Monday, December 22, 2014

Install OHS Certificate


To secure the HTTP communication between web browsers and the OHS web server, you need to install a certificate from a trusted authority on the OHS server.
By default OHS stores the keys in the keystore located at
$INSTANCE/config/OHS/ohs5/keystores/default

By default OHS uses the keystore cwallet.sso defined at the above location. It is a good idea to leave the default keystore alone and create your own keystore at a different location.

Follow the steps below to set up the certificate:

1> Start the Oracle Wallet Manager (owm)

owm is an Oracle-provided utility that you can use to manage the keystore and certificates. You can find it in $OHS_HOME/bin.

Example:
cd /app/oracle/product/fmw/webServer/bin
./owm

This will start the OWM interface.





2> Create a new Oracle Wallet

Click on Wallet --> New to create a new wallet. You will be asked to enter a password for the wallet.




When you click OK, a new wallet will be created for you.




3> Create a Certificate Signing Request (CSR)

Clicking "Yes" on the confirmation window will create a new CSR window. Alternatively, you could choose Operations --> "Add Certificate Request" to create a CSR.

Supply the information for your CSR





4> Get the certificate

Right-click on the CSR --> Export it. Send it to the certificate authority (CA). The CA will send back a trusted certificate and a user certificate.





Save the above wallet. Once you receive the 2 certificates, open the wallet again and import the certificates.


5> Import the certs

Import the trusted cert first.

sftp the certificate received from the CA to the server, then use OWM to import the cert.





A message will be displayed at the bottom saying that the certificate was imported successfully.
Follow the same procedure to import the user certificate.

The certificate will be shown as ready after the user certificate is imported.



Save the wallet. There will be 2 files created at the save location.

cwallet.sso
ewallet.p12

6> Modify the config files

You could create a new keystore parallel to the default location

Default keystore: $INSTANCE/config/OHS/ohs5/keystores/default
Custom keystore: $INSTANCE/config/OHS/ohs5/keystores/custom

Copy the newly created wallet file to the custom location. The location of the keystore is set in the configuration files and is loaded when the server starts. Modify the config files to change the location.

Stop the web server.
Go to the config location, $INSTANCE/config/OHS/oha1
grep for the file containing SSLWallet; usually it is ssl.conf

 #Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"


   <FilesMatch "\.(cgi|shtml|phtml|php)$">

Modify the SSLWallet setting to point to the directory where the new keystore is located.

Restart the web server.

Test by going to the https:// url
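
A check for step 6, added here as an example and not part of the original post: it reads the SSLWallet directive from ssl.conf, confirms the directory holds cwallet.sso, and flags wallet files that are accessible beyond their owner (cwallet.sso is an auto-login wallet, so it opens without the wallet password). The function names are hypothetical, and the script assumes ORACLE_INSTANCE, COMPONENT_TYPE and COMPONENT_NAME are exported with the values OHS uses.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Function names are hypothetical.
# Assumes ORACLE_INSTANCE, COMPONENT_TYPE and COMPONENT_NAME are exported
# with the values OHS uses, and that the wallet path contains no spaces.

# Print the directory named by the last active SSLWallet directive in $1,
# with the ${VAR} references expanded from the environment.
wallet_dir() {
    awk '
        $1 == "SSLWallet" { p = $2 }   # commented-out directives do not match
        END {
            if (p == "") exit 1
            gsub(/"/, "", p)
            n = split("ORACLE_INSTANCE COMPONENT_TYPE COMPONENT_NAME", v, " ")
            for (i = 1; i <= n; i++) {
                ref = "${" v[i] "}"
                while ((k = index(p, ref)) > 0)
                    p = substr(p, 1, k - 1) ENVIRON[v[i]] substr(p, k + length(ref))
            }
            print p
        }' "$1"
}

# Return 0 if the wallet is present and private, 1 if it cannot be found,
# 2 if a wallet file is accessible to group or others.
audit_wallet() {
    dir=$(wallet_dir "$1") || { echo "FAIL: no SSLWallet directive in $1"; return 1; }
    [ -f "$dir/cwallet.sso" ] || { echo "FAIL: no cwallet.sso in $dir"; return 1; }
    case $dir in
        */keystores/default) echo "NOTE: still using the default keystore" ;;
    esac
    rc=0
    for f in "$dir/cwallet.sso" "$dir/ewallet.p12"; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $f is accessible beyond its owner"
            rc=2
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: wallet in $dir"
    return "$rc"
}

# Run directly with the path to ssl.conf as the only argument.
if [ "$#" -gt 0 ]; then audit_wallet "$1"; fi
```

Run it as the OS user that owns the OHS instance, before restarting the web server; a result of 2 is fixed with chmod 600 on the reported file.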

--have fun








1 comment:

  1. Nice post Manish, appreciate your efforts to share your expertise on this. I have to do this within a couple of weeks, will post my results/experience/errors here if you could help.
