Oracle® Application Server Forms Services Deployment Guide
10g Release 2 (10.1.2)
B14032-03

5.11 Oracle Forms Services and SSL

By default, the HTTPS port is not enabled when installing Oracle Application Server 10g. There are two steps to enable SSL: enable the HTTPS port in Oracle HTTP Server, then enable Web Cache to accept HTTPS connections from Oracle HTTP Server.


Note:

If you've coded your Forms application such that the logon dialog appears (because you haven't specified the user/password as part of the configuration for the application you're running) and you're not running your application with SSL/HTTPS, be aware of a potential security issue: the password entered in the logon dialog is sent across the network without SSL protection.

5.11.1 Configuring Oracle HTTP Server to use SSL

When you enable Oracle HTTP Server to use SSL, you modify a portion of the Oracle Process Manager and Notification Server (OPMN) configuration file. After you've modified and saved this file, you will need to restart OPMN processes.

To configure Oracle HTTP Server to use SSL:

  1. Open ORACLE_HOME/opmn/conf/opmn.xml in a text editor and find this block of code:

     <ias-component id="HTTP_Server">
         <process-type id="HTTP_Server" module-id="OHS">
             <module-data>
                 <category id="start-parameters">
                     <data id="start-mode" value="ssl-disabled"/>
                 </category>
             </module-data>
             <process-set id="HTTP_Server" numprocs="1"/>
         </process-type>
     </ias-component>
    
  2. Change the start-mode parameter value to ssl-enabled:

     <ias-component id="HTTP_Server">
         <process-type id="HTTP_Server" module-id="OHS">
             <module-data>
                 <category id="start-parameters">
                     <data id="start-mode" value="ssl-enabled"/>
                 </category>
             </module-data>
             <process-set id="HTTP_Server" numprocs="1"/>
         </process-type>
     </ias-component>
    
  3. Force OPMN to reload the modified opmn.xml configuration file:

    opmnctl reload
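
An added example (not part of Oracle's guide) for checking the result of this procedure: it parses opmn.xml text and reports the start-mode of the HTTP_Server component, treating a missing value as not SSL-enabled. The sample XML is constructed from the block in step 1, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the block shown in step 1 (not a full opmn.xml).
SAMPLE_OPMN = """<opmn>
  <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
      <module-data>
        <category id="start-parameters">
          <data id="start-mode" value="ssl-disabled"/>
        </category>
      </module-data>
      <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
  </ias-component>
</opmn>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{uri}data' -> 'data'."""
    return tag.rsplit("}", 1)[-1]


def ohs_start_modes(xml_text):
    """Return every start-mode value found under the HTTP_Server component."""
    root = ET.fromstring(xml_text)
    modes = []
    for comp in root.iter():
        if _local(comp.tag) != "ias-component" or comp.get("id") != "HTTP_Server":
            continue
        for cat in comp.iter():
            if _local(cat.tag) != "category" or cat.get("id") != "start-parameters":
                continue
            for data in cat:
                if _local(data.tag) == "data" and data.get("id") == "start-mode":
                    modes.append(data.get("value"))
    return modes


def ssl_enabled(xml_text):
    """True only if a start-mode exists and every one is 'ssl-enabled'."""
    modes = ohs_start_modes(xml_text)
    return bool(modes) and all(m == "ssl-enabled" for m in modes)


if __name__ == "__main__":
    print(ohs_start_modes(SAMPLE_OPMN), ssl_enabled(SAMPLE_OPMN))
```

To audit a real instance, pass the contents of ORACLE_HOME/opmn/conf/opmn.xml to ssl_enabled() after running opmnctl reload.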

5.11.2 Configuring Oracle Web Cache to use SSL

Use the Web Cache Admin page to enable HTTPS connections from Oracle HTTP Server.

To configure Web Cache to use SSL:

  1. Open the Web Cache Manager page. If you configured OracleAS Web Cache during installation, you can access it at http://hostname.domain:port. The default port is 4000; otherwise, use the Web Cache HTTP Listen port number listed in:

    • Solaris: ORACLE_HOME/install/portlist.ini

    • Windows: ORACLE_HOME\install\portlist.ini

  2. Log in as the application server administrator.

  3. Locate the Port section in the navigator frame and click Listen Ports.

  4. Click Add.

  5. From the For Cache dropdown list, select the target Web Cache.

  6. Enter the following information, as shown in Table 5-1:

    Table 5-1 HTTPS Port Configuration Information

    Setting
        Description

    IP Address
        Any valid IP address

    Port Number
        443

    Protocol
        HTTPS

    Require Client-Side Certification
        Enable or disable client-side certificates. Select Require Client-Side Certificate to enable OracleAS Web Cache to require browsers to provide SSL certificates. You'll need to import the ewallet.p12 file from webcache/wallet/default.

        A client-side certificate is a method for verifying the identity of the client. It binds information about the client user to the user's public key and must be digitally signed by a trusted certificate authority.

    Wallet
        Enter the directory location of the wallet. This directory must contain an existing wallet. This wallet is used for administration, invalidation, and statistics monitoring of HTTPS requests for sites hosted by OracleAS Web Cache. Oracle recommends entering the location, even if the default is being used. The default location is ORACLE_HOME/webcache/wallets/default.



  7. Note: When selecting and using client-side certification, you must use Sun Java Plug-in 1.4.2 or later. Visit http://java.sun.com/ for more information.

  8. Click Apply Changes.

  9. Restart Web Cache.

5.11.3 Running a Form with SSL

Running a Forms application that uses an HTTPS port requires a certificate to be imported. If you access Web Cache through port 4443, you need to import the Web Cache certificate. If you access Oracle HTTP Server through port 4444, you need to import the Oracle HTTP Server certificate.

To import the Web Cache certificate:

  1. Invoke Wallet Manager:

    • Windows: Invoke Wallet Manager launch.exe

    • Solaris: owm

  2. Open ORACLE_HOME\WebCache\wallets\default.

  3. Enter welcome as the password.

  4. Select Auto Login.

  5. Select FOR TEST PURPOSES ONLY.

  6. Choose [Operations]-[Export Trusted Certificate] and provide a name.

  7. Open this file in a text editor, copy all of its contents, and append them to C:\Program Files\Oracle\JInitiator 1.3.1.21\lib\security\certdb.txt.

  8. Run the Form Servlet as https://computer.mycompany.com:4443/forms/frmservlet.

  9. Verify that the JInitiator log window shows the HTTPS protocol.

To import the Oracle HTTP Server Certificate:

  1. Invoke Wallet Manager:

    • Windows: Invoke Wallet Manager launch.exe

    • Solaris: owm

  2. Open ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default.

  3. Enter welcome as the password.

  4. Select Auto Login.

  5. Select FOR TEST PURPOSES ONLY.

  6. Choose [Operations]-[Export Trusted Certificate] and provide a name.

  7. Open this file in a text editor, copy all of its contents, and append them to C:\Program Files\Oracle\JInitiator 1.3.1.21\lib\security\certdb.txt.

  8. Run the Form Servlet as https://computer.mycompany.com:4444/forms/frmservlet.

  9. Verify that the JInitiator log window displays the HTTPS protocol.

5.11.4 Configuring SSL with a Load Balancing Router

Running a Forms application that uses an HTTPS port requires a certificate to be imported. If a Forms server is behind a load balancing router and SSL terminates at the router, you need to import the certificate from the load balancing router.

Follow these steps to enable SSL with your Forms applications over a load balancing router:

  1. Open the Security Alert dialog by opening https://mycomputer.us.oracle.com:443/forms/frmservlet in a Web browser.

  2. Click View Certificate.

  3. Click the Details tab in the Certificate dialog.

  4. Click Copy to File...

  5. In the Welcome page of the Certificate Export Wizard, click Next.

  6. In the Export File Format page, select Base-64 encoded X.509 (.CER), then click Next.

  7. Enter a file name such as c:\temp\forms, then click Next.

  8. Click Finish.

    A message appears saying that the export was successful.

  9. Click OK.

  10. Close the Certificate Export Wizard, but keep the Security Alert dialog open.

  11. Open c:\temp\forms.cer in a text editor.

  12. Copy the contents of the file into JInitiator's certdb.txt file in lib\security.

  13. Save certdb.txt.

  14. Reopen the Security Alert dialog and click Yes.
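
An added example (not part of Oracle's guide) for the certdb.txt append step in 5.11.3 and 5.11.4: it checks that the exported file holds exactly one Base-64 X.509 block with a consistent DER length, computes its SHA-256 fingerprint so it can be compared with the value obtained from the server administrator, and skips the append when certdb.txt already contains that certificate. The sample certificate is constructed filler, and the function names are illustrative.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

# Constructed stand-in for an exported .cer file: a DER SEQUENCE header plus
# filler bytes. It has the right outer shape but is not a real certificate.
_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(_DER).decode().replace("\n", "\r\n")
              + "-----END CERTIFICATE-----\r\n")


def pem_to_der(block_b64):
    """Decode one PEM body and check the outer DER SEQUENCE length."""
    der = base64.b64decode("".join(block_b64.split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("DER length does not match file contents")
    return der


def fingerprints(text):
    """SHA-256 fingerprint of every certificate block in text."""
    return [hashlib.sha256(pem_to_der(b)).hexdigest()
            for b in PEM_RE.findall(text)]


def append_cert(certdb_text, cer_text):
    """Return (new certdb text, fingerprint, added?) for one exported cert."""
    fps = fingerprints(cer_text)
    if len(fps) != 1:
        raise ValueError("expected exactly one certificate in the export")
    if fps[0] in fingerprints(certdb_text):
        return certdb_text, fps[0], False          # already trusted
    sep = "" if certdb_text.endswith("\n") or not certdb_text else "\n"
    pem = "\n".join(cer_text.strip().splitlines()) + "\n"
    return certdb_text + sep + pem, fps[0], True
```

The caller reads the exported file and certdb.txt, compares the returned fingerprint with the expected one, and writes the new text back only when the third value is True.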