Oracle HTTP Server Procedures
Creating a Wallet and Installing Certificate for Oracle HTTP Server
A default wallet is automatically installed with Oracle HTTP Server. You must configure a real wallet for each Oracle HTTP Server in your deployment.
Note: Starting 11.2.x, Oracle Wallet Manager is not installed with Oracle HTTP Server. The Oracle Wallet Manager gets installed only if you install the Oracle Database Client. You must use the wallet manager available with Database Client to create the wallet and import the certificate. If you are configuring Oracle HTTP Server for SSL, ensure that you always install the Oracle Database Client 64-bit as part of the installation of your EPM system products.
To create and install an Oracle HTTP Server certificate:
- On each machine that hosts Oracle HTTP Server, launch the Wallet Manager.
  Select Start, then All Programs, Oracle-OHxxxxxx, then Integrated Management Tools, and then Wallet Manager. xxxxxx is the Oracle HTTP Server instance number.
- Create a new, empty Wallet.
  - In Oracle Wallet Manager, select Wallet, and then New.
  - Click Yes to create a default wallet directory, or No to create the Wallet file in a location of your choice.
  - In Wallet Password and Confirm Password on the New Wallet screen, enter the password that you want to use.
  - Click OK.
  - In the confirmation dialog box, click No.
- Optional: If you are not using a CA that is known to Oracle HTTP Server, import the root CA certificate into the Wallet.
  - In Oracle Wallet Manager, right-click Trusted Certificates and select Import Trusted Certificate.
  - Browse and select the root CA certificate.
  - Select Open.
- Create a certificate request.
  - In Oracle Wallet Manager, right-click Certificate: [Empty] and select Add Certificate Request.
  - In Create Certificate Request, enter the required information.
    For the common name, enter the fully qualified server alias; for example, epm.myCompany.com or epminternal.myCompany.com, available in the hosts file on your system.
  - Click OK.
  - In the confirmation dialog box, click OK.
  - Right-click the certificate request that you created, and then select Export Certificate Request.
  - Specify a name for the certificate request file.
- Using the certificate request files, obtain signed certificates from the CA.
- Import signed certificates.
  - In Oracle Wallet Manager, right-click the certificate request that was used to obtain the signed certificate, and then select Import User Certificate.
  - In Import Certificate, click OK to import the certificate from a file.
  - In Import Certificate, select the Certificate file, and then click Open.
- Save the Wallet to a convenient location; for example, EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/keystores/epmsystem.
- Select Wallet, and then Auto Login to activate auto login.
Setting Up Oracle Wallet Using ORAPKI (on Linux)
To set up Oracle Wallet using the ORAPKI command line, complete the following steps:
- Create a folder for your wallet:
  $ mkdir /MIDDLEWARE_HOME/oracle_common/wallet
- Add the location of the orapki utility to your path:
  $ export PATH=$PATH:$MIDDLEWARE_HOME/oracle_common/bin
- Create a wallet to hold your certificate:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet [wallet_location] -auto_login
  This command prompts you to enter and reenter a wallet password, if no password has been specified on the command line. It creates a wallet in the location specified for -wallet.
- Generate a certificate signing request (CSR) and add it to your wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -dn 'CN=<CommonName>,OU=<OrganizationUnit>, O=<Company>, L=<Location>, ST=<State>, C=<Country>' -keysize 512|1024|2048|4096 -pwd [Wallet_Password]
- Add the root and intermediate certificates into the trusted keystore:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -trusted_cert -cert [certificate_location] [-pwd]
- Use your CA (Certificate Authority) to sign the CSR (Certificate Signing Request). To export the certificate request from an Oracle Wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet export -wallet [wallet_location] -dn 'CN=<CommonName>,OU=<OrganizationUnit>, O=<Company>, L=<Location>, ST=<State>, C=<Country>' -request [certificate_request_filename] [-pwd]
- Import the signed CSR into the wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -user_cert -cert [certificate_location] [-pwd]
- To display the contents of the wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet display -wallet [wallet_location] [-pwd]
SSL-Enabling Oracle HTTP Server
After reconfiguring the web server on each machine that hosts Oracle HTTP Server, update the Oracle HTTP Server configuration file by replacing the location of the default Wallet with the location of the wallet that you created.
To configure Oracle HTTP Server for SSL:
- Reconfigure the web server on each Oracle HTTP Server host machine in your deployment.
  - Start EPM System Configurator for the instance.
  - In the configuration task selection screen, complete these steps, and then click Next.
    - Clear the selection from Uncheck All.
    - Expand Hyperion Foundation task group, and then select Configure Web Server.
  - In Configure Web Server, click Next.
  - In Confirmation, click Next.
  - In Summary, click Finish.
  - Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/ssl.conf.
  - Ensure that the SSL port you are using is listed under OHS Listen port. If you are using 19443 as the SSL communication port, your entries should be as follows:
    Listen 19443
  - Set the SSLSessionCache parameter value to none.
- Update the configuration settings of each Oracle HTTP Server in your deployment.
  - Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/ssl.conf.
  - Locate the SSLWallet directive and change its value so that it points to the wallet where you installed the certificate. If you created the wallet in EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/keystores/epmsystem, your SSLWallet directive may be as follows:
    SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/epmsystem"
  - Save and close ssl.conf.
- Update mod_wl_ohs.conf on each Oracle HTTP Server in your deployment.
  - Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/mod_wl_ohs.conf.
  - Ensure that the WLSSLWallet directive points to the Oracle Wallet where the SSL certificate is stored.
    WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet
    For example, C:/Oracle/Middleware/ohs/bin/wallets/myWallet
  - Set the value of the SecureProxy directive to ON.
    SecureProxy ON
  - Ensure that the LocationMatch definitions for deployed Oracle Enterprise Performance Management System components are similar to the following Oracle Hyperion Shared Services example, which assumes an Oracle WebLogic Server cluster (on myserver1 and myserver2 using SSL port 28443):
    <LocationMatch /interop/>
      SetHandler weblogic-handler
      pathTrim /
      WeblogicCluster myServer1:28443,myServer2:28443
      WLProxySSL ON
    </LocationMatch>
  - Save and close mod_wl_ohs.conf.
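The following check is an added example, not Oracle tooling and not part of the original procedure. It reads the text of ssl.conf and mod_wl_ohs.conf and reports which of the settings from the steps above are missing or different. The function names and the sample file contents are constructed for illustration, and the SSLWallet comparison assumes the path is written exactly as expected.

```python
import re

def directives(text):
    """Return {name: [values]} for directive lines, skipping comments and <Section> tags."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            found.setdefault(name.lower(), []).append(value.strip().strip('"'))
    return found

def audit_ssl_conf(text, port, wallet):
    # Checks the three ssl.conf settings named in the procedure.
    d, problems = directives(text), []
    if str(port) not in [v.rsplit(":", 1)[-1] for v in d.get("listen", [])]:
        problems.append(f"Listen {port} is missing")
    if [v.lower() for v in d.get("sslsessioncache", [])] != ["none"]:
        problems.append("SSLSessionCache is not none")
    if d.get("sslwallet") != [wallet]:
        problems.append("SSLWallet does not point to the new wallet")
    return problems

def audit_mod_wl_ohs(text):
    # Checks WLSSLWallet, SecureProxy, and WLProxySSL in every proxied LocationMatch.
    d, problems = directives(text), []
    if not d.get("wlsslwallet"):
        problems.append("WLSSLWallet is not set")
    if [v.upper() for v in d.get("secureproxy", [])] != ["ON"]:
        problems.append("SecureProxy is not ON")
    blocks = re.findall(r"<LocationMatch\s+([^>]+)>(.*?)</LocationMatch>", text, re.S | re.I)
    for path, body in blocks:
        b = directives(body)
        if "weblogiccluster" in b and [v.upper() for v in b.get("wlproxyssl", [])] != ["ON"]:
            problems.append(f"{path.strip()}: WLProxySSL is not ON")
    return problems

# Constructed sample contents; MOD_WL_OHS deliberately omits WLProxySSL ON.
WALLET = "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/epmsystem"
SSL_CONF = 'Listen 19443\nSSLSessionCache none\nSSLWallet "' + WALLET + '"\n'
MOD_WL_OHS = """WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet
SecureProxy ON
<LocationMatch /interop/>
  SetHandler weblogic-handler
  WeblogicCluster myServer1:28443,myServer2:28443
</LocationMatch>"""

if __name__ == "__main__":
    print(audit_ssl_conf(SSL_CONF, 19443, WALLET) + audit_mod_wl_ohs(MOD_WL_OHS))
```

Run it against the real files by reading them into strings and passing the SSL port and wallet path used in your deployment.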