Configure OHS with SSL
There are two major steps needed to configure SSL in Fusion Middleware 11g (11.1.1.X)
I. Create an Oracle Wallet which contains an SSL Certificate.
II. Configure ssl.conf directives to enable SSL with OHS.
1. Creating an Oracle Wallet
cd $APP_CONFIG/CommonDomain_webtier/config/OHS/ohs1
1.1 To create an Auto-Login Wallet
orapki wallet create -wallet keystores/default -auto_login_only
1.2 Create a self signed Certificate
orapki wallet add -wallet keystores/default -auto_login_only\
-dn 'CN=slcah772.us.oracle.com,O=Oracle Corporation,L=Redwood Shores,ST=California,C=US'\
-keysize 2048 -self_signed -validity 3650
Notes:
To get a Version 3 certificate: append option: -addext_ski
It has more infor:
X509v3 extensions:
X509v3 Subject Key Identifier:
B5:5A:53:A9:DF:54:2F:9E:54:C3:24:FD:7F:73:E8:2F:CC:E8:83:AA
Notes:
---------------------------------------------------------------------------------------------
1). Generate a Certificate Signing Request (CSR), without (-self_signed )
orapki wallet add -wallet keystores/default -auto_login_only\
-dn 'CN=slcah772.us.oracle.com,O=Oracle Corporation,L=Redwood Shores,ST=California,C=US'\
-keysize 2048 -validity 3650
2). Export the CSR
orapki wallet export -wallet keystores/default -dn \
'CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB' \
-request server.csr -pwd Pass_of_CSR
This step must need a password, it is used for the exported file
3). Send the CSR (server.csr) to a CA
Download the certificate (server.crt) ,
Download the Trusted Root CA certificate (rootca.crt),
Download any required Intermediate Trusted CA certificates in Base64 format.
4). Import the Trusted Root/Intermediate Certificates into the Wallet
orapki wallet add -wallet keystores/default \
-trusted_cert -cert rootca.crt -pwd Pass_of_rootca
5). Import the User Certificate
orapki wallet add -wallet keystores/default \
-user_cert -cert ser.crt -pwd Pass_of_CSR
---------------------------------------------------------------------------------------------
1.3 display wallet informaion
orapki wallet display -wallet keystores/default
2. Configuring HTTP Server for SSL
cd $APP_CONFIG/CommonDomain_webtier/config/OHS/ohs1
Find a VirtualHost and config it
4448>
SSLVerifyClient optional
SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
#SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/prj
#$APP_CONFIG/CommonDomain_webtier/config/OHS/ohs1/keystores/default
#Other SSL parameters
For apache:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCertificateChainFile /etc/apache2/ssl/server.pem
3 restart the OHS
$APP_CONFIG/CommonDomain_webtier/bin/opmnctl restartproc process-type=OHS
$APP_CONFIG/CommonDomain_webtier/bin/opmnctl status -l
4 Test the URL for the Virtual Host
4448
Configure WLS with SSL
cd $APP_CONFIG/keystores
1 Create a keystore and private key
keytool -genkey -alias jks_demo -keyalg RSA -keysize 2048 -keypass Welcome2 \
-dname 'CN=serverxx.us.oracle.com,OU=Support,O=Oracle Corporation,L=Redwood City,ST=California,C=US' \
-keystore demo/server1_demo.jks -storepass Passwd1
alias is of the private key.
For Oracle, use should use it as below:
CN(Common Name):FQDN
OU(Organization Unit):null
O(Organization): Oracle Corporation
L(Locality/City): Redwood Shores
ST(State): California
C(Country): US
It has done 2 things:
a. created a keystore
b. created a private key
Notes: It is already a a self signed certificate, you can skip step 3,4,5,6 and 7.
2. To view the contents of the keystore
keytool -list -v -keystore demo/server1_demo.jks -storepass Passwd1
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jks_demo
Creation date: Jun 3, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=serverxx.us.oracle.com, OU=Support, O=Oracle Corporation, L=Redwood City, ST=California, C=US
Issuer: CN=serverxx.us.oracle.com, OU=Support, O=Oracle Corporation, L=Redwood City, ST=California, C=US
Serial number: 556fa06d
Valid from: Wed Jun 03 17:48:45 PDT 2015 until: Tue Sep 01 17:48:45 PDT 2015
Certificate fingerprints:
MD5: 34:1C:69:7F:FE:76:86:F8:20:AD:5C:25:84:77:E6:5C
SHA1: BD:9C:9D:74:06:79:6A:E3:FA:4F:5D:AD:6F:2D:61:45:87:8F:9E:27
Signature algorithm name: SHA1withRSA
Version: 3
Created a keystore and private key
3. Create a Certificate Signing Request (CSR)
keytool -certreq -v -alias jks_demo -file serverxx3.csr -keypass Welcome2 \
-keystore demo/server1_demo.jks -storepass Passwd1
Certification request stored in file
Submit this to your CA
4. Send the CSR to CA, and download the Certificates
Download serverxx3.cer
Download the CA's root certificate as rootCA.cer
Download the other intermediate certificates
5. Import the CA's root certificate and intermediate certificates
keytool -import -keystore demo/server1_demo.jks -alias CA_VTN -trustcacerts -file VTN-PublicPrimary-G5.pem
keytool -import -keystore demo/server1_demo.jks -alias CA_Oracle -trustcacerts -file Oracle_SSL_CA_G2.pem
6. Import the Server Certificate
keytool -import -keystore demo/server1_demo.jks -alias jks_demo -keypass Welcome2 -trustcacerts -file serverxx3.cer
7. To view the contents of the keystore
keytool -list -v -keystore demo/server1_demo.jks -storepass Passwd1
8. Configure WebLogic Server for SSL
The steps below take you through configuring SSL for a Managed Server.
-
Login to the WLS console e.g: http://weblogic.uk.oracle.com:7001/console
-
Select 'Environment' -> 'Servers' and click on the server you want to configure
-
Select the 'Keystores' tab
-
Select 'Keystore -> 'Change'
-
Select 'Custom Identity and Custome Trust'from the drop down list and click 'Save'
-
1) Enter the relevant information in the Keystores page:
-
'Custom Identity Keystore' : e.g $MIDDLEWARE/keystores/keystore.jks
-
'Custom Identity Keystore' : JKS (Note: This has to be UPPERCASE)
-
'Custom Identity Keystore Passphrase' : e.g: welcome
-
'Confirm Custom Identity Keystore Passphrase' : e.g: welcome
-
'Custom Trust Keystore' : e.g $MIDDLEWARE/keystores/keystore.jks
-
'Custom Trust Keystore Type' : JKS (Note: This has to be UPPERCASE)
-
'Custom Trust Keystore Passphrase' : e.g: welcome
-
'Confirm Custom Trust Keystore Passphrase' : e.g: welcome
-
Click 'Save'
-
2). Select the 'SSL' tab and enter the relevant information:
-
'Private Key Alias' : e.g server_cert
-
'Private Key Password' : e.g welcome
-
'Confirm Private Key Password': e.g welcome
-
Click 'Save'
-
Select 'Environment' -> 'Servers' and click on the Managed Server configured
-
3). In the 'General' tab:
-
Check 'SSL Listen Port Enabled'
-
'SSL Listen Port' : e.g 7012 (make sure this is not used by another process)
-
Click 'Save'
9. Enable WebLogic Plug-In in WLS console
On FMW 11.1.1.4 or higher, there is an extra step required to prevent redirects going to http. This problem is documented in Note 1300169.1 HTTPS Request Returns HTTP When Using Redirects Through Mod_wl_ohs.
To prevent this problem:
-
Access the WebLogic Server console
-
Click on 'Servers' -> '' -> 'General' -> 'Advanced'
-
Check the 'WebLogic Plug-In Enabled' box.
-
Click 'Save'
-
Restart the Managed Server.
This has been an undocumented change and thus an internal documentation bug filed for a future release.
Bug 11824138 HTTPS REQUEST RETURNS HTTP WHEN USING REDIRECTS THROUGH MOD_WL_OHS
Configure OHS <-->WLS with SSL
cd $APP_CONFIG/keystores
list keystores used by FA WLS:
keytool -list -v -keystoreserver03.us.oracle.com_fusion_identity.jks
keytool -list -v -keystore fusion_trust.jks
keytool -list -keystore fusion_trust.jks|grep 'us.oracle.com_fusion'
server02.us.oracle.com_fusion, May 24, 2015, trustedCertEntry,
server001.us.oracle.com_fusion, May 24, 2015, trustedCertEntry,
server03.us.oracle.com_fusion, May 24, 2015, trustedCertEntry,
export the trused certificates:
keytool -export -alias server02.us.oracle.com_fusion -file server02.cer -keystore fusion_trust.jks -rfc -storepass Passwd1
keytool -export -alias server001.us.oracle.com_fusion -fileserver001.cer -keystore fusion_trust.jks -rfc -storepass Passwd1
keytool -export -aliasserver03.us.oracle.com_fusion -fileserver03.cer -keystore fusion_trust.jks -rfc -storepass Passwd1
ls *.cer
server02.cer server001.cer server03.cer
Import the trusted certificates:
cd $APP_CONFIG/CommonDomain_webtier/config/OHS/ohs1/keystores
orapki wallet display -wallet prj
orapki wallet add -wallet prj -cert server03.cer -trusted_cert -auto_login_only
orapki wallet add -wallet prj -cert server02.cer -trusted_cert -auto_login_only
orapki wallet add -wallet prj -cert server001.cer -trusted_cert -auto_login_only
orapki wallet display -wallet prj
Oracle PKI Tool : Version 11.1.1.7.0OPSS-FAREL7-BP
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=server001.us.oracle.com,O=Oracle Corporation,L=Redwood Shores,ST=California,C=US
Trusted Certificates:
Subject: CN=server001.us.oracle.com,O=Oracle Corporation,L=Redwood Shores,ST=California,C=US
Subject: CN=server001.us.oracle.com,OU=defaultOrganizationUnit,O=defaultOrganization,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=server02.us.oracle.com,OU=defaultOrganizationUnit,O=defaultOrganization,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=server03.us.oracle.com,OU=defaultOrganizationUnit,O=defaultOrganization,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Change mod_wl_ohs.conf to set WLSSL Wallet location
SecureProxy off
WlSSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/prj"
Debug debug ## use debug for diag issues, change to ERR later
WLIOTimeoutSecs 900
WLLogFile "|${ORACLE_HOME}/ohs/bin/odl_rotatelogs ${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/weblogic.log 43200"
DebugConfigInfo On
vi moduleconf/*.conf to enable theSSL
/sdpmessaging/userprefs-ui >
SetHandler weblogic-handler
WebLogicCluster server03.us.oracle.com:8706 #Change to use SSL port
WLProxySSL ON
WLProxySSLPassThrough ON
RewriteEngine On
RewriteOptions inherit
SecureProxy ON
For each Location/WLS we can config whether to use SSL or not.
Test the URL:
view weblogic.log:
2015-06-08T23:59:59.8584-07:00 <1024914338331992> ================New Request: [GET /sdpmessaging/userprefs-ui/faces/web/devices.jspx HTTP/1.1] =================
2015-06-08T23:59:59.8584-07:00 <1024914338331992> INFO: SSL is configured
2015-06-08T23:59:59.8594-07:00 <1024914338331992> ======internal request /bea_wls_internal/WLDummyInitJVMIDs======
initJVMID: Trying Host[10.247.44.15] Port[8706] SecurePort[8706] useSSL [1] ioTimeout [30] socketTimeout [2]
2015-06-08T23:59:59.9087-07:00 <1023514338331081> mod_weblogic(ssl): SSL Handshake successful
2015-06-08T23:59:59.9114-07:00 <1024914338331992> trying connect to PRIMARY '10.247.44.15'/8606/8706
2015-06-08T23:59:59.9114-07:00 <1024914338331992> getPooledConn: found a host and port/securePort match
2015-06-08T23:59:59.9550-07:00 <1023514338331081> mod_weblogic(ssl): SSL Handshake successful
2015-06-09T00:01:01.9586-07:00 <1023514338331081> INFO: Closing SSL context