Tuesday, October 31, 2006

Oracle Portal Virtual Host and SSL

I recently ran into an issue where Oracle Portal was presenting the wrong base href in some pages. This was a virtual hosted environment, that is, several machine names point to the same installation of Portal. We had followed the virtual hosting documentation perfectly, and in fact, we had it running for quite some time without any issue. The issue cropped up when we added an additional virtual host.
This additional host was the first one that was not SSL. It took a little while to figure it out, but the solution was to make sure that all of the HTTPS (SSL) virtual hosts appear in the httpd.conf file prior to the first HTTP virtual host. I'm still not sure why this would make a difference, but it solved the problem.
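
The ordering rule above can be checked before a restart. This is an added example, not code from the original post: it assumes a virtual host counts as SSL when its block contains `SSLEngine on` and that the blocks to check are in the file (or files) passed in; the sample configurations and host names are constructed.

```shell
# Added example: report SSL <VirtualHost> blocks that come after a plain-HTTP one.
# Assumption: a vhost is treated as SSL when its block contains "SSLEngine on".
check_vhost_order() {
  awk '
    BEGIN { bad = 0; first_plain = 0; in_vh = 0 }
    { line = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line ~ /^#/ { next }
    line ~ /^<virtualhost[ \t>]/ { in_vh = 1; ssl = 0; start = NR; next }
    in_vh && line ~ /^sslengine[ \t]+on$/ { ssl = 1; next }
    in_vh && line ~ /^<\/virtualhost>/ {
      in_vh = 0
      if (!ssl && !first_plain) first_plain = start
      if (ssl && first_plain) {
        printf "line %d: SSL vhost follows plain-HTTP vhost at line %d\n", start, first_plain
        bad = 1
      }
    }
    END { if (!bad) print "ok"; exit bad }
  ' "$@"
}

# Constructed sample: the plain-HTTP vhost comes first (the ordering that broke base href).
sample_bad_conf() {
cat <<'EOF'
<VirtualHost *:80>
  ServerName plain.example.com
</VirtualHost>
<VirtualHost *:443>
  ServerName secure.example.com
  SSLEngine on
</VirtualHost>
EOF
}

# Constructed sample: SSL vhost first, then the plain-HTTP one.
sample_good_conf() {
cat <<'EOF'
<VirtualHost *:443>
  SSLEngine on
</VirtualHost>
<VirtualHost *:80>
  ServerName plain.example.com
</VirtualHost>
EOF
}

sample_bad_conf | check_vhost_order || true
```

Against a real installation, call it as `check_vhost_order $ORACLE_HOME/Apache/Apache/conf/httpd.conf`; a non-zero exit status means at least one SSL virtual host is out of order.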

Monday, October 30, 2006

Setting Up SSL for Application Express

If you are reading this, you might be interested in this post as well and probably this one.

I'll try to give sufficient info to do this...
All steps are done with ORACLE_HOME set to the middle tier home (Apache, Companion CD home)

1. You need to use Oracle Wallet Manager (OWM) to create a wallet and get it set up.
-- a. set up ORACLE_HOME, etc.
-- b. go to $ORACLE_HOME/bin
-- c. run Oracle Wallet Manager ./owm
-- d. create a new wallet and save in a new directory (e.g. /home/oracle/myWallet/)
-- e. create a certificate request
-- -- i. the common name is the name of the url, for example www.concept2completion.net
-- -- ii. Organizational Unit and Organization are just text associated with your company
-- -- iii. You should spell out the state
-- f. export the request to a text file
-- g. You will need to go to a certificate authority (CA) to get a certificate and paste in the contents of the text file created in (f). I have had problems with both goDaddy and Verisign. I have had good luck with entrust.com and thawte.com
-- h. If you get a trial certificate you will need to get the trial Root Certificate (aka trusted certificate) from the CA. Save it as a text file. Install that into OWM as a trusted cert.
-- i. Now install your cert (from g) in OWM and save.
2. Configure your ssl.conf file, located in $ORACLE_HOME/Apache/Apache/conf
-- a. You can use the default listen and port settings (probably 4443 or 4447) or you can change to 443. If you change to 443, you need to change all occurrences. Also, the apachectl file will need to be owned by root (located in $ORACLE_HOME/Apache/Apache/bin/). This is the same requirement as running on port 80.
-- -- Setting up Apache to run on ports below 1024:
-- -- -- 1. Shut down OHS
-- -- -- 2. Become root
-- -- -- 3. cd $ORACLE_HOME/Apache/Apache/bin
-- -- -- 4. chown root .apachectl
-- -- -- 5. chmod 6750 .apachectl
-- -- -- 6. cd $ORACLE_HOME/Apache/Apache/logs
-- -- -- 7. rm -f *
-- b. Besides the port change, you need to change the location of your wallet and give your wallet password. You can encrypt the password, but I'm not covering that here and now. (See Oracle Support Note 184677.1)
SSLWallet file:/home/oracle/myWallet/
SSLWalletPassword mySuperPW1
-- c. Save ssl.conf
3. Here is the trick. You need to configure OPMN to run in SSL mode. Edit the file opmn.xml (located in $ORACLE_HOME/opmn/conf/)
-- a. under start mode, look for ssl-disabled and change it to ssl-enabled
-- b. Save opmn.xml
4. go to $ORACLE_HOME/opmn/bin and restart
-- a. opmnctl stopall
-- b. opmnctl startall
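
Because step 2b leaves the wallet password in ssl.conf, it is worth auditing the edited files once the restart succeeds. The script below is an added example, not part of the original post: it checks that the SSLWallet directory exists, that neither it nor a password-bearing ssl.conf is world-readable, and that opmn.xml carries ssl-enabled. The function names, the fixture and the shape of the opmn.xml line are assumptions made for the demonstration.

```shell
# Added example: audit the files edited in steps 2 and 3 (not the author's code).
world_readable() {  # true when the "other" read bit is set on $1
  [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

audit_ohs_ssl() {  # usage: audit_ohs_ssl /path/ssl.conf /path/opmn.xml
  ssl_conf=$1; opmn_xml=$2; findings=0
  # "SSLWallet file:/dir/" -> "/dir/"
  wallet=$(awk 'tolower($1) == "sslwallet" { sub(/^file:/, "", $2); print $2; exit }' "$ssl_conf")
  if [ -z "$wallet" ] || [ ! -d "$wallet" ]; then
    echo "FAIL: SSLWallet directory not found: ${wallet:-unset}"; findings=$((findings + 1))
  elif world_readable "$wallet"; then
    echo "WARN: wallet directory is world-readable: $wallet"; findings=$((findings + 1))
  fi
  # SSLWalletPassword is stored in ssl.conf, so that file must not be world-readable.
  if awk 'tolower($1) == "sslwalletpassword" { f = 1 } END { exit !f }' "$ssl_conf" &&
     world_readable "$ssl_conf"; then
    echo "WARN: ssl.conf contains SSLWalletPassword and is world-readable"; findings=$((findings + 1))
  fi
  # Step 3: opmn.xml must carry ssl-enabled, not ssl-disabled.
  if ! grep -q 'ssl-enabled' "$opmn_xml"; then
    echo "FAIL: opmn.xml is not set to ssl-enabled"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo "OK: no findings"
  return "$findings"
}

# Constructed fixture: the post's settings with deliberately loose permissions.
make_sample() {
  mkdir -p "$1/myWallet" && chmod 755 "$1/myWallet"
  printf 'SSLWallet file:%s/myWallet/\nSSLWalletPassword mySuperPW1\n' "$1" > "$1/ssl.conf"
  chmod 644 "$1/ssl.conf"
  # Assumed shape of the start-mode entry; only the ssl-disabled value is from the post.
  printf '<data id="start-mode" value="ssl-disabled"/>\n' > "$1/opmn.xml"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_ohs_ssl "$tmp/ssl.conf" "$tmp/opmn.xml" || echo "findings: $?"
rm -rf "$tmp"
```

The exit status is the number of findings, so the function can gate a deployment script; the fixture produces three, one per check.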

OK, now you are running in SSL. You might want to run everything in SSL, or just some things. To do this, you can set an Apache rewrite rule. Here is an example that will rewrite everything that is in pls/apex to https (assumes you are running on port 443). Edit your httpd.conf file, add the lines below at the end of the file, then run opmnctl stopall and opmnctl startall:
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/pls/apex/(.*)$ https://concept2completion.net/pls/apex/$1 [L,R]

Hope this captures all of the steps. Let me know if this helps.


Thursday, October 19, 2006

Oracle Instant Portal - Public

I recently began playing with OIP a bit more. It has a fun UI, so when my son asked to make a website for his school project I suggested that he use it. I figured it would force me to learn the ins and outs a bit better. Well, I was right.

After getting some content into the site, my son asked to make it available so anyone could see it. I had never even tried it. So, I just tried it. I added PUBLIC to the oip_available_users group in Oracle Internet Directory (OID). Then I added PUBLIC as a view user to the pages I wanted to be public. Seems to make sense, right? It didn't work. After a little poking around I found out that OIP won't allow a page to be public. So, what's the next thing to do? Remove the public user, right? Wrong!

If you use the OIP user management feature to remove a user, it DELETES the user from OID. That, of course, is exactly what I did. I deleted the public user from OID, thereby causing all of my public portal pages to break. I could barely log in.

I did a little research to find a solution. The two solutions I could find were to reinstall, or to try reseeding all of the initial users and then clean up. I did not like either choice. I just created a new user in OID called PUBLIC. Everything has worked since then, but I may yet have issues.

Update: Since this original post I have found that a lot of permissions get lost. You will need to run the script that recreates all of the public permissions on form building, etc. If you run into this, run all the set_user_acl procedures in the /portal30/admin/plsql/wwv/wwvsecd.sql script that reference the PUBLIC user (USER_PUBLIC).