This chapter describes issues associated with SSL configuration in Oracle Fusion Middleware. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
orapki PKI command-line tool does not work in Oracle SOA Suite and Oracle WebCenter installations.
Take these steps to resolve this issue:
Apply the one-off patch for this problem.
Set the environment variable JRE_HOME to point to the Java runtime environment. The JRE_HOME variable must be set so that the orapki tool can find the java executable.
The Oracle wallets used by Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory, as well as the keystore used by Oracle Virtual Directory, include a Verisign root key (Serial#: 02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0) that expires Jan 07, 2010 15:59:59 PST.
Customers using the user certificate signed by this root key will need to obtain a replacement user certificate signed by their Certificate Authority (CA), and import that CA's root key into the Oracle wallet.
See the Oracle Fusion Middleware Administrator's Guide for steps to import a root key into an Oracle wallet.
Fusion Middleware Control displays an incorrect message when you specify an invalid wallet password while attempting to import a wallet. The issued message "Cannot create p12 without password." is incorrect. Instead, it should notify the user that the password is incorrect and request a valid password.
Fusion Middleware Control displays an incorrect message when you attempt to import a password-protected wallet as an autologin wallet. The issued message "Cannot create p12 without password." does not provide complete information. Instead, it should notify the user that importing a password-protected wallet requires a password.
If you attempt to import an autologin wallet as a password-protected wallet using either Fusion Middleware Control or WLST, a NullPointerException error is displayed.
This section describes configuration issues and their workarounds. It includes the following topics:
You cannot use Oracle Enterprise Manager Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore.
Instead, use other tools that are available for this purpose.
To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:
Oracle Wallet Manager or
orapki command-line tool
To import DER-encoded certificates or trusted certificates into a JKS keystore, use the
If an Oracle wallet or JKS keystore was created with tools such as keytool, it must be imported prior to use. Specifically:
For Oracle HTTP Server, Oracle Webcache, and Oracle Internet Directory, if a wallet was created using orapki or Oracle Wallet Manager, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST
For Oracle Virtual Directory, if a keystore was created using keytool, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST
Customers should be aware that when no cipher is explicitly configured, some 11g Release 1 (11.1.1) components enable all supported SSL ciphers including DH_Anon (Diffie-Hellman Anonymous) ciphers.
At this time, Oracle HTTP Server is the only component known to set ciphers like this.
Configure the components with the desired cipher(s) if DH_Anon is not wanted.
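As an added illustration of the check this note calls for (not code from Oracle or from this release note), the following script audits an Oracle HTTP Server ssl.conf fragment: it flags each SSL-enabled VirtualHost that has no SSLCipherSuite directive at all (so the component default, which may include DH_Anon, applies) and each one whose explicit list still names an anonymous suite. The configuration text and the cipher suite names are constructed samples following the OHS 11g directive conventions; verify the exact names against your own installation's ssl.conf.

```python
import re

# Constructed sample ssl.conf fragment (not from an actual Oracle installation).
# Port 4443 sets no SSLCipherSuite and so inherits the component default;
# port 4444 explicitly lists an anonymous DH suite; port 4445 is clean.
SAMPLE_SSL_CONF = """\
<VirtualHost *:4443>
    SSLEngine on
    SSLWallet "${ORACLE_INSTANCE}/config/OHS/ohs1/keystores/default"
</VirtualHost>
<VirtualHost *:4444>
    SSLEngine on
    SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_AES_128_CBC_SHA
</VirtualHost>
<VirtualHost *:4445>
    SSLEngine on
    SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
</VirtualHost>
"""

# Substrings that identify anonymous (unauthenticated) key exchange in the
# Oracle/JSSE style (DH_anon) and the OpenSSL style (ADH, aNULL) of naming.
ANON_PATTERN = re.compile(r"DH_anon|ADH|aNULL", re.IGNORECASE)

def audit_cipher_config(conf_text):
    """Return (vhost, status) tuples for every VirtualHost with SSLEngine on."""
    findings = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, re.S):
        vhost, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue  # plain HTTP listener: nothing to audit
        suite = re.search(r"^\s*SSLCipherSuite\s+(\S+)", body, re.M | re.I)
        if suite is None:
            # No explicit list: the component default applies, which per the
            # release note may enable every supported suite including DH_Anon.
            findings.append((vhost, "no SSLCipherSuite: component default applies (may include DH_anon)"))
            continue
        ciphers = [c.strip() for c in suite.group(1).split(",") if c.strip()]
        anon = [c for c in ciphers if ANON_PATTERN.search(c)]
        if anon:
            findings.append((vhost, "anonymous ciphers present: " + ", ".join(anon)))
        else:
            findings.append((vhost, "ok"))
    return findings

if __name__ == "__main__":
    for vhost, status in audit_cipher_config(SAMPLE_SSL_CONF):
        print(f"{vhost}: {status}")
```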
This section contains SSL documentation errata:
The section titled What's New in This Guide? incorrectly states that Oracle Wallet Manager is discontinued.
11g Release 1 (11.1.1) introduces a new web-based interface known as Fusion Middleware Control. WLST is the new command-line tool. You can use both these tools to manage not just Oracle wallets, but also JKS keystore files.
While Oracle Wallet Manager is still available, its usage should be limited to PKCS#11 wallets (that is, Hardware Security Module integration).