Friday, May 8, 2015

EBS/SSL-- support/certification for SHA2 and TLS 1.1,1.2 and above

Regarding SHA2

EBS , even the latest version EBS 12.2 does not support SHA2 certificates.
Oracle states this as follows;
Ref : Oracle Support
"At the present, there is no Oracle solution to this problem. An internal   Bug 8839166- support for sha2 at ssl level has been raised.
For Fusion Middleware 11g, the future plans are that these algorithms will be supported when a release of FMW is released that incorporated
11.2.0.3 Required Support Files or higher."

The workaround for using SHA2 certificates with EBS is using a proxy server or load balancer in  front of the EBS Application Server.

Here is the action plan for accomplishing that:

Option a) Proxy server:

1. Download and install vanilla Apache 2.2 and configure mod_ssl and openssl accordingly.
2. Configure Apache 2.2 as a proxy server to Oracle Application Server" See: Note 1275428.1 - Support Status for SHA2 in Oracle Application Server (10.1.2.X.X/10.1.3.X.X) and Fusion Middleware 11g (11.1.1.X)
The document can be followed for proxy based configuration is :380490.1 Oracle E-Business Suite R12 Configuration in a DMZ / 5.4.1: Update Oracle E-Business Suite Applications Context File

Option b) Load Balancer:

376700.1 Enabling SSL in Release 12 / Step 8 - Update the Context File / Changes when using an SSL Accelerator

Regarding TLS version > 1.0 

EBS does not support TLS versions above 1.0.. Only TLS 1.0 has been certified with EBS R12..
EBS cant support TLS versions above 1.0 due to a limitation in Oracle HTTP Server that comes bundled with EBS installations. On the other hand; Oracle development have plans to certify TLS version > 1.0 with EBS 12.1 and 12.2 ... Unfortuneatly, planned release dates of these certifications are not publicly available yet.
To get the latest certifications about TLS versions, following blog can be followed: Please continue to review the Steve Chan 's blog : https://blogs.oracle.com/stevenChan/entry/out_with_the_old_ssl

So, if you disable TLS version 1.0 in the client browsers due to security issues, you can't use an SSL enabled EBS properly..

The workarounds for using TLS versions above 1.0 with EBS can be using a Reverse Proxy or a Load Balancer in front of EBS Application tier.

Full path ssl, or partially ssl should work , altough it is not tested..


Client --- TLS 1.2 -- Proxy -- TLS 1.0 -- EBS Application Server
Client --- TLS 1.2 -- Load Balancer -- TLS 1.0 -- EBS Application Server


For using Proxy, following action plan can be used:

1. Enable SSL/TLS for EBS  "Enabling SSL or TLS in Oracle E-Business Suite Release 12" ( Doc ID 376700.1 ) 

2. Configure Reverse Proxy according to your Proxy  documentation

3. Configure EBS to point to the Reverse Proxy by following note: "Oracle E-Business Suite R12 Configuration in a DMZ" ( Doc ID 380490.1 )

In conclusion,
As EBS does not support SHA2 and TLS > 1.0 , Reverse Proxy and Load Balancer configurations are needed .. These type of configurations modify the general topology, require installation&configuration work and maintanence..
So, the choice is yours.. Using SHA1 can be an alternative for SHA2 and continuing with TLS 1.0 can be an alternative for TLS versions > 1.0.. 
Maybe Oracle will certify both SHA2 and TLS soon.. Maybe it will not be certified, we dont know yet.. 
So, the choice is yours..
The reason of this blog post is to show you the workarounds which can be used if you must use TLS > 1.0 or SHA2 certificates with your EBS environments..

Lastly, I will share the following picture(ref:https://technology.amis.nl) to show you what the topology looks like when using a proxy server to supply one of these workarounds...


So, The EBS web entry point is the Reverse Proxy URL.
The Clients are speaking TLS 1.2 and the proxy ( configured  properly to start a new separate conversation with EBS server) is speaking  TLS 1.0 with EBS Application Servers.. This configuration should work even if TLS 1.0 is disabled in the client browsers..
For SHA2 certificates, the situation is the same..
I mean [Client]--HTTPS (443)-->[Reverse Proxy] --HTTPS (443 or 4443) --> [EBS Application Tier] will work..

I would appreciate your comments on the paper including the acceptance or rejection on the basis of the things described above.

10 comments :

  1. I heard that sha-2 has been certified to be used with R12.1.3; however, I can't find any doc or blogs that confirms that. Do you know anything about it?

    Many thanks!

    ReplyDelete
  2. No . It is not certified .

    ReplyDelete
    Replies
    1. As EBS does not support SHA2 and TLS > 1.0, a Reverse Proxy or a Load Balancer configurations is needed ..

      Delete
  3. SHA-2 is certified now.

    https://blogs.oracle.com/stevenChan/entry/sha_2_signed_pki_certificates


    But , a lot of people including us are facing issues and complaining. Just FYI.

    ReplyDelete
  4. Thank you for your feedback, Karan. I will take a look...

    ReplyDelete
  5. Hi Erman,

    Great work on your blogs!!! Still trying to figure out, running a reverse proxy server, still have old version of Apache 2.0.63, can this be upgraded directly to Apache 2.4.x or must this be upgraded to 2.2.x?

    Thanks Mahomed

    ReplyDelete
  6. Web server should be in front. It should not be a part of EBS. We are not talking about EBS's own Web Server here.

    Put a webserver in front, do SSL work there, configure it as a reverse proxy and make it speak SSL with clients and speak non-SSL with EBS 's web server.

    ReplyDelete
  7. Check this out, it can give you some idea.
    https://ermanarslan.blogspot.com.tr/2016/08/reverse-proxy-enabling-ssl-on-jira.html

    ReplyDelete

If you will ask a question, please don't comment here..

For your questions, please create an issue into my forum.

Forum Link: http://ermanarslan.blogspot.com.tr/p/forum.html

Register and create an issue in the related category.
I will support you from there.