SSL Configuration on Web Server: Broad-Level Steps
1.1 Create certificates using openssl (you can try OWM, Oracle Wallet Manager, as well)
1.2 Change the Context File parameters mentioned in the previous post
1.3 Run AutoConfig
1.4 Test Application
For a detailed step-by-step guide to implementing SSL on E-Business Suite, follow Metalink Note 123718.1, 11i: A Guide to Understanding and Implementing SSL for Oracle Applications.
The above note covers SSL for the Web Server, Forms Server and Database Server. In a typical implementation you can configure SSL on just the web server node.
A Few Important Notes/Points w.r.t. SSL
SSL with Multiple Middle Tier
1. If you have multiple middle tiers (server1, server2 .. serverN) with a load balancer in front of them, and you access your apps via the URL http://teachmeoracle.com, then ServerName in httpd.conf will have the value teachmeoracle.com, and the Common Name you enter during the create CSR (Certificate Signing Request) phase should be the same as ServerName in httpd.conf.
2. You can use the same certificates as long as ServerName in httpd.conf is the same.
Cloning SSL Instances
If you are cloning an instance already configured with SSL to a Target Instance, you need to create new certificates on the Target Instance. If the Target Instance was configured with SSL before cloning, take a backup of its SSL certificates (by default, certificates are in $IAS_ORACLE_HOME/Apache/Apache/certs/apache ssl.crt & ssl.key) and replace them after cloning.
If you are not sure about the location of the certificates, check the following directives in the Context File (*.xml file):
web_ssl_directory
web_ssl_keyfile
web_ssl_certfile
web_ssl_certchainfile
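A post-clone check for the two points above, as an added example that is not from the original post or from Oracle: it compares the certificate's Common Name with ServerName in httpd.conf and flags a certificate that is close to expiry. The function names, the 30-day default and the paths in the usage line are assumptions; take the real certificate location from the web_ssl_* entries in the context file.

```shell
#!/bin/sh
# Added example: sanity check for an Apache SSL certificate after cloning.
# Function names and the 30-day default are illustrative assumptions.

# Print the first ServerName in an Apache config, without any :port suffix.
server_name_from_conf() {
    awk 'tolower($1) == "servername" { sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1"
}

# Extract the CN from an RFC 2253 subject line such as
# "subject=CN=teachmeoracle.com,O=Example,C=US" (constructed sample).
cn_from_subject() {
    printf '%s\n' "$1" | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Return 0 when the certificate CN equals ServerName and the certificate stays
# valid for $3 more days (default 30); 1 = name mismatch, 2 = expiring,
# 3 = certificate could not be read.
check_cert_matches_server() {
    conf=$1 cert=$2 days=${3:-30}
    want=$(server_name_from_conf "$conf" | tr 'A-Z' 'a-z')
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert") || return 3
    have=$(cn_from_subject "$subject" | tr 'A-Z' 'a-z')
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "MISMATCH: ServerName='$want' certificate CN='$have'" >&2
        return 1
    fi
    if ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null; then
        echo "EXPIRING: certificate for '$have' expires within $days days" >&2
        return 2
    fi
    echo "OK: certificate CN matches ServerName '$want'"
}

# Usage: sh check_ssl_clone.sh /path/to/httpd.conf /path/to/certificate.crt
if [ "$#" -ge 2 ]; then
    check_cert_matches_server "$@"
fi
```

A mismatch on a freshly cloned target means the source instance's certificate was carried over and a new one has to be issued for the target's ServerName.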
Performance with SSL
Yes, there will be a small performance degradation with SSL, as the server takes some time to encrypt and decrypt messages/packets between client and server, but it will not be a big one. If you can't afford the performance hit from SSL, you can use SSL accelerators.
Related Links
123718.1 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
7 users commented in " Winding Up SSL Implementation in Oracle Apps 11i "
You can save yourself a lot of trouble by putting a hardware Proxy/SSL-accelerator in front of your midtier.
Vitaliy
Can you elaborate on the trouble?
Yes, an SSL accelerator will improve performance on an SSL-enabled web tier, but there is additional cost associated with SSL accelerators.
Changing SSL certs every time you clone. Dealing with expired SSL certs. Dealing with SSL related security bugs.
While ORACLE APPS has built-in SSL functionality it’s not the only and not the best solution out there.
Hardware SSL-accelerator/Proxy can do a much better job on all counts.
We have SSL enabled, but as said in cloning SSL-enabled instances, we never take a backup of ssl.crt & ssl.key. We never had any issues even though we did not take the backup. Can you please brief on this? What exactly happens if we don't take the backup of ssl.crt and ssl.key?
Thanks
Aravind Cuddapah
To add more: whenever we clone using an SSL-enabled instance, all these ssl.crt and ssl.key directories are replaced with the source's. But we never had any problems.
Thanks
Aravind Cuddapah
Hi Arvind,
First, to understand: ssl.crt contains your ServerName (ServerName directive in httpd.conf/ssl.conf). This server name will be the same if you access apps using the same name as the MachineName on which apps is installed; else it will be the load balancer name.
Now if you clone an instance from oNlineAppsDBA to DevoNlineApps, the certificate on the target instance will still be that of the source, i.e. oNlineAppsDBA. You will not hit any issues, but users will get a warning while accessing the page that the ServerName on the certificate doesn't match the actual server, asking whether they wish to continue.
If you are using SSL on the target instance as well and you delete ssl.crt & ssl.key from the target, you will not be able to start the web server.
Do let me know if this is clear now.
Atul