Oracle9i Application Server Installation Guide
Release 1 (v1. for AIX-Based Systems, Compaq Tru64 UNIX, HP 9000 Series HP-UX, and Linux Intel

Part Number A95909-01

Enabling SSL for Oracle HTTP Server

This appendix describes the method of enabling SSL for Oracle HTTP Server. The following topics guide you through the necessary steps:

Generate the Certification Request

Perform the following steps to generate a certificate request:

  1. Use the commands below to generate the certification request:

    prompt> ORACLE_HOME/Apache/open_ssl/bin/openssl md5 * > rand.dat
    prompt> ORACLE_HOME/Apache/open_ssl/bin/openssl genrsa -rand rand.dat -des3 -out server.pem
    prompt> ORACLE_HOME/Apache/open_ssl/bin/openssl req -new -key server.pem -out server.csr -config ./openssl.cnf

    When you run the final command, a certificate request is generated. The following is an example of a certification request:

    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: California
    Locality Name (eg, city) []: Redwood Shores
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Oracle
    Organizational Unit Name (eg, section) []: EITQA
    Common Name (eg, YOUR name) []:
    Email Address []:

    Enter the following "extra" attributes to be sent with your certification request. This step is optional.

    A challenge password []:
    An optional company name []:

    Be sure to take note of the following:

    • These commands create two files: server.pem and server.csr (certificate request).

    • For Common Name, include the FULL name of the HOST and DOMAIN you are running the command on, for example:

    • Remember the password you enter. This password is used every time Oracle HTTP Server is started.

  2. Send the Certification Request. In the CSR area, paste the certification request from the server.csr file.

  3. When you receive the certificate, paste it into a file named server.crt.

    Be sure to get the Root Trial CA certificate from the URL mentioned in the Certificate Authority email, and export that certificate from the browser to a file named rootcacert.crt. You need to put the trial CA certificate in the browser only if you are getting a trial certificate.

  4. Copy the following in appropriate directories:

    • Certificate file server.crt into the .../Apache/Apache/conf/ssl.crt directory.

    • server.pem file into the .../Apache/Apache/conf/ssl.key directory.

    • Root Trial CA file rootcacert.crt into the .../Apache/Apache/conf/ssl.crt directory.
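
Before restarting the server, the four files from the steps above can be checked against each other. The shell functions below are an added example, not part of the Oracle guide: they assume a current openssl binary on the PATH, the file names used on this page, a hypothetical KEYPASS environment variable holding the key passphrase, and a placeholder host name.

```shell
#!/bin/sh
# Added example: consistency checks for server.pem, server.csr, server.crt
# and rootcacert.crt. KEYPASS (assumed name) holds the private-key passphrase.

# Public key of a private key file. The passphrase is passed through the
# environment (env:KEYPASS) so it never appears in the process list.
pub_of_key() {
    KEYPASS="${KEYPASS:-}" openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null
}
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Subject Common Name of a certificate (first CN found in the subject).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        tr ',' '\n' | sed -n 's/^\(subject= *\)\{0,1\}CN=//p' | head -n 1
}

# check_ssl_files KEY CSR CERT ROOTCA HOSTNAME
# Returns 0 only if every check passes; prints one line per failed check.
check_ssl_files() {
    key=$1 csr=$2 crt=$3 ca=$4 host=$5 rc=0
    k=$(pub_of_key "$key")
    [ -n "$k" ] || { echo "FAIL: cannot read $key (wrong passphrase?)"; return 1; }
    # The request and the issued certificate must carry the key's public half.
    [ "$k" = "$(pub_of_csr "$csr")" ] ||
        { echo "FAIL: $csr was not generated from $key"; rc=1; }
    [ "$k" = "$(pub_of_cert "$crt")" ] ||
        { echo "FAIL: $crt does not match $key"; rc=1; }
    # The certificate must verify against the exported root CA certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not chain to $ca"; rc=1; }
    # Common Name must be the full host and domain name of the server.
    [ "$(cert_cn "$crt")" = "$host" ] ||
        { echo "FAIL: Common Name of $crt is not $host"; rc=1; }
    return $rc
}

# Example call, run in the directory holding the files (placeholder host name):
#   KEYPASS='...' check_ssl_files server.pem server.csr server.crt rootcacert.crt host.example.com
```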

Modify httpd.conf File to Enable SSL

Make the following changes to the httpd.conf file to enable SSL:

  1. Port changes: Be sure your entries are similar to the ones in the example below:

    # This port is used when starting without SSL
    Port 7777
    # This port is used when starting with SSL
    <IfDefine SSL>
       Port 7777
       Port 7788
    </IfDefine>
    ##SSL Support
    ##When we also provide SSL we have to listen to the standard HTTP port
    ##(see above) and to the HTTPS port
    <IfDefine SSL>
       Listen 7777
       Listen 7788
    </IfDefine>
    ##SSL Virtual Host Context

  2. SSL certificate-related entries: To configure the httpd.conf file for your certificate, search for SSLCertificateFile and point the entry to the certificate that you received from the certificate authority, as in the following example:

    SSLCertificateFile .../Apache/Apache/conf/ssl.crt/server.crt

    Entry for Server Private Key:

    SSLCertificateKeyFile .../Apache/Apache/conf/ssl.key/server.pem

    Entry for Server Certificate Chain (the Root Trial CA Certificate):

    SSLCertificateChainFile .../Apache/Apache/conf/ssl.crt/rootcacert.crt

    Entry for Certificate Authority (CA):

    #Certificate Authority (CA):
    #Set the CA certificate verification path where to find CA
    #certificates for client authentication or alternatively one
    #huge file containing all of them (file must be PEM encoded).
    #Note: Inside SSLCACertificatePath you need hash symlinks
    #to point to the certificate files. Use the provided
    #Makefile to update the hash symlinks after changes.
    #SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
    SSLCACertificatePath conf/ssl.crt
    SSLCACertificateFile conf/ssl.crt/rootcacert.crt

  3. Restart Oracle HTTP Server.

For information on enabling SSL for Oracle9iAS Portal, refer to Oracle Portal 3.0.8 Configuration Guide.

Copyright © 2001 Oracle Corporation.

All Rights Reserved.