The main problem with automated traffic over SSL is trust. A web browser can
always ask the user for guidance when it is unsure whether to trust a server;
a program that runs without a user cannot. The problem is solved in the
following way: you put the certificates of all the trusted servers in a
special place, called an Oracle Wallet. Oracle then looks in this place to
make an informed decision about whether or not to trust a server that it is
connecting to.
The database wallet path is set automatically during a fresh installation, and the installer also generates a <ifs_home>\instance\<instance>\security\ohs\cwallet.sso file with the appropriate certificate for accessing the Middleware web server. The certificate (cwallet.sso) is stored in PLSQLAP_ENVIRONMENT_TAB, which also specifies the wallet path on the database server. If the path for the certificate does not exist, it is created and the certificate is exported to it. The default path location is $ORACLE_DIAG/admin/<instance>/ifs_wallet. This path can be altered in the IFS Admin Console, in the Database source section. Whenever a new certificate is generated by the installer, it is pushed out to the database server automatically.
It is possible to import certificates into the database wallet by placing the certificate to be imported in <ifs_home>\instance\<instance>\security\database\import and running the installer.
Note: If you change the path location in the IFS Admin
Console, make sure you set the file permissions correctly. Letting anybody
have access to this file is a security risk. It is fine to keep this file
write-protected (for example on CD) once all certificates are
imported.
The wallet path is set by the installer and ends up in the PLSQLAP_ENVIRONMENT_TAB table. You can log on as APPOWNER and add or update the following entries in PLSQLAP_ENVIRONMENT_TAB:
NAME | VALUE | BLOB VALUE |
---|---|---|
SSL_WALLET_PATH | file:<Path to the wallet > | |
SSL_WALLET_File | | contains the latest cwallet.sso file |
Example:
NAME | VALUE |
---|---|
SSL_WALLET_PATH | file:C:\app\admin\ifs10cdb\ifs_wallet |
Note that the wallet path must be readable from within the Oracle RDBMS, i.e.
it must be readable by the user that starts the Oracle service.
```sql
select utl_http.request('https://<fqdn>:<port>', NULL,'file:c:\wallet',NULL) from dual;
```

Verify that the PL/SQL Access Provider can send a request to the Application Server and that the Application Server can read a random key in the PLSQLAP_ENVIRONMENT_TAB table. Should return '1' on success.

```sql
select Plsqlap_Server_API.Ping_Result__ FROM dual;
```

Verify that the Database Wallet path is set in the PLSQLAP_ENVIRONMENT_TAB table. Should return the correct path to the cwallet.sso file on the database server.

```sql
select value from plsqlap_environment_tab where name='SSL_WALLET_PATH';
```

Verify that the Database Wallet Certificate is set in the PLSQLAP_ENVIRONMENT_TAB table. Should return the correct path to the cwallet.sso file on the database server.

```sql
select value from plsqlap_environment_tab where name='SSL_WALLET_CERT';
```
Make sure the DB wallet is signed for the correct FQDN and that the wallet is readable: C:\ifs_home\instance\
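
The wallet-path check and the HTTPS request above can be combined into one PL/SQL block that uses the stored SSL_WALLET_PATH for the request and reports why the handshake failed. This is an added example, not IFS-supplied code; the URL is a placeholder, the variable names are hypothetical, and the mapping of ORA codes to causes follows the standard Oracle error meanings.

```sql
-- Added example, not part of the IFS installation. Run in SQL*Plus as APPOWNER.
SET SERVEROUTPUT ON
DECLARE
   url_         CONSTANT VARCHAR2(200) := 'https://<fqdn>:<port>'; -- placeholder
   wallet_path_ VARCHAR2(4000);
   response_    VARCHAR2(2000);
   stack_       VARCHAR2(4000);
BEGIN
   -- Test with the path the application uses, not a hand-typed one.
   BEGIN
      SELECT value INTO wallet_path_
      FROM   plsqlap_environment_tab
      WHERE  name = 'SSL_WALLET_PATH';
   EXCEPTION
      WHEN NO_DATA_FOUND THEN
         dbms_output.put_line('FAIL: SSL_WALLET_PATH is not set');
         RETURN;
   END;
   IF wallet_path_ NOT LIKE 'file:%' THEN
      dbms_output.put_line('FAIL: value must start with file: but is ' || wallet_path_);
      RETURN;
   END IF;

   -- cwallet.sso is an auto-login wallet, so no wallet password is passed.
   response_ := utl_http.request(url_, NULL, wallet_path_, NULL);
   dbms_output.put_line('OK: HTTPS request succeeded using ' || wallet_path_);
EXCEPTION
   WHEN OTHERS THEN
      -- The root cause is usually below ORA-29273 in the error stack.
      stack_ := dbms_utility.format_error_stack;
      dbms_output.put_line(stack_);
      IF INSTR(stack_, 'ORA-28759') > 0 THEN
         dbms_output.put_line('Wallet cannot be opened: check the path and that '
            || 'the user that starts the Oracle service can read it.');
      ELSIF INSTR(stack_, 'ORA-29024') > 0 THEN
         dbms_output.put_line('Server certificate is not trusted by this wallet.');
      ELSIF INSTR(stack_, 'ORA-24263') > 0 THEN
         dbms_output.put_line('Server certificate does not match the FQDN in the URL.');
      ELSIF INSTR(stack_, 'ORA-24247') > 0 THEN
         dbms_output.put_line('A network ACL denies this user access to the host.');
      END IF;
END;
/
```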