Enable HTTPS
The Oracle Enterprise Communications Broker (ECB) REST API only accepts requests over secure HTTPS connections. Unencrypted HTTP requests are rejected with a 426 Upgrade Required. Follow this procedure to enable secure communications between the REST client and the ECB.
Task 1: Generate a Certificate Signing Request on the ECB
After logging in as the admin user on the ECB:
- Access the certificate-record configuration element.
    ORACLE# conf t
    ORACLE(configure)# security
    ORACLE(security)# certificate-record
    ORACLE(certificate-record)#
- Supply the details for the certificate you will install on the ECB.
    ORACLE(certificate-record)# name example-name
    ORACLE(certificate-record)# country US
    ORACLE(certificate-record)# state MA
    ORACLE(certificate-record)# locality Boston
    ORACLE(certificate-record)# organization Engineering
    ORACLE(certificate-record)# common-name Acme
    ORACLE(certificate-record)# key-size 2048
    ORACLE(certificate-record)# key-algor ecdsa
- Type done to save your configuration.
    ORACLE(certificate-record)# done
- Navigate to the top level of the ACLI.
    ORACLE(certificate-record)# exit
    ORACLE(security)# exit
    ORACLE(configure)# exit
    ORACLE#
- Generate a certificate request.
    ORACLE# generate-certificate-request example-name
    Generating Certificate Signing Request. This can take several minutes....
    -----BEGIN CERTIFICATE REQUEST-----
    . . .
    -----END CERTIFICATE REQUEST-----
    WARNING: Configuration changed, run "save-config" command.
    ORACLE#
Task 2: Acquire the Certificate
Send the certificate request to a Certificate Authority (CA). The CA will reply with a certificate for you to install on the ECB.
Task 3: Import the Certificate into the ECB
- Execute the import-certificate command.
- Paste the certificate into the ACLI, using a semicolon to terminate the certificate.
    ORACLE# import-certificate try-all example-name
    IMPORTANT: Please enter the certificate in the PEM format.
    Terminate the certificate with ";" to exit.......
    -----BEGIN CERTIFICATE-----
    . . .
    -----END CERTIFICATE-----;
    Certificate imported successfully....
    WARNING: Configuration changed, run "save-config" command.
    ORACLE#
Task 4: Configure TLS
- Access the tls-global configuration element.
    REST# conf t
    REST(configure)# security
    REST(security)# tls-global
    REST(tls-global)#
- Select the object and verify that session-caching is disabled and session-cache-timeout is 12.
    ORACLE(tls-global)# select
    ORACLE(tls-global)# show
    tls-global
        session-caching                disabled
        session-cache-timeout          12
        last-modified-by
        last-modified-date
- Type done to save your configuration.
    ORACLE(tls-global)# done
- Access the tls-profile configuration element.
    ORACLE(tls-global)# exit
    ORACLE(security)# tls-profile
    ORACLE(tls-profile)#
- Give a name to this tls-profile.
    ORACLE(tls-profile)# name restless
- Set end-entity-certificate to the name of the previously configured certificate-record.
    ORACLE(tls-profile)# end-entity-certificate example-name
- Set the TLS version.
    ORACLE(tls-profile)# tls-version compatibility
- Type done to save your configuration.
Enable HTTPS on the ECB Web Server
- Access the web-server-config configuration element.
    ORACLE# co t
    ORACLE(configure)# system
    ORACLE(system)# web-server-config
    ORACLE(web-server-config)#
- Select the object and show the parameters.
    ORACLE(web-server-config)# select
    ORACLE(web-server-config)# show
    web-server-config
        state                          enabled
        inactivity-timeout             5
        http-state                     enabled
        http-port                      80
        https-state                    disabled
        https-port                     443
        http-interface-list            REST,GUI
        tls-profile
        last-modified-by
        last-modified-date
- Set https-state to enabled.
    ORACLE(web-server-config)# https-state enabled
- Set http-interface-list to REST,GUI if using both REST and the GUI, or to REST if using REST but not the GUI.
    ORACLE(web-server-config)# http-interface-list REST,GUI
- Set the tls-profile attribute to the name of the previously configured tls-profile configuration element.
    ORACLE(web-server-config)# tls-profile restless
- Type done to save your configuration.
Task 5: Save, Activate, and Reboot
- From the top level of the ACLI, save the configuration.
    ORACLE# save-config
- Activate the configuration.
    ORACLE# activate-config
- Reboot the ECB.
    ORACLE# reboot
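
The procedure chains three names: the tls-profile value in web-server-config must match a tls-profile name, and that profile's end-entity-certificate must match a certificate-record name. The following is an added example, not Oracle's code, that parses captured show output and reports any broken link. The tls-profile and certificate-record samples are constructed, and their parameter/value layout is assumed to match the show output printed in the procedure.

```python
# Added example: checks captured ACLI "show" output for the name chain
# web-server-config -> tls-profile -> certificate-record set up above.

def parse_show(text):
    """Parse one element's "show" output into {parameter: value}."""
    lines = [ln.split(None, 1) for ln in text.strip().splitlines() if ln.strip()]
    # lines[0] is the element name; parameters with no value map to "".
    return {p[0]: (p[1].strip() if len(p) > 1 else "") for p in lines[1:]}

def audit(web_show, profile_show, cert_show):
    """Return findings; an empty list means HTTPS is wired end to end."""
    web, prof, cert = (parse_show(t) for t in (web_show, profile_show, cert_show))
    findings = []
    if web.get("https-state") != "enabled":
        findings.append("https-state is not enabled")
    if "REST" not in web.get("http-interface-list", "").split(","):
        findings.append("REST is not in http-interface-list")
    if not web.get("tls-profile"):
        findings.append("web-server-config has no tls-profile")
    elif web["tls-profile"] != prof.get("name"):
        findings.append("tls-profile name does not match web-server-config")
    if not prof.get("end-entity-certificate"):
        findings.append("tls-profile has no end-entity-certificate")
    elif prof["end-entity-certificate"] != cert.get("name"):
        findings.append("end-entity-certificate does not match certificate-record")
    return findings

# web-server-config values shown in the procedure (last-modified lines omitted).
WEB_BEFORE = """web-server-config
    state enabled
    inactivity-timeout 5
    http-state enabled
    http-port 80
    https-state disabled
    https-port 443
    http-interface-list REST,GUI
    tls-profile
"""
# Constructed samples: state after the procedure, limited to the checked fields.
WEB_AFTER = (WEB_BEFORE.replace("https-state disabled", "https-state enabled")
             .replace("tls-profile\n", "tls-profile restless\n"))
PROFILE = "tls-profile\n name restless\n end-entity-certificate example-name\n tls-version compatibility\n"
CERT = "certificate-record\n name example-name\n common-name Acme\n"

if __name__ == "__main__":
    for label, web in (("before", WEB_BEFORE), ("after", WEB_AFTER)):
        print(label, audit(web, PROFILE, CERT) or "OK")
```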