SSL in Oracle Apps 11i / R12

To understand SSL in Oracle Applications 11i & R12, let's first understand the components involved.

Components in Apps which can listen for SSL Requests
———————————————
1. Load balancer (if you have one between clients and oracle apps)
2. Web Server (11i web server built on Oracle Apache)
3. Forms Server (if Forms is configured for Forms Listener, the default method in 11i. In Servlet mode, requests are fulfilled by the Web Server and you don't run a Forms Server) – For more on this, see my post Forms Listener & Forms Servlet Listener
4. OC4J Oracle Container for Java (only in R12 and not in 11i)
5. Database

So you can configure SSL in Oracle Applications as
————————————————————–
1. SSL from the client (browser) to the load balancer; Non SSL from the LB to all other Apps components. For this, the load balancer must have SSL acceleration capability: it decrypts client requests arriving as SSL, forwards them to the web server as Non SSL, receives the Non SSL response from the web server, encrypts it and sends it back to the user as SSL. Web Server, Forms and database all run in Non SSL.

If you don't have a load balancer (or yours has no SSL acceleration), then

2. SSL from the client (browser) to the Web Server, and Non SSL from the Web Server to the other components (Forms, database..) – Web Server should be configured for HTTPS

3. SSL to the Web Server and Forms, and Non SSL from these to the database (Forms and Web Server should be configured for HTTP)

4. SSL all the way to the database (Web Server, Forms & Database should all be configured for SSL)

Option 1, i.e. configure SSL for Apps where SSL terminates at the Load Balancer (BigIP or F5 SSL accelerator)
—————————–
This configuration is based on the following assumptions

1. Connection from Browser to Load Balancer is SSL (HTTPS) i.e. Load balancer is configured to listen on SSL Port
2. Connection from Load Balancer to server is non SSL (HTTP) i.e. Apps Web Server is listening on Non SSL Port
3. Conversion of SSL to Non SSL (requests coming from the user to the server) and Non SSL to SSL (responses served by the web server and returned to the user) is done by the load balancer (SSL accelerator). Examples of such SSL accelerators are F5 or Big IP
4. The load balancer (also acting as SSL accelerator) is doing port translation. To understand port translation, think of the load balancer as listening on port 443 (SSL port) whereas the web server is listening on a Non SSL port such as 8000. The load balancer routes all requests coming from users on port 443 to the server listening on 8000 (translating the port to 8000).

Configuration
In the context file (at $APPL_TOP/admin/$CONTEXT_NAME.xml) change the following parameters:

1. s_webentryhost to load balancer name
2. s_webentrydomain to load balancer domain-name
3. s_active_webport to load balancer port
4. s_webentryurlprotocol to load balancer protocol https or http
5. s_login_page to $s_webentryurlprotocol://$s_webentryhost.$s_webentrydomain:$s_active_webport/oa_servlets/AppsLogin

Other similar parameters in the context file which you don't change

s_webhost : Actual Host Name of Server on which 11i is installed
s_webdomain: Actual Domain-name of Server on which 11i is installed
s_webport : actual port on which HTTP Server for 11i is listening

Things to consider while doing SSL
—————————————————–
1. If you are using dummy or self-signed certificates, your forms will not open via Jinitiator and you will hit an error message like “load class oracle/apps/fnd/formsClient/FormsLauncher.class not found”. This is because the dummy CA is not listed in Jinitiator's repository of valid CAs (Certifying Authorities) at $install_location_of_jinitiator_on_client_pc\lib\security\certdb

Fix: Include the dummy non-standard Certifying Authority's certificates at $install_location_of_jinitiator_on_client_pc\lib\security\certdb (on the client machine)
  
  How to add CA’s certificate in Jinitiator at Client Machine & how to get test certificates coming soon..

2. If you are terminating SSL at the load balancer and the domain name of the load balancer is different from the domain name on the server, then login to OAM may fail because of different cookie domain values. Check “session.topleveldomain” in zone.properties
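
The context-file changes for Option 1 and the cookie-domain caveat above can be checked together before running AutoConfig. The following is an added example, not code from the original post or from Oracle: it assumes values are located by their `oa_var` attribute, and the element names, hosts and ports in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed context-file fragment; hosts, ports and element names are placeholders.
SAMPLE_CONTEXT = """<oa_context>
 <webentryhost oa_var="s_webentryhost">lb</webentryhost>
 <webentrydomain oa_var="s_webentrydomain">example.com</webentrydomain>
 <activewebport oa_var="s_active_webport">443</activewebport>
 <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
 <login_page oa_var="s_login_page">https://lb.example.com:443/oa_servlets/AppsLogin</login_page>
 <webhost oa_var="s_webhost">apps01</webhost>
 <domain oa_var="s_webdomain">corp.example.net</domain>
 <webport oa_var="s_webport">8000</webport>
</oa_context>"""

ENTRY_VARS = ("s_webentryhost", "s_webentrydomain", "s_active_webport",
              "s_webentryurlprotocol", "s_login_page")

def load_vars(xml_text):
    """Map every oa_var name to its value, whichever element carries it."""
    root = ET.fromstring(xml_text)
    return {e.get("oa_var"): (e.text or "").strip()
            for e in root.iter() if e.get("oa_var")}

def check_lb_termination(v):
    """Return a list of findings for SSL terminated at the load balancer."""
    missing = [k for k in ENTRY_VARS if not v.get(k)]
    if missing:
        return ["missing or empty: " + ", ".join(missing)]
    findings = []
    proto = v["s_webentryurlprotocol"].lower()
    if proto != "https":
        findings.append("s_webentryurlprotocol is '%s', browser leg is not SSL" % proto)
    # s_login_page must be built from the entry (load balancer) values, not the server's.
    expected = "%s://%s.%s:%s/oa_servlets/AppsLogin" % (
        proto, v["s_webentryhost"], v["s_webentrydomain"], v["s_active_webport"])
    if v["s_login_page"] != expected:
        findings.append("s_login_page is %s, expected %s" % (v["s_login_page"], expected))
    if v["s_active_webport"] == v.get("s_webport"):
        findings.append("s_active_webport equals s_webport, no port translation configured")
    if v["s_webentrydomain"] != v.get("s_webdomain"):
        findings.append("entry domain differs from s_webdomain, check session.topleveldomain")
    return findings

if __name__ == "__main__":
    for line in check_lb_termination(load_vars(SAMPLE_CONTEXT)) or ["ok"]:
        print(line)
```
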

What is different w.r.t. SSL in 11i & R12
———————————————————–
In 11i, Web Server certificates (public key & private key) are stored as text files on the server, whereas in R12 certificates for the Web Server are stored in Wallets (Oracle Wallets – OWM)

P.S. Forms & Database certificates in both 11i & R12 are stored in Wallets (Oracle Wallet Manager)

About the Author Masroof Ahmad
