41 SSL Configuration in Oracle Fusion Middleware

This chapter describes issues associated with SSL configuration in Oracle Fusion Middleware. It includes the following topics:

41.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

41.1.1 Replacement User Certificates for Oracle Wallets

The Oracle wallets used by Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory, as well as the keystore used by Oracle Virtual Directory, include a Verisign root key (Serial#: 02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0) that expires Jan 07, 2010 15:59:59 PST.

Customers using the user certificate signed by this root key will need to obtain a replacement user certificate signed by their Certificate Authority (CA), and import that CA's root key into the Oracle wallet.

See "Common Certificate Operations" in the "Wallet Management" section of the Oracle Fusion Middleware Administrator's Guide for steps to import a root key into an Oracle wallet.

41.1.2 Incorrect Message or Error when Importing a Wallet

Problem 1

Fusion Middleware Control displays an incorrect message when you specify an invalid wallet password while attempting to import a wallet. The issued message "Cannot create p12 without password." is incorrect. Instead, it should notify the user that the password is incorrect and request a valid password.

Problem 2

Fusion Middleware Control displays an incorrect message when you attempt to import a password-protected wallet as an autologin wallet. The issued message "Cannot create p12 without password." does not provide complete information. Instead, it should notify the user that importing a password-protected wallet requires a password.

Problem 3

If you attempt to import an autologin wallet as a password-protected wallet using either Fusion Middleware Control or WLST, a NullPointerException error is displayed.

41.2 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

41.2.1 Tools for Importing DER-encoded Certificates

You cannot use Oracle Enterprise Manager Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore.

Instead, use other tools that are available for this purpose.

  • To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:

    • Oracle Wallet Manager or

    • orapki command-line tool

  • To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility.

41.2.2 Using a Keystore Not Created with WLST or Fusion Middleware Control

If an Oracle wallet or JKS keystore was created with tools such as orapki or keytool, it must be imported prior to use. Specifically:

  • For Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory: if a wallet was created using orapki or Oracle Wallet Manager, you must first import it with either Fusion Middleware Control or the WLST importWallet command before you can view or manage it in Fusion Middleware Control.

  • For Oracle Virtual Directory: if a keystore was created using keytool, you must first import it with either Fusion Middleware Control or the WLST importKeyStore command before you can view or manage it in Fusion Middleware Control.

41.2.3 Components May Enable All Supported Ciphers

Customers should be aware that when no cipher is explicitly configured, some 11g Release 1 (11.1.1) components enable all supported SSL ciphers, including DH_Anon (Diffie-Hellman Anonymous) ciphers, which encrypt the session without authenticating either endpoint.

At this time, Oracle HTTP Server is the only component known to set ciphers like this.

If DH_Anon ciphers are not wanted, explicitly configure the affected components with the desired cipher(s).
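As an added illustration (not part of these release notes or of any Oracle tool), the following script audits an Apache-style ssl.conf of the kind Oracle HTTP Server uses, reporting SSL-enabled virtual hosts that either omit the cipher directive (and so fall back to the component default described above) or list anonymous DH suites. It assumes the directive is named SSLCipherSuite, that anonymous suites carry "DH_anon" (or the OpenSSL shorthand "ADH") in their names, and the sample configuration text is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample configuration with three SSL virtual hosts:
# one without SSLCipherSuite, one listing an anonymous DH suite, one clean.
SAMPLE_SSL_CONF = """\
<VirtualHost *:4443>
    SSLEngine on
</VirtualHost>

<VirtualHost *:4444>
    SSLEngine on
    SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
</VirtualHost>

<VirtualHost *:4445>
    SSLEngine on
    SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
</VirtualHost>
"""

# Assumed naming: anonymous Diffie-Hellman suites contain "DH_anon" or "ADH".
ANON_DH = re.compile(r"DH_anon|\bADH\b", re.IGNORECASE)


def audit_cipher_config(conf_text: str) -> List[Tuple[str, str]]:
    """Return (virtual-host, finding) pairs for every SSL-enabled <VirtualHost>."""
    findings = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, re.S):
        host, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue  # plain HTTP virtual host: no cipher configuration to assess
        suite = re.search(r"^\s*SSLCipherSuite\s+(\S+)", body, re.M | re.I)
        if suite is None:
            # No explicit list: the component default applies, which on some
            # 11.1.1 components means every supported cipher, DH_anon included.
            findings.append((host, "no SSLCipherSuite: default may enable all ciphers, including DH_anon"))
            continue
        anon = [c for c in suite.group(1).split(",") if ANON_DH.search(c)]
        if anon:
            findings.append((host, "anonymous DH suites configured: " + ",".join(anon)))
        else:
            findings.append((host, "ok"))
    return findings


if __name__ == "__main__":
    for host, finding in audit_cipher_config(SAMPLE_SSL_CONF):
        print(f"{host}: {finding}")
```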