Oracle® Beehive Installation Guide
Release 1 (1.4) for Linux x86

Part Number E13791-03

19 Configuring SSL

This module describes various ways to configure Oracle Beehive with SSL. It covers the SSL checklist, configuring SSL with Oracle Beehive, configuring SSL with Oracle Beehive DMZ instances, the procedures related to configuring SSL (creating wallets and certificates), and installing a non-SSL Oracle Beehive site.

Notes:

Refer to "Configuring Oracle Beekeeper for SSL Access" to configure SSL for Oracle Beekeeper.

If you do not want to use SSL with your Oracle Beehive deployment, follow the steps described in "Installing Non-SSL Oracle Beehive Site".

SSL Checklist

After following the steps described in this module, ensure the following for all your application tiers:

Configuring SSL with Oracle Beehive

This section covers configuring SSL with test certificates, configuring SSL with self-signed certificates during installation, and configuring SSL with self-signed certificates after installation.

Configuring SSL with Test Certificates for Oracle Beehive

The following steps describe how to configure SSL with test certificates during or after the installation of one or more Oracle Beehive instances:

  1. Enable secure ONS notification for your database by following the steps described in "Configuring Oracle Wallet for Oracle Database and Oracle RAC".

  2. Install your first Oracle Beehive instance, if you have not already done so.

  3. By default, an Oracle wallet with test certificates for OPMN is created in Oracle Beehive. This Oracle wallet is located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default.

    Copy the contents of <Oracle Beehive home>/opmn/conf/ssl.wlt/default to the <Database home>/opmn/conf/ssl.wlt/default directory. This will overwrite the Oracle wallet files in this directory.

    If you are using Oracle RAC, copy the contents of <Oracle Beehive home>/opmn/conf/ssl.wlt/default to the <Database home>/opmn/conf/ssl.wlt/default directory on each Oracle RAC node.

  4. Configure TLS on your first Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

  5. Perform the post-install steps for configuring Oracle RAC except step 7 (Register for ONS Notification). Refer to "Post-Install Steps" in "Configuring and Installing Oracle Beehive Release 1 for Oracle RAC".

  6. Configure the virtual server of your Oracle Beehive instance with a load balancer. Refer to "Configuring High Availability Environment with Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

  7. If you have more than one Oracle Beehive instance, configure TLS on all your other Oracle Beehive instances. Refer to "Configuring TLS on Multiple Instances" in "Configuring TLS with Oracle Wallet".

  8. Enable ORMIS on all your Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  9. Enable AJPS on all your Oracle Beehive instances. Refer to "Enabling AJPS".

Note:

After configuring SSL with test (self-signed) certificates for an Oracle Beehive environment with multiple instances, you may receive an alert message similar to the following:

You have received an invalid certificate.... Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

In this scenario, two certificates issued by the same CA share a serial number. With OpenSSL this happens when the CA's serial file (cacert.srl, created by -CAcreateserial) is deleted or recreated between signings, or when the same -set_serial value is reused. Either keep one cacert.srl for the lifetime of the test CA, or pass an explicit, different serial for each Oracle Beehive instance with -set_serial, which takes precedence over the serial file (for example 01 for the first instance and 02 for the second):

openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem
  -set_serial 02 -days 365 > server.crt

For more information about creating self-signed certificates with OpenSSL (and then importing them into Oracle Wallet), refer to "Creating Self-Signed Certificate and Importing it into Wallet".

Configuring SSL with Self-Signed Certificates During Installation of Oracle Beehive

The following steps describe how to configure SSL with self-signed certificates during the installation of one or more Oracle Beehive instances:

  1. Enable secure ONS notification on your database by following the steps described in "Configuring Oracle Wallet for Oracle Database and Oracle RAC".

  2. Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

  3. For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

  4. Install your first Oracle Beehive instance.

  5. Configure TLS on your first Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

  6. Remove the test certificates using Oracle Wallet Manager from the wallets in Oracle Beehive. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default and <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.

  7. For the wallet located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default, create a self-signed server certificate for the Oracle Beehive server using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

    Repeat this step for the wallet located in <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.

  8. Perform the post-install steps for configuring Oracle RAC except Step 7 (Register for ONS Notification).

  9. Configure the virtual server of each Oracle Beehive instance with a load balancer. Refer to "Configuring High Availability Environment with Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

  10. Install an additional Oracle Beehive instance (software only install). In the following steps, this instance will be referred to as the second instance.

  11. Replace orapki and Oracle Wallet Manager (owm) binaries of the second instance with those from the first instance. Create new wallets located in <Oracle Beehive new instance home>/opmn/conf/ssl.wlt/default and <Oracle Beehive new instance home>/Apache/Apache/conf/ssl.wlt/default. Refer to "Configuring TLS with Oracle Wallet".

  12. Remove test certificates using Oracle Wallet Manager from the wallets in <Oracle Beehive new instance home>/opmn/conf/ssl.wlt/default and <Oracle Beehive new instance home>/Apache/Apache/conf/ssl.wlt/default, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

  13. Repeat Step 8 for the second instance.

  14. Run the Config Wizard for the second instance and complete the configuration.

  15. Configure TLS on all Oracle Beehive instances.

  16. If you want to install another Oracle Beehive instance, repeat Steps 11 to 15.

  17. Enable ORMIS on all Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  18. Enable AJPS on all Oracle Beehive instances. Refer to "Enabling AJPS".

Configuring SSL with Self-Signed Certificates After Installation of Oracle Beehive

The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive instances:

  1. Enable secure ONS notification on your database by following the steps described in "Configuring Oracle Wallet for Oracle Database and Oracle RAC".

  2. Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

  3. For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

  4. Choose one of your Oracle Beehive instances on which to perform Steps 4 to 7 (you will repeat these steps on your other instances later). Configure TLS on the Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

  5. Remove the test certificates from the wallets of the Oracle Beehive instance. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default and <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.

  6. For the wallet located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default, create a self-signed server certificate for Oracle Beehive using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

    Repeat this step for the wallet located in <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.

  7. Register for ONS Notification. By default, Oracle Beehive is configured to receive secure ONS notifications. If SSL ONS notification is disabled on the Oracle Beehive instance, enable it by changing the value of NotificationServerSslEnabled property of OpmnCluster component to true. Refer to Step 7, "Register for ONS Notification" in "Configuring and Installing Oracle Beehive Release 1 for Oracle RAC".

  8. If you have multiple Oracle Beehive instances, repeat Steps 4 to 7 for each of your instances.

  9. Enable ORMIS on all Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  10. Enable AJPS on all Oracle Beehive instances. Refer to "Enabling AJPS".

Configuring SSL with Oracle Beehive DMZ Instances

This section covers configuring SSL with test certificates and configuring SSL with self-signed certificates, both after installation of DMZ instances.

Configuring SSL with Test Certificates After Installation of DMZ Instances

The following steps describe how to configure SSL with test certificates after the installation of one or more Oracle Beehive DMZ instances:

  1. Install your DMZ instance.

  2. Configure Oracle Wallet for the DMZ instance. For more information, refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances". This step involves creating an Oracle Wallet for your DMZ instance and editing the file <Oracle home of DMZ instance>/opmn/conf/opmn.xml so that it refers to the new Oracle Wallet.

  3. Follow the steps described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".

  4. Configure the virtual server of your Oracle Beehive DMZ instances with a load balancer. For more information, refer to "Configuring High Availability Environment with DMZ Instances and Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

Configuring SSL with Self-Signed Certificates After Installation of DMZ Instances

The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive DMZ instances:

  1. Install your DMZ instance.

  2. Configure Oracle Wallet for the DMZ instance. For more information, refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances". This step involves creating an Oracle Wallet for your DMZ instance and editing the file <Oracle home of DMZ instance>/opmn/conf/opmn.xml so that it refers to the new Oracle Wallet.

  3. For the wallet located in <Oracle Beehive DMZ home>/opmn/conf/ssl.wlt/default, create a self-signed server certificate for the Oracle Beehive DMZ instance using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. For more information, refer to "Creating Self-Signed Certificate and Importing it into Wallet".

    Repeat this step for the wallet located in <Oracle Beehive DMZ home>/Apache/Apache/conf/ssl.wlt/default.

  4. Follow the steps described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".

  5. Configure the virtual server of your Oracle Beehive DMZ instances with a load balancer. For more information, refer to "Configuring High Availability Environment with DMZ Instances and Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

Procedures Related to Configuring SSL

This section covers configuring Oracle Wallet for Oracle Database and Oracle RAC, creating a self-signed certificate and importing it into a wallet, and creating a CA-signed certificate and importing it into a wallet.

Configuring Oracle Wallet for Oracle Database and Oracle RAC

These steps create an Oracle Wallet for OPMN for Oracle Database. If you are using Oracle RAC, these steps configure Oracle Wallet for Oracle Cluster Ready Services (CRS) for each Oracle RAC node.

In the following steps, <Database home> refers to the location of Oracle Database, and <CRS home> refers to the location of CRS of your Oracle RAC node.

  1. Create the directory <Database home>/opmn/conf/ssl.wlt/default.

  2. Create the wallet with the orapki tool. The password welcome is only a placeholder; choose your own. The -auto_login option also writes an auto-login file (cwallet.sso) that lets OPMN and ONS open the wallet without a password, so anyone who can read the wallet directory can use the key; keep the directory readable by the Oracle software owner only:

    <Database home>/bin/orapki wallet create
      -wallet <Database home>/opmn/conf/ssl.wlt/default
      -auto_login -pwd welcome
     
    

    This command creates the wallet files (ewallet.p12 and cwallet.sso) in the default location, <Database home>/opmn/conf/ssl.wlt/default.

  3. Add the following line to the file <Database home>/opmn/conf/ons.config:

    walletfile=<Database home>/opmn/conf/ssl.wlt/default
    
  4. If you are using Oracle RAC, then for each Oracle RAC node, repeat Steps 1, 2, and 3, and then add the following line to <CRS home>/opmn/conf/ons.config:

    walletfile=<Database home>/opmn/conf/ssl.wlt/default
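
The procedure above, as an added example that is not part of the Oracle documentation: a script that creates the database OPMN wallet, takes the password from the environment instead of the placeholder, restricts permissions, verifies that the wallet opens, and edits ons.config so that re-running it does not add a second walletfile line. DB_HOME, CRS_HOME and WALLET_PWD are assumed names; set CRS_HOME only on an Oracle RAC node.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): the wallet setup from
# "Configuring Oracle Wallet for Oracle Database and Oracle RAC" as a repeatable
# script. Assumptions (hypothetical): DB_HOME is the Oracle Database home,
# CRS_HOME the CRS home on a RAC node (unset elsewhere), WALLET_PWD the password.
set -eu

# set_config_key <file> <key> <value>: set key=value in a one-key-per-line
# configuration file such as ons.config, replacing an existing line if present.
set_config_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^$key=" "$file"; then
        tmp=$(mktemp)
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
        cat "$tmp" > "$file"      # keep the original inode and permissions
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_config_key <file> <key>: print the effective value (last line wins).
get_config_key() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# create_db_wallet <db-home> <password>: create the auto-login OPMN wallet in the
# default location and point ons.config (database, and CRS if set) at it.
create_db_wallet() {
    home=$1; password=$2
    wdir="$home/opmn/conf/ssl.wlt/default"
    mkdir -p "$wdir"
    # ewallet.p12 is password protected; cwallet.sso (from -auto_login) is not,
    # so only the OS user that runs OPMN/ONS may read the directory.
    "$home/bin/orapki" wallet create -wallet "$wdir" -auto_login -pwd "$password"
    chmod 700 "$wdir"
    chmod 600 "$wdir"/*
    "$home/bin/orapki" wallet display -wallet "$wdir"   # fails if the wallet is unusable
    set_config_key "$home/opmn/conf/ons.config" walletfile "$wdir"
    if [ -n "${CRS_HOME:-}" ]; then
        set_config_key "$CRS_HOME/opmn/conf/ons.config" walletfile "$wdir"
    fi
}

# Usage on each database / RAC node. The password stays out of the shell
# history, but is still visible to ps while orapki runs:
#   create_db_wallet "$DB_HOME" "$WALLET_PWD"
```

Run the script once per database home and once per Oracle RAC node; the walletfile line in the CRS home's ons.config points at the database home's wallet, as in Step 4.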
    

Creating Self-Signed Certificate and Importing it into Wallet

The following steps create a server certificate signed by a test certificate authority that you create yourself (this document calls the result a self-signed certificate) and import it into an Oracle Wallet. You may also create a certificate signed by a certificate authority (CA) and import that into an Oracle Wallet. Refer to "Creating CA-Signed Certificate and Importing it into Wallet" for more information.

You will be performing these steps for the wallet you created in "Configuring Oracle Wallet for Oracle Database and Oracle RAC" and for the Oracle Beehive wallets in <Oracle Beehive home>/opmn/conf/ssl.wlt/default and <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default, as directed by the procedures earlier in this module:

  1. Create your own certificate authority. This step uses OpenSSL. For more information about OpenSSL, refer to http://www.openssl.org/.

    On Linux and other UNIX-based operating systems, the command openssl is typically located in /usr/bin.

    openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 365
    

    This command prompts for a passphrase and for the distinguished name of the CA, then generates two files: cakey.pem, the CA private key (keep it passphrase-protected and readable only by you, because anyone holding it can issue certificates that your servers trust), and cacert.crt, the self-signed CA certificate that you will import into each wallet as a trusted certificate.

  2. Create and export a certificate request with Oracle Wallet Manager:

    1. Run Oracle Wallet manager, <Oracle Beehive home>/bin/owm. (Use <Database home>/bin/owm instead if you have not installed any Oracle Beehive instances.)

    2. Open the wallet (to which you want to add the certificate).

    3. Create a certificate request. Click the Operations tab. Click Add Certificate Request. Fill out the form. The Common Name should be the name of the server for which you are creating the certificate (such as the name of the Oracle RAC node). Click OK.

    4. Save the wallet.

    5. Click the Operations tab. Click Export Certificate Request. Enter the path and file name of the certificate request. These steps assume that the name of this file is certreq.csr. (Keep Oracle Wallet Manager open; you will use it in Step 4.)

  3. From a command prompt, generate a server certificate with the following command:

    openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem
      -CAcreateserial -days 365 > server.crt
    

    This command generates server.crt (the server certificate signed by your CA) and, because of -CAcreateserial, the serial-number file cacert.srl, which OpenSSL increments on every later signing. Keep cacert.srl next to cacert.crt so that each certificate the CA issues gets a unique serial number.

  4. In Oracle Wallet Manager, click the Operations tab. Click Import Trusted Certificate. Select the file cacert.crt. Click OK.

  5. Click Import User Certificate. Select the file server.crt. Click OK.

  6. Repeat Steps 2 to 5 (except Step 1; you can use the same cakey.pem and cacert.crt files for other servers) for each server for which you want to create a certificate. (In particular, you would repeat these steps for each Oracle RAC node.)
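
The signing step above and the duplicate-serial note in "Configuring SSL with Test Certificates for Oracle Beehive", as one added example that is not part of the Oracle documentation: a script that signs one request per Oracle Beehive instance from the same cakey.pem/cacert.crt, assigns each certificate an explicit serial, and checks that no two certificates share a serial before they are imported into the wallets. The instance names and the <instance>.csr file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): sign one server certificate
# per Oracle Beehive instance with the test CA from "Creating Self-Signed
# Certificate and Importing it into Wallet" (cakey.pem / cacert.crt), giving
# every certificate its own serial number, and check for duplicate serials.
# Assumptions (hypothetical): each instance's request, exported from Oracle
# Wallet Manager, is saved as <instance>.csr in the current directory.
set -eu

# sign_instance_cert <instance> <serial>: sign <instance>.csr with the CA and
# write <instance>.crt. -set_serial makes the serial explicit (decimal, or hex
# with a 0x prefix) and bypasses cacert.srl, so the caller must hand out a
# different value to every instance.
sign_instance_cert() {
    inst=$1
    serial=$2
    openssl x509 -req -in "$inst.csr" -CA cacert.crt -CAkey cakey.pem \
        -set_serial "$serial" -days 365 -out "$inst.crt"
}

# cert_serial <cert-file>: print the serial number as OpenSSL reports it (hex).
cert_serial() {
    openssl x509 -noout -serial -in "$1" | cut -d= -f2
}

# find_duplicate_serials: read "<serial> <file>" lines on stdin and report each
# serial that appears more than once. Returns 1 when any duplicate exists.
find_duplicate_serials() {
    dups=$(awk '{ print $1 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate serial: %s\n' $dups >&2
        return 1
    fi
    return 0
}

# check_unique_serials <cert-file>...: the check to run over every server
# certificate issued by the same CA (one per instance) before importing them.
check_unique_serials() {
    for f in "$@"; do
        printf '%s %s\n' "$(cert_serial "$f")" "$f"
    done | find_duplicate_serials
}

# Typical use, after exporting beehive1.csr and beehive2.csr from OWM:
#   sign_instance_cert beehive1 1
#   sign_instance_cert beehive2 2
#   check_unique_serials beehive1.crt beehive2.crt && echo "serials are unique"
```

Because -set_serial is explicit, the script is safe to run on different hosts that do not share a cacert.srl file; the only requirement is that you never reuse a serial value for the same CA.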

Using Oracle Wallet to Create Self-Signed Certificate

Alternatively, you may use Oracle Wallet to create a self-signed certificate. Here the certificate is its own issuer; no separate CA key or certificate file is involved.

Add a self-signed certificate to the wallet with the following command:

orapki wallet add
  -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
  -dn CN=user
  -keysize 2048
  -self_signed
  -validity 365

CN=user is the distinguished name of the certificate owner. For a certificate that a TLS server presents, set the CN to the host name that clients use to reach the server (for the load-balanced configurations in this module, the virtual host name), because clients compare it with the name they connected to. Supply the wallet password with -pwd <wallet password>; the ewallet.p12 file is always password protected, even when an auto-login file exists.

Creating CA-Signed Certificate and Importing it into Wallet

Alternatively, you may create a certificate signed by a certificate authority (CA), and import that into the Oracle Beehive wallet:

  1. Add a certificate request to the Oracle Beehive wallet:

    orapki wallet add
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -dn CN=user
      -keysize 2048
      -validity 365
    

    The directory <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ is the Oracle Beehive default wallet directory. CN=user is the distinguished name of the certificate owner; for a server certificate, use the host name that clients connect to as the CN.

  2. Export the certificate request to a file:

    orapki wallet export
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -dn CN=user
      -request certificate_request.txt
    

    The file certificate_request.txt is the exported certificate request.

  3. With your certificate authority (CA) and your certificate request (certificate_request.txt), create a signed user certificate. In addition, export the trusted certificate from your CA. These steps use the file user_certificate.txt as the signed user certificate and the file trusted_certificate.txt as the trusted certificate exported from your CA.

    You may use Oracle Wallet as a CA for testing purposes by following these steps.

    1. Create an auto-login wallet to act as a certificate authority, and add a self-signed certificate to it with orapki wallet add -self_signed (as shown in "Using Oracle Wallet to Create Self-Signed Certificate"); its distinguished name is CN=ca_user in these steps. These steps assume that this wallet is stored in /private/ca_wallet. Create a signed certificate from the request for test purposes:

      orapki cert create
        -wallet /private/ca_wallet
        -request certificate_request.txt
        -cert user_certificate.txt
        -validity 365
      

      The file user_certificate.txt is the signed user certificate.

    2. Export the trusted certificate from the CA wallet:

      orapki wallet export
        -wallet /private/ca_wallet
        -dn CN=ca_user
        -cert trusted_certificate.txt
      

      The file trusted_certificate.txt is the exported (test) trusted certificate from the CA wallet.

  4. Add the trusted certificate from the CA to the Oracle Beehive wallet:

    orapki wallet add
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -trusted_cert
      -cert trusted_certificate.txt
    
  5. Add the user certificate to the Oracle Beehive wallet:

    orapki wallet add
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -user_cert user_certificate.txt
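
The whole procedure above, as an added example that is not part of the Oracle documentation: one script that creates the test CA wallet the steps assume exists at /private/ca_wallet, then runs Steps 1 to 5 against a server wallet and checks that the wallet now lists the new certificate. ORACLE_HOME (the Oracle Beehive home), the orapki_cmd indirection and the ORAPKI override are assumptions; the host name, passwords and work directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): the steps of "Creating
# CA-Signed Certificate and Importing it into Wallet" as one script, including
# the test CA wallet at /private/ca_wallet that those steps assume already
# exists, and a final check that the wallet holds the user certificate.
# Assumptions (hypothetical): ORACLE_HOME is the Oracle Beehive home; orapki_cmd
# is an indirection so another orapki binary can be substituted via ORAPKI.
set -eu

orapki_cmd() {
    "${ORAPKI:-${ORACLE_HOME:?set ORACLE_HOME to the Oracle Beehive home}/bin/orapki}" "$@"
}

# make_test_ca <ca-wallet> <ca-dn> <password>: an auto-login wallet whose own
# self-signed certificate acts as the issuing CA.
make_test_ca() {
    ca=$1; cadn=$2; capw=$3
    orapki_cmd wallet create -wallet "$ca" -auto_login -pwd "$capw"
    orapki_cmd wallet add -wallet "$ca" -dn "$cadn" -keysize 2048 -self_signed -validity 365 -pwd "$capw"
}

# issue_server_cert <wallet> <server-dn> <wallet-pwd> <ca-wallet> <ca-dn> <workdir>
# Runs Steps 1 to 5 of the procedure against <wallet> (for Oracle Beehive this is
# <Oracle home>/Apache/Apache/conf/ssl.wlt/default) using the CA wallet.
issue_server_cert() {
    wallet=$1; dn=$2; pw=$3; ca=$4; cadn=$5; work=$6
    mkdir -p "$work"
    # Step 1: key pair and certificate request in the server wallet
    orapki_cmd wallet add -wallet "$wallet" -dn "$dn" -keysize 2048 -validity 365 -pwd "$pw"
    # Step 2: export the request for the CA
    orapki_cmd wallet export -wallet "$wallet" -dn "$dn" -request "$work/certificate_request.txt" -pwd "$pw"
    # Step 3: sign it with the CA wallet and export the CA certificate
    orapki_cmd cert create -wallet "$ca" -request "$work/certificate_request.txt" \
        -cert "$work/user_certificate.txt" -validity 365
    orapki_cmd wallet export -wallet "$ca" -dn "$cadn" -cert "$work/trusted_certificate.txt"
    # Steps 4 and 5, in this order: the wallet must trust the issuer before it
    # accepts the user certificate that issuer signed
    orapki_cmd wallet add -wallet "$wallet" -trusted_cert -cert "$work/trusted_certificate.txt" -pwd "$pw"
    orapki_cmd wallet add -wallet "$wallet" -user_cert -cert "$work/user_certificate.txt" -pwd "$pw"
    # Check: the wallet listing must show the new subject DN
    orapki_cmd wallet display -wallet "$wallet" -pwd "$pw" | grep -q "$dn"
}

# Usage (hypothetical host name; make the CA wallet once, then reuse it):
#   make_test_ca /private/ca_wallet CN=ca_user "$CA_PWD"
#   issue_server_cert "$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default" \
#       CN=beehive.example.com "$WALLET_PWD" /private/ca_wallet CN=ca_user /tmp/certs
```

Repeat issue_server_cert for the OPMN wallet in <Oracle home>/opmn/conf/ssl.wlt/default with the same CA wallet, so that both wallets trust the same test CA.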
    

Installing Non-SSL Oracle Beehive Site

The following steps describe how to install a non-SSL Oracle Beehive site in which none of its tiers communicate using SSL:

Note:

Because Oracle Beehive DMZ instances have SSL enabled by default, the following steps will not work for DMZ instances unless you configure them to receive non-SSL notifications as described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".

  1. Install your first Oracle Beehive application tier. Its OPMN uses Oracle Notification Service (ONS) to communicate with the other OPMNs in the site; the next step checks whether SSL is enabled for ONS on this tier and disables it if necessary.

  2. Ensure that the value of NotificationServerSslEnabled in the _current_site:OpmnCluster component in the first Oracle Beehive application tier is false:

    beectl list_properties
      --component _current_site:OpmnCluster
      --name NotificationServerSslEnabled
    

    If NotificationServerSslEnabled is true, then set it to false:

    beectl modify_property
      --component _current_site:OpmnCluster
      --name NotificationServerSslEnabled
      --value false
      --activate_configuration
    
    
  3. In the first Oracle Beehive application tier, set the value of HttpServerSslEnabled in the _current_site:HttpServerCluster component to false, then run beectl modify_local_configuration_files:

    beectl modify_property
      --component _current_site:HttpServerCluster
      --name HttpServerSslEnabled
      --value false
      --activate_configuration
    
    beectl modify_local_configuration_files
    
  4. If you are using Oracle Real Application Clusters (RAC) as your database, ensure that you have disabled SSL ONS notifications. Refer to "Register for ONS Notification" in "Configuring and Installing Oracle Beehive Release 1 for Oracle RAC".

  5. Install any additional Oracle Beehive application tiers. You do not need to perform any additional steps for these application tiers.