Configuring OHS 12c for HTTPS Communication
Oracle 12c brought back the older Oracle concept of Wallets. Standard keystores can still be used, but this post focuses on the configuration using Oracle Wallets.
CREATE CSR AND SSL CERTS USING WALLETS
The first step is to create a wallet and then a CSR (the request you submit to the certification authority so it can generate your SSL certificate).
1. Create a new directory to store the wallet (we will be using the $HOME directory of the Oracle user)
mkdir ~/keystores
2. Create the wallet
$ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet $HOME/keystores/wallet -auto_login_only
3. Create the CSR (certificate request); you pass the DN for the certificate, usually your site name and the company
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -dn 'CN=ora-middleware.blogspot.com,OU=IT,O=ACME,L=Atlanta,ST=GA,C=USA' -keysize 2048 -auto_login_only
4. Export the CSR. Now that the CSR has been created, export it to a file you can send to the certification authority. The following command creates a file server.csr containing the CSR.
$ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet $HOME/keystores/wallet -dn 'CN=ora-middleware.blogspot.com,OU=IT,O=ACME,L=Atlanta,ST=GA,C=USA' -request $HOME/keystores/wallet/server.csr
5. Now request an SSL certificate from a certification authority using the generated file (GoDaddy in my case). They will send you the certificate as well as the root and intermediate certificates required.
6. Once the certification authority issues the certificate, you first need to import the root certificate. Sometimes it is included in the bundle; in my case it was not present and I had to download it from their website (gdroot-g2.crt from GoDaddy). You need all the certificates in the SSL chain.
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -trusted_cert -cert $HOME/keystores/wallet/gdroot-g2.crt -auto_login_only
7. Now import any other certificate in the chain; I got this one as part of the bundle they sent me.
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -trusted_cert -cert $HOME/keystores/wallet/gd_bundle-g2-g1.crt -auto_login_only
8. Finally, import the cert itself
$ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $HOME/keystores/wallet -user_cert -cert $HOME/keystores/wallet/certificatefromgodaddy.crt -auto_login_only
9. You can validate that the certificates have been imported using the following command.
$ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet $HOME/keystores/wallet
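Before importing a CA bundle into the wallet it is worth confirming that the certificates you were sent actually form a complete chain, that the server certificate is for the hostname in your DN, and that the key length and validity are what you asked for. The script below is an added example, not part of the original post and not orapki: it uses openssl to build a throwaway root, intermediate and server certificate in a temporary directory (constructed stand-ins for gdroot-g2.crt, gd_bundle-g2-g1.crt and the certificate from the CA) and runs the same checks you would run against the real files. The hostname is the CN from the post's CSR; the file names and the `issue`, `chain_ok`, `host_ok` and `key_ok` helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway
# root -> intermediate -> server chain with openssl and run the checks
# you would want to pass before loading the real CA bundle and server
# certificate into the Oracle wallet. Everything here is constructed
# locally; nothing talks to a CA. Files are left in $WORK for inspection.
set -e

WORK=$(mktemp -d)
HOST=ora-middleware.blogspot.com   # hostname from the post's CSR DN

# Extension files: CA certificates must carry CA:TRUE, the server cert must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"

# issue NAME SUBJECT EXTFILE ISSUER   (empty ISSUER = self-signed root)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -out "$WORK/$1.crt" -days 30 -extfile "$3" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -out "$WORK/$1.crt" -days 30 -extfile "$3" 2>/dev/null
  fi
}

issue root   "/CN=Example Root CA"         "$WORK/ca.ext"     ""
issue inter  "/CN=Example Intermediate CA" "$WORK/ca.ext"     root
issue server "/CN=$HOST/OU=IT/O=ACME"      "$WORK/server.ext" inter

# chain_ok ROOT INTERMEDIATES SERVER: does the server cert chain to the
# trusted root through the supplied (untrusted) intermediates? An empty
# INTERMEDIATES argument reproduces the "bundle without the middle cert" case.
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# host_ok CERT HOSTNAME: is the hostname listed in the certificate's SAN?
host_ok() {
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# key_ok CERT: 2048-bit key (the -keysize from the post) and not expired.
key_ok() {
  openssl x509 -in "$1" -noout -text | grep -q 'Public-Key: (2048 bit)' &&
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

if chain_ok "$WORK/root.crt" "$WORK/inter.crt" "$WORK/server.crt"; then
  echo "chain with intermediate: OK"
fi
# Without the intermediate (the situation step 7 warns about) verification fails.
if ! chain_ok "$WORK/root.crt" "" "$WORK/server.crt"; then
  echo "chain without intermediate: broken, as expected"
fi
host_ok "$WORK/server.crt" "$HOST" && echo "hostname: OK"
key_ok "$WORK/server.crt" && echo "key size and validity: OK"
```

On a real server, call `chain_ok` with the root file as the first argument, the CA's bundle file as the second and the issued certificate as the third; if it fails while the root and bundle look right, a certificate is missing from the chain and the wallet import in steps 6 and 7 will leave clients with a trust error.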
CONFIGURE OHS for SSL
Now that we have a wallet, we need to tell OHS to use it. By default, 12c already has a virtual host configured for SSL, so we only have to update it and point it to the new wallet. In my case I have a stand-alone installation; if you have an OHS with Enterprise Manager configured, most of this can be done from the web console, but the manual steps work in both scenarios.
1. Edit the ssl.conf file under the configuration folder for the instance.
vi $ORACLE_HOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/ssl.conf
Set the SSLWallet directive to the directory where we saved the wallet
SSLWallet /home/opc/keystores/wallet
2. Stop OHS
$ORACLE_HOME/user_projects/domains/base_domain/bin/stopComponent.sh ohs1
3. Start OHS
$ORACLE_HOME/user_projects/domains/base_domain/bin/startComponent.sh ohs1
4. You can test the configuration on the default SSL port for OHS, 4443
https://mysite..com:4443
MAKE HTTP RUN ON PRIVILEGED PORTS
If you want to use the https URL without specifying a port, you need to make OHS listen on port 443 (for plain http the port is 80).
1. Change the ownership and permissions on the launch file
sudo chown root $ORACLE_HOME/ohs/bin/launch
sudo chmod 4750 $ORACLE_HOME/ohs/bin/launch
2. Edit the httpd.conf file in the same directory ($ORACLE_HOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1)
Modify the Listen directive from the default 7777 to 80
Listen 80
Also, modify (or add, if they don't exist) the following directives with the Linux user and group that own the OHS installation
User opc
Group opc
3. For SSL, edit the same ssl.conf as before and modify the Listen directive from the default 4443 to 443
Listen 443
Also, update the VirtualHost directive to use the same port
<VirtualHost *:443>
4. Stop OHS
$ORACLE_HOME/user_projects/domains/base_domain/bin/stopComponent.sh ohs1
5. Start OHS
$ORACLE_HOME/user_projects/domains/base_domain/bin/startComponent.sh ohs1
6. You can test now without the ports
https://mysite..com
http://mysite..com
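The two places this procedure goes wrong in practice are a VirtualHost port that no longer matches a Listen directive (the SSL virtual host silently never answers) and a launch binary whose setuid bit or mode is wider than the 4750 from step 1. The script below is an added example, not part of the original post or of the OHS distribution: it runs the checks against constructed copies of httpd.conf and ssl.conf mirroring the edits above, and against a stand-in file for $ORACLE_HOME/ohs/bin/launch, all created in a temporary directory so it runs anywhere unprivileged (the chown to root from step 1 is therefore skipped here). The `listen_ports`, `vhost_ports`, `vhosts_listened`, `listens_only_on`, `launch_mode_ok` and `launch_owner` helpers are this example's own; point them at the real files on the server.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# privileged-port change. Runs against constructed config fragments and a
# stand-in launch file in a temp dir; on the server pass the real paths.
set -e
WORK=$(mktemp -d)

# Constructed fragments mirroring the edits in steps 2 and 3.
cat > "$WORK/httpd.conf" <<'EOF'
# Listen 7777   <- old value left behind as a comment; must be ignored
Listen 80
User opc
Group opc
EOF
cat > "$WORK/ssl.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
  SSLWallet /home/opc/keystores/wallet
</VirtualHost>
EOF
# Stand-in for the launch binary with the mode from step 1
# (chown root is skipped because this example runs unprivileged).
touch "$WORK/launch"
chmod 4750 "$WORK/launch"

# Active Listen ports in a config file (commented lines skipped), one per line.
# Handles both "Listen 80" and "Listen 10.0.0.5:443".
listen_ports() {
  awk '$1 == "Listen" { n = split($2, a, ":"); print a[n] }' "$1"
}

# Ports named in <VirtualHost *:PORT> opening tags.
vhost_ports() {
  awk -F'[:>]' '/^[[:space:]]*<VirtualHost/ { print $2 }' "$1"
}

# Every VirtualHost port must also be a Listen port in the same file,
# otherwise that virtual host never receives a connection.
vhosts_listened() {
  for p in $(vhost_ports "$1"); do
    listen_ports "$1" | grep -qx "$p" || return 1
  done
}

# listens_only_on FILE PORT: the file listens on exactly that one port
# (catches a forgotten 7777 or 4443 left next to the new directive).
listens_only_on() {
  [ "$(listen_ports "$1" | sort -u | tr '\n' ' ')" = "$2 " ]
}

# The launch binary should be setuid, owner rwx, group r-x and nothing for
# others, i.e. exactly mode 4750 as set in step 1.
launch_mode_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rwsr-x---" ]
}

# Owner of the launch binary; must be root on the server for the setuid to help.
launch_owner() {
  ls -ld "$1" | awk '{ print $3 }'
}

listens_only_on "$WORK/httpd.conf" 80 && echo "httpd.conf: Listen 80 only"
listens_only_on "$WORK/ssl.conf" 443  && echo "ssl.conf: Listen 443 only"
vhosts_listened "$WORK/ssl.conf"      && echo "ssl.conf: VirtualHost port matches a Listen directive"
launch_mode_ok "$WORK/launch"         && echo "launch: mode 4750"
echo "launch owner: $(launch_owner "$WORK/launch") (must be root on the server)"
```

Run `listens_only_on` and `vhosts_listened` against the instance's httpd.conf and ssl.conf after editing and before the stop/start in steps 4 and 5; a mismatch is far easier to spot here than from a browser that simply times out on port 443.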
3 comments:
Thank you thank you thank you!!! This has helped me out of a pickle!!
I've been able to get the 12c OHS running on a privileged port with startComponent.sh ohs1, but if I'm logged in as oracle, how do I stop the process owned by root? stopComponent.sh ohs1 won't do it. Thanks.
It is very hard to configure by going through the documentation. This is a super simple explanation. Thanks.