R12: SSL in multinode EBS

Hi Everyone,

Good piece of information. You may review the previous SSL post:
http://applicationsdba.blogspot.com/2008/01/what-is-new-in-r12-ssl.html
When you have multiple middle tiers and enable SSL, you have to request the certificate for the common URL host, even though it is virtual.



In the above sample configuration, appstier1 and appstier2 are middle tier hosts running OHS and OC4Js. You will NOT request SSL certificates from the certificate authority for appstier1 and appstier2. Instead, you will request a certificate for store.company.com !! :)
You will then import the certificate of store.company.com into the appstier1.company.com and appstier2.company.com middle tiers.
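
A way to check the result on each middle tier, as an added example that is not part of the original post: the audit compares the names in each tier's certificate with the common URL host, which is the name a browser validates. The function names, port 443 and the sample certificate dictionaries are assumptions constructed for illustration.

```python
import socket
import ssl

PUBLIC_HOST = "store.company.com"  # common URL host from the post
# Constructed sample data in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERTS = {
    "appstier1.company.com": {"subject": ((("commonName", "store.company.com"),),)},
    "appstier2.company.com": {"subject": ((("commonName", "appstier2.company.com"),),)},
}

def cert_dns_names(cert):
    """DNS names a client would compare against the URL host."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist, the subject CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers only the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, public_host):
    return any(name_matches(n, public_host) for n in cert_dns_names(cert))

def audit(certs, public_host):
    """Map each middle tier to True if its certificate covers the common host."""
    return {tier: covers(cert, public_host) for tier, cert in certs.items()}

def fetch_tier_cert(tier_host, public_host, port=443, timeout=5):
    """Connect to one tier directly but send the common host as SNI.
    The chain is still verified; the name check is left to covers() so a
    mismatch is reported per tier instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # audit only: covers() performs the name check
    with socket.create_connection((tier_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=public_host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for tier, ok in audit(SAMPLE_CERTS, PUBLIC_HOST).items():
        print(f"{tier}: {'OK' if ok else 'MISMATCH'} for {PUBLIC_HOST}")
```

Against live tiers, build the input with `{t: fetch_tier_cert(t, PUBLIC_HOST) for t in tiers}` and pass it to `audit`.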

SSL related notes for reference:

376694.1 Using the Oracle Wallet Manager Command Line Interface in Release 12
376700.1 Enabling SSL in Release 12

As usual leave your comments!!

23 comments:

Anonymous said...

This is a very simple way to explain SSL certificate implementation.
Thanks Suresh.

Nikhil Mistry

Suresh Lakshmanan said...

Thank you Nikhil.

Sibusiso Maphalala said...

Hi

How are you doing? My name is Sibusiso, I'm an apps DBA based in South Africa.
I need your help with configuring SSL on Discoverer.
The SSL was configured successfully on E-bus and now we need it to work on Discoverer
so that we will be able to view Discoverer from E-bus.
I was able to start Discoverer on SSL but now the problem is when we access the
URL we get a certificate error. The certificate (which was already there) that's being read by the wallet
manager is the wrong one, which we have removed, but for some funny reason it
still reads it.
The default directory for the wallet manager that we copied the certificates from E-Bus $APACHE_TOP/apache/conf is
/pruj1i/oracle/BIHome/webcache/wallets/default.

I trust that you will be able to help

Thanks

Suresh Lakshmanan said...

Hi Sibusiso,

Here are a few Metalink note IDs which may help you.
340178.1 - section 7.
338071.1
What is the error message?

suresh

Sibusiso Maphalala said...

Hi Suresh,

When we log on using the URL it throws a certificate error. When I click
on the certificate I see that the wallet uses the wrong certificate (the one that was in
the default directory initially) which we removed. How can I get the wallet to use the certificates that we imported using the wallet manager, which are server.crt and ca.crt? This certificate is the same as the one that we use for E-bs.

Thanks

Suresh Lakshmanan said...

Hi Sibusiso,

Can you explain the architecture?
Is it single node ebiz with single node Discoverer?
What is the version of ebiz and Disco?
What are the steps you have done so far?
Let me review the steps that you have done. Does the config contain SSO/OID?

Thanks
Suresh

Sibusiso Maphalala said...

Hi Suresh

Yes, it's a single ebiz node with Discoverer on the same server with its own Oracle home.
Ebiz is 11.5.2 and Disco is 10.1.2.3
We followed the Metalink note 338071.1.
The E-bz has SSL configured on it and it works fine.
The problem comes when we want to import the certificate using the wallet manager.
After having imported the SSL certificate (the one used by E-bz), the wallet manager
still reads the default certificate that we had replaced with the E-bz one; that's why we get
a certificate error when we open the URL.
We have imported ca.crt and server.crt into the Oracle Wallet as Trusted Certificates, but
get failures when we try to import the server.crt as a user certificate.

Thanks

Suresh Lakshmanan said...

Hi Maphalala,

Do you have different os unix user for discoverer?
Is it possible to have screen sharing session to understand the issue?

Thanks
Suresh

Sibusiso Maphalala said...

Hi Suresh

sorry for the late response.
The Discoverer and E-bs are both on the same Sun Solaris server.
It is not possible to have a screen sharing session.
The issue is with the certificates; we can't get the certificate to work with the Oracle wallet for Discoverer.
We have a licensed certificate which works fine on E-bus so now we are trying to use the same
certificate by importing it using the Wallet manager.
Have you implemented SSL on Discoverer (10g) that's integrated with E-bs ??

Thanks

Suresh Lakshmanan said...

Hi Sibusiso,

My answers inline.

thanks
Suresh

On Mon, Oct 12, 2009 at 4:39 AM, Sibusiso Maphalala wrote:

Hi Suresh

Sorry for the late response.
The Discoverer and E-bs are both on the same Sun Solaris server. (ok).
It is not possible to have a screen sharing session. ( it will be easy to find the cause :( for me )
The issue is with the certificates; we can't get the certificate to work with the Oracle wallet for Discoverer. (Is the Discoverer working without SSL enabled? i.e. standard Disco working fine?? Do you have SSO/OID installed along with the 10g Disco component as a part of the AS installation?)
We have a licensed certificate which works fine on E-bus so now we are trying to use the same
certificate by importing it using the Wallet manager. (Do you have any virtual host defined for the Apache side? Let me know the URL for Disco and ebiz, and the hostname. Does the host have any canonical/alias name (DNS server side) or /etc/hosts?)
Have you implemented SSL on Discoverer (10g) that's integrated with E-bs ?? (Yes, I have. It's gonna be tough to find the cause being remote without having access to your environment. Probably sharing the screen and explaining the things will help to figure out the fix. I will try my best to find the cause over mails.)

Sibusiso Maphalala said...

This is a BI only install, no OID installed. Only an application layer is installed, no infrastructure. This is not a full Application Server installation.


Hi Suresh

Discoverer works fine on non-ssl.

No aliases in use, URLs are the same except for port numbers.

Integration of Discoverer into EBS works fine. Can configure Discoverer for SSL without a problem, but have issues on using the same certificate as in use by EBS. Found reference on Metalink Note 306653.1 Section 6.6, showing openssl can be used to create a new wallet file (ewallet.p12) and import the Server Certificate, CA Certificate and the private key. This I can do, but the import process asks for a password, and that is supposed to be used to open the wallet. When we try the password we get Invalid Password errors. How do we get around this?

Thanks
Sibusiso

Sibusiso Maphalala said...

Hi Suresh.

I managed to get the certificate working using the chain certificate and importing it through the wallet manager. The Discoverer URL does connect fine now; the problem is only when connecting via Discoverer Plus, it gives an
Applet error. Please see the attached error log. Oracle support has referred me to note 748968.1, which did not solve it.


Thanks

Suresh Lakshmanan said...

Hi Sibusiso,

One of the notes gives this solution. Can you try that?

Note 372158.1
Cause

There were too many Java Plug-ins on the pc which generated conflicts during discoverer jar file download.
Solution

1. Go to PC Windows Control Panel and click on 'Add/Remove Programs' icon;

2. Remove all of the Java Plug-ins;

3. Connect to Discoverer Plus and redownload the java plug-in configured for Discoverer.


Thanks

Suresh

Sibusiso Maphalala said...

Hi Suresh.

Thanks for your help, the Discoverer is working fine now.

Thanks
Have a great one :)

Sibusiso Maphalal said...

Hi Suresh.

I'm facing this issue now with the Disco launcher (the required version of Java, 1.4.2_06, is not the latest and may not contain latest security updates).
Can you please help out.

Thanks

Sibusiso Maphalala said...

Hi Suresh

I managed to fix the problem.

Thanks

Anonymous said...

Hi Suresh,
I have been reading on using a hardware load balancer for HTTP load balancing with R12. One comment I read relates to the use of HTTPS in a hardware load balancer; it said the load balancer may not be able to read the content of the request because it is encrypted and therefore doesn't know where to forward the request to. In this scenario, a reverse proxy is deployed between the load balancer and the Apps tier to decrypt the request. Do you have similar experience on using HTTPS with a hardware load balancer?

Anonymous said...

Dear Suresh,

Please advise what to check and where to check?

We are on Apps 11.5.10.2 (RDBMS 10.2.0.4)

We are using Socket Mode with https on intranet.
We tried to failover to Physical Standby Database.

we are hitting this error-->

FRM-92050:Failed to connect to the server: app.server.btc:9000
Details...
java exception

java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: SSLConnectionClosedGraceful

at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)

at oracle.forms.net.HTTPSStream.connect(Unknown Source)
==================================

Our values of parameters are
OA_HTML/bin/appsweb.cfg --> Parameter serverURL= (no Value)

In xml file parameter s_forms_servlet_serverurl (value is blank)

Would appreciate it if anyone can reply to this.
There is nothing on Metalink regarding this.
Please do not suggest to read Metalink Note 393128.1 - FRM-92050 SSLException SSLConnectionClosedGraceful On SSL Implementation

Suresh Lakshmanan said...

Hi,

Did you run the autoconfig??
You have to run autoconfig.
Check your context XML file is correct, it should be similar to your prod (except server name changes etc).

Suresh

Anonymous said...

Hi Suresh,
Thanks for taking your time to reply me.

1. Yes we have run Autoconfig many times.
2. There are no changes in context.xml except the servername is different.

3. Could you suggest any way to catch this error on our forms/web server, we tried to catch it in listener logfile but no errors as error msg says SSLConnectionClosedGraceful

what is this Graceful ??

Thanks

Suresh Lakshmanan said...

Hi,

I haven't seen this error in my exp. google/metalink searches give quite hits.

Suresh

Sai K Reddy said...

Hi,

In R12, after setting SSL, OAM goes to HTTP instead of HTTPS. What might be the problem?

Sai K Reddy

Suresh Lakshmanan said...

No, in our setup we haven't done multiple imports.