Configure SSL for Oracle Traffic Director

You can update the Oracle Traffic Director load balancer in Oracle Java Cloud Service to use a generated, self-signed certificate, or a certificate that has been issued by a CA.

Before you begin, ensure that you have enabled Oracle Traffic Director in your service instance, and also registered your custom domain name, as described in Configure a Vanity Domain Name for a Service Instance.

By default, if you created your service instance in an Oracle Cloud Infrastructure Classic region, external access to the load balancer console is disabled for security purposes. If you did not enable console access while provisioning your service instance, see Enabling Console Access in an Oracle Java Cloud Service Instance.

Tasks:

• Create a Self-Signed SSL Certificate in Oracle Traffic Director

• Import a CA-Issued SSL Certificate to Oracle Traffic Director

• Associate the SSL Certificate with Oracle Traffic Director

Create a Self-Signed SSL Certificate in Oracle Traffic Director

If you are not using a CA-issued certificate, then create a self-signed certificate by using the Load Balancer Console.

1. Access the Oracle Java Cloud Service console.
2. Click for the desired service instance and select Open Load Balancer Console.
3. Log in to console using the credentials defined when provisioning your service instance.

   If you created your service instance using the Oracle Java Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

4. Access the load balancer configuration (for example, opc-config):
   • If your service instance is running Oracle Traffic Director 12c, click the Target Navigation icon. Expand the Traffic Director folder and click the name of the Traffic Director configuration.
   • If your service instance is running Oracle Traffic Director 11g, click Configurations and then click the name of the Traffic Director configuration.
5. If your service instance is running Oracle Traffic Director 12c, perform these steps to create a self-signed certificate:
   1. Click Traffic Director Configuration and select Security > Manage Certificates.
   2. Click Generate Keypair.
   3. Enter an Alias for the new certificate.
   4. Set the Common Name to your custom domain name. For example, example.com.
   5. Complete the remaining fields and click OK.
6. If your service instance is running Oracle Traffic Director 11g, perform these steps to create a self-signed certificate:
   1. Expand SSL in the navigation pane and click Server Certificates.
   2. Click New Self Signed Certificate.
   3. Set the Server Name to your custom domain name. For example, example.com.
   4. Complete the remaining fields and click Next.
   5. On the Certificate Options page, enter a Nickname (alias) for the certificate. Click Next.
   6. Click Create Certificate.

Import a CA-Issued SSL Certificate to Oracle Traffic Director

Use the Load Balancer Console to create a Certificate Signing Request (CSR). After receiving the CA-issued certificate, import it into the load balancer configuration.

1. Access the Oracle Java Cloud Service console.
2. Click for the desired service instance and select Open Load Balancer Console.
3. Log in to console using the credentials defined when provisioning your service instance.

   If you created your service instance using the Oracle Java Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

4. Access the load balancer configuration (for example, opc-config):
   • If your service instance is running Oracle Traffic Director 12c, click the Target Navigation icon. Expand the Traffic Director folder and click the name of the Traffic Director configuration.
   • If your service instance is running Oracle Traffic Director 11g, click Configurations and then click the name of the Traffic Director configuration.
5. If your service instance is running Oracle Traffic Director 12c, perform these steps to generate a CSR:
   1. Click Traffic Director Configuration and select Security > Manage Certificates.
   2. Click Generate Keypair.
   3. Enter an Alias for the new certificate.
   4. Set the Common Name to your custom domain name. For example, example.com.
   5. Complete the remaining fields and click OK.
   6. Select your new certificate and click Generate CSR.
6. If your service instance is running Oracle Traffic Director 11g, perform these steps to generate a CSR:
   1. Expand SSL in the navigation pane and click Server Certificates.
   2. Click Create Certificate Request.
   3. Set the Server Name to your custom domain name. For example, example.com.
   4. Complete the remaining fields and click Next.
   5. On the Certificate Options page, click Next to accept the defaults.
   6. Click Create CSR.
7. Save the generated CSR text, including the header line -----BEGIN NEW CERTIFICATE REQUEST----- and footer line -----END NEW CERTIFICATE REQUEST-----.
8. Submit the CSR to your CA vendor to request a new CA-issued SSL certificate.
9. Return to the Load Balancer Console for your service instance.
10. If your service instance is running Oracle Traffic Director 12c, perform these steps to import the CA-issued certificate:
    1. Click Traffic Director Configuration and select Security > Manage Certificates.
    2. Click Import.
    3. Verify that Certificate Type is set to Certificate.
    4. Select the Alias of the certificate you generated earlier.
    5. You can paste the certificate text directly in the Paste Certificate String Here field, or click Choose File and select the certificate on your local file system. If you opt to paste the certificate text, be sure to include the headers BEGIN CERTIFICATE and END CERTIFICATE, including the beginning and ending hyphens.
    6. Click OK.
11. If your service instance is running Oracle Traffic Director 11g, perform these steps to import the CA-issued certificate:
    1. Expand SSL in the navigation pane and click Server Certificates.
    2. Click Install Certificate.
    3. Enter a Nickname (alias) for the certificate.
    4. You can paste the certificate text directly in the Certificate Data field, or provide the path to the certificate file in the Certificate File field. If you opt to paste the certificate text, be sure to include the headers BEGIN CERTIFICATE and END CERTIFICATE, including the beginning and ending hyphens.
    5. Click Next.
    6. Click Install Certificate.

For more information about managing load balancer certificates, see:

• Managing Certificates in Administering Oracle Traffic Director (12.2.1)

• Managing Certificates in Oracle Traffic Director Administrator's Guide (11.1.1.7)

Associate the SSL Certificate with Oracle Traffic Director

After installing a CA-issued or self-signed SSL certificate to the load balancer, you must associate it with the HTTPS listeners in the load balancer’s configuration. After the association is made, the load balancer will present the SSL certificate while processing any new HTTPS requests.

1. Access the Oracle Java Cloud Service console.
2. Click for the desired service instance and select Open Load Balancer Console.
3. Log in to console using the credentials defined when provisioning your service instance.

   If you created your service instance using the Oracle Java Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

4. Access the load balancer configuration (for example, opc-config):
   • If your service instance is running Oracle Traffic Director 12c, click the Target Navigation icon. Expand the Traffic Director folder and click the name of the Traffic Director configuration.
   • If your service instance is running Oracle Traffic Director 11g, click Configurations and then click the name of the Traffic Director configuration.
5. Navigate to the Listeners in this configuration:

   • If your service instance is running Oracle Traffic Director 12c, click Traffic Director Configuration and select Administration > Listeners.

   • If your service instance is running Oracle Traffic Director 11g, click Listeners in the navigation pane.

6. Click https-listener-1.
7. In the SSL/TLS Settings section select your new certificate in the RSA Certificate field.
8. Activate your changes:

   • If your service instance is running Oracle Traffic Director 12c, click OK.

   • If your service instance is running Oracle Traffic Director 11g, click Deploy Changes.

9. Repeat from step 3 to update the certificate of any additional HTTPS listeners in this configuration.

   Alternatively, you can configure SSL/TLS Settings for an entire Virtual Server in the load balancer configuration.

10. Restart the load balancer node(s) in your service instance for the change to take effect.
    1. Return to the Oracle Java Cloud Service console.
    2. Beside the load balancer node, click Manage this node , and then select Restart.
    3. When prompted for confirmation, click OK.

For more information about the SSL settings of the load balancer, see:

• Configuring SSL/TLS Between Oracle Traffic Director and Clients in Administering Oracle Traffic Director (12.2.1)

• Configuring SSL/TLS Between Oracle Traffic Director and Clients in Oracle Traffic Director Administrator's Guide (11.1.1.7)