Monday, December 15, 2008

Enabling SSL for Oracle HTTP Server

Enabling SSL for the HTTP server is a relatively simple task; the essential steps are described below.

1) Edit the "opmn.xml" file
(don't forget to make a backup copy). You can edit this file via the OEM or manually (via a shell).
Access the Oracle Enterprise Manager (http://your_server:1810) and, at the bottom of the page, click the link that reads "Process Management".
In the "opmn.xml" file, change the value of the "start-mode" attribute of "HTTP_Server" to "ssl-enabled" and click Apply.

2) Edit the "ssl.conf" file.
This file is accessible via the OEM at HTTP_Server > Administration > Advanced Server Properties > ssl.conf.

Just above the closing tag, enter the following directives:

RewriteEngine on
RewriteOptions inherit

In this same file find the line that reads "#SSLVerifyClient require", and uncomment it (delete the "#").

Finally, change the "SSLWallet file" value to $ORACLE_HOME/oca/wallet/ssl and click the Apply button when you have finished editing.

3) Reset the OCA SSL Wallet password.

Run the following command in the Linux shell:

$ORACLE_HOME/oca/bin/./ocactl setpasswd -type CASSL

Enter the OCA administrator's password.

Enter the new wallet password.

Confirm the new wallet password.

4) Edit the Wallet.

Now that you have the wallet's password, open the wallet with the Oracle Wallet Manager and add the CA certificate you created as a trusted certificate.

5) Import your user certificate into Firefox/IE.
You can now access your website over a secure channel, with user authentication via digital certificate.
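The setting easiest to miss in step 2 is the still-commented "SSLVerifyClient require": without it the server accepts any browser and never asks for the user certificate. The following shell audit is an added example, not part of the original post; it greps an ssl.conf for the four settings described above. The two sample files it writes are constructed, and the ORACLE_HOME path in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OHS ssl.conf for the
# client-certificate settings of step 2. Sample configs are constructed;
# /PLACEHOLDER_ORACLE_HOME stands in for the real $ORACLE_HOME.

# _check FILE REGEX DESCRIPTION: print OK/FAIL for one directive.
_check() {
  if grep -Eq "$2" "$1"; then echo "OK   $3"; return 0; fi
  echo "FAIL $3"; return 1
}

# check_ssl_conf FILE: return 0 only if every required directive is active.
# A leading '#' (the shipped default) does not match, so a commented-out
# directive is reported as FAIL.
check_ssl_conf() {
  rc=0
  _check "$1" '^[[:space:]]*SSLVerifyClient[[:space:]]+require' \
    'SSLVerifyClient require is active (browser must present a certificate)' || rc=1
  _check "$1" '^[[:space:]]*SSLWallet[[:space:]]+file:.*/oca/wallet/ssl' \
    'SSLWallet points at the OCA SSL wallet' || rc=1
  _check "$1" '^[[:space:]]*RewriteEngine[[:space:]]+on' 'RewriteEngine on' || rc=1
  _check "$1" '^[[:space:]]*RewriteOptions[[:space:]]+inherit' 'RewriteOptions inherit' || rc=1
  return $rc
}

# Constructed sample: ssl.conf after the edits in step 2.
write_good_conf() {
  cat > "$1" <<'EOF'
<VirtualHost _default_:4443>
  SSLEngine on
  SSLVerifyClient require
  SSLWallet file:/PLACEHOLDER_ORACLE_HOME/oca/wallet/ssl
  RewriteEngine on
  RewriteOptions inherit
</VirtualHost>
EOF
}

# Constructed sample: the untouched default, SSLVerifyClient still commented.
write_default_conf() {
  cat > "$1" <<'EOF'
<VirtualHost _default_:4443>
  SSLEngine on
  #SSLVerifyClient require
  SSLWallet file:/PLACEHOLDER_ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default
</VirtualHost>
EOF
}

# Demo: run both samples through the audit.
demo_dir=$(mktemp -d)
write_good_conf "$demo_dir/edited.conf"; write_default_conf "$demo_dir/default.conf"
echo "== edited ssl.conf"; check_ssl_conf "$demo_dir/edited.conf"
echo "== default ssl.conf"; check_ssl_conf "$demo_dir/default.conf"
rm -rf "$demo_dir"
```

Point check_ssl_conf at the real $ORACLE_HOME/Apache/Apache/conf/ssl.conf after clicking Apply; a non-zero exit means at least one of the step 2 edits did not take.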


Note: this post assumes that you have successfully created a CA certificate and a user certificate signed by that CA. I recommend using OpenSSL. In the next few days I'll post on OpenSSL, focusing on this issue. Feedback is more than welcome!
