Tuesday, November 6, 2012

Configuring SSL [HTTPS] on OHS in fusion applications

Configuring SSL [HTTPS] on OHS in Fusion Applications with OpenSSL and Oracle Wallet Manager

To enable HTTPS [an encrypted connection between the client and the server] for Fusion Applications we need a vendor SSL root CA certificate [from VeriSign etc.], or we can create our own root certificate using OpenSSL.
Once the root CA is created we need to sign the user certificate with the root CA, place the root CA and the user certificate in the wallet, and link the wallet to the OHS in Fusion Applications to enable HTTPS.

First we need to create a new empty wallet with the certificate request.

Creating the wallet using OWM [Oracle Wallet Manager]

The empty wallet can be created with the GUI tool known as OWM, or with orapki on the command line.
Here we are using OWM to create the Oracle wallet.

The location of OWM in Fusion Applications is /base path/products/dbclient/bin/owm

Step 1
Start the OWM


Step 2

Select Wallet and click New to create a new wallet.


Step 3

Click Yes to proceed and choose the location for creating the wallet.


Step 4

There are two types of wallet we can create:
[1] Standard [PKCS#12]
[2] PKCS#11
The standard wallet [PKCS#12]: credentials are stored in the file system; this is the type we use for Fusion Applications.
PKCS#11: credentials are stored in a hardware security module for servers, or in private keys on tokens for clients.
We select the standard wallet for Fusion Applications.
Provide the password according to the conditions displayed.
Step 5
Click No, as we can create the certificate request later.


Once we click No, the new empty wallet is created without a root CA trusted certificate or a user certificate; we now need to create a certificate request for the user certificate.


Step 6

Creating a new certificate request in the wallet
Click Certificate [Empty], select Add Certificate Request, fill in the details for your organization and save the certificate request. Select a key size of 4096 for a strong key.



Save the wallet under /basepath/config/CommonDomain_webtier/config/OHS/ohs1/keystores/<wallet directory name>


Step 7

Export the certificate request to a file.
Give the file name and click Save.


Now you will see three files inside the wallet directory:

[oracle@fah]$ ls
cwallet.sso  ewallet.p12  user_certificate_request.req

Once the certificate request is created we need a root authority to sign this certificate. We can get the root CA from a vendor, or we can create the root CA with OpenSSL.
Here we are creating the root CA with OpenSSL.


Creating the root CA with OpenSSL

Step 1
Creating the private key using openssl

Syntax: openssl genrsa -out <private_key_file> <keysize>

[oracle@fah]$ openssl genrsa  -out fa_privkey.prm  4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................++
.......................................................................++
e is 65537 (0x10001)

Step 2

Create the root certificate with the private key
Syntax: openssl req -new -x509 -keyout <private key file name> -out <certificate name> -days <number of days the cert lives>

[oracle@fah]$ openssl req -new -x509 -keyout fa_privkey.pem -out fa_root_cert.pem -days 3650
Generating a 1024 bit RSA private key
............++++++
...++++++
writing new private key to 'fa_privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []
Email Address []:palaneandavar@alshirawi.ae
[oracle@fah]$

Legend
Country Name              [two-letter country code for your country]
State or Province Name    [name of the state or province where the company is located]
Locality Name             [city or locality]
Organization Name         [company name]
Common Name               [any name, e.g. companyname_rootca]
Email Address             [email id]
x509                      [X.509 is the ITU-T standard for public key infrastructure (PKI) and privilege management infrastructure]
keyout                    [the file name that will contain the key]

Step 3

Creating the user certificate and signing it with the root CA

Syntax: openssl x509 -req -in <certificate request file> -CA <root_ca certificate> -CAkey <private key> -CAcreateserial -out <user_certificate_name>


[oracle@fahtestdb alshirawi]$ openssl x509 -req -in user_certificate_request.req -CA fa_root_cert.pem -CAkey fa_privkey.pem -CAcreateserial -out usersert.pem
Signature ok
subject=/CN=*.<domain_name>/OU= <organizational unit >/O=<organazatation>/L=<location>/C=AE
Getting CA Private Key
Enter pass phrase for fa_privkey.pem:
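The three OpenSSL steps above as a non-interactive script, with a chain check before the certificates go into the wallet; this is an added example, not the original post's commands. It assumes the post's file names, a constructed scratch directory, and constructed subject values (Example Co, examplecompany_rootca, *.example.test), and it generates the CSR with openssl (user_key.pem) in place of the request exported from OWM. It passes the step-1 key with -key, because -keyout on its own makes openssl generate a fresh key, which is why the post's output shows "Generating a 1024 bit RSA private key".

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive version of the
# three OpenSSL steps, plus a check before the certs go into the wallet.
# Assumptions: file names from the post; $1 is a constructed scratch dir;
# the CSR is generated here with openssl instead of being exported from OWM.
set -eu

# Steps 1 and 2: 4096-bit CA key and self-signed root certificate.
# The post's command uses -keyout, which makes "req" generate a NEW key
# (its output shows "Generating a 1024 bit RSA private key"); -key reuses
# the 4096-bit key from step 1 instead.
make_root_ca() {
    openssl genrsa -out "$1/fa_privkey.pem" 4096 2>/dev/null
    openssl req -new -x509 -key "$1/fa_privkey.pem" \
        -out "$1/fa_root_cert.pem" -days 3650 \
        -subj "/C=AE/O=Example Co/CN=examplecompany_rootca" 2>/dev/null
}

# Stand-in for user_certificate_request.req exported from OWM (step 7).
make_csr() {
    openssl req -new -newkey rsa:4096 -nodes -keyout "$1/user_key.pem" \
        -out "$1/user_certificate_request.req" \
        -subj "/C=AE/O=Example Co/CN=*.example.test" 2>/dev/null
}

# Step 3: sign the request with the root CA. The post omits -days, so
# openssl's default validity (30 days) would apply; one year is set here.
sign_user_cert() {
    openssl x509 -req -in "$1/user_certificate_request.req" \
        -CA "$1/fa_root_cert.pem" -CAkey "$1/fa_privkey.pem" \
        -CAcreateserial -days 365 -out "$1/usercert.pem" 2>/dev/null
}

# Check: the signed cert must chain to the root. Prints "<path>: OK".
verify_chain() {
    openssl verify -CAfile "$1/fa_root_cert.pem" "$1/usercert.pem"
}

# Key size in bits of a certificate's public key (should be 4096 here).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

if [ "${1:-}" = "run" ]; then
    WORK=$(mktemp -d)
    make_root_ca "$WORK"; make_csr "$WORK"; sign_user_cert "$WORK"
    verify_chain "$WORK"
    echo "user cert key size: $(cert_key_bits "$WORK/usercert.pem") bits"
fi
```

Run it as `sh make_certs.sh run`; the verify line prints the certificate path followed by ": OK" when the user certificate chains to the root.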

IMPORTING THE ROOT CA AND USER CERTIFICATE INTO THE WALLET

Step 1

Import the root CA into the wallet
Navigate to Operations and select Import Trusted Certificate to import the root CA.


Step 2
Select the location where the root CA cert is stored and import it.

Click OK and select the file from that location to import it into the wallet.


Step 3
Now you can see the root certificate has been imported into the wallet.

Step 4
Import the user certificate into the wallet
Click OK and select the file from its location to import it into the wallet.


Step 5
Save the wallet with the Auto Login option.



CONFIGURE THE NEW WALLET WITH OHS IN FUSION APPLICATIONS


The OHS server configuration files are located in <basepath>/config/CommonDomain_webtier/config/OHS/ohs1/. In Fusion Applications there are two files:
[1] ssl.conf
[2] FusionSSL.conf
We need to add the location of the new wallet in these files for it to take effect.

Edit FusionSSL.conf and modify the location of the wallet:

#Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/<your wallet folder>"

Edit ssl.conf:

#Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/<your wallet folder location>"

your wallet folder location = the name of the folder where the new wallet is stored; the default location is
<basepath>/config/CommonDomain_webtier/config/OHS/ohs1/keystores

Finally, import the root CA on the end users' desktops and place it under the trusted root authorities. Firefox is the recommended browser for Fusion Applications.

NOTE: Place the root CA in the trusted root authorities store of the browsers.

