Saturday, February 7, 2015

SSO 10G -- Enabling SSL on EBS integrated SSO 10g-- watch out for Browser Security! , TLS

Recently, I was enabling SSL on a SSO 10g environment..
SSO was integrated to OID and EBS was a partnera application.
I have done all the steps in the following document and configured SSO to use SSL properly.
http://ermanarslan.blogspot.com.tr/2014/09/ebssso-enabling-ssl-on-sso-due-to.html
Besides , I have obtained the approval of Oracle Support for the action plan I followed for this.

1)
Create a wallet , export certificate request and send them to the security admins who are responsible for producing the corresponding certificate files. Once you got the certificate files, import them to your wallet.
Note that: you need to use the owm binary located in your SSO 10G Oracle Home.. So set your path accordingly.. If you use owm binary located in another Oracle Home ,for example: OID 11g Home(suppose you have OID 11g and SSO 10G running on the same server), you ll encounter problems..

2)
In SSO Server;
In opmn.xml, change the value for the start-mode parameter to ssl-enabled.

<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>

3)
In SSO Server;
Note that: If you are using Distributed Configuration Management; update your distributed cluster management database using -> $ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn

Reload the modified opmn configuration file:
$ORACLE_HOME/opmn/bin/opmnctl reload

4)
In SSO Server;
Restart Oracle HTTP Server.

$ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
$ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server

5)
In SSO Server;
Change single server urls using ssocfg.sh
$ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
For ex: ssocfg.sh https ermanhost.domain 4443

Check, OID odsm;open cn=OracleContext>cn=Products>cn=DA and select cn=OperationURLs, The right hand pane will display a number of fields or attributes. The last field will be orcldasurlbase and will
should be set to sso server and its https port.
Clear the cache of OID, just in case;

Clear oid cache by connecting to OID database using sqlplus.. (with orasso user) and executing the following;
sqlplus orasso/(orasso_password) --> find it first
wwsec_oid.refresh_local_cache(true);
commit;

-To find Orasso Password:

echo "enter username :\c "
read username
echo "enter orcladmin password :\c "
read orclpass
echo "enter oid port :\c "
read oid_port
host=`uname -n`
ldapsearch -D cn=orcladmin -w $orclpass -p $oid_port -h $host \
-b "cn=IAS,cn=Products,cn=OracleContext" \
-s sub -v OrclresourceName=$username | grep orclpasswordattribute |cut -d= -f

6)
In SSO Server;
update $ORACLE_HOME/sysman/emd/targets.xml file.

Update the three attributes this way:
<Property NAME="HTTPMachine" VALUE="ermanhost.domain"/>
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>

and reload the conf.. -> $ORACLE_HOME/bin/emctl reload

7)
In SSO Server;
Restart your HTTP Server and OC4J Security processes..
$ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
$ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

8)
From the client's browser;
Check and see that you can reach the SSO server using https.. https://host:ssl_port.
Once you are able to reach the SSO Server using https without any certificate errors or warnings, continue with the next step

9)
In EBS Server;
Deregister and register your EBS;
“txkrun.pl -script=SetSSOReg -deregister=Yes”
“txkrun.pl -script=SetSSOReg -removereferences=Yes”
Scripts above, will deregister SSO & OID from Apps & 10g AS Infrastructure Tier.

$FND_TOP/bin/txkrun.pl -script=SetSSOReg , and this script will register SSO again.



Anyways, after enabling SSL on SSO, I tried to reach the SSO server using its https port, but I could not reached.
No matter what, SSO server was encountering errors after enabling SSL..
I have increased the log level of Apache, but it didnt help , because the errors were in SSL level..
The situation was exactly the same as explained in the following document.

TLS 1.0 Handshake Fails With "SSL call to NZ function nzos_Handshake failed with error 29014" ( Doc ID 470123.1 )

Also suddenly, a guy from the security team said that they disabled SSL on the client browser due to some security reasons, and also said "please use TLS" ..

The problem was obvious.. Our configuration was okay, but browsers was not speak ssl..
Then we checked reaching the SSO server from its ssl port using a Firefox Browser.
There was not configuration done in Firefox browsers to disable ssl protocol..
Yes.. The problem was in the browser level.. 
Our SSO server should speak TLS not SSL.. Because SSL was disabled in all the clients browsers using a Domain Policy.

So, as an action plan;
We will apply the CPU patches on to of 10.1.4.3.0 and retest.
It seems, 10g SSO server cant use TLS properly without these CPU patches.
The document for obtaining the CPU patches is again : TLS 1.0 Handshake Fails With "SSL call to NZ function nzos_Handshake failed with error 29014" ( Doc ID 470123.1 )

The fix should be patch 6370967.. We will apply this patch in SSO Oracle Home and retest..

I will update this post after resolving the issue.

Yes! patch 6370967 is the fix..

No comments :

Post a Comment