Página 1 de 29
In This Document
Section 1: Introduction
Section 2: Concepts and Terminology
Section 3: Application Tier Setup
Section 4: Database Tier Setup
Section 5: Advanced SSL Setup
Section 6: Converting Existing Certificates
Section 7: Creating your Certifying Authority's Certificate
Section 8: Oracle Application Server Certificate Authority
Section 9: Disabling Older SSL Protocols and Weak Ciphers
Section 10: Encrypting Database Network Traffic using ANO/ASO
Appendix A - Using Network Traffic Encryption
Appendix B - Disabling SSL
This document explains the setup steps for enabling SSL in Oracle E-Business Suite Release 12.0 and 12.1; for
Release 12.2, use document 1367293.1 instead.
The most current version of this document can be obtained in My Oracle Support Knowledge Document
376700.1.
Section 1: Introduction
The most significant change for Secure Sockets Layer (SSL) support in Oracle E-Business Suite Release 12 is the
use of the mod_ossl module for the Oracle HTTP Server. Like mod_ssl, the mod_ossl plug-in enables strong
cryptography for Oracle HTTP Server. Unlike mod_ssl, which is built on OpenSSL, mod_ossl is based on the Oracle
implementation of SSL, which supports both the SSL and TLS protocols and is built on Certicom and RSA Security
technology.
In Oracle E-Business Suite Release 12, SSL certificates are managed by Oracle Wallet Manager 10g, which is
accessible via the familiar OWM graphical user interface (GUI) or the newer ORAPKI command line interface (CLI).
Since Oracle E-Business Suite Release 12 uses the Forms Listener Servlet, a separate certificate is no longer
needed for Forms: it shares the same wallet as the Oracle HTTP Server.
In keeping with the theme of security, and as part of implementing SSL, it is recommended that you also review
your current JRE deployment, as well as looking into enhanced JAR file signing. Refer to document 393931.1 for
information on obtaining the most current JRE, and document 1591073.1 for information on signing JAR files.
Note: Use of the Forms Server Listener with ConnectMode=https is not supported. ConnectMode=https
only works with JInitiator, which includes the Oracle SSL libraries. Release 12 uses the Sun Java Plugin. If
you need to use https for the Forms communication layer you must use the servlet architecture.
https://support.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl-state=rif88q3fl_343... 08/05/2015
Document 376700.1 Página 2 de 29
Section 2: Concepts and Terminology
SSL is a technology that provides the essential functions of mutual authentication, data encryption and data
integrity for secure transactions. The exchange of data between client and server in such secure transactions is
said to use the Secure Sockets Layer (SSL).
Transport Layer Security (TLS) is the successor cryptographic protocol; it ensures privacy between communicating
applications and their users on the Internet. While SSL is supported with all versions of the Oracle Application
Server, TLS requires a minimum of Application Server 10.1.2.0.
Both Oracle Applications Release 11i and Oracle Applications Release 12 support the use of SSL and TLS.
User certificates - issued to servers or users to prove their identity in a public key/private key exchange.
Trusted certificates - representing entities who you trust, such as certificate authorities.
1. The client opens an HTTPS connection to the server and sends the list of cipher suites (encryption
algorithms and strengths) that it supports.
2. The server selects the strongest cipher suite that both sides have in common.
3. The server presents its certificate to the client. The certificate contains the server's identifying
information and its public key.
4. The client checks the certificate against its list of trust points (the CA certificates it trusts). If the
certificate chains to a trusted CA, is valid and matches the server, the server is authenticated.
5. The client generates the secret from which the session key is derived, encrypts it with the server's
public key and sends it to the server. Only the server can recover it, using its private key.
6. Both sides now hold the same session key and use it to encrypt the application data for the rest of the
session.
1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle
HTTP server).
2. When the package fetches data from a Web site using HTTPS, it specifies the location to the Oracle
Wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority
(CA) that signed the Web node's server certificate.
A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates.
All digital certificates are signed with the Certificate Authority's private key to ensure authenticity. The
Certificate Authority's Public Key is widely distributed.
A Certificate Signing Request (CSR) is a digital file that contains your public key and your identifying name,
signed with your private key. You send the CSR to a Certifying Authority (CA), which verifies it and returns a
signed certificate.
A digital certificate is an electronic document that binds an identity to a pair of keys that can be used to
encrypt and sign digital information. Certificates are issued by a trusted third party, called a Certification
Authority (CA). The document is usually in the standard X.509 format and contains three elements:
Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate which will be valid
for 2 weeks for testing purposes.
The private key file is a digital file that you generate and use to decrypt messages sent to you. The
certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key, so
the resulting digital certificate (containing the matching public key) issued by your CA is bound to this
private key. Protect the key file accordingly: anyone who obtains it can impersonate your server.
Secure Server Certificates are marketed as 128 bit certificates because they allow 128 bit SSL encryption. The
"bits" here refer to the negotiated symmetric cipher, not to the certificate's key size. If a browser has 128 bit
support, encryption is negotiated to 128 bits. However, if the browser only supports 40 bit encryption, the level
of encryption, regardless of the certificate, is negotiated down to 40 bits.
Global Server Certificates, also referred to as Server Gated Cryptography (SGC) certificates, are 128 bit
certificates that enable all browsers to use 128 bit encryption, even if the browser only supports 40 bit
encryption. A global server certificate usually has two parts: the certificate itself and an extra intermediate
certificate that provides the step-up. The marketing names of these certificates vary by issuer; for example,
Thawte calls them 128 bit SuperCerts. Trial versions of global server certificates are not available, so they
cannot be tested until one is purchased.
Secure Socket Layer (SSL) Accelerators offload SSL processing from the web servers. Usually SSL accelerators are
the primary targets for https requests from the user's desktop and thus are the initial target for all desktop
client communication. They terminate the "https" SSL requests and forward them as non-SSL "http" requests to the
HTTP server, which runs in non-SSL mode. Before sending the response back to the desktop they convert the
non-SSL response back into an SSL response. Because the leg between the accelerator and the web server is
unencrypted, that network segment must be one you trust.
If you are planning on using an SSL Accelerator only, you can skip steps 1 through 7 in Section 3 and proceed
to Step 8, referencing the table Changes when using an SSL Accelerator. Make certain that the SSL
certificate used on the SSL Accelerator is in place; consult the documentation for your SSL Accelerator as
needed. If you are also enabling SSL at the Oracle E-Business Suite level in addition to the SSL Accelerator,
then all steps in Section 3 still apply.
If you are making use of a self-signed, in-house, or trial certificate and the root CA or any intermediate
certificate component is not found in the certificate chain, errors may be encountered. In this case, you would
need to follow all the steps in Section 3, starting with step 5. In addition, you may also need to import any
certificate components into the client side JRE trust store.
Windows -> Control Panel -> Programs -> Java -> Security (tab) -> Manage Certificates
From here you can import Trusted Certificates as well as Signer CA certificates. Depending on the type of
certificate, you may also need to import the same certificate components into the client side browser.
Note: If you plan to use "cookie based session persistence" at the HTTP Load Balancer level, and you plan
to enable SSL for HTTP traffic at all application tier Web Nodes, you have to use an SSL Accelerator as the
Web Entry Point Host. This is because HTTP Load Balancers cannot intercept the SSL encrypted
communication between the Client Browser and the application tier Web Server to insert or delete the cookies
that maintain session persistence. Using an SSL accelerator also reduces maintenance, because none of the
application tier Web Nodes then have to be configured for SSL.
Note: The demo certificates are not secure and should never be used in a production environment.
Section 3: Application Tier Setup
The main steps for setting up SSL on the Application Tier are:
These instructions involve the use of the Oracle Wallet Manager Graphical User Interface. If you would prefer to
use the Oracle Wallet Manager Command Line Interface refer to My Oracle Support Knowledge Document
376694.1: Using the Oracle Wallet Manager Command Line Interface in Release 12.
If you have unexpired certificates from your Oracle E-Business Suite Release 11i SSL instance you can convert
them using the instructions in Section 6: Converting Existing Certificates.
Note: Discoverer users who enable SSL for the E-Business Suite must also enable SSL for Discoverer.
- For Discoverer without Portal or Single SignOn (SSO) refer to My Oracle Support Knowledge Document
338071.1 - How To Configure Discoverer 10g (10.1.2) Plus/Viewer For HTTPS (SSL) Access
- For Discoverer with Portal and/or Single SignOn (SSO) refer to My Oracle Support Knowledge Document
339448.1 - Quick Start to Configure Discoverer Plus/Viewer/Portlet Provider 10.1.2.0.2 in SSL + SSO
1. Logon to the application tier as the OS user who owns the application tier files.
2. Source your application tier environment file (APPS<sid_machine>.env) located in the APPL_TOP
directory.
3. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3
ORACLE_HOME variables.
Note: When working with wallets and certificates you must use the 10.1.3 executables.
$ owm &
After clicking "Yes" in step 2 the Create Certificate Request Screen will pop up:
Select your Country from the drop down list, and for the Key Size, select 2048 as a minimum.
Click OK.
Note: Depending on your certificate provider, they may not accept the MD5 based certificate
request (CSR) generated by the Oracle Wallet Manager (OWM). For example, VeriSign will
now only accept SHA-1 2048 bit based CSRs or higher. In such cases, you will need to convert
the MD5 CSR to a suitable SHA-1 based CSR. Refer to Section 9 and Signature Algorithm
Changes.
You will need to export the Certificate Request before you can submit it to a Certifying Authority.
cwallet.sso
ewallet.p12
server.csr
You may now submit server.csr to your Certifying Authority to request a Server Certificate.
After you receive your Server Certificate from your Certifying Authority you will need to import it
into your wallet. Copy the certificate to server.crt in the wallet directory on your server by one of
the following methods:
$ owm &
Note: If all trusted certificates that make up the chain of server.crt are not present in the wallet, then
adding the certificate will fail. When the wallet was created, the certificates for the most common CAs
(such as VeriSign, GTE, and Entrust) were included automatically. Contact your certifying authority if you
need to add their certificate, and save the provided file as ca.crt in the wallet directory in a base64 format.
Another option is to follow the instructions in Section 7 to create ca.crt from your server certificate
(server.crt). If your Certifying Authority provided an intermediate certificate (to complete the chain) then
save the provided file as intca.crt in a Base64 format, this will need to be imported into Oracle Wallet
Manager prior to importing the server.crt. Certificates that comprise several parts (such as the P7B type)
would also fall into this category.
If you need to import the CA Certificate you will also need to add the contents of ca.crt file to
b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:
If you were also provided an Intermediate Certificate (intca.crt) then you will also need to add that to the
b64InternetCertificate.txt:
The E-Business Suite Rapid Install process creates a default "demo" opmn wallet in the $INST_TOP/certs/opmn
directory that can be used in test instances for basic SSL testing. Now that the Apache wallet has been created
you will need to use these same certificates for opmn. Use the following steps to back up and copy the
wallets:
Oracle Web Services requires the certificate of the Certifying Authority that issued your server certificate
(ca.crt from the previous step) to be present in the JDK cacerts file. In addition, some features of XML
Publisher and BI Publisher require the server certificate (server.crt from the previous step) to be present.
Follow these steps to be sure these requirements are met:
If you were also provided an Intermediate Certificate (intca.crt) then you will also need to add
that to the cacerts before adding the server.crt:
Note: Whenever you upgrade the JDK version on the server, any additional certificates you added to the
cacerts file will be lost. You will need to re-import the root certificate (and any intermediate and server
certificates you added), or keep a copy of your original cacerts file that you can copy back in.
Use the E-Business Suite - Oracle Applications Manager (OAM) Context Editor to change the SSL related
variables as shown in this table:
Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME
directory.
In Oracle E-Business Suite Release 12 a non-SSL port is kept open for those products that need to access
some of their pages via the http protocol, as well as for the Oracle Applications Help System. If you wish to
disable the http port and force all users to access your pages via the https protocol, you can add a redirect
rule to the $INST_TOP/ora/10.1.3/Apache/Apache/conf/custom.conf file.
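One way to write that redirect rule, as an added example that is not text from Oracle's note: it sends any request that arrives on a port other than the SSL port to the equivalent https URL. The host name ebs.example.com and the port 4443 are placeholders for this example; substitute the values of your own s_webhost and s_webssl_port context variables.

```apache
# Added example: force plain-http requests onto the SSL port.
# ebs.example.com and 4443 are placeholders; use your s_webhost / s_webssl_port values.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^4443$
RewriteRule ^/(.*)$ https://ebs.example.com:4443/$1 [R=301,L]
```

Test it with a plain http request before rolling it out: the products and the Help System that still use the http port must then work over https, and browsers cache a 301, so use a plain R (a 302) while you are still able to back the change out.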
Any updates you make to the custom.conf file will be preserved when Autoconfig is run.
Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier
Apache services.
Note: This is a mandatory requirement for Oracle iStore storefront pages when the Web Tier is also SSL
enabled.
Section 4: Database Tier Setup
To enable SSL on the Database Tier you only need to create a wallet. You do not need a server certificate for
this wallet. If you were required to import your ca.crt (and intca.crt if it exists) into the application tier
wallet, you will need to do the same for this wallet.
1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
2. Create a new wallet directory named: wallet
3. Navigate to the newly created wallet directory.
4. Open the Wallet Manager as a background process:
owm &
5. On the Oracle Wallet Manager Menu navigate to Wallet -> New.
Answer NO to: Your default wallet directory doesn't exist. Do you wish to create it now?
The new wallet screen will now prompt you to enter a password for your wallet.
To test that the wallet is properly set up and accessible, login to SQLPLUS as the apps user and execute the
following:
where:
'[address to access]' = the url for your E-Business Suite Rapid Install Portal.
'[proxy address]' = the url of your proxy server, or NULL if not using a proxy server.
'file:[full path to wallet directory]' = the location of your wallet directory (do not specify the actual wallet
files).
The final parameter is the wallet password, which is set to null by default.
Examples:
SQL> select utl_http.request('https://www.oracle.com:4443', 'http://proxy.com:80',
            'file:/d1/oracle/db/tech_st/10.2.0/appsutil/wallet', null) from dual;
SQL> select utl_http.request('https://www.oracle.com:4443', null,
            'file:/d1/oracle/db/tech_st/10.2.0/appsutil/wallet', null) from dual;
If the wallet has been properly set up, you will be returned the first 2,000 characters of the html page.
Note: Oracle Database 11g Release 2 (11.2) and Oracle Database 12c enables Oracle Real Application
Clusters (RAC) nodes to share a wallet. This eliminates the need to manually copy and synchronize the
wallet across all nodes. The wallet can be created on a shared file system, allowing all instances to access
the same shared wallet. If you are not using a shared file system to store the wallet, you need to copy the
wallet to all nodes. This also applies to advanced database security features for which you may already be
using a wallet, such as Transparent Data Encryption.
Section 5: Advanced SSL Setup
The instructions in this section are for the Oracle Application Server.
OC4J supports SSL communication between Oracle HTTP Server and OC4J using AJPS, the secure version of the
Apache JServ Protocol (AJP), which is the protocol Oracle HTTP Server uses to communicate with OC4J.
Note: The AJPS protocol used between Oracle HTTP Server and OC4J is not visible to the end user.
There are 3 certificate options available when creating your keystore for the Advanced SSL
Configuration:
1. Self-Signed Certificates
Self-signed certificates are appropriate to use for testing the Advanced SSL configurations. These are
sometimes also used for Advanced SSL Configuration in a production environment where you are
effectively your own client. Be sure you understand the limitations of self-signed certificates when using
them in any environment.
2. Certificates signed by the OracleAS Certificate Authority (see Section 8) .
These certificates were designed to be used within your Oracle Application Server environment.
3. Certificates signed by a Certificate Authority such as Verisign, Thawte, etc.
These certificates are appropriate for use in any environment and provide the highest level of security.
Some steps will be slightly different if you are using Self-Signed Certificates. When a step contains a section for
both Self-Signed Certificates and Certificates Signed by a Certificate Authority (including the OracleAS Certificate
Authority, VeriSign, Thawte, etc.) be sure to follow the steps in the appropriate section.
1. Logon to the application tier as the OS user who owns the application tier files.
2. Source your application tier environment file (APPS<sid_machine>.env) located in the APPL_TOP
directory.
3. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3
ORACLE_HOME variables.
Note: When working with wallets and certificates you must use the 10.1.3 executables.
Note: Unless you have changed the default settings this should be the same directory as $INST_TOP/certs
which we will use in subsequent steps to identify this directory. This directory defines the location where
private keys and certificate files are stored.
2. Create a new directory with the name j2ee and then change to this directory.
$ mkdir j2ee
$ cd j2ee
3. Determine the values for the following parameters which will be used when you create the keystore for
your instance:
Parameter Value
4. Create your keystore by entering the following command all on one line, substituting the appropriate
parameters (in bold) for your instance:
Note: We are using OU=JKS to distinguish this certificate from the Apache certificate. Since we have not
specified an alias, the default alias "mykey" will be used.
A. Self-Signed Certificates
This step is not applicable for self-signed certificates. If using self-signed certificates proceed to
Step 4.
B. Certificates Signed by a Certificate Authority
To generate a certificate request enter the following command all on 1 line substituting the
appropriate parameters (in bold) for your instance:
Note: If you are using Thawte as your Certificate Authority you should check the box:
"PKCS #7 - Select this option for servers that use Java JDK keystore - including Tomcat and Jetty."
When you receive your signed certificate copy it to this directory ($INST_TOP/certs/j2ee) as jks_server.crt
along with the Certificate Authority's root certificate which should be re-named jks_ca.crt and the Authorities
intermediate certificate (if applicable) which should be renamed jks_intca.crt.
Note: We are naming the certificate jks_server.crt to distinguish it from the Apache server.crt
If you want to create jks_ca.crt and/or jks_intca.crt using your jks_server.crt file you can do so by following the
directions in Section 7: Creating your Certifying Authority's Certificate.
A. Self-Signed Certificates
This step is applicable only if you are using self-signed certificates.
If your certificates were signed by a Certifying Authority continue with Step 4 B.
1. You will not have a signed certficate to add to the keystore. You will sign the
certificate in the keystore using the keytool's selfcert command. Enter the following
all on 1 line substituting the appropriate parameters (in bold) for your instance:
2. After signing the certificate you will need to extract the certificate so it can be
imported into the Apache and OPMN wallets This will be done using the keytool list
command:
Enter "yes" when prompted with: Trust this certificate? [no]: yes
Note: You may not have an intermediate ca certificate. It will depend on the Certifying Authority and
certificate type. If an intermediate ca certificate has been provided then this will also need to be imported
with the root certificate.
We are not specifying an alias when importing jks_server.crt. The default alias "mykey" will be used. (This
is because the -dname on the certificate matches the -dname on the key generated when the keystore was
created.)
You can use either of the following commands to see the contents of your keystore.
The -list command by default prints the MD5 fingerprint of a certificate. If the -v
option is specified, the certificate is printed in human-readable format:
If you used a different Certificate Authority for your Apache Wallet than for the j2ee Java Keystore, you
will need to import the Apache Wallet's root CA certificate into the keystore so that it is recognized as a
trusted Certifying Authority. If this is not done, you will get handshake errors. To import the certificate
for a Certifying Authority into your keystore:
1. Copy the $INST_TOP/certs/Apache/ca.crt file to the $INST_TOP/certs/j2ee directory.
2. Use the keytool import command to add ca.crt to the keystore:
Enter "yes" when prompted with: Trust this certificate? [no]: yes
Step 5 - Add the Keystore CA Certificates to the Apache and OPMN Wallets (conditional)
This step is only necessary if you have used self-signed certificates to create the keystore OR you used different
Certifying Authorities for the keystore and Apache Wallet.
Use the E-Business Suite - Oracle Applications Manager (OAM) Context Editor to change the SSL
related variables as shown in this table:
Variable      Non-SSL Value   Advanced SSL Value
s_oc4j_ssl    off             on
If you have upgraded to Release 12.1 by applying the 12.1 patchset to a previous release you will need to
delete the following files so that the new versions will be instantiated when autoconfig is run. If you have made
any customizations to these files (custom user credentials, etc) be sure to back the files up before deleting so
you can re-add your customizations to the new files.
$ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config/system-jazn-data.xml
$ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml
$ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config/system-jazn-data.xml
Note: Deleting these 3 files is not necessary if you used the 12.1 Rapid Install.
1. Use the adstpall.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory to stop all services.
2. Run autoconfig using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.
3. Update the newly instantiated files with your previous customizations if required.
<user>
  <name>oc4jkeystoreadmin</name>
  <display-name>OC4J keystore admin user</display-name>
  <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
  <description>E-Business OC4J keystore admin user</description>
  <credentials>{903}Gfqv+nvfuUrfiQpcW7XcpptrOknyC0nj</credentials>
</user>
where password = the password you assigned when you created your keystore. Be sure to include
the !.
This will encrypt the password the next time the service is started.
Example:
<user>
  <name>oc4jstore</name>
  <display-name>OC4J keystore admin user</display-name>
  <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
  <description>E-Business OC4J keystore admin user</description>
  <credentials>!password</credentials>
</user>
Advanced SSL Configuration for the Oracle Application Server is now complete. If there are any issues logging
into E-Business Suite or launching Forms these should be resolved before proceeding with Section 10:
Encrypting database network traffic using ANO/ASO which is optional.
Section 6: Converting Existing Certificates
1. Logon to the application tier as the OS user who owns the application tier files.
2. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your
10.1.3 ORACLE_HOME variables.
Note: When working with wallets and certificates you must use the 10.1.3 executables.
If your server certificate was issued by a Certifying Authority other than VeriSign, Entrust, GTE, or RSA Data
Security, you will also need to add that authority's certificate (ca.crt) to the b64InternetCertificate.txt file
located in the 10.1.2 ORACLE_HOME/sysman/config directory:
Section 7: Creating your Certifying Authority's Certificate
1. Copy server.crt to your PC (if necessary) using one of the following methods:
- ftp (in binary mode) ca.crt to your application tier wallet directory
- copy the contents of ca.crt and paste them into a new file in your application tier wallet directory
using a text editor, saving the file as ca.crt
Section 8: Oracle Application Server Certificate Authority
For more information please refer to the Oracle Application Server Certificate Authority 10g White Paper.
Section 9: Disabling Older SSL Protocols and Weak Ciphers
As a result of the increased focus on security, weak ciphers and older protocols such as SSLv3 are gradually
being phased out in favor of more secure protocols such as TLS 1.0 or higher.
1. Review Note 387859.1 - Using AutoConfig to Manage System Configurations in Oracle E-Business Suite, and
be sure you are comfortable with and understand the concepts before proceeding.
2. Review the Note on the SSL V3.0 "Poodle" Vulnerability for background information on the need to disable
SSLv3, and Note 1937646.1 for steps to remove SSLv3 and weak ciphers in Oracle E-Business Suite.
Note: Due to a limitation with the Oracle HTTP Server (OHS) 10g, only TLS 1.0 has been certified. Use of
TLS 1.1 and 1.2 is still pending at this time. Any change in this certification will be updated in this space.
Note: We are currently working on the certification of SHA-2 certificates with the Oracle HTTP Server for
Oracle E-Business Suite Release 12.0 and 12.1. As an option while we are working on this certification, you
may use an alternate technology (ie, a load balancer, reverse proxy, etc) that supports SHA-2 as the
SSL/TLS termination point. Another alternative is to request that your certificate authority issue a SHA-1
certificate.
Depending on your certificate provider, they may not accept MD5 based certificate requests (CSRs) generated by
Oracle Wallet Manager (OWM). For example, VeriSign will now only accept SHA-1 2048 bit based CSRs or
higher. Due to a current limitation in both OWM and orapki, they cannot generate anything other than MD5
based CSRs. The workaround is to use openssl to generate the CSR. An example of this process is provided
here:
1) Generate your CSR using the OWM, as this also creates the key pair, and save the wallet.
2) Use openssl to take the existing wallet and save it as a new PEM format file:
At this point openssl will prompt you for the request attributes. Be sure to enter the same data you entered
when creating the CSR in OWM. Do not specify a 'challenge password', as this has been deemed insecure by
most certifying authorities.
5) Upon receiving your newly issued certificate, you can import it into your wallet using OWM, continuing with
Section 3, Step 5.
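The workaround above, together with the chain requirement from Section 3 (adding server.crt fails unless every CA certificate in its chain, including any intermediate, is already in the wallet), can be exercised end to end with openssl. What follows is an added example, not a command sequence from Oracle's note: it uses a PKCS#12 file created by openssl as a stand-in for ewallet.p12, a throw-away root and intermediate CA in place of your real CA, and made-up subjects and wallet password. It exports the key from the wallet, produces a SHA-256 CSR, has the intermediate issue server.crt, and then shows that validation fails against the root alone (the missing intca.crt case) and succeeds once the intermediate is supplied.

```shell
#!/bin/sh
# Added example (not from Oracle's note 376700.1). Builds a throw-away PKI with
# openssl to show: a SHA-256 CSR produced from the wallet's private key, and the
# chain error you get when the CA's intermediate certificate was never imported.
# Everything here is constructed for the demo: the PKCS#12 "wallet", the CA,
# the subjects and the password.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
WALLET_PASS='demo-wallet-pass'   # assumed wallet password, demo only
SERVER_SUBJ='/C=US/ST=CA/L=Redwood Shores/O=Example Corp/OU=Apache/CN=ebs.example.com'

# 1. Stand-in for ewallet.p12: a PKCS#12 file holding only the server key pair.
#    (A real OWM wallet is PKCS#12 too, so step 2 applies to it unchanged.)
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl pkcs12 -export -nocerts -inkey "$WORK/server.key" \
    -passout "pass:$WALLET_PASS" -out "$WORK/ewallet.p12" 2>/dev/null

# 2. Export the private key from the wallet as PEM (the note's step 2).
openssl pkcs12 -in "$WORK/ewallet.p12" -nocerts -nodes \
    -passin "pass:$WALLET_PASS" -out "$WORK/wallet_key.pem" 2>/dev/null

# 3. Create the CSR with a SHA-256 signature instead of OWM's MD5 one.
#    -subj supplies the DN non-interactively; no challenge password is set.
openssl req -new -sha256 -key "$WORK/wallet_key.pem" -subj "$SERVER_SUBJ" \
    -out "$WORK/server.csr" 2>/dev/null

# Signature algorithm recorded in the CSR (what a CA objects to when it is MD5).
csr_sigalg() {
    openssl req -in "$WORK/server.csr" -noout -text \
        | awk '/Signature Algorithm/ { print $3; exit }'
}

# 4. Stand-in CA: a root that signs an intermediate, and the intermediate that
#    issues server.crt. This is the two-part chain the note describes (ca.crt
#    plus intca.crt); the CA:TRUE extension is what makes intca.crt a CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/O=Example Corp/CN=Example Root CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/O=Example Corp/CN=Example Issuing CA' \
    -keyout "$WORK/intca.key" -out "$WORK/intca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/intca.ext"
openssl x509 -req -sha256 -days 30 -in "$WORK/intca.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/intca.ext" -out "$WORK/intca.crt" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/intca.crt" -CAkey "$WORK/intca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

# Validate server.crt against the root only: the wallet-without-intca.crt case.
verify_root_only() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo MISSING_INTERMEDIATE
    fi
}

# Validate with the intermediate supplied as well: the complete chain.
verify_full_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/intca.crt" \
            "$WORK/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

echo "CSR signature algorithm: $(csr_sigalg)"
echo "root only: $(verify_root_only)   root + intermediate: $(verify_full_chain)"
```

Against a real wallet, replace the constructed ewallet.p12 with yours (step 2 is the only command that touches it) and send the resulting server.csr to the CA; the two verify calls are the same check to run on the files the CA returns before importing them with OWM, with -CAfile pointing at ca.crt and -untrusted at intca.crt.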
Note 1448161.1 How To Produce CSR With A SHA-1 Or Better Signature Algorithm
Note 1275428.1 Support Status for SHA-2 in Oracle Application Server (10.1.2.X.X/10.1.3.X.X) and Fusion
Middleware 11g (11.1.1.X)
Note 1939223.1 Is it Possible to Generate SHA-2 Certificate Signing Requests with Oracle Wallet Manager or
ORAPKI in FMW11g
Section 10: Encrypting Database Network Traffic using ANO/ASO
Note: This configuration is certified for Oracle E-Business Suite using Forms Listener Servlet (the default
mode) on all certified Oracle E-Business Suite platforms (including database only platforms). To view
specific release and platform support, go to Certifications on My Oracle Support and search for Oracle E-
Business Suite certifications against 'Advanced Security' and 'Advanced Networking Option'.
Advanced security encryption can be configured, based on a combination of client and server configuration
parameters as REJECTED, ACCEPTED, REQUESTED or REQUIRED.
The following matrix - taken from the database documentation - shows how a connection attempt will succeed
or fail to provide an encrypted connection with various combinations of the ENCRYPTION variable in the
sqlnet.ora file on client and server.
                                   Client
Server       REJECTED        ACCEPTED    REQUESTED    REQUIRED
ACCEPTED     OFF             OFF         ON           ON
REQUESTED    OFF             ON          ON           ON
REQUIRED     No Connection   ON          ON           ON
Oracle has certified Oracle E-Business Suite Release 12 with the server parameter set to REQUIRED - this
ensures that all Oracle E-Business Suite Release 12 TNS network traffic is being encrypted.
Although ANO/ASO supports a number of different encryption algorithms, the supported algorithms are version
dependent. For Oracle E-Business Suite Release 12 certification the server's preference is set to AES256,
AES192, 3DES168.
Appendix A - Using Network Traffic Encryption contains information on Enabling Trace, Verifying ANO is
Functioning Correctly, and the Types of Encryptions Allowed and Supported.
The remainder of this section will help you enable the encryption in each of the different ORACLE_HOMEs in an
Oracle E-Business Suite Release 12 deployment.
Ensure the 10.1.2 Oracle Home is at patch level 10.1.2.3 before applying CPU Patch 12837860.
1. Upgrade to Oracle Application Server 10.1.2.3 (as detailed in 'Upgrading OracleAS 10g Forms and
Reports in Oracle E-Business Suite Release 12' My Oracle Support Knowledge Document 437878.1).
2. Apply CPU Patch 12837860 to the 10.1.2.3 Oracle Home (as detailed in "Section 3.1.6 Oracle Fusion
Middleware Utilities for Oracle Databases" in "Patch Set Update and Critical Patch Update October 2011"
My Oracle Support Knowledge Document 1346104.1).
Note: No CPU patch needs to be applied to the 10.1.3 Oracle Home used by the Oracle HTTP Server.
1. Run adadmin
2. When the Main Menu appears select 'Maintain Applications Files Menu' and then select 'Relink
Applications Program'.
3. Answer the questions below as follows, in order to select the individual executables for relinking.
$ $ORACLE_HOME/appsutil/scripts/<sid_machine>/addlnctl.sh stop <ORACLE_SID>
Oracle E-Business Suite will be unavailable to users until the remaining tasks in this section
are completed.
$ $ORACLE_HOME/appsutil/scripts/<sid_machine>/addlnctl.sh start <ORACLE_SID>
By default, the Oracle E-Business Suite Release 12 Application Tier installations do not have either
a sqlnet.ora or a sqlnet_ifile.ora file, so we will need to create these. We keep the ANO/ASO directives
in the sqlnet_ifile.ora file to isolate them from any future AutoConfig updates that affect the sqlnet.ora
file.
###############################################################
#
# sqlnet.ora file for application tier sqlnet encryption with Advanced
# SSL Configuration
#
###############################################################
IFILE = <full path to TNS_ADMIN>/sqlnet_ifile.ora
Use the editor of your choice to create the sqlnet_ifile.ora file with the following lines:
###############################################################
#
# sqlnet_ifile.ora for application tier sqlnet encryption with
# Advanced SSL Configuration
#
###############################################################
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256, AES192, 3DES168)
SQLNET.ENCRYPTION_CLIENT=REQUIRED
Use the E-Business Suite - Oracle Applications Manager (OAM) Context Editor to change the SSL
related variables on each application tier server as shown in this table:
Variable               Non-SSL Value   Advanced SSL Value
s_custom_dbc_params                    ENCRYPTION_CLIENT=REQUIRED
                                       ENCRYPTION_TYPES_CLIENT=(3DES168)
Note: This step sets the configuration for JDBC client connections and is optional. If the value is not set,
and the parameter on the database tier is set to REQUIRED, the JDBC client connection value will be
ACCEPTED (which is the default value). As long as an encryption or integrity algorithm match is found, the
connection will continue without error and the security service will remain enabled.
If you updated the context file in Step 4 you now need to run autoconfig on each application tier server:
Tracing can both help verify that encryption is active and help diagnose the cause of any errors.
TRACE_LEVEL_SERVER can be set to the level of tracing required. The TNS Listener must be restarted for the
trace setting to take effect.
To enable tracing, the following parameters should be added to the sqlnet.ora file:
TRACE_DIRECTORY_SERVER= <a directory to which the OS user running the listener can write>
TRACE_LEVEL_SERVER= 16
TRACE_UNIQUE_SERVER= ON
Note: tracing at this level generates many large files in the trace directory. You should only run in tracing
mode while verifying that encryption takes place. Once satisfied that TNS traffic is indeed encrypted,
comment out (or remove) the lines relating to tracing from the sqlnet.ora file and restart the TNS listener.
After enabling tracing, check the trace files in the appropriate directories to verify that ANO functionality
is in use:
In the trace directory you will see a number of trace files with names such as svr_NNNNN.trc.
....
na_tns: authentication is not active
na_tns: encryption is active, using 3DES168
na_tns: exit
....
If you have not defined a tnsnav.ora file, then the following message will appear in the sqlnet trace (.trc)
file and can be safely ignored:
Some of the trace files are small (approximately 3kb) and do not contain any information
concerning enabled encryption. These files are generated for connections that originate from the
database and do not traverse the network. These files will be generated even when only the
database and its listener are running.
$ cd $TNS_ADMIN/../../trace
Other files are larger, some quite large, and they will contain "encryption is active, using
CRYPTOALGORITHM..." messages.
$ cd $TNS_ADMIN/trace
$ ls -ltr | tail -3
-rw-r--r-- 1 oracle dba 28427064 Sep 24 14:20 svr_11547.trc
-rw-r--r-- 1 oracle dba 70609051 Sep 24 14:20 svr_29270.trc
-rw-r--r-- 1 oracle dba 763726186 Sep 24 14:20 svr_29144.trc
The connections using AES256 are generated by the executables linked to the OCI C libraries
(sqlplus, FNDLIBR, RCVOLTM,...) and the 3DES168 connections originate from the connections via
the JDBC interface.
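The check above can be scripted. The following is an added example, not part of this document: it scans the "na_tns:" lines of svr_NNNNN.trc files, reports which algorithm each network session negotiated, flags anything outside the certified server preference (AES256, AES192, 3DES168), and treats files with no na_tns lines as the small local-session traces described above. The sample trace text is constructed from the excerpt in this appendix; the "encryption is not active" form is assumed by analogy with the "authentication is not active" line.

```python
"""Summarise Advanced Security encryption state from sqlnet server traces.

Added illustration, not Oracle code. Input: the text of one svr_NNNNN.trc
file (or a directory of them) written with TRACE_LEVEL_SERVER=16.
"""
import re
from pathlib import Path

# Certified Oracle E-Business Suite Release 12 server preference from this document.
ALLOWED = ("AES256", "AES192", "3DES168")

ACTIVE_RE = re.compile(r"na_tns: encryption is active, using (\S+)")
# Assumed wording, by analogy with "na_tns: authentication is not active".
INACTIVE_RE = re.compile(r"na_tns: encryption is not active")


def check_trace(text, allowed=ALLOWED):
    """Classify one trace file's text.

    Returns a dict: encrypted (any active line seen), algorithms (distinct
    names negotiated), unexpected (those not in `allowed`), inactive (count of
    explicit "not active" lines) and local (no na_tns lines at all, i.e. a
    session that never traversed the network, as the small ~3kb files do).
    """
    algs = ACTIVE_RE.findall(text)
    inactive = len(INACTIVE_RE.findall(text))
    return {
        "encrypted": bool(algs),
        "algorithms": sorted(set(algs)),
        "unexpected": sorted(a for a in set(algs) if a not in allowed),
        "inactive": inactive,
        "local": not algs and inactive == 0 and "na_tns:" not in text,
    }


def check_trace_dir(trace_dir, allowed=ALLOWED, pattern="svr_*.trc"):
    """Apply check_trace to every server trace file under trace_dir."""
    return {p.name: check_trace(p.read_text(errors="replace"), allowed)
            for p in sorted(Path(trace_dir).glob(pattern))}


# Constructed sample traces modelled on the excerpt above (not real files).
SAMPLE_OCI = ("....\nna_tns: authentication is not active\n"
              "na_tns: encryption is active, using AES256\nna_tns: exit\n....\n")
SAMPLE_JDBC = "na_tns: encryption is active, using 3DES168\nna_tns: exit\n"
SAMPLE_LOCAL = "nsglhfr: entry\nnsglhfr: exit\n"   # local session, no network leg
SAMPLE_WEAK = "na_tns: encryption is active, using RC4_40\nna_tns: exit\n"
```

Run check_trace_dir("$TNS_ADMIN/trace") after a few user sessions have connected; any file reporting unexpected algorithms or a non-zero inactive count means a client is not honouring the REQUIRED configuration.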
The following section - based on the Oracle Database documentation - describes how the selection of
encryption algorithms is performed on a per-connection basis. You do not have to use this information,
you can instead simply use the configuration examples provided earlier in this document. However, you
will have to create your own configuration files if you wish to use different algorithms or have third party
tools that do not support encryption.
In any network connection, it is possible for both the client and server to each support more than one
encryption algorithm and more than one integrity algorithm. When a connection is made, the server
selects which algorithm to use, if any, from those algorithms specified in its sqlnet.ora file.
The server searches for a match between the algorithms available on both the client and the server, and
picks the first algorithm in its own list that also appears in the client list. If one side of the connection
does not specify an algorithm list, all the algorithms installed on that side are acceptable. The connection
fails with error message ORA-12650 if either side specifies an algorithm that is not installed.
Encryption and integrity parameters are defined by modifying the sqlnet.ora file on the clients and the
servers on the network.
You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms
and either or both of the available integrity algorithms. Only one encryption algorithm and one integrity
algorithm is used for each connect session.
Note: Advanced Security selects the first encryption algorithm and first integrity algorithm enabled on the
client and the server. Oracle recommends that you select algorithms and key lengths in the order in which
you prefer negotiation - ideally with the strongest key length first.
To negotiate whether to turn on encryption or integrity, you can specify four possible values for
the Oracle Advanced Security encryption and integrity configuration parameters. The four values
are listed in the order of increasing security. The value REJECTED provides the minimum amount
of security between client and server communications, and the value REQUIRED provides the
maximum amount of network security:
REJECTED
ACCEPTED
REQUESTED
REQUIRED
REJECTED
Select this value if you do not elect to enable the security service, even if required by the other
side.
In this scenario, this side of the connection specifies that the security service is not permitted. If
the other side is set to REQUIRED, the connection terminates with error message ORA-12650. If
the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection continues without
error and without the security service enabled.
ACCEPTED
Select this value to enable the security service if required or requested by the other side.
In this scenario, this side of the connection does not require the security service, but it is enabled
if the other side is set to REQUIRED or REQUESTED. If the other side is set to REQUIRED or
REQUESTED, and an encryption or integrity algorithm match is found, the connection continues
without error and with the security service enabled. If the other side is set to REQUIRED and no
algorithm match is found, the connection terminates with error message ORA-12650.
If the other side is set to REQUESTED and no algorithm match is found, or if the other
side is set to ACCEPTED or REJECTED, the connection continues without error and
without the security service enabled.
REQUESTED
Select this value to enable the security service if the other side permits it.
In this scenario, this side of the connection specifies that the security service is desired but not
required. The security service is enabled if the other side specifies ACCEPTED, REQUESTED, or
REQUIRED. There must be a matching algorithm available on the other side otherwise the service
is not enabled. If the other side specifies REQUIRED and there is no matching algorithm, the
connection fails.
REQUIRED
Select this value to enable the security service or preclude the connection.
In this scenario, this side of the connection specifies that the security service must be enabled.
The connection fails if the other side specifies REJECTED or if there is no compatible algorithm on
the other side.
The following table shows whether the security service is enabled, based on a combination of
client and server configuration parameters. If either the server or client has specified REQUIRED,
the lack of a common algorithm causes the connection to fail. Otherwise, if the service is enabled,
lack of a common service algorithm results in the service being disabled.
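The negotiation rules above can be worked through in code. The following is an added example, not Oracle's implementation: it applies the four parameter values and the server-side first-match selection described in this section to sample sqlnet.ora settings, and rebuilds the server-by-client table for any pair of algorithm lists. The INSTALLED set is an assumption standing in for what the adapters command reports.

```python
"""Model of Oracle Advanced Security (ANO/ASO) encryption negotiation.

Added illustration, not Oracle's code: it applies the rules this document
states (REJECTED/ACCEPTED/REQUESTED/REQUIRED, server-side first-match
selection, ORA-12650 when no common algorithm) to sample sqlnet.ora values.
"""
MODES = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

# Assumed set of installed algorithms; a real ORACLE_HOME reports its own
# list through $ORACLE_HOME/bin/adapters (see Appendix A).
INSTALLED = ("AES256", "AES192", "AES128", "3DES168", "3DES112", "RC4_256")


def negotiate(server_mode, client_mode, server_types=None, client_types=None,
              installed=INSTALLED):
    """Return ("ON", algorithm), ("OFF", None) or ("FAIL", "ORA-12650").

    server_types / client_types model SQLNET.ENCRYPTION_TYPES_SERVER/CLIENT;
    None means the parameter is absent, so every installed algorithm is acceptable.
    """
    if server_mode not in MODES or client_mode not in MODES:
        raise ValueError("mode must be one of %s" % (MODES,))
    server_list = list(server_types if server_types is not None else installed)
    client_list = list(client_types if client_types is not None else installed)
    # A side that lists an algorithm it does not have installed fails the connection.
    if any(a not in installed for a in server_list + client_list):
        return ("FAIL", "ORA-12650")
    modes = (server_mode, client_mode)
    # REJECTED never enables the service; against REQUIRED the connection fails.
    if "REJECTED" in modes:
        return ("FAIL", "ORA-12650") if "REQUIRED" in modes else ("OFF", None)
    # Two ACCEPTED sides: neither asks for the service, so it stays off.
    if modes == ("ACCEPTED", "ACCEPTED"):
        return ("OFF", None)
    # Otherwise the server takes the first entry of its own list that the
    # client also lists, so server order expresses preference.
    match = next((a for a in server_list if a in client_list), None)
    if match is not None:
        return ("ON", match)
    # No common algorithm: fatal if either side REQUIRED it, silently off otherwise.
    return ("FAIL", "ORA-12650") if "REQUIRED" in modes else ("OFF", None)


def matrix(server_types=None, client_types=None):
    """Rebuild the document's server-by-client table: ON, OFF or FAIL per cell."""
    return {s: {c: negotiate(s, c, server_types, client_types)[0] for c in MODES}
            for s in MODES}
```

With the certified server list (AES256, AES192, 3DES168) and the server set to REQUIRED, an OCI client carrying the same list negotiates AES256 and a JDBC client restricted to (3DES168) negotiates 3DES168, which is exactly the split seen in the trace files in Appendix A.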
Displaying the encryption options available from the Tools and Database ORACLE_HOME
After setting your environment to either the Tools or Database ORACLE_HOME using the "adapters"
command:
$ . $ORACLE_HOME/bin/adapters
This will display a list of the encryption options available for the following:
1. Refer to Step 8 and use the E-Business Suite - Oracle Applications Manager (OAM) Context Editor and
change the context variables to the Non-SSL Value noted in the table.
2. Run AutoConfig.
3. Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application
Tier Apache services.
Change Log
Date               Description
April 2, 2015      Added clarification for support of TLS 1.1 and 1.2.
October 23, 2014   Updated Section 9 with information on disabling older SSL protocols
June 10, 2014      Published revised document to include all remaining comments, and all format and grammatical changes.
Dec 18, 2013       Added a forward reference to the SSL document for R12.2
Nov 14, 2011       Certification specific details on DB ANO/ASO feature have been removed
Aug 12, 2010       Added Section 9 - Disabling SSL v2 and Weak Ciphers
Dec 23, 2008       Processed remarks and added Certificate Provisioning for XML Publisher or Business Intelligence Publisher.
Oct 4, 2007        Added note that use of the Forms Server Listener with ConnectMode=https is not supported.