SSL in Oracle Apps 11i

7/16/2014 Document 123718.1

https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=oet6dfkxn_107&id=123718.1 1/40

11i: A Guide to Understanding and Implementing SSL for Oracle Applications (Doc ID123718.1)

Modified: 20-Mar-2014 Type: WHITE PAPER

A Guide to Understanding and Implementing SSL with Oracle Applications 11i

This document contains information for implementing SSL with Oracle E-Business Suite Release 11i. It provides guidelines for asuccessful implementation and covers specific steps for configuring SSL with Oracle HTTP Server, Oracle Forms 6i server, and OracleDatabase server. The most current version of these notes is 123718.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=123718.1) on Oracle MetaLink. There is a change log at the end of this document.

Chapter 1. Overview

Concepts and Terminology SSL Implementations with the Applications Technology Stack

Chapter 2. Certificate Provisioning

Common Set-up StepsCertificate Provisioning for Oracle HTTP ServerCertificate Provisioning for Oracle Forms 6i ServerCertificate Provisioning for XML Publisher or Business Intelligence Publisher Certificate Provisioning for Oracle Database ServerWorking with Unrecognized CA Root Certificates

Chapter 3. Configuring SSL for AutoConfig-enabled System

Common Configuration StepsConfiguring SSL with Oracle HTTP ServerConfiguring SSL with Oracle Forms 6i ServerConfiguring SSL with Oracle Database Server

Chapter 4. Configuring SSL for non AutoConfig-enabled System

Common Configuration StepsConfiguring SSL with Oracle HTTP ServerConfiguring SSL with Oracle Forms 6i ServerConfiguring SSL with Oracle Database Server Additional Configuration Steps

Chapter 5. Verifying SSL Configuration

Verifying SSL Set-up for Oracle HTTP ServerVerifying SSL Set-up for Oracle Forms 6i Server Verifying SSL Set-up for Oracle Database Server

Chapter 6. Troubleshooting

Client ConnectionsStartup/Connection to Oracle HTTP ServerConnection to Oracle Forms Server Use of SSL with Oracle Portal

Appendices

A. Current Limitations and ConsiderationsB. Firewalls C. Use of the Forms Listener Servlet D. Converting OpenSSL Certificates to Wallet Format for use with Web Cache

Related Documentation

Chapter 1. Overview

This document describes procedures for configuring SSL with Oracle E-Business Suite Release 11i. It provides guidelines for a successful

https://support.oracle.com/epmos/faces/DocumentDisplay?id=123718.1

https://support.oracle.com/epmos/faces/AppendixD

7/16/2014 Document 123718.1


implementation and covers specific steps for configuring SSL with Oracle HTTP Server, Oracle Forms 6i Server, and Oracle DatabaseServer. You MUST configure SSL for both the Oracle HTTP Server and Oracle Forms (either the the Forms 6i Server or the Forms Listener

Servlet), these cannot be configured independently.

Oracle XML Gateway's Transport Agent and Oracle Workflow's Web services are the other two components that support both ClientAuthentication and Server Authentication and require manual steps for SSL configurations. For detailed SSL configuration steps, see thefollowing Oracle MetaLink notes:

Oracle Transport Agent

For 11.5.10, see the Oracle XML Gateway's User Guide Release 11i in the Virtual Applications DocumentationLibrary (http://www.oracle.com/technology/documentation/applications.html) .For 11.5.9 or earlier, see Oracle MetaLink Note 152775.1 Installing Oracle XML Gateway and Oracle Workflowwith Oracle Applications 11i. (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=152775.1)

Oracle Web Services

Oracle XML Gateway's User Guide Release 11i, in the Virtual Applications Documentation Libra(http://www.oracle.com/technology/documentation/applications.html)

Concepts and Terminology

Secure Sockets Layer (SSL)

SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for securetransactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).

Transport Layer Security (TLS)

Transport Layer Security is a cryptographic protocol that ensures privacy between communicating applications and their users on theInternet. While SSL is supported with all versions of the Oracle Application Server, TLS requires a minimum of Application Server 10.1.2.0. Oracle Applications Release 11i supports the use of SSL.Oracle Applications Release 12 supports the use of both SSL and TLS.

Certificate Authority (CA)

A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates aresigned with the Certificate Authority's private key to ensure authenticity. The Certificate Authority's Public Key is widely distributed.

Private (Server) Key

The private key file is a digital file that you generate and for use to decrypt messages sent to you. The certificate request (CSR) that yousend to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing the your publickey) which is issued by your CA, is bound to this private key.

Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a CertifyingAuthority (CA) to be converted into a real Certificate.

Digital Certificate (Public Key)

A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digitalinformation. Certificates are issued by a trusted third party, called a Certification Authority (CA). The document is usually in a standardX509 format and contains three elements:

Entity attributes (information about your organization)Public key (which is bound to your organization)Digital signature of the trusted CA private key

Secure Server Certificates

Secure Server Certificates are 128 bit certificates which provide 128 bit SSL encryption. If a browser has 128 bit support, then encryption isnegotiated to 128 bits. However, if the browser only supports 40 bit encryption, the level of encryption, regardless of a 128 bit certificate,will be negotiated down to 40 bits.

Global Server Certificates

Global Server Certificates, also referred to as Server Gated Cryptography, are 128 bit certificates that enable all browsers to use 128 bitencryption, even if the browser only supports 40 bit encryption. A global server certificate usually has 2 parts: the certificate itself and an

http://www.oracle.com/technology/documentation/applications.html


http://www.oracle.com/technology/documentation/applications.html

7/16/2014 Document 123718.1


extra intermediate certificate which is used to provide the step-up. The marketing names of these certificates vary depending on thecompany that issues the certificate, for example, Thawte call them 128 bit SuperCerts.

Note that it is not possible to get trial versions of global server certificates, therefore it is not possible to test unless one is purchased.

SSL Implementations with the Applications Technology Stack

Oracle E-Business Suite Release 11i has three interfaces for transactions between client and server:

Oracle HTTP Server for all communicationsOracle HTTP Server for initial connection, and Oracle Forms 6i Server for subsequent connections.Oracle Database Server for communication with Oracle HTTP Server using UTL_HTTP package

This chapter illustrates the SSL implementations - based on the three interfaces listed above - with the Applications Technology stack.

Section 1.1 . SSL Implementation with Oracle HTTP ServerSection 1.2 . SSL Implementation with Oracle Forms 6i ServerSection 1.3 . SSL Implementation with Oracle Database Server

Note: Throughout this document 1024 key size has been used as an example as it represented the most common secure key size whenthis document was initially written. In more recent years the recommendation has moved to a much higher key size, as part of Oracle E-Business Suite Releases 11i Critical Patch Update (July 2012) CPU 2048 key size was tested and supported.

Section 1.1. SSL Implementation with Oracle HTTP Server

The implementation of SSL for the Oracle HTTP server, is based on mod_ssl (http://www.modssl.org) and openssl (http://www.openssl.org) technology. The Oracle HTTP server installation under Oracle E-Business Suite Release 11i includes the mod_ssl and opensslcomponents. Once openssl has been used to generate your digital certificate and the proper directives for Oracle HTTP server have beendefined, the Oracle HTTP server is capable of starting and running in SSL mode.

How SSL works with Oracle HTTP Server

1. The client sends a request to the server using HTTPS connection mode.2. The server presents its certificate to the client. This certificate contains the server's identifying information.3. The client checks its list of Trust points and compares the information in the certificate with the server's public key. If it matches,

the server is authenticated as a trusted server.4. The client sends the server a list of the encryption levels, or ciphers, that it can use.5. The server receives the list and selects the strongest level of encryption that they have in common.6. The client creates a session key which is used to encrypt the data and sends this session key to the server which can decrypt the

data with its private key.

Section 1.2. Oracle 6i Forms 6i Server

Oracle Form 6i Server can operate in three separate modes: socket, HTTP and HTTPS. HTTP or HTTPS connection mode can be used forinternet transactions (outside the firewall), whereas socket mode can only be used for an organization's intranet (inside the firewall).HTTPS corresponds with SSL and is strongly recommended if a company is to allow transactions over the internet.

The implementation of SSL for the Oracle Forms 6i Server makes use of Oracle Wallet Manager, which is included in the Developer 6iServer install under the application server Oracle home from version 8.0.6 onwards. The tool is Java-based.

How SSL works with Oracle Forms 6i Server

1. The client sends a request to the server using the HTTPS protocol.2. The applet is downloaded and connects to the Forms Server Listener through HTTPS using the connectMode parameter of HTTPS.3. The server sends its certificate to the client and the client searches its list of Trust points. The list of Trust points is stored in the

certdb.txt file.4. The server is identified and authenticated.5. The client sends the server its list of encryption levels and the server chooses the strongest common level of encryption for

communication.6. Communication can now take place between the client and server.

Section 1.3. Oracle Database Server

Oracle products such as Oracle Configurator, Order Management, Order Capture, Quoting, iPayment, iRecruitment, iStore, and Pricingaccess data over the Internet in HTTP or HTTPS connection mode. The implementation of SSL for the Oracle database server which actsas a client sending requests to the Web server makes use of the Oracle Wallet Manager for setting up an Oracle wallet.

7/16/2014 Document 123718.1


How SSL works with Oracle Database Server

1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web node (Oracle HTTP server).2. When the package fetches data from a Web site using HTTPS, it needs to specify the location to the Oracle wallet that resides on

the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node's servercertificate.

Chapter 2. Certificate Provisioning

The SSL configuration includes two major steps: the acquisition of the necessary certificates, and the modifications to the variousconfiguration files maintained by the E-Business Suite Release 11i system. This chapter contains detailed instructions for provisioningcertificates that are required by the E-Business Suite Technology stack. Oracle MetaLink Note 119873.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=119873.1) explains the implementation of self-signed certificates. Thisdocument expands on that information and provides guidance for third-party CA certificates, and non-default naming port conventions.

In April 2006 Verisign began issuing Extended Validation (EV) certificates. Please see Note 436312.1 - Information on using new 3 tiercertificates issued by VeriSign with Applications 11i and be sure you understand the implications before using this type of certificate.

Common Set-up StepsOption 2.1 . Certificate Provisioning for Oracle HTTP ServerOption 2.2 . Certificate Provisioning for Oracle Forms 6i ServerOption 2.3 . Certificate Provisioning for XML Publisher or Business Intelligence Publisher Option 2.4 . Certificate Provisioning for Oracle Database ServerWorking with Unrecognized CA Root Certificate

Common Set-up Steps

Before proceeding with any set-up steps, you must review the information in Appendix A (Current Limitations and Considerations). Ifyou have read this, you understand the following:

You will be using two different certificates, one for the Oracle HTTP Server and one for the Oracle Forms 6i Server.If you are not on Oracle Forms version 6.0.8.10.3, at least one of your certificates (for Oracle Forms) will be limited to a size of 512bits.If you have not upgraded the version of JInitiator 1.1.8.3, the initial download of jar files for Forms (Core) Applications files will be overthe non-SSL Web server port.

For testing purposes, Verisign will allow your organization to apply for multiple free trial certificates. Each time you generate a certificaterequest (CSR), however, you must supply an Organizational Unit Name that is different. For example, to trial two certificates for yourorganization, one for the Oracle HTTP server and one for Oracle Forms server, you could call your Organizational Unit "My Unit - Apache"for the first CSR and "My Unit - Forms" for the second CSR.

The following instructions frequently reference the objects described below. Please set appropriate values for these variables in theenvironment that you are working in. You MUST use the directory structure and naming conventions contained herein to avoid problemswithin the SSL infrastructure.

Variable Value

COMMON_TOP refers to the common top directory containing the administration scripts with a default name in the form of [SID]comn

SCRIPT_TOP refers to the directory in the common top directory tree that contains the server administration scripts with a defaultname in the form of $COMMON_TOP/admin/scripts or $COMMON_TOP/admin/scripts/[SID] in later releases

APACHE_TOP refers to the installation location for the Oracle HTTP Server (powered by Apache). Before 11i.2, the default for thiswas $COMMON_TOP/util/apache/1.3.9/Apache, but from 11i.2 onwards this is held within the iAS Oracle Home witha default name in the form of ../[SID]ora/iAS/Apache

OPENSSL_TOP refers to the open_ssl directory which will be found in the $APACHE_TOP directory

OPENSSL_CONF refers to the openssl.cnf file which will be found in the $OPENSSL_TOP/bin directory

Option 2.1. Certificate Provisioning for Oracle HTTP Server

Follow the steps listed below to provision the necessary private key and certificate files for the SSL implementation for the Oracle HTTP


7/16/2014 Document 123718.1


Server.

Create the certificate using openssl

1. Create a working directory

a. Create a working directory that will eventually hold the private key file and certificate files. Listed below are commands for Unix.

% mkdir $COMMON_TOP/admin/certs

% mkdir $COMMON_TOP/admin/certs/apache

In an AutoConfig-enabled environment, the above directory is the value pointed to by the context variable 's_web_ssl_directory'.

b. Create two other subdirectories under the above directory.

% mkdir $COMMON_TOP/admin/certs/apache/ssl.crt

% mkdir $COMMON_TOP/admin/certs/apache/ssl.key

The above directories hold the certificate file and private key, respectively.

2. Create a random number file

The value of the RANDFILE parameter in the $OPENSSL_CONF file is the file that is used as a source of random characters whengenerating the private key. On UNIX the default value is:

RANDFILE = $ENV::HOME/.rnd

If you want to use this file to assist with the encryption algorithm, you should ensure that this file exists in the specified location.

If this file does not already exist, follow the steps listed in the example below to create it:

a. Change to a directory that contains some binary files such as ORACLE_HOME/bin of your Oracle 8.0.6 installation:

% cd $ORACLE_HOME/bin

b. Execute the following command to generate the random character file:

% $OPENSSL_TOP/bin/openssl sha1 or* > $HOME/.rnd

3. Create the Server PEM-encoded Private Key file (apache_1024.key)

a. Change to the working directory:

% cd $COMMON_TOP/admin/certs/apache

b. Type the following command to generate your RSA private key (apache_1024.key):

% $OPENSSL_TOP/bin/openssl genrsa -des3 -out apache_1024.key 1024

You will be prompted to enter the PEM pass phrase, which must be at least 4 characters in length. Remember this pass phrase; unlessyou decide to unencrypt your server key using step 4 below, you will be prompted to enter in the next step and each time you start upApache in SSL mode.

4. Optionally, unencrypt the value of the Server PEM-encoded Private Key file

If this is done, you will not be prompted for the PEM pass phrase every time you start up the Oracle HTTP server (Note that if anyone getsthis key they will be able to impersonate you on the net, so consider leaving it encrypted and entering the PEM pass phrase each timeyou start the Oracle HTTP server).

Copy the private key (apache_1024.key) that you created in step 3 above to a backup file (apache_1024.key.bak) then type the followingcommand to invoke the RSA key processing tool:

% $OPENSSL_TOP/bin/openssl rsa -in apache_1024.key.bak -out apache_1024.key

Note on Windows NT/2000 you must perform this step. This limitation will be fixed in Apache 2.0.

5. Edit the default openssl configuration file

Edit the default openssl configuration file, $OPENSSL_CONF, so that it can be used to generate the certificate signing request.

7/16/2014 Document 123718.1


a. Locate the line that reads dir = ./demoCA and modify this line to point to the full directory path where the directory of your key andrequest file are located (the full path to $COMMON_TOP/admin/certs/apache as created in step 1 above).

b. On NT, comment out the lines that set the RANDFILE, oid_file and oid_section variables:

#RANDFILE =$ENV::HOME/.rnd

#oid_file=$ENV::HOME/.oid #oid_section=new_oids

6. Generate the certificate signing request (CSR)

From the working directory, $COMMON_TOP/admin/certs/apache, type the following command to generate your CSR (apache_1024.csr)derived from the private key (apache_1024.key).

% $OPENSSL_TOP/bin/openssl req -config $OPENSSL_CONF -new -key apache_1024.key -outapache_1024.csr

You will be prompted for the following:

a. Enter PEM pass phrase: Enter the pass phrase chosen in step 4.b. Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]: Locality Name (e.g., city) []: Organization Name (e.g., company) [Internet Widgits Pty Ltd]: Organizational Unit Name (e.g., section) []:

c. Common Name (e.g., YOUR name) []: Enter the fully qualified name of your server. For example: orl-sun.oracle.com

d. E-mail Address []: Enter your e-mail address. This is where the certificate will be sent.e. Please enter the following 'extra' attributes: These questions are optional.

Now the working directory contains a private key (apache_1024.key) and a certificate request (apache_1024.csr). Both are text filescontaining encrypted information and can be viewed. The contents of certificate request be used in the next step.

7. Submit your certificate request (CSR) to your certificate authority (CA)

The request process is generally explained in detail by your CA of choice. Go to the web site of your CA to follow their specific process forrequesting a certificate. This document was written based on experience requesting a trial certificate from Verisign.

Go to www.verisign.com, to request a trial certificate. From Verisign's home page, there should be a link for getting a trial certificate (if thisis not obvious, search on "trial certificate").

The Verisign web site will lead you through the steps of requesting your certificate. When asked to submit your CSR, paste the contents ofyour certificate request (apache_1024.csr) beginning with and including

-----BEGIN CERTIFICATE REQUEST-----

and ending with and including

-----END CERTIFICATE REQUEST-----

Click Submit, then enter the additional requested information, including your e-mail address again for the certificate. You should receive thecertificate via e-mail within a couple of hours.

8. Create the Server PEM-encoded Certificate file

Once you have received your certificate, use your e-mail application to save the entire e-mail message to a text file under$COMMON_TOP/admin/certs/apache.

Name the file apache_1024.crt and ensure that it is located under $COMMON_TOP/admin/certs/apache.

It is very important to do this so that you do not corrupt your certificate by cutting and pasting from your e-mail application. In addition, youmust use a text editor, rather than a word processing application for your editions to the resulting text file.

If you have saved your e-mail message to a machine that is not your server, transfer the file over to the server and into the working directory($COMMON_TOP/admin/certs/apache), for example, using ftp in binary mode.

In the working directory, open the file in a text editor and delete all the lines except for the certificate. The certificate consists of all linesbeginning with and including

7/16/2014 Document 123718.1


-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

Once your changes are made, save the file with the name apache_1024.crt.

At this stage, if you are using a global server certificate, you will also have to retrieve the intermediate certificate which should beaccessible via a URL in the e-mail that you receive containing your certificate. Transfer the file over to the server and into the workingdirectory ($COMMON_TOP/admin/certs/apache), for example, using ftp in binary mode.

Save this intermediate certificate in a file named intermediate.crt.

9. Create the file of PEM-encoded Server Certificates (ca.crt)

a. Change directory to the working directory:

% cd $COMMON_TOP/admin/certs/apache

b. Backup the existing file, if any, under $COMMON_TOP/admin/certs/apache/ssl.crt:

% cp $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt.bak

c. Use FTP (in binary mode) to transfer apache_1024.crt to your PC and open it with Internet Explorer.d. On the Certification Path tab click on the first line and then View Certificate. This will open a new window showing the certificate for

the root Certifying Authority (CA).e. Select the Details tab in the new window. Click Copy to File to start the export wizard.f. Click Next to continue.

g. Select Base-64 encoded X.509 (.CER) and click next.h. Enter ca1 as the name and click ok to export the certificate. After the certificate is exported, you can close this window.i. Repeat steps d through h for each line on the Certification Path tab. Incrementing the file name each time by 1, i.e. ca2, ca3.

NOTE:

It is important that you do the lines in order. You will not be able to view the certificate for the last line. In most casesthere will be only 1 certificate for you to view.

j. Close the wizard and IE.k. Use FTP (in binary mode) to transfer the files you created back to the server under $COMMON_TOP/admin/certs/apache.l. On the server under $COMMON_TOP/admin/certs/apache, concatenate the files in reverse order (ca2.cer, ca1.cer) and save as

ca.crt

NOTE:

The first certificate in the file will be for the CA signing the server certificate. The next certificate is for the CAwho issued the first certificate, and so on down to the last certificate which is of the root CA. When there isonly 1 certificate created in step h, it means that the root CA was the one who signed the server certificate.

10. Copy server key and certificate file to final destination

a. Change directory to the working directory:

% cd %COMMON_TOP/admin/certs/apache

b. Copy the certificate file to $COMMON_TOP/admin/certs/ssl.crt with a different file name:

% cp apache_1024.crt %COMMON_TOP/admin/certs/apache/ssl.crt/server.crt

c. Copy the private key file to $COMMON_TOP/admin/certs/ssl.key with a different name:

% cp apache_1024.key %COMMON_TOP/admin/certs/apache/ssl.key/server.key

d. Copy the concatenated PEM-encoded CA Certificate file to $COMMON_TOP/admin/certs/apache/ssl.crt:

% cp $APACHE_TOP/Apache/conf/ssl.crt/ca-bundle.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca-bundle.crt

NOTE: The ca-bundle.crt contains the Root Certificates for Certifying Authorities. You should download and applypatch 5946797 which will update your ca-bundle.crt to the latest version. This will help to avoid issues caused byexpiring certificates.

7/16/2014 Document 123718.1


e. Copy the PEM-encoded Server Certificate Chain file to $COMMON_TOP/admin/certs/apache/ssl.crt

% cp ca.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt

a. If you received the file of global server certificates, copy this file to $COMMON_TOP/admin/certs/apache/ssl.crt

% cp intermediate.crt $COMMON_TOP/admin/certs/apache/ssl.crt/intermediate.crt

Multiple Web Server Nodes

If you have multiple Web Server nodes where each node contains an Oracle HTTP Server, you must request a unique certificate for eachmachine. If you try to use the same certificate on all machines, you will see the following type of error in the ssl_engine_log:

[11/Dec/2000 22:25:48 01283] [warn] Init: (sundial:443) RSA server certificate CommonName (CN) ̀otclnx1.us.oracle.com' does NOT match server name! ?

To use a unique certificate on each machine, perform all of the implementation steps in this chapter for each Web Server node running inHTTPS mode.

Web Server Wallet (Optional)

If you will be connecting to a LDAP server (e.g. OID) from the iAS 1.0.2.2.2 Oracle Home and that LDAP server is SSL enabled you willneed to create a webserver wallet to successfully connect to the LDAP server. Oracle Wallet Manger includes the certificates for the mostcommon CA's every time a new wallet is created. If you are not able to connect to your ldap server after creating this wallet refer to thesection below titled "Working with Unrecognized CA Root Certificate".

a. Navigate the to iAS Oracle Home (cd $IAS_ORACLE_HOME)b. Source the env file.c. Be sure your DISPLAY environment variable is pointing to a valid display.d. cd $IAS_ORACLE_HOME/Apache/Apache/confe. For LINUX only - set the environment variable THREADS_FLAG=native. (export THREADS_FLAG=native)f. Launch Oracle Wallet Manager: owm&

1. Select Wallet > New2. Select No when prompted with the message: "Your default directory doesn't exist. Do you wish to create it now?"3. In the New Wallet dialogue box, create a Wallet Password and click OK. (Make sure you remember this password. You will

be prompted for the password each time you open this wallet with Oracle Wallet Manager).4. Select No when prompted with the message: "A new empty wallet has been created. Do you wish to create a certificate

request at this time?"5. Select Wallet and ensure that the Auto Login checkbox is checked.6. Select Wallet > Save and save the new wallet in $IAS_ORACLE_HOME/Apache/Apache/conf.7. Exit Wallet Manager

You should now see 2 new files: ewallet.der and cwallet.sso

Option 2.2. Certificate Provisioning for Oracle Forms 6i Server

Starting with Forms / Reports 6i patchset 4 the Forms Listener Servlet is introduced as an alternative architecture to theoriginal Forms Listener Server. Running the Forms Listener Servlet, you still have the f60webmx processes, but they are nowmanaged by a servlet rather than a dedicated listener process. All communication between the client PC and the formsserver is routed via the apache port and forms servlet eliminating the need for the additional certificate required by the FormsListener Server architecture. HTTPS Users wishing to use J2SE 1.4.2.x or higher must use the Forms Listener Servlet. SeeAppendix C for more information on the Forms Listener Servlet.

The following steps are necessary only if you are using the Forms Listener Server

Step 2.2.1. Use Wallet Manager to create certificate

In order for the forms server to run in https mode, you must use the Oracle Wallet Manager utility delivered with Developer 6i. Developer 6iis installed in the Oracle 8.0.6 Oracle Home on your application server. All references to ORACLE_HOME in this Part refer to the home forOracle 8.0.6 on the application server.

1. Create a working directory

Create a working directory to hold the Oracle Forms 6i Wallet:

% mkdir $COMMON_TOP/admin/certs/forms

7/16/2014 Document 123718.1


2. Start Wallet Manager

On UNIX, as the oracle user,

a. Change to the directory of ORACLE_HOME of your Oracle 8.0.6 installation

% cd $ORACLE_HOME

b. Source the environment file [sid].env.c. Set the DISPLAY variable to display to the IP address from where you are working. For example:

% export DISPLAY=138. 22.155.16:0.0

where 138.22.155.16 is the IP address of your workstation.

d. For LINUX only - set the environment variable THREADS_FLAG=native. For example:

% export THREADS_FLAG=native

e. Run owm, which is located in $ORACLE_HOME/bin directory of your Oracle 8.0.6 installation.

On Windows NT/2000, run Oracle Wallet Manager using Start > Programs > Oracle for Windows NT > Oracle Wallet Manager

3. Create a new wallet and certificate request (CSR)

NOTE: When you create a new wallet in Wallet Manager, this step of creating a CSR is the only way to enable the function of importing aUser Certificate. (Operations > Import User Certificate). If a CSR has not been generated within a specific wallet, the option to import aUser Certificate will remain disabled. (See comments in Appendix A, Incompatibility of Apache / Oracle Forms 6i Certificateformats).

Follow the steps listed below to create a new wallet and certificate request (CSR):

a. Select Wallet > Newb. Select No when prompted with the message:

"Your default directory doesn't exist. Do you wish to create it now?"

c. In the New Wallet dialogue box, create a Wallet Password and click OK.

Make sure you remember this password. You will be prompted for the password each time you open this wallet with Oracle WalletManager.

d. Select Yes when prompted with the message:

"A new empty wallet has been created. Do you wish to create a certificate request at this time?"

e. Fill out the fields in the Create Certificate Request dialogue box, for example:

Common Name: Fully qualified host name of your server Organizational Unit: Organization: Locality/City: State/Province: Country: Key Size: 512

Note that as discussed in Appendix A (Current Limitations & Considerations), if you are not on Oracle Formsversion 6.0.8.10.3 or higher, the list of values for Key Size will only contain 512 bits.

f. Select OK when prompted with the message:

"A certificate was created. Please submit this to a Certificate Authority or you can use "Export Certificate Request" to export it intoa file."

4. Select Wallet and ensure that the Auto Login checkbox is checked

This ensures that the wallet is open to connect via SSL.

5. Save the new wallet

Select Wallet > Save to save the new wallet.

7/16/2014 Document 123718.1


Save the wallet files to the working directory chosen for the wallet, for example:

% $COMMON_TOP/admin/certs/forms

(Use the value of $COMMON_TOP, rather than the variable.)

Two new files will be created in your wallet directory:

cwallet.sso -- Auto Login is checked; wallet is open ewallet.der -- stores your certificate once imported

6. Submit your certificate request (CSR) to your certificate authority(CA)

Within the Wallet Manager navigator window, highlight the Certificate: [Requested] branch of the Wallet. On the right hand side you willsee your CSR in the Certificate Request window. This is the window you will cut and paste from when prompted by your CA.

The request process is generally explained in detail by your CA of choice. Go to the web site of your CA to follow their specific process forrequesting a certificate. This document was written based on experience requesting a trial certificate from Verisign. The process forrequesting a production certificate is almost identical.

To request a trial certificate go to www.verisign.com. There should be a link for getting a trial certificate (if this is not obvious, search on"trial certificate").

The Verisign web site will lead you through the steps for requesting your certificate. When asked to submit your CSR, paste the contentsof your CSR from Wallet Manager beginning with and including

-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----

Click Submit.

If you have created the certificate request with a 512 bit key size, Verisign will warn you that it has detected a 512 bit key size. Asexplained in Appendix A (Current Limitations & Considerations), the 512 key size is the only option in Release 11i for Forms 6iversion below 6.0.8.10.3.

Click Continue, then enter the additional requested information, including your e-mail address again for the certificate. You should receivethe certificate via e-mail within a couple of hours.

7. Create the certificate file

Once you have received your certificate, use your e-mail application to save the entire e-mail message to a text file. Based on theconvention in this document, name the file forms_[key_size].crt, where [key_size] is the number of bits chosen in Wallet Manager whencreating the certificate request. As an example, forms_1024.crt, if 1024-bit key size was chosen. It is very important to save the messageas a text file so that you do not corrupt your certificate by cutting and pasting from your e-mail application. In addition, you must use a texteditor, rather than a word processing application for your editions to the resulting text file.

If you have saved your e-mail message to a machine that is not your server, transfer the file over to the server and into the working directory($COMMON_TOP/admin/certs/forms) , for example using binary ftp.

In the working directory, open the file in a text editor (for example, vi) and delete all the lines except for the certificate. The certificateconsists of all lines beginning with and including

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

Once your editions are made, save the file, again with the name forms_[key_size].crt, for example, forms_1024.crt.

8. Import your User Certificate into Wallet Manager

Back in Wallet Manager,

a. Operations > Import User Certificateb. Select the radio button for

Select a file that contains the certificate and click OK

7/16/2014 Document 123718.1


c. Enter the full path of your working directory where you have stored your certificate file (forms_[key_size].crt), for example:

/u08/app/oracle/viscomn/admin/certs/forms

(Assuming that COMMON_TOP is /u08/app/oracle/viscomn).

d. Highlight the certificate file (forms_[key_size].crt) and click OK.

e. The bottom status bar of Wallet Manager should display the message

Your certificate has been successfully imported.

f. In the navigator window under Wallet, you can highlight the Certificate: [Ready]

to see the unencrypted values of your certificate.

NOTE: The following error message when attempting to import the User Certificate indicates that you are working with anunrecognized CA root certificate:

User certificate import has failed because the CA certificate doesn't exist. Do you want to import a CA certificate now?

This error occurs when Wallet Manager attempts to import your User Certificate, but does not recognize the digital signature of the CA whoissued this certificate to you. Wallet Manager then offers you the option to import the CA certificate under the "Trusted Certificates" branchof this Wallet, so that it can finish the proper import of your User Certificate. This message will be received when using Trial Certificatesand if you have chosen a Certifying Authority whose root certificate wasn't included as one of the Oracle Wallet Manager default rootcertificates.

At this point, it is best to leave the error message above open on the terminal and continue with the installation of the CA root certificatethat is a pre-requisite of importing the user certificate in Oracle Wallet Manager by following the certificate authority?s instructions toobtain an X.509 format *.cer file (as documented in Section Working with Unrecognized CA Root Certificate / Phase 1 - Webbrowser below) then using it to import the digital certificate of your CA as trusted to successfully finish the import of your User Certificate(as documented in Section Working with Unrecognized CA Root Certificate / Phase 2- Oracle Forms, steps 1c onwards)

The bottom status bar of Wallet Manager should display the message:


You should now be able to highlight Certificate: [Ready] in the navigator window under Wallet to see the unencrypted values of yourcertificate.

2.2.2 Multiple Forms Server nodes

If you have multiple Forms Server nodes, you can request a unique certificate for each node, or you can use the same certificate on all thenodes.

Unique Certificate for each Forms Server node

To use a unique certificate on each machine, perform all of the implementation tasks in Step 2.2.1 for each Forms Server node running inHTTPS mode.

Identical Certificate for all Forms Server nodes

To use the same certificate on all the Forms server nodes, perform all of the procedures in Step 2.2.1 on one of the Forms Servermachines to create a wallet that contains a certificate. Then, copy the wallet file, ewallet.der, to the other Forms Server machines runningin HTTPS mode. Copy the file to the directory specified in the FORMS60_WALLET environment variable. Use this wallet to completeChapter Two on all additional machines. Be sure that Auto Login is set to ON for all machines.

Option 2.3. Certificate Provisioning for XML Publisher or Business Intelligence Publisher

If you are using XML or BI Publisher you will need to install your server certificate into the cacerts file on the Concurrent Manager (CCM)node. This step is necessary whether you are using demo, self-signed, or production certificates.

1. FTP the HTTP server certificate server.crt and ca.crt ( from Option 2.1 step 10) to the CCM node.2. Source your envirorment file.

7/16/2014 Document 123718.1


3. Copy server.crt to the $OA_JRE_TOP directory.4. Change to the $OA_JRE_TOP directory and issue the following commands:

./jre/bin/keytool -import -alias ApacheCA -file ./ca.crt -trustcacerts -v -keystore $OA_JRE_TOP/jre/lib/security/cacerts ./jre/bin/keytool -import -alias ApacheServer -file ./server.crt -trustcacerts -v -keystore $OA_JRE_TOP/jre/lib/security/cacerts

For the password enter -> changeit Trust this certificate? -> Yes

5. Bounce the CCM node for the change to the cacerts file to take effect.

Option 2.4. Certificate Provisioning for Oracle Database Server

Oracle products such as Oracle Configurator, Order Management, iStore, Order Capture, Quoting, iPayment, iStore, and Pricing rely onthe Oracle Wallet to establish a successful connection in SSL mode from the Database tier. This section contains instructions for the SSLSet-up for Oracle Database Server using the Oracle Wallet Manager.

Use Wallet Manager to create the wallet on the database server

E-Business Suite 11i10 customers using the Oracle Configurator batch validation feature (Order Management, iStore, Order Capture andQuoting) as well as all E-Business Suite 11i customers using iPayment (since 11i9) and Pricing need to create a wallet on the databasetier containing the certificate for the Certifying Authority (CA) who signed the Middle Tier's server certificate and have auto login enabled.

This section contains instructions to modify configuration files and profiles that may be maintained by the AutoConfig infrastructure.

(Note: MetaLink Note 165195.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) explains how to determine if youare AutoConfig enabled).

1. Apply any pre-requisite patches

If your E-Business Suite system is 11.5.9 or below and you are using AutoConfig to manage your system, apply the Techstack AdvancedUtilities patch (bug ref 2864765) and any pre-requisite patches.

If your E-Business Suite system is 11.5.9 or below and you are not using AutoConfig, you will need to apply the patch for bug ref 3797160and any pre-requisite patches.

These patches are shipped with 11.5.10.

PatchNo

Description Comments

3797160 Provides new profile definition forFND_DB_WALLET_DIR

for non AutoConfig-enabled

2864765 Advanced Utilities Patch for AutoConfig-enabled

2. Create a wallet directory on the database tier

Log on to the database tier as the user that owns the oracle files

Source the environment on the database tier.

Create a directory under $ORACLE_HOME/appsutil to hold the new wallet using the following command:

% $ORACLE_HOME/appsutil/wallet

3. Start Wallet Manager

On UNIX, as the oracle user on the database-tier node,

a. Change to the wallet directory that you have just created.

% cd $ORACLE_HOME/appsutil/wallet

b. Ensure that your environment is correctly sourced.c. Set the DISPLAY variable to display to the IP address from where you are working. For example:

% export DISPLAY=138. 22.155.16:0.0



https://updates.oracle.com/download/2864765.html




7/16/2014 Document 123718.1


d. For LINUX only - set the environment variable THREADS_FLAG=native. For example:

% export THREADS_FLAG=native

e. Run owm, which is located under the $ORACLE_HOME/bin directory of the Database tier. For example:

% $ORACLE_HOME/bin/owm &

f. On Windows NT/2000, run Oracle Wallet Manager using Start > Programs > Oracle for Windows NT > Oracle Wallet Manager

or Start > Programs > Oracle for Windows NT > Integrated Management Tools > Wallet Manager.

4. Create a new wallet

a. On the Oracle Wallet Manger Menu:

Navigate to Wallet -> New.

b. Select No when prompted with the message:

"Your default directory doesn't exist. Do you wish to create it now?"

c. In the New Wallet dialogue box, create a Wallet Password and click OK.

Make sure you remember this password. You will be prompted for the password each time you open this wallet withOracle Wallet Manager.

d. Select No when prompted with the message:

"A new empty wallet has been created. Do you wish to create a certificate request at this time?"

Oracle Wallet Manger includes the certificates for the most common CA's every time a new wallet is created. If the CA who signed yourserver certificate is not in the default listing follow these instructions to include CA Certificates:

a. Access your web page.b. Double-click on the padlock at the bottom of the page to view the Certificates.

NOTE:

if there is no padlock, then on the top toolbar select File->Properties->Certificates

c. Click on the Certification Path Tab.d. For each certificate listed:

Click View Certificate

Click Details Tab

Click Copy to File - follow directions and export in the Base 64 encoded X.509 (.CER) format.

e. FTP these files in binary mode to the db tier and import into your wallet.

5. Be sure the AutoLogin feature is checked.

When the AutoLogin feature is checked the wallet can be accessed by OS processes (i.e. sqlplus) that are owned by the same owner whocreated the wallet. To open the wallet using Oracle Wallet Manager a password will still be required.

NOTE: On Windows NT/2000, the wallet files must be generated and owned by the same user that starts up both theDatabase and Listener services.

6. Save the wallet

Save the wallet in $ORACLE_HOME/appsutil/wallet and exit Wallet Manager.

Continue with the configuration

After completing the above steps successfully, proceed to one of the following chapters to complete the configuration:

If you are using AutoConfig to manage your system, proceed to Chapter 3.3 - Configuring SSL for AutoConfig-enabled System

7/16/2014 Document 123718.1


/ Configuring SSL with Oracle Database Server for AutoConfig-enabled environment.

If you are not using AutoConfig to manage your system, proceed to Chapter 4.3 - Configuring SSL for non AutoConfig-enabledSystem / Configuring SSL with Oracle Database Server for non AutoConfig-enabled environment.

Working with Unrecognized CA Root Certificate

Your certificate is digitally signed by your CA. If your browser & JInitiator recognize the CA's signature, they will accept the securecommunication. For practical purposes, you can think of the CA's digital signature as the CA root certificate. A particular CA can havemore than one digital signature or CA root certificate. For example, Verisign's trial certificates are digitally signed differently than theirpermanent certificates. In other words the CA root for Verisign's trial certificates is different from the CA root for Verisign's permanentcertificates.

Note: This Section is only necessary if you have created a Verisign Trial certificate or you are otherwise using a certificate authority rootthat is not already contained in the database of trusted CA roots in your browser or in JInitiator. For permanent certificates with the mostrecognized CA's, no client side steps are necessary. These steps will be necessary if you were prompted " Do you want to import a CAcertificate now?" when importing your user certificate into the Oracle Wallet Manager.

Phase 1 - Web Browsers

Typically your CA will give you instructions for installing the necessary CA root in your browser, if it is not commonly contained in MSInternet Explorer's (MSIE's) or Netscape's seeded database of trusted CA root certificates. This document was written based onexperience using a trial certificate from Verisign, which required that the trial CA root be installed in each browser and JInitiator.

In the e-mail that is received from Verisign, it will specify that you must install the Test CA Root in each browser you plan to use as part ofyour test of SSL Trial SSL Server ID. The URL from which to complete this step will be given in e-mail.

Currently you must use MS Internet Explorer (MSIE) in order to complete the task of installing a trial or non-recognized CA root certificatefor JInitiator. This is because Netscape does not have the ability of exporting trusted CA Root certificates. Therefore, if your preferredbrowser is Netscape, you will need to install the CA root into Netscape as your preferred browser and also into MSIE for the purpose ofexporting the CA root certificate in the format needed by JInitiator.

1. Install in the browser

Using your browser, go to the URL that your CA instructs for installing it's root certificate. For Verisign, the page describes how to installthe Test CA Root for either browser Netscape or MSIE. Typically the CA will have a link that you click to install the CA root in yourbrowser. Follow the instructions for the browser you are currently using. The install may go very smoothly but if not, see the step below forthe specific browser you are currently working with.

a. Netscape

Currently Netscape only allows you to view, install or delete trusted CA root certificates.

When installing the CA root from the CA's web site, you should have no trouble in just clicking on the linkinstructed by your CA. Netscape's New Certificate Authority Wizard will spawn and lead you through theprocess. When asked for the purpose of accepting this CA, select the option for Certifying Network Sites.

- You can give it a friendly name, for example, "Verisign Test CA Root"

To view the trusted CA roots in the Netscape's database, select Tools > Security Info. In the navigator treeunder Certificates, select Signers. The list of trusted CA root certificates appears in the window.

b. Microsoft Internet Explorer (MSIE)

MSIE allows you to view, import, export and delete trusted CA root certificates.

When installing the CA root from the CA's web site (eg http://www.verisign.com/server/trial/faq/index.html), youmay see a File Download dialogue box when you click on the link instructed by your CA. Go ahead and saveto a file with the following specifications:

File name: CA_root Save as type: All Files (*.*)

To work with trusted CA roots in the MSIE database, select Tools > Internet Options. Click Content tab. In theCertificates block, click the Certificates button, then Click the Trusted Root Certification Authorities. This is theMSIE Certificate Manager. From here you can import the file you saved as CA_root into the database.

Click the import button to allow the Certificate Manager Import Wizard to lead you through selecting the file you

7/16/2014 Document 123718.1


saved from the CA web site (CA_root) for import.

This process, documented in full, is as follows:

From Microsoft Internet Explorer 5.0:

Click on the Accept Button at the top of the page to accept the conditions of useA Dialog Box will appear that says "You have chosen to download a file from this location: "getcacertfrom digitalid.verisign.com" Click the option that says "Save this file to Disk." Click OKSelect the location of the file, leave name and file type to defaultPrompt will appear: Download Complete, click Close.Open IE 5.0 BrowserGo to Tools/Internet Options/ Content/ Certificates (trusted root authorities tab)/ ImportCertificate Manager Import Wizard: click NextBrowse to the location of the recently stored root (done in step 3), select ALL files for file type.Select "getcacert" and click openClick NextSelect "place all certificates in the following store" optionHighlight "Trusted Root Certification Authorities" and click OKClick NextClick FinishUser will be prompted and asked if they wish to add the following certificate to the root store, click Yes.To Verify the installation of the "Intermediate Root CA" into your browser, go into:Go to Tools/Internet Options/ Content/ Certificates (trusted root authorities tab) It should read as "ForVeriSign Authorized Testing Only".

2. Export the certificate for use with Oracle Forms components

Now that you have the CA root certificate installed in MSIE, you can export it in a format that is recognized by Wallet Manager & JInitiator.

In MSIE,

Select Open the Certificate Manager, then Tools > Internet OptionsClick on the Content tabClick on the Certificates button in the Certificates blockClick on the Trusted Root Certification Authorities tabHighlight the entry for your CA's root certificateClick on the export button to allow the Certificate Manager Export Wizard to lead you through theexport.Select Base64 encoded X.509(.CER) as the format you want to exportUse the browse tab to select an appropriate directory to save the file with an extension of .cer as itsname. root for example, CA_root.cerTransfer the CA_root.cer file over to the server and into the working directory($COMMON_TOP/admin/certs/forms), for example using ftp.

The Base64 encoded CA root certificate will be used in the following Part for Wallet Manager.

Phase 2 - Oracle Forms

The Wallet Manager error message:


received when importing your user certificate in Section 2.2.1 (Certificate Provisioning for Oracle Forms 6i Server - Use WalletManager to create certificate) above indicates that the user certificate is a trial certificate or that you are using a certificate for which thesignature is not already contained in Wallet Manager's database of trusted CA root certificates. If you did not complete the steps inSection 2.2.1, you must do so now. Once these steps are complete, continue the steps below to successfully complete the import ofyour user certificate into Wallet Manager.

1. Import CA root certificate into Wallet Manager's database

If you have exited Wallet Manager since attempting Section 2.2.1 (Certificate Provisioning for Oracle Forms 6i Server- Use WalletManager to create certificate) above, you will need to start up Wallet Manager again and open the wallet which you saved earlier:

a. Start Wallet Manager.

On UNIX, as the oracle user, change to the directory of your Oracle 8.0.6 $ORACLE_HOME and source the

7/16/2014 Document 123718.1


environment file [sid].env. Set the UNIX environment variable DISPLAY for Wallet Manager to display to the IPaddress from where you are working. For example:

$ export DISPLAY=138.22.155.16:0.0


Run owm, which is located in the 8.0.6 $ORACLE_HOME/bin directory.

On Windows NT/2000, run Oracle Wallet Manager using Start > Programs > Oracle for Windows NT > OracleWallet Manager

b. Open the wallet you saved in Section 2.2.1, Step 4.

Select Wallet > Open

Select Yes when prompted with the message:

"Your default directory doesn't exist. Do you wish to continue?"

In the Select A Directory dialogue box, navigate to the directory name you chose for your wallet, for example:

$COMMON_TOP/admin/certs/forms


In the Open Wallet dialogue box, enter your wallet password and click OK.

c. Attempt to import your user certificate into this wallet again.

Operations > Import User Certificate

Select the radio button for

Select a file that contains the certificate and click OK.

Enter the full path of your working directory where you have stored your certificate (forms_[key_size].crt), forexample:

$COMMON_TOP/admin/certs/forms


Highlight the certificate file (forms_[key_size].crt) and click OK.

Answer yes to Wallet Manager's question:


Select the option:

Select a file that contains the certificate

Enter the path and filename for the CA root certificate, for example:

$COMMON_TOP/admin/certs/forms/CA_root.cer


Click OK to finish the import of the CA root certificate as well as your user certificate.

The bottom status bar of Wallet Manager should display the message:


In the navigator window under Wallet, you can highlight Certificate: [Ready] to see the unencrypted values ofyour certificate.

2. Update JInitiator's CA root certificate database

Now you must inform JInitiator on the client that there is a new CA root certificate that it should consider as trusted. Follow the steps

7/16/2014 Document 123718.1


below to complete this task:

a. Select Operations > Export All Trusted Certificatesb. Select your working directory on the server ($COMMON_TOP/admin/certs/forms)

Specify the file name JInit_certdb.txt

Click OK.

c. Exit Wallet Managerd. Transfer the file from the server over to the client PC that has JInitiator installed, using binary mode ftp. Even though it is an ASCII

file, it is very important that the file be transferred in binary mode for JInitiator to be able to read it properly.e. On the client PC, backup certdb.txt file for the version of Jinitiator that is being invoked.

For example:

c:\Program Files\Oracle\JInitiator 1.1.8.16\lib\security\certdb.txt

f. Copy the new database file, JInit_certdb.txt into this directory with the file name certdb.txt.

Now JInitiator will recognize your CA root certificate as trusted. This must be done for every client PC. For more information see MetalinkNote 147836.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=147836.1) .

3. Continue with the configuration

If you are using AutoConfig to manage your system, proceed to Section 3.2. Configuring SSL with Oracle Forms 6i Server forAutoConfig-enabled environmentIf you are not using AutoConfig to manage your system, proceed to Section 4.2. Configuring SSL with Oracle Forms 6i Serverfor non AutoConfig-enabled environment.

Chapter 3. Configuring SSL for AutoConfig-enabled System

This section contains instructions to modify configuration files and profiles of systems that are managed by AutoConfig. If you are notusing AutoConfig to manage your system, you must follow the instructions described in Chapter 4. Configuring SSL for nonAutoConfig-enabled System.

Common Configuration StepsOption 3.1 . Configuring SSL with Oracle HTTP ServerOption 3.2 . Configuring SSL with Oracle Forms 6i ServerOption 3.3 . Configuring SSL with Oracle Database Server

Common Configuration Steps

The following instructions frequently reference the objects described below. Please set appropriate values for these variables in theenvironment that you are working in.

Variable Value






Option 3.1 Configuring SSL with Oracle HTTP Server


7/16/2014 Document 123718.1


Prerequisite

A prerequisite of implementing SSL with Oracle HTTP server is to successfully set-up Apache as the single web listener for the Release11i Applications instance. Although this single listener configuration is the default in 11i.2 and later Rapid installs, maintenance packs donot update the web server configuration. If installation of Oracle Applications Release 11i was originally done using version 11i.1 of Rapidinstall, then administrators will have to configure Apache as the single web listener for the implementation regardless of the currentmaintenance pack level. Manual configuration can be performed using the steps in sections I through IV of the 119873.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=119873.1) Apache Single Listener Configuration for Applications 11.5.1.(Section V of this note contains basic information on the Apache portion of SSL implementation).

Step 3.1.1. Configuring SSL with Oracle HTTP Server using Configuration Wizards

The configuration of SSL with the Oracle HTTP server can be performed by using the Configuration Wizards utility. This utility is availableas a command-line interface and also from OAM. This utility is shipped with the E-Business Suite Release 11.5.10.

If you are using 11.5.9 or lower and would like to use this utility, apply the following prerequisite patches to all Web, Forms, andConcurrent Processing nodes:

PatchNo


3258830 OAMPatchset H

About Oracle Applications Manager Mini-pack 11i.OAM.H(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=258330.1) - Note258330.1

2864765 AdvancedUtilitiesPatch

Running Configuration Wizards from the Command Line in OracleApplications 11i (http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=277574.1) - Note 277574.1

The Configuration Wizards utility automates the configuration process described in this section. The utility is available as a command-lineinterface and also from the Oracle Applications Manager (OAM). For additional information on the usage of this utility, please refer to thefollowing documents:

1. Oracle MetaLink Note 277574.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=277574.1) - "RunningConfiguration Wizards from the Command Line in Oracle Applications 11i"

2. OAM On-line Help: Help -> Oracle Applications Manager -> System Configuration -> AutoConfig -> Configuration Wizards

After completing the configuration of SSL with Oracle HTTP server using the Configuration wizards utility, run AutoConfig asdescribed in MetaLink Note 165195.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) .

Step 3.1.2. Testing

You should now proceed to Chapter 5.1 - Verifying SSL Set-up for Oracle HTTP Server to test the Applications sign-on process.

No more steps are required in the current section 3.1.

Step 3.1.3. Configuring SSL with Oracle HTTP Server

You can skip this step if you already used the Configuration Wizards to configure SSL with Oracle HTTP server as described in step 3.1.1.

If your E-Business Suite 11i instance is managed by AutoConfig, run AutoConfig as described in MetaLink Note 165195.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) or in the AD utilities manual after ensuring that the latestAutoConfig Template Rollup Patch (TXK (FND) Patch O:5478710) has been applied and that the following parameters are correctly set inyour context xml file:

a. set the %s_url_protocol variable to httpsb. set the %s_local_url_protocol variable to httpsc. set the %s_webentryurlprotocol variable to httpsd. set the %s_frmConnectMode variable to httpse. set the %s_webssl_port variable to the Apache SSL port requiredf. set the %s_active_webport variable to the same value as that for the %s_webssl_port variable

g. set the %s_webport variable to the same value as that for the %s_webssl_port variable Note: prior to TXK (FND) AutoConfig Template Rollup Patch F (3104607 December 2003) this value was set to the non-sslApache Port.

h. set the %s_web_ssl_directory variable to point to the full directory path of the directory that is to contain the .crt and .key files thatyou are using for Apache eg <$COMMON_TOP>/admin/certs/apache









7/16/2014 Document 123718.1


i. set %s_apps_portal_url variable to httpsj. run AutoConfig as described in MetaLink Note 165195.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1)

k. If Single Sign-On is enabled:1. Run $OAD_TOP/admin/install/<context-name>/ssodatan.sh apps <apps-passwd>2. Re-register the partner application.

Using a SSL Accelerator (Optional)

If either of the following conditions are true:

Your HTTP load-balancer also acts as a SSL AcceleratorYou use an SSL Accelerator as your Primary Web Entry point which is the initial target of interfacing client communication

Then you must complete the following steps:

1. Set the %s_webentryhost variable to the SSL Accelerator hostname.2. Set the %s_webentrydomain variable to the SSL Accelerator domain name3. Set the %s_webentryurlprotocol variable to "https".4. Set the %s_active_webport variable to the value of the SSL Accelerator's external interfacing port.5. Set the %s_webssl_port variable to the same value as the "Active Web Port".6. Set the %s_login_page variable to "https://<'Web Host entry point'>.<'Web domain entry point'>:<'Active Web Port'>"

Step 3.1.4. Testing

You should now proceed to Chapter 5.1 - Verifying SSL Set-up for Oracle HTTP Server to test the Applications sign-on process.

Option 3.2 Configuring SSL with Oracle Forms 6i Server

Step 3.2.1. Configuring SSL with Oracle Forms 6i Server

This section contains instructions to modify configuration files and profiles that may be maintained by the AutoConfig infrastructure. Pleasenote that in order to configure SSL with the Oracle Forms 6i Server you must have already configured SSL for the Oracle HTTP Server..

NOTE: This step is not necessary if you are using the Forms Listener Servlet architecture.

If you are AutoConfig enabled, run AutoConfig as described in MetaLink Note 165195.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) or in the 11i AD Utilities Manual after ensuring that the variablesthat enable forms to connect in https mode are correctly set in your context xml file.

Note that if you are using version 11.5.7 or earlier of the context xml files and autoconfig, you will require a patch to access these variablesas described in bug ref 2340379 (http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:2340379)

Step 3.2.2. Testing

You should now proceed to Option 5.2 - Verifying SSL Set-up for Oracle Forms 6i Server to test the Forms startup and Applicationssign-on process.

Option 3.3 Configuring SSL with Oracle Database Server

Step 3.3.1. Required Patches and Prerequisite Steps

If your E-Business Suite system is 11.5.9 or below and you are using AutoConfig to manage your system, apply the following prerequisitepatches to all Web, Forms, Admin, and Concurrent Processing nodes. The following patches are shipped with the E-Business SuiteRelease 11.5.10.

Patch No Description Comments

2864765 Advanced Utilities Patch for AutoConfig-enabled

Before proceeding with the configuration, you must also have completed Chapter 2, Option 2.3 - Certificate Provisioning for OracleDatabase Server to create the necessary wallet files.

Step 3.3.2. Configuring SSL with Oracle Database Server



http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:2340379


7/16/2014 Document 123718.1


Update the Database Wallet Directory profile option using AutoConfig

Perform the steps listed below to update the Database Wallet Directory profile option value. Note that the Techstack Advanced UtilitiesPatch Rollup A (bug ref 2864765) and any pre-requisite patches must have been applied as required in step 3.3.1.

a. Follow Oracle MetaLink Note 165195.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) to copy AutoConfigto the RDBMS ORACLE_HOME under the section titled "Section 5: Maintaining System Configurations".

b. Run AutoConfig on the database-tier node as per Oracle MetaLink Note 165195.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) .

Step 3.3.3. Testing

You should now proceed to Chapter 5.3 - Verifying SSL Set-up for Oracle Database Server to test the wallet set-up.

Chapter 4. Configuring SSL for non AutoConfig-enabled System

If you are not using AutoConfig to manage your system, please proceed with the manual steps described in this chapter. If you are usingAutoConfig to manage your system, you must follow the instructions described in Chapter 3. Configuring SSL for AutoConfig-enabledSystem.

Common Configuration StepsOption 4.1 . Configuring SSL with Oracle HTTP ServerOption 4.2 . Configuring SSL with Oracle Forms 6i ServerOption 4.3 . Configuring SSL with Oracle Database ServerAdditional Configuration Steps

Common Configuration Steps

The following instructions frequently reference the objects described below. Please set appropriate values for these variables in theenvironment that you are working in.

Variable Value






Option 4.1 Configuring SSL with Oracle HTTP Server

Prerequisite

A prerequisite of implementing SSL with Oracle HTTP server is to successfully set-up Apache as the single web listener for the Release11i Applications instance. Although this single listener configuration is the default in 11i.2 and later Rapid installs, maintenance packs donot update the web server configuration. If installation of Oracle Applications Release 11i was originally done using version 11i.1 of Rapidinstall, then administrators will have to configure Apache as the single web listener for the implementation regardless of the currentmaintenance pack level. Manual configuration can be performed using the steps in sections I through IV of the 119873.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=119873.1) Apache Single Listener Configuration for Applications 11.5.1.(Section V of this note contains basic information on the Apache portion of SSL implementation).

Step 4.1.1. Configuring SSL with Oracle HTTP Server




7/16/2014 Document 123718.1


This section contains manual instructions for configuring SSL with Oracle HTTP Server for non AutoConfig-enabled systems.

Determine which configuration file Apache is currently using

By default, E-Business Suite installations that were created using Rapid Install 11i.1 through 11i.5 originally installed Oracle HTTP Server1.3.9 from iAS 1.0.0. In these environments on unix, either the httpds or the httpd executable may be used. To determine which of these isin use, open the file $APACHE_TOP/Apache/bin/apachectl and check the parameter HTTPD. If HTTPD is pointing to the httpdsexecutable, then httpds.conf is being used as the configuration file, if HTTPD is pointing to the httpd executable, then httpd.conf is beingused.

E-Business Suite installations created with Rapid Install 11i.7 and higher versions use the Oracle HTTP Server 1.3.19 from iAS 1.0.2.2.This uses the httpd executable for both SSL and normal http which is based on the parameters that are set in the httpd.conf configurationfile. For these versions, the script httpdsctl is the standard script for starting Apache in SSL mode.

Windows NT/2000 does not use the apachectl file. On these platforms, Apache is implemented through use of services. By default theapache service points to the httpd.conf file during startup. This is defined in an Oracle Applications environment through use of theadsvapc.cmd file in the admin\install directory in the Oracle Applications common top directory tree. If you are not sure which configurationfile Apache is currently using, open the adsvapc.cmd file and check the value of the -f variable in the call to invoke Apache.exe.

Backup the current configuration file (either httpd.conf or httpds.conf) before making any changes

You should back up the current configuration file: httpd.conf or httpds.conf before making any changes:

$ cd $APACHE_TOP/Apache/conf $ cp httpd.conf httpd.conf.BAK

or

$ cp httpds.conf httpds.conf.BAK

Edit the SSL directives for Apache in your environment's configuration file

Decide on the port that you want Apache to use for SSL communication.

The standard port for SSL communication is 443, but it need only be a free port on your server. Keep in mind that on UNIX, if you havechosen port 443 (or any port under 1024) for your SSL port, you will have to start Apache as root, otherwise you should connect as theoracle user.

Assuming that COMMON_TOP is /u08/app/oracle/viscomn.

Open httpds.conf in an editor.

a. Find the main section:

### Section 2: 'Main' server configuration

Find the subsection:

## SSL Support

Ensure the <IfDefine SSL> block reflects your original non-SSL port for the first Listen directive and the chosen SSL port forthe second Listen directive.

For example:

<IfDefine SSL> Listen 8800 Listen 443 </IfDefine>

b. Find the main section:

### Section 3: Virtual Hosts

Ignore the first (commented out) reference to VirtualHost _default_:, but change the second reference to ensure your truechoice for the SSL port is reflected in the line beneath the SSL Virtual Host Context Section:

<VirtualHost _default_:443>

7/16/2014 Document 123718.1


Find the subsection:

## SSL Virtual Host Context

Find and edit the DocumentRoot directive to point to your portal. For example (note the trailing slash):

DocumentRoot "/u08/app/oracle/viscomn/portal/"

Find and edit the SSLCertificateFile directive to point to your server certificate (server.crt). For example:

SSLCertificateFile /u08/app/oracle/viscomn/admin/certs/apache/ssl.crt/server.crt

Find and edit the SSLCertificateKeyFile directive to point to your private key (server.key). For example:

SSLCertificateKeyFile /u08/app/oracle/viscomn/admin/certs/apache/ssl.key/server.key

If you are using global server certificates, find and edit the SSLCertificateChainFile directive to point to your intermediatecertificate (intermediate.crt). For example:

SSLCertificateChainFile /u08/app/oracle/viscomn/admin/certs/apache/ssl.crt/intermediate.crt

If you are not using global server certificates, and you previously created the file of PEM-encoded Server Certificates (ca.crt),find and edit the SSLCertificateChainFile directive to point to your file of PEM-encoded Server Certificates (ca.crt). Forexample:

SSLCertificateChainFile /u08/app/oracle/viscomn/admin/certs/apache/ssl.crt/ca.crt

On NT, if you are using an earlier version of Oracle Applications than 11i.4, you will also need to change the line that definesSSLMutex file:<APACHE dir>\Apache\logs\ssl_mutex to read

SSLMutex sem

Save and close the file httpds.conf

Modify the Apache service to start up in SSL mode

On UNIX, to start Apache in SSL mode, the Apache control script (adapcctl.sh) in $COMMON_TOP/admin/scripts should be altered toinvoke the httpdsctl script instead of the default apachectl script. Before this change can be made, it is necessary to customize and testthe httpdsctl script as follows:

a. Backup the httpdsctl file before making any changes:

$ cd $APACHE_TOP/Apache/bin $ cp httpdsctl httpdsctl.BAK

b. Transfer the Oracle-specific environment that is set-up in the apachectl script to the httpdsctl script.

The configuration section begins with the line:

# |||||||||||||||||||| START CONFIGURATION SECTION||||||||||||||||||||

and ends with the line:

# |||||||||||||||||||| END CONFIGURATION SECTION||||||||||||||||||||

Many of the lines in the configuration section can be copied from apachectl to httpdsctl, but there are alsovariables in this section that must be defined differently between starting in SSL vs. NonSSL mode, such asthe variables PIDFILE (which should point to httpds.pid in the $APACHE_TOP/Apache/logs directory) andHTTPD (which should point to httpds in the $APACHE_TOP/Apache/bin directory, thus invoking the settings inthe httpds.conf file).

(Note that if you are on 11i.1 and have manually converted to using Apache as the single listener, this will looka bit different to a fresh install of 11i.2 or higher).

In 11i.1, by following Note 119873.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=119873.1)

Apache Single Listener Configuration for Applications 11.5.1, you will have added lines to set and to export the


7/16/2014 Document 123718.1


following Oracle-specific variables:

ORACLE_HOME LD_LIBRARY_PATH SHLIB_PATH LIBPATH WV_GATEWAY_CFG NLS_LANG

And also for 11i.1, by following the instructions in Note 119873.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=119873.1) , the value for ulimit will have beenaltered as follows:

# Self-Service Applications often need more file handles ulimit -n 1024

ulimit

In 11i.2, apachectl will typically have only the following Oracle-specific environment variables:

ORACLE_HOME LD_LIBRARY_PATH or SHLIB_PATH or LIBPATH (platform dependent) WV_GATEWAY_CFG

The important thing is to set and export the Oracle-specific variables in httpdsctl that you know to be workingin apachectl.

c. Save the changes that you have made to the httpdsctl script.

Once you have transferred the necessary environment settings from apachectl to httpdsctl and checked yourwork carefully, save and close the file httpdsctl

d. Test the changes that you have made to the httpdsctl script file

(Note that if you are using a trial certificate or a non-recognized CA root certificate you will need to completethe steps in Section Working with Unrecognized CA Root Certificate / Phase 1 - Web browser beforeperforming this step).

Use the httpdsctl script to start Apache in SSL mode as follows:

$APACHE_TOP/Apache/bin/httpdsctl startssl

If your server key is encrypted, you will be prompted for the PEM pass phrase that you chose when creatingyour server's private key. Also, if you have chosen the default port 443 (or any other port number less than1024) for your SSL port, you will have to start Apache as root.

Make sure that Apache can startup successfully before continuing. Ensure that there are spawned processesfor Apache through use of the command ps -ef | grep util and that you successfully get an SSL

connection to the default Apache banner screen using https:/<host.domain>:<SSL_port> where<host.domain> is the fully qualified name of the machine running Apache and <SSL_port> is the SSL portnumber defined in httpds.conf.

e. Replace the call to apachectl with a call to httpdsctl in the control script that starts the Apache server.

First, make a backup of $SCRIPT_TOP/adapcctl.sh

$ cd $SCRIPT_TOP $ cp adapcctl.sh adapcctl.sh.BAK

Then, edit the file adapcctl.sh in $COMMON_TOP/admin/scripts as follows:

Find the line :

[YOUR_COMMON_TOP]/util/apache/1.3. 9/Apache/Apache/bin/apachectl start

Change "apachectl start" to "httpdsctl startssl", for example:

[YOUR_COMMON_TOP]/util/apache/1.3. 9/Apache/Apache/bin/httpdsctl startssl

Find the line :

[YOUR_COMMON_TOP]/util/apache/1.3. 9/Apache/Apache/bin/apachectl stop


7/16/2014 Document 123718.1


Change "apachectl stop" to "httpdsctl stop", for example:

[YOUR_COMMON_TOP]/util/apache/1.3. 9/Apache/Apache/bin/httpdsctl stop

Save and close the file adapcctl.sh

On Windows NT/2000, the Apache service should be configured to use SSL through use of the adsvapc.cmdfile that is shipped with Oracle Applications in the admin\install directory in the Oracle Applications commontop directory tree. Follow the instructions below to change the Apache service to run in SSL mode:

f. Make a backup of the adsvapc.cmd file in your <CommonTopMountPoint>\admin\install directory

g. Edit the adsvapc.cmd file as follows to use the httpds.conf file and the SSL definitions contained within it:

Change:

e:\oracle\prodcomn\util\OamkSvc.exe -si "Oracle Apache Server PROD" -e-a -c "e:\oracle\prodora\iAS\Apache\Apache\Apache.exe -fe:\oracle\prodora\iAS\Apache\Apache\conf\httpd.conf"

to

e:\oracle\prodcomn\util\OamkSvc.exe -si "Oracle Apache Server PROD" -e-a -c "e:\oracle\prodora\iAS\Apache\Apache\Apache.exe -D SSL -fe:\oracle\prodora\iAS\Apache\Apache\conf\httpds.conf"

h. Deinstall the existing Apache service.

From a non-sourced command window with the PATH variable unset (eg PATH set to null) run:

adsvapc.cmd -deinstall

(You may get an exiting with status 1 the first time this is run. Rerun it a second time and it should exit withstatus 0.)

i. Install the modified Apache service.

In the same command window run:

adsvapc.cmd

This should recreate the service with reference to httpds and will also use the SSL portions of that file.

(Note that if you are using a trial certificate or a non-recognized CA root certificate you will need to completethe steps in Section Working with Unrecognized CA Root Certificate / Phase 1 - Web browser beforetesting your work.

Step 4.1.1. Testing

You should now proceed to Chapter 5.1 - Verifying SSL Set-up for Oracle HTTP Server to test the Applications sign-on process.Once the test result was verified, you must also complete step 4.1.2 below.

Step 4.1.2. Additional Configuration Steps

Once you have determined that the Oracle HTTP server can run in SSL mode and connections to Core Forms and Self-Service WebApplications is successful, you should now proceed to Option 4.4 - Additional Configuration Steps to complete the manualconfiguration.

Option 4.2 Configuring SSL with Oracle Forms 6i Server

If you are not using AutoConfig to manage your system, please proceed with the manual steps described in this section to complete theconfiguration of SSL with Oracle Forms 6i Server.

Set the following SSL environment variables for Developer 6i Forms server by defining them somewhere below the setting of theORACLE_HOME variable in the environment file for your 8.0.6 Oracle Home: $ORACLE_HOME/[sid].env

On Windows NT/2000 platforms, these variables should also be set in the registry under \HK_LOCAL_MACHINE\SOFTWARE\ORACLEusing the regedit or regedt32 command.

7/16/2014 Document 123718.1


Variable Value

FORMS60_WALLETspecifies the directory created for your wallet that holds thecertificate used on the server.

For example: $COMMON_TOP/admin/certs/forms

FORMS60_HTTPS_NEGOTIATE_DOWN specifies whether to allow the Forms Server to negotiate encryptiondown to the highest level supported by the client (TRUE) or toensure that all encryption occurs at the level at which it is running(FALSE). This should be set to TRUE.

Step 4.2.1 Configuring SSL with Oracle Forms 6i Server

Edit the FORMS60_WEB_CONFIG_FILE (appsweb.cfg)

The FORMS60_WEB_CONFIG_FILE variable is defined in your $APACHE_TOP/Apache/conf/apps.conf file for Apache to use during theinitial connection in order to spawn a forms session. It is defined for Release 11i Apps to be $OA_HTML/bin/appsweb.cfg. This file must beedited to allow forms sessions in https mode.

a. Make a backup of the appsweb.cfg file in the Oracle Applications HTML bin ($OA_HTML/bin) directory treeb. Edit appsweb.cfgc. Find the connectMode parameter in the section:

; Forms Client-Server Communication Mode: socket, http, or https

d. Set the connectMode parameter to be https. For example:

connectMode=https

e. Save and close the file appsweb.cfg

Note that this file should always be kept in sync with the version at $FND_TOP/resource/appsweb.cfg. Be sure any changes you make arereflected in both locations.

Amend the forms server process to startup in https mode

In order for the forms server process to startup in https mode on UNIX, you must edit your forms server control script (adfractl.sh,adfroctl.sh or adfrmctl.sh) under $SCRIPT_TOP directory. If you originally did an install of 11i.1, you may be using either adfractl.sh oradfroctl.sh. If your original install was of 11i.2 or above, you are probably using adfrmctl.sh

a. Make a backup of the forms startup script file in use ($SCRIPT_TOP/adfractl.sh, adfroctl.sh or adfrmctl.sh)

For example, where <script_name> is the name of the forms startup script in use:

$ cp $SCRIPT_TOP/<script_name> $SCRIPT_TOP/<script_name.BAK>

b. Edit the and change the command that invokes f60ctl to use mode https, for example

$ vi $SCRIPT_TOP/<script_name>

c. Alter the line that starts with f60ctl start port=$FORMS_PORT mode=http exe=f60webmx to read

f60ctl start port=$FORMS_PORT mode=https exe=f60webmx >> $FRMLOG 2>/dev/null

d. Save and close the forms startup script file

On Windows NT/2000 platforms the forms server process is implemented through use of services. The forms service should be configuredto use https through use of the adsvfrm.cmd file that is shipped with Oracle Applications in the admin\install directory in the OracleApplications common top directory tree. Follow the instructions below to change the forms service to run in https mode on WindowsNT/2000:

a. Make a backup of the adsvfrm.cmd file in your <CommonTopMountPoint>\admin\install directoryb. Edit adsvfrm.cmd file as follows to change the connect mode from socket to https:

7/16/2014 Document 123718.1


Change:

<Applications COMMON_TOP>\util\OamkSvc.exe -si OracleFormsServer-Forms60<sid> -e -a -t -c "<8.0.6 ORACLE_HOME>\bin\ifsrv60.exe -listen port=9000 mode=SOCKET log=<Applications COMMON_TOP>\admin\log\forms_server.log"

to

<Applications COMMON_TOP>\util\OamkSvc.exe -si OracleFormsServer-Forms60<sid> -e -a -t -c "<8.0.6 ORACLE_HOME>\bin\ifsrv60.exe -listen port=9000 mode=HTTPS log=<Applications COMMON_TOP>\admin\log\forms_server.log"

c. Deinstall the existing forms service. From a command window run:

adsvfrm.cmd -deinstall

(You may get an exiting with status 1 the first time this is run. Rerun it a second time and it should exit with status0.)

d. Install the modified forms service. In the same command window run:

adsvfrm.cmd

This should recreate the service using https.

Note: Recreating the service in this way will reset the mode of the service in the registry. You can check the settings using theregistry editor by running regedit or regedt32.

For 11i.1, go to the Registry key \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleFormsServerSID, whereSID is the name of your database instance. Double-click on Mode value and ensure that it is set to https.

For 11i.2 and later, go to the Registry key\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OracleFormsServerSID\Application, where SID is the name of yourdatabase instance. Double-click on the Parameters value and ensure that the mode is set to https.

Note also that in 11i.1, Mode and Port are separate registry values, but in later releases, they are combined into a singleParameters registry key.

e. Change the ?Log on As? property of the forms service from ?System? to ?This Account? with a Windows NT Administrator useron the host machine using Control Panel > Services. Then restart the service.

Step 4.2.2 Testing

You should now proceed to Option 5.2 - Verifying SSL Set-up for Oracle Forms 6i Server to test the Forms startup and Applicationssign-on process.

Option 4.3 Configuring SSL with Oracle Database Server

Step 4.3.1. Required Patches and Prerequisite Steps

If your E-Business Suite system is 11.5.9 or below and you are not using AutoConfig to manage your system, apply the followingprerequisite patches to all Web, Forms, Admin, and Concurrent Processing nodes. The following patches are shipped with the E-BusinessSuite Release 11.5.10.

PatchNo


3797160 Provides new profile definition forFND_DB_WALLET_DIR

for non AutoConfig-enabled

You must also have generated the necessary Wallet files as described in Chapter 2, Option 2.3 - Certificate Provisioning for OracleDatabase Server to create the necessary wallet files.

Step 4.3.2. Configuring SSL with Oracle Database Server

Manually update the Database Wallet Directory profile option


7/16/2014 Document 123718.1


You may omit this step if you are using AutoConfig to manage your configuration. If you are not using AutoConfig, you will need tomanually update the Database Wallet Directory profile option value that was created by the patch for bug ref 3797160. Perform the stepslisted below to update this profile option value:

a. Sign on to the E-Business Suite as the System Administrator responsibility.b. Navigate to the System Profile Values screen.c. Query the Database Wallet Directory profile option.d. Enter the full path to the wallet directory that was created earlier on the database tier. Assuming that the value of ORACLE_HOME

of your database server installation is /u08/app/oracle/visdb, the value profile option value must be set as follows:

/u08/app/oracle/visdb/appsutil/wallet

e. Save your changes.

Step 4.3.3. Testing

You can now go to Chapter 5.3 - Verifying SSL Set-up for Oracle Database Server to test the wallet set-up.

Option 4.4 Additional Configuration Steps

Follow the instructions in this section only if you are not using AutoConfig to manage your system and only after you have determined thatthe Oracle HTTP server and Forms server can run in SSL mode and connections to Core Forms and Self-Service Web Applications issuccessful. This section describes how you can change the profile options and html page links for proper user navigation for securecommunication.

4.4.1 Profile Options

Sign on to Core Forms Applications as System Administrator and navigate to Profile > System

1. Query the profile option: Applications Web Authentication Server

This profile option deserves special note. It is used internally in Self-Service Web Applications code only for servers using SSL. It shouldbe set as follows:

http:// rather than https://

the non-SSL port for Apache

the machine name, not qualified by domain

Example: http://orl-sun:8800

2. Changes to other profile options

Query each of the following profile options to change each to use https:// instead of http:// and the secure SSL port instead of the non-SSLport for Apache.

a. Application Framework Agent

Example:

https://orl-sun.us.oracle.com:443

b. Applications Help Web Agent

Example:

https://orl-sun.us.oracle.com:443/pls/prod

c. Applications Web Agent

Example:

https://orl-sun.us.oracle.com:443/pls/prod

d. ICX: Report Images

7/16/2014 Document 123718.1


Example:

https://orl-sun.us.oracle.com:443/OA_MEDIA

e. ICX: Report Launcher

Example:

https://orl-sun.us.oracle.com:443/dev60cgi/rwcgi60

f. ICX: Report Link

Example:

https://orl-sun.us.oracle.com:443/pls/prod/

g. ICX: Report Cache

Example:

https://orl-sun.us.oracle.com:443/CACHE

h. ICX: Requisition Server

Example:

https://orl-sun.us.oracle.com:443

3. Profile option ICX: FORMS LAUNCHER using the non-SSL Apache port

Make sure to leave the profile option ICX: FORMS LAUNCHER as using the non-SSL Apache port.

This is because JInitiator 1.1.7.27 requires that the initial connection to the Web server must be via the non-SSL port to load the jar files.

This limitation is described in Appendix A (Current Limitations and Considerations).

For example:

http://<host.domwin>:<non-SSL port>/dev60cgi/f60cgi

4.4.2 Self Service Starting Page URL

Sign on to Self-Service Web Applications as System Administrator and navigate to System Administration-> General Application Options.

Change the Starting Page URL to use https:// instead of http://and the secure SSL port instead of the non-SSL port for Apache.

For example:

https://<host.port>:<SSL port>/OA_HTML/US/ICXINDEX.htm

4.4.3 HTML pages

There are four HTML files must be edited for proper user navigation for secure communication via the Applications Release 11i portal page.For each of files listed, make a backup before editing, then edit the line(s) indicated for that file such that the link uses https:// instead ofhttp:// and the secure SSL port instead of the non-SSL port for Apache.

1. Make a backup of each file

$ cd $COMMON_TOP/portal

$ cp aplogon.html aplogon.html.BAK

$ cp applist.html applist.html.BAK

$ cp appos090.html appos090.html.BAK

$ cp appetmp.html appetmp.html.BAK

2. Edit $COMMON_TOP/portal/aplogon.html

7/16/2014 Document 123718.1


Find and edit the line that provides the link for the Personal Home Page:

<a href="https://[host.domain]:[port]/OA_HTML/US/ICXINDEX.htm" target=_top>

3. Edit $COMMON_TOP/portal/applist.html

Find and edit the line that provides the link for the Online Help to read (this is all one line):

<tr><td><a href="https://[host.domain]:[port]/pls/[sid]/fnd_help.launch?LANG=US&ROOT=FND:LIBRARY&PATH=US/FND/@FNDSCSGN_NAVIGATOR" target=_top> 11i Online help</a></td></tr>

4. Edit $COMMON_TOP/portal/appos090.html

Find and edit the lines that define the example link for the Personal Home Page to read (this is all one line):

<P CLASS="CE-CodeEx"><A href="https://<host.domain>:<SSLPort>/OA_HTML/US/ICXINDEX.htm">https://<host.domain>:<SSLPort>/OA_HTML/US/ICXINDEX.htm</a></P> <P CLASS="CE-CodeEx"></P>

5. Edit $COMMON_TOP/portal/appetmp.html

Find and edit the lines that define your Web Listener Port. Change the value of [port] to reflect the Apache SSL port, for example:

<td><a href="appgloss.html#WEBPRT">Web Listener Port</a> </td>

<td>WEBPRT </td> <td>SSL port</td>

4.4.4 Re-Register the Oracle Applications Framework Web Provider with Oracle Portal (Optionally Required)

If you are using Oracle Portal the Oracle Applications Framework Web Provider for the E-Business Suite environment must be re-registered in the Oracle Portal Repository so that it uses the https protocol and the secure ssl port.

Sign on to Oracle Portal as a portal administrator and navigate to: "Administer" tab -> "Portlets" region -> "Edit a Provider Registration" section Select your Framework Web Provider from the list, and click "Edit" On the "Connection" tab update the URL to use https and the same SSL port you configured for Apache. Click "Apply" and then "OK". Select your Framework Web Provider from the list again, and click "Refresh"

Note: the navigation above is for Portal10g. When navigating in prior releases the nomenclature may be slightly different.

Chapter 5. Verifying SSL Configuration

This chapter contains instructions for testing the various SSL configurations previously performed as documented in this document.

Option 5.1 . Verifying SSL Set-up for Oracle HTTP ServerOption 5.2 . Verifying SSL Set-up for Oracle Forms 6i ServerOption 5.3 . Verifying SSL Set-up for Oracle Database Server

Option 5.1 Verifying SSL Set-up for Oracle HTTP Server

Test Startup of Apache and Apps Signon

Startup the Apache server in SSL mode on Unix by invoking apacctl.sh (which will invoke the httpdsctl script) or on Windows NT/2000 bystarting the Apache service.

On UNIX, you can ensure that there are several spawned processes for Apache through use of the following command:

% ps -ef | grep util

On NT/2000, you should use the processes taskbar to check for Apache processes.

If your server key is encrypted, you will be prompted for the PEM pass phrase that you chose when creating your server's private key.

Ensure that Apache can startup successfully before continuing and that you successfully get an SSL connection to the default Apache

7/16/2014 Document 123718.1


banner screen using

https://<host.domain>:<SSL_port>

where

<host.domain> is the fully qualified name of the machine running Apache

<SSL_port> is the SSL port number defined in httpds.conf.

Test the Forms Listener Servlet (Conditional)

If you have chosen to use the alternative Forms Listener Servlet architecture introduced in Forms/Reports 6i patchset 4 you should testthat you can connect successfully to forms. Logon to your E-Business Suite Home Page and choose the System Administratorresponsibility. Selecting any of the functions should launch forms in a new window.

Option 5.2 Verifying SSL Set-up for Oracle Forms 6i Server

Test Startup of Oracle Forms 6i Server and Apps Signon

If you are using a trial certificate or a non-recognized CA root certificate, you will need to complete the steps in Section IV, Part B(Working with an unrecognized CA Root certificate - Phase 2 Oracle Forms) before testing your work.

1. Start up the forms servers

On UNIX, startup the forms metrics server (adfmsctl.sh) and forms metrics client (adfmcctl.sh) as usual. Use your edited$SCRIPT_TOP/adfractl.sh (or adfroctl.sh, or adfrmctl.sh) to startup the forms server in https mode:

$SCRIPT_TOP/adfractl.sh start

On NT start the forms service using the control panel.

2. Make sure that the forms server has started successfully before continuing:

On UNIX, check for a process for f60srvm and a process similar to f60webmx webfile= HTTPS9,4,PID20 which indicates that forms isrunning in HTTPS mode using the command:

$ ps -ef | grep f60

On Windows NT/2000, check the services panel and task bar for forms server processes

3. Test that you can connect to Forms (Core) Applications

Remember that using JInitiator 1.1.7.27 requires that the initial connection to the Web server must be via the non-SSL port to load the jarfiles. This limitation is described in Appendix A (Current Limitations and Considerations).

4. Complete the steps in Chapter 6.1 (Troubleshooting - Client Connections)

Complete the steps in Chapter 6.1 (Troubleshooting - Client Connections) to prepare the client then test signon to Forms using thefollowing URL for UNIX:

http://[host.domain]:[port] /dev60cgi/f60cgi

or, for NT:

http://[host.domain]:[port] /dev60cgi/if60cgi

where [host.domain] is the fully qualified hostname of the machine running Apache

and [port] is the non-SSL web listener port.

NOTE:

If the forms server is not starting successfully, or you cannot connect to Forms go over the above steps, checking formistakes. The answer is most likely somewhere in the set-up instructions above. If you continue to have problems, checkChapter 6.3 (Troubleshooting - Connection to Oracle Forms Server) for more help.

7/16/2014 Document 123718.1


Option 5.3 Verifying SSL Set-up for Oracle Database Server

Test wallet setup

To test that the wallet is properly set up and accessible, login to SQLPLUS as the apps user and execute the following:

utl_http.request('[address to access]', '[proxy address]', 'file:[full path to walletdirectory]', null)

where:

'[address to access]' = the url for your Oracle Applications Rapid Install Portal, for example: 'https://www.oracle.com:4443'

[proxy address]' = the url of your proxy server, or NULL if you are not using a proxy server, for example: 'http://proxy.com:80'

'file:[full path to wallet directory]' = the location of your wallet directory, for example: 'file:/d1/dg02db/9.2.0/appsutil/wallet'

The final parameter is the wallet password, which is set to null by default.

NOTE:

You must use the prefix 'file:' and only the directory is specified, not the actual wallet files.

Examples:

utl_http.request('https://www.oracle.com:4443','http://proxy.com:80', 'file:/d1/dg02db/9.2.0/appsutil/wallet', null)

utl_http.request('https://www.oracle.com:4443',null, 'file:/d1/dg02db/9.2.0/appsutil/wallet', null)

If the wallet has been properly set up, you will be returned the first 2,000 characters of the html page.

If you receive any errors check the following:

For AutoConfig enabled instances:

Be sure you have followed the instructions in Oracle MetaLink Note 165195.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) under the section titled "Section 5: MaintainingSystem Configurations" to copy AutoConfig to the RDBMS ORACLE_HOME and Run AutoConfig on the database tier node.

For non AutoConfig enabled instances:

Be sure the Database Wallet Directory profile option exactly matches the location of the wallet directory.

Chapter 6. Troubleshooting

6.1. Client Connections

6.1.1 Refresh the Client Caches

The browser and JInitiator both have a mechanism for remembering activities that are performed repeatedly. In a production environmentthese mechanisms dramatically increase the performance of the client. However, when testing any changes made to the servers, we oftenwant to start with a clean slate. The following steps allow you to test your changes with confidence that client caching is not obscuring theresult.

1. Clean out your browser cache:

a. Netscape

Edit > Preferences > Advanced > Cache

Click the button Clear Memory Cache & Clear Disk Cache

b. MSIE


7/16/2014 Document 123718.1


Tools > Internet Options > General Tab

In the Temporary Internet Files block, click Delete Files...

In the History block, click Clear History

2. Clean out the JInitiator cache

Delete all files contained in the directory

c:\Program Files\Oracle\JInitiator 1.1.7.27 Export\jcache

3. Exit your browser completely and start a new session.

6.1.2 Disable Browser Proxy Settings

If your organization uses a firewall and the network administrator has not yet opened the necessary port in the firewall you will need todisable the browser proxy settings:

a. Netscape

Edit > Preferences > Advanced > Proxies

Click radio button for Direct Connection to the Internet

b. MSIE

Tools > Internet Options > Connections Tab

In the Local Area Network (LAN) block, click LAN Settings.

Uncheck the checkbox for Use a Proxy Server

6.1.3 Enable JInitiator's Java Console

Enabling JIniatitor's Java console allows you to view all activity and errors for JInitiator for forms connections.

a. Start > Programs > Jinitiator<version>

b. Check "Show Java Console"

6.2. Startup/Connection to Oracle HTTP Server

6.2.1 Startup of Apache Web Server

If the Apache Server does not start, use the following checklist to investigate any problem areas

1. Check the following files for typing mistakes or missing environment variables:

httpds.conf

httpdsctl

adapcctl.sh

Note, from Rdbms 8.1.7 onwards, the following commands will run a syntax check on the httpd.conf or httpds.conf configuration files.

on Windows :

<Oracle_Home>\Apache\Apache>apache -t

on Unix :

<Oracle_Home>/Apache/Apache/bin>httpdsctl -configtest

Note that this only checks that the Apache syntax is correct, not that directories or files referenced actually exist.

7/16/2014 Document 123718.1


2. Check the messages in the Apache log files which are located in the Apache/logs directory of the Apache directory tree.

error_log

ssl_engine_log

The messages they contain are often quite helpful and informative. Use them as search strings in the MetaLink technical database to helpdiagnose any problems.

6.2.2 Connection to Apache Web Server

1. Contact your local firewall administrator

Contact your local firewall administrator if you see the following message when connecting to the SSL port:

Forbidden

You are not permitted to access the remote system.

This error indicates that the firewall has not been opened for the Apache SSL port. If you are inside the firewall, unset the proxy settings inyour browser as described in section 6.1.2. Disable Browser Proxy Settings above.

2. Possible problem with browser proxy settings

There may be a problem with the browser proxy settings if everything works perfectly with Netscape, but attempts to use Internet Explorerfail with the following error message:

You are not Authorized to view the page,

HTTP Error 403 Forbidden.

If this error message occurs, try unchecking the proxy server in browser settings as described in section 6.1.2. Disable Browser ProxySettings above. IE only works with proxy server settings for port 443, any SSL port that is not 443 gets routed through proxy even ifbypass proxies is set to on.

3. Connected to non-SSL port but not SSL port

If you can connect to the non-SSL port and not to the SSL port, you should check whether the Apache server has started on the SSLports.

On Unix, use the following command to check:

ps -ef

On NT, use the following command to check:

netstat -a

If the SSL ports are not being used, you should check the service definitions in httpds.conf and, on NT in the adsvapc.cmd file to ensurethat the syntax to start and run the service using SSL is correct.

4. Connected to non-SSL port but connection to SSL port is refused

If you can connect to the non-SSL port, but your connection is refused when connecting to the SSL port, check the contents of thessl_engine_log file in the Apache/logs directory in the Apache directory tree. If you see a message in the following format:

[11/Dec/2000 22:25:48 01283] [warn] Init: (sundial:443) RSA server certificate CommonName (CN) ̀otclnx1.us.oracle.com' does NOT match server name! ?

this indicates that you have either specified your machine name (Common Name) incorrectly when creating the certificate request forApache, or you have tried to copy the certificate and server key over from another web server machine and not made the correctamendments.

6.3. Connection to Oracle Forms Server

6.3.1 JInitiator

If JInitiator never spawns when you attempt to connect to Oracle Forms, check what mode is being used for the initial connection. For the

7/16/2014 Document 123718.1


initial download of jar files, Jinitiator 1.1.7.27 needs to connect to the non-SSL port, from version 1.1.8.3 jar files can be downloaded overthe SSL connection.

6.3.2 Problems with Certificates

1. On NT, if you have successfully created the forms service, then attempt to make a connection, but the Java Consolehangs after the lines

connectMode=HTTPS

Cipher capability:128 bit

and the htts.log file shows the error ?open wallet failed?. You should ensure that the forms service has been started with theservice property ?Log on AS? set to This Account with a Windows NT Administrator user on the forms server host machine.If this is correct and the error persists, you should also ensure that the cwallet.sso file that is created through use of theOracle Wallet Manager is in the FORMS60_WALLET directory that is nominated in the 8.0.6 ORACLE_HOME environmentfile and that this value also matches the registry setting for FORMS60_WALLET

2. There may be a problem with the certificate in use if the Java Console downloads the jar files when you attempt to connectto Oracle Forms but then displays messages like the following:

Openinghttp://otclnx1.us.oracle.com:11082/OA_JAVA/oracle/jinitiator/ProxySettings.class

no proxy

connectMode=HTTPS

Cipher capability:40 bit.

javax.net.ssl.SSLException: SSL handshake failed: X509CertChainInvalidErr

at oracle.security.ssl.OracleSSLSocketImpl.

startHandshake(OracleSSLSocketImpl.java)

at oracle.forms.net.HTTPSStream.connect(Unknown Source)

at oracle.forms.net.HTTPConnection.connect(Unknown Source)

at oracle.forms.engine.Runform.initConnection(Unknown Source)

at oracle.forms.engine.Runform.startRunform(Unknown Source)

at oracle.forms.engine.Main.createRunform(Unknown Source)

at oracle.forms.engine.Main.start(Unknown Source)

at sun.applet.JinitAppletPanel.run(Compiled Code) at java.lang.Thread.run(Thread.java:466)

This message indicates that you have imported an unrecognized certificate into JInitiator's database of trusted CA's.

3. The certificate in use may have expired if you are able to connect successfully using Socket or HTTP mode, but when youattempt to connect in HTTPS mode using the Forms listener, the JAVA CONSOLE displays an SSL handshake failure andthen gives an error showing that it is unable to connect to the machine name in the following format:

no proxy

@ proxyHost=d2kqa-apps4.us.oracle.com

proxyPort=9096

connectMode=HTTPS

Cipher capability:128 bit. javax.net.ssl.SSLException: SSL handshake failed:X509CertExpiredErr atoracle.security.ssl.OracleSSLSocketImpl.startHandshake(OracleSSLSocketImpl.java)

at oracle.forms.net.HTTPSStream.connect(Unknown Source)

at oracle.forms.net.HTTPConnection.connect(Unknown Source)

at oracle.forms.engine.Runform.initConnection(Unknown Source)

at oracle.forms.engine.Runform.startRunform(Unknown Source)

at oracle.forms.engine.Main.createRunform(Unknown Source)

at oracle.forms.engine.Main.start(Unknown Source)

at sun.applet.JinitAppletPanel.run(Compiled Code) at java.lang.Thread.run(Thread.java:466)

Error messages in this format indicate that the certificate of your Forms server has expired and should be replaced with avalid certificate.

4. There may be a problem with the certdb.txt file if signon to Forms is successful when you attempt to connect to OracleForms, but the Java Console shows messages similar to the following:

7/16/2014 Document 123718.1


connectMode=HTTPS IO Exception caught: java.io.IOException:

h:\PROGRA~1\oracle\JINITI~1.27E\lib\security\certdb.txt

java.lang.NullPointerException: IO Exception caught: java.io.IOException:

h:\PROGRA~1\oracle\JINITI~1.27E\lib\security\certdb.txt

java.lang.NullPointerException:

Cipher capability:40 bit.

Negotiated Cipher Suite:40 bit. Forms Applet version is : 4

This message suggests that the certdb.txt file either has not been transferred from the server correctly or that the file ismissing from the Jinitiator\lib\security directory eg:

c:\Program Files\Oracle\JInitiator <version>\lib\security

Follow the instructions in Section 2. Update JInitiator's CA root certificate database to resolve this issue.

6.3.3 Reported Problems with Multi-User Installs

For multi-user installs (i.e. an oracle user and an applmgr user), one customer has reported problems starting the Forms server asapplmgr. The symptoms reported were that when attempting to connect to forms, the Java console indicated problems accessing the jarfiles. Further information was acquired by starting the forms server with the log= parameters and examining the log file, which showed anerror reading the wallet (as specified by the environment variable FORMS60_WALLET). The resolution in this customer's case was to startthe forms server as oracle, rather than applmgr.

If this seems to be an issue, before starting the forms server as oracle, check the following:

1. You are not attempting to connect to Forms and download jar files over the SSL port of Apache.2. For this wallet, ensure that the Auto Login checkbox is checked.3. Ensure that on UNIX machines, the oracle and applmgr users are in the same UNIX group and that the group has full permissions

on the directory and files in FORMS60_WALLET.

6.4 Use of SSL with Oracle Portal

6.4.1 Known Issues

1. Customers wishing to run the Oracle Portal Parallel Page Engine in https mode in environments that have been installed usingversions of Rapid Install earlier than version 11.5.10 need to apply patch 1824205 to the iAS ORACLE_HOME. Without this patch,the jserv.log will show the following error after enabling SSL for the HTTP listener:

[01/04/2003 03:51:14:785 PST] page/ContentFetcher Unexpected Exception Request

Failed: java.lang.NullPointerException: SSL context null in setting cipher list name=content-fetcher16 label=page url=https://.../!PORTAL30.wwpob_page.show?_pageid=51 time=866ms timeout=60000ms process=Reading [01/04/2003 03:51:14:977 PST] page/Content Fetcher Caught: java.lang.NullPointerException: SSL context null in setting cipher list Source) at HTTPClient.ExtBufferedInputStream.available(ExtBufferedInputStream.java:320) at HTTPClient.StreamDemultiplexor.available(StreamDemultiplexor.java:383) at HTTPClient.RespInputStream.available(RespInputStream.java:191) at java.io.InputStreamReader.inReady(InputStreamReader.java:194) at java.io.InputStreamReader.fill(InputStreamReader.java:166) at java.io.InputStreamReader.read(InputStreamReader.java:244) at oracle.webdb.page.ContentFetcher.run(ContentFetcher.java:524)

2. Customers using OAS10g with Internet Explorer cannot log into OracleAS Portal when the SSO HTTP Server and the middle tierWebCache (or HTTP Server if the WebCache is not used) are running on a single machine and using the same ServerName. Aftersubmitting the login information, the browser is redirected to the Portal home page and the following error is raised:

Error: Unexpected error encountered in wwsec_app_priv.process_signon (ORA-06502: PL/SQL: numeric or valueerror: character string buffer too small) (WWC-41417)

7/16/2014 Document 123718.1


or

Error: The decryption of the authentication information was unsuccessful.This may be caused by data inconsistency, an incorrect encryption key in this application's configuration, or an illegalaccess attempt. Please notify your administrator. (WWC-41454)

To resolve this MSIE error do one of the following:

1. Use Netscape Navigator to login to OracleAS Portal. 2. Install the Infrastructure tier and the Application Server middle-tier on two separate machines.3. Follow the instructions in Metalink Note 285986.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=285986.1) to add an additional virtual hostname.

3. After upgrading to ATG-H and HR FP-J you receive this warning when logging into Portal:

"There are secure and non-secure items on this page. Do you want to proceed"

This is fixed in 11.5.10 CU2 for ATG Product family (4125550) and one-off patch 4734630 ONE-OFF REQUEST FOR SCHEME(HTTP/HTTPS) FIXES CONTAINED IN CU2 FOR PORTAL NAV which can be applied on top of 11.5.10 Consolidated Update (CU1)for ATG Product Family (4017300).

Appendix A. Current Limitations & Considerations

This section describes the current issues your organization must consider in implementing SSL for Oracle Applications. Many of thelimitations described are being addressed by Oracle Development at the time of writing this document and may be resolved by the time ofyour reading. Please check MetaLink for the status of referenced bugs or contact Oracle Support for current information.

Incompatibility of Apache / Oracle Forms 6i Certificate formats

The process of generating a certificate request (CSR) and the resulting certificate from openssl (used for Apache SSL implementation)cannot be used by Oracle Wallet Manager in an Oracle Forms 6i SSL implementation. This is because:

If the original certificate was generated with Oracle Wallet Manager, the private key is not in a suitable format for Apache to use fordecryption of messages.If the original certificate was generated using openssl, Wallet Manager does not have the capability of recognizing the existence ofthe private key.

The implication is that two certificates must be used by one organization wishing to implement SSL for both the Oracle Application's Weband Forms servers.

Bug 1483135 (http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:1483135) was originally logged for this incompatibilitybetween the technology stack components.

Bug 1533603 (http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:1533603) has been raised because Oracle Wallet Managerdoes not use its private key in a standard format that can be interpreted by the Apache Server.

Bug 1491508 (http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:1491508) has been logged for the inability of Oracle WalletManager to import a User Certificate if the CSR is generated elsewhere.

As of 9i implementations of Oracle Applications, both iAS and Database stacks will be united so that the Apache server can understandOracle Wallets. The Oracle Wallet format will also be amended allowing it to inter operate with browsers and openssl. If you have 9i OracleWallet Manager and an earlier version of apache, you will be able to use the openssl pkcs12 utility to convert the apache format to astandard format and open it in Wallet Manager. These changes are incorporated into iAS version 2.0.

Key Size Limitation of 512 bits for Oracle Forms 6i Server

Due to restrictions imposed by the United States during the initial development of Oracle Applications Release 11i, rapid installs up to11i.4 include the Export Edition of Developer 6i. The result of this being that Oracle Wallet Manager and Forms 6i Server supported aprivate/public key size no longer than 512 bits and corresponding 40-bit client-server message encryption.

Since the original release of Oracle Applications Release 11i, laws concerning encryption strength have relaxed, Developer 6i has gainedan ?approved product? status effectively removing the distinction between domestic and export encryption and a key size of 1024 bits andcorresponding 128-bit client-server message encryption has become the recommended standard.

Bug 1365794 (http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:1365794) has been logged for this limitation of the FormsServer included with Release 11i technology stack.






7/16/2014 Document 123718.1


Bug 1713616 (http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=Bug:1713616) provides details of a one off patch that can beapplied to Developer 6i to upgrade from the export to the domestic edition to gain the benefit of the improved encryption levels that itsupplies. This patch is required for any Release 11i implementations that have been installed with RapidInstall versions 11i.3 or earlier thatwould like to use the higher encryption levels supported in the domestic version of the Developer 6I base. Any new implementations thathave been installed with version 11i.4 or later of RapidInstall will already incorporate the domestic version of Developer 6i. (On NT 4.0 / Win2000, any patch for 6I will upgrade the export version to domestic). From Forms 6i patch 5 (6.0.8.14) onwards, the domestic edition will beapplied to all implementations.

If you are not sure which version of forms your install of Release 11i Applications is using, you can check this by setting up theenvironment for the 8.0.6 ORACLE_HOME and typing f60run. This will display a page of information to the terminal, the first line of whichshows the Forms Runtime version.

JInitiator 1.1.7.27 cannot download jar files via SSL

When connecting to core Oracle Applications (Forms), Oracle JInitiator 1.1.7.27 must download jar files to the client using a non-SSL Webconnection. After jar files are downloaded, subsequent communication between the Oracle Forms 6i Server and JInitiator will be in httpsmode (as shown by the Java console for JInitiator).

Since non-SSL web connections are not configured by the latest versions of AutoConfig patches (TXK AutoConfig Template Rollup F(November 2003), bug 3104607 onwards), customers that are using AutoConfig must use JInitiator 1.1.8.3 or above which have thecapability to download jar files over an SSL Web connection.

Please check certify for certification of your specific product configuration and be sure to follow any special instructions which may includeapplying specific patches or changes to the FORMS60_WEB_CONFIG_FILE (appsweb.cfg). More information on this topic may be foundin the MetaLink document: " Upgrading the JInitiator version used with Oracle Applications 11i(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=124606.1) "

Forms 6i Wallet Manager does not work with new Verisign Extended Validation Certificates.

In April 2006 Versign began issuing Extended Validation (EV) Certificates. While Apache/iAS will function just fine with these newcertificates, the Forms 6i Wallet Manager will not. You will need to use the Forms Listener Servlet if you wish to enable SSL for Forms. Please see Metalink Note 436312.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=436312.1) for further information.

Appendix B. Firewalls

In order for users outside your organization's intranet to make SSL connections, the network administrator must open the following ports inthe firewall for network traffic:

Apache SSL portApache non-SSL port (necessary for Forms connections until JInitiator is capable of initial download of jar files over SSL connection)Forms Listener portTCF Server port (if used in your environment, TCF SSL not covered in this document)

Appendix C. Use of the Forms Listener Servlet

Forms 6i Patchset 4 onwards will include a new architecture for the Forms Server to improve the deployment of Forms applications throughthe internet. The current Forms Listener will continue to be supported in socket mode for an intranet usage. The new Forms Serverarchitecture is servlet based and is called the Forms Listener Servlet. Using this new feature, all the communication between the Formsclient and the Forms Server goes through the web server (instead of a direct connection between the Forms client and the Forms Server).This type of connection is totally standard and the requirements in terms of proxy and firewall settings are the same as any web basedapplication (like a standard servlet for instance).

Here are some of the benefits of the architecture:

Support for a broader range of firewalls and proxiesNo protocol restriction (HTTP/1.1 or HTTP1.0)No extra process to manage (No Forms listener process)No specific certificate to purchase/manage for SSL deployment (Done at the web server level)Standard Load balancing techniques supportInternet Explorer 5.0 native support in intranet and internet deployment

The Forms Listener Servlet has been designed to work with iAS. It has been built using standard technology so it should work with anyServlet engine 2.0 or above. Further documentation on its implementation is available in white papers that have been written as well asOracle Metalink Note 247136.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=247136.1) - Forms 6i Listener Servlet For






7/16/2014 Document 123718.1


Web Deployment of Forms in Oracle 9iAS Rel 1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=247136.1) .

Implementing Forms Listener Servlet

AutoConfig-enabled system

To implement Forms Listener Servlet, you can use the Configuration Wizards utility. This utility is available asa command-line interface and also from Oracle Applications Manager (OAM). This utility is shipped with the E-Business Suite Release 11.5.10.

If you are using 11.5.9 or lower and would like to use this utility, apply the following prerequisite patches to allWeb, Forms, and Concurrent Processing nodes:

PatchNo


3258830 OAMPatchset H

About Oracle Applications Manager Mini-pack 11i.OAM.H(http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=258330.1) - Note 258330.1

2864765 AdvancedUtilitiesPatch

Running Configuration Wizards from the Command Line inOracle Applications 11i(http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=277574.1) - Note 277574.1

The Configuration Wizards utility automates the configuration of Forms Listener Servlet. For additionalinformation on the usage of this utility, please refer to the following documents:

1. Oracle MetaLink Note 277574.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=277574.1) - "Running Configuration Wizards from the Command Line in Oracle Applications11i"

2. OAM On-line Help: Help -> Oracle Applications Manager -> System Configuration ->AutoConfig -> Configuration Wizards

After completing the configuration of SSL with Oracle HTTP server using the Configurationwizards utility, run AutoConfig as described in MetaLink Note 165195.1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=165195.1) .

Non AutoConfig-enabled system

If you are not using AutoConfig to manage your system, see the Oracle MetaLink Note 201340.1 Using FormsListener Servlet with Oracle Applications 11i (http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=201340.1) .

Appendix D. Converting OpenSSL Certificates to Wallet Format for use with Web Cache

Using Web Cache with SSL requires an Oracle Wallet. Your exisitng Apache server.key, server.crt, and ca.crt files on the ApplicationsMiddle Tier can be converted into an Oracle Wallet format using the following instructions and openssl version 0.9.7 or higher.

Copy the existing server.crt, ca.crt, and server.key files from $COMMON_TOP/admin/certs/apache/ssl.crt and$COMMON_TOP/admin/certs/apache/ssl.key directories to a temporary directory. Run the following command which will combine the certificate's public key, private key and root certficate into one file which can bebe imported into Oracle Wallet Manager.

/usr/bin/openssl pkcs12 -export -descert -in server.crt -inkey server.key -certfile ca.crt -name <friendly name> -out ewallet.p12 where <friendly name> is a name you give for the certificate and private key.

You will be prompted to Enter Export Password: This password will be required to open the wallet.

Copy ewallet.p12 to Webcache wallet directory as the user who owns the Web Cache file system. If you FTP the file be sure to do so in binary mode. Ensure that your Web Cache environment is correctly sourced. Enable AutoLogin for the wallet









7/16/2014 Document 123718.1


Set the DISPLAY variable to display to the IP address from where you are working. For example: % export DISPLAY=138. 22.155.16:0.0 where 138.22.155.16 is the IP address of your workstation.

For LINUX only - set the environment variable THREADS_FLAG=native. For example: export THREADS_FLAG=native

Run owm, which is located under the $ORACLE_HOME/bin directory. For example: $ORACLE_HOME/bin/owm &

On Windows NT/2000, run Oracle Wallet Manager using Start > Programs > Oracle for Windows NT > Oracle WalletManager or Start > Programs > Oracle for Windows NT > Integrated Management Tools > Wallet Manager.

On the Oracle Wallet Manger Menu: Navigate to Wallet -> Open Select Yes when prompted with the message: " Your default directory doesn't exist. Do you wish to continue?" Use the Select Directory window to navigate to your wallet directory. Click ok and enter the wallet password when prompted to open the wallet.

On the Oracle Wallet Manger Menu: Be sure the AutoLogin feature is checked.

When the AutoLogin feature is checked the wallet can be accessed by OS processes (i.e. sqlplus) thatare owned by the same owner who created the wallet. To open the wallet using Oracle Wallet Managera password will still be required.

Save the wallet and exit.

You should now have the following wallet files in your wallet directory. ewallet.p12 cwallet.sso

Related Documentation

Apache SSL Configuration

Apache Single Listener Configuration for Applications 11.5.1 (http://metalink.oracle.com/epmos/faces/DocumentDisplay?

id=119873.1) (Note 119873.1)Configuring Oracle HTTP Server with SSL and Global Server Certificates(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=137136.1) (Note 137136.1)How to be a Certificate Authority (CA) with Oracle HTTP Server on Unix(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=117022.1) (Note 117022.1)How to Request and Configure Test SSL Certificate with for Oracle9iASv1 on Unix(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=114444.1) (Note 114444.1)Advanced Configurations and Topologies for Enterprise Deployments of E-Business Suite 11i(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=217368.1) (Note 217368.1)

Forms SSL Configuration

How to Deploy Forms via HTTPS with Forms Server 6i (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=106350.1)

(Note 106350.1)Forms 6i Listener Servlet For Web Deployment of Forms in Oracle 9iAS Rel 1(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=247136.1) (Note 247136.1)Deploying Forms Applications to the Web with Forms Server Release 6i(http://metalink.oracle.com/epmos/main/downloadattachmentprocessor?attachid=123718.1:100&clickstream=yes) , Part no.A73071_01 (PDF, 1.8Kb)How to make Jinitiator work with Apache with SSL (HTTPS) with a Verisign Trial Certificate and 1.0.2.2.2(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=147836.1) (Note 147836.1)

Using SSL with Portal

Configuring SSL for Portal on UNIX (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=161099.1) (Note 161099.1)Configuring SSL for Portal on NT (http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=136153.1) (Note 136153.1)How to Configure Portal with SSL and Global Server Certificates (http://metalink.oracle.com/epmos/faces/DocumentDisplay?








https://support.oracle.com/epmos/main/downloadattachmentprocessor?attachid=123718.1:100&clickstream=yes





7/16/2014 Document 123718.1


id=137145.1) (Note 137145.1)

Using SSL with Oracle XML Gateway and Oracle Workflow

Installing Oracle XML Gateway and Oracle Workflow with Oracle Applications 11i(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=152775.1) (Note 152775.1)

Web Cache with SSL Configuration

Installing and Configuring Oracle Application Server Web Cache with Oracle E-Business Suite(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=306653.1) (Note 306653.1)

Using SSL with Advanced Security Option (ASO) / Advanced Networking Option (ANO)

Encrypting EBS 11i Network Traffic using Advanced Security Option / Advanced Networking Option(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=391248.1) (Note 391248.1)

Versign 3 Tier Certificates

Information on using new 3 tier certificates issued by VeriSign with Applications 11i(http://metalink.oracle.com/epmos/faces/DocumentDisplay?id=436312.1) (Note 436312.1)

Change Log

October 29, 2009: Added optional instructions to create webserver wallet for use with LDAP server.December 26, 2008: Added Forms 6i Wallet Issue with Verisgn EV Certificates to Appendix A.December 23, 2008: Processed remarks and added Certificate Provisioning for XML Publisher or Business Intelligence Publisher.October 7, 2008: Added information on Transport Layer Security (TLS).June 19, 2008: Added changes for using SSL Accelerator and iRecruitement to the list of db wallet users. Clarified use and setup of Forms SSL, added reference and link to Note 436312.1January 16, 2008: Added note to apply patch 5946797 for latest version of ca-bundle.crt.December 27, 2006: Changes to generate the random character file with sha1 in place of md5 as Verisign no longer supports md5.November 27, 2006: Changes for RUP O. Added steps to run ssodatan.sh and reregister partner application.September 26, 2006: Added reference to Metalink Note 391248.1 Encrypting EBS 11i Network Traffic using Advanced SecurityOption / Advanced Networking OptionAugust 24, 2006: Added reference to Metalink Note 147836.1 How to make Jinitiator work with Apache with SSL (HTTPS) with aVerisign Trial Certificate and 1.0.2.2.2April 2, 2006: Added details on changing context variable for apps_portal_url to the ssl enabled url.December 8, 2005: Removed Appendix B as link and data contained therein is obsolete. Added known Portal issue #3. Added requirement of using Forms Listener Servlet with JS2E 1.4.2.xAugust 25, 2005: Added steps to modify Portal Framework Provider, modified Appendix E command to convert certificates.July 21, 2005: Clarified steps for creating file of PEM-encoded Server Certificates (ca.crt)July 5, 2005: Clarified that directory structure and naming conventons must be used to avoid problems with SSL infrastructure.July 1, 2005: Added Appendix E. Converting OpenSSL Certificates to Wallet FormatJune 3, 2005: Added Portal Known issue when using OAS10g and Internet Explorer. February 21, 2005: Added information for using the Forms Listener Servlet architecture.February 16, 2005: Updated "Related Documentation" links, added instructions for setting webentry url protocol and web port inStep 3.1.3.January 3, 2005: Added change for profile option Application Framework AgentOctober 12, 2004: Added Web Services and Oracle Transport Agent.September 21, 2004: Added information about Configuration Wizards.September 06, 2004: Organized the existing information into separate sections for certificate provisioning, configuration forautoconfig and non-autoconfig enabled environments, and verification.

Copy right © 2004 Oracle Corporation

MetaLink Note 123718.1

Last updated: 15-Oct-2012






SSL in Oracle Apps 11i

Documents

Transcript of SSL in Oracle Apps 11i