Install APEX SSL

Follow the process described in Enabling SSL for Oracle HTTP Server.

Locations of the appropriate Oracle components can be determined by using Oracle Universal Installer.

In particular ensure:

1. the correct instance of Oracle Application Server (containing Oracle HTTP Server) is used
2. the correct wallet and version is used
3. the server type of 'oracle' is selected when generating the public key in Thawte

• http://download.oracle.com/docs/cd/B14099_11/web.1012/b14007/ssl.htm#sthref1468
• http://download.oracle.com/docs/cd/B14099_11/core.1012/b13995/wallets.htm#BABEGJGA
• http://www.nextre.it/oracledocs/certificates02.html

1. Log onto the machine 'oracle' (Windows 2000 box).
2. Open up a console (Start→Run→Type 'cmd' and press enter).
3. Enter the following to launch the Oracle Wallet Manager

4. C:

5. cd C:\oracle\product\10.2.0\db\bin

6. C:\oracle\product\10.2.0\db\BIN\launch.exe "C:\oracle\product\10.2.0\db\bin" owm.cl

7. Click on the file menu Wallet→New
8. Enter a password (ensure that this is stored in keypass) and set Wallet Type to 'Standard'.
9. Press Okay and you will be asked if you want to create a certificate request at this time. Click Yes and fill in the following information (Clicking Ok when done).
10. * Common Name: apex.example.com
11. * Organizational Unit: Department
12. * Organization: Company Name
13. * Location/City: = City
14. * State/Province: = County
15. * Country: GB
16. * Key Size: 2048
17. The wallet is then populated with a Certificate request. Click on this. On the right hand side of the screen you will see a load of text, copy all of this and create a file with it called apex.csr
18. Also, paste this into the thwarte web page when asked for CSR (Certificate Signing Request) and order your certificate.
19. In the Wallet Manager, click Wallet→Save As and save to C:\oracle\wallets\as2014. You asked if you want to create this location. Say yes.
20. Once Thwate has generated the certificate, they will email it to you. Save this as apex.cer
21. You will also have to log into the certificate center (here), select the certificate and click 'Pick up certificate' under the 'Status' tab.
22. You then set the format to X.509 (Apache and others). You will then see three certificates displayed named
23. * Primary Intermediate Certificate
24. * Secondary Intermediate Certificate
25. * End Entity Certificate
26. Copy these to text files and save them respectively
27. * thwate.primary.intermediate.cer
28. * thwate.secondary.intermediate.cer
29. * thwate.end.entity.cer
30. Get the ROOT CA from Thwate from [https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1470 here] and call it thwate.root.cer
31. Then, in the wallet manager, click “Operations→Import Trusted Certificate…”. Import
32. * thwate.primary.intermediate.cer
33. * thwate.secondary.intermediate.cer
34. * thwate.end.entity.cer
35. * thwate.root.cer
36. Then, in the wallet manager, click “Operations→Import User Certificate…”. Import apex.cer
37. Save the wallet and close the wallet manager.
38. Now you have a wallet ready to go. All we have to do is point the Oracle web server at the new wallet and restart the web server.

1. To point the Oracle web server at the new wallet, edit C:\oracle\product\10.2.0\db\Apache\Apache\conf\ssl.conf
2. Edit the line with SSLWallet file:C:\oracle\wallets\as
3. Ensure C:\oracle\product\10.2.0\db\opmn\conf\opmn.xml has start mode set to “ssl-enabled” instead of “ssl-disabled”.
4. Reload OPMN C:\oracle\product\10.2.0\db\opmn\bin\opmnctl reload
5. Stop Oracle HTTP Server C:\oracle\product\10.2.0\db\opmn\bin\opmnctl verbose stopproc ias-component=HTTP_Server
6. Start Oracle HTTP Server >C:\oracle\product\10.2.0\db\opmn\bin\opmnctl verbose startproc ias-component=HTTP_Server

When we used to run Oracle 10 on Windows Server 2000, we ran APEX on the Oracle HTTP server. Since upgrading to APEX 4.2.2, we have run the APEX listener on a Glassfish Application Server running on Linux.

Install APEX as shown here: Install_APEX

Then SSH to the machine apex.example.com and

su - oracle

cd /oracle/glassfish/glassfish4/glassfish/domains/domain1/config

Backup your current keystore and trust store

cp cacerts.jks cacerts.jks.backup`date +"%Y-%m-%d"`
cp keystore.jks keystore.jks.backup`date +"%Y-%m-%d"`

Change master-password for the server. Stop the domain and issue

asadmin change-master-password --savemasterpassword

Delete the default self-signed certificate

keytool -delete -alias s1as -keystore cacerts.jks -storepass <store_passwd>
keytool -delete -alias s1as -keystore keystore.jks -storepass <store_passwd>

Generate a new key pair for the application server. In addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias. Please leave alias as s1as – the default alias of Glassfish keystore.

keytool -genkeypair -keyalg RSA -keystore keystore.jks -validity 1095 -alias s1as

You will be asked for the following information. For HTTPS hostname verification, it is important to ensure that the name of the certificate (CN) matches the fully-qualified hostname of your site (fully-qualified domain name). If the names do not match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site

What is your first and last name?
  [Unknown]:  apex.example.com
What is the name of your organizational unit?
  [Unknown]:  Department
What is the name of your organization?
  [Unknown]:  Company Name
What is the name of your City or Locality?
  [Unknown]:  City
What is the name of your State or Province?
  [Unknown]:  County
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=apex.example.com, OU=Department, O=Company Name, L=City, ST=Hampshire, C=GB correct?
  [no]:  yes

Generate a Certificate Signing Request (CSR):

keytool -certreq -alias s1as -file s1as.csr -keystore keystore.jks -storepass <password>

Backup the file and submit the CSR to a Certificate Authority -Thawte https://ssl-certificate-center.thawte.com/process/retail/console_login?application_locale=THAWTE_US

Download Twawte secondary and primary certificates according to this document

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO15518&actp=search&viewlocale=en_US

Use the “SSL Web Server” links to download Primary.crt and Secondary.crt certificates

Download your certificate when it is ready and Store the signed server certificate from the CA, including the markers —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–, into a file such ass1as.cert. Download the CA certificate and any intermediate CA certificates and store them in local files.

Import the CA certificate (if not already present) and any intermediate CA certificates (if not already present) indicated by the CA into the truststore cacerts.jks:

keytool -import -v -trustcacerts -alias s1as -file Primary.crt -keystore cacerts.jks -storepass <password>
keytool -import -v -trustcacerts -alias  Intermediate -file Secondary.crt -keystore cacerts.jks -storepass <password>

Download the certficate from Thwate (p7b format)

Replace the original self-signed certificate with the certificate you obtained from the CA, as stored in a file such as s1as.p7b. This will import the certificate using the same original alias s1as, keytool treats it as a command to replace the original certificate with the certificate obtained as a reply to a CSR. After running the command, you should see that the certificate s1as in the keystore is no longer the original self-signed certificate, but is now the response certificate from the CA.

keytool -import -v -trustcacerts -alias  s1as -file nameoffile.p7b -keystore keystore.jks -storepass <password>

Test certificate in keystore:

keytool -v -list -keystore keystore.jks

Start domain:

asadmin start-domain domain1

Enable secure communications on port 4848 by issuing command:

asadmin enable-secure-admin
asadmin restart-domain domain1

su - oracle
cd /oracle/glassfish/glassfish4/glassfish/domains/domain1/config

cp cacerts.jks cacerts.jks.backup`date +"%Y-%m-%d"`
cp keystore.jks keystore.jks.backup`date +"%Y-%m-%d"`

keytool -delete -alias s1as -keystore cacerts.jks -storepass Pa55word
keytool -delete -alias s1as -keystore keystore.jks -storepass Pa55word

keytool -import -v -trustcacerts -alias s1as -file test/crossRootCA.cer -keystore cacerts.jks -storepass Pa55word
keytool -import -v -trustcacerts -alias  Intermediate -file test/IntermediateCA.cer -keystore cacerts.jks -storepass Pa55word

keytool -import -v -trustcacerts -alias  s1as -file test/ssl_certificate.p7b -keystore keystore.jks -storepass Pa55word
keytool -v -list -keystore keystore.jks
asadmin start-domain domain1