Sunday, October 26, 2008

Enable SSL with Oracle Applications 11i

Implementing SSL with Oracle Applications 11i

What is HTTP?

Hypertext Transfer Protocol (HTTP) is a communications protocol for the transfer of information on the intranet and the World Wide Web. Its original purpose was to provide a way to publish and retrieve hypertext pages over the Internet.

What is HTTPS?

Hypertext Transfer Protocol over Secure Socket Layer, or HTTPS, is a URI scheme used to indicate a secure HTTP connection. It is syntactically identical to the http:// scheme normally used for accessing resources using HTTP. Using an https: URL indicates that HTTP is to be used, but with a different default TCP port (443) and an additional encryption/authentication layer between HTTP and TCP. This system was designed by Netscape Communications Corporation to provide authentication and encrypted communication and is widely used on the World Wide Web for security-sensitive communication such as payment transactions and corporate logons.


Overview

This document contains information for implementing SSL with Oracle E-Business Suite Release 11i. It covers the implementation steps for configuring SSL with Oracle HTTP Server, Oracle Forms 6i server, and Oracle Database server.

Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the application layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.

One common use of SSL is to secure Web HTTP communication between a browser and a Web server. This case does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (named HTTPS). The differences are that HTTPS uses the URL scheme https:// rather than http://, and its default communication port is 4443 on UNIX or 443 on Windows.


SSL Implementation with Oracle HTTP Server

The implementation of SSL for the Oracle HTTP server is based on mod_ssl (http://www.modssl.org) and openssl (http://www.openssl.org) technology. The Oracle HTTP server installation under Oracle E-Business Suite Release 11i includes the mod_ssl and openssl components. Once openssl has been used to generate your digital certificate and the proper directives for Oracle HTTP server have been defined, the Oracle HTTP server is capable of starting and running in SSL mode.

How SSL works with Oracle HTTP Server

1. The client sends a request to the server using HTTPS connection mode.
2. The server presents its certificate to the client. This certificate contains the server's identifying information.
3. The client checks its list of trust points and compares the information in the certificate with the server's public key. If it matches, the server is authenticated as a trusted server.
4. The client sends the server a list of the encryption levels, or ciphers, that it can use.
5. The server receives the list and selects the strongest level of encryption that they have in common.
6. The client creates a session key, which is used to encrypt the data, and sends this session key to the server, which can decrypt the data with its private key.


Step 1

SQL> select HOME_URL from icx_parameters;
HOME_URL
--------------------------------------------------
http://sys43.doyen.in:8000/oa_servlets/AppsLogin





On the Apps node:
cd $APPL_TOP/admin
cat VIS_sys43.xml | grep login_page
http://sys43.doyen.in:8000/oa_servlets/AppsLogin



Step 2

Set the following environment variables:
export SCRIPT_TOP=$COMMON_TOP/admin/scripts/sar_sys45
export APACHE_TOP=/oracle/app/apps/sarora/iAS/Apache
export OPENSSL_TOP=/oracle/app/apps/sarora/iAS/Apache/open_ssl
export OPENSSL_CONF=$OPENSSL_TOP/bin


Back up the context XML file in $APPL_TOP/admin.
Edit the context XML file in $APPL_TOP/admin and change the SSL-related variables to their SSL values.




Step 3

Using a self-signed certificate for the Web Server, generated by OpenSSL. Three files are involved:

Certificate request file (.cer)
Actual certificate file (.crt)
Private Key file (.key)


OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.

It can be used for

o Creation of RSA, DH and DSA key parameters
o Creation of X.509 certificates, CSRs and CRLs
o Calculation of Message Digests
o Encryption and Decryption with Ciphers
o SSL/TLS Client and Server Tests
o Handling of S/MIME signed or encrypted mail


$ openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 10000 -config openssl.cnf

Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.............................++++++
...........++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamil Nadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Doyensys
Organizational Unit Name (eg, section) []:ERP
Common Name (eg, YOUR name) []:sys43.doyen.in
Email Address []:erp@doyensys.com


$ openssl req -nodes -new -x509 -keyout apache.key -out apache_request.pem -days 3650 -config openssl.cnf

Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
....++++++
.................................................................................................++++++
writing new private key to 'apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Tamil Nadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Doyensys
Organizational Unit Name (eg, section) []:ERP
Common Name (eg, YOUR name) []:sys43.doyen.in
Email Address []:erp@doyensys.com

# Note: use the host name of your Applications URL as the Common Name (for example sys43.doyen.in)


$ openssl x509 -x509toreq -in apache_request.pem -signkey apache.key -out apache.csr
Getting request Private Key
Generating certificate request

$ openssl x509 -req -days 3650 -in apache.csr -signkey apache.key -out apache.crt
Signature ok
subject=/C=IN/ST=Tamil Nadu/L=Chennai/O=Doyensys/OU=ERP/CN=sys43.doyen.in/Email=erp@doyensys.com
Getting Private key



cp -f apache.crt $APACHE_TOP/Apache/conf/ssl.crt/server.crt
cp -f apache.key $APACHE_TOP/Apache/conf/ssl.key/server.key
cp -f cacert.pem $APACHE_TOP/Apache/conf/ssl.crt/ca.crt



Step 4

Stop Apps services.

Run Autoconfig.

Check Apache status


Step 5

SQL> select HOME_URL from icx_parameters;
HOME_URL
--------------------------------------------------
https://sys43.doyen.in:4443/oa_servlets/AppsLogin

On the Apps node:

cd $APPL_TOP/admin
cat VIS_sys43.xml | grep login_page
https://sys43.doyen.in:4443/oa_servlets/AppsLogin







Troubleshooting SSL Certificate

Use the following commands to check the validity of the certificate.

1. openssl x509 -subject -in server.crt
This command prints the subject line followed by the content of the certificate.

2. openssl x509 -noout -text -in server.crt
This command decodes the certificate and lists, among other fields, its validity period.

3. openssl s_client -connect host.domain:sslport
This command checks whether the SSL configuration works by performing a handshake from the command prompt.

Troubleshooting common SSL errors

1. Check out the following error,
[Tue Mar 15 21:37:25 2005] [notice] FastCGI: process manager initialized (pid 8951)
[Tue Mar 15 21:37:26 2005] [notice] Oracle HTTP Server Powered by Apache/1.3.19 configured -- resuming normal operations
[Tue Mar 15 21:37:59 2005] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Tue Mar 15 21:37:59 2005] [error] System: Connection reset by peer (errno: 104)
[Tue Mar 15 21:38:02 2005] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Tue Mar 15 21:38:02 2005] [error] System: Connection reset by peer (errno: 104)
[Tue Mar 15 21:38:03 2005] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Tue Mar 15 21:38:03 2005] [error] System: Connection reset by peer (errno: 104)

This is encountered when using browsers which are not compatible with the certificate file.

If this happens only with IE and not with Netscape, then the issue is with the certificate chain file.
Comment out SSLCertificateChainFile in httpd.conf.



2. Check the following error

RSA server certificate CommonName (CN) '' does NOT match server name!?
This error is usually found in ssl_engine_log. It occurs if a certificate obtained or created for one host is used for a different host.

This error can be ignored if there are no issues with applications.
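The three troubleshooting commands above and the CN mismatch error, combined into one script. This is an added example and not part of the original post; it assumes a working openssl binary, takes the certificate directory and host name as arguments, and the demo certificate it generates is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the checks a DBA would run on
# server.crt/server.key before Oracle HTTP Server is restarted in SSL mode.
# Assumes a working openssl binary; the demo certificate is constructed here.

# Returns 0 when the private key belongs to the certificate (same RSA modulus).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the certificate CN equals the host name used in HOME_URL; a
# mismatch is what produces the "CommonName (CN) ... does NOT match server
# name" entry in ssl_engine_log. Handles both "/CN=x" and "CN = x" subjects.
cert_cn_matches_host() {
    cn=$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Returns 0 when the certificate stays valid for at least $2 more seconds.
cert_not_expiring() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Writes a throwaway self-signed pair into directory $1 for host $2 (demo only).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Runs all three checks against a directory holding server.crt and server.key.
check_server_cert() {
    cert_matches_key "$1/server.crt" "$1/server.key" || { echo "key/cert mismatch"; return 1; }
    cert_cn_matches_host "$1/server.crt" "$2" || { echo "CN does not match $2"; return 1; }
    cert_not_expiring "$1/server.crt" 86400 || { echo "certificate expires within a day"; return 1; }
    echo "server.crt OK for $2"
}
```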



Create Certificate and Configuring SSL in Oracle Apps 11i


OS : Redhat Linux 4.5
Apps : 11i(11.5.10.2)
Webserver : Apache

Set the following environment variables:
export SCRIPT_TOP=$COMMON_TOP/admin/scripts/sar_sys45
export APACHE_TOP=/oracle/app/apps/sarora/iAS/Apache
export OPENSSL_TOP=/oracle/app/apps/sarora/iAS/Apache/open_ssl
export OPENSSL_CONF=$OPENSSL_TOP/bin

Edit the context XML file in $APPL_TOP/admin:
set the %s_url_protocol variable to https
set the %s_local_url_protocol variable to https
set the %s_webentryurlprotocol variable to https
set the %s_frmConnectMode variable to https
set the %s_webssl_port variable to the Apache SSL port required
set the %s_active_webport variable to the same value as the %s_webssl_port variable
set the %s_webport variable to the same value as the %s_webssl_port variable
set the %s_web_ssl_directory variable to the full path of the directory that is to contain the .crt and .key files used by Apache,
e.g. <$COMMON_TOP>/admin/certs/apache
set the %s_apps_portal_url variable to https
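A consistency check for the variables listed above, run against the context file before AutoConfig. This is an added example and not part of the original post or of AutoConfig; it assumes each oa_var element sits on its own line, as in a standard 11i context file, and the element names in the demo fragment are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verifies that the SSL-related
# oa_var values in an AutoConfig context file agree with each other before
# AutoConfig is run. Assumes one oa_var element per line; the element names
# in the demo fragment are constructed for this example.

# Prints the value of one oa_var (e.g. s_webssl_port) from context file $1.
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1"
}

# Returns 0 when the protocol variables are https, s_apps_portal_url starts
# with https, and s_active_webport/s_webport equal s_webssl_port; every
# violation is reported on stderr so a partial edit is easy to spot.
ctx_ssl_consistent() {
    f="$1"; rc=0
    for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol s_frmConnectMode; do
        [ "$(ctx_get "$f" "$v")" = https ] || { echo "$v is not https" >&2; rc=1; }
    done
    case "$(ctx_get "$f" s_apps_portal_url)" in
        https*) ;;
        *) echo "s_apps_portal_url is not https" >&2; rc=1 ;;
    esac
    sslport=$(ctx_get "$f" s_webssl_port)
    [ -n "$sslport" ] || { echo "s_webssl_port is unset" >&2; rc=1; }
    for v in s_active_webport s_webport; do
        [ "$(ctx_get "$f" "$v")" = "$sslport" ] || { echo "$v differs from s_webssl_port" >&2; rc=1; }
    done
    [ -n "$(ctx_get "$f" s_web_ssl_directory)" ] || { echo "s_web_ssl_directory is unset" >&2; rc=1; }
    return $rc
}

# Writes a constructed context fragment to $1 using protocol $2 and web port $3.
write_demo_ctx() {
    cat >"$1" <<EOF
<oa_context>
 <url_protocol oa_var="s_url_protocol">$2</url_protocol>
 <local_url_protocol oa_var="s_local_url_protocol">$2</local_url_protocol>
 <webentryurlprotocol oa_var="s_webentryurlprotocol">$2</webentryurlprotocol>
 <frmConnectMode oa_var="s_frmConnectMode">$2</frmConnectMode>
 <apps_portal_url oa_var="s_apps_portal_url">$2://sys43.doyen.in:$3/oa_servlets/AppsLogin</apps_portal_url>
 <webssl_port oa_var="s_webssl_port" oa_type="PORT">4443</webssl_port>
 <activewebport oa_var="s_active_webport" oa_type="PORT">$3</activewebport>
 <webport oa_var="s_webport" oa_type="PORT">$3</webport>
 <web_ssl_directory oa_var="s_web_ssl_directory">/oracle/app/apps/testcomn/admin/certs/apache</web_ssl_directory>
</oa_context>
EOF
}
```

Run `ctx_ssl_consistent $APPL_TOP/admin/VIS_sys43.xml` after editing and before AutoConfig; the http/8000 fragment fails every check while the https/4443 one passes.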

Stop Apps services

Run AutoConfig


mkdir sslcert
chmod 0700 sslcert
cd sslcert
mkdir certs private
echo '100001' >serial
touch certindex.txt


openssl req -x509 -newkey rsa:1024 -keyout private/cakey.pem -out cacert.pem -days 10000 -config openssl.cnf

ls -lrt
-rw-r--r-- 1 applmgr dba 963 Apr 17 20:24 cakey.pem
-rw-r--r-- 1 applmgr dba 1273 Apr 17 20:24 cacert.pem
openssl req -nodes -new -x509 -keyout apache.key -out apache_request.pem -days 3650 -config openssl.cnf
# Note: use the host name of your Applications URL as the Common Name (for example sys43.doyen.in)
-rw-r--r-- 1 applmgr dba 1273 Apr 17 20:26 apache_request.pem
-rw-r--r-- 1 applmgr dba 891 Apr 17 20:26 apache.key
openssl x509 -x509toreq -in apache_request.pem -signkey apache.key -out apache.csr
-rw-r--r-- 1 applmgr dba 2180 Apr 17 20:26 apache.csr
openssl ca -config openssl.cnf -policy policy_anything -out apache.crt -infiles apache.csr
-rw-r--r-- 1 applmgr dba 920 Apr 18 14:36 apache.crt


cp -f apache.crt /oracle/app/apps/testora/iAS/Apache/Apache/conf/ssl.crt/server.crt
cp -f apache.key /oracle/app/apps/testora/iAS/Apache/Apache/conf/ssl.key/server.key
cp -f cacert.pem /oracle/app/apps/testora/iAS/Apache/Apache/conf/ca.crt

Start apps services

Start Apache as the root user for https:

sh $COMMON_TOP/admin/scripts/_/adapcctl.sh start

e.g.: sh /oracle/app/apps/testcomn/admin/scripts/TEST_sys43/adapcctl.sh start


----------------------------------------------------------------------------------------
openssl x509 -subject -in apache.crt
openssl x509 -noout -text -in apache.crt
openssl s_client -connect host.domain:sslport

Refer to the following Metalink documents:
123718.1 ==> 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
300969.1 ==> Troubleshooting SSL with Oracle Applications 11i
