Advanced Configurations for Secure Communication with HTTPS

Overview

Oracle E-Business Suite mobile apps support the HTTPS protocol for certificates from commercial Certificate Authority (CA) vendors, as well as custom or self-signed certificates. This support is based on capability provided by Oracle Mobile Application Framework (Oracle MAF).

To enable TLS in Oracle E-Business Suite mobile apps, ensure that you complete the following required tasks:

Important: Before setting up your mobile app with any of the advanced configurations, ensure that the basic mobile app configuration has been performed and validated. See: Validating the Configuration.

  1. Common Tasks for Enabling TLS in Oracle E-Business Suite (Prerequisite Tasks)

    This section describes the common setup tasks for enabling TLS in Oracle E-Business Suite. These tasks serve as prerequisites for configuring Oracle E-Business Suite mobile apps for TLS connections.

    See: Setup Tasks for Enabling TLS in Oracle E-Business Suite.

  2. Mobile Apps Specific Setup Tasks for TLS Connections

    After completing the common or prerequisite tasks for enabling TLS in Oracle E-Business Suite, you can perform additional setup tasks specifically to enable TLS connections for Oracle E-Business Suite mobile apps.

    See: Mobile Specific Setup Tasks for TLS Connections.

Setup Tasks for Enabling TLS in Oracle E-Business Suite

Oracle E-Business Suite mobile apps built with Oracle E-Business Suite Mobile Foundation Release 6.0 or later support two modes: "TLS 1.2 only" and "TLS 1.2 with backward compatibility" (recommended). Before performing the setup tasks for mobile apps, ensure that your Oracle E-Business Suite environment is TLS enabled.

For information on enabling TLS 1.2 only and TLS 1.2 with backward compatibility in Oracle E-Business Suite, see:

Please note that Oracle E-Business Suite mobile apps built with Oracle E-Business Suite Mobile Foundation Release 5.0 only support TLS 1.0.

Mobile Specific Setup Tasks for TLS Connections

Once your Oracle E-Business Suite environment is TLS enabled, perform the following additional setup tasks and validation to ensure successful TLS connections for mobile apps.

Note: Prior to Oracle E-Business Suite Mobile Foundation Release 9.0, if your mobile apps are deployed on Android 5 devices, you must apply Oracle Fusion Middleware January 2017 Oracle Critical Patch Updates (minimum requirement) (see Document 2203916.1) to bring the required TLS (Transport Layer Security) version and negotiation support for TLS-based connection to Oracle E-Business Suite.

Using Public Certificates with Oracle E-Business Suite Mobile Apps

Public certificates are included in the Application Resource Security cacerts file. Oracle MAF recognizes only TLS certificates issued by commercial CAs.

Using Custom or Self-signed Certificates with Oracle E-Business Suite Mobile Apps

Starting with Oracle E-Business Suite Mobile Foundation Release 7.0, mobile users can dynamically add custom CA or self-signed server certificates to the standard Oracle E-Business Suite mobile apps downloaded from the Apple App Store or Google Play, for TLS connections to Oracle E-Business Suite.

Importing Certificates Dynamically for Standard Oracle E-Business Suite Mobile Apps

Perform the following steps to import certificates after a standard app is installed:

  1. Save the custom CA or self-signed certificate file in binary format (DER), for example, <ca-cert-filename>.cer.

    Note: Use keytool or an appropriate tool to view the contents of the certificate file <ca-cert-filename>.cer and confirm that the file is the correct self-signed or custom CA certificate for the Oracle E-Business Suite environment. If the correct certificate for the Oracle E-Business Suite environment is not imported to the app, then the app user cannot connect to the Oracle E-Business Suite server.

  2. Change the extension of the certificate file to <ca-cert-filename>.servercert.

  3. Upload the certificate file to an internal server that your mobile users can access from their mobile devices.

  4. Ask your mobile users to install required Oracle E-Business Suite mobile apps.

  5. Open the certificate file from the internal server using the mobile device's web browser.

    • For iOS devices, use Safari web browser to open the certificate file.

    • For Android devices, use Chrome web browser to open the certificate file.

  6. When prompted, select the Oracle E-Business Suite mobile app to open the certificate file with so that it is imported into that app.

  7. Restart the app and connect to Oracle E-Business Suite.

  8. Repeat the tasks from step 5 to step 7 for each Oracle E-Business Suite mobile app that should connect to that server.

    Note: For Oracle Mobile Learning for Oracle E-Business Suite, in addition to importing the certificate with the .servercert extension into the app, download and install the original certificate <ca-cert-filename>.cer into the device's user truststore (not the system truststore) so that the course content can be played.

Importing Certificates to cacerts for Enterprise-distributed Mobile Apps

You need to create a custom version of an app through enterprise distribution and import the additional root-CA certificates into the MAF application's truststore. The app is then distributed through your enterprise's own site rather than through a public app store.

For more information on setting up the environment for enterprise distribution, see Importing Additional Root-CA Certificates (Optional), Oracle E-Business Suite Mobile Apps Developer's Guide, Release 12.1 and 12.2.

Validating and Testing the TLS Handshake

Use the following steps to validate whether your mobile app can perform a successful TLS handshake with the Oracle E-Business Suite TLS endpoint:

  1. Validate that the JDK 8 client can connect to the Oracle E-Business Suite TLS endpoint.

    1. Install JDK 8 on a computer.

    2. Create a file named Url.java with the following content:

      /*
       * @(#)Url.java 1.3 01/05/10
       *
       * This example illustrates using a URL to access resources
       * on any site, including a TLS-protected site.
       */
      import java.io.BufferedReader;
      import java.io.InputStreamReader;
      import java.net.URL;

      public class Url {
          public static void main(String[] args) throws Exception {
              // Default URL; overridden by the first command-line argument, if any
              String url = "https://apps.example.com/robots.txt";
              if (args.length >= 1) {
                  url = args[0];
              }

              System.out.println("###### Hitting URL " + url);
              URL site = new URL(url);
              // openStream() performs the TLS handshake; a server certificate that
              // the JDK truststore does not recognize fails here with an
              // SSLHandshakeException before any content is read.
              try (BufferedReader in = new BufferedReader(
                      new InputStreamReader(site.openStream()))) {
                  String inputLine;
                  while ((inputLine = in.readLine()) != null) {
                      System.out.println(inputLine);
                  }
              }
          }
      }
    3. Compile Url.java using the following command, assuming that you have the Java 8 JDK installed in the ~/jdk1.8/ directory:

      $ ~/jdk1.8/bin/javac Url.java

    4. Run Url.class using the following command, assuming that you have the Java 8 JDK installed in the ~/jdk1.8/ directory:

      $ ~/jdk1.8/jre/bin/java -Dhttps.protocols=TLSv1 Url https://ebs.example.com:4443/robots.txt

      Replace the sample input URL in this example with the specific URL for your Oracle E-Business Suite TLS endpoint.

      If HTML content is returned as the result after you run these commands, then the TLS handshake is successful. If the following exceptions appear instead, then the TLS certificate on the server is not recognized by the JDK 8 client. You need to configure the Oracle E-Business Suite TLS endpoint with a server certificate issued by a commercial CA, as listed in Migrating to New cacerts File for SSL in MAF 2.x.x, Installing Oracle Mobile Application Framework.

      Note: For information on the Oracle MAF version required for your mobile app, see Section 1: Oracle E-Business Suite Mobile Foundation Release Update History, Oracle E-Business Suite Mobile Foundation Release Notes, Oracle Support Knowledge Document 1642431.1.

      Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

      Please note that these exceptions could also happen for a trusted certificate if the certificate chain is incomplete.

  2. Validate that the Oracle E-Business Suite TLS endpoint presents the complete certificate chain.

    Please note that even if the Oracle E-Business Suite TLS endpoint is configured with a certificate from a commercial CA, the TLS handshake can still fail if the server does not send the intermediate certificates. Use the following steps to verify whether the server presents the full certificate chain, including the intermediate CA's certificate:

    1. Connect to the TLS endpoint using openssl with the -showcerts option:

      openssl s_client -connect ebs.example.com:4443 -showcerts

      Alternatively, use the following pipeline for more condensed results (standard input is redirected from /dev/null so that s_client exits after printing the certificates instead of waiting for input):

      openssl s_client -connect ebs.example.com:4443 -showcerts </dev/null 2>/dev/null | sed '/BEGIN CERT/,/END CERT/d' | sed -n '/^Certificate chain/,/^---/ p'

      These commands should display the complete certificate chain and the actual certificate content. For example,

      • The certificate chain is displayed as 0 -> 1.

      • The condensed version of the actual certificate chain content can be:

        Certificate chain
        0 s:/C=US/ST=California/L=Redwood City/O=Oracle Corporation/OU=FOR TESTING PURPOSES ONLY/CN=ebs.example.com
           i:/C=US/O=Oracle Corporation/OU=VeriSign Trust Network/OU=Class 3 MPKI Secure Server CA/CN=Oracle SSL CA

        1 s:/C=US/O=Oracle Corporation/OU=VeriSign Trust Network/OU=Class 3 MPKI Secure Server CA/CN=Oracle SSL CA
           i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3

        In this example certificate chain:

        • 0 is the server certificate, issued to CN=ebs.example.com by the intermediate CA, CN=Oracle SSL CA.

        • 1 is the intermediate CA certificate, issued to CN=Oracle SSL CA by the root CA certificate, CN=VeriSign Class 3 Public Primary Certification Authority - G3.

        • The intermediate CA certificate is signed by a VeriSign root CA certificate that is in the client's truststore.

    2. Ensure that the displayed certificate chain refers to a root CA whose certificate exists in the mobile client's truststore. In addition, ensure that the last certificate states that this root CA is its issuer.

      For a list of root CAs trusted by the mobile client, see Migrating to New cacerts File for SSL in MAF 2.x.x, Installing Oracle Mobile Application Framework.

    3. Ensure that you not only configure the server certificate, but also provide the certificates of any intermediate CAs.