Thursday, September 5, 2019

Enabling TLS in Oracle E-Business Suite Release 12.1 (Doc ID 376700.1)

This document describes how to encrypt some of the connections for Oracle E-Business Suite Release 12.1 using Transport Layer Security (TLS).
Note: For the setup and configuration required for Oracle E-Business Suite Release 12.2, refer to My Oracle Support Knowledge Document 1367293.1Enabling TLS in Oracle E-Business Suite Release 12.2.
The most current version of this document can be obtained in My Oracle Support Knowledge Document 376700.1.
The previous version of this document can be found in My Oracle Support Knowledge Document 2143099.1Enabling SSL or TLS in Oracle E-Business Suite Release 12.

In This Document

This document is divided into the following sections:
There is a change log at the end of this document.

Section 1: Introduction

Encrypting all connections for an application running over a network is done to provide communication security.
This document describes how to encrypt all connections for Oracle E-Business Suite Release 12.1 using Transport Layer Security (TLS). TLS is the successor to SSL and is a protocol that ensures privacy between communicating applications.

Section 2: How to Use This Document

Note: Before beginning, it's important to understand what you're trying to accomplish and your current configuration. This will help determine the relevant instructions in this document.
Begin by reading Section 3: Terminology and Concepts and Section 4: Oracle E-Business Suite Connections to understand the terminology and concepts used in this document.
Section 5: Configuring TLS 1.2 with Backward Compatibility and OpenSSL has been broken up into requirements that are needed for inbound, loopback, and outbound connections. Some of the outbound connection requirements in 5.3 Configure Loopback and Outbound Connections may depend on the specific configuration of the server that Oracle E-Business Suite is communicating with.
Section 6: Optional Configurations covers some optional configurations that can be used to further restrict the protocols that Oracle E-Business Suite uses. These include areas such as turning off all protocols except TLS 1.2 or ensuring that Oracle E-Business Suite has no HTTP ports open.
Section 7: Configuring Optional Integrations covers the specific configurations that will be required to encrypt communications between Oracle E-Business Suite and some of the optional integrations.
Section 8: Renew Revoked or Expired Certificates covers the case where you have an existing SSL/TLS instance and only need to renew your certificate. The certificate request remains unchanged, and depending on the Certifying Authority that issued the certificate, will only require the original certificate request to renew the certificate.This section outlines the steps for this process.
Section 9: Alternate TLS Termination Point covers the configuration of Oracle E-Business Suite with an alternate TLS termination point, such as a reverse proxy or load balancer. This section also covers the configuration of end-to-end TLS, where both Oracle E-Business Suite has been configured for TLS, in addition to making use of an alternate TLS termination point.

Section 3: Terminology and Concepts

  • Transport Layer Security (TLS)
    Transport Layer Security, or TLS, is the successor of SSL. TLS, like SSL, is a protocol that encrypts traffic between a client and a server. TLS creates an encrypted connection between two machines allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. There is no distinction between TLS certificates and SSL certificates issued by certifying authorities.
     
  • Secure Sockets Layer (SSL)
    SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL). This has been deprecated in favor of the preferred TLS reference going forward.
     
  • HTTP and HTTPS
    HTTP is the primary communication protocol for the World Wide Web. HTTPS is HTTP working on top of TLS.
     
  • Public Key Infrastructure
    The term Public Key Infrastructure (PKI) is used to describe the processes, technologies and practices that are required to provide a secure infrastructure. A PKI should provide the following - Authentication, Non repudiation, Confidentiality, Integrity, Access Control.
     
  • Certificate Authority (CA)
    A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority's private key to ensure authenticity. The Certificate Authority's Public Key is widely distributed.
     
  • Certificate Signing Request (CSR)
    A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA) to be converted into a real certificate.
     
  • Digital Certificate (Public Key)
    A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, called a Certification Authority (CA). The document is usually in a standard X509 format and contains three elements:
    1. Entity attributes (information about your organization)
    2. Public key (which is bound to the private key)
    3. Digital signature by the trusted CA's private key
  • Types of Digital Certificates
    To reduce the number of certificates required for an environment, the following options are available:
    • Subject Alternative Name (SAN) Certificate
      The use of the Subject Alternative Name field allows you to specify multiple host names to be protected by a single public key certificate. Use of SAN will also allow for using a single certificate for multiple domains.
    • Wild Card Certificate
      A public key certificate which can be used with multiple subdomains of a domain.
  • Private (Server) Key
    The private key file is a digital file that you generate as part of a key pair (private key and public key) and use to encrypt/decrypt messages. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key) which is issued by your CA is bound to this private key.
  • In-house and/or Self-signed Certificates
    These type of certificates are not publicly available and are used either for internal security reasons, testing purposes, or cost savings. The up side is that customers have full control over these type of certificates, but the down side is that they require additional steps that are not needed in the case of general production certificates. Certificates of this type are still comprised of a root certificate, an intermediate certificate, and the primary server certificate. Server and client side truststores would need to be updated with the full certificate chain in this case. If any component of the certificate chain is not found, errors may be encountered. Be sure you understand the limitations of these certificates when using them in any environment.

  • TLS Termination Point
    A TLS termination point is the end-point server for the encrypted connection that has been initiated by a client (for example, a browser).

    In the case of Oracle E-Business Suite the Oracle HTTP Server can act as a TLS termination point. An alternate TLS termination point, such as a reverse proxy or load balancer, can be configured in front of the Oracle HTTP Server.

Section 4: Oracle E-Business Suite Connections

4.1 Types of Connections

Oracle E-Business Suite connections fall into the following three categories:
  • Inbound connections
  • Loopback connections
  • Outbound connections
Each type of connection is described in further detail below. We recommend that you configure TLS encryption for all connections in an Oracle E-Business Suite environment.
Inbound Connections
Inbound connections are from a client to the Oracle HTTP Server (OHS) delivered with the Oracle E-Business Suite applications technology stack. With inbound connections, the SHA-2 signed PKI certificate is requested from a CA by your company for your Oracle E-Business Suite OHS. Examples include, but are not limited to the following:
  • User accesses Oracle E-Business Suite applications pages through the network using a browser
  • User accesses Oracle E-Business Suite application through Oracle Forms when using Forms Servlet mode
  • An XML Gateway message originating from a customer is sent to Oracle E-Business Suite
  • A mobile phone accesses the Oracle E-Business Suite through a REST service
The following process describes how TLS works with inbound connections to OHS:
  1. The client sends the server its best protocol and a list of cipher suites that it can use.
  2. The server suggests a protocol and a cipher suite from the list.
  3. The server presents its certificate and certificate chain (except the root CA certificate) to the client. This certificate contains the server's identifying information.
  4. The server may also optionally ask for a client certificate from the client (which is validated in a similar manner by the server).
  5. The client checks its trust store (root CA certificates) and validates the chain of trust with the given certificate and certificate chain. If it validates, the server is authenticated as a trusted server.
  6. The client and server perform a key exchange to generate a session key which is used to encrypt subsequent data.
    Client certificates are rarely used, but are an option for XML Gateway when using "Mutual Authentication".

Loopback Connections
Loopback connections are from Oracle E-Business Suite back to the Oracle HTTP Server (OHS) delivered with the Oracle E-Business Suite applications technology stack. For loopback connections, the SHA-2 signed PKI certificate is requested from a CA by your company for your Oracle E-Business Suite OHS. Examples include, but are not limited to the following:
  • Workflow notification emails from the concurrent manager tier
  • Payments call back from the database tier
  • Oracle Process Manager and Notification (OPMN)
  • Oracle Applications Manager Log Viewer

Outbound Connections
Outbound connections are from Oracle E-Business Suite to external site(s). For outbound connections, the SHA (can be SHA-1 or SHA-2) signed PKI certificate is requested from a CA by a site you are connecting to from Oracle E-Business Suite. For this case, Oracle E-Business Suite is acting as an HTTPS client. You must trust the root CA of the remote server's certificate chain in your truststore. Examples include, but are not limited to the following:
  • Punchout in iProcurement
  • XML Gateway connection to a partner applications
  • Payments credit card processing
  • Dunn & Bradstreet (HZ)
  • International Trade Management (ITM) for screening orders and deliveries
  • CIS Tax Module

4.2 TLS Versions Certified with Oracle E-Business Suite Connections

Oracle E-Business Suite inbound, outbound, and loopback connections are currently certified with TLS 1.2, 1.1, and 1.0. The default Oracle E-Business Suite configuration provided in Section 5: Configuring TLS 1.2 with Backward Compatibility and OpenSSL allows for the handshake between the client and server to negotiate and use the highest version of TLS (either 1.2, 1.1, or 1.0) supported by both parties. This configuration is referred to as "TLS 1.2 with backward compatibility."
Example 1: If the outbound connection used by iProcurement is by default configured for TLS 1.2, 1.1 and 1.0 and if a call is made from Oracle E-Business Suite iProcurement to an external site that supports TLS 1.2 and a common cipher suite is found, then TLS 1.2 will be used. If a call is made from Oracle E-Business Suite iProcurement to an external site that supports TLS 1.1 and a common cipher suite is found, then the handshake negotiation will resolve to use TLS 1.1 for the connection.
Example 2: If the Oracle E-Business Suite Oracle HTTP Server (OHS) for inbound connections is by default configured for TLS 1.2, 1.1 and 1.0. If a client using a browser that supports TLS 1.2 attempts to connect to the OHS, then TLS 1.2 will be used. If a client using a browser that supports only up to TLS 1.1 attempts to connect to the OHS, then the handshake negotiation between the server and client will dictate the use of TLS 1.1 for the connection.
You may optionally configure Oracle E-Business Suite to use only the highest level of TLS certified with Oracle E-Business Suite Release 12.1. See 6.1 Configuring TLS 1.2 Only for more details.
The default requirements and configuration provided in Section 5: Configuring TLS 1.2 with Backward Compatibility and OpenSSL provides the ability to use SHA-2 signed PKI certificates and also addresses recent security vulnerabilities including:
  • Weak Cipher Suites/FREAK
  • POODLE
  • DROWN
  • ROBOT

Additional SSL/TLS Requirements for Java Web Start (JWS) Users

SSL/TLS users running Java Web Start (JWS) require a chain of trust to the Java certificate store for their server certificate on the desktop. This is in addition to the usual chain of trust to the browser.
If using a recognized certificate authority (CA) there should be no further requirements as the server certificate will already be included be in the Java 'System' store by default.
If using your own in-house CA you must import the server root (and if applicable the intermediate) certificate into the Java 'Secure Site CA' certificate store through the Java Control Panel:
Java Control Panel -> Security (tab) -> Manage Certificates (button) -> Certificate Type: Secure Site CA -> Import (button)
Without this chain of trust you will see a pop-up 'Security Warning' window stating "The connection to this website is untrusted" when trying to run Java content within EBS.

Section 5: Configuring TLS 1.2 with Backward Compatibility and OpenSSL

This section details the steps necessary to enable TLS 1.2 with backward compatibility and OpenSSL. As part of this process, you will also migrate to new OpenSSL libraries which will change the method by which you generate and import your SHA signed PKI certificate. The configuration and patches in this section also address recent vulnerabilities including weak cipher suites, FREAK, POODLE, and DROWN.
Note: If you have previously enabled SSL or TLS and are migrating to TLS 1.2, you will not be able to easily re-use your current certificate and private key even if they are still valid. You must follow all steps in this section and request that your certificate authority rekey or reissue your certificate. This is applicable for any certificates not already SHA-2 compliant.

5.1 Apply Required Updates and Patches

Follow the steps below to apply the necessary updates and patches.
Step 1 - Upgrade to latest Java Development Kit (JDK) 7.
Note: AIX customers need to upgrade their Application tier JDK to a minimum of JDK 1.7 SR10 FP1.
For JDK 7 upgrade, follow the instructions in My Oracle Support Document 1467892.1Using JDK 7.0 Latest Update with Oracle E-Business Suite Release 12.0 and 12.1.
Starting with the January 2017 Java CPU, TLS 1.1 and TLS 1.2 are enabled by default. The specific minimum version is JDK 1.7.0_131.
Step 2 - Upgrade to Oracle HTTP Server (OHS) 10.1.3.5.
To do this, follow the instructions in My Oracle Support Knowledge Document 454811.1Upgrading to the Latest OracleAS 10g 10.1.3.x Patch Set in Oracle E-Business Suite Release 12.
Step 3 - Apply the October 2015 CPU or a later CPU to Oracle Fusion Middleware 10.1.3.5.
Download Patch 21845960 for UNIX or Patch 21845962 for Windows from My Oracle Support and follow the instructions in Document 2051000.1Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2015).
Note: Oracle always recommends that you apply the latest CPU to all components of Oracle E-Business Suite. Refer to My Oracle Support Knowledge Document 2484000.1Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12.
Step 4 - Apply platform-specific updates.
For AIX and HP Itanium only, also apply Patch 21948197 to Oracle Fusion Middleware 10.1.3.5.
For Windows only, also apply Patch 22251660 to Oracle Fusion Middleware 10.1.3.5.
Step 5 - Apply the Oracle Fusion Middleware 10.1.3.5 OpenSSL patches.
In addition to applying the CPU patches listed in Step 3 above, you must also apply one of these combinations of OHS and OPMN patches which contain the required updates for the OpenSSL libraries.
Note: Oracle recommends that you apply the latest released patches in the list, which is represented here in the top row.

Please note the following:

* If you are on Linux, the OHS patches are only supported on Oracle Linux 5 or higher.
* If you are on AIX, Patch 29292327 and later are only supported on AIX 6.1 or higher.
* If patch is not available for your platform, contact Oracle Support to request the patch.

Delivery Date
OHS Patch
OPMN Patch
Apr 2019Patch 29292327Patch 27208670
Jan 2018Patch 27078378Patch 27208670
July 2017Patch 25859264Patch 24484104
Oct 2016Patch 24483815Patch 24484104
July 2016Patch 22447165Patch 22458773
Step 6 - Apply product-specific patches.
  • Oracle TXK - Apply Patch 23645824:R12.TXK.B to address issues after enabling TLS for OHS to OC4J connections.
  • Oracle Workflow - Apply patch 22974534:R12.OWF.B to address an Oracle Workflow Notification Mailer issue.
  • Oracle Workflow - Upgrade Java Mail API to 1.5.4 using patch 22322938 and OWF patch 27881758:R12.OWF.B to address Oracle Workflow Mailer issue with Outlook Office365 connection and TLS 1.2.
    If a conflict is reported with patch 8999551 allow opatch to roll it back when applying patch 22322938.
  • Oracle iProcurement - Apply the patches mentioned in My Oracle Support Knowledge Document 1937220.1Punchout in Oracle iProcurement and Exchange Fails After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake SSLIOClosedOverrideGoodbyeKiss), which correspond to the appropriate applications version.
  • Oracle iPayment - Ensure to meet the requirements listed in Document 1573912.1All About Oracle Payments Release 12 Wallets and Payments Data Encryption, for Payments configuration, as well as Document 2159740.1Oracle Payment Support For TLS1.2.
  • Oracle XML Gateway - For Oracle E-Business Suite Release 12.1 patching requirements, refer to Document 1961140.1Configuring Oracle XML Gateway for SSL/TLS Authentication in Oracle E-Business Suite Release 12.1. In addition, apply patch 22922530:R12.ECX.B.

5.1.1 Prerequisites for Implementing TLS for ECC Certification

Customers on database version 11.2.0.4 are required to apply Oct 2018 PSU or later to support ECC certificates. Customers on 12c database can skip this step.

5.2 Configure Inbound Connections

The steps below are for the minimum requirements for inbound connections to the Oracle E-Business Suite Application Tier Oracle HTTP Server (OHS) to enable TLS and for the use of SHA-2 signed PKI certificates.

5.2.1 Configure your environment

To configure your environment, you must perform the steps listed in this section.
Step 1 - Create a PKI key pair and certificate signing request.
Create a new directory if it does not already exist (for example, $INST_TOP/certs/Apache) and create a host-specific OpenSSL configuration file in that directory as the following:
% cat new.cnf
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = ext
[dn]
CN = hostname.domain.com
O = Example Inc
OU = Key Team
L = San Diego
ST = California
C = US
[ext]
subjectAltName = DNS:hostname.domain.com,DNS:domain.com
==================
Here is the explanation on what values to enter when creating the configuration file:
[req]
prompt = nodo not prompt
default_md = sha256the default message digest should be sha256 based
distinguished_name = dnget the Distinguished Name from the [dn] section
req_extensions = extget the extensions from the [ext] section

[dn]
CN = hostname.domain.comset Common Name to your full hostname
O = Example Incset the Organization to your company name
OU = Key Teamset Organizational Unit to any team or division within your company
L = San Diegoset Location to the city of your company's headquarters
ST = Californiaset State to the state or province or territory of your company's headquarters
C = USset Country to the ISO country code of the county

[ext]
subjectAltName = DNS:hostname.domain.com,DNS:domain.comspecify alternate hostnames If the hostname of your site is hostname.domain also add the domain without the hostname. here. Otherwise just repeat the Common Name.
Note that the values for the elements in your certificate signing request's Distinguished Name may be dictated by your local policies or the policies of the commercial Certificate Authority you will use to sign your certificate.
Check local and CA policies to determine acceptable values before generating the CSR.
===================
If you use wildcard certificate to protect multiple servers, specify the server name as an asterisk (*) plus the domain in Common Name. For example: *.domain.com .
If you use SAN (Subject Alternative Name) certificate to protect multiple servers, specify/add the SAN information in the order form when submitting the CSR to CA and then the issued certificate will contain the SAN elements, which is supported by most CAs nowadays. In case this is NOT supported by the CA and you need to add SAN information in the CSR before submitting, perform the following:
  1. Set Common Name (CN) to one of your hostnames, e.g: CN = hostname.domain.com
  2. Include all the hostnames in SAN (subjectAltName), e.g: subjectAltName = DNS:hostname.domain.com,DNS:hostname1.example.com,DNS:hostname2.example.com.
Step 2 - Backup directories and update your PATH.
  1. Backup your $INST_TOP/certs/Apache directory.
  2. Prepend the OpenSSL binary directory (for example: <10.1.3 OH>/Apache/open_ssl/bin) to your PATH so that the OpenSSL binary that came from the Oracle Fusion Middleware patches above will be used. You may also need to enable the execute permissions on the openssl binary.
    export PATH=<10.1.3 OH>/Apache/open_ssl/bin:$PATH

    chmod 755 openssl
  3. Set the OPENSSL_CONF environment parameter to the path of the new.cnf file created above.
    export OPENSSL_CONF=$INST_TOP/certs/Apache/new.cnf
Step 3 - Create a 2048 RSA private key and a CSR signed using sha256WithRSAEncryption.
  1. Make sure LD_LIBRARY_PATH contains a path to your Oracle Fusion Middleware 10.1.3 ORACLE_HOME/lib.
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:< FMW 10.1.3 ORACLE_HOME>/lib
  2. Now, run the following command:
    openssl req -newkey rsa:2048 -nodes -keyout server.key -sha256 -out new.csr -config new.cnf
  3. Then submit your certificate request (CSR) to your certificate authority (CA).

    Note: If you are migrating to TLS 1.2 from a prior version of SSL or TLS and have a current, valid server certificate, you can request that your CA rekey or reissue your certificate.

For ECC customers only
Create a ECC private key and CSR with ecdsa-with-SHA256
  1. Make sure LD_LIBRARY_PATH contains a path to your Oracle Fusion Middleware 10.1.3 ORACLE_HOME/lib.
    2. export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:< FMW 10.1.3 ORACLE_HOME>/lib
  2. Now, run the following command:
    3. openssl ecparam -genkey -name prime256v1 -out server.key
    openssl req -new -sha256 -key server.key -out server.csr -config new.cnf
  3. Then submit your certificate request (CSR) to your certificate authority (CA).

For self-signed non-ECC and ECC certificate, Create a server.crt using below command
openssl req -x509 -sha256 -days 365 -key server.key -in server.csr -out server.crt
For self-signed certificate server.crt and ca.crt are same , So make a copy of server.crt as ca.crt.
Step 4 - Receive server certificate and certificate chain files from the CA.
From the CA, you will receive the following:
  • A CA signed server certificate
  • The certificate of the root CA
  • The certificates of any required intermediate CAs
  1. Place the above files in the same directory that contains your server private key: server.key.
  2. Rename the server certificate file to server.crt, rename the root CA file to ca.crt, and rename any intermediate certificate file to intermediate.crt.
    If you do not have an intermediate certificate, run the following command to create an empty intermediate.crt file:
    echo -n > intermediate.crt
    Note: Use the specified names for the files to ensure that the configuration directives used later in this document will reference the correct files.
  3. Verify that your $INST_TOP/certs/Apache directory contains the following files:
    • server.key
    • new.csr
    • server.crt
    • intermediate.crt
    • ca.crt
  4. Create a certificate file for OPMN containing the server certificate and any intermediate certificate by executing the following:
    cat server.crt intermediate.crt ca.crt > opmn.crt
Step 5 - Update the context file.
Use the Oracle E-Business Suite Oracle Applications Manager (OAM) Context Editor to change the TLS-related parameters as shown in this table:
TLS Related Parameters in the Context File
ParameterNon-TLS ValueTLS Enabled Value
s_url_protocolhttphttps
s_local_url_protocolhttphttps
s_webentryurlprotocolhttphttps
s_active_webportsame as s_webportsame as s_webssl_port
s_webssl_portnot applicabledefault is 4443
s_https_listen_parameternot applicablesame as s_webssl_port
s_login_pageURL constructed with http protocol and s_webportURL constructed with https protocol and s_webssl_port
s_external_urlURL constructed with http protocol and s_webportURL constructed with https protocol and s_webssl_port

Step 6 - Perform additional configuration.
Copy the original files from <FND_TOP>/admin/template to <FND_TOP>/admin/template/custom, if the custom directory or any of the customized template files do not already exist. Update these custom files as documented below.
Custom Template FileModification
<FND_TOP>/admin/template/custom/opmn_xml_1013.tmp (for UNIX)

<FND_TOP>\admin\template\custom\opmn_xml_1013_nt.tmp(for Windows)		Replace this line in the template:
<ssl enabled="true" wallet-file="%s_web_ssl_directory%/opmn"/>

With the following:
For UNIX/Linux
<ssl enabled="true" openssl-certfile="%s_web_ssl_directory%/Apache/opmn.crt" openssl-keyfile="%s_web_ssl_directory%/Apache/server.key" openssl-password="<PASSWORD>" openssl-lib="%s_weboh_oh%/lib" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"/>
For Windows:
<ssl enabled="true" openssl-certfile="%s_web_ssl_directory%/Apache/opmn.crt" openssl-keyfile="%s_web_ssl_directory%/Apache/server.key" openssl-password="<PASSWORD>" openssl-lib="%s_weboh_oh%/bin" ssl-versions="TLSv1.0,TLSv1.1,TLSv1.2"/>
Note: The openssl-password is the passphrase for the the private key (server.key), which was not set when it was created. However, XML validation requires it to be set. The "<PASSWORD>" reference here is a generic password, such as "dummy" to comply with XML requirements.
Note: If you want to configure your environment to TLS 1.2 only, follow the instructions in 6.1 Configuring TLS 1.2 Only for the specific configuration needed for the above lines.
<FND_TOP>/admin/template/custom/httpd_conf_1013.tmp(for UNIX)
<FND_TOP>\admin\template\custom\httpd_conf_1013_nt.tmp(for Windows)		The instructions here are to comment out one line and to add a new line to reference mod_ssl.so. Separate instructions are listed for UNIX/Linux and Windows.
For UNIX/Linux
Modify the following
<IfDefine SSL>
LoadModule ossl_module libexec/mod_ossl.so
</IfDefine>
To the following:
<IfDefine SSL>
#LoadModule ossl_module libexec/mod_ossl.so
LoadModule ssl_module libexec/mod_ssl.so
</IfDefine>
For Windows
Modify the following:
<IfDefine SSL>
LoadModule ossl_module modules/ApacheModuleOSSL.DLL
</IfDefine>
To the following:
<IfDefine SSL>
#LoadModule ossl_module modules/ApacheModuleOSSL.DLL
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
Note: Even Windows customers need to change it to mod_ssl.sobased on the Apache module naming convention.
<FND_TOP>/admin/template/custom/ssl_conf_1013.tmp (for UNIX)
<FND_TOP>\admin\template\custom\ssl_conf_1013_nt.tmp(for Windows)		Step 1 - Comment out the following line in the template:
#SSLWallet file:%s_web_ssl_directory%/Apache
Step 2 - Add the following 3 lines into the template:
SSLCertificateFile %s_web_ssl_directory%/Apache/server.crt
SSLCertificateKeyFile %s_web_ssl_directory%/Apache/server.key
SSLCertificateChainFile %s_web_ssl_directory%/Apache/intermediate.crt
Step 3 - Replace the following:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
With the following:
SSLCipherSuite ECDHE:!NULL:!3DES:!RC4:+aRSA:AES128-SHA
Step 4 - Replace the following:
SSLProtocol    -all +TLSv1 +SSLv3
With the following:
SSLProtocol all -SSLv2 -SSLv3
Note: If you want to configure your environment to use TLS 1.2 only, follow the instructions in 6.1 Configuring TLS 1.2 Only for the specific configuration needed for the above lines.
Also refer to the instructions in Document 387859.1Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 to make changes to the customized version of the AutoConfig templates.
Step 7 - Run AutoConfig.
Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.
5.3 Configure Loopback and Outbound Connections
This section provides the minimum requirements for loopback and outbound connections to enable TLS use SHA-2 signed PKI certificates.

5.3.1 Perform the General Required Configuration

Step 1 - Perform necessary configuration using AutoConfig.
If you have applied the April 2017 or later JDK patch to your application tier, then you can skip this step.
The following modification will enable the TLS 1.1 and TLS 1.2 protocols.
Copy the original files mentioned in the table below from <FND_TOP>/admin/template to <FND_TOP>/admin/template/custom, if the custom directory or any of the customized template files do not already exist. Update these custom files as documented below.

Custom Template FileModification
<FND_TOP>/admin/template/custom/oc4j_properties_1013.tmp

<FND_TOP>/admin/template/custom/oafm_oc4j_properties_1013.tmp

<FND_TOP>/admin/template/custom/forms_oc4j_properties_1013.tmp(for UNIX)

<FND_TOP>\admin\template\custom\oc4j_properties_1013_nt.tmp
<FND_TOP>\admin\template\custom\oafm_oc4j_properties_1013_nt.tmp

<FND_TOP>\admin\template\custom\forms_oc4j_properties_1013_nt.tmp(for Windows)		Add:
https.protocols=TLSv1,TLSv1.1,TLSv1.2
Note: If you want to configure your environment to use TLS 1.2 only, follow the instructions in 6.1 Configuring TLS 1.2 Only for the specific configuration needed for the above lines.
Refer to My Oracle Support Knowledge Document 387859.1Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 for details about AutoConfig template customization.
Step 2 - Update the b64InternetCertificate.txt TrustStores.
Add the contents of the ca.crt file to b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:
$ cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt
Step 3 - Update the cacerts TrustStore.
If you purchased your server certificate from a commercial CA, you will most likely not have to perform this step as the root CA certificate will already be present in cacerts. The keytool command will let you know if you attempt to add a certificate already present in cacerts.
  1. Update the JDK cacerts file.
    Oracle Web Services requires the Certificate of the Certifying Authority who issued your server certificate (ca.crt from the previous step) to be present in the JDK cacerts file.
  2. Navigate to the $OA_JRE_TOP/lib/security directory.
  3. Follow these steps to ensure these requirements are met:
    1. Backup the existing cacerts file.
    2. Copy your ca.crt file to this directory and issue the following command to ensure that cacerts has write permissions:
      $ chmod u+w cacerts
  4. Add your Apache ca.crt to cacerts:
    $ keytool -importcert -alias ApacheRootCA -file ca.crt -v -keystore cacerts
  5. When prompted, enter the keystore password (default password is "changeit").
  6. When you have completed the modifications to the cacerts, reset the permissions:
    $ chmod u-w cacerts
Note: Whenever you upgrade your JDK version on the server, any additional certificates you have added to your cacerts file will be lost. You will need to re-import the root certificate or keep a copy of your original cacerts file which you can copy back in.
Step 4 - Run AutoConfig.
Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.

5.3.2 Database

Oracle products such as Oracle Configurator, Order Management, Order Capture, Quoting, iPayment, iStore, and Pricing are leveraging the database as an HTTP client. The implementation of TLS for the Oracle Database Server (which acts as a client sending requests to the Web server) makes use of the Oracle Wallet Manager for setting up an Oracle wallet. Support for SHA-2 certificates requires a database version of 11.2.0.3 or higher. Reference Document 1315291.1.
Note: This is a mandatory requirement for Oracle iStore storefront pages when the web tier is TLS enabled.
To enable the HTTPS client request from the database using UTL_HTTP, you need to establish a truststore in wallet format. You do not need a server certificate for this wallet. You only need to import the root CA certificate for the root CAs that are the trust anchor for the sites you need UTL_HTTP to connect to.
  1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
  2. Create a new wallet directory named wallet.
  3. Navigate to the newly created wallet directory.
  4. Open the Oracle Wallet Manager as a background process.
    owm &
  5. In the Oracle Wallet Manager Menu, navigate to Wallet > New.
    Answer NO to: Your default wallet directory doesn't exist. Do you wish to create it now? The new wallet screen will now prompt you to enter a password for your wallet. Click NO when prompted: A new empty wallet has been created. Do you wish to create a certificate request at this time?
  6. If you need to import ca.crt, on the Oracle Wallet Manager menu navigate to Operations > Import Trusted Certificate. Click OK. Double click on ca.crt to import it.
  7. Save the wallet: On the Oracle Wallet Manager Menu, click Wallet. Verify the Auto Login box is checked. Click Save.
If you are using ECC certificates, follow the steps below:
  1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
  2. Create a new wallet directory named wallet.
  3. Create an Auto Login wallet.
    orapki wallet create -wallet . -auto_login -pwd <PASSWORD>
  4. Import Trusted CA cert ca.crt into the wallet.
    orapki wallet add -wallet . -trusted_cert -cert ca.crt -pwd <PASSWORD> -jsafe
  5. Command to display and verify the content of the wallet.
    orapki wallet display -wallet . -jsafe
To test that the wallet is properly set up and accessible, login to SQLPLUS as the apps user and execute the following:
SQL>select utl_http.request('[address to access]', '[proxy address]', 'file:[full path to wallet directory]', null) from dual;
where:
'[address to access]' = the URL for your Oracle E-Business Suite Rapid Install Portal.
'[proxy address]' = the URL of your proxy server, or NULL if not using a proxy server.
'file:[full path to wallet directory]' = the location of your wallet directory (do not specify the actual wallet files).
The final parameter is the wallet password, which is set to null by default.
Examples:
SQL>select utl_http.request('https://www.hostname.domain.com','http://www.proxyhost.domain:80', 'file:/d1/oracle/db/tech_st/12.1.0/appsutil/wallet', null) from dual;
SQL>select utl_http.request('https://www.hostname.domain.com:4443',null, 'file:/d1/oracle/db/tech_st/12.1.0/appsutil/wallet', null) from dual;
If the wallet has been properly set up, you will be returned the first 2,000 characters of the HTML page.
Note: Oracle Database 11g Release 2 (11.2) and Oracle Database 12c enables Oracle Real Application Clusters (RAC) nodes to share a wallet. This eliminates the need to manually copy and synchronize the wallet across all nodes. The wallet can be created on a shared file system, allowing all instances to access the same shared wallet. If you are not using a shared file system to store the wallet, you need to copy the wallet to all nodes. This also applies to advanced database security features for which you may already be using a wallet, such as Transparent Data Encryption.

Section 6: Optional Configurations

This section provides the steps required to implement optional configurations. To implement any one of these alternatives, you must have already completed the steps previously described in Section 5: Configuring TLS 1.2 with Backward Compatibility and OpenSSL.
6.1 Configuring TLS 1.2 Only
6.2 Disabling the HTTP Port
6.3 Enabling TLS for OHS to OC4J Connections
6.4 HTTP Strict Transport Security (HSTS)

6.1 Configuring TLS 1.2 Only

You may optionally configure Oracle E-Business Suite to use only the highest level of TLS certified with Oracle E-Business Suite Release 12.1.
Caution:
  • If you configure Oracle E-Business Suite Release 12.1 to use TLS 1.2 only, this configuration could result in the inability to connect to other sites or with browsers that do not support TLS 1.2.
  • The configuration outlined in this section is not supported on HP PA-RISC.
  • You should not configure Oracle E-Business Suite Release 12.1 to use TLS 1.2 only if you intend to use either Mobile Applications V5 or Oracle E-Business Suite Information Discovery V6, as these only support TLS 1.0.
This section provides the configuration steps required to restrict Oracle E-Business Suite Release 12.1 to use only TLS 1.2.

6.1.1 Prerequisites

To configure Oracle E-Business Suite Release 12.1 to use TLS 1.2 only, you must ensure that you not only meet the requirements listed in the above sections of this document, but that you fulfill the following additional requirements:
  • Upgrade Oracle Database
    Perform either of the following to enable TLS 1.2 support for Oracle Database
    • Upgrade to Oracle Database 12.1.0.2 following the instructions in My Oracle Support Knowledge Document 1524398.1Interoperability Notes EBS 12.0 or 12.1 with RDBMS 12cR1.
    • Upgrade to Oracle Database 11.2.0.4 following the instructions in My Oracle Support Knowledge Document 1058763.1Interoperability Notes EBS 12.0 or 12.1 with RDBMS 11gR2 (11.2.0.4).

      Note: For customers using Oracle Database 11.2.0.4, it is required to apply a supported version of Database PSU which is OCT PSU 2018 or later (see MOS Document 1147107.1Database Patch Set Update Overlay Patches Required for Use with PSUs and Oracle E-Business Suite).
  • Configure Java Runtime Environment (JRE) on the Desktop Client
    Ensure that your desktop client has either:
    • JRE 8 - TLS 1.2 enabled by default, or
    • JRE 6/7 - Starting with the January 2017 JAVA CPU, TLS 1.1 and TLS 1.2 are enabled by default. The specific minimum versions are JRE 1.6.0_141 and JRE 1.7.0_131.

      Note: For any JRE 6/7 version older than Jan '17 CPU, TLS 1.2 can be enabled in JRE 6/7 through the Java Control Panel by selecting: Java Control Panel > Advanced tab > Advanced Security Settings section > Use TLS 1.2.
       
  • Use a TLS-Supported Browser
    Currently supported Windows browsers are as follows, with TLS 1.2 enabled by default:
    • Microsoft Internet Explorer 11
    • Mozilla Firefox ESR 45.x
    • Google Chrome v49

6.1.2 Configuration for Inbound Connections

Step 1 - Update the configuration.
To configure Oracle E-Business Suite Release 12.1 to use TLS 1.2 only for inbound connections, follow the steps detailed in 5.2 Configure Inbound Connections, although replace step 6 with the step below:
Alternate Step 6 - Perform Additional Configuration:
Copy the original files mentioned in the table below from <FND_TOP>/admin/template to <FND_TOP>/admin/template/custom, if the custom directory or any of the customized template files do not already exist. Update these custom files as documented below:
Custom Template FileModification
<FND_TOP>/admin/template/custom/opmn_xml_1013.tmp(for UNIX)
<FND_TOP>\admin\template\custom\opmn_xml_1013_nt.tmp(for Windows)		For UNIX/Linux
Update the ssl enabled line as follows:
<ssl enabled="true" openssl-certfile="%s_web_ssl_directory%/Apache/opmn.crt" openssl-keyfile="%s_web_ssl_directory%/Apache/server.key" openssl-password="<PASSWORD>" openssl-lib="%s_weboh_oh%/lib" ssl-versions="TLSv1.2"/>
For Windows
Update as the ssl_enabled line as follows:
<ssl enabled="true" openssl-certfile="%s_web_ssl_directory%/Apache/opmn.crt" openssl-keyfile="%s_web_ssl_directory%/Apache/server.key" openssl-password="<PASSWORD>" openssl-lib="%s_weboh_oh%/bin" ssl-versions="TLSv1.2"/>
Note: The openssl-password is the passphrase for the the private key (server.key), which was not set when it was created. However, XML validation requires it to be set. The "<PASSWORD>" reference here is a generic password, such as "dummy" to comply with XML requirements.
<FND_TOP>/admin/template/custom/httpd_conf_1013.tmp(for UNIX)
<FND_TOP>\admin\template\custom\httpd_conf_1013_nt.tmp(for Windows)		The instructions here are to comment out one line and to add a new line to reference mod_ssl.so. Separate instructions are listed for UNIX/Linux and Windows.
For UNIX/Linux
Modify the following:
<IfDefine SSL>
LoadModule ossl_module libexec/mod_ossl.so
</IfDefine>
To the following:
<IfDefine SSL>
#LoadModule ossl_module libexec/mod_ossl.so
LoadModule ssl_module libexec/mod_ssl.so
</IfDefine>
For Windows
Modify the following:
<IfDefine SSL>
LoadModule ossl_module modules/ApacheModuleOSSL.DLL
</IfDefine>
To the following:
<IfDefine SSL>
#LoadModule ossl_module modules/ApacheModuleOSSL.DLL
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
Note: Even in Windows you must change it to mod_ssl.so based on the Apache module naming convention.
<FND_TOP>/admin/template/custom/ssl_conf_1013.tmp (for UNIX)
<FND_TOP>\admin\template\custom\ssl_conf_1013_nt.tmp(for Windows)		Set the SSLProtocol as follows:
SSLProtocol TLSv1.2

6.1.3 Configuration for Loopback and Outbound Connections

Step 1 - Perform necessary configuration using AutoConfig.
To configure Oracle E-Business Suite Release 12.1 to use TLS 1.2 only for inbound connections, follow the steps detailed in 5.3 Configure Loopback and Outbound Connections, although replace 5.3.1 Step 1 with the following:
Alternate 5.3.1 Perform the General Required Configuration
Step 1 - Perform necessary configuration using AutoConfig:
The following modification will enable the TLS 1.2 protocols.
Note: Before performing the below configuration, ensure that the external site to which your Oracle E-Business Suite products need to connect has support for TLS 1.2. If you are not certain, check with the site owner or use a site that reports on the configuration of internet facing web servers (such as https://www.ssllabs.com/ssltest/).
Copy the original files mentioned in the table below from <FND_TOP>/admin/template to >FND_TOP>/admin/template/custom, if the custom directory or any of the customized template files do not already exist. Update these custom files as documented below.
Custom Template FileModification
<FND_TOP>/admin/template/custom/oc4j_properties_1013.tmp
<FND_TOP>/admin/template/custom/oafm_oc4j_properties_1013.tmp
<FND_TOP>/admin/template/custom/forms_oc4j_properties_1013.tmp
(for UNIX)

<FND_TOP>\admin\template\custom\oc4j_properties_1013_nt.tmp
<FND_TOP>\admin\template\custom\oafm_oc4j_properties_1013_nt.tmp
<FND_TOP>\admin\template\custom\forms_oc4j_properties_1013_nt.tmp
(for Windows)		Add:
https.protocols=TLSv1.2
Refer to My Oracle Support Knowledge Document 387859.1Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 for details about AutoConfig template customization.

6.2 Disabling the HTTP Port

You may optionally configure Oracle E-Business Suite to disable the HTTP port and use only the HTTPS port. Although this configuration is optional, we strongly recommend that you implement the configuration in this section and disable the HTTP port.
  1. Apply the minimum patch requirements.Apply the patch requirements as documented in 5.1 Apply Required Updates and Patches.
  2. Perform the required configuration.
    Copy the original template file, <FND_TOP>/admin/template/httpd_conf_1013.tmp, to the <FND_TOP>/admin/template/custom directory, if the custom directory or the customized template file does not already exist. Update the custom file by commenting out the following line:
    Listen %s_http_listen_parameter%
  3. Run AutoConfig.
    Run AutoConfig to synchronize the files.

Known Issues

  • Bug 20472035 - As a workaround until TXK bug 21969510 is addressed, you can set the profile 'Applications Help Web Base URL' to null at the Site level in your environment. This would be the only workaround until a permanent fix is provided by TXK bug 21969510. You will also need to remember to set this back to null after any AutoConfig run.

6.3 Enabling TLS for OHS to OC4J Connections

In Oracle E-Business Suite Release 12, the Oracle Application Server environment is managed by Oracle Process Monitoring and Notification services, or OPMN, which is a set of processes that include the Oracle HTTP Server (Apache) and OC4J containers (where J2EE processes run). In Oracle E-Business Suite Release 12.1, we have introduced support for secure communication between these layers. This advanced configuration should only be done on top of the basic TLS configuration.
Apply Patch 26933459 to address the issue with the system-jazn-data.xml file which affects Step 6.3.7 below.
The instructions in this section are for the Oracle Application Server.
OC4J supports TLS communication between Oracle HTTP Server and OC4J using AJPS. This is the secure version of Apache JServ Protocol, which is the protocol that Oracle HTTP Server uses to communicate with OC4J.
Note: The AJPS protocol used between Oracle HTTPS Server and OC4J is not visible to the end user.

6.3.1 Set your environment

  1. Log on to the application tier as the OS user who owns the application tier files.
  2. Source your application tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.
  3. Navigate to the $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3 Oracle home variables.

6.3.2 Navigate to the web SSL directory

  1. Navigate to the web SSL directory as defined in the context file $ grep s_web_ssl_directory $CONTEXT_FILE.

    Note: Unless you have changed the default settings, this should be the same directory as $INST_TOP/certs which we will use in subsequent steps to identify this directory. This directory defines the location where private keys and certificate files are stored.
  2. Create a new directory with the name j2ee and then change to this directory.
    $ mkdir j2ee
    $ cd j2ee
  3. Copy over all necessary files from the $INST_TOP/certs/Apache directory to the j2ee directory.
  • intermediate.crt and ca.crt
  • server.key and server.crt

6.3.3 Rearrange the existing PEM files and create a PKCS12 (P12) file

  1. Use the following commands to rearrange the existing PEM files. Prepend the OpenSSL binary directory (for example: <10.1.3 OH>/Apache/open_ssl/bin) to your PATH so that the correct OpenSSL binary will be used.
    $ cat intermediate.crt ca.crt > chain.pem
    $ export OPENSSL_CONF=<10.1.3 OH>/Apache/open_ssl/bin/openssl.cnf
    $ openssl pkcs12 -export -out new.p12 -inkey server.key -in server.crt -certfile chain.pem
    Enter passphrase for server.key:<PASSWORD>
    Enter Export Password:<PASSWORD>
    Verifying - Enter Export Password:<PASSWORD>
  2. Next, use the keytool command to convert the P12 file into a JKS file for use by OC4J.
    $ keytool -importkeystore -srckeystore new.p12 -srcstoretype PKCS12 -destkeystore <hostname>.jks
    Enter destination keystore password: <PASSWORD>
    Re-enter new password: <PASSWORD>
    Enter source keystore password: <PASSWORD>
    Entry for alias 1 successfully imported.
    The alias for the only entry in the keystore is "1".
    If you used a different certificate authority for your Apache Wallet than you used for the j2ee Java keystore, you will need to import the Apache Wallet's root CA certificate into the keystore so it will be recognized as a trusted certifying authority. If this is not done, you will get handshake errors.
    To import the certificate for a certifying authority into your keystore:
    1. Copy the $INST_TOP/certs/Apache/ca.crt file to the $INST_TOP/certs/j2ee directory.
    2. Use the keytool import command to add ca.crt to the keystore:
      $ keytool -import -alias ApacheCA -file ca.crt -v -keystore <hostname>.jks -storepass <PASSWORD>
      Enter "yes" when prompted with: Trust this certificate? [no]: yes
  3. Remove all files from the $INST_TOP/certs/j2ee directory with the exception of the newly created JKS file.

6.3.4 Construct the certificate chain

Perform the following to create the certificate chain file:
cd %s_web_ssl_directory%/Apache
cat intermediate.crt ca.crt > chain.crt

6.3.5 Modify the configuration file

  1. Copy the original file, mod_oc4j_conf_1013.tmp for UNIX and mod_oc4j_conf_1013_nt.tmp for Windows, from <FND_TOP>/admin/template to <FND_TOP>/admin/template/custom.
  2. Modify the file by commenting out the following line:
    Oc4jSSLWalletFile %s_websrv_wallet_file%/Apache
    and adding the following lines:
    Oc4jOpenSSLLibPath %s_weboh_oh%/lib
    Oc4jOpenSSLCertFile %s_web_ssl_directory%/Apache/chain.crt
    Oc4jOpenSSLCertFile %s_web_ssl_directory%/Apache/server.crt
    Oc4jOpenSSLKeyFile %s_web_ssl_directory%/Apache/server.key
    Oc4jOpenSSLPassword <PASSWORD>

    #Excluding SSLv3.0 and SSLv2.0 is always excluded by OPMN
    Oc4jSSLVersions -SSLv3.0
    Oc4jSSLCiphers ECDHE:AES128-SHA:AES256-SHA

6.3.6 Change TLS-related variables

Use the Oracle E-Business Suite Oracle Applications Manager (OAM) context editor to change the SSL-related variables as shown in the following table:
Advanced TLS-Related Variables in the Context File
VariableNon-TLS ValueAdvanced TLS Value
s_oc4j_securefalsetrue
s_ajp_protocolajpajps
s_forms_tracking_cookiesdisabledenabled
s_oc4j_ssloffon

6.3.7 Run AutoConfig

If you have upgraded to Oracle E-Business Suite Release 12.1 by applying the 12.1 patchset to a previous release, you will need to delete the following files so that the new versions will be instantiated when you run AutoConfig. If you have made any customizations to these files (such as custom user credentials), be sure to back up the files before deleting so you can re-add your customizations to the new files.
  • $ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config/system-jazn-data.xml
  • $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml
  • $ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config/system-jazn-data.xml
Note: Delete these files is not necessary if you used Rapid Install for 12.1.
  1. Source your application tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.
  2. Use the adstpall.sh script in the application tier $ADMIN_SCRIPTS_HOME directory to stop all services.
  3. Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.
  4. Update the newly instantiated files with your previous customizations if required.

6.3.8 Update the keystore password in the system-jazn-data.xml files

Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config directory and follow these steps:
  1. Open the system-jazn-data.xml file in the editor of your choice.
  2. Find the lines in the <user> section that read:
    <user>
    <name>oc4jkeystoreadmin</name>
    <display-name>OC4J keystore admin user</display-name>
    <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
    <description>E-Business OC4J keystore admin user</description>
    <credentials>{903}Gfqv+nvfuUrfiQpcW7XcpptrOknyC0nj< credentials>
    </user>
    Note: The guid and credentials will be different on your system.

     
  3. Change the <credentials> line to read:
    <user>
    <name>oc4jkeystoreadmin</name>
    <display-name>OC4J keystore admin user</display-name>
    <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
    <description>E-Business OC4J keystore admin user</description>
    <credentials>!<PASSWORD><credentials>
    </user>
    Where <PASSWORD> is a sample password and you should replace it with the one you chose when you created your keystore. Be sure to include the exclamation point (!). This will encrypt the password the next time the service is started.
  4. Save the file and exit.
  5. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config directory and repeat steps 1-4.
  6. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config directory and repeat steps 1-4.

    Note: If you need to make other modifications to $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml unrelated to the purpose of this document, you are required to repeat the above modification. Failure to do so may result in errors when launching Forms.

6.3.9 Restart the application tier services

Use the $ADMIN_SCRIPTS_HOME/adstrtal.sh script to restart the application tier services.
Advanced TLS configuration for the Oracle Application Server is now complete. If there are any issues logging into Oracle E-Business Suite or launching Forms, these should be resolved before proceeding.

6.4 HTTP Strict Transport Security (HSTS)

You may optionally configure Oracle E-Business Suite to enable HTTP Strict Transport Security which instructs web browsers to only use secure connections for future requests when communicating with a web site.
This feature should be configured at the TLS termination point (for example: Oracle HTTP Server (OHS), Load-balancer). The max_age parameter allows you to specify a time period (in seconds) that browsers will communicate using only HTTPS. When testing HSTS, start the configuration using short time periods, for example, 15 minutes. When deploying to production a long value should be used, recommended values are in the range 6 to 12 months.
Once the HSTS header is configured and the browser has visited the HTTPS port, you won’t be able to access that server using HTTP. Browsers will rewrite the URL to HTTPS if the user attempts to connect via HTTP, but the rewrite will not change the port number. The rewriting will only work if the URL does NOT contain a port number.
  1. Configuration
    Custom Template FileModification
    <FND_TOP>/admin/template/custom/ssl_conf_1013.tmp(for UNIX)
    <FND_TOP>\admin\template\custom\ssl_conf_1013_nt.tmp(for Windows)    		Under the section <VirtualHost _default_:%s_webssl_port%>
    Add below parameter
    Header set Strict-Transport-Security "max-age=31536000"
    Example:
    <VirtualHost _default_:%s_webssl_port%>
    Header set Strict-Transport-Security "max-age=31536000"
  2. Run AutoConfig to synchronize the files.
  3. Use the $ADMIN_SCRIPTS_HOME/adstrtal.sh script to restart the application tier services.

Section 7: Configuring Optional Integrations

The following sub-sections provide required steps for optional integrations.
7.1 Oracle Discoverer
7.2 Oracle E-Business Suite Information Discovery7.3 Service Invocation Framework - SOA
7.4 Separate Certificates for Inbound and Outbound Communication

7.1 Oracle Discoverer

Discoverer users who enable TLS for Oracle E-Business Suite as per Section 5 must also enable TLS in the Client Java (JRE) which is used by Discoverer Plus.
Refer to the following documents for instructions and more information:

7.2 Oracle E-Business Suite Information Discovery

The Oracle E-Business Suite Information Discovery Release 12.1 V6 Studio Component only supports TLS 1.0 and does not support TLS 1.2.

Oracle E-Business Suite Information Discovery users who enable TLS for Oracle E-Business Suite (as documented in Section 5: Configuring TLS 1.2 with Backward Compatibility and OpenSSL) must also enable TLS for Oracle Endeca. Refer to My Oracle Support Knowledge Document 2075354.1DMZ and SSL Configuration Guide for Oracle E-Business Suite Information Discovery, Release 12.1 V6.

7.3 Service Invocation Framework - SOA

Required patching and configuration:
  1. Apply patch 25034687 R12.OWF.B using adpatch.
  2. Apply patch 22612527 to the 10.1.3.5 home.
  3. Update the 32-bit JDK 7 under $OA_JRE_TOP with the Java Cryptography Extension (JCE) updates. (If you have a JAN-2016 Java version that already includes JCE, you can skip this step.)
  4. Using Oracle Applications Manager, update the following context variables:
    s_afjsmarg = -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 or -Dhttps.protocols=TLSv1.2. The choice of setting here will depend on the protocol set in Section 5.3, Step 1 or Section 6.1.3.
    s_proxyhost = fully qualified host.domain name
    s_proxyport = port value
    s_proxybypassdomain = domain name (Example domain.com)
    s_nonproxyhosts = wildcard domain name (Example *.domain.com)
    s_ssl_truststore = $OA_JRE_TOP/lib/security/cacerts
    s_ssl_truststoretype = JKS
    s_ssl_trustmanageralgorithm = SunX509 (For IBM AIX, set the value to "IbmX509" instead.)
  5. Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.
  6. Use the adstpall.sh/adstrtal.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart all services.

7.4 Separate Certificates for Inbound and Outbound Communication

In the case where you do not wish to use the external CA certificate for outbound connections, you can opt to use separate certificates for inbound and outbound communication. Use external CA certificates for inbound (and loopback) connections to the externally visible web entry point and use private CA certificates for the internal communications. Examples of this type of communication are:
Proxy -> OHS
OHS -> WLS
WLS -> DB
Applications tier -> DB
In this scenario the external CA certificate needs to be configured on the web entry point and all https clients (external and EBS loopback) must trust the rootCA certificate from that external CA. One would only need certificates for the outbound connections if the remote server requires a client certificate (i.e. Mutual Authentication). This could happen for some XML Gateway use cases.
In order to configure the internal entry points with the certificates from a private CA, all the internal https clients (App tier Java and DB) must be configured to trust the rootCA certificate from that private CA.
Certificate Usage
CommunicationConnection TypeCertificate TypeInstruction
EBS to OHS or EBS to ProxyInbound or loopbackFor inbound or loopback, external CA certificates are used.For inbound or loopback, follow the general TLS implementation documented in this note.
OutboundFor outbound, a separate certificate can be used, issued by a public CA, or in-house/self-signed certificates can be used.For outbound, the rootCA of the separate certificate must be added to the truststore when acting as a client. For the client authentication, you only need the certificate for the outbound connection.
Proxy to OHS
OHS to WLS
WLS to DB
Apptier to DB
WLS admin port to WLS
OPMN to OHS		Proxy to OHS, Appstier to DB, and OHS to WLS
WLS to DB		In-house or self-signed certificates can be used.Proxy to OHS is covered in the end-to-end TLS steps in this note. Appstier to DB and OHS to WLS are also covered in this note. Be certain to add the rootCA to the truststore wherever the note mentions to update the truststore.
WLS to DB only supports non-PKI encryption so far.

Section 8: Renew Revoked or Expired Certificates

If you need to update or renew your certificate, perform the following steps:
  1. Confirm that you previously applied the required updates and patches listed in 5.1 Apply Required Updates and Patches to enable TLS.
  2. Perform the following steps to renew or update your certificate:
    • From Section 5.2.1, perform:
      • Step 3 - Backup directories and update your PATH
      • Step 4 - Create a 2048 RSA private key and a CSR signed using sha256WithRSAEncryption
      • Step 5 - Receive server certificate and certificate chain files from the CA
    • Bounce the application tier services.

Section 9: Alternate TLS Termination Point

This section covers alternative configurations for TLS.
Alternate TLS Termination Point other than OHS
For customers who want to use a reverse proxy or load balancer as the only TLS termination point to off-load or handle the encryption/decryption of TLS inbound HTTP traffic, perform the following:
  1. For the EBS configuration, follow the steps below instead of the steps described in the sections above in this note.
  2. For the configuration of a reverse proxy or a load balancer, follow the instruction from the vendor of your choice. If you choose to use HAProxy, follow Document 2012639.1 Using HAProxy as a TLS Termination Point for Oracle E-Business Suite Release 12.1.3.  If you choose to use Oracle Traffic Director, follow Document 2130592.1 Oracle Traffic Director 12c Integration with Oracle E-Business Suite Releases 12.1 and 12.2.
End-to-End TLS
In this case, the TLS configuration for the inbound HTTP connections consists of TLS configured at the Oracle E-Business Suite/OHS level, in addition to use of a reverse proxy or load balancer. Use these steps once you have completed all steps in this note, including the steps for 'Alternate TLS Termination Point other than OHS' outlined below. The only difference being the changes as indicated in this section.
  1. Follow all the steps in this note.
  2. For the configuration of a reverse proxy or a load balancer, follow the instruction from the vendor of your choice. If you choose to use HAProxy, follow Document 2012639.1 Using HAProxy as a TLS Termination Point for Oracle E-Business Suite Release 12.1.3.  If you choose to use Oracle Traffic Director, follow Document 2130592.1 Oracle Traffic Director 12c Integration with Oracle E-Business Suite Releases 12.1 and 12.2.

Alternate TLS Termination Point other than OHS

Use the Oracle E-Business Suite Oracle Applications Manager (OAM) Context Editor to change the TLS-related parameters as shown in this table:
Changes When Using a TLS Termination Point Other than OHS
(such as a load balancer or reverse proxy)
ParameterNon-TLS ValueTLS Value
s_url_protocolhttphttp
s_local_url_protocolhttphttp
s_webentryurlprotocolhttphttps
s_active_webportsame as s_webportvalue of the TLS load balancer or reverse proxy external interfacing port
s_webentryhostsame as s_webhostTLS Accelerator hostname
s_webentrydomainsame as s_domainnameTLS Accelerator domain name
s_enable_sslterminator#remove the '#' to use ssl_terminator.conf in SSL terminated environments
s_login_pageURL constructed with http protocol and s_webportURL constructed with https protocol, s_webentryhost, s_webentrydomain, s_active_webport
s_external_urlURL constructed with http protocol and s_webportURL constructed with https protocol, s_webentryhost, s_webentrydomain, s_active_webport
The value of the s_webport is based on the default port prior to any TLS configuration, and remains unchanged when switching to TLS.
Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.
Use the adstpall.sh/adstrtal.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart all services.
Verify that https connectivity is working properly.

End-to-End TLS

In the event that you wish to make use of TLS on the Oracle E-Business Suite OHS side, in addition to TLS termination point configuration, you will want to be aware of the following settings:
Use the Oracle E-Business Suite Oracle Applications Manager (OAM) Context Editor to change the TLS-related parameters as shown in this table:
Changes When Using End-to-End TLS
ParameterTLS Value
s_url_protocolhttps
s_local_url_protocolhttps
s_webentryurlprotocolhttps
s_webssl_portTLS port of EBS
s_https_listen_parameterTLS port of EBS
s_active_webportTLS termination point external port
s_webentryhostTLS termination point hostname
s_webentrydomainTLS termination point domain name
s_enable_sslterminatorRemove the '#' to use ssl_terminator.conf
s_login_pageURL constructed with https protocol, s_webentryhost, s_webentrydomain, s_active_webport
s_external_urlURL constructed with https protocol, s_webentryhost, s_webentrydomain, s_active_webport
Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.
Use the adstpall.sh/adstrtal.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart all services.
Verify that https connectivity is working properly.
We advise that both sides of the TLS configuration be tested independently. For example, test to make sure your EBS instance works with the TLS termination point first, revert the change, and then test that TLS terminated locally at the EBS/OHS level works. Once it is confirmed that both configurations work for TLS, you can commit to the end-to-end TLS configuration by re-introducing the TLS termination point.

An example of the protocol flow in this scenario:

client https request > TLS Off-loader (https:443) > EBS TLS (https:4443)

There are two distinct TLS certificate chains in play, therefore the TLS handshake and negotiation must complete in order for the communication to be successful. Any break in this flow will result in TLS protocol errors. In this example, the TLS termination point is operating on the general default port of 443, while EBS is configured to operate on port 4443.

Appendix A: Disabling TLS

There may be a need to temporarily disable TLS for testing or for troubleshooting purposes. In such cases, use the following procedure to accomplish this, while at the same time not undermining the TLS configuration up to this point and allowing TLS to be enabled again.
  1. Revert back the configuration changes made in the following places:
    • 5.2.1 Configure your environment
              Step 5 - Update the Context File
              Step 6 - Perform Additional Configuration
    • 5.3.1 Perform the General Required Configuration
              Step 1 - Perform Necessary Configuration Using AutoConfig
    • 6.2 Disabling the HTTP Port (optional)
              Step 2 - Perform the required configuration
    • 6.3 Enabling TLS for OHS to OC4J Connections (optional)
              Step 6.3.5 Modify the configuration file
              Step 6.3.6 Change TLS-related variables
  2. Run AutoConfig. 
  3. Use the adstpall.sh/adstrtal.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart all services. 

Appendix B: HP PA-RISC

Because of the unavailability of JDK 7 on this platform, only 5.1 Apply Required Updates and Patches and 5.2 Configure Inbound Connections applies to HP PA-RISC customers.
Note that all requirements in 5.1 Apply Required Updates and Patches (with the exception of JDK 7) are required for HP PA-RISC customers.

Appendix C: Known Issues

ProductComponentBugComments
Oracle iStoreOrdersBug 22922211This issue affects Windows customers only, after enabling TLS, users will face error and won't be able to place order from iStore using credit card.
   When using SAN certificate on a server of which hostname is not the same as CN, the following warning message might be seen in Apache log file, which can be safely ignored:
[warn] Init: RSA server certificate CommonName (CN) 'hostname.domain.com' does NOT match server name!?
   If you have applied a patch which provides a newer version of one of the templates that was modified in the custom folder, you may receive the following error: "Version Conflicts among development maintained and customized templates encountered; aborting AutoConfig run." In this case, copy over the newer template to the custom folder and re-apply the modification following the steps in this document.
Oracle Applications PlatformTriageBug 23295862Mac Safari users will encounter an Oracle Forms issue if TLS is enabled for an OHS to OC4J connection.
Oracle WorkflowJMAILERBug 23755698When Oracle E-Business Suite Release 12.1.3 is configured for TLS 1.2 only and the Workflow Mailer processes email notifications, the following errors may be displayed in the ssl_engine_log file:
[07/Jul/2016 08:54:55 21885] [error] SSL handshake failed (server hostname.domain.com:4514, client <IP>) (OpenSSL library error
follows)
[07/Jul/2016 08:54:55 21885] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
These messages can safely be ignored.
Oracle WorkflowNotificationsBug 25838956For TLS 1.2 Only configuration, an email notification with OA FWK content is sent to a user with an HTML Mail notification preference, users will see a few small boxes in the user interface. Originally reported in bug 23605402 for EBS 12.2.
Requires minimum versions of JRE 1.6.0_141 or JRE 1.7.0_131 in order to address this issue.
Oracle OHSOPMN/OC4JBug 27582115AIX client will face an issue i.e.OPMN fails connecting to OC4J, if upgraded to latest JDK (example 1.7.0 SR10 FP10(Oracle jdk7u151-b14)) or higher) with the environment configured with strict TLSv1.2 and TLS enabled for OHS to OC4J connection.
Workaround : Rollback to a previous version of JDK , Example : 1.7.0 SR9 FP30 (Oracle jdk7u95-b13)
Oracle Security ServiceWalletbug 23277842Customers on database 11.2.0.4 and ECC certificates - orapki command does not support use of the "-jsafe" parameter.
Oracle PaymentsPayment Systembug 28975149Customers who have enabled TLS with ECC certificates and are on database version 11.2.0.4 will face a known issue when placing orders using credit card from iStore.

Appendix D: References

Refer to the following sources for more information:
  • Document 403537.1Secure Configuration for Oracle E-Business Suite Release 12
  • Document 2063486.1FAQ: Oracle E-Business Suite Security
  • Document 2143099.1Enabling SSL or TLS in Oracle E-Business Suite Release 12
  • Document 1937646.1CVE-2014-3566 - Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite
  • Document 2012639.1Using HAProxy as a TLS Termination Point for Oracle E-Business Suite Release 12.1.3
  • Document 2130592.1Oracle Traffic Director 12c Integration with Oracle E-Business Suite Releases 12.1 and 12.2
  • Document 1524398.1Interoperability Notes EBS 12.0 or 12.1 with RDBMS 12cR1
  • Document 1058763.1Interoperability Notes EBS 12.0 or 12.1 with RDBMS 11gR2 (11.2.0.4)
  • Document 1147107.1Database Patch Set Update Overlay Patches Required for Use with PSUs and Oracle E-Business Suite
  • Document 2274242.1TLS Protocol Options Available with Oracle Database 11.2.0.4 (MES Bundle patches)
  • Document 2159740.1Oracle Payment Support For TLS1.2
  • Document 2542707.1Discoverer 11g: Use of TLS 1.1 and TLS 1.2 with Discoverer Plus in SSL enabled Fusion Middleware

Change Log

DateDescription
2019-06-20
  • Updated Section 7.1 for Discoverer.
2019-04-19
  • Doc bug 29640433 - Added Note box under Section 5.2, Step 6 and under Section 6.1.2, Step 1, to clarify the use of default password.
  • Doc bug 29641486 - Added Note box update under Section 5.1, Step 5 and table updated with Apr 2019 OHS and OPMN patches.
2019-02-05
  • Doc bug 29293664 - Added comment to Section 5.1, Step 6 to allow opatch to rollback patch 8999551 when applying patch 22322938.
2019-01-08
  • Added Section 5.1.1 for 11.2.0.4 DB and ECC certificates.
  • Updated Section 6.1.1 Note block for 11.2.0.4 DB.
  • Added Known Issue for bug 23277842.
  • Added Known Issue for bug 28975149.
  • Updated Section 5.2.1, Step 4, #2 for renaming certificate files.
  • Updated Section 5.1, Step 1 for JDK requirements and removed references to JDK6 leaving JDK7 as the required minimum going forward.
2018-10-19
  • Added reference to Java Mail API patch 22322938 and Workflow patch 27881758 under Section 5.1, Step 6.
  • Added information on JWS to Section 4.
  • Added Section 6.4 for HSTS.
2018-10-16
  • Updated Discoverer guidance in Section 7.1.
2018-06-27
  • Doc bug 28086869 - Removed Section 6.3.9, as this step is no longer needed with the release of patch for bug 23645824.
  • Updated Section 5.1, Step 6 and added the need to apply patch 23645824.
  • Doc bug 28086869 - Removed Section 6.3.10, as this step is no longer needed due to change per doc bug 27852236.
  • Doc bug 28125088 - Updated Section 6.1.1 for support of Oracle Database 11.2.0.4 and TLS 1.2.
  • Updated Known Issue for bug 25838956.
  • Updated Section 6.3 and added reference to patch for bug 26933459.
  • Updated Section 5.1, Step 3 and added reference to additional iPayments note 2159740.1 and removed reference to applying patch 22724663, as this is already documented in the aforementioned note.
2018-04-18
  • Added information on in-house and/or self-signed certificates under Section 3.
  • Added JDK minimum requirements under Section 5.1, Step 1.
  • Added JRE minimum requirements under Section 6.1.1.
  • Added Section 7.3 for Service Invocation Framework - SOA functionality.
  • Added Section 7.4 for information on use of separate certificates for inbound and outbound communication.
2018-04-04
  • Added information for ECC to the following sections:
    - Section 5.2.1, Step 6 updated opmn.xml template and removed reference to ssl-ciphers.
    - Section 5.2.1, Step 6 updated ssl.conf template file SSLCipherSuite to use ECDHE:!NULL:!3DES:!RC4:+aRSA.
    - Section 5.3.2, Database wallet update.
    - Section 6.1.2, updated opmn.xml template and removed reference to ssl-ciphers.
    - Section 6.3.5, modified Oc4jSSLCiphers to use ECDHE:AES128-SHA:AES256-SHA.
  • Added Section 6.3.10 for workaround on known issue for bug 27582236.
  • Updated Section 5.2.1, Step 1 for SAN and Wild Card usage.
  • Added Known Issue for latest JDK and OC4J on AIX, doc bug 27726809.
2018-02-02
  • Section 5.1, Step 5 added patches for Jan 2018 - 27078378 and 27208670.
2018-01-23
  • Updated Section 5.2.1, Step 1 to add reference to SAN certificate usage.
  • Added Known Issue for error related to SAN certificate usage.
  • Added Known Issue for iStore.
  • Added Section 9: Alternate TLS Termination Point and moved previous information into this section for clarity. This separates the base level TLS configuration from the alternate configurations of using either TLS off-loading/acceleration, and end-to-end TLS.
  • Added information on PKI to Section 3.
  • Added information to Section 3 for SAN and Wild Card certificates.
2017-09-29
  • Updated cipher replacing references to DES-CBC3-SHA with AES256-SHA.
2017-09-07
  • Updated Section 5.1, Step 5 with clarification of required patching.
  • Under Section 6.3.3, added setting of OPENSSL_CONF to point to the correct openssl.cnf file and avoid 'warning' message.
2017-07-20
  • Updated Section 5.1, Step 5 with table containing required CPU patch combinations.
  • Added setting of OPENSSL_CONF in Section 5.2, Step 2.
2017-06-02
  • Updated SSLCipherSuite setting to exclude 3DES.
2017-05-22
  • Updated Section 5.1, Step 5 and replaced patch 22447165 and 22458773 with 24483815 and 24484104.
2017-01-03
  • Updated steps in Section 6.3 changing references for intCA.crt and rootCA.crt to intermediate.crt and ca.crt respectively.
2016-12-21
  • Added clarification to steps for Section 6.3.
2016-09-14
  • Updates to Section 5.1 related to JDK.
2016-09-01
  • Expanded on issue noted in section 6.3.9 for bug 23645824.
  • Updated information for Discoverer in Section 7.1.
2016-08-03
  • Added Table 5-3 for end-to-end TLS in 5.2 Step 5.
  • Added Known Issue on bug 23605402.
2016-07-28
  • Updated title of Section 5 specifying TLS 1.2.
2016-07-26
  • Corrected minor typo in Section 1.
2016-07-25
  • Initial publication of new content.
    Previous content can be found in My Oracle Support Knowledge Document 2143099.1.
My Oracle Support Knowledge Document 376700.1 by Oracle E-Business Suite Development.
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Oracle E-Business Suite Release 12.2 System Schema Migration

In This Document Section 1: Overview of the EBS System Schema Section 2: Requirements for Using the EBS System Schema Section 3: Migrating t...