SSL stands for Secure Socket Layer which is protocol developed by Netscape. Data Transferred between Server & Client is secured (Encrypted).
Usually data transmitted between client machine & server (Web Server on http protocol & Forms Server on Sockets ) is clear text packets. Any one can put Packet Sniffer between Client machine & Server & can open & read all data transaction between your machine & Server (If he/she has network access) Hacker can get your Username/Password or any sensitive data. This become critical when you have Internet access to Oracle Applications 11i (Usually Self Service Implementation)
Communication between Client & Oracle Applications happens via three components.
- Oracle Web Server (Initial Connection & all self service access is via Web Server/Apache). If your Form Server is in servlet Mode then Core Applications are also accessed via Web Server (oacore Component)
- Oracle Form Server: For Core Oracle Application Access (Forms)
- Database : You access web server which in turn talks to database Server via UTL_HTTP package via dad (/pls/$SID)
So You enable SSL on particular component depending on your requirement & component which is accessible over Internet & should be secured. You can Implement across all three component or only one or any two.
SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).
SSL uses 2 types of Certificates:
1. User certificates:
These are Certificates issued to servers or users to prove their identity in a public key/private key exchange.
2. Trusted certificates:
These are Certificates representing entities that you trust – such as certificate authorities that sign the user certificates they issue.
How SSL works with Middle Tier Oracle HTTP Server:
- The client sends a request to the server using HTTPS connection mode.
- The server presents its certificate to the client. This certificate contains the server’s identifying information.
- The client checks its list of Trust points and compares the information in the certificate with the server’s public key. If it matches, the server is authenticated as a trusted server.
- The client sends the server a list of the encryption levels, or ciphers, that it can use.
- The server receives the list and selects the strongest level of encryption that they have in common.
- The client creates a session key which is used to encrypt the data and sends this session key to the server which can decrypt the data with its private key
How SSL works with Oracle Database Server:
- The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
- When the package fetches data from a Web site using HTTPS, it specifies the location to the Oracle Wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node’s server certificate.
For converting the application into SSL we need to have a Digital certificate. A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority’s private key to ensure authenticity. The Certificate Authority’s Public Key is widely distributed.
A Certificate Signing Request (CSR) is a digital file, which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.
A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A trusted third party, called a Certification Authority (CA), issues certificates. The document is usually in a standard X509 format and contains three elements:
- Entity attributes (information about your organization)
- Public key (which is bound to your organization)
- Digital signature of the trusted CA private key
Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate, which will be valid for 2 weeks for testing purposes.
Private (Server) Key:
The private key file is a digital file that you generate and for use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key), which is issued by your CA, is bound to this private key.
We will now look into the actual procedure for enabling the application with SSL. Not that below explanation is based on metalink note ID376700.1.
Middle tier setup
To start with SSL setup we have to create a certification request through Oracle wallet manager.
Step 1) Create wallet on the apps side
- Login to application tier with applmgr user ID and navigate to $INST_TOP/ora/10.1.3 directory and source .env file present at that location. This will make 10.1.3 (IAS_ORACLE_HOME) as your ORACLE_HOME.
- Navigate to $INST_TOP/certs/Apache directory.
- Backup Apache directory
- Start Oracle wallet manager
bash-2.05$ owm &
- Navigate Wallet -> New
Answer No to: “Your default wallet directory doesn’t exist. Do you wish to create it now?”
Set the wallet manager password (example. Welcome)
- Click Yes when prompted “A new empty wallet has been created. Do you wish to create a certificate request at this time”.
Following screen appears
Common Name – Your hostname
Organization Unit – Your department name
Organization – Your company name
Location/City – Your city name
State/Province – Your state name
Country – Your country name
Press OK once you fill all information. Save wallet in $INST_TOP/certs/Apache folder with name (server_name).cer
Once saved, it will ask, “A wallet already exist, you want to override”. You can say yes.
Click on certificate Request in the list provided on left side of Oracle wallet manager window and you can see your request contents on right side as seen in below screen.
- Wallet -> Autologin (Enable)
- Wallet -> Save
Once you get the request content, you have to get the certificates from certifying Authority like verisign. Currently the certificate request that you created is your .cer file. Using this file you can get the actual certificate file, which will be .crt file. Along with that file you will also get your private key file (.key). So after getting certificate you will have 3 files with you
- Certificate request file (.cer)
- Actual certificate file (.crt)
- Private Key file (.key)
Once you get the certificate, you have to generate CA certification file. Since for any SSL certificate we need to have CA(Certifying Authority) file. Some of the certifying authority companies also provide CA files. But here we will see how to generate CA file from certificate file (.crt).
Step 2) Creating your certifying authority’s certificate
- Copy/ftp (binary mode) .crt to the your PC desktop
- Double-click the file and go to Certification Path tab
- Double click on VeriSign/RSA Secure Server CA
- Go to Details tab and press Copy to File…
- Press Next and select “Base-64 encoded X.509(.CER)” and press next
- Give the name as ca
- Press Finish
A new ca.cer file will be present in your local PC. FTP back ca.cer file to your UNIX host.
Step 3) Converting the existing cert files
- Source the .env file again present at location $INST_TOP/ora/10.1.3
- Change dir to $INST_TOP/certs/Apache
- Copy .crt, ca.crt, servername.key to the current dir.
- Execute the following command:
$ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert ./.crt -key ./.key -cafile ./ca.cer -wallet . -ssowallet yes
Step 4) Appstier setup
Edit the context xml file in $APPL_TOP/admin, change the SSL related variables to SSL values
SSL Related Variables in the Context File
|Variable||Non-SSL Value||SSL Value|
|s_active_webport||same as s_webport||same as s_webssl_port|
|s_webssl_port||not applicable||default is 4443|
|s_https_listen_parameter||not applicable||same as s_webssl_port|
|s_help_web_agent||url constructed with http protocol and s_webport for both non-SSL and SSL|
|s_login_page||url constructed with http protocol and s_webport||url constructed with https protocol and s_webssl_port|
- Execute autoconfig
- Bounce the mid-tier services
Step 5) DB Tier Setup
Once you run autoconfig on Apps Tier, you need to do wallet setup on DB tier as well. Since R12 is autoconfig enabled, there will be a directory called appsutil in ORACLE_HOME on database side. Follow below steps to carry out the setup on database side.
- Login to DB tier as oracle user
- Change dir to $ORACLE_HOME/appsutil
- Create a new dir with name as wallet
- Start Oracle Wallet Manager (owm &)
- Wallet -> New
- Answer No to: “Your default wallet directory doesn’t exist. Do you wish to create it now?”
- Click No when prompted “A new empty wallet has been created. Do you wish to create a certificate request at this time”
- Save Wallet
- Copy ca.crt from the appl_top to $ORACLE_HOME/appsutil/wallet
- Navigate Operations-> Import Trusted Certificate
- Navigate to ca.crt
- Once import completed. Save wallet
- Navigate wallet-> autologin (enable)
- Save wallet
Step 6) Sanity check
- New Appslogin url: https://(hostname):(port)/OA_HTML/AppsLogin
- Notice the lock sign in the statusbar (bottom) of the browser. Click on the sign to verify the certificate
- Sanity check all the components.
- Login to db as sqlplus apps/(apps password)
- select utl_http.request(‘https://(hostname):(port)’,null,’file:(path to ORACLE_HOME/appsutil/wallet)’, null) from dual;
- It should display the first 2000 Chars of the html page.