Configure Oracle for SSL

The main problem with automated traffic over SSL is trust. A web browser can always ask the user for guidance when deciding whether to trust a server; a program that is not driven by a user cannot. This problem is solved in the following way: you put the certificates of all the trusted servers in a special place, called an Oracle Wallet. Oracle then looks in this place to make an informed decision about whether or not to trust the server it is connecting to.

Automatic copy and creation of the wallet

The database wallet path is set automatically during a fresh installation, and the installer also generates a <ifs_home>\instance\<instance>\security\ohs\cwallet.sso file with the appropriate certificate for accessing the Middleware web server. The certificate (cwallet.sso) is stored in the PLSQLAP_ENVIRONMENT_TAB, which also specifies the wallet path on the database server. If the path for the certificate does not exist, it is created and the certificate is exported to it. The default path location is $ORACLE_DIAG/admin/<instance>/ifs_wallet. This path can be altered in the IFS Admin Console, in the Database source section. Whenever a new certificate is generated by the installer, it is pushed out to the database server automatically.

It is possible to import certificates into the database wallet by placing the certificate to be imported in <ifs_home>\instance\<instance>\security\database\import and running the installer.

Note: If changing the path location in the IFS Admin Console, make sure you set the file permissions correctly. It is a security risk to let anybody have access to this file. It is not wrong to have this file write-protected (for example on a CD) once all certificates are imported.

Wallet path and certificate storage

The wallet path is set by the installer and ends up in the PLSQLAP_ENVIRONMENT_TAB table. You can log on as APPOWNER and add or update PLSQLAP_ENVIRONMENT_TAB with:

NAME             VALUE                       BLOB VALUE
SSL_WALLET_PATH  file:<Path to the wallet>
SSL_WALLET_File                              contains the latest cwallet.sso file

Example:

NAME             VALUE
SSL_WALLET_PATH  file:C:\app\admin\ifs10cdb\ifs_wallet

Note that the wallet path must be readable from within the Oracle RDBMS, i.e. it must be readable by the user that starts the Oracle service.

Verify

Verify that it's possible to access the default page on the Application Server.

select utl_http.request('https://<fqdn>:<port>', NULL,'file:c:\wallet',NULL) from dual;

Verify that the PL/SQL Access Provider can send requests to the Application Server and that the Application Server can read a random key in the PLSQLAP_ENVIRONMENT_TAB table.
select Plsqlap_Server_API.Ping_Result__ FROM dual;
This should return '1' on success.

Verify that the Database Wallet path is set in the PLSQLAP_ENVIRONMENT_TAB table.
select value from plsqlap_environment_tab where name='SSL_WALLET_PATH';
This should return the correct path to the cwallet.sso file on the database server.

Verify that the Database Wallet Certificate is set in the PLSQLAP_ENVIRONMENT_TAB table.
select value from plsqlap_environment_tab where name='SSL_WALLET_CERT';
This should return the correct path to the cwallet.sso file on the database server.
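The checks above can be combined into one PL/SQL block that reads the wallet location from PLSQLAP_ENVIRONMENT_TAB, points UTL_HTTP at it and makes a single HTTPS request, reporting the detailed error if the server certificate is not trusted. This is an added example, not part of the original page or the IFS installer; the URL is a placeholder, and it assumes the session has execute rights on UTL_HTTP and a network ACL for the target host.

```sql
-- Added example (not from the original page): exercise the database-side
-- wallet trust path with the wallet location stored by the installer.
SET SERVEROUTPUT ON
DECLARE
   l_wallet  VARCHAR2(4000);
   l_url     VARCHAR2(4000) := 'https://<fqdn>:<port>/';  -- placeholder, assumed
   l_req     UTL_HTTP.req;
   l_resp    UTL_HTTP.resp;
BEGIN
   -- The installer stores the path in the form file:<path>, which is
   -- exactly what UTL_HTTP.set_wallet expects.
   SELECT value INTO l_wallet
     FROM plsqlap_environment_tab
    WHERE name = 'SSL_WALLET_PATH';

   -- cwallet.sso is an auto-login wallet, so no wallet password is needed.
   UTL_HTTP.set_wallet(l_wallet, NULL);

   -- Do not follow redirects: a redirect to another host would be checked
   -- against the wallet too, and hides which host actually failed.
   UTL_HTTP.set_follow_redirect(0);

   l_req  := UTL_HTTP.begin_request(l_url, 'GET', 'HTTP/1.1');
   l_resp := UTL_HTTP.get_response(l_req);
   DBMS_OUTPUT.put_line('HTTP ' || l_resp.status_code || ' ' || l_resp.reason_phrase);
   UTL_HTTP.end_response(l_resp);
EXCEPTION
   WHEN UTL_HTTP.request_failed THEN
      -- A certificate validation failure (ORA-29024) ends up here when the
      -- server certificate or its issuer is missing from the wallet, or the
      -- certificate does not match the fqdn used in the URL.
      DBMS_OUTPUT.put_line('Request failed: ' || UTL_HTTP.get_detailed_sqlerrm);
      RAISE;
END;
/
```

A 200 (or any HTTP status) printed here proves the TLS handshake and wallet lookup worked; a RAISEd request_failed with ORA-29024 in the detail points at the wallet contents or the fqdn, not at the network.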


Make sure the DB wallet is signed for the correct fqdn and that the wallet is readable:

C:\ifs_home\instance\<instance>\security\ohs>orapki wallet display -wallet .\cwallet.sso -complete