Friday, July 25, 2014

EBS 12.2 -- Configuring SSL in Oracle E-Business Suite Release 12.2

Let's walk through an SSL implementation in EBS 12.2.
By SSL implementation I mean configuring the clients' browsers and the EBS web services to communicate over SSL. EBS itself relies on FMW for SSL communication between its components.


Info:
Oracle Fusion Middleware supports SSL version 3, TLS version 1 and JKS-based keystores for components running under Java and Oracle Wallets for other components, such as the Oracle HTTP Server.

In the web tier we still use Oracle Wallet to store and manage our certificates. Java keystores, on the other hand, are used to build secure communication to and from the WebLogic servers.

Info:
Oracle Fusion Middleware uses JKS keystore (the default JDK implementation of Java keystores used by Oracle WebLogic Server) to store keys and certificates.
Other components (such as Oracle HTTP Server) continue to use the Oracle wallet as their storage mechanism.

Info:
Using wildcard certificates is now certified with EBS 12.2.


Okay, let's start:
  • We start by creating a wallet. Open Oracle Wallet Manager as the applications OS user with the owm command. Set your environment first, and do not use the owm from the Oracle 10.1.2 home; we need the owm in the FMW home.

applmgr> export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
applmgr> owm &
(This opens the wallet manager in the background. Note that you need X Window access, i.e. xhost + run as root, and the required RPMs installed on your system, for example the 32-bit libXrender.)
On the Oracle Wallet Manager menu navigate to Wallet -> New.
Answer No to: “Your default wallet directory doesn't exist. Do you wish to create it now?”
The new wallet screen will now prompt you for a wallet password. Choose a password you will remember: you will need it whenever you open the wallet with Oracle Wallet Manager or operate on it with the command line interface. With auto login enabled, processes submitted by the OS user who created the wallet do not need to supply the password to access the wallet. Click Yes when prompted: “A new empty wallet has been created. Do you wish to create a certificate request at this time?”




  • Once the wallet is created, OWM asks whether we want to create a certificate request. We answer Yes and fill in the form accordingly, using the information our customer provides (OU, State, Country, Key Size and so on).





  • After creating our certificate request, we need to export it.



  • While exporting, note the directory name when prompted. This is the default directory of our wallet.

  • Give your CSR a name, for example server.csr, and save. This creates a server.csr file in your wallet directory, for example under /apps/fs2/EBSapps/10.1.2/owm/wallets/applmgr, and OWM reports that the file has been saved.


  • Now we send this CSR to our customer, who submits it to a Certificate Authority to request a server certificate.
That is how the process should go, and it is how it is documented, but sometimes we need to go beyond the documents.
If the customer has already acquired a certificate in .P12 format, we need to convert it:
we convert the P12 to a JKS, and then convert the JKS to a wallet.
Here is the method to do that:

keytool -v -importkeystore -srckeystore yourcert.p12 -srcstoretype PKCS12 -destkeystore yournewkeystore.jks -deststoretype JKS
-- You must use the same password for the new JKS and the private key ("mypassword" in this example).

keytool -import -alias Root -keystore yournewkeystore.jks -trustcacerts -file root.cer
keytool -import -alias Intermediate -keystore yournewkeystore.jks -trustcacerts -file intermediate.cer
$FMW_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd "mypassword"

$FMW_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd "mypassword" -keystore ./yournewkeystore.jks -jkspwd "mypassword"

-- Make sure the private key password and the wallet password match ("mypassword").
Open the newly created ewallet.p12 with Oracle Wallet Manager, tick "Auto Login" in the Wallet menu, then save. This creates cwallet.sso alongside ewallet.p12.

  • Once we have a valid wallet (ewallet.p12 plus the autologin file cwallet.sso), we can continue with the SSL configuration.
  • While making our wallet autologin in Wallet Manager, we should also save the wallet into the directory {s_web_ssl_directory}/Apache.
  • Note that the curly braces denote AutoConfig variables. You can find their values with: grep variable_name $CONTEXT_FILE
  • Note: if the trusted certificates that make up the chain of the server certificate are not all present in the wallet, adding the certificate will fail. When the wallet was created, only the certificates of the most common CAs were included automatically. Contact your Certificate Authority if you need to add their certificate, and save the provided file (for example as ca.crt) in the wallet directory. If your Certificate Authority provided an intermediate certificate (to complete the chain), save that file too (for example as intca.crt); it must be imported into Oracle Wallet Manager before importing the server certificate (server.crt if you used the example name).
  • Then we append our root and intermediate certificates to the b64InternetCertificate.txt file:
    cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt
    cat intca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt
  • Then we copy the cwallet.sso file from the {s_web_ssl_directory}/Apache directory (where we saved it) to the following directories.
-- Note: take a backup of the existing cwallet.sso in each of these directories before copying over it.

{s_ohs_instance_loc}/config/OHS/{s_ohs_component}/keystores/default
{s_ohs_instance_loc}/config/OPMN/opmn/wallet
$EBS_DOMAIN_HOME/opmn/{s_ohs_instance}/{s_ohs_component}/wallet
$EBS_DOMAIN_HOME/opmn/{s_ohs_instance}/wallet
$FMW_HOME/webtier/instances/{s_ohs_instance}/config/OHS/{s_ohs_component}/proxy-wallet
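The copy-with-backup step above, written as a POSIX shell function (an added example, not from the original post). It resolves the three AutoConfig variables from the context file, assumes FMW_HOME and EBS_DOMAIN_HOME are set as earlier in the post, and builds a constructed demo layout so it can be tried outside a real EBS install.

```shell
# Added example, not from the original post: copy cwallet.sso into the five
# OPMN/OHS wallet directories listed above, backing up any existing copy first.
# Assumes the context-file form <tag oa_var="s_name">value</tag> and that
# FMW_HOME and EBS_DOMAIN_HOME are set, as in the post.
ctx_get() {  # $1 = context file, $2 = oa_var name; prints the first match
    sed -n "s|.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*|\1|p" "$1" | head -n 1
}

# Print the target directories with the AutoConfig variables resolved.
wallet_dirs() {  # $1 = context file
    loc=$(ctx_get "$1" s_ohs_instance_loc)
    inst=$(ctx_get "$1" s_ohs_instance)
    comp=$(ctx_get "$1" s_ohs_component)
    printf '%s\n' "$loc/config/OHS/$comp/keystores/default" \
        "$loc/config/OPMN/opmn/wallet" \
        "$EBS_DOMAIN_HOME/opmn/$inst/$comp/wallet" \
        "$EBS_DOMAIN_HOME/opmn/$inst/wallet" \
        "$FMW_HOME/webtier/instances/$inst/config/OHS/$comp/proxy-wallet"
}

# Deploy $2 as cwallet.sso into each directory; an existing file is renamed to
# cwallet.sso.bak.<timestamp>. A missing directory is reported, not created,
# since it usually means a wrong variable value. Returns 1 on any problem.
deploy_cwallet() {  # $1 = context file, $2 = source cwallet.sso (paths without spaces)
    src=$2 stamp=$(date +%Y%m%d%H%M%S) rc=0
    [ -f "$src" ] || { echo "missing source wallet: $src" >&2; return 1; }
    for d in $(wallet_dirs "$1"); do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; rc=1; continue; }
        if [ -f "$d/cwallet.sso" ]; then mv "$d/cwallet.sso" "$d/cwallet.sso.bak.$stamp"; fi
        cp "$src" "$d/cwallet.sso" || rc=1
    done
    return $rc
}

# Constructed demo layout under $1: a minimal context file plus the five
# directories, so the function can be exercised without a real EBS install.
make_demo_env() {  # $1 = scratch root
    FMW_HOME=$1/fmw EBS_DOMAIN_HOME=$1/domain; export FMW_HOME EBS_DOMAIN_HOME
    cat > "$1/ctx.xml" <<EOF
<oa_context>
 <ohs_instance_loc oa_var="s_ohs_instance_loc">$1/inst</ohs_instance_loc>
 <ohs_instance oa_var="s_ohs_instance">EBS_web_OHS1</ohs_instance>
 <ohs_component oa_var="s_ohs_component">EBS_web</ohs_component>
</oa_context>
EOF
    for d in $(wallet_dirs "$1/ctx.xml"); do mkdir -p "$d"; done
    printf 'demo-wallet' > "$1/cwallet.sso"   # stand-in for the real autologin wallet
}
```

On a real system, point it at $CONTEXT_FILE and {s_web_ssl_directory}/Apache/cwallet.sso instead of the demo layout.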

  • Then we update the cacerts file (Oracle WebLogic Server, Oracle Web Services and others use this file):
cd {s_fmw_jdktop}/jre/lib/security
chmod u+w cacerts
keytool -import -alias OHSRootCA -file ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file server.crt -trustcacerts -v -keystore cacerts

On a UNIX system, TCP/IP port numbers below 1024 are special in that only processes with root privileges are allowed to listen on them.
So opening a privileged port requires extra steps, but we don't normally use a privileged port; we choose an arbitrary port above 1024.

So our cacerts and wallet files are configured. We continue with the application configuration so that it uses these files for SSL communication.

  • First, the web tier configuration:

Login to the Oracle Fusion Middleware Control Console (for example http://<hostname>.<domain>:<AdminServer Port>/em).
Select the Web Tier target under the EBS domain.
Select Administration > Advanced Configuration.
Select the ssl.conf file for editing.
Update the Listen <port> and VirtualHost _default_:<port> directives to your chosen SSL port, for example Listen 4443.
Click Apply.

Then run the following command as the application owner OS user, with the application environment set:
perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:


adSyncContext.pl propagates the changes we just made in the Oracle Fusion Middleware Control Console to the context file variables.

  • Secondly, we open the context file in OAM (or with the vi editor on the OS), and check and change the following AutoConfig variables where necessary:

SSL-related variables in the context file:

Variable                 | Non-SSL value                                    | SSL value
s_url_protocol           | http                                             | https
s_local_url_protocol     | http                                             | https
s_webentryurlprotocol    | http                                             | https
s_active_webport         | same as s_webport                                | Verify the port, correct if required.
s_webssl_port            | not applicable                                   | Verify the port, correct if required.
s_https_listen_parameter | not applicable                                   | Verify the port, correct if required.
s_login_page             | URL constructed with http protocol and s_webport | Verify the protocol and port, correct if required.
s_external_url           | URL constructed with http protocol and s_webport | Verify the protocol and port, correct if required.

  • Lastly, we shut down the application services and run AutoConfig so that the system is configured with the new variable values; AutoConfig applies the SSL configuration system-wide. When AutoConfig completes, we start our services.
So that's it: we have configured our EBS 12.2 environment to work with SSL.
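To catch a half-done edit before AutoConfig rewrites the configuration system-wide, here is a small POSIX shell check over the SSL-related variables in the table above. It is an added example, not part of the original post; the element names in the constructed sample context file are assumptions, only the oa_var attribute values matter.

```shell
# Added example, not from the original post: sanity-check the SSL-related
# AutoConfig variables in an EBS 12.2 context file before running AutoConfig.
# Assumes the standard context-file form <tag oa_var="s_name">value</tag>.
ctx_get() {  # $1 = context file, $2 = oa_var name; prints the first match
    sed -n "s|.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*|\1|p" "$1" | head -n 1
}
# Report every variable that does not match the SSL column of the table above:
# one line per problem, return 0 only when the file is consistent.
check_ssl_context() {  # $1 = context file
    ctx=$1 rc=0
    for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
        val=$(ctx_get "$ctx" "$v")
        [ "$val" = "https" ] || { echo "$v=$val (expected https)"; rc=1; }
    done
    ssl_port=$(ctx_get "$ctx" s_webssl_port)
    case $ssl_port in   # the post chooses a non-privileged port above 1024
        ''|*[!0-9]*) echo "s_webssl_port=$ssl_port (not numeric)"; rc=1 ;;
        *) [ "$ssl_port" -gt 1024 ] ||
               { echo "s_webssl_port=$ssl_port (privileged port)"; rc=1; } ;;
    esac
    for v in s_active_webport s_https_listen_parameter; do
        val=$(ctx_get "$ctx" "$v")
        [ "$val" = "$ssl_port" ] ||
            { echo "$v=$val (expected s_webssl_port=$ssl_port)"; rc=1; }
    done
    for v in s_login_page s_external_url; do
        val=$(ctx_get "$ctx" "$v")
        case $val in
            https://*:"$ssl_port"/*|https://*:"$ssl_port") ;;
            *) echo "$v=$val (expected https://host:$ssl_port/...)"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample context file: protocols partly updated, ports half done.
make_sample_ctx() {  # $1 = output path
    cat > "$1" <<'EOF'
<oa_context>
 <url_protocol oa_var="s_url_protocol">https</url_protocol>
 <local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
 <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
 <webssl_port oa_var="s_webssl_port">4443</webssl_port>
 <activewebport oa_var="s_active_webport">8000</activewebport>
 <https_listen_parameter oa_var="s_https_listen_parameter">4443</https_listen_parameter>
 <login_page oa_var="s_login_page">https://ebs.example.com:4443/OA_HTML/AppsLogin</login_page>
 <external_url oa_var="s_external_url">http://ebs.example.com:8000</external_url>
</oa_context>
EOF
}
```

Against the sample file the check reports three problems (s_webentryurlprotocol, s_active_webport and s_external_url); on a real system run check_ssl_context "$CONTEXT_FILE" before starting AutoConfig.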

Some important notes about the SSL configuration in EBS 12.2:

After this configuration, we reach our login page using https://hostname:ssl_port
  • Even if we use http://hostname:non_ssl_port to reach the login page, it is redirected to the SSL-enabled URL https://hostname:ssl_port.
  • That is, our non-SSL TCP port stays open. We can close it by editing httpd.conf, commenting out the line starting with Listen, and restarting Apache. However, I don't recommend it, because that port is kept open for products that need to access some of their pages via HTTP, and for the Oracle E-Business Suite Help System.
  • In short, you will not be able to use the EBS Help pages if you close that non-SSL TCP port.
  • One last thing: with this configuration our Forms will work over SSL too, because EBS uses the servlet architecture in the Forms communication layer. So we don't need to do anything for Forms; Forms will communicate over https.
  • Wildcards can be used in the certificates! Tested and verified: a certificate with the server name *.ermandom.com works very well.
  • Oracle E-Business Suite Release 12.2 currently supports securing the communication between the end user's browser and the data center. Securing the OPMN wallet with the Fusion Middleware Control Console is detailed in this document, but securing the internal communication (Oracle WebLogic managed servers and other components with Oracle HTTP Server) will be supported in a later release and will be detailed in this section when it becomes available.

17 comments:

  1. Hello Erman Arslan,

    Have you ever used a wildcard certificate for SSL implementation in EBS 12.2?

    We are trying to, however we are getting an error. While checking opmn.log, it keeps complaining:

    [2017-02-09T14:16:21-07:00] [opmn] [ERROR:1] [] [ons-secure] Connection 9;10.21.1.174;23154 SSL handshake failed (29039) and not able to access EBS.

    We followed all steps as per 1367293.1.

    What we did: created a wallet and imported the wildcard certificate as a trusted certificate. As we are not generating a certificate request, there is nothing to import at the user certificate level.

    Could you please advise where it is going wrong. We checked with Oracle; they are saying wildcard certificates are not supported for EBS 12.2.

    If you can help us it will be great.

    thanks

  2. I have used wildcard in EBS 12.2.
    It is supported to use wildcard for enabling SSL on EBS 12.2
    Oracle E-Business Suite Release 12.2 deployment of Oracle WebLogic Server includes an enhancement to allow wildcard certificates.
    However, in order to make a wildcard certificate work with the Oracle Wallet side, you need to take a different approach, as we did.

    Reference Documents:

    How to Import a Third Party Wallet into FMW 11g (11.1.1.X) (Doc ID 1268793.1) and How to Convert a Third Party Wallet to an Oracle Wallet in AS 10g (Doc ID 603622.1).

    Importing wildcard certificate as Trusted certificate is not what you need to do.
    Your wildcard certificate should be imported as User certificate and its status should be ready.

    The different approach that I mentioned above is->

    get all your certificates imported into a pfx file and then convert the pfx file to an Oracle Wallet.

    In other words,
    get a .pfx file which includes all the certificates.
    Create oracle wallet from this pfx file (convert pfx to wallet)

    Note that this is working, we tested it!

  3. Hi Erman,

    Thanks for the input.

    I will make the change as you suggested.

    thanks


  4. Hi Erman,
    As we are using EBS 12.2, we are following the note: How to Import a Third Party Wallet into FMW 11g (11.1.1.X) (Doc ID 1268793.1).

    1) got the pfx file with all certificate.
    2) Created the Oracle wallet under <s_web_ssl_directory>/Apache.
    3) Imported the pfx file; still it is not importing as a user certificate.

    Could you please advise what I am missing.

    Do you have any steps how to import the pfx file.

  5. Your wildcard certificate should be imported as a User certificate and its status should be ready.

    So if you see it as a user certificate and if its status is ready, then you are okay.

  6. But you say your wildcard certificate is not imported as a user certificate.
    Aha. Then the issue should be that your pfx file has only the wildcard certificate but misses the trusted certificate.

    For this to work the pfx file has to contain the private key, the server certificate and "all the Trusted Root CA Certificates" that signed the server certificate.

  7. Is it supported to use wildcard for enabling SSL on EBS 12.1.3 ?

  8. For EBS 12.1.3 , it is not.
    For 12.2, it is supported.

  9. Hi Erman,
    It is still not working in our 12.2.5 EBS env.

    Could you please advise steps how to import the pfx file.

    thanks

    Replies
    1. Kishor,

      Give me the details (method/document you followed, error you are getting and so on), so I can help.

  10. Hi Erman,

    I am trying to implement SSL in R12.1.1 but I am not able to move ahead after performing step 2. We have a wildcard certificate. How do we move ahead? Kindly help me with this.

  11. It is not supported to use wildcard certificates for 12.1.1.
    If you want to use a wildcard certificate, offload the SSL processing to a Load Balancer or a frontend web server that can do wildcard based SSL processing.

    Replies
    1. How to do this? Can you provide me the steps to do this?

  12. Hi Erman


    Can you suggest, is it possible to import a wildcard certificate (third party) for EBS 12.1.3? We badly need this as we can't upgrade our EBS as of now. We are working on an EBS DMZ and I have 2 nodes for the application tier.

    Thanks.
    Karthick

  13. For EBS 12.1.3 , it is not.
    For 12.2, it is supported.

    If you need it so badly, then put a reverse proxy (which is capable of working with wildcard certificates) in front of the apps tier nodes and configure it to be used with EBS. Make the reverse proxy deal with the SSL work. A load balancer can also do the same job; I mean, you can use SSL offloading.

    Replies
    1. Thanks.

      If I make a reverse proxy, how about the https for the DMZ apps tier? I can install another web server in front of the apps tier and configure the wildcard certificate, but when I reverse proxy, I still need to reverse with http. Correct me if I am wrong.

      thanks once again...

  14. For reverse proxy, you can use https to https as well. However, your EBS apps tier certificates should not be wildcard (since you are on EBS 12.1). This should be tested.

    But, if you use load balancer, then you don't install ssl certificates on EBS.. so, Load balancer does the SSL thing.. So if you use wildcard certificates on Load Balancer side, that should work.
