Thursday, March 9, 2023

Configure SSL on Oracle E-Business Suite 12.2 using Self-Signed Certificate

1. Creating wallet

  1. Surce run edition environemnt variable

    2. $ source EBSapps.env run

  2. Navigate to s_web_ssl_directory/Apache, If not create the the directory

    3. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs
    mkdir Apache

  3. Create an Auto-Login Wallet on Apache directory

    4. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache
    $ orapki wallet create -wallet ./ -auto_login_only

  4. Create a Certificate Request

    5. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache
    $ orapki wallet add -wallet ./ -dn 'CN=devoracleebs@nsb.local' -asym_alg RSA -keysize 2048 -sign_alg sha256 -self_signed -validity 3650 -auto_login_only
2. Modify the Oracle HTTP Server Wallet

  1. Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default

    2. cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/keystores/default
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso  .

  2. Copy wallet into $EBS_DOMAIN_HOME/opmn/<s_ohs_instance_loc>/<s_ohs_component>/wallet

    3. cd /finsys/DEVEGL/fs1/FMW_Home/user_projects/domains/EBS_domain_DEVEGL/opmn/EBS_web_DEVEGL_OHS1/EBS_web_DEVEGL/wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .

  3. Copy wallet into $EBS_DOMAIN_HOME/opmn/<s_ohs_instance_loc>/wallet

    4. cd /finsys/DEVEGL/fs1/FMW_Home/user_projects/domains/EBS_domain_DEVEGL/opmn/EBS_web_DEVEGL_OHS1/wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .

  4. Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/proxy-wallet

    5. cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/proxy-wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .

  5. Copy wallet into $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OPMN/opmn/wallet

    6. cd /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/wallet
    cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso .
3. Configure Protocol and Cipher Suite for FMW Internal Communication

  1. shutdown all services

    2. ./adstpall apps/apps

  2. Edit opmn.xml from $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OPMN/opmn

    3. vi /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/opmn.xml
    change
<ssl enabled="true"
     wallet-file="<path to the wallet file>"/>

to
<ssl enabled="true"
    wallet-file="/finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"
ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>

  3. Edit admin.conf from $FMW_HOME/webtier/instances/<s_ohs_instance_loc>/config/OHS/<s_ohs_component>

    4. vi /finsys/DEVEGL/fs1/FMW_Home/webtier/instances/EBS_web_DEVEGL_OHS1/config/OHS/EBS_web_DEVEGL/admin.conf
    change
SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA
SSLProtocol nzos_Version_1_0 nzos_Version_3_0

to
SSLCipherSuite HIGH:MEDIUM
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
4. Update the Context File and Config Files

  1. Start Application services

    2. cd $ADMIN_SCRIPT_HOME
./adstrtall apps/apps

  2. Login to Fusion Middlewere EM console via http://<host_name>:<port>/em

    3. http://192.168.133.10:7021/em

  3. Select web tier target under the EBS domain

  4. Navigate to Administration, then Advanced Configuration

  5. Select ssl.conf file for edit

  6. Update the Listen and the VirtualHost default port as follows 

    7. change
Listen 4463 to Listen 4443
VirtualHost _default_:4463

to
Listen 4443
VirtualHost _default_:4443
    change
SSLProtocol    -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

to
SSLProtocol    nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
SSLCipherSuite HIGH:MEDIUM

  7. Click on Apply

  8. Run following command to propagate the changes made through the FMW console to the context file 

    9. $ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:
./adstrtall apps/apps
    Review the adSyncContext.log for the changes that have been picked up and made to the context file

  9. Edit Application contex file as per below

    10. $vi $CONTEXT_FILE
    change
<url_protocol oa_var="s_url_protocol">http</url_protocol>

to
<url_protocol oa_var="s_url_protocol">https</url_protocol>
    change
<local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>

to
<local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
    change
<webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>

to
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
    change
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">8020</activewebport>

to
<activewebport oa_var="s_active_webport" oa_type="DUP_PORT" base="8000" step="1" range="-1" label="Active Web Port">4443</activewebport>
    change
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>

to
<web_ssl_port oa_var="s_webssl_port" oa_type="PORT" base="4443" step="1" range="-1" label="Web SSL Port">4443</web_ssl_port>
    change
<httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>

to
<httpslistenparameter oa_var="s_https_listen_parameter">4443</httpslistenparameter>
    change
<login_page oa_var="s_login_page">http://devoracleebs.nsb.local:8020/OA_HTML/AppsLogin</login_page>

to
<login_page oa_var="s_login_page">https://devoracleebs.nsb.local:4443/OA_HTML/AppsLogin</login_page>
    change
<externURL oa_var="s_external_url">http://devoracleebs.nsb.local:8020</externURL>

to
<externURL oa_var="s_external_url">https://devoracleebs.nsb.local:4443</externURL>
5. Run Autoconfig on application tier 
cd $ADMIN_SCRIPT_HOME
adautocfg.sh
6. Re-start Application tier services 
cd $ADMIN_SCRIPT_HOME
./adstpall.sh apps/apps
./adstrtal.sh apps/apps
7. Access the system via following URL 
https://devoracleebs.nsb.local:4443/OA_HTML/AppsLocalLogin.jsp
Enable TLS for WLS AdminServer 1. Setup a WebLogic Server Identity Keystore

  1. Surce run edition environemnt variable

    2. $ source EBSapps.env run

  2. set an alias for orapki in order to pickup the executable from the $FMW_HOME and not the one under the 10.1.2 home

    3. $ alias orapki=$FMW_HOME/oracle_common/bin/orapki

  3. Create following directories

    4. mkdir /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts -p

  4. Copy wallet file into newly created directory

    5. cp /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/certs/Apache/cwallet.sso /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts

  5. Copy following to newly created directory

    6. cp /finsys/DEVEGL/fs1/EBSapps/comn/util/jdk64/jre/lib/security/cacerts /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts
2. Convert the Oracle Wallet to a JKS Keystore

  1. Change directory to wlsSSLArtifacts

    2. cd /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts

  2. Run the orapki command

    3. orapki wallet pkcs12_to_jks -wallet ./ -jksKeyStoreLoc ./ewallet.jks -jksKeyStorepwd Ebs#1234

  3. The ewallet.jks file will be generate. Extract alias using following command and note down the alias

    4. keytool -list -keystore ewallet.jks -v
3. Configure SSL on WLS

  1. Take a backup of $EBS_DOMAIN_HOME/config/config.xml file

  2. Use the adstpall.sh script to stop everything on the run file system and start only admin server

    3. cd $ADMIN_SCRIPT_HOME
adstpall.sh
./adadminsrvctl.sh start

  3. login to the admin console via http://192.168.133.10:7021/console

  4. In the WebLogic Server Administration console, under the Domain Configuration, click on Environment and Servers

  5. Click Lock & Edit

  6. Click on the AdminServer to configure

  7. Under the Configuration tab, click on the Keystores sub-tab

  8. Click Change next to the Keystores setting

  9. Select the Custom Identity and Custom Trust option and click Save

  10. Enter the identity details

    11. For example:
Custom Identity Keystore: /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts/ewallet.jks
Custom Identity Keystore Type: JKS (This must be in uppercase.)
Custom Identity Keystore Passphrase: This must match the password used from the orapki command previously in Step 2. Ebs#1234
Confirm Custom Identity Keystore Passphrase

  11. Enter the trust information

    12. For example:
Custom Trust Keystore: /finsys/DEVEGL/fs_ne/inst/DEVEGL_devoracleebs/wlsSSLArtifacts/cacerts
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: Enter the cacerts keystore password. See The cacerts Certificates File, keytool. initial password is changeit
Confirm Custom Trust Keystore Passphrase: Confirm the cacerts keystore password

  12. Click Save

  13. Click the SSL tab

  14. Enter the identity details

    15. For example:
Private Key Alias: orakey. This would correspond to the alias extracted from the keystore previously in Step 2.
Private Key Passphrase: This must match the password used from the orapki command previously in Step 2. Ebs#1234
Confirm Private Key Passphrase

  15. Click Save

  16. Click the General tab

  17. Select SSL Listen Port Enabled check box

  18. Enter the SSL Listen Port

    19. Note: The SSL Listen Port base values are available through the context variable s_wls_admin_sslport. Based on the server type, you need to choose the corresponding port value for the SSL Listen Port. You need to manually calculate SSL Listen Port value. For simplicity, the default SSL Listen port value is 1 prefixed with the server default Non SSL Listen port value.
For example, for port pool 0, the AdminServer Non SSL Listen port is 7001, so the AdminServer SSL Listen port will be 17001. 17021

  19. Click Save

  20. Select the SSL tab

  21. Select the Advanced option and then perform the following

    22. Set the Hostname Verification to Custom Hostname Verifier and the Custom Hostname Verifier field to weblogic.security.utils.SSLWLSWildcardHostnameVerifier

  22. Click Save

  23. Click Activate Changes

Post-Configuration Tasks

  1. Restart everything including the Admin and Managed Servers using the adstpall.sh and adstrtal.sh

    2. ./adstpall.sh
./adstrtal.sh

  2. Sync Changes to the Context File

    3. perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

following changes will be reflect in contex file.
s_custom_trustKeyStoreFile - complete path of trust keystore
s_wls_admin_sslEnabled - true
s_wls_admin_sslport - AdminServer SSL port.
In the case where these listed context variables are not already populated, restart the middle tier services and re-run the following command:

$ perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)