Monday, October 30, 2006

Setting Up SSL for Application Express

If you are reading this, you might be interested in this post as well and probably this one.

I'll try to give sufficient info to do this.
All steps are done with ORACLE_HOME set to the middle-tier home (the Apache / Companion CD home), not the database home.

1. You need to use Oracle Wallet Manager (OWM) to create a wallet and get it set up.
-- a. set up ORACLE_HOME, etc.
-- b. go to $ORACLE_HOME/bin
-- c. run Oracle Wallet Manager ./owm
-- d. create a new wallet and save in a new directory (e.g. /home/oracle/myWallet/)
-- e. create a certificate request
-- -- i. the common name is the host name that users will type in the URL, for example www.concept2completion.net
-- -- ii. Organizational Unit and Organization are just text associated with your company
-- -- iii. You should spell out the state
-- f. export the request to a text file
-- g. You will need to go to a certificate authority (CA) to get a certificate; paste in the contents of the text file created in (f). I have had problems with both GoDaddy and Verisign. I have had good luck with entrust.com and thawte.com.
-- h. If you get a trial certificate you will need to get the trial Root Certificate (aka trusted certificate) from the CA. Save it as a text file. Install that into OWM as a trusted cert.
-- i. Now install your cert (from g) in OWM and save.
2. Configure your ssl.conf file, located in $ORACLE_HOME/Apache/Apache/conf
-- a. You can use the default listen and port settings (probably 4443 or 4447) or you can change to 443. If you change to 443, you need to change all occurrences. Also, the .apachectl binary (located in $ORACLE_HOME/Apache/Apache/bin/) will need to be owned by root. This is the same requirement as running on port 80.
-- -- Setting up Apache to run on ports below 1024:
-- -- 1. Shut down OHS
-- -- 2. Become root
-- -- 3. cd $ORACLE_HOME/Apache/Apache/bin
-- -- 4. chown root .apachectl
-- -- 5. chmod 6750 .apachectl
-- -- 6. cd $ORACLE_HOME/Apache/Apache/logs
-- -- 7. rm -f *
-- b. Besides the port change, you need to change the location of your wallet and give your wallet password. You can encrypt the password, but I'm not covering that here and now. (See Oracle Support Note 184677.1)
SSLWallet file:/home/oracle/myWallet/
SSLWalletPassword mySuperPW1
-- c. Save ssl.conf
3. Here is the trick. You need to configure OPMN to start the HTTP Server in SSL mode. Edit the file opmn.xml (located in $ORACLE_HOME/opmn/conf/)
-- a. under the HTTP_Server component, look for the start-mode entry whose value is ssl-disabled
-- -- change it to
-- -- ssl-enabled
-- b. Save opmn.xml
4. Go to $ORACLE_HOME/opmn/bin and restart everything:
-- a. opmnctl stopall
-- b. opmnctl startall

OK, now you are running in SSL. You might want to run everything over SSL, or just some things. To do this, you can set an Apache rewrite rule. Here is an example that rewrites everything under /pls/apex to https (it assumes you are running SSL on port 443). Edit your httpd.conf file, add the lines below at the end of the file, then run opmnctl stopall and opmnctl startall:
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/pls/apex/(.*)$ https://concept2completion.net/pls/apex/$1 [L,R]
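As an added example (not part of the original post), here is a small Python check that reads the three files the steps above edit, ssl.conf, opmn.xml and the httpd.conf rewrite block, and reports where they disagree: the OPMN start-mode still ssl-disabled (step 3), a wallet password left in clear text in ssl.conf (step 2b), and a rewrite rule that forces a port ssl.conf does not listen on, or that would loop. The file contents are constructed samples modelled on the directives and the start-mode entry the post refers to, not copied from a real server.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples of the three files the post edits (not copied from a server).
SSL_CONF = """\
Listen 4443
<VirtualHost _default_:4443>
SSLEngine on
SSLWallet file:/home/oracle/myWallet/
SSLWalletPassword mySuperPW1
</VirtualHost>
"""
OPMN_XML = """\
<opmn><process-manager><ias-component id="HTTP_Server">
 <process-type id="HTTP_Server" module-id="OHS"><module-data>
  <category id="start-parameters"><data id="start-mode" value="ssl-disabled"/></category>
 </module-data></process-type></ias-component></process-manager></opmn>
"""
HTTPD_CONF = """\
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/pls/apex/(.*)$ https://concept2completion.net/pls/apex/$1 [L,R]
"""


def audit(ssl_conf, opmn_xml, httpd_conf):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    # ssl.conf: SSL listen ports, wallet location, and how the password is kept
    ports = [int(p) for p in re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)", ssl_conf, re.M)]
    if not ports:
        findings.append("ssl.conf: no Listen directive")
    if not re.search(r"^\s*SSLWallet\s+file:\S+", ssl_conf, re.M):
        findings.append("ssl.conf: SSLWallet not set")
    if re.search(r"^\s*SSLWalletPassword\s+\S", ssl_conf, re.M):
        findings.append("ssl.conf: wallet password stored in clear text (use an auto-login wallet or Note 184677.1)")
    # opmn.xml: the HTTP Server must be started in SSL mode (the 'trick' in step 3)
    mode = None
    for comp in ET.fromstring(opmn_xml).iter("ias-component"):
        if comp.get("id") == "HTTP_Server":
            for data in comp.iter("data"):
                if data.get("id") == "start-mode":
                    mode = data.get("value")
    if mode != "ssl-enabled":
        findings.append(f"opmn.xml: HTTP_Server start-mode is {mode!r}, expected 'ssl-enabled'")
    # httpd.conf: the port the RewriteCond exempts must be the port the rule sends
    # users to (else every request redirects again) and one that ssl.conf serves
    cond = re.search(r"RewriteCond\s+%\{SERVER_PORT\}\s+!\^(\d+)\$", httpd_conf)
    rule = re.search(r"RewriteRule\s+\S+\s+https://[^/\s:]+(?::(\d+))?/", httpd_conf)
    if cond and rule:
        forced, target = int(cond.group(1)), int(rule.group(1) or 443)
        if forced != target:
            findings.append(f"httpd.conf: RewriteCond exempts port {forced} but redirects to {target} (loop)")
        if forced not in ports:
            findings.append(f"httpd.conf: redirect assumes port {forced} but ssl.conf listens on {ports}")
    return findings


if __name__ == "__main__":
    for finding in audit(SSL_CONF, OPMN_XML, HTTPD_CONF):
        print(finding)
```

Run against the samples as written it reports all three mismatches; once the wallet password line is removed, opmn.xml says ssl-enabled and ssl.conf listens on 443, it reports nothing.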

Hope this captures all of the steps. Let me know if this helps.


43 comments:

Roger Cohen said...

Many thanks for these detailed and accurate instructions - they allowed me to set up SSL for Apex on a Windows 2003 Oracle installation with no other help.

Roger Cohen
roger.cohen@quixa.com

Anonymous said...

Anton,

I don't even qualify as a novice when it comes to using LDAP. Your posting appears to be very useful. Question: If one wanted to just rewrite (secure) the user/password authentication process, how would that configuration be for an ApEx/Apache environment?

Jeff Perry
jeffsp59@yahoo.com

Anton Nielsen said...

Question: If one wanted to just rewrite (secure) the user/password authentication process, how would that configuration be for an ApEx/Apache environment?

Jeff,

You can set up LDAP for un/pw authentication and for authorization fairly easily. The easiest way is to use the built-in LDAP APIs. There is a good how-to here.

Drop me a note if this does not cover what you are looking for.

Anonymous said...

Anton,
how are you?
the examples imply that all components (db, apache) reside on the same machine. Can I move them to diff. hosts?
// I just started looking into APEX, pardon my ignorance.

Andrew

Anton Nielsen said...

Andrew,

With the 10g database (standard or enterprise editions) you can definitely move components to different machines--database on one machine and the Web Server on another. With DB Express you can not--well, perhaps you can, but it would involve using a web server other than the one baked into the database.

It may or may not make sense to do it, though. I'm not a licensing expert, but separating things out may have a cost impact.

In short, to separate it on to different machines, just install the database on one machine and the Web Server (Oracle http server based on Apache) on another.
Anton

Peter Manchev said...

Thank you for the example.

I have one further question:

Can I set up digital certificate auth for my Apex 3.0 App users in similar way? Did anyone succeed in doing it?

I would like to do it in a way, similar to the one described in the following article:

OpenSSL user authentication with Apache using x.509 certificates on smart cards

www.opensc-project.org/files/doc/apache-client-authentication(v0.5.1).pdf

Best,
Pete

Anton Nielsen said...

Pete,

I gave a quick read through the document. I suspect you could do this, but I have not tried it. The Apache server used with Apex is based on v1.3, but I think most of what is in the doc should work.

Let me know if you go through the steps.

Anton

Kostya said...

Hello!

I tried to follow through all these steps. And it doesn't work.

Can you describe these lines in more detail:
"Also, the apachectl file will need to be owned by root (located in $ORACLE_HOME/Apache/Apache/bin/). Same requirement as running on Port 80."

Maybe this one causes my problems.

Best Regards, Kostya Proskudin.

Anton Nielsen said...

Kostya,

I just updated the post to describe how to run Apache on ports below 1024. Hope this helps.

Anton

Anonymous said...

Hello,
I'm referring to the posting from Jeff Perry.
I read the mentioned how-to but there is no comment on using LDAP over SSL. But that's what I'm also interested in.
Thanks in advance,
Ingo

Kostya said...

On the basis of your post, I created my own post, which discusses user authentication and how to create your own certificates.
http://proskudin.blogspot.com/2007/06/authentification-using-client-ssl.html

Anonymous said...

I've set up ssl authentication on Oracle Apache. The problem is that I couldn't find a way to transfer the properties from the certificate to APEX, so at the end each authenticated user becomes a public user.

Nenad

Anton Nielsen said...

Nenad,

I'm not sure I understand what you are trying to accomplish. Are you using PKI Certs to establish user identity (that is, to do authentication)? This article does not address authentication, only configuring SSL. Let me know if you are looking for authentication via PKI Certs and I'll try to post something on that topic.

Anton

Nenad Noveljic said...

Hi Anton,

Yes, this is exactly what I would like to do: to identify the user based on his certificate.

I have already configured Apache for two-way SSL, so that each user needs to present a valid certificate signed by a trusted CA in order to get into the application. In the next step I would like to establish the identity of an authenticated user, but it seems that APEX misses an API for accessing the properties of the user certificate.
I'll be grateful for any useful hint!

Nenad Noveljic

Anonymous said...

Hi,

Do I need to download something for getting Oracle Wallet Manager to work? And what do I need to install?
I am using opensuse 10.2, oracle database 10g and apex 3.0.1.

Thanks for your help.
Regards,
Denise

Anonymous said...

You do not need to download anything. OWM is part of the companion cd install. The exact commands to start OWM are in the post above. Let me know if you try those and have a problem.

Anton

Denise said...

Hi,

Thank you very much for your answer.

I am using Opensuse 10.2, Oracle database XE 10g and APEX 3.0.1.
I have tried to install the HTTP Server from the companion cd. And it said this is not made for my operating system. I would have to use another system to get that to work.
I have not tried it with the other things available on the cd. But do you know whether it is the same? That e.g. I cannot use the OWM because I don't have the 'right' operating system?

Anton Nielsen said...

Denise,

I don't know anything specific about Opensuse. I am running SuSE on the server that I used to create these instructions. To do any of this you need an Oracle HTTP server, either from 10g Application Server or from the 10g Companion CD. If you can't get either of those to install you won't be able to get this to work.

Anton

Anonymous said...

Denise,
You might want to try adding -ignoreSysPrereqs when launching the OUI installer, it should skip the OS test

Kannan said...

Anton

Your post was very useful along with other posts that I referred. I've compiled a page for those who would want to look at how to configure a "Self-Signed Certificate for Oracle Application Express with Oracle AS 10.1.2 on Windows 2003". It can be found at http://kannankumara.blogspot.com/2008/02/self-signed-certificate-for-oracle-as.html

Mark said...

I just installed Oracle XE 10.2.0, and it does not seem to include OWM. Can anyone confirm this? OWM is nowhere to be found. bummer!

Berbiji said...

Anton,
I've configured an Oracle HTTP Server 10.1.2 with SSL.
This configuration can be run from Mozilla browsers and Opera, but not from Internet Explorer.

What I found from Apache's error_log.xxxx is
error mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29014 (server ---.---.com:4443, client --.--.--.--)
error mod_ossl: Unknown error
error mod_ossl: SSL call to NZ function nzos_Handshake failed with error 28864 (server ---.---.com:4443, client --.--.--.--)
error mod_ossl: SSL IO error Hint: the client stop the connection unexpectedly

So I looked in the Metalink and found Note:312041.1, applied patch 4960210 and restarted the server. But now it wouldn't start at all, even though none of the configuration files were changed.

Any help would be greatly appreciated.

Anton Nielsen said...

Berbiji,

I'm afraid I would need a lot more info or access to your server to troubleshoot this. I have applied this patchset many times without issues. I have run into this very error, and the patch may or may not solve it.

One possibility is that you have a 10g database on the same box and that you have an ons port conflict. If you have a database on the box, try rebooting and not bringing up the db listener. See if things work with that off.

The next thing to do is get the patch installed properly and get everything running with the patch but without SSL. Then try to put in SSL. If you don't have a lot invested in the setup, just uninstall everything and install the latest version and the patch. See if you can get that running, then try to add in SSL.

If that does not work, respond to this with the following:

Operating System and version
Exact versions of all Oracle software on the server
SSL Configuration steps
Certificate provider and type of cert

Berbiji said...

Anton, what if I have a different database box? Would that step be different?

Thanks

yo said...

Hi

I have a little problem. I didn't install OAS or anything else on my ORACLE 11g and the directory $ORACLE_HOME/Apache doesn't exist. I know I have an Apache and SSL installed because I access EM through https, but I don't know where it is, and like I said I can't complete all the steps described in your guide.

I'm working with APEX included in the Enterprise Edition of ORACLE 11g and currently I access the apps via http.

Please send me an idea.

Thanks.

Anton Nielsen said...

Yo,

Your EM webserver is not the same one you use to access APEX. You are probably using the embedded pl/sql gateway (EPG). It depends on how you installed things. I don't use the EPG often and I'm not sure if you can set up SSL with the EPG. I suggest you check your install log ($ORACLE_HOME/install) and see if it lists an OHS install and port. If not, you may want to consider running the OHS install and using that. If you want personal assistance you can click the C2 Consulting link and send a message or call 1-617-639-0232 and someone will set you up with a consultant. I'm pretty busy these days, but there are other folks that can help you. Not to be too promotional, but C2 can also help you get started building APEX apps. Just give a call or drop a message.

Anton

yo said...

OK

Thanks a lot.

In fact I'm already developing apps; I just need to configure it to use SSL. I'm going to do what you suggest.

Thanks again Anton.

Martin said...

Hi Anton,

my customer has an Oracle Apache Standalone 9.0.4.0.0 installed. Now I have done the switch to SSL like your blog entry and the blog entry of Kannan Kumara. The SSL works fine with APEX and the Firefox browser. But with IE 7 I get the error 'Can't show the Site'.
In the following files I can see errors independent of IE or Firefox. It seems that Firefox can ignore these errors.

In the file access_log: "GET /pls/lpt01/f?p=lpwav:1 HTTP/1.1" 401 494
In the ssl_request_log: SSLv3 SSL_RSA_WITH_RC4_128_MD5 "GET /pls/lpt01/f?p=lpwav:1 HTTP/1.1" 494

Can you imagine what's wrong ?

Best regards
Martin

loga said...

hi,
I am very new to SSL. This is very much useful for my project.
Please let me know whether any free CA is available.
In your post:
You will need to go to a certificate authority (CA) to get a certificate and paste in the contents of the text file created in (f).
Where do I need to go for a free SSL CA?

Thanks
Logaa

Gary said...

-- e. create a certificate request
-- i. the common name is the name of the url, for example www.concept2completion.net

I'm doing this for the first time. I'm running Oracle 10g on a Sun/Solaris machine and mod_plsql on a sep. Win 2003 test machine that is not currently connected to the net.

My goal is to have clients log in securely to my APEX apps.

Can I still get and install a cert and config APEX? If so, I have a couple of questions.

1) Do I need to change permissions and owner on the .apachectl? How and to what in windows?

2) Please explain "url, for example" What url do I need to supply?

I'm such a newbie, thanks!

Anton Nielsen said...

Gary,

You can definitely get this set up in your environment. When you say that you want clients to log in securely I assume that you mean enter a un/pw over an SSL connection. Also, I'm not sure what you mean by clients. Whoever is logging in to your application will need some sort of connection to your Windows Apache server. If your Windows machine is not connected to the net (and you have users coming from the net) you will either need to poke a hole in your firewall to allow traffic or you will have to set up a reverse proxy that handles the traffic and routes it to the Windows apache (through the firewall).

1) Do I need to change permissions and owner on the .apachectl? How and to what in windows?

Not on Windows. This is a Unix requirement.

2) Please explain "url, for example" What url do I need to supply?

This is the URL that your users will type in their browser. DNS will need to resolve this URL to your Windows machine. (Unless you plan to use a reverse proxy, but that is another post altogether.)

Anonymous said...

Hi -

We have 11g with Oracle HTTP Server behind our firewall and Apache in front of the firewall providing reverse proxy.

We currently have 3 domains in Apache.

How would this work if we wanted only one domain in our Apache installation to be under SSL?

Thanks,
Kay

Anton Nielsen said...

Kay,

C2 has a course specifically for advanced configurations. If you are interested in that, click the C2 Consulting link at the top of the page. The short answer, though, is to have just one of the virtual host entries operate in SSL and the others in straight http.

See also:
http://c2anton.blogspot.com/2006/10/oracle-portal-virtual-host-and-ssl.html

# Use name-based virtual hosting.
#
#NameVirtualHost *
#NameVirtualHost 12.34.56.78:80
#NameVirtualHost 12.34.56.78

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#

Anton

Anonymous said...

Anton,
I've a problem with the certificate request. My certificate authority rejected it with comment "MD5 Signature Algorithm Detected,Please change the signature algorithm to SHA1 or better, create a new CSR and try it again! " but I can't find any possibility to change this in the wallet manager.
Any idea? Thanks! Andy

Anonymous said...

Under SSL would my new APEX page URL look the same except for the https as opposed to http?

Anton Nielsen said...

Andy,

You will either need to upgrade to a newer version of Apache, which you can do with the latest Oracle HTTP Server, or, if you are just using the mod_plsql gateway, use any Apache (not just Oracle) with the new APEX listener.

Anonymous,

If you configure the SSL port to be 443, then yes. If you use another port then you will need to add the port to the url: for example, https://mymachine.mydomain.com:4443

Anton

Anonymous said...

Thanks! Very helpful.

rob said...

How do you get the client cert information (example DN string) from within Apex? I would need this if I want to do an LDAP lookup.

Thanks,
Rob

איתי גודאי said...

Thanks a lot for this great POST , made my day.

Two Issues :

1. Works - Enabled it with GoDaddy (12.9$ version - standard SSL 2048 - 128 bit).

2. Don't forget to set Auto-Login in the wallet (wallet -> AutoLogin -> check it) or mention in the conf file the SSL password (verify in doc how to set it).

Anonymous said...

Hi All,
nice post, but what if I need to force only the login page (i.e. 101) to the https protocol, and the other pages to http? I am using the standalone http server.

Regards,
omar

Anonymous said...

Hi Anton.

As I understand, this action is used when you develop an application which will be secured.

I need an app which needs to access a web service over the internet, and that service is secured. The host company of that web service sent me CA.crt and public_key.cer.

Do I have to complete all your steps, or I just need some of those for adding those certs in my app?

I don't need to secure my app with certificates. It will be used by users already defined in our database.

Thank you,
Miroslav
