Winding Up SSL Implementation in Oracle Apps 11i

SSL Configuration on the Web Server: Broad-Level Steps
1.1 Create certificates using openssl (you can try OWM, Oracle Wallet Manager, as well)
1.2 Change the Context File parameters mentioned in the previous post
1.3 Run Autoconfig
1.4 Test the application

For a detailed step-by-step guide to implementing SSL on E-Business Suite, follow Metalink Note # 123718.1, 11i: A Guide to Understanding and Implementing SSL for Oracle Applications.
The above note covers SSL for the Web Server, Forms Server & Database Server. In a typical implementation you can configure SSL on just the web server node.

A Few Important Points with Respect to SSL

SSL with Multiple Middle Tier
1. If you have multiple middle tiers (server1, server2 .. serverN) with a load balancer in front of them, and you access your apps via the URL http://teachmeoracle.com, then ServerName in httpd.conf will have the value teachmeoracle.com. When generating the SSL certificate, in the create CSR (Certificate Signing Request) phase, the Common Name should be the same as ServerName in httpd.conf.
2. You can use the same certificates as long as the ServerName values in httpd.conf are the same.

Cloning SSL Instances
If you are cloning an instance already configured with SSL to a Target Instance, you need to create new certificates on the Target Instance. If the Target Instance was configured with SSL before cloning, take a backup of its SSL certificates (by default the certificates are in $IAS_ORACLE_HOME/Apache/Apache/certs/apache ssl.crt & ssl.key) and replace them after cloning.

If you are not sure about the location of the certificates, check the following directives in the Context File (*.xml file):
web_ssl_directory
web_ssl_keyfile
web_ssl_certfile
web_ssl_certchainfile
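
The Common Name/ServerName rule and the post-clone situation described above can be checked from the shell. The script below is an added example, not part of the original post or of Oracle's tooling: it compares a certificate's subject CN with ServerName and flags certificates that expire within 30 days (an assumed threshold). The certificate, the config files and the dev.example.com target name are constructed samples.

```shell
#!/bin/sh
# Added example: post-clone check that the web tier's certificate matches
# Apache's ServerName. Hostnames and files below are constructed samples.

# First ServerName value in an httpd.conf/ssl.conf file, port stripped, lower-cased.
server_name_of() {
    awk 'tolower($1) == "servername" { sub(/:[0-9]+$/, "", $2); print tolower($2); exit }' "$1"
}

# Subject Common Name of a PEM certificate, lower-cased.
cert_cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1 | tr 'A-Z' 'a-z'
}

# usage: check_cert <cert.pem> <httpd.conf>
# returns 0 = OK, 1 = name mismatch, 2 = inputs unreadable, 3 = expires within 30 days
check_cert() {
    cn=$(cert_cn_of "$1")
    sn=$(server_name_of "$2")
    if [ -z "$cn" ] || [ -z "$sn" ]; then
        echo "UNKNOWN: could not read CN or ServerName"; return 2
    fi
    if [ "$cn" != "$sn" ]; then
        echo "MISMATCH: certificate CN=$cn but ServerName=$sn"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; then
        echo "EXPIRING: certificate for $cn expires within 30 days"; return 3
    fi
    echo "OK: CN and ServerName are both $cn"
}

# Build constructed sample data in directory $1: a throwaway self-signed
# certificate for the source name, plus source and cloned-target config files.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=teachmeoracle.com" \
        -keyout "$1/ssl.key" -out "$1/ssl.crt" 2>/dev/null
    printf 'ServerName teachmeoracle.com:443\n' > "$1/source.conf"
    printf 'ServerName dev.example.com\n' > "$1/target.conf"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    check_cert "$d/ssl.crt" "$d/source.conf" || true   # OK
    check_cert "$d/ssl.crt" "$d/target.conf" || true   # MISMATCH, as after a clone
    rm -rf "$d"
}
demo
```

On a real instance, call check_cert with the certificate file named by web_ssl_certfile and the instance's httpd.conf.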

Performance with SSL
Yes, there will be a little performance degradation with SSL, as the server takes some time to encrypt & decrypt messages/packets between client & server, but the degradation will not be big. If you can't afford the performance hit from SSL, you can use SSL accelerators.

Related Links
123718.1 11i: A Guide to Understanding and Implementing SSL for Oracle Applications

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

8 comments
Vitaliy says January 31, 2007

You can save yourself a lot of trouble by putting a hardware Proxy/SSL-accelerator in front of your midtier.

Atul Kumar says January 31, 2007

Vitaliy

Can you elaborate on trouble ?

Yes, an SSL accelerator will improve performance on an SSL-enabled web tier, but there is additional cost associated with SSL accelerators

Vitaliy says January 31, 2007

Changing SSL certs every time you clone. Dealing with expired SSL certs. Dealing with SSL related security bugs.

While ORACLE APPS has built-in SSL functionality it’s not the only and not the best solution out there.

Hardware SSL-accelerator/Proxy can do a much better job on all counts.

aravind.cuddapah says October 6, 2007

We have SSL enabled, but as said in cloning SSL-enabled instances, we never take a backup of ssl.crt & ssl.key. We never had any issues though we did not take the backup. Can you please brief on this? What exactly happens if we don't take the backup of ssl.crt and ssl.key?

Thanks
Aravind Cuddapah

aravind.cuddapah says October 6, 2007

To add more: whenever we clone using an SSL-enabled instance, all these ssl.crt and ssl.key directories are replaced with the source's. But we never had any problems.

Thanks
Aravind Cuddapah

Atul says October 6, 2007

Hi Arvind,
First, to understand: ssl.crt contains your ServerName (the ServerName directive in httpd.conf/ssl.conf). This server name will be the same as the MachineName on which apps is installed if you access apps using that name; else it will be the load balancer name.

Now if you clone an instance from oNlineAppsDBA to DevoNlineApps, the certificate on the target instance will still be that of the source, i.e. oNlineAppsDBA. You will not hit any issues, but users will get a warning while accessing the page that the ServerName on the certificate doesn't match the actual server, asking whether they wish to continue.

If you are using SSL on the target instance as well and you delete ssl.crt & ssl.key from the target, you will not be able to start the web server.

Do let me know if this is clear now.

Atul

sanjeev nanda says March 4, 2012

Hi Atul,
Can you guide me on how to renew the SSL certificate in E-Business Suite?

Regards
sanjeev
