Regarding SHA2
EBS, even the latest version, EBS 12.2, does not support SHA2 certificates.
Oracle states this as follows (Ref: Oracle Support):
"At the present, there is no Oracle solution to this problem. An internal Bug 8839166 - support for sha2 at ssl level has been raised. For Fusion Middleware 11g, the future plans are that these algorithms will be supported when a release of FMW is released that incorporates 11.2.0.3 Required Support Files or higher."
The workaround for using SHA2 certificates with EBS is to put a proxy server or a load balancer in front of the EBS Application Server.
Here is the action plan for accomplishing that:
Option a) Proxy server:
1. Download and install vanilla Apache 2.2 and configure mod_ssl and openssl accordingly.
2. Configure Apache 2.2 as a proxy server to Oracle Application Server. See: Note 1275428.1 - Support Status for SHA2 in Oracle Application Server (10.1.2.X.X/10.1.3.X.X) and Fusion Middleware 11g (11.1.1.X)
The document to follow for the proxy-based configuration is Note 380490.1 Oracle E-Business Suite R12 Configuration in a DMZ / 5.4.1: Update Oracle E-Business Suite Applications Context File
Option b) Load Balancer:
Note 376700.1 Enabling SSL in Release 12 / Step 8 - Update the Context File / Changes when using an SSL Accelerator
Regarding TLS version > 1.0
EBS does not support TLS versions above 1.0. Only TLS 1.0 has been certified with EBS R12.
EBS can't support TLS versions above 1.0 due to a limitation in the Oracle HTTP Server that comes bundled with EBS installations. On the other hand, Oracle development has plans to certify TLS versions > 1.0 with EBS 12.1 and 12.2. Unfortunately, the planned release dates of these certifications are not publicly available yet.
So, if you disable TLS version 1.0 in the client browsers due to security issues, you can't use an SSL-enabled EBS properly.
To get the latest certifications about TLS versions, please continue to review Steven Chan's blog: https://blogs.oracle.com/stevenChan/entry/out_with_the_old_ssl
The workarounds for using TLS versions above 1.0 with EBS are using a Reverse Proxy or a Load Balancer in front of the EBS Application tier:
Client --- TLS 1.2 -- Proxy -- TLS 1.0 -- EBS Application Server
Client --- TLS 1.2 -- Load Balancer -- TLS 1.0 -- EBS Application Server
Full-path SSL or partial SSL should both work, although this is not tested.
For using a Proxy, the following action plan can be used:
1. Enable SSL/TLS for EBS: "Enabling SSL or TLS in Oracle E-Business Suite Release 12" (Doc ID 376700.1)
2. Configure the Reverse Proxy according to your Proxy documentation
3. Configure EBS to point to the Reverse Proxy by following the note "Oracle E-Business Suite R12 Configuration in a DMZ" (Doc ID 380490.1)
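As an added example (not from the original post, and not Oracle's or Apache's own documentation), here is what the Option a) proxy and the "Client --- TLS 1.2 -- Proxy -- TLS 1.0 -- EBS" hop look like as an Apache 2.2 mod_ssl/mod_proxy virtual host. It assumes httpd 2.2.23 or later built against OpenSSL 1.0.1 (needed for the TLSv1.2 keyword); the host names ebs-proxy.example.com and ebsapp.internal, the port 4443 and the certificate paths are hypothetical.

```apache
# Added example (not from the original post): Apache 2.2 reverse proxy that
# terminates TLS 1.2 with a SHA-2 signed certificate for browsers and starts a
# separate TLS 1.0 conversation with the EBS application tier.
# Assumes httpd 2.2.23+ on OpenSSL 1.0.1+; host names and paths are hypothetical.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

Listen 443
<VirtualHost *:443>
    ServerName ebs-proxy.example.com

    # Client-facing leg: TLS 1.2 only, SHA-256 signed certificate (constructed paths).
    # Browsers with TLS 1.0 disabled never talk to EBS's own web server directly.
    SSLEngine on
    SSLProtocol -ALL +TLSv1.2
    SSLCertificateFile      /etc/httpd/ssl/ebs-proxy.sha256.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/ebs-proxy.key
    SSLCertificateChainFile /etc/httpd/ssl/ca-chain.crt

    # Back-end leg: EBS's bundled Oracle HTTP Server only speaks TLS 1.0, so allow
    # it on this hop only. Verify the EBS certificate against the internal CA so the
    # proxy does not silently accept any server answering on 4443.
    SSLProxyEngine on
    SSLProxyProtocol TLSv1
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/ssl/ebs-internal-ca.crt

    # Reverse proxy (not a forward proxy). The Host header is kept because the EBS
    # web entry point (context file) is the proxy's URL, not the EBS host.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://ebsapp.internal:4443/
    ProxyPassReverse / https://ebsapp.internal:4443/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The EBS side still needs the context-file changes from Note 380490.1 so that the URLs it generates point at the proxy, and the TLS 1.0 leg should remain on the internal network segment between the proxy and the application tier.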
In conclusion,
As EBS does not support SHA2 and TLS > 1.0, Reverse Proxy or Load Balancer configurations are needed. These types of configurations modify the general topology and require installation, configuration and maintenance work.
So, the choice is yours. Using SHA1 can be an alternative to SHA2, and continuing with TLS 1.0 can be an alternative to TLS versions > 1.0.
Maybe Oracle will certify both SHA2 and TLS soon. Maybe they will not be certified; we don't know yet.
The reason for this blog post is to show you the workarounds which can be used if you must use TLS > 1.0 or SHA2 certificates with your EBS environments.
Lastly, I will share the following picture (ref: https://technology.amis.nl) to show you what the topology looks like when using a proxy server to supply one of these workarounds.
So, the EBS web entry point is the Reverse Proxy URL.
The clients are speaking TLS 1.2 and the proxy (configured properly to start a new, separate conversation with the EBS server) is speaking TLS 1.0 with the EBS Application Servers. This configuration should work even if TLS 1.0 is disabled in the client browsers.
For SHA2 certificates, the situation is the same.
I mean [Client] --HTTPS (443)--> [Reverse Proxy] --HTTPS (443 or 4443)--> [EBS Application Tier] will work.
I heard that SHA-2 has been certified to be used with R12.1.3; however, I can't find any doc or blog that confirms that. Do you know anything about it?
Many thanks!

No. It is not certified.
As EBS does not support SHA2 and TLS > 1.0, a Reverse Proxy or a Load Balancer configuration is needed.

SHA-2 is certified now.
https://blogs.oracle.com/stevenChan/entry/sha_2_signed_pki_certificates
But a lot of people, including us, are facing issues and complaining. Just FYI.

Thank you for your feedback, Karan. I will take a look...

Hi Erman,
Great work on your blogs!!! Still trying to figure out: running a reverse proxy server, still have old version of Apache 2.0.63, can this be upgraded directly to Apache 2.4.x or must this be upgraded to 2.2.x?
Thanks, Mahomed

Web server should be in front. It should not be a part of EBS. We are not talking about EBS's own Web Server here.
Put a webserver in front, do SSL work there, configure it as a reverse proxy and make it speak SSL with clients and speak non-SSL with EBS's web server.
Check this out, it can give you some idea:
https://ermanarslan.blogspot.com.tr/2016/08/reverse-proxy-enabling-ssl-on-jira.html