How to enable SSL on Weblogic for EBS R12.2

Mohsin Ali
5 min read · Jan 12, 2024


This document shows the steps to enable SSL on WebLogic for EBS R12.2.x. Before enabling SSL on WebLogic you must already have enabled SSL/TLS on Oracle E-Business Suite itself.

Reference Document: Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

Prerequisites:

  1. SSL/TLS enabled on E-Business Suite 12.2 (per the reference document above)
  2. The WebLogic SSL ports opened in the firewall

Set up a WebLogic Server identity keystore:

. /u02/oracle/PREPROD/apps/EBSapps.env run
alias orapki=$FMW_HOME/oracle_common/bin/orapki

mkdir -p $NE_BASE/inst/$CONTEXT_NAME/wlsSSLArtifacts

Copy the existing Oracle wallet file to the wlsSSLArtifacts directory:

Make sure you copy the wallet that already has the SSL certificates (root, intermediate and server) imported into it.

cd /u02/oracle/PREPROD/apps/fs_ne/inst/PREPROD_nawatdev/certs/Apache
cp cwallet.sso $NE_BASE/inst/$CONTEXT_NAME/wlsSSLArtifacts/

cd /u02/oracle/PREPROD/apps/fs2/EBSapps/comn/util/jdk64/jre/lib/security
cp cacerts $NE_BASE/inst/$CONTEXT_NAME/wlsSSLArtifacts/

Make sure the cacerts file you copied has the CA certificates (root and intermediate) imported into it; WebLogic will use it as its trust store.

Convert the Oracle Wallet to a JKS Keystore:

cd $NE_BASE/inst/$CONTEXT_NAME/wlsSSLArtifacts

orapki wallet pkcs12_to_jks -wallet ./ -jksKeyStoreLoc ./ewallet.jks -jksKeyStorepwd oracle123

The generated ewallet.jks is referenced in the steps that follow. oracle123 is the example passphrase used throughout this article; choose a strong one, and remember that it is now in your shell history (clear it, or run the command from a script that prompts for the passphrase). If the wallet is password-protected rather than auto-login, add -pwd with the wallet password.

List the keystore to find the alias of the private key entry (keytool prompts for the password set in the step above; note the alias shown with Entry type: PrivateKeyEntry):
keytool -list -keystore ewallet.jks -v
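The listing above is read by eye in the article; the following script, added here and not part of the original post, does the same check unattended: it runs keytool -list -v, parses the output, reports the PrivateKeyEntry alias to enter later as the Private Key Alias, and flags a missing CA chain or an expired (or soon-to-expire) certificate before WebLogic is pointed at the keystore. The password is handed to keytool through an environment variable (keytool's -storepass:env option) rather than on the command line. The SAMPLE_LISTING text is a constructed example of keytool output, not output from the author's system; English locale and UTC timestamps are assumed (the script sets LANG=C and TZ=UTC when it invokes keytool).

```python
import os
import re
import subprocess
from datetime import datetime, timedelta, timezone

# keytool prints validity as "Wed Dec 31 23:59:59 UTC 2025" (English locale, UTC assumed)
_DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"


def _parse_date(s):
    try:
        return datetime.strptime(s.strip(), _DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_keytool_listing(text):
    """Turn the output of 'keytool -list -v' into a list of entry dicts."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "entry_type": None,
                   "chain_length": 1, "subject": None, "not_after": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Entry type:"):
            cur["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            cur["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:") and cur["subject"] is None:
            cur["subject"] = line.split(":", 1)[1].strip()   # first Owner = leaf cert
        elif line.startswith("Valid from:") and cur["not_after"] is None:
            m = re.search(r"until:\s*(.+)$", line)
            cur["not_after"] = _parse_date(m.group(1)) if m else None
    return entries


def private_key_aliases(entries):
    """Aliases usable as WebLogic's 'Private Key Alias' (orakey in the article)."""
    return [e["alias"] for e in entries if e["entry_type"] == "PrivateKeyEntry"]


def check_identity_keystore(entries, now=None, warn_days=30):
    """Return a list of problems; an empty list means the keystore is usable."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    keys = [e for e in entries if e["entry_type"] == "PrivateKeyEntry"]
    problems = [] if keys else ["no PrivateKeyEntry: the wallet carried no server key"]
    for e in keys:
        if e["chain_length"] < 2:
            problems.append("%s: chain length %d, CA certificates missing" % (e["alias"], e["chain_length"]))
        if e["not_after"] is None:
            problems.append("%s: could not parse expiry date" % e["alias"])
        elif e["not_after"] < now:
            problems.append("%s: certificate expired on %s" % (e["alias"], e["not_after"].date()))
        elif e["not_after"] - now < timedelta(days=warn_days):
            problems.append("%s: certificate expires within %d days" % (e["alias"], warn_days))
    return problems


def list_keystore(path, storepass, keytool="keytool"):
    """Run keytool; the password travels in the environment, not in argv."""
    env = dict(os.environ, KEYSTORE_PASS=storepass, LANG="C", TZ="UTC")
    out = subprocess.run([keytool, "-list", "-v", "-keystore", path,
                          "-storepass:env", "KEYSTORE_PASS"],
                         env=env, capture_output=True, text=True, check=True).stdout
    return parse_keytool_listing(out)


# Constructed sample of 'keytool -list -v' output (not from a real system).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: orakey
Creation date: Jan 12, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=erp.test.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Dec 31 23:59:59 UTC 2025
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Sat Jan 01 00:00:00 UTC 2022 until: Fri Dec 31 23:59:59 UTC 2032
Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Mon Dec 31 23:59:59 UTC 2040


*******************************************
*******************************************


Alias name: example-root-ca
Creation date: Jan 12, 2024
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Mon Dec 31 23:59:59 UTC 2040
"""

if __name__ == "__main__":
    import sys  # usage: KEYSTORE_PASS=... python check_jks.py ewallet.jks
    found = list_keystore(sys.argv[1], os.environ["KEYSTORE_PASS"])
    print("private key aliases:", private_key_aliases(found))
    for p in check_identity_keystore(found):
        print("PROBLEM:", p)
```

A chain length of 1 means the wallet held only the server certificate, which is the usual cause of clients rejecting the WebLogic listener later even though the console accepts the keystore.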

Configure SSL on WLS:

Take a backup of $EBS_DOMAIN_HOME/config/config.xml file:

cp $EBS_DOMAIN_HOME/config/config.xml $EBS_DOMAIN_HOME/config/config.xml_original

Use the adstpall.sh script to stop everything on the run file system, then start only the AdminServer with the adadminsrvctl.sh script. The AdminServer must be in RUNNING state while you enable SSL for it:

cd $ADMIN_SCRIPTS_HOME
sh adstpall.sh apps/qwaszx12

Passing apps/<password> on the command line leaves the APPS password in shell history and in process listings; omit the argument and let the script prompt for it instead.

Start only the WebLogic AdminServer:

sh adadminsrvctl.sh start

Log in to the WebLogic console in a browser (still over plain HTTP at this point): http://erp.test.com:7070/console

In the WebLogic Server Administration Console, under Domain Structure, click Environment and then Servers:

Environment → Servers

Click Lock & Edit

Click on the AdminServer to configure:

Under the Configuration tab, click on the Keystores sub-tab:

Click Change next to the Keystores setting:

Select the Custom Identity and Custom Trust option and click Save

Enter the identity details:

  1. Custom Identity Keystore: /u02/oracle/PREPROD/apps/fs_ne/inst/PREPROD_nawatdev/wlsSSLArtifacts/ewallet.jks
  2. Custom Identity Keystore Type: JKS (must be uppercase)
  3. Custom Identity Keystore Passphrase: the -jksKeyStorepwd value given to orapki above (oracle123)
  4. Confirm Custom Identity Keystore Passphrase (oracle123)

Enter the trust information:

  1. Custom Trust Keystore: /u02/oracle/PREPROD/apps/fs_ne/inst/PREPROD_nawatdev/wlsSSLArtifacts/cacerts
  2. Custom Trust Keystore Type: JKS
  3. Custom Trust Keystore Passphrase: the cacerts keystore password
  4. Confirm Custom Trust Keystore Passphrase: the same password

The JDK default password for cacerts is “changeit”. The trust store holds only public CA certificates, so this password protects the file's integrity rather than a secret; what matters more is that the copied cacerts is writable only by the applications OS user.

Click Save

Click the SSL tab:

Enter the identity details:

  1. Private Key Alias: orakey (the alias that keytool -list reported above for the PrivateKeyEntry)
  2. Private Key Passphrase: the -jksKeyStorepwd value given to orapki above (oracle123)
  3. Confirm Private Key Passphrase (oracle123)

Click Save.

Click the General tab:

Select the SSL Listen Port Enabled check box.
Enter the SSL Listen Port for your port pool.

Note: the SSL Listen Port base values are carried in the context variable s_wls_admin_sslport (with corresponding variables for the other server types); pick the value for the server you are configuring. You have to work the value out yourself, but the convention is simple: the SSL port is the non-SSL port with a 1 prefixed. For port pool 0 the AdminServer non-SSL port is 7001, so its SSL port is 17001; in this environment 7070 becomes 17070.

(Screenshots of the General tab before and after the change are omitted.)

Click Save.

Select the SSL tab:

Select the Advanced option and then:

Set Hostname Verification to Custom Hostname Verifier
and the Custom Hostname Verifier field to
weblogic.security.utils.SSLWLSWildcardHostnameVerifier

This keeps hostname verification switched on while accepting wildcard certificates (*.test.com), which the default verifier rejects. Do not set Hostname Verification to None: that skips the hostname check entirely, so a valid certificate issued for any other host would be accepted.

Click Save.

Activate All Changes:

Click Activate Changes.
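The console steps above (Keystores tab, SSL tab, General tab, hostname verifier, Activate Changes) are a one-off when done by hand, but the same configuration can be scripted with WLST, which makes it repeatable across UAT and production. The script below is an added example, not code from the article; it uses the standard WLST commands (connect, edit, startEdit, cd, cmo setters, save, activate) and the article's example values for host, ports, paths and alias. WLS_HOST, WLS_PORT, WLS_USER, WLS_ADMIN_PASS, WLS_ARTIFACT_DIR, IDENTITY_KS_PASS and TRUST_KS_PASS are environment variable names chosen for this example so that no password sits in the script or in shell history; WLS_ARTIFACT_DIR is expected to be $NE_BASE/inst/$CONTEXT_NAME/wlsSSLArtifacts.

```python
import os


def ssl_port_for(non_ssl_port):
    """The article's rule of thumb: prefix the non-SSL port with a 1
    (7001 -> 17001, 7070 -> 17070).  The authoritative value is the
    context variable s_wls_admin_sslport for your port pool."""
    return int("1" + str(non_ssl_port))


def admin_ssl_settings(artifact_dir, non_ssl_port, key_alias="orakey"):
    """The values entered on the Keystores, SSL and General tabs."""
    return {
        "identity_keystore": os.path.join(artifact_dir, "ewallet.jks"),
        "trust_keystore": os.path.join(artifact_dir, "cacerts"),
        "keystore_type": "JKS",                      # must be uppercase
        "key_alias": key_alias,                      # from keytool -list
        "ssl_port": ssl_port_for(non_ssl_port),
        "hostname_verifier": "weblogic.security.utils.SSLWLSWildcardHostnameVerifier",
    }


def configure_admin_server_ssl(settings, identity_pass, trust_pass, key_pass,
                               server="AdminServer"):
    """Apply the settings through the WLST edit tree.  edit(), startEdit(),
    cd(), cmo, save() and activate() are WLST built-ins, so this only runs
    inside wlst.sh after connect()."""
    edit()
    startEdit()
    cd("/Servers/" + server)                         # Keystores tab
    cmo.setKeyStores("CustomIdentityAndCustomTrust")
    cmo.setCustomIdentityKeyStoreFileName(settings["identity_keystore"])
    cmo.setCustomIdentityKeyStoreType(settings["keystore_type"])
    cmo.setCustomIdentityKeyStorePassPhrase(identity_pass)
    cmo.setCustomTrustKeyStoreFileName(settings["trust_keystore"])
    cmo.setCustomTrustKeyStoreType(settings["keystore_type"])
    cmo.setCustomTrustKeyStorePassPhrase(trust_pass)
    cd("/Servers/%s/SSL/%s" % (server, server))      # SSL and General tabs
    cmo.setEnabled(True)
    cmo.setListenPort(settings["ssl_port"])
    cmo.setServerPrivateKeyAlias(settings["key_alias"])
    cmo.setServerPrivateKeyPassPhrase(key_pass)
    # Keep hostname verification on; the wildcard verifier only relaxes the
    # match for *.domain certificates.  Never setHostnameVerificationIgnored(True).
    cmo.setHostnameVerificationIgnored(False)
    cmo.setHostnameVerifier(settings["hostname_verifier"])
    save()
    activate()


def main():
    host = os.environ.get("WLS_HOST", "erp.test.com")
    port = int(os.environ.get("WLS_PORT", "7070"))   # non-SSL AdminServer port
    settings = admin_ssl_settings(os.environ["WLS_ARTIFACT_DIR"], port)
    connect(os.environ.get("WLS_USER", "weblogic"), os.environ["WLS_ADMIN_PASS"],
            "t3://%s:%d" % (host, port))
    # the article uses the orapki -jksKeyStorepwd value for both the identity
    # keystore and the private key, and the JDK default for cacerts
    configure_admin_server_ssl(settings,
                               identity_pass=os.environ["IDENTITY_KS_PASS"],
                               trust_pass=os.environ.get("TRUST_KS_PASS", "changeit"),
                               key_pass=os.environ["IDENTITY_KS_PASS"])
    disconnect()


try:
    connect                    # defined only inside WLST
except NameError:
    pass                       # imported under plain Python: nothing to do
else:
    main()
```

Run it with the wlst.sh shipped under $FMW_HOME (oracle_common/common/bin/wlst.sh on WebLogic 12c) while only the AdminServer is up, exactly as in the console procedure; the passphrases end up encrypted in config.xml either way, so the script is no less safe than typing them into the browser, and it leaves an auditable record of what was set.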

Shut Admin Server:

cd $ADMIN_SCRIPTS_HOME
sh adadminsrvctl.sh stop

Make sure no application-tier process is still running under the applications OS user (appldev in this environment): ps -ef | grep appldev

Restart everything including the Admin and Managed Servers:

cd $ADMIN_SCRIPTS_HOME
sh adstrtal.sh apps/qwaszx12

Sync Changes to the Context File:

Backup Context File:
cp /u02/oracle/PREPROD/apps/fs2/inst/apps/PREPROD_nawatdev/appl/admin/PREPROD_nawatdev.xml /u02/oracle/PREPROD/apps/fs2/inst/apps/PREPROD_nawatdev/appl/admin/PREPROD_nawatdev.xml_original
perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE

Once SSL is enabled for the AdminServer, running adSyncContext.pl populates the following context variables in the context file:

  1. s_custom_trustKeyStoreFile — complete path of trust keystore
  2. s_wls_admin_sslEnabled — true
  3. s_wls_admin_sslport — AdminServer SSL port

Shut down Application:

cd $ADMIN_SCRIPTS_HOME
sh adstpall.sh apps/qwaszx12

Run AutoConfig via the adautocfg.sh script:

cd $ADMIN_SCRIPTS_HOME
sh adautocfg.sh

AutoConfig may take a little longer than usual to complete. It also rewrites config.xml, and in this environment the regenerated file contained a connection-filter rule denying every remaining source address, so it was edited by hand:

vi /u02/oracle/PREPROD/apps/fs2/FMW_Home/user_projects/domains/EBS_domain/config/config.xml

change
<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
to
<connection-filter-rule>0.0.0.0/0 * * allow</connection-filter-rule>

Caveat: 0.0.0.0/0 * * allow admits every source address to every WebLogic listen port, including the AdminServer console, and a hand edit to config.xml is lost the next time AutoConfig runs. The supported way to widen console access is to list the permitted hosts in the context variable s_wls_admin_console_access_nodes and rerun AutoConfig, which generates allow rules for those hosts while keeping the final deny rule.
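After AutoConfig, adSyncContext.pl and the hand edit above, it is worth checking what is actually on disk rather than trusting the console. The script below is an added example, not part of the article: it parses the WebLogic domain config.xml and the EBS context file and reports anything that deviates from the intended end state: SSL not enabled on the AdminServer, a keystore type that is not the uppercase JKS, hostname verification switched off or pointing at an unexpected verifier, the three context variables (s_wls_admin_sslEnabled, s_wls_admin_sslport, s_custom_trustKeyStoreFile) out of step with config.xml, and any connection-filter rule that allows 0.0.0.0/0. The two XML documents embedded in it are constructed samples shaped like the real files (WebLogic domain namespace and element names, EBS oa_var attributes) with the article's paths and ports, not copies of the author's files.

```python
import xml.etree.ElementTree as ET

WILDCARD_VERIFIER = "weblogic.security.utils.SSLWLSWildcardHostnameVerifier"


def _local(tag):
    return tag.rsplit("}", 1)[-1]                # strip the XML namespace


def _child(el, name):
    if el is None:
        return None
    return next((c for c in el if _local(c.tag) == name), None)


def _text(el, name):
    c = _child(el, name)
    return (c.text or "").strip() if c is not None else None


def _server(root, name):
    return next((el for el in root.iter()
                 if _local(el.tag) == "server" and _text(el, "name") == name), None)


def audit_config_xml(text, server="AdminServer"):
    """Findings for one server plus the domain's connection filter; [] is clean."""
    root = ET.fromstring(text)
    srv = _server(root, server)
    if srv is None:
        return ["server %s not found in config.xml" % server]
    f, ssl = [], _child(srv, "ssl")
    if _text(ssl, "enabled") != "true":
        f.append("%s: SSL listener not enabled" % server)
    else:
        if _text(ssl, "listen-port") in (None, "", _text(srv, "listen-port")):
            f.append("%s: SSL listen-port missing or equal to the non-SSL port" % server)
        if _text(ssl, "hostname-verification-ignored") == "true":
            f.append("%s: hostname verification is switched off" % server)
        if _text(ssl, "hostname-verifier") not in (None, "", WILDCARD_VERIFIER):
            f.append("%s: unexpected hostname verifier %s" % (server, _text(ssl, "hostname-verifier")))
        if not _text(ssl, "server-private-key-alias"):
            f.append("%s: no private key alias" % server)
    if _text(srv, "key-stores") != "CustomIdentityAndCustomTrust":
        f.append("%s: key-stores is not CustomIdentityAndCustomTrust" % server)
    for tag in ("custom-identity-key-store-type", "custom-trust-key-store-type"):
        if _text(srv, tag) != "JKS":             # WebLogic wants the type in uppercase
            f.append("%s: %s is %r, expected JKS" % (server, tag, _text(srv, tag)))
    # rules read "<source-cidr> <port|*> <protocol|*> allow|deny" and apply in order
    for el in root.iter():
        if _local(el.tag) == "connection-filter-rule":
            parts = (el.text or "").split()
            if len(parts) == 4 and parts[0] == "0.0.0.0/0" and parts[3] == "allow":
                f.append("connection filter admits every source address: " + " ".join(parts))
    return f


def context_var(ctx_text, name):
    """Value of an oa_var in an EBS context file, or None if absent."""
    root = ET.fromstring(ctx_text)
    el = next((e for e in root.iter() if e.get("oa_var") == name), None)
    return (el.text or "").strip() if el is not None else None


def cross_check(config_text, ctx_text, server="AdminServer"):
    """Variables adSyncContext.pl should have populated, compared with config.xml."""
    srv = _server(ET.fromstring(config_text), server)
    ssl = _child(srv, "ssl")
    expected = {"s_wls_admin_sslEnabled": _text(ssl, "enabled"),
                "s_wls_admin_sslport": _text(ssl, "listen-port"),
                "s_custom_trustKeyStoreFile": _text(srv, "custom-trust-key-store-file-name")}
    return ["%s is %r in the context file but config.xml has %r" % (k, context_var(ctx_text, k), v)
            for k, v in expected.items() if context_var(ctx_text, k) != v]


# Constructed samples shaped like the real files; the deny->allow edit has been applied.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>EBS_domain</name>
  <security-configuration>
    <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
    <connection-filter-rule>10.10.0.5 * * allow</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * allow</connection-filter-rule>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <hostname-verifier>weblogic.security.utils.SSLWLSWildcardHostnameVerifier</hostname-verifier>
      <listen-port>17070</listen-port>
      <server-private-key-alias>orakey</server-private-key-alias>
    </ssl>
    <listen-port>7070</listen-port>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-trust-key-store-file-name>/u02/oracle/PREPROD/apps/fs_ne/inst/PREPROD_nawatdev/wlsSSLArtifacts/cacerts</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
  </server>
</domain>"""

SAMPLE_CONTEXT_XML = """<oa_context>
  <wls_admin_sslEnabled oa_var="s_wls_admin_sslEnabled">true</wls_admin_sslEnabled>
  <wls_admin_sslport oa_var="s_wls_admin_sslport">17070</wls_admin_sslport>
  <custom_trustKeyStoreFile oa_var="s_custom_trustKeyStoreFile">/u02/oracle/PREPROD/apps/fs_ne/inst/PREPROD_nawatdev/wlsSSLArtifacts/cacerts</custom_trustKeyStoreFile>
</oa_context>"""

if __name__ == "__main__":
    import sys  # usage: audit_wls_ssl.py $EBS_DOMAIN_HOME/config/config.xml $CONTEXT_FILE
    cfg, ctx = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    for line in audit_config_xml(cfg) + cross_check(cfg, ctx):
        print("FINDING:", line)
```

Run it against the run file system after adautocfg.sh and again after adop phase=fs_clone, since fs_clone is what carries the hand edit to the patch file system; a clean run is an empty list of findings, and the connection-filter finding is the one to expect if the deny rule was flipped to allow as shown above.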

Start the primary (run) application tier and synchronize the change to the patch file system:

cd $ADMIN_SCRIPTS_HOME
sh adstrtal.sh apps/qwaszx12
adop phase=fs_clone

Access the WebLogic console on the SSL port over https (the SSL listener does not answer plain http): https://erp.test.com:17070/console

Test this on a UAT environment before applying it to PRODUCTION.
