Here  we would be looking at the detailed steps for Enabling TLS in Oracle Apps R12.2

Introduction:

The data between web browser and web server travels unencrypted in R12 application So the password and other information can be tracked by sniffer. We are avoiding this by implementing SSL in R12.

With SSL implementation, the data travels in the encrypted forms and Only web browser and web server can decrypt it.

The implementation requires the SSL certificate and configuration in the R12 environment   as per the configuration

What is SSL?

SSL and TLS are the cryptographic protocol that ensures privacy between communicating applications and their users on the Internet

What is Transport Layer Security (TLS)

Transport Layer Security, or TLS, is the successor of SSL. TLS, like SSL, is a protocol that encrypts traffic between a client and a server. TLS creates an encrypted connection between two machines allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery.

How SSL works

1. The client sends a request to the server using HTTPS connection mode.
2. The server presents its digital certificate to the client. This certificate contains the server’s identifying information like server name, Organization and server public key and digital signature of the CA private key
3. The client (web browser) has the public keys of the all the CA. It decrypts the digital certificate private key This verification proves that the sender had access to the private key, and therefore is likely to be the person associated with the public key. If the verification goes good, the server is authenticated as a trusted server.
4. The client sends the server a list of the encryption levels, or ciphers, that it can use.
5. The server receives the list and selects the strongest level of encryption that they have in common.
6. The client encrypts a random number with the server’s public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then using the random number to generate a unique session key for subsequent encryption and decryption of data during the session

The ssl Implementation will depend on the topology of the R12 implementation. I am here highlighting all the major one.

TLS Termination Point

• A TLS termination point is the end-point server for the encrypted connection that has been initiated by a client (for example, a browser).
• In the case of Oracle E-Business Suite the Oracle HTTP Server can act as a TLS termination point. An alternate TLS termination point, such as a reverse proxy or load balancer, can be configured in front of the Oracle HTTP Server.

Various SSL topology

• A single webserver deployment with TLS terimination Point as webserver

This is pretty simple. We will need the digital certificate for the webserver. The steps are straight forward. The traffic between web browser and webserver will be encrypted

• Having a Load balancer which is serving to 2 or more webserver makes it little bit complicated

In this case, we could have following options

1.End to end encryption of traffic (TLS termination Point as webserver)

The entire traffic flow i.e. from browser to load balancer and from load balancer to web server is encrypted

There are two ways to do it

a) Pass-through configuration: The load balance in this case does not decrypt/encrypt the message .it just passes through the traffic to the webserver

b) Decryption/encryption: The load balance in this case decrypt the traffic at the load balancer level and then again encrypt it and send it to web server which again decrypt it

2. SSL terminator(Alternate TLS termination point): The traffic between web browser and load balancer is only encrypted. The Load balance acts as SSL terminator and terminate the SSL at the load balancer level and passes the unencrypted traffic to the webserver.

Steps to perform configuration on each topology is give below

A single webserver deployment with TLS terimination Point as webserver

 Step 1

Set Your Environment

The steps detailed in this section must be executed on the (running) run file system in order to ensure that during the next online patching the TLS setup is then propagated to the patch file system. There should not be an active patching cycle at this point. In order to check whether an Online Patching Cycle is already active or not, you can use the following command:

UNIX:

$ adop -status

1. Log on to the Oracle E-Business Suite Release 12.2 application tier as the OS user who owns the installation files.
2. The file system with the Applications context file variable s_file_edition_type set to ‘run’ denotes the run file system. Source your application tier environment file (<sid_machine>.env), located in the APPL_TOP directory on the run file system. Do not source the APPS<sid_machine>.env file, otherwise the 10.1.2 environment variables will be picked up and Oracle Wallet Manager 11g will fail to start. After sourcing the environment file, the $FILE_EDITION environment variable should be ‘run’.
3. Set the PATH environment variable to include the Fusion Middleware location and DISPLAY variable for owm gui

 Step 2

Create a wallet

The s_web_ssl_directory location is still used by some Oracle E-Business Suite Release 12.2 components (for example, XML Gateway Transportation Agent OXTA) and during the Oracle Fusion Middleware cloning process.

We can find this location in below way

cat $CONTEXT_FILE|grep “s_web_ssl_directory”

Open the Wallet manager as a background process:

On the Oracle Wallet Manager Menu navigate to Wallet >

New.

Answer NO to: Your default wallet directory doesn’t exist. Do you wish to create it now?

The new wallet screen will now prompt you to enter a password for your wallet

Enter the password and remember it

A new empty wallet has been created. Do you wish to create a certificate request at this time?

After clicking “Yes” in the Create Certificate Request Screen will pop up:

Fill in the appropriate values where:

Select your Country from the drop down list, and for the Key Size, select 2048 as a minimum. Click OK.

Click  On certificate requested

You will need to export the Certificate Request before you can submit it to a Certifying Authority.

1. Click on Certificate [Requested] to Highlight it.
2. From the menu click Operations >

Export Certificate Request

3. Save the file as server.csr
4. From the menu click Wallet and then click Save.
5. On the Select Directory screen change the Directory to your fully qualified wallet directory.
6. Click OK.
7. From the menu click Wallet and check the Auto Login box.

Be sure to make this password something you will remember. You will need to use the password whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the Command Line Interface. With auto login enabled processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet.

8. Exit the Wallet Manager.

The wallet directory will now contain the following files:

cwallet.sso

ewallet.p12

server.csr

You may now submit server.csr to your Certifying Authority to request a Server Certificate

Save the wallet using wallet and save and give the directory path

Step 5

Import your Server Certificate to the Wallet

After you receive your Server Certificate from your Certifying Authority you will need to import it into your wallet. Copy the certificate to server.crt in the wallet directory on your server by one of the following methods:

1. ftp the certificate (in binary mode)
2. copy and paste the contents into server.crt

Follow these steps to import server.crt into your wallet:

1. Open the Wallet Manager as a background process:

$ owm &

2. From the menu click Wallet then Open.
3. Answer Yes when prompted:

Your default wallet directory does not exist.

Do you want to continue?

4. On the Select Directory screen change the Directory to your fully qualified wallet directory and

click OK

5. Enter your wallet password and click OK.
6. On the Oracle Wallet Manager Menu navigate to Operations Import User Certificate. Server certificates are a type of user certificate. Since the Certifying Authority issued a certificate for the server, placing its distinguished name (DN) in the Subject field, the server is the certificate owner, thus the “user” for this user certificate.

7. Click OK.
8. Double Click on server.crt to import it.
9. Save the wallet:
10. On the Oracle Wallet Manager Menu click Wallet.
11. Verify the Auto Login box is checked.
12. Click Save

Note: If all trusted certificates that make up the chain of server.crt are not present in the wallet, then adding the certificate will fail. When the wallet was created, the certificates for the most common CA’s (such as VeriSign, GTE, and Entrust) were included automatically. Contact your certifying authority if you need to add their certificate, and save the provided file as ca.crt in the wallet directory in a base64 format. Another option is to follow the instructions given below to create ca.crt from your server certificate (server.crt). If your Certifying Authority provided an intermediate certificate (to complete the chain) then save the provided file as intca.crt in a Base64 format, this will need to be imported into Oracle Wallet Manager prior to importing the server.crt. Certificates that comprise several parts (such as the P7B type) would also fall into this category

Detailed steps to Import Certificate with screen shots

Then click wallet -> open

Click yes

Enter  the full path of the wwallet directory

Enter the wallet password

Now Operations : Import User certficate

Alternatively you can add the certificate

orapki wallet add \ 
 -wallet . \
-trusted_cert \
-cert ca.cer \
-pwd <pwd>

orapki wallet add \
-wallet . \
-trusted_cert \
-cert intca.cer \
-pwd <pwd>

 
orapki wallet add \
-wallet .\
-user_cert \
-cert tech.cer \
-pwd <pwd>

 

If you need to import the CA Certificate you will also need to add the contents of ca.crt file to b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

$ cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

If you were also provided an Intermediate Certificate (intca.crt) then you will also need to add that to the b64InternetCertificate.txt:

$ cat intca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

Step 6 – Modify the Oracle HTTP Server wallet.

The <s_web_ssl_directory>/Apache is still used by some Oracle E-Business Suite Release 12.2 components, but is not used by the Oracle HTTP Server.

Copy the <s_web_ssl_directory>/Apache wallet (cwallet.sso ) to <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default  directory location

You can find these variable from Context file

cat $CONTEXT_FILE|grep “s_ohs_instance_loc”

cat $CONTEXT_FILE|grep “s_ohs_component”

Step 7 – Modify the OPMN wallet and configure the cipher suites.

Modify the OPMN Wallet

The default location for the OPMN wallet is in the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory.

We can find this location in below way

cat $CONTEXT_FILE|grep “s_ohs_instance_loc”

1. Navigate to the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory.
2. Move the existing wallet files to a backup directory in case you wish to use them again in the future.
3. Copy the cwallet.sso files from the <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default directory to the current directory.

Configure the OPMN Cipher Suites

You must perform this configuration to enforce strong cipher suites on the OPMN remote port.

1. Ensure all processes are down.
2. Open the opmn.xml file located under your web tier instance.
3. Towards the top of the file, look for the SSL options within the <notification-server> section.
   Change:

<ssl enabled=”true”
wallet-file=”<path to the wallet file>”/>
to

<ssl enabled=”true”
wallet-file=”<Path to the Wallet file>” ssl-versions=”TLSv1.0″
ssl-ciphers=”<Pick two ciphers from the list of valid ciphers below,separated by a comma>”/>
The following list specifies the valid cipher suites that can be used:

• SSL_RSA_WITH_AES_256_CBC_SHA
• SSL_RSA_WITH_AES_128_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA

For example:

<ssl enabled=”true”
wallet-file=”/EBS_web_EBSDB_OHS1/config/OPMN/opmn/wallet” ssl-versions=”TLSv1.0″
ssl-ciphers=”SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA”/>

Edit the admin.conf file.
Change:

SSLCipherSuite SSL_RSA_WITH_RC4_128_SHA
SSLProtocol nzos_Version_1_0 nzos_Version_3_0

to

SSLCipherSuite <pick a valid cipher from the list above>:<pick another valid cipher from the list above>
SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2

Step 8 – Modify the Oracle Fusion Middleware Control Console.

Fusion Middleware Control Console utilizes the functionality of OPMN to manage your Oracle Fusion Middleware Enterprise.

Move the existing wallet files to a backup directory in case you wish to use them again in the future.

• $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
• $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
• $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet

We can find this location in below way

cat $CONTEXT_FILE|grep “EBS_DOMAIN_HOME”

Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to all three locations mentioned above.

Note: In the case of a shared file system and multinode configuration, updates to the first two directories are done on the primary node, and updates to the third directory are done on the respective applications tier node where OHS is being configured for TLS. The reason being is that the first two directories will only exist on the primary node, and the third directory will only exist on each applications tier node where OHS is enabled.

Step 9

Use Oracle Fusion Middleware Control to make some additional configuration file changes:

1. Log in to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
2. Select Web Tier Target under EBS Domain.
3. Select Administration > Advanced Configuration.
4. Select ssl.conf file for edit.
5. Update the Listen <port> and the VirtualHost _default_:<port> directives to SSL port, for example Listen 4443.
6. Update the SSLProtocol and SSLCipherSuite entry to match the following:

SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM

7. Click Apply.

The following command should be run (on all application tier nodes) to propagate the changes made through the Oracle Fusion Middleware Control Console to the context file variables:

perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:

Review the adSyncContext.log for the changes that have been picked up and made to the context file.

Use the Oracle E-Business Suite 12.2 – OAM Context Editor to change the TLS related variables shown in this table:

The value of the s_webport is based on the default port prior to any TLS configuration and remains unchanged when switching to TLS

Step 10 – Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.

Step 11 – Restart the Application Tier services

Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.

Step 12 – Propagate TLS changes to patch file systems.

The following steps must be performed in order to synchronize the TLS setup between the two file systems:

1. Edit $APPL_TOP_NE/ad/custom/adop_sync.drv.
2. Assuming the rsynccommand is available on UNIX, the following directives must be copied and pasted between the <Begin Customization> and <End Customization> section after the existing <#Copy Ends>:

Steps to be used when going for SSL terminator

There is no need for certificate creation and installation on the web server. In this case,  we just need to set the context file parameter given below

Use Oracle Fusion Middleware Control to make some additional configuration file changes:

1. Log in to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
2. Select Web Tier Target under EBS Domain.
3. Select Administration > Advanced Configuration.
4. Select ssl.conf file for edit.
5. Update the ServerName directive to the TLS termination point setup <hostname>.<domain>.
6. Click Apply.
7. Select httpd.conf file for edit.
8. Update the ServerName directives to the TLS termination point setup <hostname>.<domain>.
9. Click Apply.

Use the Oracle E-Business Suite 12.2 – Oracle Applications Manager (OAM) Context Editor to change the TLS related variables shown in this table:

The value of the s_webport is based on the default port prior to any TLS configuration, and remains unchanged when switching to TLS.

 Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.

Restart the Application Tier services

Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.

Steps for End to end encryption with Pass through configuration on Load Balancer

 1) All the steps given for single web server need to be executed.

2) The certificate need to be created with load balancer Name

3)   We can execute the certificate steps on one Node and then copy all the steps to the other nodes

Context value changes

Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.

Restart the Application Tier services

Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.

Steps for End to end encryption with Encryption/decryption on Load Balancer

1) All the steps given for single web server need to be executed.

2) The certificate need to be created at load balancer level and web node level also. It need to be created with load balancer Name on both the side

3)   We can execute the certificate steps on one Web Node and then copy all the steps to the other nodes

4) The Load balance should have the client SSL certificate for the Web  node certificate

Context value changes

Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Application Tier $ADMIN_SCRIPTS_HOME directory.

Restart the Application Tier services

Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the Application Tier Apache services.

Configure Loopback and Outbound Connections

Step 1 – Update the managed server (WLS) configuration.

Append the following JVM parameter to all managed servers and the WebLogic administration server:

1. Log in to Oracle Fusion Middleware Administration Console (for example, http://<hostname>.<domain>:<AdminServer Port>/console)
2. Click on Lock & Edit.
3. Under Domain Structure > your EBS domain > Environment and Servers, select one of the managed servers. (Note that you will need to repeat this for all managed servers and the WebLogic administration server in your environment.)
   Then under the Server Start tab in the Arguments section, add the following:

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

1. Click on Save.
2. Repeat steps 3 and 4 for all remaining managed servers.
3. Click on Activate Changes.

Step 2 – Update the b64InternetCertificate.txt Truststores

Add the contents of the ca.crt file to b64InternetCertificate.txt file.

If you need to import the CA Certificate, you will also need to add the contents of the ca.crt file to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

$ cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

Step 3 – Update the cacerts Truststore

1. Update the JDK cacerts file.
   Oracle Web Services requires the certificate of the certifying authority who issued your server certificate (ca.crt from the previous step) to be present in the JDK cacerts file. In addition, some features of XML Publisher and BI Publisher require the server certificate (server.crt from previous step) to be present.
2. Navigate to the $OA_JRE_TOP/lib/security directory.
3. Follow these steps to ensure these requirements are met:
4. Backup the existing cacerts file.
5. Copy your ca.crt and server.crt files to this directory and issue the following command to insure that cacerts has write permissions:

Step 4 Database tier setup

Oracle products such as Oracle Configurator, Order Management, Order Capture, Quoting, iPayment, iStore, and Pricing are leveraging the database as an HTTP client. The implementation of TLS for the Oracle Database Server (which acts as a client sending requests to the Web server) makes use of the Oracle Wallet Manager for setting up an Oracle wallet.

Note: This is a mandatory requirement for Oracle iStore storefront pages when the web tier is TLS enabled.

To enable the HTTPS client request from the database using UTL_HTTP, you need to establish a truststore in wallet format. You do not need a server certificate for this wallet. You only need to import the root CA certificate for the root CAs that are the trust anchor for the sites you need UTL_HTTP to connect to.

1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
2. Create a new wallet directory named wallet.
3. Navigate to the newly created wallet directory.
4. Open the Oracle Wallet Manager as a background process.

owm &

To test that the wallet is properly set up and accessible, log in to SQLPLUS as the apps user and execute the following:

SQL>select utl_http.request('[address to access]', '[proxy address]', 'file:[full path to wallet directory]', null) from dual;

where:

‘[address to access]’ = the URL for your Oracle E-Business Suite Rapid Install Portal.

‘[proxy address]‘ = the URL of your proxy server, or NULL if not using a proxy server.

‘file:[full path to wallet directory]’ = the location of your wallet directory (do not specify the actual wallet files).

Related  links

Enabling SSL or TLS in Oracle E-Business Suite Release 12 (Doc ID 2143099.1)
How to find R12 components Version
40 Adpatch question every DBA should know
awk command
Keytool command