Author : Cihan Gedik
Email : [email protected]
Linkedin : https://www.linkedin.com/in/cihan-gedik-13b55065/
Group : https://www.linkedin.com/groups/13792740/
Oracle EBS 12.2.9 Enable SSL with Self-Signed Certificate
Compatible Versions
Oracle EBS 12.2 or later
Requirements
Self-signed SSL certificate
SSL port (in this post I used the default port 4443)
Solution
Important Note : I do not recommend a self-signed certificate for production systems.
Please always check the Oracle Support document as well, so that you use the latest patches and changes. This document will help you a lot.
Doc : 2143101.1
3.2 Create a Wallet (Self Signed)
export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
orapki wallet create -wallet . -auto_login -pwd ittutorial
Note : For EBS SSL, sha256 is essential; if you do not pass -sign_alg sha256, the certificate will not work.
orapki wallet add -wallet . -dn "CN=proderp1.ittutorial.com,OU=Whistle Auto,O=Whistle Auto,L=Los Angeles,ST=CA,C=US" -keysize 2048 -sign_alg sha256 -self_signed -validity 3650 -pwd ittutorial
3.6 Modify the Oracle HTTP Server Wallet
The default location for the Oracle HTTP Server configuration is in a location specific to the Oracle Fusion Middleware web tier. The <s_web_ssl_directory>/Apache is still used by some Oracle E-Business Suite Release 12.2 components, but is not used by the Oracle HTTP Server. Use the following instructions to copy the <s_web_ssl_directory>/Apache wallet to <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default directory location:
- Navigate to the <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default directory. Refer to the Application context file for the exact values of the s_ohs_instance_loc variable (the OHS instance location) and the s_ohs_component variable (the name of the specific OHS component, for example OHS).
- Move the existing wallet files to a backup directory in case you wish to use them again in the future.
- Copy the cwallet.sso from <s_web_ssl_directory>/Apache into the current directory.
Find Location ( Variables )
grep "s_ohs_instance_loc" $CONTEXT_FILE
<ohs_instance_loc oa_var="s_ohs_instance_loc">/u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1</ohs_instance_loc>
grep "s_ohs_component" $CONTEXT_FILE
Navigate to Location :
cd /u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default
Backup Existing Wallet
mkdir backup
mv /u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default/* backup/
Copy Self-Signed Wallet to Oracle HTTP Server Directory in Context File
cp /u01/oracle/prod/app/fs_ne/inst/prod_proderp1/certs/Apache/* /u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default
Find Location ( Variables )
grep "s_ohs_instance_loc" $CONTEXT_FILE
<ohs_instance_loc oa_var="s_ohs_instance_loc">/u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1</ohs_instance_loc>
cd /u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet
mkdir backup
mv * backup/
cp /u01/oracle/prod/app/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default/cwallet.sso .
3.8 Fusion Middleware Control Console
Fusion Middleware Control Console utilizes the functionality of OPMN to manage your Oracle Fusion Middleware Enterprise. Using a Web browser, Fusion Middleware Control Console provides a graphical interface that enables management of all system components in your network and enterprise. Changes made in the previous steps to the OPMN wallet also need to be made to the wallet used by Fusion Middleware Control MBeans, which rely on successful SSL communication to manage the OPMN based components.
Use the following steps to backup and copy the wallets. If the Fusion Middleware Control wallets contain additional certificates that are not stored in the web tier OPMN wallet, you may want to export them and then re-import them after the following steps have been completed:
- Move the existing wallet files to a backup directory in case you wish to use them again in the future. Refer to the Application context file for the variables for your instance:
- $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
- $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
- $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet
- Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to all three locations mentioned above.
3.9 Update the JDK Cacerts File
Oracle Fusion Middleware components (including Oracle WebLogic Server and Oracle Web Services) require the certificate of the certificate authority that issued your root certificate (ca.crt from the previous step) to be present in the JDK cacerts file. In addition, some features of Oracle BI Publisher require the server certificate (server.crt from the previous step) to be present.
Note: Whenever you upgrade your JDK version on the server, any additional certificate you added to your cacerts file will be lost. You will need to re-import the root certificate or keep a copy of your original cacerts file which you can copy back in.
Follow the steps below for all application tier nodes:
- Navigate to the <s_fmw_jdktop>/jre/lib/security directory. Refer to the Application context file for the exact value of the <s_fmw_jdktop> variable.
- Back up the existing cacerts file.
- Copy your ca.crt and server.crt files to this directory, and issue the following command to ensure that cacerts has write permissions:
grep "s_fmw_jdktop" $CONTEXT_FILE
<fmw_jdktop oa_var="s_fmw_jdktop" osd="LINUX_X86-64">/u01/oracle/prod/app/fs1/EBSapps/comn/util/jdk64</fmw_jdktop>
cd /u01/oracle/prod/app/fs1/EBSapps/comn/util/jdk64/jre/lib/security
cp -pr cacerts cacerts_org
cp /u01/oracle/prod/app/fs_ne/inst/prod_proderp1/certs/Apache/Trusted.crt .
cp /u01/oracle/prod/app/fs_ne/inst/prod_proderp1/certs/Apache/user.crt .
- Add your root ca.crt and Oracle HTTP Server server.crt to cacerts:
To delete an existing cert under the same alias first :
keytool -delete -alias OHSRootCA -keystore cacerts -storepass changeit
keytool -delete -alias OHSServer -keystore cacerts -storepass changeit
cacerts default password : changeit
Note : file names are case-sensitive on Linux, so the -file argument must match the name of the copied file exactly (Trusted.crt above).
keytool -import -alias OHSRootCA -file Trusted.crt -trustcacerts -v -keystore cacerts -storepass changeit
keytool -import -alias OHSServer -file user.crt -trustcacerts -v -keystore cacerts -storepass changeit
There is no intermediate certificate for a self-signed certificate.
If you were also provided an intermediate certificate (intca.crt) then you will also need to add that to the cacerts before adding the server.crt:
$ keytool -import -alias OHSRootCA -file ca.crt -trustcacerts -v -keystore cacerts
$ keytool -import -alias OHSIntCA -file intca.crt -trustcacerts -v -keystore cacerts
$ keytool -import -alias OHSServer -file server.crt -trustcacerts -v -keystore cacerts
Note: For Oracle E-Business Suite Release 12.2 installations that use 64-bit JDK for Oracle Fusion Middleware, the steps in this section must be repeated for the 32-bit JDK keystore location that is still in use by some products. If the Application context file <s_fmw_java_use_64> variable is set to ‘true’, then repeat the steps for the 32-bit cacerts in $OA_JRE_TOP/lib/security. Some UNIX platforms such as Oracle Solaris have a single JDK location.
cd $OA_JRE_TOP/lib/security
cp cacerts cacerts_org
cp /u01/oracle/prod/app/fs_ne/inst/prod_proderp1/certs/Apache/Trusted.crt .
cp /u01/oracle/prod/app/fs_ne/inst/prod_proderp1/certs/Apache/user.crt .
keytool -import -alias OHSRootCA -file Trusted.crt -trustcacerts -v -keystore cacerts -storepass changeit
keytool -import -alias OHSServer -file user.crt -trustcacerts -v -keystore cacerts -storepass changeit
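The same context-file lookups and cacerts steps have to be repeated for each JDK location (the 64-bit one from s_fmw_jdktop and, when s_fmw_java_use_64 is true, the 32-bit one under $OA_JRE_TOP). The script below is an added example and not part of the original post: it reads oa_var values from a constructed sample context file, derives the list of cacerts directories, and prints the backup, import and verification commands for each as a dry run. The /u01/... paths, the jdk32 location and the Trusted.crt/user.crt file names are assumptions taken from or modelled on the post.

```shell
#!/bin/sh
# Added example (not from the original post): read oa_var values out of the
# EBS context file and derive every JDK cacerts directory that section 3.9
# has to be applied to. The context file below is a constructed sample;
# the /u01/... paths and the jdk32 location are assumptions.

# Print the value of <tag oa_var="NAME" ...>VALUE</tag> from a context file.
ctx_var() {
    # $1 = variable name (for example s_fmw_jdktop), $2 = context file
    sed -n "s/.*oa_var=\"$1\"[^>]*>\([^<]*\)<.*/\1/p" "$2" | head -n 1
}

# List the cacerts directories: always <s_fmw_jdktop>/jre/lib/security and,
# when s_fmw_java_use_64 is 'true', the 32-bit JDK under $OA_JRE_TOP/lib/security.
jdk_security_dirs() {
    # $1 = context file, $2 = value of $OA_JRE_TOP
    printf '%s/jre/lib/security\n' "$(ctx_var s_fmw_jdktop "$1")"
    if [ "$(ctx_var s_fmw_java_use_64 "$1")" = "true" ]; then
        printf '%s/lib/security\n' "$2"
    fi
}

# Emit the commands for one cacerts directory as a dry run: back up the
# keystore, import both certificates under the aliases the post uses, then
# list each alias so a missing import is caught before the restart.
cacerts_commands() {
    # $1 = security directory, $2 = root certificate file, $3 = server certificate file
    cat <<EOF
cp -p "$1/cacerts" "$1/cacerts_org"
keytool -import -alias OHSRootCA -file "$2" -trustcacerts -noprompt -keystore "$1/cacerts" -storepass changeit
keytool -import -alias OHSServer -file "$3" -trustcacerts -noprompt -keystore "$1/cacerts" -storepass changeit
keytool -list -alias OHSRootCA -keystore "$1/cacerts" -storepass changeit
keytool -list -alias OHSServer -keystore "$1/cacerts" -storepass changeit
EOF
}

# Write a constructed sample context file and print its path.
make_sample_context() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<oa_context>
<fmw_jdktop oa_var="s_fmw_jdktop" osd="LINUX_X86-64">/u01/oracle/prod/app/fs1/EBSapps/comn/util/jdk64</fmw_jdktop>
<fmw_java_use_64 oa_var="s_fmw_java_use_64">true</fmw_java_use_64>
</oa_context>
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: print the commands for every directory (nothing is executed).
ctx=$(make_sample_context)
jdk_security_dirs "$ctx" /u01/oracle/prod/app/fs1/EBSapps/comn/util/jdk32/jre | while read -r dir; do
    cacerts_commands "$dir" Trusted.crt user.crt
done
rm -f "$ctx"
```

Run it against the real $CONTEXT_FILE and $OA_JRE_TOP, read the printed commands, and only then pipe the output to sh. The trailing keytool -list lines are the check worth keeping: they fail loudly if an alias is missing, which is also the quickest way to notice that a JDK upgrade has replaced cacerts.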
3.10 Update the Context File and Config Files
In Oracle E-Business Suite Release 12.2 some configuration files are no longer maintained by AutoConfig (including httpd.conf and ssl.conf). Oracle Enterprise Manager 11g Fusion Middleware Control should be used to maintain these configuration files as well as making additional changes to context file variables.
Standard SSL Setup
Use Oracle Fusion Middleware Control to make some additional configuration file changes:
- Login to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
- Select Web Tier Target under EBS Domain.
- Select Administration > Advanced Configuration.
- Select the ssl.conf file for edit.
- Update the Listen <port> and the VirtualHost _default_:<port> directives to SSL port, for example Listen 4443.
- Click Apply.
The following command should be run (on all application tier nodes) to propagate the changes made through the Oracle Fusion Middleware Control Console to the context file variables:
perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:
Review the adSyncContext.log for the changes that have been picked up and made to the context file.
Note: When setting up SSL for the first time, the default protocol will be set to ‘http’ and only the port related context variables will be updated by running adSyncContext.pl. Additional URL-based context variables <s_login_page> and <s_external_url> will need to be updated using Oracle Applications Manager (OAM). On an instance where the protocol is already set to ‘https’, these context variables will be updated as long as the <port> matches the existing value defined for s_active_webport. Otherwise, it is assumed that the login related URLs have been customized and should not be automatically changed.
Change these parameters via Oracle Applications Manager (OAM). Manual changes to $CONTEXT_FILE no longer work, and be careful to confirm the configuration before you restart the application server; otherwise it may not start again normally.
sh $ADMIN_SCRIPTS_HOME/adstpall.sh apps/password
- Start all services
- log on to OAM & click site map.
- Click AutoConfig from the list of System Configuration features in the Administration tab.
- Click the Edit Parameter button for the application tier context file to access the Context File Parameters page & then click the system tab.
- Click the Focus icon (blue triangle) for oa_web_server. This expands oa_web_server and shows the web server related parameters.
- Update the Web Port (s_active_webport) parameter from < Original port number> to 80.
- Save it, answer the prompt, then log out of OAM.
sh $ADMIN_SCRIPTS_HOME/adautocfg.sh
SSL Related Variables in the Context File
Variable | Non-SSL Value | SSL Value
--- | --- | ---
s_url_protocol | http | https
s_local_url_protocol | http | https
s_webentryurlprotocol | http | https
s_active_webport | same as s_webport | same as s_webssl_port
s_webssl_port | not applicable | default is 4443
s_https_listen_parameter | not applicable | same as s_webssl_port
s_login_page | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port
s_external_url | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port
The value of s_webport is based on the default port prior to any SSL configuration, and remains unchanged when switching to SSL.
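The table is really a set of consistency rules, and the post's warning is that a context file that breaks them may leave the application tier unable to start after the restart. The script below is an added example, not code from the post: it applies those rules to a constructed sample context file (host name, ports and URLs are assumptions) and reports every violation before AutoConfig is run.

```shell
#!/bin/sh
# Added example (not part of the original post): check that the SSL-related
# context variables from the table above are consistent with each other
# before AutoConfig is run and the services are restarted. The context
# files here are constructed samples; host name and ports are assumptions.

# Print the value of <tag oa_var="NAME" ...>VALUE</tag> from a context file.
ctx_var() {
    sed -n "s/.*oa_var=\"$1\"[^>]*>\([^<]*\)<.*/\1/p" "$2" | head -n 1
}

# Apply the rules from the table: protocols are https, the active and
# https-listen ports equal s_webssl_port, and both URLs use https on that
# port. Prints each violated rule; returns 0 only when all rules hold.
check_ssl_context() {
    f=$1
    rc=0
    for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
        if [ "$(ctx_var "$v" "$f")" != "https" ]; then
            echo "FAIL: $v must be https"; rc=1
        fi
    done
    sslport=$(ctx_var s_webssl_port "$f")
    if [ -z "$sslport" ]; then
        echo "FAIL: s_webssl_port is empty"; rc=1
    fi
    for v in s_active_webport s_https_listen_parameter; do
        if [ "$(ctx_var "$v" "$f")" != "$sslport" ]; then
            echo "FAIL: $v must equal s_webssl_port ($sslport)"; rc=1
        fi
    done
    for v in s_login_page s_external_url; do
        url=$(ctx_var "$v" "$f")
        case $url in
            https://*:"$sslport"/*|https://*:"$sslport") ;;
            *) echo "FAIL: $v must be an https URL on port $sslport, got: $url"; rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed sample context file; $1 is the value to use for
# s_active_webport so that an inconsistent file can be produced as well.
make_ssl_context() {
    f=$(mktemp)
    cat > "$f" <<EOF
<oa_context>
<url_protocol oa_var="s_url_protocol">https</url_protocol>
<local_url_protocol oa_var="s_local_url_protocol">https</local_url_protocol>
<webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
<webport oa_var="s_webport">8000</webport>
<webssl_port oa_var="s_webssl_port">4443</webssl_port>
<activewebport oa_var="s_active_webport">$1</activewebport>
<https_listen_parameter oa_var="s_https_listen_parameter">4443</https_listen_parameter>
<login_page oa_var="s_login_page">https://proderp1.ittutorial.com:4443/OA_HTML/AppsLogin</login_page>
<external_url oa_var="s_external_url">https://proderp1.ittutorial.com:4443</external_url>
</oa_context>
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: the consistent file passes, the one that still carries
# the HTTP port in s_active_webport is reported.
good=$(make_ssl_context 4443)
bad=$(make_ssl_context 8000)
check_ssl_context "$good" && echo "OK: $good is consistent"
check_ssl_context "$bad" || echo "NOT OK: fix $bad before adautocfg.sh"
rm -f "$good" "$bad"
```

Point check_ssl_context at the real $CONTEXT_FILE after the OAM edits and before adautocfg.sh; a non-zero exit means at least one value from the table still reflects the HTTP setup.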
3.11 Run AutoConfig
sh $ADMIN_SCRIPTS_HOME/adautocfg.sh
3.13 Restart the Application Tier Services
sh $ADMIN_SCRIPTS_HOME/adstpall.sh apps/whistleapps
3.14 Synchronization Between Run and Patch File Systems
Note : This is very important. After changing this file (uncomment the line for your O/S), I strongly recommend running adop phase=prepare to verify that the changes are applied to the patch file system.
The following steps must be performed in order to synchronize the SSL setup between the two file systems:
- Edit $APPL_TOP_NE/ad/custom/adop_sync.drv.
- Assuming the rsync command is available on UNIX, the following directives must be copied and pasted between the <Begin Customization> and <End Customization> section after the existing <#Copy Ends>:
Note : Before disabling the HTTP port, make sure SSL is working. If something does not work over the https protocol, you may need the HTTP protocol to access OAM.
5.1 Disabling the HTTP Port
You may optionally configure Oracle E-Business Suite to disable the HTTP port and use the HTTPS port only. Although this configuration is optional, we strongly recommend that you implement the configuration in this section and disable the HTTP only port.
Log in to the Oracle Fusion Middleware Control Console (http://<hostname>.<domain>:<AdminServer Port>/em).
- Select the Web Tier target under the EBS domain.
- Click on the EBS_web_<SID> and the Oracle HTTP Server drop down.
- Select Administration > Advanced Configuration.
- Select httpd.conf file for edit and click on Go.
- Search for Listen parameter and comment it or disable it (for example, #Listen 8000)
- Switch the order of the following include statements such that the ssl.conf comes before the admin.conf:
# Include the SSL definitions and Virtual Host container
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf"
# Include the admin virtual host (Proxy Virtual Host) related configuration
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/admin.conf"
- Click Apply and restart the OPMN services for the change to take effect.
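Because the edit is made through a console and only takes effect at the OPMN restart, it is worth verifying the saved httpd.conf before restarting. The script below is an added example and not part of the original post: it checks that no uncommented Listen line for the HTTP port remains and that the ssl.conf include precedes the admin.conf include, against two constructed httpd.conf fragments (before and after the edit). Port 8000 is the HTTP port assumed from the "#Listen 8000" example above.

```shell
#!/bin/sh
# Added example (not from the original post): verify an httpd.conf after
# the section 5.1 edits, so a mistake is found before OPMN is restarted.
# Both httpd.conf fragments below are constructed samples; 8000 is the
# HTTP port assumed from the post's "#Listen 8000" example.

# Return 0 when no uncommented "Listen <port>" (or "Listen host:<port>")
# line for the given HTTP port remains.
http_listen_disabled() {
    # $1 = httpd.conf, $2 = HTTP port that must be switched off
    ! grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?$2[[:space:]]*$" "$1"
}

# Return 0 when the ssl.conf include comes before the admin.conf include.
ssl_included_before_admin() {
    ssl_line=$(grep -n -i '^[[:space:]]*include .*ssl\.conf' "$1" | head -n 1 | cut -d: -f1)
    admin_line=$(grep -n -i '^[[:space:]]*include .*admin\.conf' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$ssl_line" ] && [ -n "$admin_line" ] && [ "$ssl_line" -lt "$admin_line" ]
}

# Combine both checks and report which one failed; 0 only when both pass.
check_httpd_conf() {
    rc=0
    http_listen_disabled "$1" "$2" || { echo "FAIL: HTTP port $2 is still listening in $1"; rc=1; }
    ssl_included_before_admin "$1" || { echo "FAIL: ssl.conf must be included before admin.conf in $1"; rc=1; }
    return $rc
}

# Constructed httpd.conf as it looks before the section 5.1 edits.
make_httpd_conf_before() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Listen 8000
# Include the admin virtual host (Proxy Virtual Host) related configuration
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/admin.conf"
# Include the SSL definitions and Virtual Host container
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf"
EOF
    printf '%s\n' "$f"
}

# Constructed httpd.conf after the edits: Listen commented, includes swapped.
make_httpd_conf_after() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Listen 8000
# Include the SSL definitions and Virtual Host container
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf"
# Include the admin virtual host (Proxy Virtual Host) related configuration
include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/admin.conf"
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo.
before=$(make_httpd_conf_before)
after=$(make_httpd_conf_after)
check_httpd_conf "$before" 8000 || echo "before: not ready"
check_httpd_conf "$after" 8000 && echo "after: ready to restart OPMN"
rm -f "$before" "$after"
```

Run check_httpd_conf against the httpd.conf under <s_ohs_instance_loc>/config/OHS/<s_ohs_component> with your own HTTP port; a clean exit is the signal that the OPMN restart will bring the server up on the SSL port only.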