Master Note for SSL Configuration in Fusion Middleware 11g

Posted by Patrick Hamou on 2017-09-19 16:00:10

APPLIES TO: Oracle WebLogic Server Version 10.3.1 and later and Oracle Fusion Middleware Version 11.1.1.1.0 and later

Oracle WebLogic Server - Version 10.3.1 and later
Oracle Fusion Middleware - Version 11.1.1.1.0 and later
Information in this document applies to any platform.

PURPOSE: SSL Configuration in Fusion Middleware 11g, Wallet types, Keystores, Wallet and Keystore creation methods, Oracle HTTP Server, Webcache, WebLogic server

This is a Master Note for SSL Configuration in Fusion Middleware 11g. By following this Note you should be able to understand Wallet types, Keystores, Wallet and Keystore creation methods, and configuration of Oracle HTTP Server, Webcache, and WebLogic server with SSL.

For Oracle Application Server 10.1.2.X - 10.1.3.X please see Note 1281035.1 Master Note for SSL Configuration in Oracle Application Server 10g (10.1.2 - 10.1.3)
For Fusion Middleware 12.1.X please see Note 1628909.1 Master Note for SSL Configuration in Fusion Middleware 12c

SCOPE: Oracle Fusion Middleware

Oracle Fusion Middleware 11g Administrators

DETAILS: SSL Configuration, Wallet types, Keystores, Wallet and Keystore creation methods, configuration of Oracle HTTP Server, Webcache, WebLogic server

Configuring any FMW 11g Component for SSL requires an understanding of the following concepts:

1. What is SSL and how does it work?
2. What is a Wallet or Keystore, and what types of Wallets/Keystores are available in FMW 11g?
3. How to create a Wallet/Keystore
4. How to configure FMW 11g Components with SSL

By using this Note, you should be guided through the whole process from start to finish.

Section I: An Introduction to PKI and SSL

Before embarking on any SSL configuration, it is worth understanding how SSL technology works and the terms it uses. Start by reading:

Note 264080.1 An Introduction to PKI and SSL

Section II: Wallets and Keystores in FMW 11g

Understanding Wallets and Keystores

The first step in configuring SSL is to configure a Wallet or Keystore. To gain a better understanding of the different types of Wallets and Keystores available in FMW 11g, follow:

Note 1218603.1 Understanding Wallets and Keystores in Fusion Middleware 11g

Creating Wallets and Keystores

Once you understand the types of Wallets and Keystores available and their purpose, you can create a valid Wallet or Keystore.

Configuring a valid Wallet or Keystore involves the following steps:
1. Create a Wallet or Keystore
2. Generate a Certificate Signing Request (CSR)
3. Send the CSR to a Certificate Authority (CA)
4. Import the Trusted CA Certificate(s)
5. Import the Server Certificate

The following Notes take you through the process of achieving this. Choose a Wallet or Keystore creation method that suits your circumstances.

Wallets

Any of the following methods can be used to generate a Wallet for a C-based component (OHS, Webcache, OPMN, OID). Generally speaking, we recommend using FMW Control. However, using FMW Control (or WLST) is *only* possible if the component you are configuring is associated with a WebLogic Server Domain. If you *do not* have a WLS Domain, for example with Standalone Webtier or Standalone OID, then use either Oracle Wallet Manager (OWM) or ORAPKI.

Note 1226834.1 How To Create a Wallet via Fusion Middleware Control in FMW 11g 
Note 1226484.1 How To Create a Wallet via Oracle Wallet Manager in FMW 11g 
Note 1226654.1 How To Create a Wallet via ORAPKI in FMW 11g 
Note 1226753.1 How To Create a Wallet via WebLogic Scripting Tool (WLST) in FMW 11g

Keystores

The following Note can be used to generate a keystore for all Java based components (WLS, SOA, WebCenter, DIP, ODSM):

Note 1230333.1 How To Create a Java Keystore via Keytool in FMW 11g

Miscellaneous

Note 1225107.1 How To Convert an Existing Private Key and Certificate to an Oracle Wallet or Keystore in FMW 11g
Note 1242014.1 How to Move an Oracle Wallet from Oracle Application Server 10g to FMW 11g
Note 1087516.1 How To Extract A Private Key and Certificate From A Wallet in FMW 11g
Note 1237143.1 How To Move A Fusion Middleware 11g Wallet From One Server To Another
Note 1241714.1 How To Convert an AutoLogin Wallet to a Password Protected Wallet in Fusion Middleware 11g 
Note 1268793.1 How to Import a Third Party Wallet into FMW 11g (11.1.1.X)
Note 818274.1 Can an Oracle Wallet be Converted to a Java Keystore?
Note 1368940.1 How To Identify The Correct Trusted Root Certificate Authority Certificate(s) for a User Certificate?
Note 1371209.1 How to Replace an Expired or Expiring Certificate in FMW 11g
Note 1391991.1 How To Convert A Java KeyStore To An Oracle Wallet
Note 344434.1 How to Find and Use Oracle Wallet Manager Documentation for SSL with Oracle Fusion Middleware
Note 1562879.1 How To Extract The Private Key and Certificates From A Java Keystore

Troubleshooting Wallet and Keystore Problems

Note 367755.1 Troubleshooting Wallet Manager Problems in Oracle Application Server 10g and FMW 11g
Note 1382350.1 Troubleshooting Wallet Problems in FMW Control in FMW 11g

Section III: Configuring FMW Oracle Components for SSL

Once you have successfully created your Wallet or Keystore, you are ready to configure your desired component for SSL.

Oracle HTTP Server

For Server Authentication follow:
Note 1226933.1 Configuring Oracle HTTP Server to use SSL in Fusion Middleware 11g (11.1.1.X)

For Client Authentication follow:
Note 1228083.1 Configuring SSL Client Authentication with Oracle HTTP Server in Fusion Middleware 11g (11.1.1.X)

Note 1269633.1 How to Configure CRL Checking in Oracle HTTP Server in FMW 11g (11.1.1.X) 

Miscellaneous:
Note 1268723.1 Configuring Mod_wl_ohs to use SSL between Oracle HTTP Server and Weblogic Server in FMW 11g (11.1.1.X)

Oracle WebCache

For Server Authentication follow:

To connect Webcache to OHS:
Note 1233972.1 Configuring Oracle Web Cache to use SSL in Fusion Middleware 11g (11.1.1.X) 

To connect Webcache direct to WebLogic Server:
Note 1352230.1 Configuring Oracle Web Cache to use SSL in Fusion Middleware 11g (11.1.1.X) with WebLogic Server

For Client Authentication follow:
Note 1235137.1 Configuring SSL Client Authentication in Web Cache in Fusion Middleware 11g (11.1.1.X) 

Note 1371257.1 How to Configure CRL Checking in Oracle WebCache in FMW 11g (11.1.1.X)

Oracle WebLogic Server

For Server Authentication follow:
Note 1235653.1 Configuring Oracle WebLogic Server (10.3.X) to use SSL in Fusion Middleware 11g (11.1.1.X)

For Client Authentication follow:
Note 1237334.1 Configuring Oracle WebLogic Server (10.3.X) to use SSL Client Authentication in Fusion Middleware 11g (11.1.1.X)

Miscellaneous:
Note 1268027.1 How To Configure WebLogic Managed Server To Listen On HTTPS Only In FMW 11g

Note 1353951.1 How to Configure WebLogic Admin Server to Listen on SSL Only and associated FMW Considerations

Ciphersuites and Protocols

Note 1936300.1 How to Change SSL Protocols (to Disable SSL 2.0/3.0) in Oracle Fusion Middleware Products
Note 453079.1 Restricting Anonymous or Weak Ciphers in SSL (HTTPS) for Oracle Fusion Middleware 10g/11g

Section IV: Known Issues

Note 1283744.1 Oracle HTTP Server and/or WebCache Fails to Start after Configuring SSL in FMW 11g on Windows
Note 1223617.1 FMW Control Shows A Wallet As Valid After Copying a File or Creating a Directory Under the /keystores Directory
Note 1260444.1 Fusion Middleware Control Does Not Populate Oracle HTTP Server SSL Variables Correctly
Note 1264169.1 Mod_wl_ohs via SSL to WebLogic Server fails in FMW 11g 11.1.1.2
Note 1268324.1 Certificate Errors in Admin Console and Logs After Disabling HTTP for Managed Server 
Note 1275428.1 Support Status for SHA2 Certificates in Oracle Application Server (10.1.2.X.X) and Fusion Middleware 11g (11.1.1.X)
Note 1939223.1 Is it Possible to Generate SHA2 Certificate Signing Requests with Oracle Wallet Manager or ORAPKI in FMW 11g
Note 1287794.1 Oracle HTTP Server Core Dumps When Accessing /em or /console Using Mod_wl_ohs With SSL
Note 1351724.1 Using FMW 11g CRL URL Functionality With A Proxy Server
Note 1182045.1 HTTP URL's Displayed When Connecting HTTPS to Webcache and Webcache Connects to WLS via HTTP:
Note 1355311.1 IIS Proxy Plugin 1.0 For WebLogic Server Is Truncating The WL-Proxy-Client-Cert Header
Note 1356121.1 IIS W3WP.EXE Crashes When Using Proxy Plugin 1.0 For WebLogic Server With SSL And 4096 Bit Key
Note 428546.1 Is It Possible to have a Single Wallet with Multiple Certificates for Different Web Cache Sites?
Note 1451530.1 Oracle HTTP Server Logs Show "Nzos_Handshake Returned 29048" Errors
Note 1454591.1 When Using OHS 11.1.1.6 And WLS 10.3.6 To Forward Client Certificates, The Certificate Is Not Passed
Note 1518703.1 How to Secure the FMW Control EM Agent Using Self Signed Certificates
Note 1520757.1 How To Secure The FMW Control EM Agent Using Custom Generated Certificates
Note 1559703.1 Oracle HTTP Server Allows Revoked Client Certificates Access When Client Certificate Are Revoked By And CRL Issued By a Different SubCA
Note 1559742.1 Oracle HTTP Server And Oracle WebCache Do Not Read CRL Files Above a Certain Size
Note 1551148.1 Unable to Delete the Server Certificate in a Wallet using Fusion Middleware Control
Note 1675108.1 Internet Explorer 9,10,11 Fails To Connect Via SSL to Oracle HTTP Server 11.1.1.X When Using Client Authentication When TLS 1.2 is Selected
Note 1936300.1 How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products
Note 1968027.1 'Please Provide Proper DN' Whilst Exporting Certificate With ORAPKI