Enable SSL For EBS R12.1



by Himanshu - March 27, 2013


In this post, I am sharing how to implement SSL for EBS R12 from the command line using orapki.

Steps to set up SSL:

1. Create New Wallet
2. Create a Certificate Request
3. Upload Certificate to Wallet
4. Modify the OPMN wallet
5. Import certs to cacerts
6. Update the Context File
7. Settings for DB Tier

Note: Wildcard certificates are not allowed with this method, and it enables only TLS 1.0.

Create New Wallet

Log in to the EBS application server and source the environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.

1. Navigate to $INST_TOP/ora/10.1.3 and source the env file to set your 10.1.3 ORACLE_HOME variables.

2. Navigate to the $INST_TOP/certs/Apache directory.

3. Take a backup of the existing wallet files to a backup directory.

4. Create a new wallet using the orapki utility as below.

bash-4.1$ cd $INST_TOP/certs/Apache

bash-4.1$ orapki wallet create -wallet . -auto_login -pwd apps123

bash-4.1$ ls -ltr

total 16

-rw------- 1 oracle dba 7912 Mar 15 15:26 ewallet.p12

-rw------- 1 oracle dba 7940 Mar 15 15:26 cwallet.sso

Create a Certificate Request


Create a new certificate request file by passing the appropriate details as input; the request is used for generating an SSL certificate.

1. The details below must be supplied to generate the CSR file.

Common Name: name of the server with domain, e.g. funebs121.lab

Organizational Unit: the unit within your organization, e.g. HR

Organization: the name of your organization, e.g. Funlab

Locality/City: your locality or city, e.g. Delhi

State/Province: the full name of your State or Province - do not abbreviate,

Country: select the country from the drop-down list, e.g. IN

Keysize: encryption level; minimum is 1024, recommended value is 2048

3. Use the commands below to generate the certificate request file and export it.

$ orapki wallet add -wallet . -dn "CN=funebs121.lab,OU=IT,O=Funlab,L=Delhi,ST=Delhi,C=IN" -keysize 2048 -pwd apps123

$ orapki wallet export -wallet . -dn "CN=funebs121.lab,OU=IT,O=Funlab,L=Delhi,ST=Delhi,C=IN" -keysize 2048 -request server.txt -pwd apps123

4.            Verify the certificate request file from wallet as below.

$ cd $INST_TOP/certs/Apache/

$ orapki wallet display -wallet .

Requested Certificates:

Subject:        CN=funebs121.lab,OU=IT,O=Funlab,L=Delhi,ST=Delhi,C=IN  <-- File requested

User Certificates:

Trusted Certificates:

Subject:        CN=GTE CyberTrust Root,O=GTE Corporation,C=US

Subject:        CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        CN=Entrust.net Secure Server Certification Authority,OU=(c) 2000 Entrust.net Limited,OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.),O=Entrust.net

Then submit the generated request file (server.txt) to the certifying authority to request a self-signed certificate.

Upload Certificate to Wallet

1. As the certificate provided is self-signed, once the certifying authority provides the self-signed server certificate we need additional certificates to import it into the wallet. We need to download the root certificate and intermediate certificates in order to import the server certificate into the wallet.

Note: Save certificate in base-64 format.

2. Once the certificate is received, save the file as server.crt in $INST_TOP/certs/Apache. Also import all the root certificates of this certificate and save the certificates with the naming conventions below.

Root Certificate - ca.crt

Intermediate Certificate - intermediate_base64.cer

Server.crt - server_base64.cer

Root and intermediate certificates can be obtained from the internal certifying authority if you are using self-signed certificates.

3. FTP the certificate files to the server and place them in the $INST_TOP/certs/Apache directory.

4.            Upload these certificates to Wallet using commands as below.

bash-4.1$ cd $INST_TOP/certs/Apache

$ orapki wallet add -wallet . -trusted_cert -cert SSL/ca.crt -pwd apps123

$ orapki wallet add -wallet . -trusted_cert -cert SSL/intermediate_base64.cer -pwd apps123

$ orapki wallet add -wallet . -user_cert -cert SSL/123080_base64_certificate.cer -pwd apps123

5.            Display Wallet contents and you should see all the certificates uploaded to wallet.

bash-4.1$ orapki wallet display -wallet .

Requested Certificates:

User Certificates:

Subject:        CN=funebs121.lab,OU=HR,O=Funlab,L=Delhi,ST=Delhi,C=IN

Trusted Certificates:

Subject:        CN=GTE CyberTrust Root,O=GTE Corporation,C=US

Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=Intermediate Authority,O=Funlab,C=US

Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US

Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US

Subject:        CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net

Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Subject:        CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US

Subject:        CN=Funlab Root Certificate Authority,O=Funlab

Subject:        CN=Entrust.net Secure Server Certification Authority,OU=(c) 2000 Entrust.net Limited,OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.),O=Entrust.net

6. We need to add the root and intermediate certificates to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory.

$ cd $INST_TOP/certs/Apache/

$ cat SSL/ca.crt >> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt    # root cert

$ cat SSL/infra_intermediate_base64.cer >> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt    # intermediate cert

$ cat SSL/Infra_East_Base64.cer >> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt    # intermediate cert
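A pre-import check to run before the `orapki wallet add` commands in step 4, given here as an added example that is not part of the original post: it confirms the files are base-64 (PEM), that the server certificate chains to ca.crt through the intermediate, that its CN is the exact host name from the CSR, and that the key is at least 2048 bits. It assumes the openssl command-line tool is available on the application tier; `check_chain` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-import checks for the certificate files named on this page.
# check_chain is a hypothetical helper; it needs the openssl CLI (assumption).
# Usage: check_chain ROOT INTERMEDIATE SERVER EXPECTED_CN
# Returns 0 if OK, 4 not PEM, 1 broken chain, 2 CN mismatch, 3 key < 2048 bits.
check_chain() {
    root=$1; inter=$2; server=$3; cn=$4

    # The post asks for base-64 files; DER files lack the PEM header.
    for f in "$root" "$inter" "$server"; do
        grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null ||
            { echo "not base-64 (PEM): $f" >&2; return 4; }
    done

    # The post notes that the root and intermediates are needed to import the
    # server certificate, so verify the whole chain before touching the wallet.
    openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1 ||
        { echo "chain does not verify: $server" >&2; return 1; }

    # Exact CN match. A wildcard CN fails here on purpose, since the post
    # states wildcard certificates are not allowed with this method.
    subject=$(openssl x509 -in "$server" -noout -subject -nameopt RFC2253)
    subject=${subject#subject=}; subject=${subject# }
    case "$subject" in
        "CN=$cn"|"CN=$cn,"*|*",CN=$cn"|*",CN=$cn,"*) ;;
        *) echo "CN mismatch, subject is: $subject" >&2; return 2 ;;
    esac

    # Key size: the post recommends 2048 bits.
    bits=$(openssl x509 -in "$server" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "key is ${bits:-unknown} bits, expected >= 2048" >&2; return 3; }

    echo "OK: $server chains to $root, CN=$cn, ${bits}-bit key"
}

# Stand-alone use:
#   sh check_chain.sh SSL/ca.crt SSL/intermediate_base64.cer server.crt funebs121.lab
if [ "$#" -eq 4 ]; then
    check_chain "$@" || exit $?
fi
```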

 
Modify the OPMN wallet

By default the opmn wallet directory contains demo wallet files; these should now be replaced with the newly created wallet files as below.

1. Navigate to the $INST_TOP/certs/opmn directory.

2. Create a new directory named BAK.

3. Move the ewallet.p12 and cwallet.sso files to the BAK directory just created.

4. Copy the ewallet.p12 and cwallet.sso files from the $INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.

$ cd $INST_TOP/certs/opmn

$ mkdir BAK

$ mv ewallet.p12 cwallet.sso BAK/

$ cp ../Apache/ewallet.p12 .

$ cp ../Apache/cwallet.sso .
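Because the wallet was created with -auto_login, cwallet.sso opens without the wallet password, so file permissions are what protect the private key once the files have been copied. The following added example (not from the original post; `audit_wallets` is a hypothetical helper name) reports any ewallet.p12 or cwallet.sso, backup copies included, that group or other users can access.

```shell
#!/bin/sh
# Added example: flag wallet files that group or other users can access.
# audit_wallets is a hypothetical helper; pass it the wallet directories
# used on this page. Returns 0 when every wallet file is owner-only.
audit_wallets() {
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            rc=1
            continue
        fi
        # find recurses, so backup copies (for example the BAK directory)
        # are covered. -perm -NNN is true when all bits in NNN are set, so
        # each group/other bit is tested separately.
        loose=$(find "$dir" -type f \( -name ewallet.p12 -o -name cwallet.sso \) \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec ls -l {} +)
        if [ -n "$loose" ]; then
            echo "LOOSE permissions under $dir:"
            echo "$loose"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use on the application tier, after sourcing the EBS env file.
if [ -n "${INST_TOP:-}" ]; then
    audit_wallets "$INST_TOP/certs/Apache" "$INST_TOP/certs/opmn" ||
        echo "Tighten with: chmod 600 <file>"
fi
```

The same function can be pointed at the database-tier wallet directory ($ORACLE_HOME/appsutil/wallet) once that wallet has been created.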

Import certs to cacerts


Now the new certificate files need to be uploaded to cacerts under $OA_JRE_TOP/lib/security for proper functioning of XML Publisher, OPP, etc.

1. Navigate to the $OA_JRE_TOP/lib/security directory.

2. Back up the existing cacerts file.

cd $OA_JRE_TOP/lib/security

cp cacerts cacerts.orig

4. Copy your ca.crt and server.crt files to this directory and issue the following command to ensure that cacerts has write permissions:

$ chmod u+w cacerts

Add your Apache ca.crt and server.crt to cacerts as below.

bash-4.1$ cd -

/oracle/orainst1/d112uk/inst/apps/d112uk_camcfnldap01/certs

bash-4.1$ cd Apache/SSL/

bash-4.1$ ls

Server_base64_certificate.cer  ca.crt  intermediate_base64.cer

bash-4.1$ cat intermediate_base64.cer >> ca.crt

bash-4.1$ cp -pr ca.crt $OA_JRE_TOP/lib/security

bash-4.1$ cp -pr Server_base64_certificate.cer $OA_JRE_TOP/lib/security



bash-4.1$ cd $OA_JRE_TOP/lib/security

$ keytool -import -alias ApacheRootCA_2048 -file ca.crt -trustcacerts -v -keystore cacerts

When prompted enter the keystore password (default password is changeit).

$ keytool -import -alias ApacheServer_2048 -file 123080_base64_certificate.cer -trustcacerts -v -keystore cacerts

Trust this certificate? [no]:  Yes

Certificate was added to keystore

Update the Context File

1. Back up the existing context file under $INST_TOP/appl/admin/<db>_<server>.xml

2.            Modify all below variables in the context file and save it.

SSL Related Variables in the Context File

Variable                 | Non-SSL Value                               | SSL Value
-------------------------|---------------------------------------------|---------------------------------------------
s_url_protocol           | http                                        | https
s_local_url_protocol     | http                                        | https
s_webentryurlprotocol    | http                                        | https
s_active_webport         | same as s_webport                           | same as s_webssl_port
s_webssl_port            | not applicable                              | 4443 (port pool 0)
s_https_listen_parameter | not applicable                              | same as s_webssl_port
s_login_page             | http://funebs121.lab:8000/OA_HTML/AppsLogin | https://funebs121.lab:4443/OA_HTML/AppsLogin
s_external_url           | http://funebs121.lab:8009                   | https://funebs121.lab:4443


3.            Run autoconfig using adautocfg.sh file.

4.            Restart the middle tier services.

Settings for DB Tier

To enable SSL on the database tier, we need to create an empty wallet and import the server certificate and ca.crt (and intca.crt if it exists) into it.

1.            Connect to database and find the wallet location as below.

SQL> select fnd_profile.value('FND_DB_WALLET_DIR') from dual

SQL> /

FND_PROFILE.VALUE('FND_DB_WALLET_DIR')

--------------------------------------------------------------------------------

/u01/GOLD/db/tech_st/11.2.0/appsutil/wallet

3.            After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil
directory.

4. Check for the wallet directory; if it doesn't exist, create it now.

5.            Navigate to the newly created wallet directory.

6.            Create a new empty wallet in this directory

orapki wallet create -wallet $ORACLE_HOME/appsutil/wallet -auto_login -pwd apps123

7. FTP the certificate files from the application server to the database server and import them into this newly created wallet as below.

bash-4.1$ pwd

/u01/GOLD/db/tech_st/11.2.0/appsutil/wallet

$ orapki wallet add -wallet $ORACLE_HOME/appsutil/wallet -trusted_cert -cert root_base64.cer -pwd apps123

$ orapki wallet add -wallet $ORACLE_HOME/appsutil/wallet -trusted_cert -cert intermediate_base64.cer -pwd apps123

$ orapki wallet add -wallet $ORACLE_HOME/appsutil/wallet -trusted_cert -cert 123080_base64_certificate.cer -pwd apps123

8. Test the wallet created in the above steps as below; it should return page content.

SQL> select UTL_HTTP.REQUEST
( url => fnd_profile.value('APPS_FRAMEWORK_AGENT')||'/OA_HTML/IRCRESUMEUK1.xsl',
  proxy => hr_util_web.proxyForURL(fnd_profile.value('APPS_FRAMEWORK_AGENT')),
  wallet_path=>'file:'||fnd_profile.value('FND_DB_WALLET_DIR'),
  wallet_password=>fnd_preference.eget('#INTERNAL','WF_WEBSERVICES','EWALLETPWD','WFWS_PWD'))
from dual;

The above query should return HTML output.

SSL Setup Completed
 