Enabling SSL for E-Business Suite in 11i
Monday, June 16, 2008
Enabling SSL for E-Business Suite
=================================

Environment used for this walkthrough:
URL                        - https://visclone.oneapps.com
IP                         - 192.9.200.215
Application version        - 11.5.10.2
Database version           - 9.2.0.6.0
Referred Metalink document - 123718.1
Common setups:
--------------
Set the following variables in the application user's .bash_profile. They are exported so that the scripts and the openssl calls below can see them:

#su - apple
#vi .bash_profile
export SCRIPT_TOP=/u01/oracle1/viscomn/admin/scripts/visclone_visclone
export APACHE_TOP=/u01/oracle1/visora/iAS/Apache
export OPENSSL_TOP=/u01/oracle1/visora/iAS/Apache/open_ssl
export OPENSSL_CONF=/u01/oracle1/visora/iAS/Apache/open_ssl/bin/openssl.cnf

Save and quit (:wq), then log in again or source the file so the new values take effect.
Provide certificate for HTTP Server:
------------------------------------
Create a work directory to keep the private key as well as the certificate files:

#mkdir /u01/oracle1/viscomn/admin/certs
#mkdir /u01/oracle1/viscomn/admin/certs/apache
Sub-directories:
#mkdir /u01/oracle1/viscomn/admin/certs/apache/ssl.crt
#mkdir /u01/oracle1/viscomn/admin/certs/apache/ssl.key

Keep this tree, and ssl.key in particular, readable only by the application owner: the private key that will live there is protected by nothing but its passphrase.
Edit the context file and set the value of the SSL certificate directory variable to the directory just created:
#vi /u01/oracle1/visappl/admin/visclone_visclone.xml
/u01/oracle1/viscomn/admin/certs/apache
Check the value of RANDFILE in $OPENSSL_CONF; it should be:
RANDFILE = $ENV::HOME/.rnd
Creating server PEM-encoded private key file
--------------------------------------------
#cd /u01/oracle1/viscomn/admin/certs/apache/
Execute the following command. Call the openssl binary by its full path but stay in the certs directory; if you cd into $OPENSSL_TOP/bin first, the key file is written there instead of in the certs directory:
$OPENSSL_TOP/bin/openssl genrsa -des3 -out apache_1024.key 1024
It will ask you to enter a PEM pass phrase: oneapps123 (one common password is used for everything on this clone to avoid confusion; on a production system give the Apache key and the Forms wallet different passphrases and keep them out of notes like this one). A 1024-bit key was usual in 2008, but anything issued today should be 2048 bits or more; public CAs no longer sign 1024-bit requests.
Go to the file $OPENSSL_CONF and change the line
dir = ./demoCA
to
dir = /u01/oracle1/viscomn/admin/certs/apache
(specify the directory that was created to keep the private key and certificate files).

Generating certificate signing request (CSR)
--------------------------------------------
#cd /u01/oracle1/viscomn/admin/certs/apache/
Execute the following command:
$OPENSSL_TOP/bin/openssl req -config $OPENSSL_CONF -new -key apache_1024.key -out apache_1024.csr

It will ask for the following details:

Enter the PEM pass phrase     : oneapps123
Country Name (2 letter code)  : IN
State or Province Name        : Karnataka
Locality Name (e.g., City)    : Bangalore
Organization Name             : oneAPPS
Organizational Unit Name      : httpserver
Common Name                   : vis.oneapps.com (hostname)
E-mail Address                : kumaran@oneapps.com

The remaining prompts can be skipped. The Common Name must be exactly the host name users type in the URL; for the environment above that is visclone.oneapps.com, and a certificate issued for any other name makes every browser warn at each login.

Submitting certificate request (CSR) to certificate authority (CA)
------------------------------------------------------------------
Go to the website www.verisign.com and search for "trial certificate". Register for a trial certificate; at the end it asks you to submit your CSR. Copy the CSR:
#cat /u01/oracle1/viscomn/admin/certs/apache/apache_1024.csr
and paste it into the VeriSign site (copy the full content of the file, including the BEGIN and END lines; don't skip anything), then click submit. You will receive the certificate within an hour.
Creating the server PEM-encoded certificate file
------------------------------------------------
Do the pre-requisites mentioned in the e-mail; you only need to follow the first step (ROOT CA certificate). From the first link copy the ROOT CA certificate and save it as a.cer on your local machine, then import it into the browser.

Steps for Microsoft browser
---------------------------
1. Open Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> Import -> Next -> select file type "All", select a.cer -> Open -> Next -> select "Automatically select the certificate store based on the type of the certificate" -> OK -> Finish -> Yes.

Steps for Firefox browsers:
---------------------------
1. Open Firefox -> Tools -> Options -> Advanced -> View Certificates -> Authorities -> Import -> a.cer -> Open -> check "Trust this CA to identify websites" -> OK.

(Importing a trial root makes the browser trust everything that CA signs; remove it again once testing is over.)

Then copy the certificate you received in the e-mail, save it as apache_1024.crt and ftp it to the server:
$ ftp 192.9.200.215
Username: apple
Password: apple
ftp> bin
ftp> hash
ftp> cd /u01/oracle1/viscomn/admin/certs/apache/
ftp> put apache_1024.crt
Creating the PEM-encoded CA certificate file (ca.crt)
-----------------------------------------------------
From your local machine, open Internet Explorer. Go to File -> Open -> browse to apache_1024.crt -> click OK. In the certificate window click Certification Path, select the first (top) line, then View Certificate -> Details -> Copy to File -> Next -> select "Base-64 encoded X.509" -> Next -> enter the name ca -> Export -> Close. This gives you the issuing CA's certificate in PEM form as ca.crt. From your local machine, ftp it to the server:
ftp 192.9.200.215
username: apple
password: apple
ftp> bin
ftp> hash
ftp> cd /u01/oracle1/viscomn/admin/certs/apache/
ftp> put ca.crt
Copy server key and certificate:
--------------------------------
On the server machine:
#cd $COMMON_TOP/admin/certs/apache
#cp apache_1024.crt $COMMON_TOP/admin/certs/apache/ssl.crt/server.crt
#cp apache_1024.key $COMMON_TOP/admin/certs/apache/ssl.key/server.key
#cp $APACHE_TOP/Apache/conf/ssl.crt/ca-bundle.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca-bundle.crt
#cp ca.crt $COMMON_TOP/admin/certs/apache/ssl.crt/ca.crt

Before copying, make sure the certificate you received really belongs to apache_1024.key and chains to ca.crt. A mismatch only shows up later, as Apache refusing to start or browsers rejecting the site after the bounce at the end.
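The checks just described, as an added example that is not part of the original post: a small POSIX shell script that confirms the certificate matches the private key, validates against ca.crt, has a key of acceptable size and carries the Common Name users will type. It assumes openssl is on PATH (on the 11i server use $OPENSSL_TOP/bin/openssl) and reads the key passphrase from a KEY_PASS environment variable, so nothing is typed interactively or written into the script. The 2048-bit floor is a present-day minimum and deliberately fails both the 1024-bit Apache key and the 512-bit Forms key used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# Apache key/certificate pair before it is copied into ssl.key/ and ssl.crt/.
# Assumptions: an openssl binary on PATH, and the key passphrase supplied in
# the KEY_PASS environment variable (hypothetical name chosen for this script).

MIN_BITS=${MIN_BITS:-2048}   # 1024 (Apache) and 512 (Forms wallet) fall below this

# Modulus of the private key; openssl reads the passphrase from $KEY_PASS.
key_modulus() {
  openssl rsa -noout -modulus -in "$1" -passin env:KEY_PASS
}

# Modulus of the public key inside a PEM certificate.
cert_modulus() {
  openssl x509 -noout -modulus -in "$1"
}

# Succeeds only if the certificate was issued for exactly this private key.
key_matches_cert() {
  [ -n "$(cert_modulus "$2")" ] && [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

# chain_ok CERT CAFILE: succeeds if CERT validates against CAFILE (ca.crt above).
# Older openssl releases exit 0 even when validation fails, so the ": OK" text
# in the output is what is checked, not the exit status.
chain_ok() {
  openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK'
}

# RSA key size in bits, read from the certificate's public key.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Subject Common Name of the certificate.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# precheck KEY CERT CAFILE HOSTNAME -> 0 if every check passes, 1 otherwise.
precheck() {
  rc=0
  key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
  chain_ok "$2" "$3"         || { echo "FAIL: $2 does not chain to $3"; rc=1; }
  bits=$(cert_key_bits "$2")
  [ "${bits:-0}" -ge "$MIN_BITS" ] || { echo "FAIL: key is ${bits:-?} bits, want >= $MIN_BITS"; rc=1; }
  cn=$(cert_cn "$2")
  [ "$cn" = "$4" ] || { echo "FAIL: CN '$cn' is not the URL host '$4'"; rc=1; }
  return $rc
}

# Usage on the server, from $COMMON_TOP/admin/certs/apache:
#   KEY_PASS=... sh precheck.sh apache_1024.key apache_1024.crt ca.crt visclone.oneapps.com
if [ "$#" -eq 4 ]; then
  precheck "$@" && echo "OK: safe to copy into ssl.key/server.key and ssl.crt/server.crt"
fi
```

Run it once with the received certificate and once more after the cp commands, on ssl.key/server.key and ssl.crt/server.crt, so a copy to the wrong file name is caught as well.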
Certificate provisioning for Forms 6i Server:
---------------------------------------------
Create the wallet directory and start Oracle Wallet Manager:
#mkdir $COMMON_TOP/admin/certs/forms/
#su - apple
#cd $ORACLE_HOME/
#xhost +
#export DISPLAY=192.9.200.215:0.0
#echo $DISPLAY (check display)
#export THREADS_FLAG=native
#cd bin/
#owm

(xhost + lets any host on the network connect to your X display; allow only the one host you need and revoke it with xhost - when you are done.)

In Wallet Manager: Wallet -> New, select No at the prompt -> create the wallet password (oneapps123) -> OK -> Yes. An empty wallet is created, and it then asks for the following details:

Common Name         : vis.oneapps.com
Organizational Unit : Forms
Organization        : oneAPPS
Locality/City       : Bangalore
State/Province      : Karnataka
Country             : IN
Key size            : 512

-> OK. It shows the message that the certificate request was created and should be submitted to a Certificate Authority. Select the wallet, check that the Auto Login check box is ticked, and save it in the location $COMMON_TOP/admin/certs/forms.

A 512-bit RSA key is only fit for a throwaway test (512-bit moduli have been factored publicly since 1999); choose the largest size the wallet manager offers. As with the Apache CSR, the Common Name has to match the host name in the URL.
Submitting Certificate Request (CSR) to Certificate Authority (CA):
-------------------------------------------------------------------
Go to www.verisign.com and search for "trial certificate". Copy and paste the .csr from the wallet into the VeriSign site and submit.

Creating the server PEM-encoded certificate file
------------------------------------------------
Do the pre-requisites mentioned in the e-mail; you only need to follow the first step (ROOT CA certificate). From the first link copy the ROOT CA certificate and save it as a1.cer on your local machine.

Steps for Microsoft browser:
2. Open Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> Import -> Next -> select file type "All", select a1.cer -> Open -> Next -> select "Automatically select the certificate store based on the type of the certificate" -> OK -> Finish -> Yes.

Steps for Firefox browsers:
2. Open Firefox -> Tools -> Options -> Advanced -> View Certificates -> Authorities -> Import -> a1.cer -> Open -> check "Trust this CA to identify websites" -> OK.

Once you receive the certificate, save it as forms_512.crt and ftp it to the server (the ftp client does not expand $COMMON_TOP, so give the full path):
ftp 192.9.200.215
username: apple
password: apple
ftp> bin
ftp> hash
ftp> cd /u01/oracle1/viscomn/admin/certs/forms
ftp> put forms_512.crt
ftp> bye

The ROOT CA certificate saved earlier (a1.cer) must also be put in this directory, as CA_root.cer: the wallet needs it before it will accept the user certificate in the next step.
Import User certificate into Wallet Manager:
--------------------------------------------
In Wallet Manager: Operations -> Import User Certificate -> check the radio button "Select a file that contains the certificate" -> OK. Give the full path of the directory where the certificate is stored, /u01/oracle1/viscomn/admin/certs/forms/, highlight forms_512.crt -> OK (see the message at the bottom: certificate successfully imported).

Got the error! "User certificate import has failed because the CA certificate doesn't exist. Do you want to import a CA certificate now?" Yes -> check the radio button "Select a file that contains the certificate" -> /u01/oracle1/viscomn/admin/certs/forms/ and highlight the file CA_root.cer -> OK. Then repeat the user certificate import and save the wallet.
Configuring SSL with HTTP server
--------------------------------
Make the changes in the context file, switching the protocol variables from http to https:
#vi /u01/oracle1/visappl/admin/visclone_visclone.xml
s_url_protocol          https
s_local_url_protocol    https
s_webentryurlprotocol   https
s_frmConnectMode        https
s_apps_portal_url       http:// -> https:// in the URL
s_webssl_port           keep as 443 (default)
s_active_webport        443
s_webport               443
s_forms60_wallet        /u01/oracle1/viscomn/admin/certs/forms
#vi /u01/oracle1/viscomn/html/bin/appsweb.cfg
connectMode=https

Edit the Forms listener start script so Forms is started in https mode:
#vi $SCRIPT_TOP/adfrmctl.sh
f60ctl start port=$FORMS_PORT mode=https exe=f60webmx > $FRMLOG 2>/dev/null
Through OAM -> Sitemap -> AutoConfig -> Configuration Wizard -> Forms Listener Servlet -> Enable
OAM -> Sitemap -> AutoConfig -> Configuration Wizard -> SSL -> Enable
Edit the file:
#vi $COMMON_TOP/portal/visclone_visclone/aplogon.html
a href="https://visclone.oneapps.com/oa_servlets/AppsLogin" target=_top
(remove the web listener port; https is served on 443)
Clear the cache in this location:
#sh $SCRIPT_TOP/adapcctl.sh stop (root user)
#cd $COMMON_TOP/_pages
#rm -f *
#sh $SCRIPT_TOP/adapcctl.sh start (root user)
(Confirm with pwd that you really are in $COMMON_TOP/_pages before running rm -f *.)
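The context-file step of the procedure above, scripted and checked, as an added example that is not part of the original post. It edits only the entries the page lists (the protocol variables, the web ports, the portal URL and the Forms wallet directory) and then verifies that they agree with each other before AutoConfig is run. Assumptions: each AutoConfig entry is one line whose element carries an oa_var="s_..." attribute with the value between the tags; the sample file written by write_sample_ctx is a constructed stand-in for a few lines of visclone_visclone.xml, not the real context file; values contain no '&' or '|' characters, since they go into a sed replacement unescaped.

```shell
#!/bin/sh
# Added example (not from the original post): script the context-file edits of
# the "Configuring SSL with HTTP server" step and check them for consistency.
# Assumption: every entry is a single line of the form
#   <tag oa_var="s_name" ...>value</tag>
# and values contain neither '&' nor '|'.

# ctx_get FILE VAR -> prints the current value of oa_var="VAR".
ctx_get() {
  sed -n 's|.*oa_var="'"$2"'"[^>]*>\([^<]*\)<.*|\1|p' "$1"
}

# ctx_set FILE VAR VALUE -> rewrites the value (through a temp file, so it
# works with both GNU and BSD sed).
ctx_set() {
  sed 's|\(oa_var="'"$2"'"[^>]*>\)[^<]*<|\1'"$3"'<|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enable_ssl_ctx FILE WALLET_DIR [PORT] -> the edits listed on the page:
# protocol variables to https, the web ports to 443, the portal URL to
# https:// with the old web port dropped, and the Forms wallet directory.
enable_ssl_ctx() {
  f=$1; wallet=$2; port=${3:-443}
  for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol s_frmConnectMode; do
    ctx_set "$f" "$v" https
  done
  ctx_set "$f" s_webssl_port "$port"
  ctx_set "$f" s_active_webport "$port"
  ctx_set "$f" s_webport "$port"
  portal=$(ctx_get "$f" s_apps_portal_url | sed 's|^http://\([^:/]*\)\(:[0-9]*\)*|https://\1|')
  ctx_set "$f" s_apps_portal_url "$portal"
  ctx_set "$f" s_forms60_wallet "$wallet"
}

# ctx_check FILE -> 0 if the SSL-related values agree with each other, 1 otherwise.
ctx_check() {
  f=$1; rc=0
  for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol s_frmConnectMode; do
    [ "$(ctx_get "$f" "$v")" = https ] || { echo "FAIL: $v is not https"; rc=1; }
  done
  [ "$(ctx_get "$f" s_active_webport)" = "$(ctx_get "$f" s_webssl_port)" ] \
    || { echo "FAIL: s_active_webport differs from s_webssl_port"; rc=1; }
  case "$(ctx_get "$f" s_apps_portal_url)" in
    https://*) ;;
    *) echo "FAIL: s_apps_portal_url is not an https URL"; rc=1 ;;
  esac
  [ -n "$(ctx_get "$f" s_forms60_wallet)" ] || { echo "FAIL: s_forms60_wallet is empty"; rc=1; }
  return $rc
}

# write_sample_ctx FILE -> a constructed stand-in for the handful of entries
# in visclone_visclone.xml that this step touches (not a real context file).
write_sample_ctx() {
  cat > "$1" <<'EOF'
<url_protocol oa_var="s_url_protocol">http</url_protocol>
<local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
<webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
<frmConnectMode oa_var="s_frmConnectMode">http</frmConnectMode>
<apps_portal_url oa_var="s_apps_portal_url">http://visclone.oneapps.com:8000/oa_servlets/AppsLogin</apps_portal_url>
<webssl_port oa_var="s_webssl_port" oa_type="PORT">443</webssl_port>
<active_webport oa_var="s_active_webport" oa_type="PORT">8000</active_webport>
<webport oa_var="s_webport" oa_type="PORT">8000</webport>
<forms60_wallet oa_var="s_forms60_wallet"></forms60_wallet>
EOF
}

# Usage: sh ctx_ssl.sh /u01/oracle1/visappl/admin/visclone_visclone.xml \
#            /u01/oracle1/viscomn/admin/certs/forms
if [ "$#" -ge 2 ]; then
  cp "$1" "$1.bak"                 # keep a copy; AutoConfig rewrites from this file
  enable_ssl_ctx "$1" "$2" "$3" && ctx_check "$1" && echo "OK: context file is consistent"
fi
```

Run ctx_check again after AutoConfig has been run: the values it writes back into the configuration files are only as consistent as the context file they came from.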
Bounce all services once. If Apache does not start, try starting it as the root user and check the Apache error logs. Now you can use https instead of http. In the next post I'll cover the concept of https and its advantages.
posted by Senthil Kumaran @ 10:46 PM