  • SSL in Oracle Apps 11i / R12

    Posted by "" in "ssl" on 2007-10-04


    To understand SSL in Oracle Applications 11i & R12, let's first understand the

    Components in Apps which can listen for SSL Requests
    ———————————————
    1. Load balancer (if you have one between clients and oracle apps)
    2. Web Server (11i web server built on Oracle Apache)
    3. Forms Server (only if Forms are configured for the Forms Listener, the default method in 11i. In Servlet mode, Forms requests are fulfilled by the Web Server and you don’t run a separate Forms Server) – For more on this, see my post Forms Listener & Forms Servlet Listener
    4. OC4J Oracle Container for Java (only in R12 and not in 11i)
    5. Database

    So you can configure SSL in Oracle Applications as
    ————————————————————–
    1. From Client (browser) to Load Balancer as SSL; from the LB to all other Apps components Non SSL (for this the Load Balancer must have SSL acceleration capability: it decrypts client requests arriving as SSL and forwards them to the Web Server as Non SSL, receives the Non SSL response from the Web Server, encrypts it and returns it to the user as SSL) – Web Server, Forms & Database all run Non SSL

    If you don’t have a Load Balancer (or one with SSL acceleration) then

    2. From Client (browser) to the Web Server as SSL, and from the Web Server to the other components as Non SSL (Forms, Database..) – Web Server should be configured for HTTPS

    3. SSL up to the Web Server and Forms, and from these to the Database as Non SSL (Forms and Web Server should be configured for HTTPS)

    4. All the way till database on SSL (Web Server, Forms & Database all should be configured for SSL)

    Option 1 i.e. Configure SSL for Apps where SSL terminates at the Load Balancer (BigIP or F5 SSL accelerator)
    —————————–
    This configuration is based on the following assumptions

    1. Connection from Browser to Load Balancer is SSL (HTTPS) i.e. the Load Balancer is configured to listen on an SSL port
    2. Connection from Load Balancer to server is Non SSL (HTTP) i.e. the Apps Web Server is listening on a Non SSL port
    3. Conversion of SSL to Non SSL (requests coming from the user to the server) and Non SSL to SSL (responses served by the web server and returned to the user) is done by the load balancer (SSL accelerator). Examples of such SSL accelerators are F5 or BigIP
    4. The Load Balancer (also acting as SSL Accelerator) is doing port translation. To understand port translation, think of the Load Balancer listening on port 443 (SSL port) whereas the web server is listening on a Non SSL port like 8000. The load balancer routes all requests coming from users on port 443 to the server listening on 8000 (translating the port to 8000).

    Configuration
    In the Context File (at $APPL_TOP/admin/$CONTEXT_NAME.xml) change the following parameters:

    1. s_webentryhost to load balancer name
    2. s_webentrydomain to load balancer domain-name
    3. s_active_webport to load balancer port
    4. s_webentryurlprotocol to load balancer protocol, https or http
    5. s_login_page to $s_webentryurlprotocol://$s_webentryhost.$s_webentrydomain:$s_active_webport/oa_servlets/AppsLogin

    Other similar parameters in the context file, which you don’t change:

    s_webhost : Actual Host Name of Server on which 11i is installed
    s_webdomain: Actual Domain-name of Server on which 11i is installed
    s_webport : actual port on which HTTP Server for 11i is listening
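    A consistency check for the context-file values listed above, written as an added example (not code from the original post): it derives the expected s_login_page from the four s_webentry* values and flags the load-balancer-specific mistakes the post warns about, such as leaving the actual server name in s_webentryhost. The XML fragment is constructed for illustration and assumes the context file's layout of oa_var elements with a name attribute.

```python
"""Consistency check for the AutoConfig context-file values used when SSL
terminates at a load balancer.  Added example, not from the original post.
Assumes the context file's layout of <oa_var name="..."> elements; the XML
below is a constructed fragment, not a real $CONTEXT_NAME.xml."""
import xml.etree.ElementTree as ET

# Constructed fragment: load-balancer values (s_webentry*) differ from the
# actual server values (s_webhost/s_webdomain/s_webport), as the post requires.
SAMPLE_CONTEXT_XML = """<oa_context>
  <oa_var name="s_webhost">appsnode1</oa_var>
  <oa_var name="s_webdomain">example.com</oa_var>
  <oa_var name="s_webport">8000</oa_var>
  <oa_var name="s_webentryhost">lbrName1</oa_var>
  <oa_var name="s_webentrydomain">example.com</oa_var>
  <oa_var name="s_active_webport">443</oa_var>
  <oa_var name="s_webentryurlprotocol">https</oa_var>
  <oa_var name="s_login_page">https://lbrName1.example.com:443/oa_servlets/AppsLogin</oa_var>
</oa_context>"""

REQUIRED = ("s_webhost", "s_webdomain", "s_webport", "s_webentryhost",
            "s_webentrydomain", "s_active_webport", "s_webentryurlprotocol",
            "s_login_page")


def load_vars(xml_text):
    """Map every oa_var name to its text value."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): (e.text or "").strip() for e in root.iter("oa_var")}


def expected_login_page(v):
    """The s_login_page value the post derives from the webentry variables."""
    return "%s://%s.%s:%s/oa_servlets/AppsLogin" % (
        v["s_webentryurlprotocol"], v["s_webentryhost"],
        v["s_webentrydomain"], v["s_active_webport"])


def check_lb_ssl(v):
    """Return findings for the LB SSL-termination layout; [] means consistent."""
    findings = []
    for name in REQUIRED:
        if not v.get(name):
            findings.append("missing or empty: " + name)
    if findings:
        return findings
    if v["s_webentryurlprotocol"] != "https":
        findings.append("s_webentryurlprotocol is %r: browser-to-LB leg is not SSL"
                        % v["s_webentryurlprotocol"])
    if v["s_login_page"] != expected_login_page(v):
        findings.append("s_login_page should be " + expected_login_page(v))
    if v["s_webentryhost"] == v["s_webhost"]:
        findings.append("s_webentryhost still names the actual server, not the LB entry")
    if v["s_active_webport"] == v["s_webport"]:
        findings.append("s_active_webport equals s_webport: LB port translation "
                        "(e.g. 443 -> 8000) is not reflected")
    return findings


if __name__ == "__main__":
    for line in check_lb_ssl(load_vars(SAMPLE_CONTEXT_XML)) or ["context file consistent"]:
        print(line)
```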

    Things to consider while doing SSL
    —————————————————–
    1. If you are using dummy or self-signed certificates, your forms will not open via Jinitiator and you will hit an error message like “load class oracle/apps/fnd/formsClient/FormsLauncher.class not found”. This is because the Dummy CA is not listed in Jinitiator’s repository of valid CAs (Certifying Authorities) at $install_location_of_jinitiator_on_client_pc\lib\security\certdb

    Fix: Include the Dummy (non-standard) Certifying Authority’s certificate at $install_location_of_jinitiator_on_client_pc\lib\security\certdb (on the client machine)

      How to add a CA’s certificate in Jinitiator on the client machine & how to get test certificates: coming soon..

    2. If you are terminating SSL at the Load Balancer and the domain name of the load balancer differs from the domain name of the server, then login to OAM may fail because of different cookie domain values. Check “session.topleveldomain” in zone.properties
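    The check a practitioner would want before editing certdb.txt on every client, added here as an example (not from the post): it parses the PEM blocks in a CA chain file and in Jinitiator's certdb.txt, reports which chain certificates certdb.txt lacks, and builds the text to append. The certificate bytes and certdb.txt contents are constructed stand-ins; the Thawte subject names are the ones quoted in the discussion below.

```python
"""Check whether every certificate in a CA chain is already present in
Jinitiator's certdb.txt, and build the text to append if not.  Added example,
not from the original post.  Certificates are matched by SHA-1 fingerprint of
the DER bytes, so line wrapping and '# Subject Name:' comment lines are ignored."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(text):
    """SHA-1 fingerprint of each PEM certificate in text, in file order."""
    out = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        out.append(hashlib.sha1(der).hexdigest())
    return out


def missing_from_certdb(chain_pem, certdb_text):
    """Fingerprints of chain certificates that certdb.txt does not contain."""
    present = set(fingerprints(certdb_text))
    return [fp for fp in fingerprints(chain_pem) if fp not in present]


def certdb_addendum(chain_pem, certdb_text, subject_names):
    """Text to append to certdb.txt: a '# Subject Name:' comment plus the PEM
    block for each missing certificate; subject_names gives one label per
    certificate in chain_pem."""
    present = set(fingerprints(certdb_text))
    parts = []
    for match, subject in zip(PEM_BLOCK.finditer(chain_pem), subject_names):
        der = base64.b64decode("".join(match.group(1).split()))
        if hashlib.sha1(der).hexdigest() not in present:
            parts.append("# Subject Name: %s\n%s\n" % (subject, match.group(0)))
    return "".join(parts)


def fake_pem(label):
    """Constructed stand-in for a certificate: real files hold DER-encoded
    X.509, but the comparison above only needs decodable base64."""
    body = base64.b64encode(("constructed DER for " + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed certdb.txt that holds only the Thawte Server CA entry, and a
# chain that also carries the Thawte Premium Server CA, which it lacks.
CERTDB_TXT = ("# Subject Name: CN=Thawte Server CA, OU=Certification Services "
              "Division, O=Thawte Consulting cc, C=ZA\n" + fake_pem("Thawte Server CA"))
CHAIN_CRT = fake_pem("Thawte Premium Server CA") + fake_pem("Thawte Server CA")
CHAIN_SUBJECTS = ["CN=Thawte Premium Server CA, OU=Certification Services Division, "
                  "O=Thawte Consulting cc, C=ZA",
                  "CN=Thawte Server CA, OU=Certification Services Division, "
                  "O=Thawte Consulting cc, C=ZA"]

if __name__ == "__main__":
    print(missing_from_certdb(CHAIN_CRT, CERTDB_TXT))
    print(certdb_addendum(CHAIN_CRT, CERTDB_TXT, CHAIN_SUBJECTS))
```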

    What is different w.r.t. SSL in 11i & R12
    ———————————————————–
    In 11i the Web Server certificates (public key & private key) are stored as text files on the server, whereas in R12 the Web Server certificates are stored in Wallets (Oracle Wallet – OWM)

    P.S. Forms & Database certificates in both 11i & R12 are stored in Wallets (Oracle Wallet Manager)

    33 Responses to “SSL in Oracle Apps 11i / R12”

    1. nhawi says:

      I have this error when trying to start my application R12
      adopmnctl.sh exiting with status 2

      kindly advice

    2. Atul says:

      Nhawi,
      Check opmnctl log at 10.1.3 ORACLE_HOME/opmn/logs

      It should most probably be in $INST_TOP/ora/10.1.3/opmn/logs

      If you don’t see logs there, let me know and I’ll log in to my test server.

      Update us with the error message and I will try to find the cause of this R12 startup issue

    3. mmuhtadi says:

      Boss,

      I configured SSL for the HTTP Server only of our test apps instance. When you navigate the system through the HTML-based applications everything is working fine with SSL, but when invoking any Form-based module the JInitiator hangs and the following errors appear in the Java Console:
      WARNING: Unable to cache https://p2es.kockw.com:8007/OA_JAVA/oracle/apps/fnd/jar/fndlist.jarload: class oracle/apps/fnd/formsClient/FormsLauncher.class not found.java.lang.ClassNotFoundException: java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: SSLBadParameterErr

      Please advise where the problem could be? I don’t need the form layer and the database layer to be configured with ssl, only the web server layer.

    4. Atul says:

      MMuhtadi,
      You configured SSL but the CA (certifying authority – the chained one) is not in Jinitiator’s list of CAs, so add it in $install_dir_of_jinit\lib\security\certdb.txt

      Check Metalink notes # 373736.1, 387822.1

    5. mmuhtadi says:

      Atul,

      Thank you for the reply, but it is mentioned in the Note 373736.1 that: “Select your working directory on the server ($COMMON_TOP/admin/certs/forms)”, but I didn’t configure SSL for Forms Layer, so how could I find the above mentioned directory ? I only have $COMMON_TOP/admin/certs/apache ?

      Waiting for your reply.

      Mohammad Muhtadi

    6. Atul says:

      mmuhtadi,
      I don’t think you are interested in configuring SSL on Forms, and it’s not required.

      You should install the CA (certifying authority) certificates in the client Jinitiator (on all client machines) in the above-mentioned location.

      For more info & discussion check http://teachMeOracle.com/forum

    7. mmuhtadi says:

      Atul,

      What I did exactly: I copied the apache_1024.crt from the server to my client machine using bin mode, then I opened the certificate, then I exported it to a file, then I copied the contents of the file which starts with “BEGIN CERTIFICATE” and ends with “END CERTIFICATE” and appended it to the certdb.txt file which is located in my JInitiator home directory. After all of that I still have the java exception ??

      Any ideas ???

      M.Muhtadi

    8. mmuhtadi says:

      Atul,

      If SSL is not configured for Forms Layer, why shall I inform the JInitiator with the certified list of certificates ?????

    9. amuhtadi says:

      hi mmuhtadi, i think im ur brother , i was searching in the same website:)

    10. Rick says:

      Hi Atul,

      I faced the same problem too when trying to launch SSL for web services only. The error I get is “Opening ….FormsLauncher/class.class” and the forms do not pop up. I read from certain sources that one workaround is to include the cert in the certdb.txt file.

      Now, I have one question: if I purchase a commercial cert from one of the CAs that are specified in the certdb.txt file, for example Thawte, does that mean that I do not need to manually include it in the certdb.txt file?

      Appreciate your help greatly. Thanks

    11. Rick says:

      Hi Atul,

      Thanks for any comments

    12. Atul Kumar says:

      Rick,
      For all standard certificates like Thawte or Verisign you do not need to include them in certdb.txt, as they are pre-included in certdb.txt

    13. Rick says:

      Hi Atul,

      The reason why I’m asking is because we actually purchased a thawte SSL web server cert but we still hit the problem.

      Upon investigation, we found that the default cert for Thawte that is in the certdb.txt file is actually meant for the SSL 123 cert, not the web server cert, since both certs are signed using different root CAs; see the example below:

      Default entry in certdb.txt:
      “# Subject Name: CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, C=ZA”

      Web server purchased:
      “CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, C=ZA”

      We checked with Thawte and they suspect that if we have purchased a SSL 123 cert in the first place, this problem would not have surfaced.

      Do you think this will work instead?

      Thank you

    14. Atul Kumar says:

      Rick,
      Is there an intermediary CA as well in the certificate from Thawte?

      Mail me the certificate at atul [at] onlineappsdba.com and your Jinitiator version, or simply open the CA and intermediary CA (if any) and then compare whether the same value (text) exists in the certdb.txt of Jinitiator

      If it exists then it should work; if not, it will not work and you need to rebuild Jinitiator.

    15. Rick says:

      Hi Atul,

      We tried rolling out with a SSL 123 cert and it works fine. Thanks for the assistance rendered!

    16. anilftg1 says:

      Hi,
      I am configuring on the TEST server; our server is oatest.abclife.com and it is listening on port 10515.
      I got the certificate from Verisign and did the steps.
      1. Install the certificate on the Windows side, also install the certificate server.cer under
      $COMMON_TOP/admin/certs/ssl.crt and also the key under the ssl.key dir.
      According to the Metalink doc, I changed the xml file.
      1. s_webentryhost is oatest
      2. s_webentrydomain to abclife.com
      3. s_active_webport to 10515
      4. s_webentryurlprotocol to https
      5. s_login_page to http://oatest.abcife.com:10515/oa_servlets/AppsLogin

      I put the correct entry in the httpd.conf file.
      I tried everything but my page is not coming up. The networking guy says the port behind the firewall is open.
      When I checked, the connection on 10515 is connected; when I did it with 443 it is not connected.
      Here is httpd.conf entry.
      SSLCertificateFile
      /testapp/applmgr/common/admin/certs/apache/ssl.crt/server.crt

      SSLCertificateKeyFile
      /testapp/applmgr/common/admin/certs/apache/ssl.key/server.key
      SSLCertificateChainFile
      /testapp/applmgr/common/admin/certs/apache/ssl.crt/ca.crt
      Port 10515 I changed to 443 also but no success
      Listen 10515

      #
      Listen 443
      Where am I going wrong, so that my HTTPS works, like https://oatest.abc.com:443

      Thanks
      Anil

    17. Atul Kumar says:

      Anil,
      Is this 11i or R12 ?

      You mentioned

      Listen 10515
      #
      Listen 443

      Are there two Listen ports? (This is impossible unless you use a virtual host.)

      1. Which is listen port ?
      2. Update output of “netstat -an | grep ”
      3. Which document you are using to configure SSL ?
      4. Is there any error in error_log or ssl_engine_log

    18. anilftg1 says:

      Hi Atul,
      I am using the 123718.1 doc, Step 3.1.1, Configuring SSL with Oracle HTTP Server using Configuration Wizards. Client is on 11.5.9. Easy steps; I don’t know where I am going wrong. I changed all the variables in the xml file according to the doc.
      My listen port is 10515 http://oatest.abclife.com:10515 works
      Here is entry in my httpd.conf file.
      Port 10515
      Listen 10515

      [appltest@oatest conf]$ netstat -an |grep 10515
      tcp 0 0 0.0.0.0:10515 0.0.0.0:* LISTEN
      Thanks
      Anil

    19. anilftg1 says:

      Hi Atul,
      I want that my https://oatest.abclife.com:10515 should works.
      Thanks
      Anil

    20. anilftg1 says:

      Hi,
      I checked one thing according to the doc: we have not applied patch Patch (TXK (FND) Patch O:5478710
      I will apply and change the setting and post the result.
      Thanks

    21. anilftg1 says:

      Hi Atul,
      I applied the patch but am still not able to configure. I want https://oatest.abc.com:10515 to work; without https it works fine. I am following the 123718.1 doc.
      ***************************
      set the %s_url_protocol variable to https
      set the %s_local_url_protocol variable to https
      set the %s_webentryurlprotocol variable to https
      set the %s_frmConnectMode variable to https
      set the %s_webssl_port variable to the Apache SSL port required
      set the %s_active_webport variable to the same value as that for the %s_webssl_port variable
      set the %s_webport variable to the same value as that for the %s_webssl_port variable
      Note: prior to TXK (FND) AutoConfig Template Rollup Patch F (3104607 December 2003) this value was set to the non-ssl Apache Port.
      set the %s_web_ssl_directory variable to point to the full directory path of the directory that is to contain the .crt and .key files that you are using for Apache eg /admin/certs/apache
      set %s_apps_portal_url variable to https
      run AutoConfig as described in MetaLink Note 165195.1
      *************
      Where am I going wrong? If I change to 443 then in httpd.conf I see listen and port both 443.
      Please guide me. http://oatest.abc.com:10515 works fine. What should I change?
      Thanks
      Anil

    22. anilftg1 says:

      Hi Atul,
      If I change s_frmConnectMode=https it does not work, but if I leave it as socket then it works. I put s_webssl_port=10515.
      Now I can see the page when I type https://oatest.abclife.com:10515/, but after that when I click on Oracle Application Manager it works, but if I click on E-Business home page it takes me to http://oatest.abclife.com:10515/oa_servlets/AppsLogin and no page found; I am seeing no https here.
      Should it be servlet mode instead of socket mode? I don’t know. Can you tell?
      Thanks
      Anil

    23. Atul Kumar says:

      @ Anil,
      Let me understand your requirement correctly: you want to configure SSL in Apps to listen on port 10515 and for this you are following note 123718.1

      After configuring SSL, when you try to access the website using https://server.domain:10515 you get page not found

      If this is true then check

      httpd.conf and look for entry like

      Listen
      Port

      1. What is value of these two parameters ?
      2. Any error in error_log, error_log_pls, ssl_error_log … under $IAS_ORACLE_HOME/ Apache/ Apache/ logs
      3. Is machine listening on port 10515 when you start Apache

      netstat -an | grep 10515

      If not then check start up logs of Apache

    24. mtriola says:

      Atul,

      In scenario 1, where SSL terminates at the load balancer, since we are setting the s_login_page to https://load_balancer_name.lb_domain:443/oa_servlets/AppsLogin
      can you use the same load balancer for multiple E-Business Suite environments? I’m thinking no. Please advise. Thanks.

    25. Atul Kumar says:

      @mtriola, you can use the same load balancer but with a different URL i.e. https://loadbalancer2.lb_domain:443

      Note – You don’t use the actual load balancer name but an entry in the load balancer.

      You define Names/URLs in Load Balancer like

      lbrName1:443 pointing to server1:8000 & server2:8000

      or
      lbrName2:443 pointing to server1:8001 & server2:8001

    26. mtriola says:

      Thanks Atul. I understand it now.

      I have it setup so the load balancer forwards port 443 (oratstapp.monster.com:443) to 8080, which is my apache server (have 2 but only 1 running for testing). I can get to the initial page but when trying to login, I get a page cannot be displayed.

      https://oratstapp.monster.com >>>works

      when I try to Login it tries to connect to the below, without success. I turned on Apache debug but I’m not seeing anything in the logs. Any suggestions?

      https://oratstapp.monster.com/OA_HTML/fndvald.jsp >>>>fails with page cannot be displayed

    27. Atul Kumar says:

      @ Mtriola
      Which document are you following to configure the load balancer in front of Apps?

    28. mtriola says:

      123718.1 as well as your information.

    29. mtriola says:

      Atul,

      I figured out my mistake. I had left the loadbalancer’s actual name in the s_webentryhost variable. I updated it to oratstapp and now its working. Thanks for setting me straight.

    30. rizwan ghadiyali says:

      Hi Atul ,

      Access to forms from the load balancer (through SSL) is slow while directly accessing through the server is fast. We are using Jinitiator and JPI both. We are facing this issue while using JPI but not with Jinitiator. Any idea why this is happening?

    31. Atul Kumar says:

      @ rizwan ghadiyali,
      This could be because of many reasons; to understand the issue:

      1. Which load balancer are you using?
      2. Is SSL terminating at the load balancer or do you have SSL all the way to the forms server?

      3. Is the forms server running in socket mode or servlet listener mode?

    32. rizwan ghadiyali says:

      Answering your question

      1) we are using webcache as software load balancer

      2) SSL is terminating at load balancer

      3) We are using Oracle Application Server 10.1.2.3 so I am not able to find the adformsctl.sh utility .. So how do I check this?

    33. […] SSL with Custom Certificates and Certifying Authority. For SSL in Oracle E-Business Suite click here, SSL in Oracle Internet Directory (OID) click here , SSL in Oracle Virtual Directory (OVD) […]
