Definitions, Acronyms, and Abbreviations
Term | Description
OHS | Oracle HTTP Server
PKCS12 | Public-Key Cryptography Standards #12: an archive format that bundles a private key with its X.509 certificate and chain in a single password-protected file (.p12 or .pfx); see https://en.wikipedia.org/wiki/PKCS_12
TLS | Transport Layer Security (https://en.wikipedia.org/wiki/Transport_Layer_Security)
SSL | Secure Sockets Layer, the predecessor of TLS (http://info.ssl.com/article.aspx?id=10241)
Keystore | Java keystore (.jks): the file keytool uses to hold private keys and certificates
Wallet | Oracle wallet: the container OHS reads its key and certificates from (ewallet.p12 plus the auto-login cwallet.sso)
Keytool | Key and certificate management utility shipped with the JDK
openssl | OpenSSL command-line tool, used here to convert the PEM key and certificate into a PKCS12 file
orapki | Oracle PKI command-line utility for creating and managing wallets, found under $MIDDLEWARE_HOME/oracle_common/bin
Ports:
Make sure the following ports are open on the OHS machine:
SSL: 4443 (recommended)
Non-SSL: 7777 (may differ in your environment)
Step 1: Importing an existing SSL key/certificate pair into a Java keystore
If you have been given a certificate (.crt) and private key (.key) file pair, possibly with a passphrase on the key, follow the steps in John Graham-Cumming's blog post (http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html). His steps:
1. Suppose you have a certificate and key in PEM format. The key is named host.key and the certificate host.crt.
2. The first step is to convert them into a single PKCS12 file using the command: openssl pkcs12 -export -in host.crt -inkey host.key > host.p12. You will be asked for various passwords (the password to access the key (if set) and then the password for the PKCS12 file being created).
3. Then import the PKCS12 file into a keystore using the command: keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12. You now have a keystore named host.jks containing the certificate/key you need.
Whatever the source, the key and all certificates (the server certificate plus any intermediate CA certificates) have to be bundled into one PKCS12 file (.p12 or .pfx) and then imported into a single Java keystore (.jks). Intermediates are not picked up automatically: pass them to openssl pkcs12 with -certfile, otherwise the wallet built in Step 2 will lack them and OHS will present an incomplete chain.
To know more about PKCS12, read https://en.wikipedia.org/wiki/PKCS_12:
"In cryptography, PKCS 12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust"
Step 2: Convert the Java keystore to an OHS wallet
2.1 Create OHS Wallet
To create a password-protected wallet (producing both ewallet.p12 and cwallet.sso), run the following command. Welcome1 in the transcript below is only a placeholder; choose a strong wallet password:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet <path> -auto_login
For example:
/fmw11g/webtier/oracle_common/bin/orapki wallet create -wallet /fmw11g/instances/webtier/config/OHS/ohs1/keystores/default/newwallet -auto_login
Please enter a password for this Wallet: Welcome1
Please confirm the password: Welcome1
To create an Auto-Login Only Wallet (cwallet.sso only), run the following command:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet <path> -auto_login_only
For example:
/fmw11g/webtier/oracle_common/bin/orapki wallet create -wallet /fmw11g/instances/webtier/wallet -auto_login_only
2.2 Convert the Java keystore into the wallet
Convert the Java keystore into the Oracle wallet created above by running:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet <wallet_location_from_Step2> [-pwd <wallet_pwd>] -keystore <keystore_location_from_Step1>/ewallet.jks -jkspwd <Step1_pwd> [-auto_login_only]
Here ewallet.jks stands for whatever keystore you produced in Step 1 (host.jks in the example above), and <Step1_pwd> is that keystore's password.
For example for a Password Protected Wallet:
/fmw11g/webtier/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet /fmw11g/instances/webtier/config/OHS/ohs1/keystores/default/newwallet -pwd Welcome1 -keystore /fmw11g/webtier/oracle/common/bin/ewallet.jks -jkspwd Welcome1
For the auto-login-only wallet created above (it has no wallet password, so no -pwd):
/fmw11g/webtier/oracle_common/bin/orapki wallet jks_to_pkcs12 -wallet /fmw11g/instances/webtier/wallet -keystore /fmw11g/webtier/oracle/common/bin/ewallet.jks -jkspwd Welcome1 -auto_login_only
The wallet is now ready for use with Fusion Middleware 11g/12c. Oracle HTTP Server reads the auto-login file (cwallet.sso), so both wallet types work for the server itself; the difference is that -auto_login also keeps the password-protected ewallet.p12 next to cwallet.sso, which you need in order to open or modify the wallet later in tools such as Oracle Wallet Manager. Either way, cwallet.sso is protected only by file permissions: anyone who can read it can use the private key, so restrict the wallet directory to the OHS runtime user.
Finally, point the SSLWallet directive in ssl.conf at the new wallet directory and restart OHS.
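The two steps above as one scripted run, added here as an example and not taken from the original post or from Oracle's tooling docs. It checks that the key actually belongs to the certificate before bundling, carries the intermediate chain through the PKCS12 file, confirms the keystore holds a private key entry, and only then calls orapki. Assumptions: openssl and keytool are on PATH; orapki is under $MW_HOME/oracle_common/bin (defaulting to /fmw11g/webtier as in the post) unless $ORAPKI is set; passwords are supplied through the environment variables KS_PASS, KEY_PASS and WALLET_PASS rather than typed on the command line; the alias name ohs and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: PEM key + certificate -> PKCS12 ->
# Java keystore -> Oracle wallet, checking each hop. Assumptions: openssl and
# keytool are on PATH; orapki lives under $MW_HOME/oracle_common/bin (default
# /fmw11g/webtier as in the post) unless $ORAPKI is set; passwords come from the
# environment (KS_PASS for the .p12/.jks, KEY_PASS if the PEM key is encrypted,
# WALLET_PASS for the wallet) rather than from command-line arguments.

# Public key in PEM form taken from a private key or a certificate; empty on error.
pubkey_pem() {  # file key|cert
  if [ "$2" = key ]; then
    openssl pkey -in "$1" ${KEY_PASS:+-passin env:KEY_PASS} -pubout 2>/dev/null
  else
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
  fi
}

# 0 when the private key belongs to the certificate. A mismatch here would otherwise
# surface only as a TLS handshake failure after the wallet is installed.
key_matches_cert() {  # key.pem cert.pem
  k=$(pubkey_pem "$1" key); c=$(pubkey_pem "$2" cert)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 1: PEM -> PKCS12 -> JKS. Intermediate CA certificates (chain file, may be
# "") are added with -certfile so the keystore, and later the wallet, carry the
# full chain the server must present.
pem_to_jks() {  # key.pem cert.pem chain.pem-or-"" out.jks
  key=$1; cert=$2; chain=$3; jks=$4; p12=${jks%.jks}.p12
  key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
  if [ -n "$chain" ]; then set -- -certfile "$chain"; else set --; fi
  openssl pkcs12 -export -in "$cert" -inkey "$key" "$@" -name ohs \
    ${KEY_PASS:+-passin env:KEY_PASS} -passout env:KS_PASS -out "$p12" 2>/dev/null || return 1
  rm -f "$jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
    -destkeystore "$jks" -deststoretype JKS -deststorepass:env KS_PASS >/dev/null 2>&1 || return 1
  chmod 600 "$p12" "$jks"
}

# The keystore must contain the private key entry, not only trusted certificates;
# orapki converts whatever is in it.
jks_has_private_key() {  # out.jks
  keytool -list -keystore "$1" -storepass:env KS_PASS 2>/dev/null | grep -q PrivateKeyEntry
}

# Step 2: password-protected wallet with auto-login. cwallet.sso lets anyone who can
# read it use the private key, so the directory is locked to the OHS runtime user.
# orapki takes passwords as arguments, which are visible in the process list while
# it runs; run this only on the OHS host from a protected shell.
jks_to_wallet() {  # host.jks /path/to/wallet
  orapki=${ORAPKI:-${MW_HOME:-/fmw11g/webtier}/oracle_common/bin/orapki}
  mkdir -p "$2" && chmod 700 "$2"
  "$orapki" wallet create -wallet "$2" -pwd "$WALLET_PASS" -auto_login || return 1
  "$orapki" wallet jks_to_pkcs12 -wallet "$2" -pwd "$WALLET_PASS" \
    -keystore "$1" -jkspwd "$KS_PASS" || return 1
  chmod 600 "$2/ewallet.p12" "$2/cwallet.sso"
  "$orapki" wallet display -wallet "$2" -pwd "$WALLET_PASS"   # lists the user cert and chain
}
```

With KS_PASS and WALLET_PASS exported, `pem_to_jks host.key host.crt chain.crt host.jks && jks_has_private_key host.jks && jks_to_wallet host.jks /fmw11g/instances/webtier/config/OHS/ohs1/keystores/default/newwallet` reproduces Step 1 and Step 2; afterwards point SSLWallet in ssl.conf at that directory. The key/certificate comparison is deliberately done on the public key rather than on file names, because a wallet built from a mismatched pair converts without error and fails only at the first handshake.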