Creating a Certificate and Configuring SSL in Oracle Apps 11i


OS : Redhat Linux 4.5
Apps : 11i(11.5.10.2)
Webserver : Apache

Set the following environment variables (the values are for this example host; adjust them to your own tree):
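# Environment for the OpenSSL bundled with iAS. The instance name (sarora) and
# context directory (sar_sys45) are this example's; change them for your host.
export SCRIPT_TOP="$COMMON_TOP/admin/scripts/sar_sys45"
export APACHE_TOP=/oracle/app/apps/sarora/iAS/Apache
export OPENSSL_TOP="$APACHE_TOP/open_ssl"
# OPENSSL_CONF must name the configuration *file*, not a directory: the original
# pointed it at $OPENSSL_TOP/bin, which openssl cannot load as a config.
# Adjust the file name/location if your iAS tree keeps it elsewhere.
export OPENSSL_CONF="$OPENSSL_TOP/bin/openssl.cnf"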

Edit the AutoConfig context XML file under $APPL_TOP/admin and set these context variables:
set the s_url_protocol variable to https

set the s_local_url_protocol variable to https
set the s_webentryurlprotocol variable to https
set the s_frmConnectMode variable to https
set the s_webssl_port variable to the Apache SSL port required
set the s_active_webport variable to the same value as that for the s_webssl_port variable
set the s_webport variable to the same value as that for the s_webssl_port variable
set the s_web_ssl_directory variable to the full path of the directory that is to contain the .crt and .key files used by Apache
eg <$COMMON_TOP>/admin/certs/apache
set the s_apps_portal_url variable to https

Stop the Apps services.

Run AutoConfig so the configuration files are regenerated from the updated context file.


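# Working directory for the private CA. The directory is owner-only, and so is
# private/, which will hold the CA key (the single most sensitive file here).
mkdir -p sslcert
chmod 0700 sslcert
cd sslcert || exit 1
mkdir -p certs private
chmod 0700 private
# "openssl ca" takes the next serial number from serial and records every
# certificate it issues in certindex.txt; both must exist before the first run.
echo '100001' > serial
touch certindex.txt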


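# 1. CA key and self-signed CA certificate.
#    rsa:2048 / SHA-256 replace the original rsa:1024 / MD5 (both are refused or
#    flagged by current clients; SHA-256 needs OpenSSL 0.9.8 or newer — if the
#    bundled openssl is older, generate the material with the OS openssl).
#    -extensions v3_ca picks the CA:TRUE section of openssl.cnf, which nothing
#    on the original page selected. -days 10000 (~27 years) is kept from the
#    original; shorten it if your policy requires.
openssl req -x509 -newkey rsa:2048 -sha256 -extensions v3_ca \
  -keyout private/cakey.pem -out cacert.pem -days 10000 -config openssl.cnf
# The listing on the original page showed cakey.pem as -rw-r--r-- (world
# readable). Anyone who can read this file can issue certificates your Apache
# users trust, so make it owner-only.
chmod 0600 private/cakey.pem

# 2. Server key and certificate request in one step.
#    (The original generated a self-signed certificate and turned it back into
#    a request with "x509 -x509toreq"; a plain -new request gives the same CSR
#    without the detour.)
#    -nodes leaves the key unencrypted so Apache can start unattended — file
#    permissions are then its only protection.
#    Common Name must be the hostname in the URL (for example sys43.doyen.in).
openssl req -nodes -new -newkey rsa:2048 -sha256 \
  -keyout apache.key -out apache.csr -config openssl.cnf
chmod 0600 apache.key

# 3. Sign the request with the CA. policy_anything must be defined in the
#    openssl.cnf you pass (the stock OpenSSL config has it); otherwise use
#    -policy policy_match and give the same C/ST/O as the CA.
openssl ca -config openssl.cnf -policy policy_anything -md sha256 \
  -out apache.crt -infiles apache.csr

# Expected: cacert.pem, private/cakey.pem (0600), apache.key (0600),
# apache.csr, apache.crt; certs/ holds the CA's own copy of each issued cert.
ls -lrt . private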


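# Install into the iAS Apache tree. The original hard-coded
# /oracle/app/apps/testora/... here while the exports above named sarora;
# deriving the path from APACHE_TOP keeps the two consistent.
# NOTE(review): if the AutoConfig-generated SSL config reads the files from
# s_web_ssl_directory (e.g. $COMMON_TOP/admin/certs/apache) rather than from
# conf/ssl.crt, copy them there instead — confirm against the generated config.
cp -f apache.crt "$APACHE_TOP/Apache/conf/ssl.crt/server.crt"
cp -f apache.key "$APACHE_TOP/Apache/conf/ssl.key/server.key"
cp -f cacert.pem "$APACHE_TOP/Apache/conf/ca.crt"
# The unencrypted server key must be readable only by the account that starts
# Apache; the original copy inherited -rw-r--r--.
chmod 0700 "$APACHE_TOP/Apache/conf/ssl.key"
chmod 0600 "$APACHE_TOP/Apache/conf/ssl.key/server.key"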

Start the Apps services.

If the SSL port is a privileged port (below 1024), Apache must be started as root, so run the Apache control script as root:

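# The script lives under $COMMON_TOP/admin/scripts/<SID>_<host>; SCRIPT_TOP
# (set in the environment step) already names that directory, so use it
# instead of the "_" placeholder from the original.
sh "$SCRIPT_TOP/adapcctl.sh" start
# e.g. for context TEST_sys43:
#   sh /oracle/app/apps/testcomn/admin/scripts/TEST_sys43/adapcctl.sh start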


----------------------------------------------------------------------------------------
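# Subject as issued — should show the CN you entered (-noout suppresses
# re-printing the PEM body).
openssl x509 -noout -subject -in apache.crt
# Full decode: confirm Issuer is your CA, the validity window, and the key
# size / signature algorithm you asked for.
openssl x509 -noout -text -in apache.crt
# End-to-end check against the running listener. -CAfile lets s_client verify
# the chain (without it every self-issued cert "fails" verification); look for
# "Verify return code: 0 (ok)". </dev/null stops s_client waiting on stdin.
openssl s_client -connect host.domain:sslport -CAfile cacert.pem </dev/null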

See the Metalink (My Oracle Support) notes:
123718.1 ==> 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
300969.1 ==> Troubleshooting SSL with Oracle Applications 11i

Creating a Certificate and Configuring SSL on Red Hat Linux 4.5 (standalone Apache)

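# CA working directory for the standalone Apache case. Two slips in the
# original are fixed here: chmod was applied to the relative name "sslcert"
# after creating "/sslcert", and the config file was created as "openssl.conf"
# while every later command reads "openssl.cnf".
mkdir -p /sslcert
chmod 0700 /sslcert
cd /sslcert || exit 1
mkdir -p certs private
chmod 0700 private
echo '100001' > serial
touch certindex.txt
touch openssl.cnf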
Edit /sslcert/openssl.cnf and paste in the content below, up to the "###End openssl" marker:
=====================================================================
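#
# OpenSSL configuration file for the private CA under /sslcert.
#
# Changes from the original: SHA-256 instead of MD5 for every signature,
# 2048-bit keys instead of 1024, a policy_anything section (the page's
# "openssl ca -policy policy_anything" fails without it), and x509_extensions
# so that "openssl req -x509" produces a real CA certificate and "openssl ca"
# issues v3 end-entity certificates (CA:FALSE) instead of extension-less v1.
#

# Establish working directory.

dir = /sslcert

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256 # MD5 is collision-broken; never sign with it
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
x509_extensions = v3_req # issued certs carry basicConstraints CA:FALSE

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Accept any subject; select with "openssl ca -policy policy_anything".
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys (1024-bit RSA is no longer accepted by clients)
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca # used by "openssl req -x509", i.e. the self-signed CA step

[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US

# Extensions for the CA certificate.
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# Extensions for requests and for certificates issued by "openssl ca".
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

#
###End openssl
#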
=====================================================================

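# Same sequence as in the Apps section, run inside /sslcert against the
# openssl.cnf created above.
cd /sslcert || exit 1

# CA key + self-signed CA certificate (2048-bit, SHA-256 — needs OpenSSL 0.9.8
# or newer; the original used rsa:1024 with MD5). -extensions v3_ca selects the
# CA:TRUE section of the config.
openssl req -x509 -newkey rsa:2048 -sha256 -extensions v3_ca \
  -keyout private/cakey.pem -out cacert.pem -days 10000 -config openssl.cnf
chmod 0600 private/cakey.pem

# Server key and CSR directly (no self-signed-then-x509toreq detour).
# -nodes: unencrypted key so Apache starts unattended — protect it by mode.
# Common Name must be the hostname in the URL (for example sys43.doyen.in).
openssl req -nodes -new -newkey rsa:2048 -sha256 \
  -keyout apache.key -out apache.csr -config openssl.cnf
chmod 0600 apache.key

# Sign the CSR with the CA. The original instead self-signed it with
# "x509 -req -signkey apache.key -days 10": that certificate has no relation to
# cacert.pem (so installing ca.crt below was pointless) and expires after ten
# days. policy_match, as defined in openssl.cnf, requires Country / State /
# Organization to be identical to the CA's — enter the same values for both
# requests. Validity defaults to default_days (365) unless -days is given.
openssl ca -config openssl.cnf -policy policy_match -md sha256 \
  -out apache.crt -infiles apache.csr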

Install the certificate, key and CA certificate under /etc/httpd/conf:

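# Install for the system Apache (mod_ssl locations used by this page).
cp -f apache.crt /etc/httpd/conf/ssl.crt/server.crt
cp -f apache.key /etc/httpd/conf/ssl.key/server.key
cp -f cacert.pem /etc/httpd/conf/ca.crt
# The server key is unencrypted (-nodes), so its mode is its only protection:
# owner-only directory and file. The root-owned httpd parent reads it at
# startup, so 0600 does not get in Apache's way.
chmod 0700 /etc/httpd/conf/ssl.key
chmod 0600 /etc/httpd/conf/ssl.key/server.key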

Restart Apache so it loads the new certificate and key.
==================================================
Verify the issued certificate and the listener:
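# Subject as issued — should show the CN you entered (-noout suppresses
# re-printing the PEM body).
openssl x509 -noout -subject -in apache.crt
# Full decode: confirm Issuer is your CA (not the server itself), the validity
# window, and the key size / signature algorithm you asked for.
openssl x509 -noout -text -in apache.crt
# End-to-end check against the running listener. -CAfile lets s_client verify
# the chain; look for "Verify return code: 0 (ok)". </dev/null stops s_client
# waiting on stdin.
openssl s_client -connect host.domain:sslport -CAfile cacert.pem </dev/null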

# Kernel parameters in sysctl key = value form (presumably /etc/sysctl.conf
# entries for the 11i host). They are not part of the SSL procedure and are
# reproduced here as found; review them against your own sizing before use.
kernel.shmall = 2097152
kernel.shmmax=4294967295
kernel.shmmni = 4096
kernel.sem = 256 32000 100 142
fs.file-max = 206173
kernel.msgmnb=65535
kernel.msgmni=2878
net.ipv4.ip_local_port_range = 10000 65000
net.core.rmem_default=262144
net.core.wmem_default=262144
net.core.rmem_max=262144
net.core.wmem_max=262144

# Verbatim repeat of the twelve sysctl settings listed immediately above;
# only one copy is needed in sysctl.conf.
kernel.shmall = 2097152
kernel.shmmax=4294967295
kernel.shmmni = 4096
kernel.sem = 256 32000 100 142
fs.file-max = 206173
kernel.msgmnb=65535
kernel.msgmni=2878
net.ipv4.ip_local_port_range = 10000 65000
net.core.rmem_default=262144
net.core.wmem_default=262144
net.core.rmem_max=262144
net.core.wmem_max=262144