SSL in Oracle Apps 11i / R12

To understand SSL in Oracle Applications 11i and R12, let's first look at the

Components in Apps which can listen for SSL requests
———————————————
1. Load balancer (if you have one between clients and Oracle Apps)
2. Web Server (the 11i web server is built on Oracle Apache)
3. Forms Server (only if Forms is configured for the Forms Listener, the default method in 11i. In Servlet mode, Forms requests are fulfilled by the Web Server and you don't run a separate Forms server) – for more on this, check my post Forms Listener & Forms Servlet Listener
4. OC4J, Oracle Containers for Java (only in R12, not in 11i)
5. Database

So you can configure SSL in Oracle Applications in one of these ways
————————————————————–
1. SSL from the client (browser) to the load balancer; non-SSL from the load balancer to all other Apps components. For this the load balancer must have SSL acceleration capability: it decrypts client requests arriving over SSL and forwards them to the web server as non-SSL, then receives the non-SSL response from the web server, encrypts it and returns it to the user over SSL. Web Server, Forms and database all run non-SSL.

If you don't have a load balancer (or yours has no SSL acceleration), then

2. SSL from the client (browser) up to the Web Server, and non-SSL from the Web Server to the other components (Forms, database, ...). The Web Server must be configured for HTTPS.

3. SSL up to the Web Server and Forms, and non-SSL from these to the database. Forms and the Web Server must be configured for HTTPS.

4. SSL all the way to the database. Web Server, Forms and Database must all be configured for SSL.

Option 1 i.e. configure SSL for Apps where SSL terminates at the load balancer (BigIP or F5 SSL accelerator)
—————————–
This configuration is based on the following assumptions:

1. The connection from the browser to the load balancer is SSL (HTTPS), i.e. the load balancer is configured to listen on an SSL port.
2. The connection from the load balancer to the server is non-SSL (HTTP), i.e. the Apps web server is listening on a non-SSL port.
3. The conversion from SSL to non-SSL (requests coming from the user to the server) and from non-SSL to SSL (responses served by the web server and returned to the user) is done by the load balancer (SSL accelerator). Examples of such SSL accelerators are F5 or BigIP.
4. The load balancer (also acting as SSL accelerator) is doing port translation. To understand port translation, think of the load balancer as listening on port 443 (the SSL port) while the web server is listening on a non-SSL port such as 8000. The load balancer routes all requests arriving from the user on port 443 to the server listening on 8000 (translating the port to 8000).

Configuration
In the context file (at $APPL_TOP/admin/$CONTEXT_NAME.xml) change the following parameters:

1. s_webentryhost to the load balancer name
2. s_webentrydomain to the load balancer domain name
3. s_active_webport to the load balancer port
4. s_webentryurlprotocol to the load balancer protocol, https or http
5. s_login_page to $s_webentryurlprotocol://$s_webentryhost.$s_webentrydomain:$s_active_webport/oa_servlets/AppsLogin

Other similar parameters in the context file which you do not change:

s_webhost : actual host name of the server on which 11i is installed
s_webdomain : actual domain name of the server on which 11i is installed
s_webport : actual port on which the HTTP Server for 11i is listening

Things to consider while doing SSL
—————————————————–
1. If you are using dummy or self-signed certificates, your forms will not open via Jinitiator and you will hit an error message like “load class oracle/apps/fnd/formsClient/FormsLauncher.class not found”. This is because the dummy CA is not listed in Jinitiator's repository of valid CAs (Certifying Authorities) at $install_location_of_jinitiator_on_client_pc\lib\security\certdb.

Fix: include the dummy (non-standard) Certifying Authority's certificate in $install_location_of_jinitiator_on_client_pc\lib\security\certdb (on the client machine).

How to add a CA's certificate in Jinitiator on the client machine, and how to get test certificates: coming soon..

2. If you are terminating SSL at the load balancer and the domain name of the load balancer is different from the domain name of the server, then login to OAM may fail because of differing cookie domain values. Check “session.topleveldomain” in zone.properties.
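The following check, added here as an example and not part of the original post, reads the context-file values listed under Configuration above and reports the inconsistencies this page warns about: an s_login_page that does not match the web entry protocol/host/domain/port, an entry host that still names the web node rather than the load balancer, a missing port translation, and the differing cookie domain from item 2. It assumes each value sits in an element whose oa_var attribute carries the s_* name; the sample XML is constructed.

```python
"""Consistency check for the Option 1 (SSL terminating at the load balancer)
context-file values.  Added example, not from the original post.  Assumption:
every context-file value sits in an element whose oa_var attribute carries
the s_* name; the sample context below is constructed for this example."""
import xml.etree.ElementTree as ET

# Constructed sample: LB entry apps-lb.example.com:443 in front of the web
# node webnode1.corp.example.com:8000.  s_login_page was left as http://.
SAMPLE_CONTEXT = """<oa_context>
 <webentryhost oa_var="s_webentryhost">apps-lb</webentryhost>
 <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
 <activewebport oa_var="s_active_webport">443</activewebport>
 <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
 <login_page oa_var="s_login_page">http://apps-lb.example.com:443/oa_servlets/AppsLogin</login_page>
 <webhost oa_var="s_webhost">webnode1</webhost>
 <webdomain oa_var="s_webdomain">corp.example.com</webdomain>
 <webport oa_var="s_webport">8000</webport>
</oa_context>"""

def load_vars(xml_text):
    """Map every oa_var name in the context file to its text value."""
    root = ET.fromstring(xml_text)
    return {e.get("oa_var"): (e.text or "").strip()
            for e in root.iter() if e.get("oa_var")}

def expected_login_page(v):
    """s_login_page as the post prescribes: protocol://host.domain:port/..."""
    return "%s://%s.%s:%s/oa_servlets/AppsLogin" % (
        v["s_webentryurlprotocol"], v["s_webentryhost"],
        v["s_webentrydomain"], v["s_active_webport"])

def check_lb_ssl(v):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    if v["s_login_page"] != expected_login_page(v):
        findings.append("s_login_page should be " + expected_login_page(v))
    if (v["s_webentryhost"], v["s_webentrydomain"]) == (v["s_webhost"], v["s_webdomain"]):
        findings.append("s_webentryhost/s_webentrydomain still name the web node, "
                        "not the load balancer entry, so browsers bypass the LB")
    if v["s_webentryurlprotocol"] == "https" and v["s_active_webport"] == v["s_webport"]:
        findings.append("s_active_webport equals s_webport: the LB port, not the "
                        "web server's own non-SSL port, belongs here")
    if v["s_webentrydomain"] != v["s_webdomain"]:
        findings.append("LB domain differs from server domain: check "
                        "session.topleveldomain in zone.properties (OAM login)")
    return findings

if __name__ == "__main__":
    for finding in check_lb_ssl(load_vars(SAMPLE_CONTEXT)):
        print("FINDING:", finding)
```

Run it against a copy of your own $CONTEXT_NAME.xml by passing the file contents to load_vars; the same checks apply unchanged to an R12 context file since the s_* names are the same.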

What is different w.r.t. SSL in 11i & R12
———————————————————–
In 11i the web server certificates (public key & private key) are stored as text files on the server, whereas in R12 the certificates for the Web Server are stored in wallets (Oracle Wallet Manager, OWM).

P.S. Forms & Database certificates in both 11i & R12 are stored in wallets (Oracle Wallet Manager).

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy: specialising in Design, Implementation, and Training.

nhawi says October 6, 2007

I have this error when I try to start my application R12
adopmnctl.sh exiting with status 2

kindly advice

Atul says October 6, 2007

Nhawi,
Check opmnctl log at 10.1.3 ORACLE_HOME/opmn/logs

It should most probably be in $INST_TOP/ora/10.1.3/opmn/logs

If you don’t see logs there let me know and I’ll log in to my test server.

Update us with error message and will try to find cause of this R12 startup issue

mmuhtadi says December 24, 2007

Boss,

I configured SSL for the HTTP Server only of our test apps instance. When you navigate the system through the HTML-based applications everything is working fine with SSL, but when invoking any Form-based module the JInitiator hangs and the following errors appear in the Java Console:
WARNING: Unable to cache https://p2es.kockw.com:8007/OA_JAVA/oracle/apps/fnd/jar/fndlist.jarload: class oracle/apps/fnd/formsClient/FormsLauncher.class not found.java.lang.ClassNotFoundException: java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: SSLBadParameterErr

Please advise where the problem could be? I don’t need the form layer and the database layer to be configured with SSL, only the web server layer.

Atul says December 24, 2007

MMuhtadi,
You configured SSL but the CA (certifying authority – the chained one) is not in Jinitiator’s list of CAs, so add that in $install_dir_of_jinit\lib\security\certdb.txt

Check metalink notes # 373736.1, 387822.1,

mmuhtadi says December 25, 2007

Atul,

Thank you for the reply, but it is mentioned in the Note 373736.1 that: “Select your working directory on the server ($COMMON_TOP/admin/certs/forms)”, but I didn’t configure SSL for Forms Layer, so how could I find the above mentioned directory ? I only have $COMMON_TOP/admin/certs/apache ?

Waiting for your reply.

Mohammad Muhtadi

Atul says December 25, 2007

mmuhtadi,
I don’t think you are interested in configuring SSL on Forms and it’s not required.

You should install the CA (certifying authority) certificates on the client Jinitiator (on all client machines) in the above mentioned location.

For more info & discussion check http://teachMeOracle.com/forum

mmuhtadi says December 25, 2007

Atul,

What I did exactly: I copied the apache_1024.crt from the server to my client machine using bin mode, then I opened the certificate, then I exported it to a file, then I copied the contents of the file which starts with “BEGIN CERTIFICATE” and ends with “END CERTIFICATE”, then I appended it to the certdb.txt file which is located in my JInitiator home directory. After all of that I still have the Java exception ??

Any ideas ???

M.Muhtadi

mmuhtadi says December 25, 2007

Atul,

If SSL is not configured for Forms Layer, why shall I inform the JInitiator with the certified list of certificates ?????

amuhtadi says February 2, 2008

Hi mmuhtadi, I think I’m your brother, I was searching on the same website :)

Rick says December 17, 2008

Hi Atul,

I faced the same problem too when trying to launch SSL for web services only. The error I get is “Opening ….FormsLauncher/class.class” and the forms do not pop up. I read from certain sources that one workaround is to include the cert in the certdb.txt file.

Now, I have one question, if I purchase a commercial cert from one of the CAs that are specified in the certdb.txt file, example thawte, does that mean that I do not need to manually include the certdb.txt file?

Appreciate your help greatly. Thanks

Rick says December 17, 2008

Hi Atul,

Thanks for any comments

Atul Kumar says December 17, 2008

Rick,
For all standard certificates like Thawte or Verisign you do not need to include them in certdb.txt as they are pre-included in certdb.txt

Rick says December 17, 2008

Hi Atul,

The reason why I’m asking is because we actually purchased a thawte SSL web server cert but we still hit the problem.

Upon investigation, we found that the default cert for thawte that is in the certdb.txt file is actually meant for SSL 123 cert, not web server. Since both certs are signed using different root CA, see example below:

Default entry in certdb.txt:
“# Subject Name: CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, C=ZA”

Web server purchased:
“CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, C=ZA”

We checked with Thawte and they suspect that if we have purchased a SSL 123 cert in the first place, this problem would not have surfaced.

Do you think this will work instead?

Thank you

Atul Kumar says December 18, 2008

Rick,
Is there an intermediary CA as well in the certificate from Thawte?

Mail me the certificate at atul [at] onlineappsdba.com and your Jinitiator version, or simply open the CA and intermediary CA (if any) and then compare whether the same value (text) exists in the certdb.txt of Jinitiator

If it exists then it should work; if not it will not work and you need to rebuild Jinitiator.

Rick says December 21, 2008

Hi Atul,

We tried rolling out with a SSL 123 cert and it works fine. Thanks for the assistance rendered!

anilftg1 says September 27, 2009

Hi,
I am configuring on a TEST server; our server is oatest.abclife.com and it’s listening on port 10515.
I got the certificate from Verisign and did the steps.
1.Install certificate on windows side,also install certificate server.cer under
$COMMON_TOP/admin/certs/ssl.crt and also the key under ssl.key dir.
According to the Metalink doc I changed the xml file.
1. s_webentryhost is oatest
2. s_webentrydomain to abclife.com
3. s_active_webport to 10515
4. s_webentryurlprotocol to https
5. s_login_page to http://oatest.abcife.com:10515/oa_servlets/AppsLogin

I put correct entry in httpd.conf file
I tried everything but my page is not coming up. The networking guy says the port behind the firewall is open.
When I checked the connection, 10515 is connected; when I did it with 443 it is not connected.
Here is httpd.conf entry.
SSLCertificateFile
/testapp/applmgr/common/admin/certs/apache/ssl.crt/server.crt

SSLCertificateKeyFile
/testapp/applmgr/common/admin/certs/apache/ssl.key/server.key
SSLCertificateChainFile
/testapp/applmgr/common/admin/certs/apache/ssl.crt/ca.crt
Port 10515 I changed to 443 also but no success
Listen 10515

#
Listen 443
Where I am doing wrong so that my Https should work.like https://oatest.abc.com:443

Thanks
Anil

Atul Kumar says September 28, 2009

Anil,
Is this 11i or R12 ?

You mentioned

Listen 10515
#
Listen 443

Are there two listen ports (this is impossible unless you use a virtual host)?

1. Which is listen port ?
2. Update output of “netstat -an | grep ”
3. Which document you are using to configure SSL ?
4. Is there any error in error_log or ssl_engine_log

anilftg1 says September 28, 2009

Hi Atul,
I am using 123718.1 Doc Step 3.1.1. Configuring SSL with Oracle HTTP Server using Configuration Wizards. Client is on 11.5.9. Easy step, don’t know where I am going wrong. I changed all the variables in the xml file according to the doc.
My listen port is 10515 http://oatest.abclife.com:10515 works
Here is entry in my httpd.conf file.
Port 10515
Listen 10515

[appltest@oatest conf]$ netstat -an |grep 10515
tcp 0 0 0.0.0.0:10515 0.0.0.0:* LISTEN
Thanks
Anil

anilftg1 says September 28, 2009

Hi Atul,
I want my https://oatest.abclife.com:10515 to work.
Thanks
Anil

anilftg1 says September 28, 2009

Hi,
I checked one thing according to the doc. We have not applied patch Patch (TXK (FND) Patch O:5478710
I will apply and change the setting and post the result.
Thanks

anilftg1 says October 2, 2009

Hi Atul,
I applied the patch but still not able to configure. I want https://oatest.abc.com:10515 to work; without https it works fine. I am following the 123718.1 doc.
***************************
set the %s_url_protocol variable to https
set the %s_local_url_protocol variable to https
set the %s_webentryurlprotocol variable to https
set the %s_frmConnectMode variable to https
set the %s_webssl_port variable to the Apache SSL port required
set the %s_active_webport variable to the same value as that for the %s_webssl_port variable
set the %s_webport variable to the same value as that for the %s_webssl_port variable
Note: prior to TXK (FND) AutoConfig Template Rollup Patch F (3104607 December 2003) this value was set to the non-ssl Apache Port.
set the %s_web_ssl_directory variable to point to the full directory path of the directory that is to contain the .crt and .key files that you are using for Apache eg /admin/certs/apache
set %s_apps_portal_url variable to https
run AutoConfig as described in MetaLink Note 165195.1
*************
Where am I going wrong? If I change to 443 then in httpd.conf I see listen and port both 443.
Please guide me. http://oatest.abc.com:10515 works fine. What should I change?
Thanks
Anil

anilftg1 says October 2, 2009

Hi Atul,
If I change s_frmConnectMode=https it does not work, but if I leave it as socket then it works. I put s_webssl_port=10515.
Now I can see the page when I type https://oatest.abclife.com:10515/ but after that when I click on oracle application manager it works but if I click on Ebusiness home page it takes me to http://oatest.abclife.com:10515/oa_servlets/AppsLogin and no page found I am seeing here no https.
Is it that socket mode should be servlet? Don’t know, can you tell?
Thanks
Anil

Atul Kumar says October 4, 2009

@ Anil,
Let me understand your requirement correctly: you want to configure SSL in Apps to listen on port 10515 and for this you are following note 123718.1

After configuring SSL, when you try to access the website using https://server.domain:10515 you get page not found

If this is true then check

httpd.conf and look for entry like

Listen
Port

1. What is value of these two parameters ?
2. Any error in error_log, error_log_pls, ssl_error_log … under $IAS_ORACLE_HOME/ Apache/ Apache/ logs
3. Is machine listening on port 10515 when you start Apache

netstat -an | grep 10515

If not then check start up logs of Apache

mtriola says February 4, 2010

Atul,

In scenario 1, where SSL terminates at the load balancer, since we are setting the s_login_page to https://load_balancer_name.lb_domain:443/oa_servlets/AppsLogin
can you use the same load balancer for multiple E-Business Suite environments? I’m thinking no. Please advise. Thanks.

Atul Kumar says February 4, 2010

@mtriola, You can use the same load balancer but with a different URL i.e. https://loadbalancer2.lb_domain:443

Note – You don’t use the actual load balancer name but the entry in the load balancer.

You define Names/URLs in Load Balancer like

lbrName1:443 pointing to server1:8000 & server2:8000

or
lbrName2:443 pointing to server1:8001 & server2:8001

mtriola says February 5, 2010

Thanks Atul. I understand it now.

I have it set up so the load balancer forwards port 443 (oratstapp.monster.com:443) to 8080, which is my Apache server (I have 2 but only 1 running for testing). I can get to the initial page but when trying to login, I get a page cannot be displayed.

https://oratstapp.monster.com >>>works

when I try to Login it tries to connect to the below, without success. I turned on Apache debug but I’m not seeing anything in the logs. Any suggestions?

https://oratstapp.monster.com/OA_HTML/fndvald.jsp >>>>fails with page cannot be displayed

Atul Kumar says February 5, 2010

@ Mtriola
Which document are you following to configure the load balancer in front of Apps?

mtriola says February 5, 2010

123718.1 as well as your information.

mtriola says February 5, 2010

Atul,

I figured out my mistake. I had left the load balancer’s actual name in the s_webentryhost variable. I updated it to oratstapp and now it’s working. Thanks for setting me straight.

rizwan ghadiyali says May 3, 2011

Hi Atul ,

Access to forms from the load balancer (through SSL) is slow while directly accessing through the server is fast. We are using Jinitiator and JPI both. We are facing this issue while using JPI but not with Jinitiator. Any idea why this is happening?

Atul Kumar says May 3, 2011

@ rizwan ghadiyali,
This could be because of many reasons; to understand the issue:

1. Which load balancer you are using ?
2. Is SSL terminating at the load balancer or do you have SSL all the way till the forms server?

3. Is forms server running in socket mode or servlet listener mode ?

rizwan ghadiyali says May 9, 2011

Answering your question

1) we are using webcache as software load balancer

2) SSL is terminating at load balancer

3) We are using Oracle Application Server 10.1.2.3 so I am not able to find the adformsctl.sh utility .. So how do I check this ?

Inder says March 1, 2015

Hello Atul.
We are using 2 DMZ nodes for the iSupplier module where the SSL certificate persists, and a Load Balancer is also configured; now we want to use the SSL certificate on the Load Balancer instead of the DMZ nodes. Do you have any idea of a step by step approach for it?

Atul Kumar says June 8, 2015

@Inder,
Ask your load balancer team to configure an SSL certificate against the EBS URL for DMZ (they should know on the load balancer how to generate an SSL certificate and attach it to the profile of an entry in the LBR)
