1. Creating wallet
Surce run edition environemnt variable
$ source EBSapps.env run
Navigate to s_web_ssl_directory/Apache, If not create the the directory
cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs
mkdir Apache
Create an Auto-Login Wallet on Apache directory
cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache
$ orapki wallet create -wallet ./ -auto_login_only
Create a Certificate Request
cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache
$ orapki wallet add -wallet ./ -dn 'CN=devoracleebs@nsb.local' -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3650 -auto_login_only
2. Modify the Oracle HTTP Server Wallet
Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default
cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/keystores/default
cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
Copy wallet into $EBS_DOMAIN_HOME/opmn/<s_ohs_instance_loc>/<s_ohs_component>/wallet
cd /finsys/DEVEGL/fs1/FMW_Home/user_projects/domains/EBS_domain_DEVEGL/opmn/EBS_web_DEVEGL_OHS1/EBS_web_DEVEGL/wallet
cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
Copy wallet into $EBS_DOMAIN_HOME/opmn/<s_ohs_instance_loc>/wallet
cd /finsys/DEVEGL/fs1/FMW_Home/user_projects/domains/EBS_domain_DEVEGL/opmn/EBS_web_DEVEGL_OHS1/wallet
cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/proxy-wallet
cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/proxy-wallet
cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OPMN/opmn/wallet
cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/wallet
cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
3. Configure Protocol and Cipher Suite for FMW Internal Communication
shutdown all services
./adstpall apps/apps
Edit opmn.xml from $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OPMN/opmn
vi /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/opmn.xml
change
<ssl enabled="true"
wallet-file="<path to the wallet file>"/>
to
<ssl enabled="true"
wallet-file="/finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"
ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>
Edit admin.conf from $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>
vi /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/admin.conf
change
SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA
SSLProtocol nzos_Version_1_0 nzos_Version_3_0
to
SSLCipherSuite HIGH:MEDIUM
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
4. Update the Context File and Config Files
Start Application services
cd $ADMIN_SCRIPT_HOME
./adstrtall apps/apps
Login to Fusion Middlewere EM console via http://<host_name>:<port>/em
http://192.168.133.10:7021/em
Select web tier target under the EBS domain
Navigate to Administration, then Advanced Configuration
Select ssl.conf file for edit
Update the Listen and the VirtualHost default port as follows
change
Listen 4463 to Listen 4443
VirtualHost _default_:4463
to
Listen 4443
VirtualHost _default_:4443
change
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
to
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
SSLCipherSuite HIGH:MEDIUM
Click on Apply
Run following command to propagate the changes made through the FMW console to the context file
$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:
./adstrtall apps/apps
Review the adSyncContext.log for the changes that have been picked up and made to the context file
Edit Application contex file as per below
$vi $CONTEXT_FILE
change
<url_protocol oa_var="s_url_protocol">http</url_protocol>
to
<url_protocol oa_var="s_url_protocol">https</url_protocol>
change
<local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
to
<local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
change
<webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
to
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
change
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8020</activewebport>
to
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">4443</activewebport>
change
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
to
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
change
<httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
to
<httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
change
<login_page oa_var="s_login_page">http://devoracleebs.nsb.local:8020/OA_HTML/AppsLogin</login_page>
to
<login_page oa_var="s_login_page">https://devoracleebs.nsb.local:4443/OA_HTML/AppsLogin</login_page>
change
<externURL oa_var="s_external_url">http://devoracleebs.nsb.local:8020</externURL>
to
<externURL oa_var="s_external_url">https://devoracleebs.nsb.local:4443</externURL>
5. Run Autoconfig on application tier
cd $ADMIN_SCRIPT_HOME
adautocfg.sh
6. Re-start Application tier services
cd $ADMIN_SCRIPT_HOME
./adstpall.sh apps/apps
./adstrtal.sh apps/apps
7. Access the system via following URL
https://devoracleebs.nsb.local:4443/OA_HTML/AppsLocalLogin.jsp
Enable TLS for WLS AdminServer
1. Setup a WebLogic Server Identity Keystore
Surce run edition environemnt variable
$ source EBSapps.env run
set an alias for orapki in order to pickup the executable from the $FMW_HOME and not the one under the 10.1.2 home
$ alias orapki=$FMW_HOME/oracle_common/bin/orapki
Create following directories
mkdir /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts -p
Copy wallet file into newly created directory
cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts
Copy following to newly created directory
cp /finsys/DEVEGL/fs1/EBSapps/comn/util/jdk64/jre/lib/security/cacerts /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts
2. Convert the Oracle Wallet to a JKS Keystore
Change directory to wlsSSLArtifacts
cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts
Run the orapki command
orapki wallet pkcs12_to_jks -wallet ./ -jksKeyStoreLoc ./ewallet.jks -jksKeyStorepwd Ebs#1234
The ewallet.jks file will be generate. Extract alias using following command and note down the alias
keytool -list -keystore ewallet.jks -v
3. Configure SSL on WLS
Take a backup of $EBS_DOMAIN_HOME/config/config.xml file
Use the adstpall.sh script to stop everything on the run file system and start only admin server
cd $ADMIN_SCRIPT_HOME
adstpall.sh
./adadminsrvctl.sh start
login to the admin console via http://192.168.133.10:7021/console
In the WebLogic Server Administration console, under the Domain Configuration, click on Environment and Servers
Click Lock & Edit
Click on the AdminServer to configure
Under the Configuration tab, click on the Keystores sub-tab
Click Change next to the Keystores setting
Select the Custom Identity and Custom Trust option and click Save
Enter the identity details
For example:
Custom Identity Keystore: /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts/ewallet.jks
Custom Identity Keystore Type: JKS (This must be in uppercase.)
Custom Identity Keystore Passphrase: This must match the password used from the orapki command previously in Step 2. Ebs#1234
Confirm Custom Identity Keystore Passphrase
Enter the trust information
For example:
Custom Trust Keystore: /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts/cacerts
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: Enter the cacerts keystore password. See The cacerts Certificates File, keytool. initial password is changeit
Confirm Custom Trust Keystore Passphrase: Confirm the cacerts keystore password
Click Save
Click the SSL tab
Enter the identity details
For example:
Private Key Alias: orakey. This would correspond to the alias extracted from the keystore previously in Step 2.
Private Key Passphrase: This must match the password used from the orapki command previously in Step 2. Ebs#1234
Confirm Private Key Passphrase
Click Save
Click the General tab
Select SSL Listen Port Enabled check box
Enter the SSL Listen Port
Note: The SSL Listen Port base values are available through the context variable s_wls_admin_sslport. Based on the server type, you need to choose the corresponding port value for the SSL Listen Port. You need to manually calculate SSL Listen Port value. For simplicity, the default SSL Listen port value is 1 prefixed with the server default Non SSL Listen port value.
For example, for port pool 0, the AdminServer Non SSL Listen port is 7001, so the AdminServer SSL Listen port will be 17001. 17021
Click Save
Select the SSL tab
Select the Advanced option and then perform the following
Set the Hostname Verification to Custom Hostname Verifier and the Custom Hostname Verifier field to weblogic.security.utils.SSLWLSWildcardHostnameVerifier
Click Save
Click Activate Changes
Post-Configuration Tasks
Restart everything including the Admin and Managed Servers using the adstpall.sh and adstrtal.sh
./adstpall.sh
./adstrtal.sh
Sync Changes to the Context File
perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
following changes will be reflect in contex file.
s_custom_trustKeyStoreFile - complete path of trust keystore
s_wls_admin_sslEnabled - true
s_wls_admin_sslport - AdminServer SSL port.
In the case where these listed context variables are not already populated, restart the middle tier services and re-run the following command:
$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE