17 Replies. Latest reply: Aug 12, 2012 5:47 PM by user13010474

    HTTPS Configuration

    user13010474
      Hi, I am new to apex...please help me with the following

      At my site's installation of Apex there are many workspaces, my requirement is to set SSL/HTTPS for one workspace.

      1. Is it possible to turn on https at workspace level instead of instance level (home-manage service-instance settings-Require HTTPS setting)? I could not find workspace level setting.
      2. If it's not, then is there any other way of achieving it? i.e. implementing SSL for my workspace and not impacting other workspaces.

      3. If one is setting the "Require https" to yes at instance level, then is configuring SSL by creating Wallet mandatory? or optional?
        • 1. Re: HTTPS Configuration
          user13010474
          Any help would be appreciated, please!!!
          • 2. Re: HTTPS Configuration
            Dietmar Aust
            Hi anonymous,

            a few questions:

            *) which version of APEX are you using?
            *) which listener are you using for APEX (APEX Listener, Oracle Apache using mod_plsql, the embedded plsql gateway)?
            *) have you set up SSL using a certificate yet and is it working?

            You could use url rewrites in the Apache to enforce ssl based on specific application ids. But you could also enforce that in the application directly, for example on the login page of your application using owa_util.redirect_url.

            Cheers,
            Dietmar.
            -----
            blog: [ http://daust.blogspot.com ] JDD-Spreadsheet-Suite: [ http://jdd-software.com ]
            JasperReportsIntegration: [ http://www.opal-consulting.de/tools ] [ https://www.opal-consulting.de/forums  ]
            • 3. Re: HTTPS Configuration
              user13010474
              Hi Dietmar, Thanks for your response...below are my replies. Appreciate your help.

              *) which version of APEX are you using?
              -- Using Apex 3.2
              *) which listener are you using for APEX (APEX Listener, Oracle Apache using mod_plsql, the embedded plsql gateway)?
              -- The url name contains pls (.../pls/...), so I think it's using Oracle Apache using mod_plsql
              *) have you set up SSL using a certificate yet and is it working?
              -- A certificate has been set up but it's being used for SSO purpose. For SSL is a new certificate required? Can you please let me know.

              You could use url rewrites in the Apache to enforce ssl based on specific application ids. But you could also enforce that in the application directly, for example on the login page of your application using owa_util.redirect_url
              -- Can you please explain in detail on how to do this or direct me to some source/blog where I can find more details (with example).
              • 4. Re: HTTPS Configuration
                user13010474
                Help please...
                • 5. Re: HTTPS Configuration
                  Dietmar Aust
                  I am currently working on an example ... I'll be with you in a moment.
                      • 8. Re: HTTPS Configuration
                        Dietmar Aust
                        Hi anonymous,

                        this is the easiest solution with the least impact to any other application on your server:

                        *) create an application level process
                        - Name: "https only access allowed"
                        - Sequence: 1 (can also be 0 or even negative, just make sure it is the first thing that gets executed)
                        - Point: On Load: Before Header
                        - Process Text:
                        begin
                          if     upper(owa_util.get_cgi_env('REQUEST_PROTOCOL'))='HTTP' 
                             AND upper(owa_util.get_cgi_env('REQUEST_METHOD'))='GET'  then
                        
                            -- rebuild target url using SSL
                            owa_util.redirect_url('https://'
                                              || owa_util.get_cgi_env('HTTP_HOST')
                                              || owa_util.get_cgi_env('SCRIPT_NAME')
                                              || owa_util.get_cgi_env('PATH_INFO')
                                              || '?'
                                              || owa_util.get_cgi_env('QUERY_STRING')
                                              );
                          
                            -- stop processing
                            apex_application.g_unrecoverable_error := true;
                          end if;
                        end;
                        If you are not using the default ports (80 for http and 443 for https) then you will have to use replace(owa_util.get_cgi_env('HTTP_HOST'), ':8080', ':4443') instead of owa_util.get_cgi_env('HTTP_HOST'). This is an example for using port 8080 for http and port 4443 for https.

                        Does that work?

                        If you have to do that for all applications I would rather do the url rewrite in the Apache httpd.conf.

                        Cheers,
                        Dietmar.

                        -----
                        blog: [ http://daust.blogspot.com ] JDD-Spreadsheet-Suite: [ http://jdd-software.com ]
                        JasperReportsIntegration: [ http://www.opal-consulting.de/tools ] [ https://www.opal-consulting.de/forums  ]
                        • 9. Re: HTTPS Configuration
                          user13010474
                          Hi Dietmar,

                          After creating application process as you mentioned.....when I try to log in on IE it says "Internet Explorer cannot display the webpage" but on Firefox it gives the below error...

                          Secure Connection Failed
                          An error occurred during a connection to oemtest.webdev.mycomp.com:7800.
                          SSL received a record that exceeded the maximum permissible length.
                          (Error code: ssl_error_rx_record_too_long)
                          The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
                          Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

                          On net many posts mention that it's mainly due to configuration issue (mostly port 443 not configured for ssl). I don't know about how to configure the apache server for ports etc, it's someone else at my work who looks into this. Will have them check and keep you posted. Meanwhile if you can throw some information on where exactly it's done and what needs to be done for this error it would be really great....

                          Thanks a lot for your help...it made me progress my task..
                          • 10. Re: HTTPS Configuration
                            Dietmar Aust
                            Hi anonymous,

                            please tell us your name, thanks.

                            Ok, let's take this step by step.

                            1) Tell us the complete regular URL you are using to access APEX, e.g.: http://<domain>:<port>/pls/apex
                            // you can change the domain name (or put in a local ip address) if you don't want to publish that here, but please tell us your correct port

                            2) You need to be able to access APEX securely using https, does that work? What is the URL you are using? For example, on my site on the internet, I am using https://www.opal-consulting.de/apex, thus I use the default port 443 for https communication. Another typical port would be 4443.

                            Once we have this information, we can enforce that only your application will require https, all others can continue using http.

                            Do you have 2) working or do you need to set up https on your Oracle Apache first?

                            Cheers,
                            Dietmar.
                            • 11. Re: HTTPS Configuration
                              user13010474
                              Hi Dietmar,

                              1) Tell us the complete regular URL you are using to access APEX, e.g.: http://<domain>:<port>/pls/apex

                              Apex workspace url -
                              http://oemtest.webdev.companya.com:7800/pls/apexiasracq/f?p=4000:1500:2419258091503698::NO:::

                              Application url (which errors out....here I see that http has been replaced by https by the application process you mentioned) -
                              https://oemtest.webdev.companya.com:7800/pls/apexiasracq/f?p=114:1:6716489595556051:::::

                              2) You need to be able to access APEX securely using https, does that work? What is the URL you are using? For example, on my site on the internet, I am using https://www.opal-consulting.de/apex, thus I use the default port 443 for https communication. Another typical port would be 4443.
                              Do you have 2) working or do you need to set up https on your Oracle Apache first?

                              You mean to say that for this to work the apache should be configured to use https? If apache is configured for SSL would it impact all the applications using the apache server?
                              Please explain. And below is my name :-)

                              Regards,
                              Nazeem

                              Edited by: user13010474 on Jul 17, 2012 10:00 AM
                              • 12. Re: HTTPS Configuration
                                Dietmar Aust
                                Hi Nazeem,

                                yes, you need to configure SSL between your browser and the http/webserver, in your case the Oracle http server.

                                And no, if you configure SSL on the http server, you are typically able to communicate via http AND https to this http server.

                                Thus it will not necessarily affect the other applications.

                                The application process I have described will ENFORCE using https and thus disallow http access for this application .. and this application only.

                                I thought this is what you needed to accomplish.

                                But if you want to allow both http and https for your application you would not need the application process.

                                What you need in any case is to configure https for your Oracle http server.

                                Hope that helps,
                                Dietmar.
                                • 13. Re: HTTPS Configuration
                                  user13010474
                                  Hi Dietmar,

                                  Now I got more clarity on what needs to be done. I have submitted request for certificates to be created. Once I get them will do the Oracle Wallet and Apache configurations and then would test the application process you mentioned to implement SSL at application level.

                                  If I switch the "Require HTTPS" at instance level then I guess I don't need to create any application processes or anything else to implement SSL for all the applications...right?

                                  Once I get the certs and after doing configurations I will update the result.

                                  Thanks again for your help...

                                  Regards,
                                  Nazeem

                                  Edited by: user13010474 on Jul 19, 2012 8:41 PM
                                  • 14. Re: HTTPS Configuration
                                    Dietmar Aust
                                    Hi Nazeem,
                                    If I switch the "Require HTTPS" at instance level then I guess I don't need to create any application processes or anything else to implement SSL for all the applications...right?
                                    Well, not really. If you read the context sensitive help for this parameter in the internal administration, it will tell you that this setting will ONLY affect the access to the APEX workspace administration and the internal administration.

                                    What it technically does is to change the session cookie for the workspace login and flag it as "secure". Thus your browser and the APEX engine will only exchange the cookie while using HTTPS. When using http you will see the login page and you can enter a valid username/password combination. But once you click on LOGIN, no cookie will be sent, the login will not be accepted and you will return to the login page without an error message. Thus it is secure but not really user-friendly.

                                    One more thing. This setting "Require HTTPS on instance level" will NOT affect your applications. You would have to set the setting "Secure" to yes (under Shared Components > Authentication Schemes > Create / Edit > Session Cookie Attributes) for each application individually.

                                    But then you will get the same behaviour as when trying to log in to the workspace administration. It will be secure but you simply cannot log in using http. And you won't get a hint why your login doesn't work.

                                    Thus you could then:
                                    - notify the user on page 101 that he has to use https instead of http or
                                    - use the above mentioned process to redirect the user to https instead of http

                                    I would usually take a different approach entirely. Before switching an instance to https I would first test all applications that they work with https without problems. Then I would use the Apache to redirect all http traffic to https (this is a small configuration change). And you are done :). Even if somebody calls any application using http he will silently be redirected to https for this application.

                                    But initially you were asking for an approach with no effects on other applications on your instance. Thus I described the other approach.

                                    Good luck,
                                    Dietmar.

                                    -----
                                    blog: [ http://daust.blogspot.com ]
                                    JasperReportsIntegration: [ http://www.opal-consulting.de/tools ] [ https://www.opal-consulting.de/forums  ]
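
The Apache-side redirect that Dietmar mentions for mod_plsql, sketched as an added example (it is not from the thread or from Oracle's documentation). It assumes plain HTTP listens on port 7800 and the DAD path is /pls/apexiasracq, as in the URLs above; apex.example.com and port 4443 are placeholders for the real host name and SSL port. The rules go in the server or virtual-host section that serves the plain-HTTP port.

```apache
# Added example; apex.example.com and 4443 are placeholders.
RewriteEngine On

# --- Option A: force HTTPS for application 114 only ----------------------
# Match only requests that arrived on the plain-HTTP port ...
RewriteCond %{SERVER_PORT} ^7800$
# ... and whose query string is p=114 or p=114:<page>:<session>...
RewriteCond %{QUERY_STRING} ^p=114(:|$)
# Host and port are written out rather than copied from the client's Host
# header, and the port is the SSL port, not 7800. Sending https:// to the
# plain-HTTP port is what produces ssl_error_rx_record_too_long.
# With no "?" in the target, mod_rewrite appends the original query string.
RewriteRule ^/pls/apexiasracq/f$ https://apex.example.com:4443/pls/apexiasracq/f [R=302,L]

# --- Option B: force HTTPS for every application under this DAD ----------
# Use instead of Option A once all applications are tested over HTTPS.
#RewriteCond %{SERVER_PORT} ^7800$
#RewriteRule ^/pls/apexiasracq/(.*)$ https://apex.example.com:4443/pls/apexiasracq/$1 [R=302,L]
```

Option A leaves every other application on the instance reachable over http; pairing it with the "Secure" session cookie attribute on the application's authentication scheme keeps the session cookie off plain HTTP as well.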