Saturday, March 19, 2011

Configuring SSL on Oracle Beehive

This post describes how to create your own certificate authority, sign a server certificate with it, and install both into the Oracle Wallets used by your Oracle Beehive 2.x installation.

Obviously, adjust directory paths, passwords, and hostnames to match your environment. The passwords shown here (welcome, welcome1) are placeholders only; use real ones.

1. Set your environment
export BEE_HOME=/u01/app/oracle/product/2.0.1.0.0/beehive_1
export ORACLE_HOME=$BEE_HOME
export JAVA_HOME=$ORACLE_HOME/jdk
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/beehive/bin:$PATH   # orapki and owm live under bin, beectl under beehive/bin
2. Enable auto-login mode for the default wallet

With auto-login the wallet gets a cwallet.sso file that opens without a password, so any process that can read the wallet directory can use its private key. Make sure the directory is readable only by the OS account that runs Beehive.
orapki wallet create -wallet /u01/app/oracle/product/2.0.1.0.0/beehive_1/Apache/Apache/conf/ssl.wlt/default/ -auto_login -pwd welcome
3. Configure the Oracle Beehive instance to use Oracle Wallet
beectl list_properties --component beehive_instance_beehive1.beehiveapp.ipnweb.com --name WalletDir 
beectl modify_property --component beehive_instance_beehive1.beehiveapp.ipnweb.com --name WalletDir --value /u01/app/oracle/product/2.0.1.0.0/beehive_1/Apache/Apache/conf/ssl.wlt/default
beectl activate_configuration
4. Create your own certificate authority

The openssl command is installed on most Linux distributions. You will be prompted for a passphrase for the CA key and for the Distinguished Name of the CA certificate; the values I entered appear after each prompt below. Note that openssl of this era defaults to a 1024-bit RSA key and a SHA-1 signature, both of which current clients reject, so on a recent system add -newkey rsa:2048 -sha256. Guard cakey.pem carefully: anyone who holds it can issue certificates that your clients will trust.
/usr/bin/openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 3650
Generating a 1024 bit RSA private key
................++++++
.........++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase: welcome1
Verifying - Enter PEM pass phrase: welcome1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Maryland
Locality Name (eg, city) [Newbury]:Rockville
Organization Name (eg, company) [My Company Ltd]:IPN Web
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:beehive.ipnweb.com
Email Address []:admin@ipnwebbeehive.com
5. Create and export a certificate request with Oracle Wallet Manager

a. Run Oracle Wallet Manager:
owm
b. Open the default wallet by navigating to: Wallet --> Open

c. Open the following file:
/u01/app/oracle/product/2.0.1.0.0/beehive_1/Apache/Apache/conf/ssl.wlt/default
d. Navigate to: Operations --> Add Certificate Request

e. Enter the following information (pick 2048 as the key size if your OWM offers it; 1024-bit RSA is below what current clients accept):
   Common Name:          beehiveapp.ipnweb.com
   Organizational Unit:  IT
   Organization:         IPN Web
   Locality/City:        Rockville
   State/Province:       Maryland
   Country:              United States
   Key Size:             1024
f. A "Certificate:[Requested]" entry now appears under the wallet; select it.

g. Export the certificate by navigating to: Operations --> Export Certificate Request

h. Save the file as:
certreq.csr
6. Sign the certificate request with your CA

This signs the request exported from OWM with the CA key from step 4 and writes the server certificate to server.crt. Note that the certificate gets no Subject Alternative Name; current browsers match the hostname against the SAN rather than the Common Name, so on a recent system add an -extfile carrying subjectAltName=DNS:beehiveapp.ipnweb.com.
openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem -CAcreateserial -days 3650 > server.crt
Signature ok
subject=/C=US/ST=Maryland/L=Rockville/O=IPN Web/OU=IT/CN=beehiveapp.ipnweb.com
Getting CA Private Key
Enter pass phrase for cakey.pem: welcome1
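Steps 4 and 6 as one non-interactive script, added here as an example (it is not from the original post and not Oracle's tooling). It swaps the 2011 openssl defaults for a 2048-bit key, SHA-256 and a Subject Alternative Name, and verifies the result before anything goes near the wallet. It assumes openssl on the PATH and a scratch directory WORK; because the real certreq.csr comes from OWM in step 5, the script builds a constructed stand-in CSR so it can run on its own. The passphrase, hostname and DN values are the ones used above, except that the CA gets a descriptive Common Name instead of a hostname.

```shell
#!/bin/sh
# Added example, not from the original post: a non-interactive form of
# steps 4 (create your own CA) and 6 (sign the certificate request), with
# the 2011 openssl defaults (1024-bit RSA, SHA-1, no Subject Alternative
# Name) replaced by values current clients accept, plus the checks worth
# running before importing anything into the wallet.
# Assumptions: openssl is on PATH; WORK is a scratch directory; the CSR
# normally comes from OWM as certreq.csr, so make_stand_in_csr builds a
# constructed one with openssl so the script runs on its own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-welcome1}"                  # passphrase from the post; change it
SERVER_CN="${SERVER_CN:-beehiveapp.ipnweb.com}" # hostname clients connect to

# Step 4: private CA with an explicit CA:TRUE constraint and a 10-year lifetime.
make_ca() {
  cat >"$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C  = US
ST = Maryland
L  = Rockville
O  = IPN Web
OU = IT
CN = IPN Web Beehive CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -passout "pass:$CA_PASS" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.crt" 2>/dev/null
}

# Step 6: sign a CSR as a server certificate. The SAN is what clients match
# the hostname against; a Common Name alone no longer satisfies browsers.
sign_server_csr() {
  csr="$1"; out="$2"
  cat >"$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
EOF
  openssl x509 -req -sha256 -days 3650 -in "$csr" \
    -CA "$WORK/cacert.crt" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -passin "pass:$CA_PASS" -extfile "$WORK/server.ext" -out "$out" 2>/dev/null
}

# Pre-import checks: the chain verifies against our CA, the SAN is present,
# and the certificate carries the same public key as the CSR it was made from
# (OWM only accepts a user certificate that matches a request in the wallet).
verify_server_cert() {
  cert="$1"; csr="$2"
  openssl verify -CAfile "$WORK/cacert.crt" "$cert" >/dev/null &&
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$SERVER_CN" &&
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl req -in "$csr" -noout -pubkey)" ]
}

# Constructed stand-in for the certreq.csr that OWM exports in step 5.
make_stand_in_csr() {
  cat >"$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C  = US
ST = Maryland
L  = Rockville
O  = IPN Web
OU = IT
CN = $SERVER_CN
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/certreq.csr" 2>/dev/null
}

run_demo() {
  make_ca
  make_stand_in_csr
  sign_server_csr "$WORK/certreq.csr" "$WORK/server.crt"
  verify_server_cert "$WORK/server.crt" "$WORK/certreq.csr"
}

# ./beehive-ca.sh demo   (for a real OWM request: sign_server_csr certreq.csr server.crt)
case "${1:-}" in demo) run_demo && echo "CA and server certificate written to $WORK" ;; esac
```

Run it with the argument demo for the self-test. Against a real install, call make_ca once, then sign_server_csr on the certreq.csr exported in step 5, and import the resulting cacert.crt and server.crt in step 7 exactly as described above.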
7. Import the Trusted Certificate and User Certificate to Oracle Wallet Manager

a. Navigate to:  Operations --> Import Trusted Certificate

b. Import the following file:
cacert.crt
c. Navigate to:  Operations --> Import User Certificate

d. Import the following file:
server.crt
e. Click on:  Wallet --> Save

f. Click on:  Wallet --> Exit

8. Import Trusted Certificate and  User Certificate to OPMN wallet

a. Run Oracle Wallet Manager:
owm
b. Open the default wallet by navigating to: Wallet --> Open

c. Open the following file:
/u01/app/oracle/product/2.0.1.0.0/beehive_1/opmn/conf/ssl.wlt/default/
d. Perform Step 7 again

9. Copy the Apache wallet over the OPMN wallet

This copies the Apache wallet directory, including its auto-login file, over $ORACLE_HOME/opmn/conf/ssl.wlt, so whatever the OPMN wallet held after step 8, the two wallets are now identical and both contain the private key, server.crt and cacert.crt.
cd $ORACLE_HOME/opmn/conf
cp -Rp $ORACLE_HOME/Apache/Apache/conf/ssl.wlt .
10. Perform final Beehive configuration

OrmisEnabled switches the OC4J cluster to ORMIS (ORMI over SSL). The WalletDir value repeats step 3 and is harmless if already set; WalletPassword must be the password of the wallet from step 2.
beectl modify_property --component _CURRENT_SITE:ManagedOc4jCluster --name OrmisEnabled --value true
beectl list_components --type BeehiveInstance
beectl modify_property --component beehive_instance_beehive1.beehiveapp.ipnweb.com --name WalletDir --value /u01/app/oracle/product/2.0.1.0.0/beehive_1/Apache/Apache/conf/ssl.wlt/default/
beectl modify_secure_property --component beehive_instance_beehive1.beehiveapp.ipnweb.com --name WalletPassword --value welcome
beectl activate_configuration
11. Enabling AJPS (optional)

AJPS (AJP over SSL) encrypts the traffic between Oracle HTTP Server and the OC4J instances. I personally don't do this, mostly because this communication is internal to my network. If you must be PCI compliant, you may need to do this step; refer to the Oracle documentation in that case.
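A permissions check for the wallet directories from steps 3, 8 and 10, added here as an example (not from the original post and not Oracle's tooling). Step 2's auto-login mode writes a cwallet.sso that opens with no password, so file permissions are all that stands between a local user and the server's private key. The check assumes the wallet belongs to the OS account that runs Beehive and that the same account runs the check; its self-test uses constructed empty files, not real wallets.

```shell
#!/bin/sh
# Added example, not from the original post: after step 2 the wallet has an
# auto-login file (cwallet.sso) that opens with no password, so every process
# that can read the wallet directory can use the server's private key. The
# filesystem permissions on the directories from steps 3, 8 and 10 are the
# only protection left, and this check flags anything exposed.
# Assumption: the wallet is owned by the OS account that runs Beehive, which
# is also the account running this check.
set -eu

# Returns 0 if every regular file in DIR is owned by the caller and unreadable
# by group and others; otherwise lists each offending file on stderr and returns 1.
check_wallet_perms() {
  dir="$1"
  me="$(id -un)"
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # GNU stat first, BSD stat as the fallback
    owner="$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")"
    mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")"
    others=$(( 0$mode & 077 ))   # group and other bits of the octal mode
    if [ "$owner" != "$me" ] || [ "$others" -ne 0 ]; then
      echo "exposed: $f (owner $owner, mode $mode)" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Fix: restrict the directory and everything in it to the owning account.
lock_down_wallet() {
  chmod 700 "$1" && chmod 600 "$1"/*
}

# Constructed stand-in wallet for the self-test (empty files, not real wallets),
# with the typical mistake: the auto-login file left world-readable.
make_stand_in_wallet() {
  dir="$(mktemp -d)"
  : >"$dir/cwallet.sso"; : >"$dir/ewallet.p12"
  chmod 644 "$dir/cwallet.sso"
  chmod 600 "$dir/ewallet.p12"
  echo "$dir"
}

# Against a live install:
#   check_wallet_perms "$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default" || lock_down_wallet "$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default"
case "${1:-}" in
  demo) d="$(make_stand_in_wallet)"
        check_wallet_perms "$d" || { lock_down_wallet "$d"; check_wallet_perms "$d" && echo "fixed $d"; } ;;
esac
```

Run it with the argument demo to see the check fail on the constructed wallet and pass once lock_down_wallet has applied 700 on the directory and 600 on its files. Run check_wallet_perms on both the Apache and the OPMN wallet directories after step 9, since the copy preserves the source permissions.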


Applicable Versions:
  • Oracle Beehive 2.0.1

References:
  • http://download.oracle.com/docs/cd/E16671_01/bh.200/e16641/wallet.htm#CIHEFHCH
  • http://download.oracle.com/docs/cd/E16671_01/bh.200/e16641/ssl.htm#CBHJEIDE
  • http://download.oracle.com/docs/cd/E16671_01/bh.200/e16641/wallet.htm#CIHGACCJ
  • http://download.oracle.com/docs/cd/E16671_01/bh.200/e16641/ajp.htm#BEHCFBBF

Ahmed Aboulnaga

2 comments:

Chandru said...

Hi Ahmed,

Thanks for your valuable posts, which helped many developers across the world.

I have an issue.
we are on Soa suite 11.1.1.5 under /u01/oracle/Middleware.
I couldn't find owm under any of the folders in it.
But we have owm in /u01/apps/oracle/rcuhome/bin
When I run owm there, it gave me the following error.
Not sure what to do, kindly help me in resolving this.

[oracle@alvmnrvltsoa01 bin]$ ./owm
./owm: line 164: /ade/aime_rcuintegration_932542/rcuintegration/shiphome/rcuHome/jdk/jre//bin/java: No such file or directory
Done.


Thanks,
Chandru

Anonymous said...

Hi Chandru,

A few questions.

(1) Why are you running "owm"? What are you trying to do here?

(2) Before running the command below, type "which java" and paste the output here.