15 Enabling SSL or TLS or ECC in Oracle Apps R12.2

Apply the necessary patches for TLS 1.2 listed in the document below:

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
5.1 Apply Required Updates and Patches

#SSL/TLS

adop phase=apply patches=27014303,22326911,22522877

#ECC

adop phase=apply patches=35302518,36539557,35921578,36527716,35921500,35921608,35921575,33377862,35921498,34617743,36279972,35045912,32379321,33282888,33828966,36245474,35059202,35680702,35625136,36167205,35573606,36440950,31054002,35211868,31604775,36214549,35088899,35135853,36032743,36553308,36032764,36032714,36032737,36032663


Stop the Application 

cd $ADMIN_SCRIPTS_HOME
sh adstpall.sh apps/apps

15.1 Create a Wallet and Generate CSR file

. /u01/app/FBS/EBSapps.env run
 
cd /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache
export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
alias orapki=$FMW_HOME/oracle_common/bin/orapki
 
orapki wallet create -wallet . -auto_login -pwd K0Junga#

orapki wallet add -wallet . -dn "CN=ebstest.finsys.co.ke, OU=IT, O=Finsys,L=Nairobi,ST=Nairobi,C=KE" -keysize 2048 -sign_alg sha256 -self_signed -validity 3650 -pwd K0Junga#

orapki wallet export -wallet . -dn "CN=ebstest.finsys.co.ke,OU=IT,O=Finsys,L=Nairobi,ST=Nairobi,C=KE" -cert server.crt -pwd K0Junga#

15.2 Submit the Certificate Request to a Certificate Authority

cd /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache
DN="CN=ebstest.finsys.co.ke,OU=IT,O=Finsys,L=Nairobi,ST=Nairobi,C=KE"
orapki wallet export -wallet ./ -dn "$DN" -request server.csr

Submit the CSR generated above to the Certificate Authority to issue the digital certificates.

15.3 Import the Server Certificate to the Wallet

Upload the certificates received from the Certificate Authority to a directory:

cd /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache

mv TrustedRoot.crt ca.crt
mv DigiCertCA.crt intca.crt
mv devdb_nci_com_sa.crt server.crt

15.4 Import any root and intermediate certificates into the wallet

orapki wallet add -wallet ./ -trusted_cert -cert ca.crt -auto_login_only
orapki wallet add -wallet ./ -trusted_cert -cert intca.crt -auto_login_only
orapki wallet add -wallet ./ -user_cert -cert server.crt -auto_login_only


15.5 Modify the Oracle HTTP Server Wallet

cd /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default

mkdir bak_sso_14_Apr_2025
mv cwallet.sso cwallet.sso.lck  bak_sso_14_Apr_2025/

cp /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/cwallet.sso* /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default

15.6 Modify the OPMN Wallet and Configure the Cipher Suites

cd /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet

mkdir bak_sso_14_Apr_2025
mv cwallet.sso cwallet.sso.lck  bak_sso_14_Apr_2025/

cp /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/cwallet.sso* /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet

15.7 Modify the Oracle Fusion Middleware Wallets

cd /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/proxy-wallet
mkdir bak_sso_14_Apr_2025
mv cwallet.sso cwallet.sso.lck  bak_sso_14_Apr_2025/

cp /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/cwallet.sso* /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/proxy-wallet
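
The three copy steps in 15.5 to 15.7 can be checked afterwards with a script like the following. This is an added example, not part of the original post: the function name and the demo directory tree are assumptions, and the wallet contents are constructed dummy bytes. It confirms that each destination cwallet.sso is byte-identical to the source and is not accessible to other OS users, since an auto-login wallet opens without a password.

```shell
#!/bin/sh
# Added example: confirm every cwallet.sso copy matches the source wallet.

# Usage: verify_wallet_copies SOURCE_DIR DEST_DIR...
# Returns 0 only if each DEST_DIR/cwallet.sso is byte-identical to the
# source and is neither readable nor writable by "other".
verify_wallet_copies() {
    src=$1/cwallet.sso; shift
    [ -f "$src" ] || { echo "MISSING  $src"; return 2; }
    rc=0
    for dir in "$@"; do
        copy=$dir/cwallet.sso
        if [ ! -f "$copy" ]; then
            echo "MISSING  $copy"; rc=1
        elif ! cmp -s "$src" "$copy"; then
            echo "DIFFERS  $copy"; rc=1
        elif [ -n "$(find "$copy" \( -perm -004 -o -perm -002 \))" ]; then
            echo "EXPOSED  $copy (accessible by other users)"; rc=1
        else
            echo "ok       $copy"
        fi
    done
    return $rc
}

# Constructed demo tree standing in for the Apache, keystores/default,
# OPMN wallet and proxy-wallet directories (contents are dummy bytes).
t=$(mktemp -d)
mkdir "$t/Apache" "$t/default" "$t/opmn_wallet" "$t/proxy-wallet"
printf 'constructed-wallet-bytes' > "$t/Apache/cwallet.sso"
cp "$t/Apache/cwallet.sso" "$t/default/"
cp "$t/Apache/cwallet.sso" "$t/opmn_wallet/"
printf 'stale-wallet-bytes' > "$t/proxy-wallet/cwallet.sso"   # simulates a missed copy
chmod 600 "$t"/*/cwallet.sso

verify_wallet_copies "$t/Apache" "$t/default" "$t/opmn_wallet" "$t/proxy-wallet" || true
```

On a real system, pass the certs/Apache directory as the first argument and the keystores/default, OPMN wallet and proxy-wallet directories as the rest.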

15.8 Add the CA to the Internet Certificates File

. /u01/app/FBS/EBSapps.env run

echo $ORACLE_HOME/sysman/config
/u01/app/FBS/fs1/EBSapps/10.1.2/sysman/config

cd /u01/app/FBS/fs1/EBSapps/10.1.2/sysman/config
cp b64InternetCertificate.txt b64InternetCertificate.txt_bk

cd /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache
cat ca.crt >> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt

15.9 Configure the OPMN Cipher Suites

cd /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn
cp opmn.xml opmn.xml_bk
vi opmn.xml

Find "ssl enabled"

Change
<ssl enabled="true" wallet-file="/u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_GCM_SHA256"/>
TO
<ssl enabled="true" wallet-file="/u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>

15.10 Edit the admin.conf File

cd /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web
cp admin.conf admin.conf_bk
vi admin.conf

Find SSLCipherSuite

Change
SSLCipherSuite HIGH:MEDIUM
SSLProtocol TLSv1.2

TO

SSLCipherSuite HIGH:MEDIUM
SSLProtocol TLSv1 TLSv1.1 TLSv1.2

15.11 Edit SSL configuration File

cd /u01/app/FBS/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web
cp ssl.conf ssl.conf_bk
vi ssl.conf

Change
SSLProtocol TLSv1.2
TO
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
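
After editing opmn.xml, admin.conf and ssl.conf (15.9 to 15.11), a script like the following reports which protocol versions each file actually enables and flags anything older than TLS 1.2. This is an added example, not part of the original post: the function names are assumptions and the sample files are constructed to mirror the "before" and "after" settings shown above.

```shell
#!/bin/sh
# Added example: report TLS protocol versions enabled in OHS/OPMN config files.

# Print one enabled protocol token per line for a config file. Handles the
# Apache "SSLProtocol ..." directive (ssl.conf, admin.conf) and the
# ssl-versions="..." attribute in opmn.xml. "-TLSv1" style tokens are
# treated as disabled; commented-out directives are ignored.
enabled_protocols() {
    {
        sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' "$1"
        sed -n 's/.*ssl-versions="\([^"]*\)".*/\1/p' "$1"
    } | tr ', \t' '\n\n\n' | sed -e '/^$/d' -e '/^-/d' -e 's/^+//' | sort -u
}

# Print a line per protocol; return 1 if any file enables a pre-1.2 protocol.
audit_tls_config() {
    rc=0
    for file in "$@"; do
        for proto in $(enabled_protocols "$file"); do
            case $proto in
                all|SSLv2|SSLv3|TLSv1|TLSv1.0|TLSv1.1)
                    echo "LEGACY $file: $proto"; rc=1 ;;
                *)  echo "ok     $file: $proto" ;;
            esac
        done
    done
    return $rc
}

# Constructed sample files mirroring the "before" and "after" settings above.
demo=$(mktemp -d)
printf 'SSLCipherSuite HIGH:MEDIUM\nSSLProtocol TLSv1.2\n' > "$demo/ssl_before.conf"
printf 'SSLCipherSuite HIGH:MEDIUM\nSSLProtocol TLSv1 TLSv1.1 TLSv1.2\n' > "$demo/ssl_after.conf"
printf '<ssl enabled="true" wallet-file="/constructed/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"/>\n' > "$demo/opmn_after.xml"

audit_tls_config "$demo/ssl_before.conf" "$demo/ssl_after.conf" "$demo/opmn_after.xml" || true
```

Run it against the real opmn.xml, admin.conf and ssl.conf to record exactly which legacy versions the change leaves enabled, so they can be removed again once every client supports TLS 1.2.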

15.12 Start Weblogic Admin server

. /u01/app/FBS/EBSapps.env run
cd $ADMIN_SCRIPTS_HOME
sh adadminsrvctl.sh start

15.13 Login the Weblogic console and change following configuration

1) Click on Lock & Edit.
2) Under Domain Structure > your Oracle E-Business Suite domain > Environment and Servers, select one of the managed servers.
   (Note that you will need to repeat this for all managed servers in your environment.)
Then under the Server Start tab in the Arguments section, add the following:
-DUseSunHttpHandler=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

15.14 Redeploy NonJ2EEManagement Application

As part of the patching process in this step, set the $ORACLE_HOME to point to either the $FMW_HOME/oracle_common directory, or the $FMW_HOME/webtier directory. Refer to the individual patch readme files to set accordingly.

Patch 20429551 provides the updated orapki utility needed to support SHA2 certificate requests.

It is safe to roll back Patch 25072950 in the case of a conflict.

After applying Patch 26045188, remove the NonJ2EEManagement deployment from the WebLogic Console and then proceed with redeployment by performing the following steps:

  1. Navigate to the WebLogic Server Admin Console at http://<s_wls_admin_host>.<s_wls_admin_domain>:<s_wls_admin port>/console and derive context variable values using either the run or patch edition context file, dependent on your current patching state.
  2. From the Domain Structure panel, navigate to Deployments.
  3. Locate in the list of deployments NonJ2EEManagement (11.1.1).
  4. Stop the application “NonJ2EEManagement (11.1.1)”.
  5. In the Change Center panel, click Lock & Edit.
  6. Select the checkbox beside the deployed application NonJ2EEManagement (11.1.1).
  7. Delete the NonJ2EEManagement (11.1.1) application.
  8. Click Activate Changes.
  9. Navigate to $FMW_HOME and source the SetWebtier.env file.
  10. Redeploy the $ORACLE_HOME/opmn/applications/NonJ2EEManagement.ear file delivered by this patch:

$ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost <ADMINSERVER_HOST> -adminPort <ADMINSERVER_PORT>

 

Once you've performed the above, redeploy the NonJ2EEManagement application as follows:

cd $FMW_HOME
. ./SetWebtier.env
$ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost ebstest.finsys.co.ke -adminPort 7011

perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

Stop the Weblogic Services:

sh adadminsrvctl.sh stop

15.15 Import Certificates in CACERTS files

cd /u01/app/FBS/fs1/EBSapps/comn/util/jdk64/jre/lib/security
chmod u+w cacerts

When prompted, enter the keystore password (the default password is "changeit").

keytool -import -alias OHSRootCA -file /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/server.crt -trustcacerts -v -keystore ./cacerts -storepass changeit
chmod u-w cacerts


cd /u01/app/FBS/fs1/EBSapps/comn/util/jdk32/jre/lib/security

chmod u+w cacerts
keytool -import -alias OHSRootCA -file /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file /u01/app/FBS/fs_ne/inst/FBS_ebstest/certs/Apache/server.crt -trustcacerts -v -keystore ./cacerts -storepass changeit
chmod u-w cacerts

15.16 Change Following Variables in the Context File

. /u01/app/FBS/EBSapps.env run
echo $CONTEXT_FILE
/u01/app/FBS/fs1/inst/apps/DEVDB_devdb/appl/admin/FBS_ebstes.xml
cd /u01/app/FBS/fs1/inst/apps/FBS_ebstes/appl/admin
cp DEVDB_devdb.xml DEVDB_devdb.xml_bk

vi DEVDB_devdb.xml

Change below Context Variables:

s_url_protocol           https
s_local_url_protocol     https
s_webentryurlprotocol    https
s_active_webport         4453
s_webssl_port            4453
s_https_listen_parameter 4453
s_login_page             https://ebstest.finsys.co.ke.sa:4453/OA_HTML/AppsLogin
s_external_url           https://ebstest.finsys.co.ke:4453

15.17 Run Autoconfig on Application

cd $ADMIN_SCRIPTS_HOME
adautocfg.sh

vi /u01/app/FBS/fs1/FMW_Home/user_projects/domains/EBS_domain/config/config.xml

change
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
to
<connection-filter-rule>0.0.0.0/0 * * allow</connection-filter-rule>

15.18 Synchronization Between Run and Patch File Systems

vi $APPL_TOP_NE/ad/custom/adop_sync.drv

#SSL SECTION - START
# Required for SSL setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.

#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso

#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso

#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

#JDK keystore
rsync -zr --include=jdk* --include=jdk*/jre --include=jdk*/jre/lib --include=jdk*/jre/lib/security --include=cacerts --exclude=* %s_current_base%/EBSapps/comn/util/ %s_other_base%/EBSapps/comn/util/
#SSL SECTION - END

:wq!

15.19 Start the Application Services

cd $ADMIN_SCRIPTS_HOME
sh adstrtall.sh apps/apps

15.20 Run FS_CLONE

adop phase=fs_clone



Reference:

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
