If you are reading this, you might be interested in this post as well and probably this one.
I'll try to give enough information to do this end to end.
All steps are done with ORACLE_HOME set to the middle-tier home (the Apache / Companion CD home), not the database home.
1. Use Oracle Wallet Manager (OWM) to create a wallet and load it with your certificate.
-- a. set ORACLE_HOME (and PATH) for the middle-tier home
-- b. go to $ORACLE_HOME/bin
-- c. run Oracle Wallet Manager: ./owm
-- d. create a new wallet and save it in a new directory (e.g. /home/oracle/myWallet/). Keep that directory readable only by the user OHS runs as; it holds your private key.
-- e. create a certificate request
-- -- i. the common name (CN) is the fully qualified host name users will type in the URL, for example www.concept2completion.net. If it does not match, browsers will warn on every visit.
-- -- ii. Organizational Unit and Organization are just text identifying your company
-- -- iii. spell out the state; do not abbreviate it
-- f. export the request to a text file (this is a PEM-encoded CSR)
-- g. You will need to go to a certificate authority (CA) to get a certificate and paste in the contents of the text file created in (f). I have had problems with both GoDaddy and VeriSign. I have had good luck with entrust.com and thawte.com.
-- h. If you get a trial certificate you will need to get the trial root certificate (aka trusted certificate) from the CA. Save it as a text file and import it into OWM as a trusted certificate. The same applies to any intermediate certificate the CA sends you: OWM will not import your own certificate until its issuer chain is in the wallet's trusted list.
-- i. Now import your certificate (from g) into OWM as the user certificate and save the wallet.
2. Configure your ssl.conf file, located in $ORACLE_HOME/Apache/Apache/conf.
-- a. You can keep the default Listen and Port settings (probably 4443 or 4447) or change them to 443. If you change to 443, change every occurrence (Listen, Port and the VirtualHost line), otherwise the listener and the virtual host disagree. Because 443 is below 1024, the .apachectl binary in $ORACLE_HOME/Apache/Apache/bin/ must also be owned by root and setuid. This is the same requirement as running on port 80:
---- 1. Setting up Apache to run on ports below 1024
1 Shut down OHS (opmnctl stopall)
2 Become root
3 cd $ORACLE_HOME/Apache/Apache/bin
4 chown root .apachectl
5 chmod 6750 .apachectl
   (setuid and setgid root, executable by owner and group only; leave the group set to the oracle software group so no other local user can start the server)
6 cd $ORACLE_HOME/Apache/Apache/logs
7 rm -f *
   (this deletes the existing log files so the root-started server can recreate them; copy anything you still need first)
-- b. Besides the port change, you need to point SSLWallet at the wallet directory and give the wallet password. The password can be obfuscated, or avoided altogether with an auto-login wallet, but I'm not covering that here and now. Since the password sits in cleartext, make sure ssl.conf is not readable by other users on the box.
SSLWallet file:/home/oracle/myWallet/
SSLWalletPassword mySuperPW1
-- c. Save ssl.conf
3. Here is the trick. You need to tell OPMN to start OHS in SSL mode; otherwise OHS starts without the SSL define and ssl.conf is never loaded. Edit opmn.xml (located in $ORACLE_HOME/opmn/conf/):
-- a. in the HTTP_Server component, find the start-mode entry under start-parameters; it reads ssl-disabled
-- -- change it to
-- -- ssl-enabled
-- b. Save opmn.xml
4. Go to $ORACLE_HOME/opmn/bin and restart everything:
-- a. opmnctl stopall
-- b. opmnctl startall
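Before the restart in step 4 it is worth checking that steps 2 and 3 were done completely. The script below is an added example, not part of the original post: it reads the two files the post edits and reports the things the post tells you to change (the SSL port used consistently in Listen, Port and the VirtualHost, the wallet path, the cleartext wallet password and the file-permission risk that comes with it, and opmn's start-mode). The ssl.conf and opmn.xml fragments are constructed samples, and the opmn.xml element names (ias-component / process-type / start-parameters / start-mode) are the 10g layout assumed here; verify them against your own file.

```python
"""Sanity-check an OHS 10g SSL setup (ssl.conf + opmn.xml) before restarting.

Added example, not from the original post. The samples are constructed and
the opmn.xml element layout is an assumption about the 10g file format.
"""
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample of an ssl.conf in which only Listen was moved to 443,
# the mistake the post warns about ("change all occurrences").
SAMPLE_SSL_CONF = """\
Listen 443
Port 4443
<VirtualHost _default_:4443>
    SSLEngine on
    SSLWallet file:/home/oracle/myWallet/
    SSLWalletPassword mySuperPW1
</VirtualHost>
"""

# Constructed sample of the opmn.xml fragment that still starts OHS without SSL.
SAMPLE_OPMN_XML = """\
<opmn>
  <process-manager>
    <ias-component id="HTTP_Server">
      <process-type id="HTTP_Server" module-id="OHS">
        <module-data>
          <category id="start-parameters">
            <data id="start-mode" value="ssl-disabled"/>
          </category>
        </module-data>
        <process-set id="HTTP_Server" numprocs="1"/>
      </process-type>
    </ias-component>
  </process-manager>
</opmn>
"""


def ssl_ports(ssl_conf: str) -> set:
    """Every port ssl.conf mentions for the SSL listener (Listen, Port, VirtualHost)."""
    ports = set(re.findall(r"^\s*(?:Listen|Port)\s+(?:[\w.]+:)?(\d+)", ssl_conf, re.M))
    ports |= set(re.findall(r"<VirtualHost\s+[^:>]+:(\d+)>", ssl_conf))
    return {int(p) for p in ports}


def wallet_settings(ssl_conf: str) -> dict:
    """Wallet directory and whether a cleartext SSLWalletPassword is present."""
    m = re.search(r"^\s*SSLWallet\s+file:(\S+)", ssl_conf, re.M)
    pw = re.search(r"^\s*SSLWalletPassword\s+(\S+)", ssl_conf, re.M)
    return {"wallet": m.group(1) if m else None, "cleartext_password": pw is not None}


def opmn_start_mode(opmn_xml: str) -> str:
    """The start-mode opmn uses for the HTTP_Server process type ('' if absent)."""
    root = ET.fromstring(opmn_xml)
    for pt in root.iter("process-type"):
        if pt.get("id") == "HTTP_Server":
            for data in pt.iter("data"):
                if data.get("id") == "start-mode":
                    return data.get("value", "")
    return ""


def check_config(ssl_conf: str, opmn_xml: str, ssl_conf_mode: int = None) -> list:
    """Return human-readable findings; an empty list means the setup looks consistent."""
    findings = []
    ports = ssl_ports(ssl_conf)
    if len(ports) != 1:
        findings.append(f"inconsistent SSL ports {sorted(ports)}: change every occurrence")
    w = wallet_settings(ssl_conf)
    if not w["wallet"]:
        findings.append("SSLWallet not set (expected 'SSLWallet file:<dir>')")
    if w["cleartext_password"]:
        findings.append("SSLWalletPassword is cleartext: keep ssl.conf mode 0600 "
                        "or use an auto-login wallet")
        # ssl_conf_mode is the st_mode of ssl.conf (os.stat(path).st_mode) if you have it
        if ssl_conf_mode is not None and ssl_conf_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"ssl.conf is readable by group/others (mode {oct(ssl_conf_mode)})")
    if opmn_start_mode(opmn_xml) != "ssl-enabled":
        findings.append("opmn.xml start-mode for HTTP_Server is not ssl-enabled")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_SSL_CONF, SAMPLE_OPMN_XML, 0o644):
        print("FINDING:", f)
```

Run against the real files by reading $ORACLE_HOME/Apache/Apache/conf/ssl.conf and $ORACLE_HOME/opmn/conf/opmn.xml into the two strings and passing os.stat(ssl_conf_path).st_mode as the third argument; the sample as written produces four findings, and a correctly edited pair produces only the cleartext-password reminder.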
OK, now you are running SSL. You might want to run everything over SSL, or just some things. To force part of the site onto SSL, use an Apache rewrite rule. Here is an example that redirects everything under /pls/apex to https (it assumes SSL is on port 443; if you kept 4443, change the port in both the RewriteCond and the target URL). Edit your httpd.conf file, add the lines below at the end of the file, then opmnctl stopall and opmnctl startall. The plain [R] flag sends a temporary (302) redirect; switch to [L,R=301] once you are sure the rule is right. The original query string (the f?p=... part) is carried over automatically.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/pls/apex/(.*)$ https://concept2completion.net/pls/apex/$1 [L,R]
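To see exactly which requests the rule above catches, here is an added example that is not part of the original post: it models just enough of mod_rewrite's behaviour (the RewriteCond on SERVER_PORT, the RewriteRule on the request path, the query string carried over, and [R] meaning a 302) to walk a few constructed sample requests through the rule. The host name is the one hard-coded in the post's rule; the sample requests and their ports are invented for the demonstration.

```python
"""Walk constructed sample requests through the post's RewriteCond/RewriteRule pair.

Added example, not from the original post. It emulates the two directives
above, not mod_rewrite in general.
"""
import re

SSL_PORT = 443                         # the port the RewriteCond tests for
HOST = "concept2completion.net"        # hard-coded in the post's RewriteRule
RULE = re.compile(r"^/pls/apex/(.*)$")  # the RewriteRule pattern


def rewrite(server_port: int, path: str, query: str = ""):
    """Return (status, location) when the rule redirects, or None when the request passes through.

    RewriteCond %{SERVER_PORT} !^443$     -> only requests on non-SSL listeners are affected
    RewriteRule ^/pls/apex/(.*)$ https://HOST/pls/apex/$1 [L,R]
    """
    if server_port == SSL_PORT:        # condition fails: already on SSL
        return None
    m = RULE.match(path)
    if not m:                          # rule does not match, e.g. /i/ images or /pls/apex without the slash
        return None
    location = f"https://{HOST}/pls/apex/{m.group(1)}"
    if query:                          # mod_rewrite appends the original query string when
        location += "?" + query        # the substitution carries none of its own
    return (302, location)             # [R] with no code is a temporary redirect


# Constructed sample requests: (server port, path, query string)
SAMPLE_REQUESTS = [
    (80, "/pls/apex/f", "p=100:1:123456789"),   # plain-HTTP APEX page: redirected, query kept
    (443, "/pls/apex/f", "p=100:1:123456789"),  # already on SSL: untouched
    (80, "/pls/apex", ""),                      # no trailing slash: pattern does not match
    (80, "/i/apex_logo.gif", ""),               # static image: not under /pls/apex/
    (7777, "/pls/apex/", ""),                   # default OHS port: redirected to the DAD root
]

if __name__ == "__main__":
    for port, path, query in SAMPLE_REQUESTS:
        result = rewrite(port, path, query)
        print(f"{port:>5} {path}{'?' + query if query else ''} -> {result or 'pass through'}")
```

The third sample shows the one gap in the rule: a user who types http://host/pls/apex with no trailing slash is not redirected and stays on plain HTTP until the DAD sends them somewhere else. Widening the pattern to ^/pls/apex(/.*)?$ closes it; using %{HTTP_HOST} in place of the literal host name makes the same rule work for aliases of the server.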
Hope this captures all of the steps. Let me know if this helps.
Monday, October 30, 2006

28 comments:
Many thanks for these detailed and accurate instructions - they allowed me to set up SSL for Apex on a Windows 2003 Oracle installation with no other help.
Roger Cohen
roger.cohen@quixa.com
Anton,
I don't even qualify as a novice when it comes to using LDAP. Your posting appears to be very useful. Question: If one wanted to just rewrite (secure) the user/password authentication process, how would that configuration be for an ApEx/Apache environment?
Jeff Perry
jeffsp59@yahoo.com
Question: If one wanted to just rewrite (secure) the user/password authentication process, how would that configuration be for an ApEx/Apache environment?
Jeff,
You can set up LDAP for un/pw authentication and for authorization fairly easily. The easiest way is to use the built-in LDAP APIs. There is a good how-to here.
Drop me a note if this does not cover what you are looking for.
Anton,
how are you?
the examples imply that all components (db, apache) reside on the same machine. Can I move them to different hosts?
// I just started looking into APEX, pardon my ignorance.
Andrew
Andrew,
With the 10g database (standard or enterprise editions) you can definitely move components to different machines--database on one machine and the Web Server on another. With DB Express you cannot--well, perhaps you can, but it would involve using a web server other than the one baked into the database.
It may or may not make sense to do it, though. I'm not a licensing expert, but separating things out may have a cost impact.
In short, to separate it on to different machines, just install the database on one machine and the Web Server (Oracle http server based on Apache) on another.
Anton
Thank you for the example.
I have one further question:
Can I set up digital certificate auth for my Apex 3.0 App users in similar way? Did anyone succeed in doing it?
I would like to do it in a way, similar to the one described in the following article:
OpenSSL user authentication with Apache using x.509 certificates on smart cards
www.opensc-project.org/files/doc/apache-client-authentication(v0.5.1).pdf
Best,
Pete
Pete,
I gave a quick read through the document. I suspect you could do this, but I have not tried it. The Apache server used with Apex is based on v1.3, but I think most of what is in the doc should work.
Let me know if you go through the steps.
Anton
Hello!
I tried to follow through all these steps, and it doesn't work.
Can you describe these lines in more detail:
"Also, the apachectl file will need to be owned by root (located in $ORACLE_HOME/Apache/Apache/bin/). Same requirement as running on Port 80."
Maybe this one cause my problems.
Best Regards, Kostya Proskudin.
Kostya,
I just updated the post to describe how to run Apache on ports below 1024. Hope this helps.
Anton
Hello,
I'm referring to the posting from Jeff Perry.
I read the mentioned how-to but there is no comment on using LDAP over SSL. But that's what I'm also interested in.
Thanks in advance,
Ingo
On the basis of your post, I created my own post, which discusses user authentication and how to create your own certificates.
http://proskudin.blogspot.com/2007/06/authentification-using-client-ssl.html
I've set up SSL authentication on Oracle Apache. The problem is that I couldn't find a way to transfer the properties from the certificate to APEX, so in the end each authenticated user becomes a public user.
Nenad
Nenad,
I'm not sure I understand what you are trying to accomplish. Are you using PKI Certs to establish user identity (that is, to do authentication)? This article does not address authentication, only configuring SSL. Let me know if you are looking for authentication via PKI Certs and I'll try to post something on that topic.
Anton
Hi Anton,
Yes, this is exactly what I would like to do: to identify the user based on his certificate.
I have already configured Apache for two-way SSL, so that each user needs to present a valid certificate signed by a trusted CA in order to get into the application. In the next step I would like to establish the identity of an authenticated user, but it seems that APEX misses an API for accessing the properties of the user certificate.
I'll be grateful for any useful hint!
Nenad Noveljic
Hi,
Do I need to download something for getting Oracle Wallet Manager to work? And what do I need to install?
I am using opensuse 10.2, oracle database 10g and apex 3.0.1.
Thanks for your help.
Regards,
Denise
You do not need to download anything. OWM is part of the companion CD install. The exact commands to start OWM are in the post above. Let me know if you try those and have a problem.
Anton
Hi,
Thank you very much for your answer.
I am using Opensuse 10.2, Oracle database XE 10g and APEX 3.0.1.
I have tried to install the HTTP Server from the companion cd. And it said this is not made for my operating system. I would have to use another system to get that to work.
I have not tried it with the other things available on the cd. But do you know whether it is the same? That e.g. I cannot use the OWM because I don't have the 'right' operating system?
Denise,
I don't know anything specific about openSUSE. I am running SuSE on the server that I used to create these instructions. To do any of this you need an Oracle HTTP server, either from 10g Application Server or from the 10g Companion CD. If you can't get either of those to install you won't be able to get this to work.
Anton
Denise,
You might want to try adding -ignoreSysPrereqs when launching the OUI installer, it should skip the OS test
Anton
Your post was very useful along with other posts that I referred. I've compiled a page for those who would want to look at how to configure a "Self-Signed Certificate for Oracle Application Express with Oracle AS 10.1.2 on Windows 2003". It can be found at http://kannankumara.blogspot.com/2008/02/self-signed-certificate-for-oracle-as.html
I just installed Oracle XE 10.2.0, and it does not seem to include OWM. Can anyone confirm this? OWM is nowhere to be found. bummer!
Anton,
I've configured an Oracle HTTP Server 10.1.2 with SSL.
This configuration can be run from Mozilla browsers and Opera, but not from Internet Explorer.
What I found from Apache's error_log.xxxx is
error mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29014 (server ---.---.com:4443, client --.--.--.--)
error mod_ossl: Unknown error
error mod_ossl: SSL call to NZ function nzos_Handshake failed with error 28864 (server ---.---.com:4443, client --.--.--.--)
error mod_ossl: SSL IO error Hint: the client stop the connection unexpectedly
So I looked in the Metalink and found Note:312041.1 and applied patch 4960210 and restart the server. But now it wouldn't start at all, despite that all configuration files were not changed.
Any help would be greatly appreciated.
Berbiji,
I'm afraid I would need a lot more info or access to your server to troubleshoot this. I have applied this patchset many times without issues. I have run in to this very error, and the patch may or may not solve it.
One possibility is that you have a 10g database on the same box and that you have an ons port conflict. If you have a database on the box, try rebooting and not bringing up the db listener. See if things work with that off.
The next thing to do is get the patch installed properly and get everything running with the patch but without SSL. Then try to put in SSL. If you don't have a lot invested in the setup, just uninstall everything and install the latest version and the patch. See if you can get that running, then try to add in SSL.
If that does not work, respond to this with the following:
Operating System and version
Exact versions of all Oracle software on the server
SSL Configuration steps
Certificate provider and type of cert
Anton, what if I have a different database box? would that step be different?
Thanks
Hi
I have a little problem. I didn't install OAS or anything else on my ORACLE 11g and the directory $ORACLE_HOME/Apache doesn't exist. I know I have an Apache and SSL installed because I access EM through https, but I don't know where it is, and like I said I can't complete all the steps described in your guide.
I'm working with APEX included in the Enterprise Edition of ORACLE 11g and currently i access to the apps via http
Please send me an idea.
Thanks.
Yo,
Your EM webserver is not the same one you use to access APEX. You are probably using the embedded pl/sql gateway (EPG). It depends on how you installed things. I don't use the EPG often and I'm not sure if you can set up SSL with the EPG. I suggest you check your install log ($ORACLE_HOME/install) and see if it lists an OHS install and port. If not, you may want to consider running the OHS install and using that. If you want personal assistance you can click the C2 Consulting link and send a message or call 1-617-639-0232 and someone will set you up with a consultant. I'm pretty busy these days, but there are other folks that can help you. Not to be too promotional, but C2 can also help you get started building APEX apps. Just give a call or drop a message.
Anton
OK
Thanks a lot.
In fact I'm already developing apps, I just need to configure it to use SSL. I'm going to do what you suggest.
Thanks again Anton.
Hi Anton,
my customer has an Oracle Apache Standalone 9.0.4.0.0 installed. Now i have done the switch to SSL like your Blog entry and the Blog entry of Kannan Kumara. The SSL works fine with APEX and the Firefox browser. But with IE 7 i get the error 'Can't show the Site'.
In the following files I can see errors independent of IE or Firefox. It seems that Firefox can ignore these errors.
In the file access_log: "GET /pls/lpt01/f?p=lpwav:1 HTTP/1.1" 401 494
In the ssl_request_log: SSLv3 SSL_RSA_WITH_RC4_128_MD5 "GET /pls/lpt01/f?p=lpwav:1 HTTP/1.1" 494
Can you imagine what's wrong ?
Best regards
Martin