Oracle HTTP Server (OHS) 11g and 12c : Configure SSL
This article describes how to configure SSL for Oracle HTTP Server (OHS) 11g and 12c.
Related articles.
- Linux HTTP Server Configuration : SSL Configuration (HTTPS)
- Creating Self-Signed SSL Certificates
- WebLogic Server 11g and 12c : Configure SSL for a Managed Server
Configuration Options
Oracle HTTP Server (OHS) is an Apache HTTP Server with some extra modules included, so we can take the normal approach of configuring SSL like any other Apache server, as described in this article.
By default OHS uses a wallet containing a demo certificate to enable HTTPS. We should replace this demo certificate with a self-signed certificate or a certificate from a certificate authority. This article describes replacing the demo certificate with a self-signed certificate.
Create a Wallet and Certificate
The following article includes a number of methods for creating certificates, keystores and wallets.
Here is an example of creating a wallet containing a self-signed certificate.
mkdir -p ~/wallet
cd ~/wallet

$MW_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd WalletPasswd123 -auto_login

$MW_HOME/oracle_common/bin/orapki wallet add -wallet ./ -pwd WalletPasswd123 \
  -dn "CN=`hostname`, OU=Example Department, O=Example Company, L=Birmingham, ST=West Midlands, C=GB" \
  -keysize 1024 -self_signed -validity 3650
If you have an existing JKS keystore used to SSL-enable WebLogic managed servers, you can create a wallet from it with the following commands.
mkdir -p ~/wallet
cd ~/wallet

$MW_HOME/oracle_common/bin/orapki wallet create -wallet ./ -pwd WalletPasswd123 -auto_login

$MW_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet ./ -pwd WalletPasswd123 \
  -keystore ~/keystore/identity.jks -jkspwd KeystorePassword123
Edit ssl.conf
Edit the "$INSTANCE_HOME/ssl.conf" file, amending the following settings to these values.
SSLProtocol -All +TLSv1
SSLWallet "/home/oracle/wallet"
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!DHE:!RSA
Depending on the components you are using, and any additional configuration you have performed, you should check the following files too.
$INSTANCE_HOME/httpd.conf
$INSTANCE_HOME/admin.conf
You must restart OHS for the changes to take effect.
$DOMAIN_HOME/bin/stopComponent.sh ohs1
$DOMAIN_HOME/bin/startComponent.sh ohs1
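A check worth running before the restart, added here as an example and not part of the original article: it reads back the three ssl.conf directives set above and confirms the SSLWallet directory holds the auto-login file (cwallet.sso) with owner-only permissions. The function names (directive, check_ohs_ssl) and the temporary ssl.conf and wallet file are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit ssl.conf and its wallet.

directive() {  # directive NAME FILE -> value of the last uncommented occurrence
  awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                 END { print v }' "$2"
}

check_ohs_ssl() {  # prints one FINDING line per problem; returns 1 if any
  local conf=$1 findings=0 wallet sso proto ciphers must
  note() { echo "FINDING: $*"; findings=$((findings + 1)); }

  wallet=$(directive SSLWallet "$conf" | tr -d '"')
  sso=$wallet/cwallet.sso      # auto-login wallet file written by -auto_login
  if [ ! -f "$sso" ]; then
    note "no cwallet.sso in '$wallet'"
  elif [ "$(ls -l "$sso" | cut -c5-10)" != "------" ]; then
    note "$sso is accessible to group or others"
  fi

  proto=$(directive SSLProtocol "$conf")
  case "$proto" in
    -[Aa]ll\ *) ;;             # explicit allow-list, as in the article
    *) note "SSLProtocol '$proto' does not start with -All" ;;
  esac
  if echo "$proto" | grep -Eiq '\+SSLv[23]'; then
    note "SSLProtocol enables SSLv2/SSLv3"
  fi

  ciphers=$(directive SSLCipherSuite "$conf")
  for must in '!aNULL' '!MD5'; do
    case ":$ciphers:" in
      *":$must:"*) ;;
      *) note "SSLCipherSuite does not exclude ${must#!}" ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Constructed demo: throwaway wallet directory plus an ssl.conf with the article's values.
demo=$(mktemp -d)
: > "$demo/cwallet.sso"; chmod 600 "$demo/cwallet.sso"
cat > "$demo/ssl.conf" <<EOF
# SSLWallet "/old/demo/wallet"
SSLProtocol -All +TLSv1
SSLWallet "$demo"
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!DHE:!RSA
EOF
check_ohs_ssl "$demo/ssl.conf" && echo "OK: ssl.conf and wallet pass the checks"
```

Against a real instance, call check_ohs_ssl "$INSTANCE_HOME/ssl.conf"; any FINDING line names the directive or wallet file to fix before restarting.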
Hope this helps. Regards Tim...