11 Replies Latest reply on Jul 27, 2017 2:04 AM by 966638

    SSL in R12.1

    966638

      Hi,

        I have enabled SSL in R12.1 instance. Now I want to remove the certificate warning while accessing the pages.

        Please suggest how I can create a self-signed certificate and the steps for the same.

       

        EBS - 12.1.2

        DB - 11.2.0.4

        OS - Windows

        • 1. Re: SSL in R12.1
          handat

          The warning you see is because your certificate is self signed, or the hostname does not match. You will need to tell us what the warnings are to determine what you need to change to make them go away, but for one, you need CA signed certificates rather than self signed certificates if you want no warnings, and the CN entry on the certificate needs to match the host name of the URL that you are using to access your service.

          • 2. Re: SSL in R12.1
            966638

            Thanks for the update

            If I create a new wallet request with the proper name (as per the access link) and create and import a self-signed certificate, will it remove the certificate warning?

            • 3. Re: SSL in R12.1
              handat

              It depends on what the actual warning is. Without you telling us what the warning is, we can only guess what it is.

              • 4. Re: SSL in R12.1
                966638

                Attached 2 screens:

                Screen 1: Need to click "continue to use this website" and want to avoid the same: "blue pen highlighted area"

                Screen 2: Warning is coming: "blue pen highlighted area"

                Screen 1:

                Screen 1.JPG

                Screen 2:

                Screen 2.JPG

                • 5. Re: SSL in R12.1
                  handat

                  Screen one shows clearly the reasons for the warning:

                   

                  The security certificate presented by this website was issued for a different website's address.

                  The security certificate presented by this website was not issued by a trusted certificate authority.

                  The security certificate presented by this website has expired or is not yet valid.

                   

                  So if you get a CA signed certificate with the CN matching the website's URL host and domain, then the warning will go away. This needs to be CA signed, not self signed, unless your CA's certificate is imported into each and every browser accessing your site, which is possible if it's a company intranet, but not if it's on the internet.
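The three warning reasons listed in this reply can be checked from the certificate's own fields. The following is an added example, not part of the thread: it runs on a constructed dict in the layout Python's `ssl.SSLSocket.getpeercert()` returns, `warning_reasons` is a hypothetical helper, and issuer-equals-subject stands in for the browser's trust-store check.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert().
# The CN and host name are ones that appear in this thread; dates are made up.
_DN = ((("commonName", "mymachine.us.oracle.com"),),)
SAMPLE_CERT = {
    "subject": _DN,
    "issuer": _DN,  # issuer equals subject: self-signed
    "notBefore": "Jul 26 12:00:00 2017 GMT",
    "notAfter": "Jul 26 12:00:00 2018 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul 27 02:04:00 2017 GMT")


def _names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def _matches(pattern, host):
    """Label-wise match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def warning_reasons(cert, url, now):
    """Return which of the three browser warning reasons apply."""
    host = urlsplit(url).hostname
    reasons = []
    if not any(_matches(n, host) for n in _names(cert)):
        reasons.append("name-mismatch")        # issued for a different address
    if cert["issuer"] == cert["subject"]:
        reasons.append("self-signed")          # no CA in the chain
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        reasons.append("expired-or-not-yet-valid")
    return reasons


if __name__ == "__main__":
    print(warning_reasons(SAMPLE_CERT, "https://test.test:4450/", SAMPLE_NOW))
```
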

                  • 6. Re: SSL in R12.1
                    966638

                    I have created a new wallet and copied the wallet files to

                    d:\oracle\UAT\inst\apps\TEST_test\certs/Apache  and d:\oracle\UAT\inst\apps\TEST_test\certs/opmn

                     

                    Apache is not starting and is failing with the error below:

                     

                    Error

                    --> Process (index=1,uid=565,pid=34924)

                        failed to start a managed process after the maximum retry limit

                        Log:

                        D:\oracle\UAT\inst\apps\TEST_test\ora\10.1.3\opmn\logs\\HTTP_Server~1.log

                     

                    HTTP log:

                    ------------

                    WARNING: StartServers has no effect on Win32

                    [Wed Jul 26 12:33:19 2017] [notice] User directive has no affect on Win32

                    [Wed Jul 26 12:33:19 2017] [warn] pid file D:/oracle/uat/inst/apps/TEST_test/pids/10.1.3/apache/httpd.pid overwritten -- Unclean shutdown of previous Apache run?

                    [Wed Jul 26 12:33:19 2017] [error] mod_ossl: Init: SSL call to NZ function nzos_OpenWallet failed with error 28759 (Server test.test:4450, wallet file:d:\\oracle\\TEST\\inst\\apps\\TEST_test\\certs/Apache)

                    [Wed Jul 26 12:33:19 2017] [error] mod_ossl: Failed to open the wallet [Hint: incorrect path, incorrect password, bad wallet, ...]

                    Error: Failed to open the wallet [Hint: incorrect path, incorrect password, bad wallet, ...] (Server test.test:4450, wallet file:d:\oracle\UAT\inst\apps\TEST_test\certs/Apache)

                    • 7. Re: SSL in R12.1
                      966638

                      I used the password welcome1 while creating the wallet. Do I need to change this password anywhere?

                      • 8. Re: SSL in R12.1
                        handat

                        Did you create an auto wallet? mod_ossl expects you to use an auto wallet so no password is prompted for. Alternatively, you could also use SSLWalletPassword to explicitly specify the password, but this directive is deprecated.

                        • 9. Re: SSL in R12.1
                          966638

                          Used the command below:

                          orapki wallet create -wallet $INST_TOP/certs/Apache -auto_login -> it prompts for a password

                          orapki wallet add \
                              -wallet . \
                              -dn "CN=mymachine.us.oracle.com,OU=ATG Specialty,O=Support,L=Denver,ST=Colorado,C=US" \
                              -keysize 2048 \
                              -pwd welcome1

                           

                          How can I fix this issue, and how can I create a wallet without a password? I don't know the existing wallet password.

                          • 10. Re: SSL in R12.1
                            handat

                            Did you actually add a certificate into your wallet? Your orapki command does not specify a -cert option.

                             

                            Make sure you actually have a certificate in the wallet by listing what is currently in the wallet:

                             

                            orapki wallet display -wallet $INST_TOP/certs/Apache

                             

                            Then once you verified it is there, run the following to generate an auto wallet for your wallet:

                             

                            orapki wallet create -wallet $INST_TOP/certs/Apache -pwd welcome1 -auto_login

                             

                            To double check, your wallet is the ewallet.p12 file and the auto wallet is the cwallet.sso file.

                            • 11. Re: SSL in R12.1
                              966638

                              Verified the wallet and I can see the certificate is there. I can see the ewallet.p12 file and the auto wallet cwallet.sso file are in the Apache directory.

                              Executed the auto-login steps again and started the services. Still the same. I think I am missing some steps, like copying these files to any location, or a password mismatch with any existing files.
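When mod_ossl still fails to open the wallet, the directory named in its error line can be compared with the directory the wallet files were copied to, along with a check that both wallet files are present. This is an added example, not part of the thread: the log line is the one quoted in reply 6, and `wallet_failures` and `findings` are hypothetical helper names.

```python
import re
from pathlib import PureWindowsPath

# Log line as quoted in reply 6 (backslashes are doubled in the log itself).
SAMPLE_LOG = (
    r"[Wed Jul 26 12:33:19 2017] [error] mod_ossl: Init: SSL call to NZ "
    r"function nzos_OpenWallet failed with error 28759 (Server test.test:4450, "
    r"wallet file:d:\\oracle\\TEST\\inst\\apps\\TEST_test\\certs/Apache)"
)
# Directory the wallet files were copied to, per the same reply.
COPIED_TO = r"d:\oracle\UAT\inst\apps\TEST_test\certs/Apache"

WALLET_RE = re.compile(
    r"nzos_OpenWallet failed with error (?P<code>\d+) "
    r"\(Server (?P<server>[^,]+), wallet file:(?P<path>[^)]+)\)"
)


def wallet_failures(log_text):
    """Return (error code, server, wallet directory) for each failed open."""
    out = []
    for m in WALLET_RE.finditer(log_text):
        raw = m.group("path").replace("\\\\", "\\")  # undo log escaping
        # PureWindowsPath compares case-insensitively and treats / like \.
        out.append((int(m.group("code")), m.group("server"),
                    PureWindowsPath(raw)))
    return out


def findings(log_text, copied_to, present_files):
    """Compare what mod_ossl tried to open with where the wallet was placed."""
    issues = []
    expected = PureWindowsPath(copied_to)
    for _code, server, reported in wallet_failures(log_text):
        if reported != expected:
            issues.append(f"{server}: mod_ossl opens {reported}, "
                          f"wallet copied to {expected}")
    names = {n.lower() for n in present_files}
    if "cwallet.sso" not in names:
        issues.append("cwallet.sso (auto-login wallet) missing")
    if "ewallet.p12" not in names:
        issues.append("ewallet.p12 missing")
    return issues


if __name__ == "__main__":
    # Pass os.listdir() of the wallet directory as the third argument.
    for issue in findings(SAMPLE_LOG, COPIED_TO, ["ewallet.p12", "cwallet.sso"]):
        print(issue)
```
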