Oracle® HTTP Server Administrator's Guide
10g Release 2 (10.1.2)
B14007-04
11 Enabling SSL for Oracle HTTP Server

This chapter contains information about enabling and configuring SSL for Oracle HTTP Server.

Topics discussed are:

  • Overview

  • Configuring SSL

  • Additional SSL Features

  • Using SSL Configuration Directives

11.1 Overview

Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the application layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.

One common use of SSL is to secure HTTP communication between a browser and a Web server. This does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (named HTTPS). The differences are that HTTPS uses the URL scheme https:// rather than http://, and that it listens on a separate port: the standard HTTPS port is 443, and the Oracle HTTP Server default SSL port is 4443 on UNIX and 443 on Windows.

mod_ossl is a plug-in to Oracle HTTP Server that enables the server to use SSL.

11.2 Configuring SSL

By default, SSL is disabled when you install Oracle Application Server. Perform the following tasks to enable and configure SSL:

11.2.1 Task 1: Creating a Real Wallet

To configure Oracle HTTP Server for SSL, you need a wallet that contains the certificate for the server. Wallets store your credentials, such as certificate requests, certificates, and private keys.

The default wallet that is automatically installed with Oracle HTTP Server is for testing purposes only. A real wallet has to be created for your production server. The default wallet is located in ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default. You can either place the new wallet in that location, or change the SSLWallet directive in ORACLE_HOME/Apache/Apache/conf/ssl.conf to point to the location of your real wallet.


See Also:

Oracle Application Server Administrator's Guide for instructions on creating a wallet. It is important that you do the following:
  1. Generate a certificate request: For the Common Name, specify the name or alias of the site you are configuring.

  2. Set the auto-login feature for your wallet: Make sure that you enable this auto-login feature. The default wallet has this feature disabled.


11.2.2 Task 2: Enabling SSL

Perform the following steps to enable SSL:

  1. Open opmn.xml in a text editor.

  2. In the <ias-component id="HTTP_Server"> entry, change the start mode from "ssl-disabled" to "ssl-enabled". After modification is made, the entry should look like the following:

    <data id="start-mode" value="ssl-enabled"/>
    
    
  3. Save and close opmn.xml.

  4. Update the distributed cluster management database with the change:

    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    
    
  5. Reload OPMN using the following command:

    opmnctl reload
    
    
  6. Stop Oracle HTTP Server using Application Server Control Console, or with the following command:

    • UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] stopproc ias-component=HTTP_Server

    • Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] stopproc ias-component=HTTP_Server

  7. Start Oracle HTTP Server using Application Server Control Console, or with the following command:
  7. Start Oracle HTTP Server using Application Server Control Console, or with the following command:

    • UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] startproc ias-component=HTTP_Server

    • Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] startproc ias-component=HTTP_Server


      Note:

      Be sure that you stop and start Oracle HTTP Server as per the instructions. Restarting Oracle HTTP Server does not yield the same result as stopping and starting it.

  8. You can verify that SSL was enabled successfully by connecting to the SSL port (4443 is the UNIX default; on Windows use 443), for example:

    https://hostname:4443
    
    
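The whole of Task 2 as one script, added here as an example and not Oracle's own tooling: it edits the start-mode entry with an XML parser rather than by hand, runs the dcmctl and opmnctl steps in the order the task requires, and then performs step 8 as a real handshake instead of a browser visit. ORACLE_HOME, the host name, the port and the CA file are assumptions, the opmn.xml fragment is a constructed sample, and a current Python build may refuse the SSL 3.0 and TLS 1.0 handshakes this release offers, so run the check from a client whose OpenSSL policy permits them.

```python
"""Added example, not Oracle's code: switch the HTTP_Server start mode in opmn.xml,
run the Task 2 dcmctl/opmnctl steps, and confirm the SSL listener answers.
ORACLE_HOME, host name, port and the wallet CA file are assumptions."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of opmn.xml, so the edit can be exercised offline.
SAMPLE_OPMN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<opmn xmlns="http://www.oracle.com/ias-instance">
  <process-manager>
    <ias-instance id="inst1">
      <ias-component id="HTTP_Server">
        <process-type id="HTTP_Server" module-id="OHS">
          <module-data>
            <category id="start-parameters">
              <data id="start-mode" value="ssl-disabled"/>
            </category>
          </module-data>
        </process-type>
      </ias-component>
    </ias-instance>
  </process-manager>
</opmn>
"""

def write_sample_opmn_xml(directory=None):
    """Write the constructed sample to a temp directory and return its path."""
    path = os.path.join(directory or tempfile.mkdtemp(), "opmn.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_OPMN_XML)
    return path

def _find(elem, local_name, id_value):
    """Namespace-agnostic lookup of <local_name id="id_value"> at or below elem."""
    for child in elem.iter():
        if child.tag.rsplit("}", 1)[-1] == local_name and child.get("id") == id_value:
            return child
    return None

def _start_mode(root):
    comp = _find(root, "ias-component", "HTTP_Server")
    data = _find(comp, "data", "start-mode") if comp is not None else None
    if data is None:
        raise ValueError("opmn.xml has no start-mode entry for HTTP_Server")
    return data

def get_start_mode(path):
    return _start_mode(ET.parse(path).getroot()).get("value")

def set_start_mode(path, mode):
    """Rewrite start-mode in place (backup in path.bak) and return the previous value.
    ElementTree drops XML comments on write, so diff against the .bak before moving on."""
    if mode not in ("ssl-enabled", "ssl-disabled"):
        raise ValueError("mode must be ssl-enabled or ssl-disabled, not %r" % mode)
    shutil.copy2(path, path + ".bak")
    tree = ET.parse(path)
    root = tree.getroot()
    if root.tag.startswith("{"):                    # keep the default namespace unprefixed
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    data = _start_mode(root)
    previous = data.get("value")
    data.set("value", mode)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return previous

def apply_and_restart(oracle_home):
    """Steps 4 to 7 of Task 2. A plain restart is not equivalent to stop followed by start."""
    dcmctl = os.path.join(oracle_home, "dcm", "bin", "dcmctl")
    opmnctl = os.path.join(oracle_home, "opmn", "bin", "opmnctl")
    for cmd in ([dcmctl, "updateconfig", "-ct", "opmn"],
                [opmnctl, "reload"],
                [opmnctl, "stopproc", "ias-component=HTTP_Server"],
                [opmnctl, "startproc", "ias-component=HTTP_Server"]):
        subprocess.run(cmd, check=True)

def check_ssl_listener(host="localhost", port=4443, cafile=None):
    """Step 8: complete a handshake and return (protocol, cipher, server certificate subject).
    Without cafile the certificate is not verified, which is only acceptable for a first
    smoke test against the default test wallet; pass the wallet's CA certificate otherwise."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert().get("subject", ())
```

On a real instance the sequence is set_start_mode(os.path.join(oracle_home, "opmn", "conf", "opmn.xml"), "ssl-enabled"), then apply_and_restart(oracle_home), then check_ssl_listener(host, 4443, cafile). The editing functions match elements by local name so they work whether or not opmn.xml declares a default namespace, and the backup copy is the only record of comments the rewrite discards.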

11.2.3 Task 3: (Optional) Customizing Your Configuration

Optionally, you can further customize your configuration using mod_ossl directives.


Note:

The template files installed with the product contain all the necessary SSL configuration directives and a default SSL setup.

To enable client authentication, do the following:

  1. Specify SSLVerifyClient on the server side.

  2. Use a suitable client certificate on your client side for the HTTPS connection. Refer to your client documentation for information on getting and using a client certificate. Be sure that the client certificate chains to a certificate authority that is trusted by the server wallet.


    See Also:

    Oracle Application Server Administrator's Guide for instructions on how to import a trusted certificate into your wallet.

11.3 Additional SSL Features

This section contains SSL features that are supported for this release.

11.3.1 Global Server ID Support

This feature adds support for the SSL protocol features variously called "step-up", "server gated cryptography" and "global server ID". Step-up allows old browsers that are limited to weak export-grade encryption to step up, so that public keys greater than 512 bits and bulk encryption keys greater than 64 bits can be used in the SSL protocol. This means that server X.509 certificates that contain public keys larger than 512 bits and that carry the step-up extension can now be used by Oracle Application Server. Such certificates are often called "128-bit" certificates, even though the certificate itself typically contains a 1024-bit key. The VeriSign Secure Site Pro certificate is an example of such a certificate that can now be used by Oracle Application Server.

Global Server ID functionality is provided by default, there is no configuration necessary.

11.3.2 PKCS #11 Support

Public-Key Cryptography Standards #11 (PKCS #11) is a public key cryptography standard that defines how applications use hardware security modules: dedicated devices in which cryptographic operations (encryption and decryption) are performed and in which the keys are stored.

Oracle HTTP Server supports the option of offloading SSL to dedicated hardware from nCipher. nCipher is a certified third-party accelerator that improves the performance of the public key operations that SSL uses.

11.4 Using SSL Configuration Directives

mod_ossl provides standard support for HTTPS protocol connections to Oracle Application Server. It enables secure connections between Oracle HTTP Server and a browser client by using an Oracle-provided encryption mechanism over SSL. It may also be used for authentication over the Internet through the use of digital certificate technology. It supports SSL v. 3.0, and provides:

The following mod_ssl directives are not supported by mod_ossl.

11.4.1 Using mod_ossl Directives

To configure SSL for your Oracle HTTP Server, enter the mod_ossl directives you want to use in the httpd.conf file.

The following directives are described in subsequent sections:

11.4.1.1 SSLAccelerator

Specifies whether an SSL accelerator is used. Currently only the nFast card is supported.

Category Value
Valid Values yes/no
Syntax SSLAccelerator yes|no
Default SSLAccelerator no
Context server configuration


Note:

The SSLAccelerator directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation.

11.4.1.2 SSLCARevocationFile

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Category Value
Syntax SSLCARevocationFile file_name
Example SSLCARevocationFile /ORACLE_HOME/Apache/Apache/conf/ssl.crl/ca_bundle.crl
Default None
Context server configuration, virtual host

11.4.1.3 SSLCARevocationPath

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, the certificate is treated as revoked and the client cannot authenticate itself to your server.

Category Value
Syntax SSLCARevocationPath path/to/CRL_directory/
Example SSLCARevocationPath /ORACLE_HOME/Apache/Apache/conf/ssl.crl/
Default None
Context server configuration, virtual host

11.4.1.4 SSLCipherSuite

Specifies which SSL cipher suites the server accepts from a client during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suites. Table 11-1 shows the tags you can use in the string to describe the cipher suites you want; Table 11-2 lists the suites those tags select.

Tags are joined together with prefixes to form a cipher specification string.

Category Value
Valid Values (no prefix): Adds the matching ciphers to the list

+ : Moves the matching ciphers that are already in the list to the current position (the end), so a series of + tags sets the preference order

- : Removes the matching ciphers from the list (they can be added again later in the string)

! : Removes the matching ciphers from the list permanently

Example SSLCipherSuite ALL:!LOW:!DH

In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key exchange algorithm.

Syntax SSLCipherSuite cipher-spec
Default ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Context server configuration, virtual host, directory

The default string removes only the anonymous Diffie-Hellman and 56-bit export suites; the +LOW and +EXP tags move the remaining single-DES and 40-bit export suites to the end of the preference list but do not remove them, so a production server should exclude them explicitly, for example SSLCipherSuite HIGH:MEDIUM:!aNULL:!EXP:!LOW.

Table 11-1 SSLCipherSuite Tags

Function         Tag      Meaning
Key exchange     kRSA     RSA key exchange
Key exchange     kDHr     Diffie-Hellman key exchange with RSA key
Authentication   aNULL    No authentication
Authentication   aRSA     RSA authentication
Authentication   aDH      Diffie-Hellman authentication
Encryption       eNULL    No encryption
Encryption       DES      DES encryption
Encryption       3DES     Triple DES encryption
Encryption       RC4      RC4 encryption
Data integrity   MD5      MD5 hash function
Data integrity   SHA      SHA hash function
Aliases          SSLv3    All SSL version 3.0 ciphers
Aliases          EXP      All export ciphers
Aliases          EXP40    All 40-bit export ciphers only
Aliases          EXP56    All 56-bit export ciphers only
Aliases          LOW      All low strength ciphers (export and single DES)
Aliases          MEDIUM   All ciphers with 128-bit encryption
Aliases          HIGH     All ciphers using triple DES
Aliases          RSA      All ciphers using RSA key exchange
Aliases          DH       All ciphers using Diffie-Hellman key exchange


Note:

There are restrictions if export versions of browsers are used. Oracle module, mod_ossl, supports RC4-40 encryption only when the server uses 512 bit key size wallets.

Table 11-2 Cipher Suites Supported in Oracle Advanced Security 10g

Cipher Suite                               Authentication   Encryption   Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA              RSA              3DES (168)   SHA
SSL_RSA_WITH_RC4_128_SHA                   RSA              RC4 (128)    SHA
SSL_RSA_WITH_RC4_128_MD5                   RSA              RC4 (128)    MD5
SSL_RSA_WITH_DES_CBC_SHA                   RSA              DES (56)     SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA          DH anon          3DES (168)   SHA
SSL_DH_anon_WITH_RC4_128_MD5               DH anon          RC4 (128)    MD5
SSL_DH_anon_WITH_DES_CBC_SHA               DH anon          DES (56)     SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5             RSA              RC4 (40)     MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA          RSA              DES40 (40)   SHA
SSL_RSA_WITH_AES_128_CBC_SHA               RSA              AES (128)    SHA
SSL_RSA_WITH_AES_256_CBC_SHA               RSA              AES (256)    SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA      DH DSS           DES40 (40)   SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA               DH DSS           DES (56)     SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA          DH DSS           3DES (168)   SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA      DH RSA           DES40 (40)   SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA               DH RSA           DES (56)     SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA          DH RSA           3DES (168)   SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA    DH DSS           DES (56)     SHA
SSL_DHE_DSS_WITH_RC4_128_SHA               DH DSS           RC4 (128)    SHA
SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     DH DSS           RC4 (56)     SHA

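To see what a cipher specification string actually admits, here is an added example (not mod_ossl code) that expands a string over the suites in Table 11-2 using the prefix rules described for SSLCipherSuite. It assumes the OpenSSL conventions that mod_ssl-style strings follow: a + tag moves suites already in the list to the end rather than adding new ones, AES counts as HIGH (Table 11-1 predates AES), ADH means anonymous Diffie-Hellman, DSS means DSS authentication, and there are no SSL 2.0 suites. Running it shows that the directive's default keeps seven export or single-DES suites in the list, whereas the hardened string in the block keeps none.

```python
"""Added example, not mod_ossl code: expand an SSLCipherSuite specification over the
suites of Table 11-2 to see which suites a string admits and in what order."""

# (name, key exchange, authentication, cipher, MAC, cipher key bits, export grade)
SUITES = [
    ("SSL_RSA_WITH_3DES_EDE_CBC_SHA",           "kRSA", "aRSA",  "3DES", "SHA", 168, False),
    ("SSL_RSA_WITH_RC4_128_SHA",                "kRSA", "aRSA",  "RC4",  "SHA", 128, False),
    ("SSL_RSA_WITH_RC4_128_MD5",                "kRSA", "aRSA",  "RC4",  "MD5", 128, False),
    ("SSL_RSA_WITH_DES_CBC_SHA",                "kRSA", "aRSA",  "DES",  "SHA",  56, False),
    ("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",       "kEDH", "aNULL", "3DES", "SHA", 168, False),
    ("SSL_DH_anon_WITH_RC4_128_MD5",            "kEDH", "aNULL", "RC4",  "MD5", 128, False),
    ("SSL_DH_anon_WITH_DES_CBC_SHA",            "kEDH", "aNULL", "DES",  "SHA",  56, False),
    ("SSL_RSA_EXPORT_WITH_RC4_40_MD5",          "kRSA", "aRSA",  "RC4",  "MD5",  40, True),
    ("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",       "kRSA", "aRSA",  "DES",  "SHA",  40, True),
    ("SSL_RSA_WITH_AES_128_CBC_SHA",            "kRSA", "aRSA",  "AES",  "SHA", 128, False),
    ("SSL_RSA_WITH_AES_256_CBC_SHA",            "kRSA", "aRSA",  "AES",  "SHA", 256, False),
    ("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",   "kEDH", "aDSS",  "DES",  "SHA",  40, True),
    ("SSL_DHE_DSS_WITH_DES_CBC_SHA",            "kEDH", "aDSS",  "DES",  "SHA",  56, False),
    ("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",       "kEDH", "aDSS",  "3DES", "SHA", 168, False),
    ("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   "kEDH", "aRSA",  "DES",  "SHA",  40, True),
    ("SSL_DHE_RSA_WITH_DES_CBC_SHA",            "kEDH", "aRSA",  "DES",  "SHA",  56, False),
    ("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",       "kEDH", "aRSA",  "3DES", "SHA", 168, False),
    ("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "kEDH", "aDSS",  "DES",  "SHA",  56, True),
    ("SSL_DHE_DSS_WITH_RC4_128_SHA",            "kEDH", "aDSS",  "RC4",  "SHA", 128, False),
    ("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",  "kEDH", "aDSS",  "RC4",  "SHA",  56, True),
]

def matches(tag, suite):
    """True if a Table 11-1 tag (or one of the extra tags in the default string) selects suite."""
    name, kx, au, enc, mac, bits, export = suite
    tests = {
        "ALL": True, "SSLv3": True, "SSLv2": False,          # assumption: no SSLv2 suites
        "kRSA": kx == "kRSA", "kDHr": kx == "kDHr", "kEDH": kx == "kEDH",
        "RSA": kx == "kRSA", "DH": kx in ("kDHr", "kEDH"),
        "ADH": kx == "kEDH" and au == "aNULL",               # assumption: anonymous DH
        "aRSA": au == "aRSA", "aDSS": au == "aDSS", "DSS": au == "aDSS", "aNULL": au == "aNULL",
        "eNULL": enc == "eNULL", "DES": enc == "DES", "3DES": enc == "3DES",
        "RC4": enc == "RC4", "AES": enc == "AES",
        "MD5": mac == "MD5", "SHA": mac == "SHA",
        "EXP": export, "EXP40": export and bits == 40, "EXP56": export and bits == 56,
        "EXPORT40": export and bits == 40, "EXPORT56": export and bits == 56,
        "LOW": export or bits <= 56,                        # Table 11-1: export and single DES
        "MEDIUM": not export and bits == 128 and enc != "AES",
        "HIGH": not export and enc in ("3DES", "AES"),     # assumption: AES is HIGH, as in OpenSSL
    }
    if tag not in tests:
        raise ValueError("unknown cipher tag: %s" % tag)
    return tests[tag]

def expand_cipher_spec(spec):
    """Return the ordered suite names a cipher-spec string admits, applying the prefix rules."""
    active, killed = [], set()
    for item in spec.split(":"):
        op, tag = (item[0], item[1:]) if item[:1] in ("+", "-", "!") else ("", item)
        hits = [s[0] for s in SUITES if s[0] not in killed and matches(tag, s)]
        if op == "":                                       # add those not yet listed
            active += [n for n in hits if n not in active]
        elif op == "+":                                    # move listed matches to the end
            active = [n for n in active if n not in hits] + [n for n in active if n in hits]
        elif op == "-":                                    # remove, may be re-added later
            active = [n for n in active if n not in hits]
        else:                                              # remove for good
            killed.update(hits)
            active = [n for n in active if n not in hits]
    return active

def weak_suites(names):
    """Suites a production server should not offer: anonymous, export grade, or under 128 bits."""
    by_name = {s[0]: s for s in SUITES}
    return [n for n in names if by_name[n][2] == "aNULL" or by_name[n][6] or by_name[n][5] < 128]

DEFAULT_SPEC = "ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"   # the directive's default
HARDENED_SPEC = "HIGH:MEDIUM:!aNULL:!EXP:!LOW:!MD5"                   # this example's suggestion

if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_SPEC), ("hardened", HARDENED_SPEC)):
        admitted = expand_cipher_spec(spec)
        print("%s: %d suites, %d weak" % (label, len(admitted), len(weak_suites(admitted))))
        for name in admitted:
            print("   ", name)
```

The default expands to fifteen suites with the single-DES and 40-bit export ones at the tail; they are still offered, so a client that only proposes those will get them. The hardened string starts from the strong classes instead of from ALL, and the ! tags guarantee that nothing later in the string can bring a killed suite back.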
11.4.1.5 SSLEngine

Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts. Example 11-1 is an example of using the SSLEngine directive. The default SSL port is 4443 on UNIX and 443 on Windows.

Example 11-1 Using SSLEngine Directive

<VirtualHost _default_:4443>
  SSLEngine on
  ...
</VirtualHost>

Category Value
Syntax SSLEngine on|off
Default SSLEngine off
Context server configuration, virtual host

11.4.1.6 SSLLog

Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Category Value
Syntax SSLLog path/to/filename
Default None
Context server configuration, virtual host

11.4.1.7 SSLLogLevel

Specifies the verbosity degree of the SSL engine log file.

Category Value
Valid Values The levels are (in ascending order, where each level includes all the levels before it):
  • none: No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog directive.

  • error: Only messages of the type 'error' (conditions that stop processing) are logged.

  • warn: Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.

  • info: Messages that summarize major processing actions are logged.

  • trace: Messages that summarize minor processing actions are logged.

  • debug: Messages that summarize development and low-level I/O operations are logged.

Syntax SSLLogLevel level
Default None
Context server configuration, virtual host

11.4.1.8 SSLMutex

Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes.

Category Value
Valid Values
  • none: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.
  • file:path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to ServerRoot. This setting is not available on Windows.

  • sem: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.

Example SSLMutex file:/usr/local/apache/logs/ssl_mutex
Syntax SSLMutex type
Default SSLMutex none
Context server configuration

11.4.1.9 SSLOptions

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Category Value
Valid Values
  • StdEnvVars: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.
  • ExportCertData: Enables the following additional CGI/SSI variables:

    SSL_SERVER_CERT

    SSL_CLIENT_CERT

    SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)

    These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.

    SSL_CLIENT_CERT_CHAIN_n variables are in the following order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1 is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.

  • FakeBasicAuth: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted. Because that password is fixed and publicly known, the password file entries for these distinguished names must not be reachable by ordinary Basic authentication (for example on a non-SSL virtual host), or anyone could log in as that DN by typing 'password'.

Valid Values (for SSLOptions continued)
  • StrictRequire: Denies access when, according to SSLRequireSSL or SSLRequire directives, access should be forbidden. Without StrictRequire, it is possible for a 'Satisfy any' directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.

    Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.

  • CompatEnvVars: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.

  • OptRenegotiate: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.

Syntax SSLOptions [+-] option
Default None
Context server configuration, virtual host, directory

11.4.1.10 SSLPassPhraseDialog

Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet.

Category Value
Valid Values
  • builtin: when the server is started, mod_ossl prompts for a password for each wallet.

    This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN.

  • exec:path/to/program - when the server is started, mod_ossl calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA or DSA.

Syntax SSLPassPhraseDialog type
Example SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter
Default SSLPassPhraseDialog builtin
Context server configuration

11.4.1.11 SSLProtocol

Specifies the SSL protocol versions for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols. The default ALL includes SSL 2.0, which has known protocol weaknesses; a production server should list only SSLv3 and TLSv1, for example SSLProtocol +SSLv3 +TLSv1.

Category Value
Valid Values SSLv2, SSLv3, TLSv1, ALL
Example To specify only SSL version 3.0, set this directive to the following:

SSLProtocol +SSLv3

Syntax SSLProtocol [+-] protocol
Default SSLProtocol ALL
Context server configuration, virtual host

11.4.1.12 SSLRequire

Denies access unless an arbitrarily complex boolean expression is true.

Category Value
Syntax SSLRequire expression
Default None
Context directory

The expression must match the following syntax (given as a BNF grammar notation):

expr     ::= "true" | "false"
           | "!" expr
           | expr "&&" expr
           | expr "||" expr
           | "(" expr ")"
           | comp

comp     ::= word "==" word | word "eq" word
           | word "!=" word | word "ne" word
           | word "<"  word | word "lt" word
           | word "<=" word | word "le" word
           | word ">"  word | word "gt" word
           | word ">=" word | word "ge" word
           | word "=~" regex
           | word "!~" regex

wordlist ::= word
           | wordlist "," word

word     ::= digit
           | cstring
           | variable
           | function

digit    ::= [0-9]+

cstring  ::= "..."

variable ::= "%{varname}"

Table 11-3 and Table 11-4 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.

Table 11-3 lists the standard variables for SSLRequire varname.

Table 11-3 Standard Variables for SSLRequire Varname

HTTP_USER_AGENT          PATH_INFO                AUTH_TYPE
HTTP_REFERER             QUERY_STRING             SERVER_SOFTWARE
HTTP_COOKIE              REMOTE_HOST              API_VERSION
HTTP_FORWARDED           REMOTE_IDENT             TIME_YEAR
HTTP_HOST                IS_SUBREQ                TIME_MON
HTTP_PROXY_CONNECTION    DOCUMENT_ROOT            TIME_DAY
HTTP_ACCEPT              SERVER_ADMIN             TIME_HOUR
HTTP:headername          SERVER_NAME              TIME_MIN
THE_REQUEST              SERVER_PORT              TIME_SEC
REQUEST_METHOD           SERVER_PROTOCOL          TIME_WDAY
REQUEST_SCHEME           REMOTE_ADDR              TIME
REQUEST_URI              REMOTE_USER              ENV:variablename
REQUEST_FILENAME

Table 11-4 lists the SSL variables for SSLRequire varname.

Table 11-4 SSL Variables for SSLRequire Varname

HTTPS                    SSL_PROTOCOL             SSL_CIPHER_ALGKEYSIZE
SSL_CIPHER               SSL_CIPHER_EXPORT        SSL_VERSION_INTERFACE
SSL_CIPHER_USEKEYSIZE    SSL_VERSION_LIBRARY      SSL_SESSION_ID
SSL_CLIENT_V_END         SSL_CLIENT_M_SERIAL      SSL_CLIENT_V_START
SSL_CLIENT_S_DN_ST       SSL_CLIENT_S_DN          SSL_CLIENT_S_DN_C
SSL_CLIENT_S_DN_CN       SSL_CLIENT_S_DN_O        SSL_CLIENT_S_DN_OU
SSL_CLIENT_S_DN_G        SSL_CLIENT_S_DN_T        SSL_CLIENT_S_DN_I
SSL_CLIENT_S_DN_UID      SSL_CLIENT_S_DN_S        SSL_CLIENT_S_DN_D
SSL_CLIENT_I_DN_C        SSL_CLIENT_S_DN_Email    SSL_CLIENT_I_DN
SSL_CLIENT_I_DN_O        SSL_CLIENT_I_DN_ST       SSL_CLIENT_I_DN_L
SSL_CLIENT_I_DN_T        SSL_CLIENT_I_DN_OU       SSL_CLIENT_I_DN_CN
SSL_CLIENT_I_DN_S        SSL_CLIENT_I_DN_I        SSL_CLIENT_I_DN_G
SSL_CLIENT_I_DN_Email    SSL_CLIENT_I_DN_D        SSL_CLIENT_I_DN_UID
SSL_CLIENT_CERT          SSL_CLIENT_CERT_CHAIN_n  SSL_CLIENT_ROOT_CERT
SSL_CLIENT_VERIFY        SSL_CLIENT_M_VERSION     SSL_SERVER_M_VERSION
SSL_SERVER_V_START       SSL_SERVER_V_END         SSL_SERVER_M_SERIAL
SSL_SERVER_S_DN_C        SSL_SERVER_S_DN_ST       SSL_SERVER_S_DN
SSL_SERVER_S_DN_OU       SSL_SERVER_S_DN_CN       SSL_SERVER_S_DN_O
SSL_SERVER_S_DN_I        SSL_SERVER_S_DN_G        SSL_SERVER_S_DN_T
SSL_SERVER_S_DN_D        SSL_SERVER_S_DN_UID      SSL_SERVER_S_DN_S
SSL_SERVER_I_DN          SSL_SERVER_I_DN_C        SSL_SERVER_S_DN_Email
SSL_SERVER_I_DN_L        SSL_SERVER_I_DN_O        SSL_SERVER_I_DN_ST
SSL_SERVER_I_DN_CN       SSL_SERVER_I_DN_T        SSL_SERVER_I_DN_OU
SSL_SERVER_I_DN_G        SSL_SERVER_I_DN_I



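An evaluator for the SSLRequire grammar, added as an example that is not mod_ossl's code, lets you dry-run an access rule against the variables from Tables 11-3 and 11-4 before it goes into httpd.conf. It assumes that a regex is written /pattern/ (as in mod_ssl) with no slash inside, compares digit strings numerically and everything else as text, and leaves out the file() function; the request environment and the "Example Corp" names in the block are constructed.

```python
"""Added example, not mod_ossl code: parse and evaluate SSLRequire expressions so an
access rule can be dry-run against a constructed request environment first.
Regexes are written /pattern/ (mod_ssl style) and may not contain a slash: an assumption."""
import re

TOKEN_RE = re.compile(r"""\s*(?:(?P<var>%\{[A-Za-z0-9_:\-]+\})|(?P<str>"[^"]*")
    |(?P<regex>/[^/]*/)|(?P<num>\d+)
    |(?P<op>&&|\|\||==|!=|<=|>=|=~|!~|<|>|!|\(|\))|(?P<word>[A-Za-z]+))""", re.VERBOSE)
WORDS = {"true": ("bool", True), "false": ("bool", False), "eq": ("op", "=="),
         "ne": ("op", "!="), "lt": ("op", "<"), "le": ("op", "<="),
         "gt": ("op", ">"), "ge": ("op", ">=")}

def tokenize(expr):
    """Split an expression into (kind, value) tokens: var, str, regex, op or bool."""
    tokens, pos = [], 0
    while expr[pos:].strip():
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise SyntaxError("bad token at: %r" % expr[pos:pos + 12])
        kind, text, pos = m.lastgroup, m.group(m.lastgroup), m.end()
        if kind == "word":
            if text not in WORDS:
                raise SyntaxError("unknown word: %s" % text)
            tokens.append(WORDS[text])
        elif kind in ("var", "str", "regex"):        # drop the %{ }, " " and / / delimiters
            tokens.append((kind, text[2:-1] if kind == "var" else text[1:-1]))
        else:                                        # digits are a word; the rest are operators
            tokens.append(("str" if kind == "num" else "op", text))
    return tokens

def parse(tokens):
    """Recursive descent over the BNF: || binds loosest, then &&, then !, then comparisons."""
    def peek():
        return tokens[0] if tokens else (None, None)
    def take(kind=None):
        if peek()[0] is None or (kind and peek()[0] != kind):
            raise SyntaxError("expected %s, got %r" % (kind or "more input", peek()))
        return tokens.pop(0)
    def binary(op, operand):
        node = operand()
        while peek() == ("op", op):
            take()
            node = (op, node, operand())
        return node
    def expr():
        return binary("||", lambda: binary("&&", expr_not))
    def expr_not():
        if peek() == ("op", "!"):
            take()
            return ("not", expr_not())
        return comparison()
    def word():
        return take("var") if peek()[0] == "var" else take("str")
    def comparison():
        if peek()[0] == "bool":
            return take()
        if peek() == ("op", "("):
            take()
            node = expr()
            if take("op")[1] != ")":
                raise SyntaxError("expected )")
            return node
        left, op = word(), take("op")[1]
        if op in ("=~", "!~"):
            return ("match", op, left, take("regex")[1])
        if op not in ("==", "!=", "<", "<=", ">", ">="):
            raise SyntaxError("bad comparison operator %s" % op)
        return ("cmp", op, left, word())
    node = expr()
    if tokens:
        raise SyntaxError("unexpected %r" % (tokens[0],))
    return node

def evaluate(node, env):
    """Evaluate a parse tree against env, a dict of the Table 11-3 and 11-4 variables."""
    kind = node[0]
    if kind == "bool":
        return node[1]
    if kind == "not":
        return not evaluate(node[1], env)
    if kind == "&&":
        return evaluate(node[1], env) and evaluate(node[2], env)
    if kind == "||":
        return evaluate(node[1], env) or evaluate(node[2], env)
    _, op, left, right = node
    a = env.get(left[1], "") if left[0] == "var" else left[1]
    if kind == "match":
        return (re.search(right, a) is not None) == (op == "=~")
    b = env.get(right[1], "") if right[0] == "var" else right[1]
    if a.isdigit() and b.isdigit():              # assumption: digit strings compare as numbers
        a, b = int(a), int(b)
    return {"==": a == b, "!=": a != b, "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def ssl_require(expression, env):
    """True when the directive would grant access for this request environment."""
    return evaluate(parse(tokenize(expression)), env)

# Constructed environment: a client that passed SSLVerifyClient require with a certificate
# from a hypothetical "Example Corp" issuing CA, over a 128-bit cipher.
SAMPLE_ENV = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CIPHER_USEKEYSIZE": "128",
              "SSL_CLIENT_S_DN_O": "Example Corp", "SSL_CLIENT_S_DN_OU": "Staff",
              "SSL_CLIENT_I_DN_CN": "Example Corp Issuing CA", "REMOTE_ADDR": "10.0.0.25"}
# Verified client, 128-bit or stronger cipher, expected CA, then Staff OU or an internal address.
RULE = ('%{SSL_CLIENT_VERIFY} eq "SUCCESS" && %{SSL_CIPHER_USEKEYSIZE} >= 128 '
        '&& %{SSL_CLIENT_I_DN_CN} =~ /^Example Corp / '
        '&& ( %{SSL_CLIENT_S_DN_OU} eq "Staff" || %{REMOTE_ADDR} =~ /^10\\./ )')
```

The rule in the block is the kind of check SSLVerifyClient alone cannot express: it requires a verified certificate from one particular issuing CA and a 128-bit or stronger cipher, and only then applies a membership or network condition. Numeric comparison matters for SSL_CIPHER_USEKEYSIZE, since as text "1024" sorts before "256".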
11.4.1.13 SSLRequireSSL

Denies access to clients not using SSL. This is a useful directive for absolute protection of an SSL-enabled virtual host or of directories in which configuration errors could create security vulnerabilities.

Category Value
Syntax SSLRequireSSL
Default None
Context directory

11.4.1.14 SSLSessionCache

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing.

Category Value
Valid Values
  • none: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.
  • shmht:/path/to/datafile(bytes): Uses a high-performance hash table (bytes specifies the approximate size) inside a shared memory segment in RAM, which is established by /path/to/datafile. This hash table synchronizes the local SSL memory caches of the server processes.

  • shmcb:/path/to/datafile(bytes): Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb is more uniform in all environments when compared to shmht.

Syntax SSLSessionCache type
Examples SSLSessionCache shmht:/ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)

SSLSessionCache shmcb:/ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)

Default SSLSessionCache none

11.4.1.15 SSLSessionCacheTimeout

Specifies the number of seconds before a SSL session in the session cache expires.

Category Value
Syntax SSLSessionCacheTimeout seconds
Default 300
Context server configuration

11.4.1.16 SSLVerifyClient

Specifies whether or not a client must present a certificate when connecting.

Category Value
Valid Values
  • none: No client certificate is required
  • optional: Client may present a valid certificate

  • require: Client must present a valid certificate

Syntax SSLVerifyClient level
Default None
Context server configuration, virtual host


Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

11.4.1.17 SSLWallet

Specifies the location of the wallet as a wallet resource locator (WRL).

Category Value
Syntax SSLWallet wrl

The format of wrl is: file:/path/to/wallet

Example SSLWallet file:/etc/ORACLE/WALLETS/server

Other values of wrl may be used as permitted by the Oracle SSL product.

Default None
Context server configuration, virtual host

11.4.1.18 SSLWalletPassword

Specifies the wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf. If you must use a regular (password-protected) wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password. Obfuscation is reversible by design, because the server must recover the password to open the wallet; it prevents casual disclosure only, so httpd.conf must still be protected as carefully as the password itself.

Category Value
Syntax SSLWalletPassword password

If no password is required do not set this directive.

Note: If a wallet created with the Auto Login feature of Oracle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.

Default None
Context server configuration, virtual host


Note:

SSLWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, Oracle recommends that you get an SSO wallet, with auto-login enabled, instead. Refer to "Task 1: Creating a Real Wallet".

11.4.2 Using the iasobf Utility

The iasobf utility enables you to generate an obfuscated wallet password from a cleartext password.

If you are using an Oracle Wallet that has been created with Auto Login enabled (an SSO wallet), then you do not need to use this utility. However, if you must use a regular wallet with a password, then Oracle recommends that you use the password obfuscation tool iasobf, which is located in ORACLE_HOME/Apache/Apache/bin, to generate an obfuscated wallet password from a cleartext password.

To generate an obfuscated wallet password, the command syntax is:

iasobf -p password

The obfuscated password is printed to the terminal. iasobf must be run as the operating system user that the httpd process runs as, and that user is passed as the final argument: root on UNIX or system on Windows. For example, on UNIX:

iasobf -p password root


Note:

The corresponding tool for Windows environments is called osslpassword, which can be used in the same way as iasobf.

11.4.3 Using mod_proxy Directives

The following directives are for mod_proxy support only:

11.4.3.1 SSLProxyCache

Specifies whether the proxy uses an SSL session cache. The proxy shares the session cache that the SSL server uses.

Category Value
Syntax SSLProxyCache on|off
Default SSLProxyCache off
Context server configuration, virtual host

11.4.3.2 SSLProxyCipherSuite

Specifies the proxy server's cipher suite.

Category Value
Syntax SSLProxyCipherSuite cipher-spec
Default None
Context server configuration, virtual host

11.4.3.3 SSLProxyProtocol

Controls the proxy server's SSL protocol flavors.

Category Value
Syntax SSLProxyProtocol [+-] protocol
Default None
Context server configuration, virtual host

11.4.3.4 SSLProxyWallet

Specifies the location of the wallet containing the certificates to use when opening proxy connections.

Category Value
Syntax SSLProxyWallet wrl
Default None
Context server configuration, virtual host

11.4.3.5 SSLProxyWalletPassword

Specifies the proxy wallet password.

Category Value
Syntax SSLProxyWalletPassword password
Default None
Context server configuration, virtual host


Note:

SSLProxyWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, Oracle recommends that you get a SSO wallet instead.