. Here nonoracle_wallet.pem is the wallet's private key exported in PEM format, so the new CSR is signed with the same key the wallet holds:

[appluat@myserver Apache]$ openssl req -new -key nonoracle_wallet.pem -sha256 -out serveruat.csr

5) The wallet directory will now contain the following files. Copy "serveruat.csr" and submit it to the third-party certificate authority:

server-md5.csr
ewallet.p12
cwallet.sso
nonoracle_wallet.pem
serveruat.csr - certificate signing request

The certificate authority will return the following three certificates:

root certificate - TrustedRoot.cer
intermediate certificate - XXX2.cer
user certificate - star_shouki_com.cer

Import the Server Certificate into the Wallet using the orapki command line interface (CLI)

Set the PATH environment variable to include the Fusion Middleware location:

export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH

a) Add the root certificate

[appluat@myserver certs]$ orapki wallet add \
  -wallet /U01/app/uat/fs_ne/inst/UAT_myserver/certs/Apache \
  -trusted_cert \
  -cert TrustedRoot.cer \
  -pwd xxxx123

b) Add the intermediate certificate

[appluat@myserver certs]$ orapki wallet add \
  -wallet /U01/app/uat/fs_ne/inst/UAT_myserver/certs/Apache \
  -trusted_cert \
  -cert XXXXCA2.cer \
  -pwd xxxx123

c) Add the user certificate

[appluat@myserver certs]$ orapki wallet add \
  -wallet /U01/app/uat/fs_ne/inst/UAT_myserver/certs/Apache \
  -user_cert \
  -cert star_shouki_com.cer \
  -pwd xxx123

d) Display the wallet contents to confirm that all three certificates were added:

[appluat@mc1bshws001 Apache]$ orapki wallet display -wallet /U01/app/uat/fs_ne/inst/UAT_myserver/certs/Apache

Application Configuration Change

If you need to import the CA certificate, you will also need to append the contents of the root certificate (ca.crt) file to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

cat TrustedRoot.cer >> /U01/app/uat/fs1/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

If you were also provided an intermediate certificate (intca.crt), then you will also need to append that to b64InternetCertificate.txt:

cat intca.crt >> /U01/app/uat/fs1/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt
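The checks worth running on the CSR from step 4 and on the three certificates the CA returns, before they go into the wallet with orapki and before they are appended to b64InternetCertificate.txt, as an added example that is not part of the original post. It uses only the openssl CLI; because it has to run offline, it first builds a throwaway root, intermediate and server chain (constructed data, standing in for TrustedRoot.cer, the intermediate .cer and star_shouki_com.cer), then verifies that the CSR is SHA-256 over a 2048-bit key, that the three certificates actually chain to each other, what the server CN is, and appends to a constructed b64InternetCertificate.txt without creating duplicate entries when the step is re-run. The file names follow the post; req.cnf, the helper names and the temp directory are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: checks to run on the CSR
# and on the three certificates the CA returns before "orapki wallet add",
# plus a duplicate-safe append for b64InternetCertificate.txt.
# Needs only the openssl CLI; all certificates below are constructed.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/req.cnf"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed test data: a throwaway root -> intermediate -> server chain that
# stands in for TrustedRoot.cer, the intermediate .cer and star_shouki_com.cer.
make_chain() {
  d=$1
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Constructed Test Root/O=example" \
    -keyout "$d/root.key" -out "$d/TrustedRoot.cer" 2>/dev/null
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Constructed Test Intermediate CA/O=example" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -CA "$d/TrustedRoot.cer" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$CNF" -extensions ca_ext \
    -out "$d/Intermediate.cer" 2>/dev/null
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mywebsite.shoukisoft.com/O=shoukisoft" \
    -keyout "$d/server.key" -out "$d/serveruat.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$d/serveruat.csr" -CA "$d/Intermediate.cer" \
    -CAkey "$d/int.key" -CAcreateserial -out "$d/star_shouki_com.cer" 2>/dev/null
}

# 1. The CSR must be SHA-256 signed over a 2048-bit key (the MD5 CSR that
#    mkwallet writes is what the CA rejects in step 4).
csr_is_sha256_2048() {
  txt=$(openssl req -noout -text -config "$CNF" -in "$1")
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' &&
    echo "$txt" | grep -q 'Public-Key: (2048 bit)'
}

# 2. Root, intermediate and server must form one chain; a missing or wrong
#    intermediate is the usual cause of "certificate invalid" in the browser.
chain_is_valid() {   # args: root intermediate server
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# 3. Print the CN of a certificate, to compare with the EBS URL host name.
leaf_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 4. Append PEM cert $2 to bundle $1 unless a cert with the same SHA-256
#    fingerprint is already there ("cat >>" duplicates entries on every re-run).
append_cert_once() {
  bundle=$1; cert=$2; tmp=$(mktemp -d)
  want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
  touch "$bundle"
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/c" n ".pem")}' "$bundle"
  for c in "$tmp"/c*.pem; do
    [ -e "$c" ] || continue
    if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$c")" = "$want" ]; then
      rm -rf "$tmp"; return 0
    fi
  done
  rm -rf "$tmp"
  openssl x509 -in "$cert" >> "$bundle"   # re-encode so the entry is clean PEM
}

make_chain "$WORK"
BUNDLE="$WORK/b64InternetCertificate.txt"   # constructed stand-in for the 10.1.2 file
csr_is_sha256_2048 "$WORK/serveruat.csr" || { echo "CSR is not SHA-256/2048" >&2; exit 1; }
chain_is_valid "$WORK/TrustedRoot.cer" "$WORK/Intermediate.cer" "$WORK/star_shouki_com.cer" \
  || { echo "certificates do not chain" >&2; exit 1; }
echo "server CN: $(leaf_cn "$WORK/star_shouki_com.cer")"
append_cert_once "$BUNDLE" "$WORK/TrustedRoot.cer"
append_cert_once "$BUNDLE" "$WORK/Intermediate.cer"
append_cert_once "$BUNDLE" "$WORK/TrustedRoot.cer"     # re-run: no duplicate
echo "bundle entries: $(grep -c 'BEGIN CERTIFICATE' "$BUNDLE")"
```

On a real system, point `chain_is_valid` at the three files the CA returned and `append_cert_once` at the real b64InternetCertificate.txt; the chain check is the same one a browser performs, so a failure here is a failure every user would see after the restart.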

Modify the Oracle HTTP Server Wallet

a) Identify s_ohs_instance_loc and s_ohs_component from the context file:

[appluat@myserver Apache]$ egrep 's_ohs_instance_loc|s_ohs_component' $CONTEXT_FILE

b) Move the existing wallet files to a backup directory in case you wish to use them again in the future.

c) Copy cwallet.sso from <s_web_ssl_directory>/Apache into the Oracle HTTP Server wallet directory under <s_ohs_instance_loc> (config/OHS/<s_ohs_component>/keystores/default).

Modify the OPMN Wallet

a) Navigate to the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory.

b) Move the existing wallet files to a backup directory in case you wish to use them again in the future.

c) Copy cwallet.sso from <s_web_ssl_directory>/Apache into the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory.

Fusion Middleware Control Console

Move the existing wallet files in the following directories to a backup directory in case you wish to use them again in the future:
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
  • $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet

Primary application node

Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to the following locations:
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet

DMZ node

Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to the following location:

$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet
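The wallet distribution across the OHS, OPMN and Fusion Middleware Control wallet directories above, scripted as one added example (not part of the original post). It reads the s_* values out of the context file the same way the grep on $CONTEXT_FILE does, but returns only the value; for each target directory it moves whatever wallet files are present into a dated backup tree before installing the new cwallet.sso, so nothing is overwritten in place. The context-file fragment, the directory tree and the wallet contents are constructed under a temp directory; EBS_DOMAIN_HOME has no oa_var on this page, so the script takes it from the environment and otherwise falls back to a constructed path, which is an assumption of the example.

```shell
#!/bin/sh
# Added example, not code from the original post: look up context-file values
# and install the new cwallet.sso into every wallet directory named in the
# post, backing up whatever was there first. All paths below are constructed.
set -eu

# Print the value of the context variable whose oa_var attribute is $2 in
# context file $1 (the element text between <tag oa_var="...">...</tag>).
ctx_value() {
  sed -n "s|.*<[^>]*oa_var=\"$2\"[^>]*>\([^<]*\)</.*|\1|p" "$1" | head -n 1
}

# Move existing wallet files from $2 into backup dir $3, then copy $1 (the new
# cwallet.sso) into $2. Old files are moved, not deleted, so they can be restored.
install_wallet() {
  src=$1; dest=$2; backup=$3
  mkdir -p "$dest" "$backup"
  for f in "$dest"/cwallet.sso "$dest"/ewallet.p12; do
    if [ -e "$f" ]; then mv "$f" "$backup"/; fi
  done
  cp "$src" "$dest"/cwallet.sso
  chmod 600 "$dest"/cwallet.sso
}

# --- constructed sample environment (stands in for a real RUN file system) ---
WORK=$(mktemp -d)
CONTEXT_FILE="$WORK/UAT_myserver.xml"
cat > "$CONTEXT_FILE" <<EOF
<oa_context>
   <web_ssl_directory oa_var="s_web_ssl_directory">$WORK/fs_ne/inst/UAT_myserver/certs</web_ssl_directory>
   <ohs_instance_loc oa_var="s_ohs_instance_loc">$WORK/FMW_Home/webtier/instances/EBS_web_UAT_OHS1</ohs_instance_loc>
   <ohs_instance oa_var="s_ohs_instance">EBS_web_UAT_OHS1</ohs_instance>
   <ohs_component oa_var="s_ohs_component">EBS_web_UAT</ohs_component>
</oa_context>
EOF
# Assumption: EBS_DOMAIN_HOME comes from the environment; constructed fallback here.
EBS_DOMAIN_HOME=${EBS_DOMAIN_HOME:-$WORK/FMW_Home/user_projects/domains/EBS_domain_UAT}

WEB_SSL_DIR=$(ctx_value "$CONTEXT_FILE" s_web_ssl_directory)
OHS_INST_LOC=$(ctx_value "$CONTEXT_FILE" s_ohs_instance_loc)
OHS_INST=$(ctx_value "$CONTEXT_FILE" s_ohs_instance)
OHS_COMP=$(ctx_value "$CONTEXT_FILE" s_ohs_component)

NEW_WALLET="$WEB_SSL_DIR/Apache/cwallet.sso"      # produced by the orapki steps
BACKUP="$WORK/wallet_backup_$(date +%Y%m%d)"      # old wallets mirrored under here

# Target directories named in the post (primary application node).
OHS_WALLET_DIR="$OHS_INST_LOC/config/OHS/$OHS_COMP/keystores/default"
OPMN_WALLET_DIR="$OHS_INST_LOC/config/OPMN/opmn/wallet"
FMC_COMP_WALLET_DIR="$EBS_DOMAIN_HOME/opmn/$OHS_INST/$OHS_COMP/wallet"
FMC_INST_WALLET_DIR="$EBS_DOMAIN_HOME/opmn/$OHS_INST/wallet"

# Constructed stand-ins for the new wallet and for wallets already in place.
mkdir -p "$WEB_SSL_DIR/Apache" "$OHS_WALLET_DIR" "$OPMN_WALLET_DIR"
printf 'NEW-WALLET' > "$NEW_WALLET"
printf 'OLD-WALLET' > "$OHS_WALLET_DIR/cwallet.sso"
printf 'OLD-WALLET' > "$OPMN_WALLET_DIR/cwallet.sso"

for d in "$OHS_WALLET_DIR" "$OPMN_WALLET_DIR" "$FMC_COMP_WALLET_DIR" "$FMC_INST_WALLET_DIR"; do
  install_wallet "$NEW_WALLET" "$d" "$BACKUP$d"
  echo "installed wallet in $d"
done
echo "previous wallets are under $BACKUP"
```

Because the backup tree mirrors the absolute path of each wallet directory, rolling back is a copy in the other direction; the same loop also documents which directories the SSL change touched, which is what you need when the patch file system is synchronized later.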

Update the JDK cacerts File

Oracle Fusion Middleware components (including Oracle WebLogic Server and Oracle Web Services) require the certificate of the certificate authority that issued your root certificate (ca.crt from the previous step) to be present in the JDK cacerts file.

Follow the steps below on all application tier nodes:

Navigate to the <s_fmw_jdktop>/jre/lib/security directory.

Copy your ca.crt (root) and server.crt (intermediate) files to this directory, and run the following command to make cacerts writable:

$ chmod u+w cacerts

Import the root CA

[appluat@myserver security]$ keytool -import -alias OHSRootCA -file /home/appluat/certs/TrustedRoot.cer -v -keystore cacerts
Enter keystore password:
Certificate already exists in keystore under alias <digicertglobalrootca [jdk]>
Do you still want to add it? [no]: yes
Certificate was added to keystore
[Storing cacerts]

Import the intermediate CA

[appluat@myserver security]$ keytool -import -alias OHSIntCA -file /home/appluat/certs/XXXtCA2.cer -v -keystore cacerts
Enter keystore password:
Certificate was added to keystore
[Storing cacerts]

Import the server certificate

[appluat@myserver security]$ keytool -import -alias OHSServer -file /home/appluat/certs/star_shouki_com.cer -v -keystore cacerts
Enter keystore password:
Certificate was added to keystore
[Storing cacerts]

When you have completed the modifications to cacerts, reset the permissions:

$ chmod u-w cacerts

For Oracle E-Business Suite Release 12.2 installations that use a 64-bit JDK for Oracle Fusion Middleware, the steps in this section must be repeated for the 32-bit JDK keystore location that is still in use by some products. If the application context file variable <s_fmw_java_use_64> is set to 'true', then repeat the steps for the 32-bit cacerts in $OA_JRE_TOP/lib/security.

Standard SSL Setup

If your SSL port is going to be changed from the default, update the following:

1) Edit the ssl.conf file: update the Listen <port> and the <VirtualHost _default_:<port>> directives to the SSL port, for example Listen 4443.

2) Start only the Admin Server: $ADMIN_SCRIPTS_HOME/adadminsrvctl.sh start

3) Run the following command on all application tier nodes:

perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:
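Step 1 above done with a script instead of a hand edit, as an added example that is not part of the original post: it rewrites both directives in one pass so Listen and the _default_ VirtualHost cannot drift apart, keeps the original as ssl.conf.bak for rollback, rejects a non-numeric port, and reads the port back to confirm the two directives agree. The ssl.conf fragment is constructed (the real file lives under the OHS instance) and the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: change the SSL port in an
# OHS ssl.conf (step 1 of "Standard SSL Setup") and verify the two directives
# agree afterwards. The ssl.conf fragment below is constructed.
set -eu

# Rewrite "Listen <port>" and "<VirtualHost _default_:<port>>" in $1 to port $2,
# keeping a copy of the original as $1.bak for rollback.
set_ssl_port() {
  conf=$1; port=$2
  case $port in
    ''|*[!0-9]*) echo "set_ssl_port: port must be numeric, got '$port'" >&2; return 1 ;;
  esac
  cp -p "$conf" "$conf.bak"
  sed -e "s/^\(Listen[[:space:]][[:space:]]*\)[0-9][0-9]*/\1$port/" \
      -e "s/^\(<VirtualHost[[:space:]][[:space:]]*_default_:\)[0-9][0-9]*>/\1$port>/" \
      "$conf.bak" > "$conf"
}

# Print the port $1 listens on; fail if Listen and the _default_ VirtualHost
# disagree, which is the usual leftover after a half-finished manual edit.
ssl_port_of() {
  l=$(sed -n 's/^Listen[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  v=$(sed -n 's/^<VirtualHost[[:space:]][[:space:]]*_default_:\([0-9][0-9]*\)>.*/\1/p' "$1" | head -n 1)
  if [ -z "$l" ] || [ "$l" != "$v" ]; then
    echo "ssl_port_of: Listen is '$l' but VirtualHost is '$v'" >&2
    return 1
  fi
  echo "$l"
}

# --- constructed sample ssl.conf (not the real OHS file) ---
WORK=$(mktemp -d)
SSLCONF="$WORK/ssl.conf"
cat > "$SSLCONF" <<'EOF'
# constructed fragment of an OHS ssl.conf
ListenBacklog 511
Listen 4443
<VirtualHost _default_:4443>
  SSLEngine on
</VirtualHost>
EOF

set_ssl_port "$SSLCONF" 4444
echo "ssl.conf now listens on $(ssl_port_of "$SSLCONF")"
```

Run `ssl_port_of` against the live ssl.conf after the edit and again after adSyncContext.pl has run; if the value differs from the SSL port recorded in the context file, AutoConfig and the hand edit are out of step and the next AutoConfig run will silently revert the change.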

Synchronization Between Run and Patch File Systems

The following steps must be performed to synchronize the SSL setup between the two file systems:

Edit $APPL_TOP_NE/ad/custom/adop_sync.drv and add the following lines between the <Begin Customization> and <End Customization> markers, after the existing <#Copy Ends> line:
#SSL SECTION - START
# Required for SSL setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.
#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt
#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

Load balancer configuration: change the context values below and run AutoConfig.

Then try to access the application using HTTPS.


