Oracle® Collaboration Suite Security Guide
10g Release 1 (10.1.2)

Part Number B25494-10

7 Enabling SSL in Oracle Collaboration Suite

This chapter provides instructions for enabling and configuring SSL in Oracle Collaboration Suite.

7.1 Recommended SSL Configurations

The Oracle Collaboration Suite Deployment Guide discusses various deployment topologies. It presents sample architectures for Oracle Collaboration Suite installation types. After you have identified the components on which you need to enable SSL, use the instructions in this chapter to configure the components.

7.2 SSL Configuration in Oracle Collaboration Suite Infrastructure

To enable SSL on Infrastructure on UNIX-based platforms, run the following script on the Infrastructure instance:

$ORACLE_HOME/bin/SSLConfigTool -config_w_prompt -opwd <orcladmin password>

The Microsoft Windows equivalent of the command is:

%ORACLE_HOME%\bin\SSLConfigTool -config_w_prompt -opwd <orcladmin password>

7.3 SSL Configuration in Oracle Collaboration Suite Applications

7.3.1 Running the SSL Script on the Applications Tier

If you are planning to run the SSL script on the AIX platform, first set the following environment variable:

LIBPATH=$ORACLE_HOME/lib32

If you are planning to run the SSL script on the HP-UX platform, first set the following environment variable:

SHLIB_PATH=$ORACLE_HOME/lib32

Run the following script on the Applications tier instance:

$ORACLE_HOME/bin/midtierSSLConfigTool.<sh|bat> <oid hostname> <oid port> <oid admin dn> <oid admin password> <http server SSL port> <http|https> <hostname of the computer> <True | False> <rollback|ocs_config>

On Microsoft Windows, the syntax is:

%ORACLE_HOME%\bin\midtierSSLConfigTool.<sh|bat> <oid hostname> <oid port> <oid admin dn> <oid admin password> <http server SSL port> <http|https> <hostname of the computer> <True | False> <rollback|ocs_config>

Where:

  • oid hostname is the host name of the Oracle Internet Directory computer the Applications tier is associated with

  • oid port is the port that the Oracle Internet Directory server is listening on

  • oid admin dn is the administrative DN for the Oracle Internet Directory admin user (cn=orcladmin)

  • oid admin password is the password for the Oracle Internet Directory admin user

  • http server SSL port is the SSL port that was configured during the install. This value can be found in the $ORACLE_HOME/install/portlist.ini (for Microsoft Windows: %ORACLE_HOME%\install\portlist.ini) file as the Oracle HTTP Server SSL port value.

  • http | https is the protocol that the service registry items are to be changed to.

  • hostname of the computer is the host name that the computer is using with reference to its Oracle Collaboration Suite configuration. This may be the local host name or a load balancer virtual host name, as the case may be.

  • True | False is the boolean flag that determines the communication to OID

    • True: Communication to the Oracle Internet Directory using SSL only

    • False: Normal communication to Oracle Internet Directory

  • rollback is an optional argument that, when passed, runs SSLConfigTool in -rollback mode. In other words, it enables the user to revert to their original configuration before an error.

  • ocs_config is an optional argument that only modifies the Oracle Collaboration Suite service registry and then exits (SSLConfigTool is not run).


    Note:

    You cannot specify rollback and ocs_config on the same command line.

On UNIX-based platforms, stop and start OC4J_OCSClient by using the following commands:

./opmnctl stopproc process-type=OC4J_OCSClient
./opmnctl startproc process-type=OC4J_OCSClient

On Microsoft Windows, stop and start OC4J_OCSClient by using the following commands:

opmnctl stopproc process-type=OC4J_OCSClient
opmnctl startproc process-type=OC4J_OCSClient

Note:

While running midtierSSLConfigTool, if the script hangs at the dcmctl update configuration stage, stop the script manually, if required, and then perform the following steps:
  1. Log in as the installation owner (oracle user).

  2. Run the following command:

    opmnctl stopall
    
  3. Remove $ORACLE_HOME/opmn/logs/dcm-daemon.1 (for Microsoft Windows: %ORACLE_HOME%\opmn\logs\dcm-daemon.1) and $ORACLE_HOME/dcm/logs/daemon_logs (for Microsoft Windows: %ORACLE_HOME%\dcm\logs\daemon_logs) and re-create these files as the installation owner.

  4. Run the following command again:

    dcmctl updateconfig -ct opmn
    

7.3.2 Additional Steps For Enabling SSL in Oracle Collaboration Suite

When you enable SSL for Oracle Collaboration Suite, an additional step is required if a recognized Certificate Authority has not signed the server certificate. In this case, you have the following two options:

  • Configure Oracle Collaboration Suite to accept all certificates

  • Configure Oracle Collaboration Suite to accept the specified server certificate

If you have configured Oracle Collaboration Suite for SSL, you must choose one of these options in order to use Oracle Workspaces, the Oracle Content Services portlet, and Oracle Collaboration Suite Search.

To configure Oracle Collaboration Suite to accept all certificates:

  1. Edit the ORACLE_HOME/opmn/conf/opmn.xml (for Microsoft Windows: ORACLE_HOME\opmn\conf\opmn.xml) file. For the process-types with IDs OC4J_OCSClient and OC4J_Portal, add an additional Java option to the start parameters:

    -Daxis.socketSecureFactory=org.apache.axis.components.net.SunFakeTrustSocketFactory
    
    
  2. Reload the opmn.xml file as follows on UNIX-based platforms:

    ORACLE_HOME/opmn/bin/opmnctl reload
    
    

    The equivalent command on Microsoft Windows is:

    ORACLE_HOME\opmn\bin\opmnctl reload
    
    
  3. On UNIX-based platforms, restart the OC4J_OCSClient and OC4J_Portal instances as follows:

    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_OCSClient
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_Portal
    
    

    The Microsoft Windows equivalent commands are:

    ORACLE_HOME\opmn\bin\opmnctl restartproc process-type=OC4J_OCSClient
    ORACLE_HOME\opmn\bin\opmnctl restartproc process-type=OC4J_Portal
    
    

To configure Oracle Collaboration Suite to accept the specific server certificate used in an instance:

  1. Use Oracle Wallet Manager to export the server certificate from the Oracle Wallet.

    This might be the wallet used by OracleAS Webcache or by Apache server, depending on the configuration.

  2. Import the certificate into the current trust store for this JDK installation.

    For example, on UNIX-based platforms, if the installation is using the default trust store in the JDK, then the call would look like this:

    ORACLE_HOME/jdk/jre/bin/keytool -import -v -trustcacerts -file \
    exported_certificate_location -keystore \
    jdk/jre/lib/security/cacerts -storepass changeit -storetype jks
    
    
  3. Restart the OC4J_OCSClient and OC4J_Portal instances as follows:

    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_OCSClient
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_Portal
    
    

    The equivalent commands on Microsoft Windows are:

    ORACLE_HOME\opmn\bin\opmnctl restartproc process-type=OC4J_OCSClient
    ORACLE_HOME\opmn\bin\opmnctl restartproc process-type=OC4J_Portal
    

Note:

If neither of these procedures is performed, then the integration of Oracle Workspaces with Oracle Content Services will fail, and the Library resource in Oracle Workspaces will be unavailable. Also, the Oracle Content Services portlet will not work, and Oracle Collaboration Suite Search will not be able to search content in Oracle Content Services.
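
The accept-all option above works by swapping in an Axis socket factory that trusts any server certificate, so OC4J_OCSClient and OC4J_Portal no longer authenticate the servers they call over SSL. The following added example (not Oracle's code) audits an opmn.xml for that option and prints a copy with it removed, for use once the server certificate has been imported with keytool; the sample file and its element layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: find OC4J process types started with the accept-all socket
# factory and produce an opmn.xml without it.

FAKE_TRUST='org.apache.axis.components.net.SunFakeTrustSocketFactory'

# Print the id of every <process-type> whose block mentions the factory class.
fake_trust_process_types() {   # $1 = path to opmn.xml
    awk -v needle="$FAKE_TRUST" '
        /<process-type / {
            id = ""
            if (match($0, / id="[^"]*"/))
                id = substr($0, RSTART + 5, RLENGTH - 6)
        }
        /<\/process-type>/ { id = "" }
        id != "" && index($0, needle) && !(id in seen) { seen[id] = 1; print id }
    ' "$1"
}

# Write the file to stdout with the option removed from every start parameter.
strip_fake_trust() {   # $1 = path to opmn.xml
    sed 's/ *-Daxis\.socketSecureFactory=org\.apache\.axis\.components\.net\.SunFakeTrustSocketFactory//g' "$1"
}

# Report the findings; returns 1 when any process type accepts all certificates.
audit_opmn() {   # $1 = path to opmn.xml
    hits=$(fake_trust_process_types "$1")
    if [ -z "$hits" ]; then
        echo "OK: no process type disables certificate validation"
        return 0
    fi
    echo "WARNING: certificate validation is disabled for:"
    echo "$hits" | sed 's/^/  /'
    return 1
}

# Constructed sample; the element layout is an assumption about opmn.xml.
sample_opmn_xml() {
    cat <<'EOF'
<ias-component id="OC4J">
  <process-type id="home" module-id="OC4J">
    <module-data>
      <category id="start-parameters">
        <data id="java-options" value="-server -Djava.awt.headless=true"/>
      </category>
    </module-data>
  </process-type>
  <process-type id="OC4J_OCSClient" module-id="OC4J">
    <module-data>
      <category id="start-parameters">
        <data id="java-options" value="-server -Daxis.socketSecureFactory=org.apache.axis.components.net.SunFakeTrustSocketFactory"/>
      </category>
    </module-data>
  </process-type>
  <process-type id="OC4J_Portal" module-id="OC4J">
    <module-data>
      <category id="start-parameters">
        <data id="java-options" value="-server -Xmx512m -Daxis.socketSecureFactory=org.apache.axis.components.net.SunFakeTrustSocketFactory"/>
      </category>
    </module-data>
  </process-type>
</ias-component>
EOF
}

# Audit the file given as $1, or the constructed sample when no path is given.
tmp=$(mktemp)
sample_opmn_xml > "$tmp"
audit_opmn "${1:-$tmp}" || true
rm -f "$tmp"
```

After replacing opmn.xml with the stripped copy, reload and restart the two instances with the opmnctl commands shown above.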

7.3.3 Enabling SSL in Oracle Mobile Collaboration

To enable SSL in Oracle Mobile Collaboration, perform the following steps:

  1. Set the ORACLE_HOME environment variable on the Applications tier.

  2. Run the reRegisterSSO.<sh|bat> script located at $ORACLE_HOME/wireless/bin (on Microsoft Windows: %ORACLE_HOME%\wireless\bin) to register Oracle Mobile Collaboration. The syntax is:

    ./reRegisterSSO.sh apptier_host_URL:https_server_SSL_portnumber
    
    

    For example:

    ./reRegisterSSO.sh https://host:8250/ptg/rm
    
    

    For Microsoft Windows, the syntax is:

    reRegisterSSO.bat apptier_host_URL:https_server_SSL_portnumber
    
    

To update the Oracle Mobile Push Mail configuration to use SSL, run the mcsutil script located at $ORACLE_HOME/wireless/install (for Microsoft Windows: %ORACLE_HOME%\wireless\install):

mcsutil.<sh|bat> -O $ORACLE_HOME -U -H <oldhost> -P <oldport> -N <new host> -W <new port>

Note:

You need to verify the host and ports before the update is done.

7.3.4 Enabling SSL in Oracle Content Services

You can provide SSL settings after Oracle Content Services has been installed and configured. To do this, perform the steps outlined in Setting Parameters in the Application Server Control for Collaboration Suite and Setting Additional SSL Information.

7.3.4.1 Setting Parameters in the Application Server Control for Collaboration Suite

Use the Application Server Control for Collaboration Suite to set server configuration properties, as follows:

  1. From the Collaboration Suite Home page, click the name of the Oracle Content Services domain. The Content Services Home page appears.

  2. Click Domain Properties (under the Administration heading).

  3. In the Properties section, select IFS.DOMAIN.APPLICATION.ApplicationUseHttps and click Edit.

  4. Set Value to True and click OK.

  5. Select IFS.DOMAIN.APPLICATION.ApplicationPort and click Edit.

  6. Set the Value to be one of the following:

    • If you are using OracleAS Web Cache, then enter the Web Cache SSL port.

    • If you are not using OracleAS Web Cache, then enter the non-Web Cache SSL port.

  7. Click OK on the Edit Property page.

  8. Click OK on the Edit Server Configuration page.

  9. Restart the Oracle Content Services domain.

7.3.4.2 Setting Additional SSL Information

In addition to setting Oracle Content Services server configuration parameters, you may need to set URLs in OracleAS Portal. Wherever the Oracle Content Services Portlet has been registered in OracleAS Portal, you should update the Oracle Content Services Portlet URLs.

7.3.4.3 Connecting to Oracle Internet Directory Using SSL

If you did not provide Oracle Internet Directory SSL information during Oracle Content Services configuration but still want to connect to Oracle Internet Directory using SSL, then perform the following steps using the Application Server Control for Collaboration Suite:

  1. From the Collaboration Suite Home page, click the name of the Oracle Content Services domain. The Content Services Home page appears.

  2. Click Service Configurations (under the Configuration heading).

  3. Click the name of the service configuration you are using (for example, SmallServiceConfiguration). The Edit page appears.

  4. In the Properties section, click IFS.SERVICE.CREDENTIALMANAGER.Oid.OidSsl. You may need to move to the second or subsequent page to see this property.

  5. Set Value to true and click OK.

  6. Select IFS.SERVICE.CREDENTIALMANAGER.Oid.OidUrl and click Edit.

  7. Change the port number listed in the URL to be the SSL-enabled Oracle Internet Directory port, typically 636 or 4031.

  8. Click OK on the Edit Property page.

  9. Click OK on the Edit Server Configuration page.

  10. Restart the Oracle Content Services domain.


See Also:

Oracle Content Services Administrator's Guide for more information

7.3.4.4 If the Oracle Content Services Portlet Fails to Retrieve Content After Implementing SSL

If the Oracle Content Services Portlet fails to retrieve content after finishing SSL implementation, then perform the following tasks:

  1. Start the oidadmin console and log in as orcladmin.

  2. Navigate to cn=Content, cn=VirtualServices, cn=Files, cn=Services, cn=OracleContext.

  3. Change the labeleduri;webservicesurl attribute to use http instead of https.

  4. Restart OC4J_Portal and access the portal to verify that the Oracle Content Services Portlet displays the content.

7.3.5 Enabling SSL in Oracle Real-Time Collaboration

You can set Oracle Real-Time Collaboration so that all conferences and messages use secure HTTPS connections. To do so, you set the following properties for the Oracle Real-Time Collaboration system.

Perform the following steps on one of your Oracle Real-Time Collaboration core component instances. You need to perform these steps only once, because you will set all other instances by using the -system true option.

  1. On the AIX platform, set the following environment variable:

    LIBPATH=$ORACLE_HOME/lib32
    
    

    On the HP-UX platform, set the following environment variable:

    SHLIB_PATH=$ORACLE_HOME/lib32
    
    
  2. For UNIX-based platforms, on an Oracle Real-Time Collaboration core components instance, start the rtcctl configuration utility:

    $ORACLE_HOME/imeeting/bin/rtcctl
    
    

    The Microsoft Windows equivalent command is:

    %ORACLE_HOME%\imeeting\bin\rtcctl
    
    
  3. Set the following property to indicate that the Oracle HTTP Server uses SSL connections:

    rtcctl> setProperty -system true -pname ApacheProtocolSecure -pvalue true
    
    

    Note:

    The Oracle Real-Time Collaboration property for the HTTPS port is set at installation. If you change the HTTPS port after installation, then you must also change the ApacheWebSecurePort value to match the HTTPS port value. The syntax is:
    rtcctl> setProperty -system true -pname ApacheWebSecurePort -pvalue port_value
    

  4. Set the following property to enable SSL and force all instant messaging sessions and Web conferences to use SSL:

    rtcctl> setProperty -system true -pname RTCSSLSupportEnabled -pvalue true
    
    

    Note:

    If you do not want to force SSL but just allow it as an option, you can set the SSLRequiredForMeetings and IMSSLRequiredForXMPP properties to True and use the -force false option. Refer to the Oracle Real-Time Collaboration Administrator's Guide for more details about these properties.

  5. Exit rtcctl using the following command:

    rtcctl> exit
    
    

The multiplexer used for Web conferences and the connection manager used for instant messaging on the Oracle Real-Time Collaboration core components system use the same wallet that the Oracle HTTP Server uses. You must set the WalletLocation property on each Oracle Real-Time Collaboration core components instance, to identify where the wallet file is located.

  1. On the first of your Oracle Real-Time Collaboration core components instances, enter:

    $ORACLE_HOME/imeeting/bin/rtcctl
    rtcctl> setProperty -pname WalletLocation -pvalue "../Apache/Apache/conf/ssl.wlt/default"
    rtcctl> exit
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\imeeting\bin\rtcctl
    rtcctl> setProperty -pname WalletLocation -pvalue "..\Apache\Apache\conf\ssl.wlt\default"
    rtcctl> exit
    
    

    The default path to the wallet file is shown in the example.

  2. Repeat Step 1 on each of your Oracle Real-Time Collaboration core component instances.

For more information about all the properties discussed here, see Chapter 3 in Oracle Real-Time Collaboration Administrator's Guide. For more information about using the rtcctl utility, see Chapter 4 in the same manual.

If Oracle Real-Time Collaboration Cannot Access the Default Certificate

If Oracle Real-Time Collaboration cannot access the default certificate, then set up the following properties as shown:

rtcctl> setProperty -system true -pname SSLRequiredForMeetings -pvalue true -force false
rtcctl> setProperty -system true -pname RTCSSLSupportEnabled -pvalue true
rtcctl> setproperty -pname sslcertificatehostname -pvalue "*"
rtcctl> stop
rtcctl> start

7.3.6 Enabling SSL in Oracle Voicemail & Fax

SSL connections are used in two places: when Enterprise Manager connects to Oracle Internet Directory, and when the Oracle Voicemail & Fax Applications connect to Oracle Internet Directory.


See Also:

Oracle Internet Directory Administrator's Guide for more information on setting up Oracle Internet Directory for SSL connections

Enterprise Manager Connections

By default, when Enterprise Manager connects to Oracle Internet Directory, SSL is enabled for a target. Because SSL slows down the connection speed, you may want to disable SSL if you are behind a firewall and your network is secure.

To enable or disable SSL for Enterprise Manager connections to Oracle Internet Directory:

  1. Log in to Enterprise Manager Grid Control, and navigate to the home page.

  2. In the Target Search section, select Oracle Voicemail & Fax in the Search list and click Go.

  3. Select the Voicemail & Fax target from the All Targets list and click Configure.

  4. In the Configure Voicemail & Fax: name_of_Voicemail_&_Fax_target page, select Always require SSL for connections to enable SSL for all connections from Enterprise Manager to Oracle Internet Directory for this target.

    To disable SSL connections for this target, deselect Always require SSL connections.

  5. Click Finish.

Voicemail & Fax Application Connections

You can use an SSL connection when Voicemail & Fax Applications connect to Oracle Internet Directory. This is set in the %ORACLE_HOME%\config\ias.properties file with the SSLONLY setting. By default, this is set as follows: SSLONLY=false. Turn SSL on if your network is not very secure or if you want all of your data encrypted.


Note:

The SSLONLY setting affects how all applications configured under this Oracle home connect to the Oracle Collaboration Suite Database. Therefore, if other Oracle applications, in addition to Oracle Voicemail & Fax, are installed in this directory, they will be affected by changes to the SSLONLY setting.

7.3.7 Enabling SSL Between Oracle Mobile Data Sync Server and OracleAS Webcache

When Webcache receives an SSL (HTTPS) request from an Oracle Mobile Access Data Sync (formerly SyncML) client, the HTTP header coming from the SyncML client might not specify the port being used. In that case, Webcache forwards this HTTPS request to Oracle HTTP Server as a plain HTTP request on port 7778, which is typically the port that Oracle HTTP Server listens on in HTTP mode. This causes a protocol mismatch, and as a result all synchronization attempts from a mobile device in SSL mode fail.

Because the data being synchronized is typically confidential, it is important that the synchronization be done by using SSL.

To resolve this problem, you can use either of the following alternatives:

  • Bypass Webcache and configure the Oracle Mobile Access Data Sync client so that it directly communicates with the HTTPS port of Oracle HTTP Server. This requires opening another port on the firewall.

  • Configure Webcache so that there is an explicit Site-to-Server mapping, which matches all incoming traffic for the /ocst-bin (for Microsoft Windows: \ocst-bin) URLs (Oracle Mobile Data Sync Server URLs) to the Oracle HTTP Server SSL port.

    This solution does not require an additional port to be opened on the firewall because it enables the reuse of the Webcache SSL port (typically 443). However, for this solution to work successfully:

    • All devices synchronizing with the Oracle Mobile Data Sync Server are SSL-compliant.

    • Only SSL-synchronizations are allowed. No HTTP (non-SSL) synchronizations will work.

To enable SSL between Oracle Mobile Data Sync Server and OracleAS Webcache according to the second alternative, perform the following steps:

  1. Create the SSL Listening point on Webcache as follows:

    1. Log in to Webcache Administration by using the following URL:

      http://<app-tiermachine>:<portnumber>/webcacheadmin
      
      

      In the previous syntax, app-tiermachine represents the URL to the computer on which Oracle Collaboration Suite Applications are installed.

      Also, portnumber represents the port used to connect to Webcache administration page, which is typically 9400. The port number in use can be obtained from the value of the Webcache Administration port found in $ORACLE_HOME/install/portlist.ini (for Microsoft Windows: %ORACLE_HOME%\install\portlist.ini). You will need to log in to this page.

    2. Click Listen Ports under Ports to add an entry for the HTTPS protocol.

    3. Click Add and enter the following values:

      • IP Address: ANY

      • Port Number: Value of Oracle HTTP Server SSL port found in portlist.ini.

      • Protocol: HTTPS

      • Require Client Side Certificate: Do not enable

      • Wallet: $ORACLE_HOME/webcache/wallets/default (for Microsoft Windows: %ORACLE_HOME%\webcache\wallets\default)

    4. Click Submit.

    5. Click Apply Changes.

  2. Select the Site to Server Mapping option.

  3. Select the option for the first line.

  4. Click the Insert Above option.

  5. In the screen that appears, specify the following:

    • Hostname: *

    • Port Number: *

    • URL Path Prefix: /ocst-bin (for Microsoft Windows: \ocst-bin)

    In the Select Application Web Servers section, select the Apache HTTPS port option.

    Click Submit.

  6. Verify that the first line that you added is shown as the first line in Site to Server Mapping.

  7. Click Apply Changes.

  8. Restart Webcache.

7.3.8 Enabling SSL in Oracle Collaborative Portlets

Oracle Collaborative Portlets internally uses HTTP to communicate with Oracle Collaboration Suite component application Web services (such as Oracle Mail and Oracle Calendar) to obtain application data. The use of SSL is not supported at this level.

In addition, if you configure SSL for Oracle Collaboration Suite and turn off the non-SSL (HTTP) port, then Oracle Collaborative Portlets will stop functioning. In other words, Oracle Collaborative Portlets requires the Web Cache non-SSL (HTTP) port to remain open.


Note:

This is applicable for internal HTTP communication only. This does not affect external HTTP-based communication between browsers and Oracle Collaboration Suite.

To enable SSL in Oracle Collaborative Portlets, perform the following steps:

  1. Log in to oidadmin as orcladmin.

  2. Navigate to the cn=Content, cn=VirtualServices, cn=Files, cn=Services, cn=oracleContext DN.

  3. Change the value of the labeleduri;webservicesurl attribute to the non-SSL URL that was used previously.

7.3.9 Securing Enterprise Manager

Perform the following steps to access the Enterprise Manager using SSL:

  1. Shut down Application Server Control for Collaboration Suite by using the following command:

    ./emctl stop iasconsole
    
    

    On Microsoft Windows:

    emctl stop iasconsole
    
    
  2. Run the following command:

    ./emctl secure em
    
    

    On Microsoft Windows:

    emctl secure em
    
    
  3. Start the Application Server Control for Collaboration Suite by using the following command:

    ./emctl start iasconsole
    
    

    On Microsoft Windows:

    emctl start iasconsole
    
    

Enterprise Manager can now be accessed only by using HTTPS.

To access Enterprise Manager using HTTP again, perform the following steps:

  1. Shut down the Application Server Control for Collaboration Suite by using the following command:

    ./emctl stop iasconsole
    
    

    On Microsoft Windows:

    emctl stop iasconsole
    
    
  2. Edit $ORACLE_HOME/sysman/config/emd.properties (for Microsoft Windows: %ORACLE_HOME%\sysman\config\emd.properties):

    In EMD_URL, change https to http.

  3. Edit $ORACLE_HOME/sysman/j2ee/config/emd-web-site.xml (for Microsoft Windows: %ORACLE_HOME%\sysman\j2ee\config\emd-web-site.xml):

    In the line starting with <web-site...>, change secure=true to secure=false

  4. Edit $ORACLE_HOME/sysman/emd/targets.xml (for Microsoft Windows: %ORACLE_HOME%\sysman\emd\targets.xml):

    Change the StandaloneconsoleURL property for the oracle_ias target from https to http.

  5. Start the Application Server Control for Collaboration Suite by using the following command:

    ./emctl start iasconsole
    
    

    On Microsoft Windows:

    emctl start iasconsole
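
A check for the three files edited above, as an added example that is not part of the Oracle documentation: it reports whether emd.properties, emd-web-site.xml and targets.xml agree on HTTPS or HTTP, which catches a half-applied change in either direction. The sample file contents, host names and ports are constructed, and the property name is matched case-insensitively.

```shell
#!/bin/sh
# Added example: confirm that the three Enterprise Manager files agree on the
# protocol after "emctl secure em" or after the manual change back to HTTP.

# Print the scheme (http or https) of EMD_URL in emd.properties.
emd_url_scheme() {   # $1 = emd.properties
    sed -n 's/^[[:space:]]*EMD_URL[[:space:]]*=[[:space:]]*\(https\{0,1\}\):\/\/.*/\1/p' "$1" | head -n 1
}

# Print the value of the secure attribute on the <web-site ...> line.
website_secure() {   # $1 = emd-web-site.xml
    sed -n '/<web-site[[:space:]]/s/.*[[:space:]]secure="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the scheme of the console URL property of the oracle_ias target only.
console_url_scheme() {   # $1 = targets.xml
    awk '
        /<Target[ \t]/ { in_ias = ($0 ~ /TYPE="oracle_ias"/) }
        /<\/Target>/   { in_ias = 0 }
        in_ias && tolower($0) ~ /name="standaloneconsoleurl"/ {
            if (match($0, /VALUE="[a-z]+:\/\//)) {
                print substr($0, RSTART + 7, RLENGTH - 10)
                exit
            }
        }
    ' "$1"
}

# Print "https" or "http" when all three files agree, otherwise "mixed (...)".
em_scheme_state() {   # $1 = emd.properties, $2 = emd-web-site.xml, $3 = targets.xml
    a=$(emd_url_scheme "$1")
    case $(website_secure "$2") in
        true)  b=https ;;
        false) b=http ;;
        *)     b=unknown ;;
    esac
    c=$(console_url_scheme "$3")
    if [ -n "$a" ] && [ "$a" = "$b" ] && [ "$b" = "$c" ]; then
        echo "$a"
    else
        echo "mixed (emd.properties=$a emd-web-site.xml=$b targets.xml=$c)"
    fi
}

# Constructed sample files; their layout is an assumption, not a copy of a real Oracle home.
write_sample() {   # $1 = dir, $2 = EMD_URL scheme, $3 = secure value, $4 = console URL scheme
    printf 'EMD_URL=%s://em.example.com:1831/emd/main\n' "$2" > "$1/emd.properties"
    printf '<web-site host="[ALL]" port="1810" secure="%s">\n</web-site>\n' "$3" > "$1/emd-web-site.xml"
    cat > "$1/targets.xml" <<EOF
<Targets>
  <Target TYPE="host" NAME="em.example.com">
    <Property NAME="StandaloneConsoleURL" VALUE="http://other.example.com/"/>
  </Target>
  <Target TYPE="oracle_ias" NAME="apps.em.example.com">
    <Property NAME="StandaloneConsoleURL" VALUE="$4://em.example.com:1810/emd/console"/>
  </Target>
</Targets>
EOF
}

# Demo: a half-reverted home in which targets.xml was not edited.
demo=$(mktemp -d)
write_sample "$demo" http false https
em_scheme_state "$demo/emd.properties" "$demo/emd-web-site.xml" "$demo/targets.xml"
rm -rf "$demo"
```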
    

7.4 SSL Configuration For Single-Computer Installation

7.4.1 Preinstallation Tasks

Before configuring SSL for a single-computer installation, perform the following tasks:

  1. Ensure that the entries for HTTP Server SSL Port and Web Cache HTTP Listen (SSL) Port are correct in the $ORACLE_HOME/install/portlist.ini (for Microsoft Windows: %ORACLE_HOME%\install\portlist.ini) file for both the Infrastructure tier and the Applications tier.

  2. Ensure that SSL is enabled on Oracle Internet Directory.

  3. On UNIX-based platforms, log in as root and run the following commands:

    cd $ORACLE_HOME/Apache/Apache/bin
    chown root .apachectl
    chmod 6750 .apachectl
    

7.4.2 Infrastructure Tier Setup

Stop the associated Applications tiers by using the following command on each:

$ORACLE_HOME/bin/ocsctl_sample -stop apps

On Microsoft Windows, stop the associated Applications tiers by using the following command on each:

%ORACLE_HOME%\bin\ocsctl_sample -stop apps

Now, perform the following tasks in the Oracle home of the Infrastructure tier:

  1. Ensure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are set correctly.

  2. Use the following command to roll back any changes that were made during the installation:

    $ORACLE_HOME/bin/SSLConfigTool -rollback -opwd <oid admin password>
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\bin\SSLConfigTool -rollback -opwd <oid admin password>
    
    
  3. Run SSLConfigTool in the Infrastructure Oracle home as follows:

    $ORACLE_HOME/bin/SSLConfigTool -config_w_prompt -opwd <oid admin password>
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\bin\SSLConfigTool -config_w_prompt -opwd <oid admin password>
    
    

    Use the values specified in the portlist.ini and ias.properties files.

  4. Enter the following command in the Infrastructure Oracle home to ensure that OracleAS Single Sign-On is configured to use the Oracle HTTP Server port of the Applications tier:

    $ORACLE_HOME/sso/bin/ssocfg.sh https <hostname> <midtier ssl Port>
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\sso\bin\ssocfg.bat https <hostname> <midtier ssl Port>
    
    

    Ensure that the corresponding Port directive in the $ORACLE_HOME/Apache/Apache/conf/ssl.conf (for Microsoft Windows: %ORACLE_HOME%\Apache\Apache\conf\ssl.conf) file in the Infrastructure tier matches the Port directive in the $ORACLE_HOME/Apache/Apache/conf/ssl.conf (for Microsoft Windows: %ORACLE_HOME%\Apache\Apache\conf\ssl.conf) file of the Application tier.

    The SSL Listen directive of the Infrastructure tier and the Applications tiers should be different.

  5. On UNIX-based platforms, enter the following commands:

    $ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\opmn\bin\opmnctl stopproc process-type=HTTP_Server
    %ORACLE_HOME%\opmn\bin\opmnctl startproc process-type=HTTP_Server
    

7.4.3 Applications Tier Setup

Perform the following tasks in the Oracle home of the Applications tier:


Note:

Before performing the following steps, ensure that the https://hostname.domain:midtier_ssl_port page is accessible.

  1. Ensure that the environment variables ORACLE_HOME and PATH are set correctly.

  2. On UNIX-based platforms, use the following command to roll back any changes that were made during the installation:

    $ORACLE_HOME/bin/SSLConfigTool -rollback -opwd <oid admin password>
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\bin\SSLConfigTool -rollback -opwd <oid admin password>
    
    
  3. Edit the $ORACLE_HOME/Apache/Apache/conf/mod_proxy.conf (for Microsoft Windows: %ORACLE_HOME%\Apache\Apache\conf\mod_proxy.conf) file of Applications tier. Change the http protocol to https in each URL and change the existing non-SSL port value to that of the Infrastructure SSL Listen port. This SSL Listen port value can be found as the Listen value in the Infrastructure $ORACLE_HOME/Apache/Apache/conf/ssl.conf (for Microsoft Windows: %ORACLE_HOME%\Apache\Apache\conf\ssl.conf) file.

  4. On UNIX-based platforms, add the following directive to the $ORACLE_HOME/Apache/Apache/conf/mod_proxy.conf (for Microsoft Windows: %ORACLE_HOME%\Apache\Apache\conf\mod_proxy.conf) file after the ProxyRequests On directive:

    SSLProxyWallet file:<$ORACLE_HOME>/Apache/Apache/conf/ssl.wlt/default
    
    
  5. If you are making the change on Oracle Collaboration Suite 10.1.1.0.2 Applications tier, then you must locate the -config_w_default string in the last line of the midtierSSLConfigTool.<sh|bat> file and change it to -config_w_prompt.

  6. Run SSLConfigTool in the Applications Oracle home as follows on the UNIX-based platforms:

    $ORACLE_HOME/bin/midtierSSLConfigTool.sh <oid hostname> <oid port> \
    <oid admin dn> <oid admin password> <apps SSL port> https <hostname> \
    <oid ssl flag (true | false)>
    
    

    The command that you must run on Microsoft Windows is:

    %ORACLE_HOME%\bin\midtierSSLConfigTool.bat <oid hostname> <oid port> ^
    <oid admin dn> <oid admin password> <apps SSL port> https <hostname> ^
    <oid ssl flag (true | false)>
    
    

    In the preceding command:

    • oid_hostname: The host name of the Oracle Internet Directory computer the Applications tier is associated with.

    • oid_port: The port that the Oracle Internet Directory server is listening on.

    • oid_admin_dn: The administrative Distinguished Name (DN) for the Oracle Internet Directory admin user (cn=orcladmin).

    • oid_admin_password: The password for the Oracle Internet Directory admin user.

    • http_server_SSL_port: The SSL port that was configured during the installation. This value can be found in the $ORACLE_HOME/install/portlist.ini file as the Oracle HTTP Server SSL port value.

    • https: The indication that the HTTPS communication protocol will be used for Oracle HTTP Server.

    • hostname_of_the_machine: The host name that the computer is using with reference to its Oracle Collaboration Suite configuration. This may be the local host name or a load balancer virtual host name, as the case may be.

    • true | false: The boolean value indicates whether you are connecting to the Oracle Internet Directory SSL port. If the value is set to true, then you are connecting to the Oracle Internet Directory SSL port. If the value is set to false, then you are connecting to the Oracle Internet Directory non-SSL port.

  7. On the Applications tier Oracle home, run the following command:

    $ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct HTTP_Server
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\dcm\bin\dcmctl updateConfig -ct HTTP_Server
    
    
  8. Run the $ORACLE_BASE/install/infra_ssotrans.sh (for Microsoft Windows: %ORACLE_BASE%\install\infra_ssotrans.bat) script.


    Note:

    The ORACLE_BASE location is the directory in which the /infra (for Microsoft Windows: \infra) and /apps (for Microsoft Windows: \apps) directories are located.

  9. Update the orcldasurlbase attribute in the Oracle Internet Directory by running the following commands:

    setenv LD_LIBRARY_PATH $ORACLE_HOME/lib32:$ORACLE_HOME/lib:$ORACLE_HOME/network/lib32:$ORACLE_HOME/network/lib
    
    $ORACLE_HOME/jdk/bin/java -classpath $ORACLE_HOME/jlib/ldapjclnt10.jar:$ORACLE_HOME/jlib/ojmisc.jar:$ORACLE_HOME/jlib DasUrlBaseUpdate <hostname> \
    <oid port> <oid admin dn> <oid admin password> <apps tier SSL Port value> \
    https <hostname> false
    
    
  10. Run the following commands:

    $ORACLE_HOME/opmn/bin/opmnctl stopall
    $ORACLE_HOME/opmn/bin/opmnctl startall
    
    

    On Microsoft Windows:

    %ORACLE_HOME%\opmn\bin\opmnctl stopall
    %ORACLE_HOME%\opmn\bin\opmnctl startall
    
    

If you have been connecting to Oracle Collaboration Suite using the non-SSL ports, then you might have to clear the cache of your browser before connecting to the now SSL-enabled ports.
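
A check for steps 3 and 4 of the Applications tier setup, as an added example rather than an Oracle-supplied script: it reads the Infrastructure SSL Listen port from ssl.conf and reports any mod_proxy.conf URL that is still http, any URL on a different port, and an SSLProxyWallet directive that is missing or placed before ProxyRequests On. The sample files, host names, proxied paths and wallet path are constructed.

```shell
#!/bin/sh
# Added example: verify the mod_proxy.conf edits against the Infrastructure ssl.conf.

# Print the port of the first Listen directive ("Listen 4444" or "Listen host:4444").
ssl_listen_port() {   # $1 = Infrastructure ssl.conf
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n]; exit }' "$1"
}

# Print one line per problem; print nothing when the file is consistent.
proxy_conf_problems() {   # $1 = mod_proxy.conf, $2 = Infrastructure SSL Listen port
    awk -v port="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "proxyrequests" && tolower($2) == "on" && !requests { requests = NR }
        tolower($1) == "sslproxywallet" && !wallet { wallet = NR }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^http:\/\//) {
                    print "line " NR ": non-SSL URL " $i
                } else if ($i ~ /^https:\/\//) {
                    hostport = $i
                    sub(/^https:\/\//, "", hostport)
                    sub(/\/.*$/, "", hostport)
                    n = split(hostport, hp, ":")
                    p = (n > 1) ? hp[n] : 443     # no explicit port means 443
                    if (p + 0 != port + 0)
                        print "line " NR ": port " p " is not the Infrastructure SSL Listen port " port
                }
            }
        }
        END {
            if (!wallet)
                print "SSLProxyWallet directive is missing"
            else if (!requests || wallet < requests)
                print "SSLProxyWallet does not follow ProxyRequests On"
        }
    ' "$1"
}

# Constructed samples: ssl.conf, mod_proxy.conf before the edit and after it.
write_samples() {   # $1 = dir
    printf 'Listen 4444\n' > "$1/ssl.conf"
    cat > "$1/before.conf" <<'EOF'
ProxyRequests On
ProxyPass /sso/ http://infra.example.com:7777/sso/
ProxyPassReverse /sso/ http://infra.example.com:7777/sso/
EOF
    cat > "$1/after.conf" <<'EOF'
ProxyRequests On
SSLProxyWallet file:/u01/app/oracle/apps/Apache/Apache/conf/ssl.wlt/default
ProxyPass /sso/ https://infra.example.com:4444/sso/
ProxyPassReverse /sso/ https://infra.example.com:4444/sso/
EOF
}

# Demo on the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
listen=$(ssl_listen_port "$demo/ssl.conf")
echo "before the edit:"; proxy_conf_problems "$demo/before.conf" "$listen"
echo "after the edit:";  proxy_conf_problems "$demo/after.conf" "$listen"
rm -rf "$demo"
```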