Enabling TLS 1.2 with Backward Compatibility in Oracle E-Business Suite Release 12.2 using Elliptic Curve Cryptography (ECC) certificate

 


Introduction


TLS 

Transport Layer Security (TLS) is the successor protocol to SSL; TLS is an improved version of SSL.

Elliptic Curve Cryptography (ECC) certificate 

ECC offers equivalent security with smaller key sizes, which results in faster computations, lower power consumption, and memory and bandwidth savings.

Oracle Fusion Middleware supports the use of an Elliptic Curve Cryptography (ECC) certificate if the entire certificate chain is ECC and the server certificate is signed using ecdsasha256 (ECDSA with SHA-256).

Oracle E-Business Suite connections fall into the following three categories:

Inbound connections
Inbound connections are from a client to the Oracle HTTP Server (OHS) delivered with the Oracle E-Business Suite applications technology stack.
Examples:
  • A user accesses Oracle E-Business Suite application pages over the network using a browser
  • A user accesses an Oracle E-Business Suite application through Oracle Forms when using Forms Servlet mode
  • An XML Gateway message originating from a customer is sent to Oracle E-Business Suite
  • A mobile phone communicates with Oracle E-Business Suite through a REST service
Loopback connections
Loopback connections are from Oracle E-Business Suite back to the Oracle HTTP Server (OHS) delivered with the Oracle E-Business Suite applications technology stack.
Examples:
  • Workflow notification emails from the concurrent manager tier
  • Payments callback from the database tier
  • Oracle Process Manager and Notification (OPMN)
  • Oracle Applications Manager Log Viewer
Outbound connections
Outbound connections are from Oracle E-Business Suite to external site(s); here Oracle E-Business Suite is acting as an HTTPS client.
Examples:
  • Punchout in Oracle iProcurement
  • XML Gateway connection to a partner application
  • Payments credit card processing
  • Dun & Bradstreet (HZ)
  • International Trade Management (ITM) for screening orders and deliveries
  • CIS Tax Module

Enabling TLS 1.2 with Backward Compatibility

  • Oracle E-Business Suite inbound, outbound, and loopback connections are currently certified with TLS 1.2, 1.1, and 1.0.
  • TLS 1.2 with backward compatibility allows the handshake between the client and server to negotiate and use the highest version of TLS (1.2, 1.1, or 1.0) supported end-to-end by both parties.

Step 1 - Upgrade to the latest Java Development Kit (JDK) 7.

The minimum required version is JDK 1.7.0_131.

Step 2 - Upgrade Oracle Fusion Middleware.
  • Oracle Fusion Middleware 11.1.1.9 is required for TLS 1.2
  • On top of FMW 11.1.1.9, it is required that you apply the July 2016 Critical Patch Update (CPU) or later
  • Apply FMW patch 23630525 and patch 26045188 version 11.1.1.9
After applying patch 26045188, remove the NonJ2EEManagement deployment from the WebLogic console and then redeploy it:
  1. Navigation: From the Domain Structure panel, choose Deployments.
  2. Locate in the list of deployments NonJ2EEManagement (11.1.1).
  3. Stop the application “NonJ2EEManagement (11.1.1)”.
  4. In the Change Center panel click 'Lock & Edit'.
  5. Click the check box beside the deployed application NonJ2EEManagement (11.1.1).
  6. Delete the NonJ2EEManagement (11.1.1) application.
  7. Click 'Activate Changes'.
  8. Redeploy the $ORACLE_HOME/opmn/applications/NonJ2EEManagement.ear file delivered by this patch:
    $ $ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost <ADMINSERVER_HOST> -adminPort <ADMINSERVER_PORT>
Step 3 - Apply AD and TXK patches

Apply the latest AD and TXK Delta Release Update Packs.

Step 4 - Apply product specific patches.
  • Oracle Workflow - Apply patch 22806350:R12.OWF.C to address an Oracle Workflow Notification Mailer issue.
  • Oracle iProcurement - Apply the patch(es) mentioned in My Oracle Support Knowledge Document 1937220.1, Punchout in Oracle iProcurement and Exchange Fails After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake SSLIOClosedOverrideGoodbyeKiss), for the appropriate application versions.
  • Oracle XML Gateway - Apply patch 22326911:R12.ECX.C.
  • Oracle iPayment - Apply patch 22522877:R12.IBY.C.

Prerequisites for Implementing TLS for ECC Certification

Customers on database version 11.2.0.4 are required to apply Oct 2018 PSU or later to support ECC certificates. Customers on 12c database can skip this step.

Configure Inbound Connections

1) Create an empty wallet

Navigate to the <s_web_ssl_directory>/Apache directory; if there is no Apache directory, create it.

2) Instead of using the Oracle Wallet Manager, perform the following to create an empty wallet:


3) Create a certificate request.

If using a CA-signed ECC certificate, perform the following.

If you use a wildcard certificate to protect multiple servers, specify the server name as an asterisk (*) plus the domain in the Common Name, for example *.example.com.

Follow the steps below to generate the ECC certificate:

[applmgr@mc1bsdevapp01 dev]$ cd /u01/app/dev/fs_ne/inst/DEVDB_mc1bsdevapp01/certs/Apache/

[applmgr@mc1bsdevapp01 Apache]$ DN="CN=*.ShoukiSoft.com,O=ShoukiSoft,OU=BS,L=Muscat,ST=Muscat,C=OMAN"

[applmgr@mc1bsdevapp01 Apache]$ $FMW_HOME/oracle_common/bin/orapki wallet add -wallet ./ -dn "$DN" -sign_alg ecdsasha256 -asym_alg ECC -eccurve secp256r1 -auto_login_only -jsafe
Oracle PKI Tool : Version 11.1.1.9.0
Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.

Follow the steps below to export the certificate request "server.csr" and submit it to your Certificate Authority:

[applmgr@mc1bsdevapp01 Apache]$ $FMW_HOME/oracle_common/bin/orapki wallet export -wallet ./ -dn "$DN" -request server.csr -jsafe
Oracle PKI Tool : Version 11.1.1.9.0
Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved.

[applmgr@mc1bsdevapp01 Apache]$ ls -ltr
total 8
-rw-rw-rw-. 1 applmgr oinstall   0 Oct 22 15:10 cwallet.sso.lck
-rw-------. 1 applmgr oinstall 797 Oct 22 15:45 cwallet.sso
-rw-------. 1 applmgr oinstall 495 Oct 22 15:47 server.csr


4) Import the server certificate to the wallet.

The Certificate Authority provides the following certificates:

1) Root Certificate - rootca.crt

2) Intermediate Certificate - intca.crt

3) Server Certificate - server.crt

Import the root certificate into the wallet:
$FMW_HOME/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert rootca.crt -auto_login_only -jsafe

If your certificate authority provides an intermediate certificate, then perform the following to import that certificate into the wallet:

$FMW_HOME/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert intca.crt -auto_login_only -jsafe
Import the server certificate into the wallet:
$FMW_HOME/oracle_common/bin/orapki wallet add -wallet ./ -user_cert -cert server.crt -auto_login_only -jsafe
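Before importing the three files above, it is worth confirming that what the CA returned actually meets the Fusion Middleware requirement stated in the introduction (an all-ECC chain signed with ecdsasha256); an RSA intermediate slipped into the chain will only surface later as a failed handshake. The following script is an added example, not part of the original post or of Oracle's tooling. It uses the openssl CLI to classify each certificate; the file names are assumptions, and the two test certificates are constructed on the spot with openssl so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or Oracle's tooling): check that
# every certificate in a CA-issued chain is an ECC certificate signed with
# ecdsa-with-SHA256 (what orapki calls ecdsasha256) before importing it into
# the OHS wallet. Requires the openssl CLI; file names are assumptions.

# Classify the PEM certificate in $1: prints "ecc" for an EC public key with an
# ECDSA-SHA256 signature, "rsa" for an RSA key, "other" for anything else.
cert_kind() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$text" in
    *"Public Key Algorithm: id-ecPublicKey"*)
      case "$text" in
        *"Signature Algorithm: ecdsa-with-SHA256"*) echo ecc ;;
        *) echo other ;;
      esac ;;
    *"Public Key Algorithm: rsaEncryption"*) echo rsa ;;
    *) echo other ;;
  esac
}

# check_ecc_chain rootca.crt [intca.crt ...] server.crt
# Returns 0 only if every file is an ecdsa-with-SHA256 ECC certificate.
check_ecc_chain() {
  rc=0
  for c in "$@"; do
    k=$(cert_kind "$c") || { echo "unreadable certificate: $c"; rc=1; continue; }
    if [ "$k" != ecc ]; then
      echo "not an ECC/ecdsasha256 certificate: $c ($k)"
      rc=1
    fi
  done
  return $rc
}

# Constructed test data: a self-signed secp256r1/SHA-256 certificate (the
# kind the CA should return) and an RSA one (which would break the ECC chain).
WORK=$(mktemp -d)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -sha256 -nodes \
  -subj "/CN=ecc-test" -days 1 -keyout "$WORK/ecc.key" -out "$WORK/ecc.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
  -subj "/CN=rsa-test" -days 1 -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" 2>/dev/null

check_ecc_chain "$WORK/ecc.crt" && echo "all-ECC chain: OK to import"
check_ecc_chain "$WORK/ecc.crt" "$WORK/rsa.crt" || echo "mixed chain: do not import"
```

In a real environment you would call check_ecc_chain with rootca.crt, intca.crt and server.crt and only proceed to the orapki imports if it returns 0.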

5) Modify the Oracle HTTP Server Wallet

a) Identify s_ohs_instance_loc:

[appluat@myserver Apache]$ egrep 's_ohs_instance_loc|s_ohs_component' $CONTEXT_FILE

b) Move the existing wallet files to a backup directory in case you wish to use them again in the future.

c) Copy cwallet.sso from <s_web_ssl_directory>/Apache into the Oracle HTTP Server wallet directory, <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default.

6) Modify the OPMN wallet

a) Navigate to the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory 

b) Move the existing wallet files to a backup directory in case you wish to use them again in the future.

c) Copy cwallet.sso from <s_web_ssl_directory>/Apache into <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory

7) Configure the OPMN Cipher Suites

Ensure that all the services are down.

NOTE: With an ECC certificate there is no need to specify any ciphers; you must remove the ssl-ciphers attribute from opmn.xml.

Open the opmn.xml file located under your web tier instance directory $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OPMN/opmn and set the ssl element as follows (no ssl-ciphers attribute):

<ssl enabled="true"
    wallet-file="/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"/>

Modify the Fusion Middleware Control Console wallets

Move the existing wallet files to a backup directory in case you wish to use them again in the future:
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
  • $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet

Primary Application node

Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to the following locations:
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
  • $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet

DMZ node

Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to the following location:

$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet


8) Update the context file and config files.

OHS as the TLS Termination Point

Note: If using an ECC certificate, there is no need to specify any ciphers.

  1. Log in to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
  2. Select the Web Tier target under the EBS domain.
  3. Select Administration > Advanced Configuration.
  4. Select the ssl.conf file for editing.
  5. Update the Listen <port> and the VirtualHost _default_:<port> directives to the SSL port, for example Listen 4443.
  6. Update the SSLProtocol entry to match the following (with an ECC certificate, the SSLCipherSuite entry is not needed):
     SSLProtocol TLSv1 TLSv1.1 TLSv1.2

Edit the admin.conf file

Edit the admin.conf file located under the $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component> directory.

If using an ECC certificate, there is no need to specify any ciphers. You must comment out or delete the SSLCipherSuite line, because the RSA cipher suites used for the RSA certificate will not work with the ECC certificate.

SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2

The following command should be run (on all application tier nodes) to propagate the changes made through the Oracle Fusion Middleware Control Console to the context file variables:

$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:
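Steps 7 and 8 both come down to two conditions per file: TLS 1.2 must be enabled, and the RSA cipher list that was correct for the old certificate must be gone, because it will not work with the ECC certificate. The script below is an added example (not part of the original post) that audits ssl.conf, admin.conf and opmn.xml for exactly those conditions, distinguishing a commented-out SSLCipherSuite line (fine) from an active one (an RSA leftover). The file contents are constructed samples written to a temporary directory, not copied from an installation, and the cipher name in them is only illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): post-change audit of the OHS
# and OPMN TLS settings from steps 7 and 8. Checks that TLS 1.2 is enabled
# and that no RSA cipher list is left behind, since an ECC certificate needs
# no SSLCipherSuite / ssl-ciphers entry. Sample files are constructed here.

# check_ohs_conf FILE: 0 if SSLProtocol enables TLS 1.2 (TLSv1.2 in ssl.conf,
# nzos_Version_1_2 in admin.conf) and no active SSLCipherSuite line remains.
check_ohs_conf() {
  cfg="$1"; rc=0
  # An uncommented SSLCipherSuite line is the RSA leftover; a '#' one is fine.
  if grep -Eq '^[[:space:]]*SSLCipherSuite' "$cfg"; then
    echo "$cfg: active SSLCipherSuite line (remove or comment out for ECC)"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*(TLSv1\.2|nzos_Version_1_2)' "$cfg"; then
    echo "$cfg: SSLProtocol does not enable TLS 1.2"; rc=1
  fi
  return $rc
}

# check_opmn_xml FILE: 0 if the <ssl> element lists TLSv1.2 in ssl-versions
# and carries no ssl-ciphers attribute.
check_opmn_xml() {
  cfg="$1"; rc=0
  if grep -Eq 'ssl-ciphers[[:space:]]*=' "$cfg"; then
    echo "$cfg: ssl-ciphers attribute present (remove for ECC)"; rc=1
  fi
  if ! grep -Eq 'ssl-versions[[:space:]]*=[[:space:]]*"[^"]*TLSv1\.2' "$cfg"; then
    echo "$cfg: ssl-versions does not include TLSv1.2"; rc=1
  fi
  return $rc
}

WORK=$(mktemp -d)

# Constructed ssl.conf after the ECC change: TLS 1.2 on, cipher line commented.
cat > "$WORK/ssl.conf.good" <<'EOF'
Listen 4443
<VirtualHost _default_:4443>
  SSLEngine on
  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  # SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA
</VirtualHost>
EOF

# Constructed ssl.conf still carrying the RSA cipher list and no TLS 1.2.
cat > "$WORK/ssl.conf.bad" <<'EOF'
SSLProtocol TLSv1
SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA
EOF

# Constructed admin.conf using the nzos_ protocol names from step 8.
cat > "$WORK/admin.conf.good" <<'EOF'
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
EOF

# Constructed opmn.xml ssl element: the correct form, then the RSA leftover.
cat > "$WORK/opmn.xml.good" <<'EOF'
<ssl enabled="true"
    wallet-file="/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"/>
EOF
cat > "$WORK/opmn.xml.bad" <<'EOF'
<ssl enabled="true" wallet-file="/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet"
    ssl-versions="TLSv1.0,TLSv1.1" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA"/>
EOF

for f in ssl.conf.good ssl.conf.bad admin.conf.good; do
  check_ohs_conf "$WORK/$f" && echo "$f: OK"
done
for f in opmn.xml.good opmn.xml.bad; do
  check_opmn_xml "$WORK/$f" && echo "$f: OK"
done
```

Against a live instance, point check_ohs_conf at the ssl.conf and admin.conf under $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component> and check_opmn_xml at the opmn.xml under .../config/OPMN/opmn, before restarting the services.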

Configure Loopback and Outbound Connections



Step 1 - Update the AdminServer and the managed server (WLS) configuration

Note: If you have NOT already applied the April 2017 or later JDK patch to your application tier, then you will also need to add the -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 parameter. The JDK April 2017 patch and later do not require this additional parameter.

Append the following JVM parameter to all managed servers:

  1. Log in to Oracle Fusion Middleware Administration Console (for example, http://<hostname>.<domain>:<AdminServer Port>/console)
  2. Click on Lock & Edit.
  3. Under Domain Structure > your EBS domain > Environment and Servers, select one of the managed servers. (Note that you will need to repeat this for all managed servers in your environment.)
    Then under the Server Start tab in the Arguments section, add the following:
    -DUseSunHttpHandler=true
  4. Click on Save.
  5. Repeat steps 3 and 4 for all remaining managed servers.
  6. For each of the managed servers and the AdminServer, under the SSL tab, click on Advanced, and set the Hostname Verification to Custom Hostname Verifier and the Custom Hostname Verifier field to weblogic.security.utils.SSLWLSWildcardHostnameVerifier.
  7. Click on Activate Changes

For the AdminServer

For the WebLogic administration server, add the JVM parameter to the s_nm_jvm_startup_properties context variable.

Step 2 - Update the b64InternetCertificate.txt Truststore

If you need to import the CA certificate, you also need to append the contents of the root certificate (ca.crt) file to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

cat TrustedRoot.cer >> /U01/app/uat/fs1/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

If you were also provided an intermediate certificate (intca.crt), then you will also need to add that to the b64InternetCertificate.txt:

cat intca.crt >>/U01/app/uat/fs1/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

Step 3 - Update the cacerts Truststore

If you purchased your server certificate from a commercial CA, you will most likely not have to perform this step as the root CA certificate will already be present in cacerts. The keytool command will let you know if you attempt to add a certificate already present in cacerts.

Navigate to the <s_fmw_jdktop>/jre/lib/security directory

Copy your ca.crt (root) and intca.crt (intermediate) files to this directory, and issue the following command to ensure that cacerts has write permissions:

$ chmod u+w cacerts

Import ROOT CA

[appluat@myserver security]$ keytool -import -alias OHSRootCA -file /home/appluat/certs/TrustedRoot.cer -v -keystore cacerts
Enter keystore password:
Certificate already exists in keystore under alias <digicertglobalrootca [jdk]>
Do you still want to add it? [no]: yes
Certificate was added to keystore
[Storing cacerts]

For Oracle E-Business Suite Release 12.2 installations that use 64-bit JDK for Oracle Fusion Middleware, the steps in this section must be repeated for the 32-bit JDK keystore location that is still in use by some products. If the Application context file <s_fmw_java_use_64> variable is set to 'true', then repeat the steps for the 32-bit cacerts in $OA_JRE_TOP/lib/security.


In Oracle E-Business Suite 12.2, use the OAM Context Editor to change the TLS-related variables shown in this table:

TLS-Related Variables in the Context File

Variable                  | Non-TLS Value                                      | TLS Value
--------------------------|----------------------------------------------------|-----------------------------------------------------
s_url_protocol            | http                                               | https
s_local_url_protocol      | http                                               | https
s_webentryurlprotocol     | http                                               | https
s_active_webport          | same as s_webport                                  | same as s_webssl_port
s_webssl_port             | not applicable                                     | default is 4443
s_https_listen_parameter  | not applicable                                     | same as s_webssl_port
s_login_page              | URL constructed with http protocol and s_webport   | URL constructed with https protocol and s_webssl_port
s_external_url            | URL constructed with http protocol and s_webport   | URL constructed with https protocol and s_webssl_port
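Because AutoConfig regenerates ssl.conf and the login URLs from these variables, a value missed in the Context Editor quietly puts the old http settings back. The script below is an added example (not part of the original post) that reads each variable from the context file by its oa_var attribute and checks the relationships in the table: the three protocol variables are https, s_active_webport and s_https_listen_parameter equal s_webssl_port, and s_login_page and s_external_url are https URLs on that port. The context fragment it checks is constructed, and the element names around the oa_var attributes are assumptions rather than copied from a real $CONTEXT_FILE.

```shell
#!/bin/sh
# Added example (not from the original post): verify the TLS-related context
# variables from the table before running AutoConfig. Values are read by their
# oa_var attribute; the sample context fragments below are constructed and
# their element names are assumptions.

# ctx_get FILE VAR: print the value of the element tagged oa_var="VAR".
ctx_get() {
  sed -n "s/.*oa_var=\"$2\"[^>]*>\\([^<]*\\)<.*/\\1/p" "$1" | head -n 1
}

# check_tls_context FILE: 0 if the protocol variables are https, the active
# and listen ports equal the SSL port, and the URLs are https on that port.
check_tls_context() {
  ctx="$1"; rc=0
  for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
    if [ "$(ctx_get "$ctx" "$v")" != https ]; then
      echo "$v is not https"; rc=1
    fi
  done
  sslport=$(ctx_get "$ctx" s_webssl_port)
  if [ -z "$sslport" ]; then echo "s_webssl_port is not set"; rc=1; fi
  for v in s_active_webport s_https_listen_parameter; do
    if [ "$(ctx_get "$ctx" "$v")" != "$sslport" ]; then
      echo "$v does not match s_webssl_port ($sslport)"; rc=1
    fi
  done
  for v in s_login_page s_external_url; do
    case "$(ctx_get "$ctx" "$v")" in
      https://*:"$sslport"|https://*:"$sslport"/*) ;;
      *) echo "$v is not an https URL on port $sslport"; rc=1 ;;
    esac
  done
  return $rc
}

WORK=$(mktemp -d)

# Constructed context fragment with the TLS values from the table.
cat > "$WORK/ctx.good.xml" <<'EOF'
<oa_context>
  <url_protocol oa_var="s_url_protocol">https</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <activewebport oa_var="s_active_webport" oa_type="PORT">4443</activewebport>
  <websslport oa_var="s_webssl_port" oa_type="PORT">4443</websslport>
  <https_listen_parameter oa_var="s_https_listen_parameter">4443</https_listen_parameter>
  <login_page oa_var="s_login_page">https://ebs.example.com:4443/OA_HTML/AppsLogin</login_page>
  <external_url oa_var="s_external_url">https://ebs.example.com:4443</external_url>
</oa_context>
EOF

# Constructed fragment where only the protocol was changed and the ports and
# URLs still carry the non-TLS values.
cat > "$WORK/ctx.bad.xml" <<'EOF'
<oa_context>
  <url_protocol oa_var="s_url_protocol">https</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <activewebport oa_var="s_active_webport" oa_type="PORT">8000</activewebport>
  <websslport oa_var="s_webssl_port" oa_type="PORT">4443</websslport>
  <https_listen_parameter oa_var="s_https_listen_parameter">4443</https_listen_parameter>
  <login_page oa_var="s_login_page">http://ebs.example.com:8000/OA_HTML/AppsLogin</login_page>
  <external_url oa_var="s_external_url">http://ebs.example.com:8000</external_url>
</oa_context>
EOF

check_tls_context "$WORK/ctx.good.xml" && echo "context file ready for AutoConfig"
check_tls_context "$WORK/ctx.bad.xml" || echo "context file still has non-TLS values"
```

Run it as check_tls_context "$CONTEXT_FILE" on each application tier node after editing the variables and before the AutoConfig step below.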

Synchronization Between Run and Patch File Systems

The following steps must be performed in order to synchronize the SSL setup between the two file systems:

Edit $APPL_TOP_NE/ad/custom/adop_sync.drv and add the following between the <Begin Customization> and <End Customization> section, after the existing <#Copy Ends>:
#SSL SECTION - START
# Required for SSL setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.
#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt
#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

Run AutoConfig.

Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.

 Restart the application tier services.

Use the adstpall.sh/adstrtal.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart all services.

Verify that you can access the application using HTTPS.



 



 



