How to enable SSL and TLS 1.2 in Oracle E-Business Suite Release 12.2

Mohsin Ali
Dec 13, 2023


This document details the steps for enabling SSL/TLS 1.2 in Oracle E-Business Suite Release 12.2.x.

Prerequisites:

Apply the patches required for TLS 1.2 listed in the following document:

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
5.1 Apply Required Updates and Patches

Stop the Application Services:

cd $ADMIN_SCRIPTS_HOME
sh adstpall.sh apps/apps

1) Create a Wallet and Generate the CSR File:

. /u01/app/oracle/DEVDB/EBSapps.env run 

cd /u01/walletnew
export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
alias orapki=$FMW_HOME/oracle_common/bin/orapki

orapki wallet create -wallet ./ -auto_login_only
export DN='CN=test.domain.com.sa,O=TEST Investments Company,L=Riyadh,ST=Riyadh,C=SA'

orapki wallet add -wallet ./ -dn "$DN" -asym_alg RSA -keysize 2048 -sign_alg sha256 -validity 365 -auto_login_only

export DN='CN=test.domain.com.sa,O=TEST Investments Company,L=Riyadh,ST=Riyadh,C=SA'

2) Submit the Certificate Request to a Certificate Authority:

cd /u01/walletnew
orapki wallet export -wallet ./ -dn "$DN" -request server.csr

In my case I am using DigiCert certificates.

Submit the CSR generated above to the Certificate Authority, which will issue the digital certificates.

3) Import the Server Certificate to the Wallet:

Upload the certificates received from the Certificate Authority to a directory:

cd /u01/walletnew

mv TrustedRoot.crt ca.crt
mv DigiCertCA.crt intca.crt
mv devdb_nci_com_sa.crt server.crt

4) Import any root and intermediate certificates into the wallet:

orapki wallet add -wallet ./ -trusted_cert -cert ca.crt -auto_login_only
orapki wallet add -wallet ./ -trusted_cert -cert intca.crt -auto_login_only
orapki wallet add -wallet ./ -user_cert -cert server.crt -auto_login_only

5) Modify the Oracle HTTP Server Wallet:

cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default

mkdir bkp-31Aug2023
mv cwallet.sso cwallet.sso.lck bkp-31Aug2023/

cp /u01/walletnew/cwallet.sso* /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/keystores/default

6) Modify the OPMN Wallet and Configure the Cipher Suites:

cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet

mkdir bkp-31Aug2023
mv cwallet.sso cwallet.sso.lck bkp-31Aug2023/

cp /u01/walletnew/cwallet.sso* /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet

7) Modify the Oracle Fusion Middleware Wallets:

cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/proxy-wallet
mkdir bkp-31Aug2023
mv cwallet.sso cwallet.sso.lck bkp-31Aug2023/

cp /u01/walletnew/cwallet.sso* /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web/proxy-wallet

8) Add the CA Certificate to b64InternetCertificate.txt:

. /u01/app/oracle/DEVDB/EBSapps.env run

echo $ORACLE_HOME/sysman/config
/u01/app/oracle/DEVDB/fs1/EBSapps/10.1.2/sysman/config

cd /u01/app/oracle/DEVDB/fs1/EBSapps/10.1.2/sysman/config
cp b64InternetCertificate.txt b64InternetCertificate.txt_bk

cd /u01/walletnew
cat ca.crt >> $ORACLE_HOME/sysman/config/b64InternetCertificate.txt

9) Configure the OPMN Cipher Suites:

cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn
cp opmn.xml opmn.xml_bk
vi opmn.xml

find "ssl enabled"
Change
<ssl enabled="true" wallet-file="/u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_GCM_SHA256"/>
TO
<ssl enabled="true" wallet-file="/u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OPMN/opmn/wallet" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2" ssl-ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"/>

10) Edit the admin.conf File:

cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web
cp admin.conf admin.conf_bk
vi admin.conf

find SSLCipherSuite

Change
SSLCipherSuite HIGH:MEDIUM
SSLProtocol TLSv1.2

TO

SSLCipherSuite HIGH:MEDIUM
SSLProtocol TLSv1 TLSv1.1 TLSv1.2

11) Edit SSL configuration File:

cd /u01/app/oracle/DEVDB/fs1/FMW_Home/webtier/instances/EBS_web_OHS1/config/OHS/EBS_web
cp ssl.conf ssl.conf_bk
vi ssl.conf

Change
SSLProtocol TLSv1.2
TO
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
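
A configuration check for steps 9 to 11, added here as an example and not part of the original post: it reads the protocol settings from opmn.xml, admin.conf and ssl.conf and reports, per file, whether only TLSv1.2 is enabled or whether TLS 1.0/1.1 are enabled as well, as they are with the "TO" values shown above. The function names are assumptions, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): report the protocol versions
# that opmn.xml, admin.conf and ssl.conf enable after steps 9-11.

# Print the normalized, comma-separated protocol list found in one file.
tls_versions_in() {
    {
        # Apache-style directive (admin.conf, ssl.conf); commented lines are skipped.
        sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}//p' "$1"
        # opmn.xml attribute, e.g. ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"
        sed -n 's/.*ssl-versions="\([^"]*\)".*/\1/p' "$1"
    } | tr ', \t' '\n\n\n' | sed '/^$/d; s/^TLSv1$/TLSv1.0/' | sort -u | paste -sd, -
}

# One status line per file; returns 1 unless every file enables TLSv1.2 only.
audit_tls() {
    local rc=0 file versions
    for file in "$@"; do
        versions=$(tls_versions_in "$file")
        case $versions in
            TLSv1.2) echo "TLS1.2-ONLY  $file" ;;
            "")      echo "NO-SETTING   $file"; rc=1 ;;
            *)       echo "MIXED        $file ($versions)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample files carrying the "TO" values from steps 9-11.
demo() {
    local dir
    dir=$(mktemp -d)
    echo '<ssl enabled="true" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"/>' > "$dir/opmn.xml"
    printf 'SSLCipherSuite HIGH:MEDIUM\nSSLProtocol TLSv1 TLSv1.1 TLSv1.2\n' > "$dir/admin.conf"
    printf '# SSLProtocol SSLv3\nSSLProtocol TLSv1 TLSv1.1 TLSv1.2\n' > "$dir/ssl.conf"
    audit_tls "$dir/opmn.xml" "$dir/admin.conf" "$dir/ssl.conf" || true
    rm -rf "$dir"
}
demo
```

To check a real instance, call audit_tls with the opmn.xml, admin.conf and ssl.conf paths from steps 9 to 11; a non-zero return means at least one file enables more than TLSv1.2 or has no protocol setting.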

12) Start Weblogic Admin server:

. /u01/app/oracle/DEVDB/EBSapps.env run
cd $ADMIN_SCRIPTS_HOME
sh adadminsrvctl.sh start

13) Log in to the WebLogic console and change the following configuration:

1) Click on Lock & Edit.
2) Under Domain Structure > your Oracle E-Business Suite domain >
Environment and Servers, select one of the managed servers.
(Note that you will need to repeat this for all managed servers in your environment.)
Then under the Server Start tab in the Arguments section, add the following:
-DUseSunHttpHandler=true -Dhttps.protocols=TLSv1.2

14) Redeploy the NonJ2EEmanagement Application:

Once you have performed the above, redeploy the NonJ2EEmanagement application as follows:

cd $FMW_HOME
. SetWebtier.env
$ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost test.domain.com.sa -adminPort 7001

perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

Stop the Weblogic Services:

cd $ADMIN_SCRIPTS_HOME
sh adadminsrvctl.sh stop

15) Import Certificates into the cacerts Files:

When prompted, enter the keystore password (the default password is "changeit").

# cacerts is a file, so change to the directory that contains it
cd /u01/app/oracle/DEVDB/fs1/EBSapps/comn/util/jdk64/jre/lib/security
chmod u+w cacerts

# the certificate files are in /u01/walletnew (step 3)
keytool -import -alias OHSRootCA -file /u01/walletnew/ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file /u01/walletnew/intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file /u01/walletnew/server.crt -trustcacerts -v -keystore cacerts
chmod u-w cacerts

# repeat for the 32-bit JDK keystore
cd /u01/app/oracle/DEVDB/fs1/EBSapps/comn/util/jdk32/jre/lib/security

chmod u+w cacerts
keytool -import -alias OHSRootCA -file /u01/walletnew/ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSIntCA -file /u01/walletnew/intca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias OHSServer -file /u01/walletnew/server.crt -trustcacerts -v -keystore cacerts
chmod u-w cacerts

16) Change the Following Variables in the Context File:

. /u01/app/oracle/DEVDB/EBSapps.env run
echo $CONTEXT_FILE
/u01/app/oracle/DEVDB/fs1/inst/apps/DEVDB_devdb/appl/admin/DEVDB_devdb.xml
cd /u01/app/oracle/DEVDB/fs1/inst/apps/DEVDB_devdb/appl/admin
cp DEVDB_devdb.xml DEVDB_devdb.xml_bk

vi DEVDB_devdb.xml

Change the context variables below:

s_url_protocol https
s_local_url_protocol https
s_webentryurlprotocol https
s_active_webport 4443
s_webssl_port 4443
s_https_listen_parameter 4443
s_login_page https://test.domain.com.sa:4443/OA_HTML/AppsLogin
s_external_url https://test.domain.com.sa:4443

17) Run Autoconfig on Application:

cd $ADMIN_SCRIPTS_HOME
adautocfg.sh

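After AutoConfig completes, edit the WebLogic domain configuration file:

vi /u01/app/oracle/DEVDB/fs1/FMW_Home/user_projects/domains/EBS_domain/config/config.xml

Change the connection filter rule (the new rule accepts connections from any source address):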
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
to
<connection-filter-rule>0.0.0.0/0 * * allow</connection-filter-rule>

18) Synchronization Between Run and Patch File Systems:

vi $APPL_TOP_NE/ad/custom/adop_sync.drv

Add the following section to the file:

#SSL SECTION - START
# Required for SSL setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax.

#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso

#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso

#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso

#JDK keystore
rsync -zr --include=jdk* --include=jdk*/jre --include=jdk*/jre/lib --include=jdk*/jre/lib/security --include=cacerts --exclude=* %s_current_base%/EBSapps/comn/util/ %s_other_base%/EBSapps/comn/util/
#SSL SECTION - END

:wq!

19) Start the Application Services:

cd $ADMIN_SCRIPTS_HOME
sh adstrtall.sh apps/apps

20) Run FS_CLONE:

adop phase=fs_clone
