How to enable SSL and TLS 1.2 in Oracle E-Business Suite Release 12.2
This document details the steps for enabling SSL/TLS 1.2 in Oracle E-Business Suite Release 12.2.x
Prerequisites:
Apply the patches required for TLS 1.2 as listed in the following document:
Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
Section 5.1, Apply Required Updates and Patches
Stop the Application Services:
cd $ADMIN_SCRIPTS_HOME
sh adstpall.sh apps/apps
1) Create a Wallet and Generate a CSR File:
. /u01/app/oracle/DEVDB/EBSapps.env run
cd /u01/walletnew
export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
alias orapki=$FMW_HOME/oracle_common/bin/orapki
orapki wallet create -wallet ./ -auto_login_only
export DN='CN=test.domain.com.sa,O=TEST Investments Company,L=Riyadh,ST=Riyadh,C=SA'
orapki wallet add -wallet ./ -dn "$DN" -asym_alg RSA -keysize 2048 -sign_alg sha256 -validity 365 -auto_login_only
2) Submit the Certificate Request to a Certificate Authority:
cd /u01/walletnew
orapki wallet export -wallet ./ -dn "$DN" -request server.csr
In my case I am using DigiCert certificates.
Submit the generated CSR to the certificate authority to issue the digital certificates.
3) Import the Server Certificate to the Wallet:
Copy the certificates received from the CA into the wallet directory and rename them:
cd /u01/walletnew
mv TrustedRoot.crt ca.crt
mv DigiCertCA.crt intca.crt
mv devdb_nci_com_sa.crt server.crt
4) Import the root, intermediate, and server certificates into the wallet:
orapki wallet add -wallet ./ -trusted_cert -cert ca.crt -auto_login_only
orapki wallet add -wallet ./ -trusted_cert -cert intca.crt -auto_login_only
orapki wallet add -wallet ./ -user_cert -cert server.crt -auto_login_only
5) Modify the Oracle HTTP Server Wallet:
cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default
mkdir bkp-31Aug2023
mv cwallet.sso cwallet.sso.lck bkp-31Aug2023/
cp /u01/walletnew/cwallet.sso* /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default
6) Modify the OPMN Wallet and Configure the Cipher Suites:
cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet
mkdir bkp-31Aug2023
mv cwallet.sso cwallet.sso.lck bkp-31Aug2023/
cp /u01/walletnew/cwallet.sso* /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet
7) Modify the Oracle Fusion Middleware Wallets:
cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/proxy-wallet
mkdir bkp-31Aug2023
mv cwallet.sso cwallet.sso.lck bkp-31Aug2023/
cp /u01/walletnew/cwallet.sso* /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/proxy-wallet
8) Add the CA certificate to b64InternetCertificate.txt:
. /u01/app/oracle/DEVDB/EBSapps.env run
echo $ORACLE_HOME/sysman/config
/u01/app/oracle/DEVDB/fs1/EBSapps/10.1.2/sysman/config
cd /u01/app/oracle/DEVDB/fs1/EBSapps/10.1.2/sysman/config
cp b64InternetCertificate.txt b64InternetCertificate.txt_bk
cd /u01/walletnew
cat ca.crt >> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt
9) Configure the OPMN Cipher Suites:
cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn
cp opmn.xml opmn.xml_bk
vi opmn.xml
find "ssl enabled"
Change
<ssl enabled="true" wallet-file="/u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_GCM_SHA256"/>
TO
<ssl enabled="true" wallet-file="/u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>
10) Edit the admin.conf File:
cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web
cp admin.conf admin.conf_bk
vi admin.conf
find SSLCipherSuite
Change
SSLCipherSuite HIGH:MEDIUM
SSLProtocol TLSv1.2
TO
SSLCipherSuite HIGH:MEDIUM
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
11) Edit SSL configuration File:
cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web
cp ssl.conf ssl.conf_bk
vi ssl.conf
Change
SSLProtocol TLSv1.2
TO
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
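The "TO" settings in steps 9 to 11 accept TLS 1.0 and 1.1 alongside TLS 1.2. As an added example that is not part of the original post, the following script parses files in the form shown above (ssl.conf, admin.conf, opmn.xml) and reports which ones still accept a protocol version older than TLS 1.2; the file paths are assumptions and the sample files are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit the protocol settings that
# steps 9-11 edit and report whether TLS 1.0/1.1 (or SSLv3) remain enabled.
# Paths passed to the functions are assumptions; the sample files are constructed.

# Print the SSLProtocol directive value from an OHS conf file (ssl.conf / admin.conf).
# Anchoring at line start skips commented-out copies of the directive.
ohs_protocols() {
    sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$1"
}

# Print the ssl-versions attribute of the <ssl .../> element in opmn.xml.
opmn_versions() {
    sed -n 's/.*ssl-versions="\([^"]*\)".*/\1/p' "$1"
}

# Succeed (exit 0) when a comma- or space-separated protocol list contains a
# version older than TLS 1.2. "TLSv1" alone means TLS 1.0 in OHS syntax.
has_legacy() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -Eq '^(SSLv2|SSLv3|TLSv1|TLSv1\.0|TLSv1\.1)$'
}

# Summarise one file as "legacy", "tls12-only" or "not-set".
audit_file() {
    case "$1" in
        *.xml) list=$(opmn_versions "$1") ;;
        *)     list=$(ohs_protocols "$1") ;;
    esac
    [ -z "$list" ] && { echo not-set; return; }
    if has_legacy "$list"; then echo legacy; else echo tls12-only; fi
}

# Constructed samples mirroring the "Change" and "TO" settings in the post.
SAMPLE_DIR=$(mktemp -d)
printf 'SSLCipherSuite HIGH:MEDIUM\nSSLProtocol TLSv1.2\n' > "$SAMPLE_DIR/before.conf"
printf 'SSLCipherSuite HIGH:MEDIUM\nSSLProtocol TLSv1 TLSv1.1 TLSv1.2\n' > "$SAMPLE_DIR/after.conf"
printf '<ssl enabled="true" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA"/>\n' > "$SAMPLE_DIR/opmn.xml"

for f in "$SAMPLE_DIR"/before.conf "$SAMPLE_DIR"/after.conf "$SAMPLE_DIR"/opmn.xml; do
    echo "$f: $(audit_file "$f")"
done
```

Point audit_file at the real ssl.conf, admin.conf and opmn.xml under the EBS_web_OHS1 instance to check a live configuration.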
12) Start Weblogic Admin server:
. /u01/app/oracle/DEVDB/EBSapps.env run
cd $ADMIN_SCRIPTS_HOME
sh adadminsrvctl.sh start
13) Log in to the WebLogic console and change the following configuration:
1) Click on Lock & Edit.
2) Under Domain Structure > your Oracle E-Business Suite domain >
Environment and Servers, select one of the managed servers.
(Note that you will need to repeat this for all managed servers in your environment.)
Then under the Server Start tab in the Arguments section, add the following:
-DUseSunHttpHandler=true -Dhttps.protocols=TLSv1.2
14) Redeploy the NonJ2EEManagement Application:
Once you have performed the above, redeploy the NonJ2EEManagement application as follows:
cd $FMW_HOME
. SetWebtier.env
$ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost test.domain.com.sa -adminPort 7001
perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Stop the WebLogic Admin Server:
sh adadminsrvctl.sh stop
15) Import the Certificates into the JDK cacerts Keystores:
cd /u01/app/oracle/DEVDB/fs1/EBSapps/comn/util/jdk64/jre/lib/security
chmod u+w cacerts
When prompted, enter the keystore password (the default password is "changeit").
keytool -import -alias OHSRootCA -file /u01/walletnew/ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file /u01/walletnew/intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file /u01/walletnew/server.crt -trustcacerts -v -keystore cacerts
chmod u-w cacerts
cd /u01/app/oracle/DEVDB/fs1/EBSapps/comn/util/jdk32/jre/lib/security
chmod u+w cacerts
keytool -import -alias OHSRootCA -file /u01/walletnew/ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file /u01/walletnew/intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file /u01/walletnew/server.crt -trustcacerts -v -keystore cacerts
chmod u-w cacerts
16) Change the Following Variables in the Context File:
. /u01/app/oracle/DEVDB/EBSapps.env run
echo $CONTEXT_FILE
/u01/app/oracle/DEVDB/fs1/inst/apps/DEVDB_devdb/appl/admin/DEVDB_devdb.xml
cd /u01/app/oracle/DEVDB/fs1/inst/apps/DEVDB_devdb/appl/admin
cp DEVDB_devdb.xml DEVDB_devdb.xml_bk
vi DEVDB_devdb.xml
Set the following context variables:
s_url_protocol https
s_local_url_protocol https
s_webentryurlprotocol https
s_active_webport 4443
s_webssl_port 4443
s_https_listen_parameter 4443
s_login_page https://test.domain.com.sa:4443/OA_HTML/AppsLogin
s_external_url https://test.domain.com.sa:4443
17) Run AutoConfig on the Application Tier:
cd $ADMIN_SCRIPTS_HOME
adautocfg.sh
vi /u01/app/oracle/DEVDB/fs1/FMW_Home/user_projects/domains/EBS_domain/config/config.xml
Change
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
TO
<connection-filter-rule>0.0.0.0/0 * * allow</connection-filter-rule>
18) Synchronize the Run and Patch File Systems:
vi $APPL_TOP_NE/ad/custom/adop_sync.drv
#SSL SECTION - START
# Required for SSL setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.
#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt
#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso
#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso
#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso
#JDK keystore
rsync -zr --include=jdk* --include=jdk*/jre --include=jdk*/jre/lib --include=jdk*/jre/lib/security --include=cacerts --exclude=* %s_current_base%/EBSapps/comn/util/ %s_other_base%/EBSapps/comn/util/
#SSL SECTION - END
:wq!
19) Start the Application Services:
cd $ADMIN_SCRIPTS_HOME
sh adstrtall.sh apps/apps
20) Run fs_clone:
adop phase=fs_clone