The steps outlined below will help you to add SSL encryption to your Oracle EBS application.
The following uses a self-signed certificate, but if you would like to create a local certificate authority (CA) for signing such certificates, please view the tutorial here...
Basic Steps
- Create Wallet with Self-Signed certificate
- Copy Wallet with Self-Signed certificate to OPMN certificate directory
- Modify Xml attributes
- Run AutoConfig
- Configure database (Copy Wallet)
- Restart Server
- End
Middle Tier Setup
Step 1) Generate Wallet and Self-Signed Certificate
Source your environment
- Log on to the application (middle) tier, as the OS user who owns the application tier files.
- Source your /.env file to set your APPL_TOP variables.
- Navigate to the $INST_TOP/ora/10.1.3 and source the .env file to set your 10.1.3 ORACLE_HOME variables. When working with wallets and certificates, you must use the 10.1.3 executables.
Create a Wallet
- Verify the location of the Web SSL directory: grep s_web_ssl_directory $CONTEXT_FILE
- Navigate to this directory, which will have Apache and opmn subdirectories
- Change to the Apache subdirectory
- Back up any existing wallets (demo certificates are included in Release 12)
Create your new wallet:
orapki wallet create -wallet . -auto_login -pwd <wallet_password>
"-wallet ." (note the ".") tells orapki that you want to create the wallet in the current directory. You can also specify the full path to any directory where you wish to create a wallet.
"-auto_login" tells orapki that you want to create cwallet.sso, which is an obfuscated copy of ewallet.p12. With auto login enabled, processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet.
You should now see two wallet files in your directory: cwallet.sso and ewallet.p12.
Add your self-signed certificate to the wallet.
Enter the following command all on one line, substituting the appropriate parameters for your instance:
orapki wallet add -wallet . -dn "CN=EBSSERVER.COM,OU=IT,O=COMPANY_NAME,L=CITY,ST=STATE,C=US" -keysize 1024 -self_signed -validity 9650 -pwd *********
When viewed in the wallet manager, the certificate must be in the [Ready] state.
Check the permissions on the wallet files to make sure the accounts that need them (the oracle install user) can access them.
Step 2) - Modify the OPMN wallet.
The E-Business Suite Rapid Install process creates a default "demo" opmn wallet in the $INST_TOP/certs/opmn directory that can be used in test instances for basic SSL testing. Now that the Apache wallet has been created, you will need to use these same certificates for opmn. Use the following steps to back up and copy the wallets:
- Navigate to the $INST_TOP/certs/opmn directory.
- Create a new directory named BAK
- Move the ewallet.p12 and cwallet.sso files to the BAK directory just created.
- Copy the ewallet.p12 and cwallet.sso files from the $INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.
- Do the same for the apache directory
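Step 2 as a repeatable shell function, added here as an example (it is not part of the original post). The function name sync_opmn_wallet, the timestamp suffix on the backups and the owner-only file mode are assumptions; it expects to run as the OS user that owns the application tier files.

```shell
#!/bin/sh
# Added example: Step 2 (back up the demo opmn wallet, copy in the Apache one).
# Assumptions: run as the OS user that owns the application tier files; backups
# get a timestamp suffix; copies are set to owner-only (mode 600).
# Usage: sync_opmn_wallet "$INST_TOP/certs/Apache" "$INST_TOP/certs/opmn"
sync_opmn_wallet() {
    src=$1
    dst=$2
    files="ewallet.p12 cwallet.sso"
    # Refuse to touch the opmn wallet unless the new Apache wallet is complete.
    for f in $files; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    # Move the existing wallet into BAK without overwriting an earlier backup.
    mkdir -p "$dst/BAK" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    for f in $files; do
        if [ -e "$dst/$f" ]; then
            mv "$dst/$f" "$dst/BAK/$f.$stamp" || return 1
        fi
    done
    # cwallet.sso opens without a password, so the file mode is its only
    # protection: create the copy under a restrictive umask, then pin it to 600.
    for f in $files; do
        ( umask 077 && cp "$src/$f" "$dst/$f" ) || return 1
        chmod 600 "$dst/$f" || return 1
        cmp -s "$src/$f" "$dst/$f" || { echo "copy differs: $dst/$f" >&2; return 1; }
    done
}
```

If the function returns non-zero before the copy loop, the opmn directory still holds either its original wallet or the backup in BAK.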
Step 3) Apps Tier Setup
Edit the context XML file in $APPL_TOP/admin and change the SSL-related variables to their SSL values.
SSL Related Variables in the Context File
Variable | Non-SSL Value | SSL Value
s_url_protocol | http | https
s_local_url_protocol | http | https
s_webentryurlprotocol | http | https
s_active_webport | same as s_webport | same as s_webssl_port
s_webssl_port | not applicable | default is 4443
s_https_listen_parameter | not applicable | same as s_webssl_port
s_help_web_agent | url constructed with http protocol and s_webport for both non-SSL and SSL |
s_login_page | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port
s_external_url | url constructed with http protocol and s_webport | url constructed with https protocol and s_webssl_port
Execute autoconfig
Bounce the mid-tier services
Step 4) DB Tier Setup
Once you have run autoconfig on the Apps Tier, you need to do the wallet setup on the DB tier as well. Since R12 is autoconfig enabled, there will be a directory called appsutil in ORACLE_HOME on the database side. Follow the steps below to carry out the setup on the database side.
- Login to DB tier as oracle user
- Change dir to $ORACLE_HOME/appsutil
- Create a new dir with name “wallet”
- Copy wallet and certificate files from steps above to this directory
If Not Working
- Recheck XML parameters
- Verify permissions on wallet files
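Both checks above as shell functions, added here as an example (not part of the original post). It assumes each variable appears in the context file as an element tagged oa_var="<name>" with its value on the same line; the function names are hypothetical, and the expected values come from the table in Step 3.

```shell
#!/bin/sh
# Added example. Assumption: context file elements look like
#   <tag oa_var="s_url_protocol">https</tag>   (one element per line)

# ctx_get FILE VAR: print the value of the element tagged oa_var="VAR".
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# check_ssl_context FILE: print one line per variable that does not match the
# SSL column of the Step 3 table; return 1 if anything was reported.
check_ssl_context() {
    ctx=$1
    bad=0
    for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
        val=$(ctx_get "$ctx" "$v")
        [ "$val" = "https" ] || { echo "$v is '$val', expected https"; bad=1; }
    done
    ssl_port=$(ctx_get "$ctx" s_webssl_port)
    [ -n "$ssl_port" ] || { echo "s_webssl_port is not set"; bad=1; }
    for v in s_active_webport s_https_listen_parameter; do
        val=$(ctx_get "$ctx" "$v")
        [ "$val" = "$ssl_port" ] || { echo "$v is '$val', expected $ssl_port"; bad=1; }
    done
    for v in s_login_page s_external_url; do
        val=$(ctx_get "$ctx" "$v")
        case $val in
            https://*:"$ssl_port" | https://*:"$ssl_port"/*) ;;
            *) echo "$v is '$val', expected https on port $ssl_port"; bad=1 ;;
        esac
    done
    return $bad
}

# check_wallet_files DIR: both wallet files must exist and be readable by the
# user running the check (run it as the user that starts the services).
check_wallet_files() {
    rc=0
    for f in ewallet.p12 cwallet.sso; do
        [ -r "$1/$f" ] || { echo "$1/$f is missing or not readable"; rc=1; }
    done
    return $rc
}

# Runs only when the EBS environment has been sourced.
[ -z "${CONTEXT_FILE:-}" ] || check_ssl_context "$CONTEXT_FILE"
```

Run check_wallet_files against each directory that received a copy of the wallet, for example $INST_TOP/certs/opmn on the middle tier and $ORACLE_HOME/appsutil/wallet on the DB tier.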