Oracle HTTP Server, client certificate chain

I use Oracle (Apache) HTTP Server, installed from the Oracle SOA Suite distribution.
There are 2 types of SSL client cert chains that I use: client-issue-root and client-root.
My SSL works fine, except that I need to configure mod_ossl to accept only user certificates signed by the certificate issuer (not the root).
I added the SSLRequire directive:
SSLOptions StdEnvVars ExportCertData
SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/issue.cer"))
but this doesn't work (the condition expression always evaluates to false), and with
SSLOptions StdEnvVars ExportCertData
SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == "")
the condition always evaluates to true.
So, SSL_CLIENT_CERT_CHAIN_0 is ALWAYS EMPTY.
I've tried different versions of ApacheModuleOSSL.dll (built on 09/19/2006, version 10.1.3.1, and on 06/12/2007, version 10.1.3.3); the result is the same.
I've found something about mod_ssl (not mod_ossl) in "Technologies for Information Environment Security: TIES project report" (http://edina.ac.uk/projects/ties/ties_23-9.pdf):
"NOTE: This is the second, and more significant, problem we encountered in this area of mod_ssl: the first caused all the
SSL_CLIENT_CERT_CHAIN_n environmental variables to be empty. We traced this bug back to a literal +17 offset into a
character string that should have been +18, but by the time we had done so, a fixed version was available."
Is there the same problem in mod_ossl?
Does anybody have any ideas?

Once again)
http://www.mail-archive.com/[email protected]/msg11705.html
I've got a question for Oracle developers: is this the same problem in OHS and OHS2 mod_ossl?
And if yes, when can we expect the patch?
Thanks!
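
The restriction asked about in this thread, accepting only client certificates issued directly by the intermediate ("issue") CA and not by the root, can be checked offline with the openssl command line. The script below is an added example, not part of the thread and not a mod_ossl configuration; the throwaway PKI, the CA and file names, and the function names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: constructed throwaway PKI; every name and path is an assumption.
set -eu

# Create an unencrypted 2048-bit key and a CSR: $1 = dir, $2 = basename, $3 = CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build both chain types from the question in directory $1:
#   client_via_issuer -> issuer -> root   ("client-issue-root")
#   client_via_root   -> root             ("client-root")
build_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Issuing (intermediate) CA, signed by the root and marked CA:TRUE.
    new_csr "$d" issuer "Demo Issuing CA"
    openssl x509 -req -in "$d/issuer.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 30 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/issuer.pem" 2>/dev/null
    # Client certificate signed by the issuing CA.
    new_csr "$d" client_via_issuer "alice"
    openssl x509 -req -in "$d/client_via_issuer.csr" -CA "$d/issuer.pem" \
        -CAkey "$d/issuer.key" -set_serial 3 -days 30 \
        -out "$d/client_via_issuer.pem" 2>/dev/null
    # Client certificate signed directly by the root.
    new_csr "$d" client_via_root "bob"
    openssl x509 -req -in "$d/client_via_root.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 4 -days 30 \
        -out "$d/client_via_root.pem" 2>/dev/null
}

# True only if certificate $1 was issued directly by CA certificate $2:
#  1. the leaf's issuer DN must equal the CA's subject DN, and
#  2. the leaf's signature must verify with that CA as the only trust anchor
#     (-partial_chain lets a non-root CA act as anchor, -no-CApath skips the
#     default CA directory).
issued_directly_by() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed 's/^issuer= *//')
    ca_subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$ca_subject" ] || return 1
    openssl verify -partial_chain -no-CApath -CAfile "$2" "$1" 2>/dev/null |
        grep -q ': OK$'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo_pki "$demo_dir"

for c in client_via_issuer client_via_root; do
    if issued_directly_by "$demo_dir/$c.pem" "$demo_dir/issuer.pem"; then
        echo "$c: accepted (issued by the issuing CA)"
    else
        echo "$c: rejected (not issued by the issuing CA)"
    fi
done
```

The same function can be pointed at a real client certificate and the real issue.cer (converted to PEM) to confirm which chain type a given certificate belongs to.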

Similar Messages

  • Weblogic certificate is not being authenticated in Oracle HTTP Server

    I am using Oracle HTTP Server with SSL and mod_proxy set up, trying to pass a URL through to the WebLogic server. I start with my OHS URL in the browser and the proxy switches to the URL for WebLogic, but I get the following error on the OHS side:
    [2011-12-22T18:40:09.4683-07:00] [OHS] [INCIDENT_ERROR:32] [OHS-2077] [core.c] [host_id: denovm11-6] [host_addr: 10.139.164.196] [tid: 1155799360] [user: root] [ecid: 004hBXzInYHEOPb_THt1ic0007DM000002] [rid: 0] [VirtualHost: social.us.oracle.com:443] nzos proxy handshake error, nzos_Handshake returned 29024(server social.us.oracle.com:443, client 10.139.164.191)
    [2011-12-22T18:40:09.4683-07:00] [OHS] [INCIDENT_ERROR:32] [OHS-2171] [core.c] [host_id: denovm11-6] [host_addr: 10.139.164.196] [tid: 1155799360] [user: root] [ecid: 004hBXzInYHEOPb_THt1ic0007DM000002] [rid: 0] [VirtualHost: social.us.oracle.com:443] NZ Library Error: Invalid X509 certificate chain [Hint: the client probably doesn't provide a valid client certificate]
    [2011-12-22T18:40:09.4685-07:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: denovm11-6] [host_addr: 10.139.164.196] [tid: 1155799360] [user: root] [ecid: 004hBXzInYHEOPb_THt1ic0007DM000002] [rid: 0] [VirtualHost: social.us.oracle.com:443] (20014)Internal error: proxy: pass request body failed to 10.139.164.191:7001 (denovm11-1.us.oracle.com)
    [2011-12-22T18:40:09.4685-07:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: denovm11-6] [host_addr: 10.139.164.196] [tid: 1155799360] [user: root] [ecid: 004hBXzInYHEOPb_THt1ic0007DM000002] [rid: 0] [VirtualHost: social.us.oracle.com:443] proxy: pass request body failed to 10.139.164.191:7001 (denovm11-1.us.oracle.com) from 10.139.164.196 ()
    And the following error on the weblogic side:
    ####<Dec 22, 2011 6:40:10 PM MST> <Warning> <Security> <denovm11-1> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <8e6c6502a1af117a:4eeee51e:13466bb040d:-8000-000000000000a764> <1324604410502> <BEA-090482> <BAD_CERTIFICATE alert was received from denovm11-6.us.oracle.com - 10.139.164.196. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    Here is my ssl.conf from OHS:
    # Oracle HTTP Server mod_ossl configuration file: ssl.conf #
    # OHS Listen Port
    Listen 443
    <IfModule ossl_module>
    ## SSL Global Context
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    # Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is a internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin
    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    <IfModule mpm_winnt_module>
    SSLMutex "none"
    </IfModule>
    <IfModule !mpm_winnt_module>
    SSLMutex pthread
    </IfModule>
    ## SSL Virtual Host Context
    <VirtualHost *:443>
    <IfModule ossl_module>
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional and require.
    SSLVerifyClient none
    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
    # SSL Certificate Revocation List Check
    # Valid values are On and Off
    SSLCRLCheck Off
    #Path to the wallet
    SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule proxy_module>
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    # Path to the wallet
    SSLProxyWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
    SSLProxyEngine on
    SSLProxyVerify none
    # ottest : denovm11-1
    ProxyPass /test https://abc.us.oracle.com:7001/test
    ProxyPassReverse /test https://abc.us.oracle.com:7001/test
    </IfModule>
    </VirtualHost>
    </IfModule>
    On the OHS side I have all the certificates needed so SSL is working properly. The weblogic environment is currently working fine with other webgates, but those are apache and we are trying to switch to OHS.
    Can OHS use mod_proxy to connect to weblogic or do I need to use mod_wl_ohs?
    Does anyone see anything wrong in my ssl.conf file with regard to the proxy section?
    Thanks in advance.

    In summary:
    You need to create a new wallet with CSR (certificate signing req)
    Send this to your certificate authority and get the signed server certificate.
    Now import the signed server cert and the trusted root cert in to the wallet that you created newly.
    Modify ssl.conf to point to the new wallet location.
    To create wallet refer to : http://docs.oracle.com/cd/E25054_01/core.1111/e10105/wallets.htm#CHDGIJDC
    Further reference: http://docs.oracle.com/cd/E25054_01/core.1111/e10105/sslconfig.htm#CBDGIJDF
    Don't mind if this doc is 500 pages ;)

  • SSL Certificate problem in the Oracle http server

    Hi,
    I have set up the Oracle HTTP Server (OHS 11g) on a Linux machine and we created a virtual directory to access a web application.
    With a non-SSL connection it works fine, but when we try to use the SSL connection we are not able to access the web application; the port (4443) is not up.
    We require help with this issue.
    regards,
    Suresh G
    Edited by: Sangeetha on Jan 3, 2013 12:13 PM

    Hi Suresh,
    Did you check the port?
    Also, could you paste the steps you followed to configure SSL on OHS?
    Cheers :-)

  • Installation of the VeriSign digital certification in Oracle HTTP Server

    I am not able to generate the key pair and the CSR in Oracle HTTP Server; I would be thankful for any tips.
    Thanks
    Leandro

    Hi Leandro,
    Here are some steps to setup digital certificates into Oracle HTTP Server for Unix.
    1. The temporary working directory is /u01/tmp/myssl.
    2. The contents of <9iAS_HOME>/Apache/open_ssl/bin have been copied to the
    temporary working directory created in Assumption #1.
    3. SSL file names are priv.key (private key), certreq.csr (certificate request),
    and cert.crt (SSL certificate). The actual SSL certificate file could be
    named other than 'cert.crt'.
    4. By default, SSL is configured using port 443, which requires ROOT access to
    start the web listener.
    If you want to change this from the default port, you will need to change
    the following two parameters in the httpd.conf file to an unused port number:
    Listen 443
    <VirtualHost default:443>
    5. All necessary UNIX environment variables are set correctly for your Oracle
    product before implementing these procedures.
    6. User must be familiar with UNIX concepts like shell navigation, UNIX
    environments, file manipulation/search, file copy/backups, etc.
    How to Request and Configure an SSL Certificate for Oracle9i Application Server
    Step-by-Step Instructions:
    1. Change your present working directory to the temporary working directory, e.g.,
    /u01/tmp/myssl. Ensure the contents of <9iAS_HOME>/Apache/open_ssl/bin have
    been copied into this temporary working directory.
    2. Copy 5 large files, each at least 250KB, into your temporary working directory.
    Suggest looking in any /bin directory for large sized binary files. Execute
    the following command to generate the random character file:
         % openssl md5 * > rand.rnd
    3. Execute the following command to generate the private key (priv.key):
    % openssl genrsa -rand rand.rnd -des3 1024 > priv.key
         - when prompted, enter a "PEM pass phrase" password
         - re-enter password when prompted to verify password
         -- remember the pass phrase password you entered
         - this command generates the priv.key file and associated pass phrase
         - set permissions on the priv.key file to prevent unauthorized editing
         % chmod 400 priv.key
         - backup the priv.key file to a secure location
    NOTE
    The PEM pass phrase must be at least 4 characters in length. Remember this
    pass phrase, you will be prompted to enter it in the next step and each
    time you start up the Oracle HTTP Server (OHS) in SSL mode.
    Optionally, you can unencrypt the value of the private key, so that you
    will not be prompted for the PEM pass phrase every time you start up OHS
    in SSL mode.
    To unencrypt the private key, execute the following two commands (Note:
    ensure file permissions set to r+w):
         % cp priv.key priv.key.bak
         % openssl rsa -in priv.key.bak -out priv.key
    - the demo certificate shipped with Oracle9iAS does not require a pass
    phrase to start OHS in SSL mode.
    - on UNIX, to generate the certificate request and start OHS in SSL mode,
    the pass phrase must be entered, unless you executed the above steps
    to unencrypt.
    - on Windows NT/2000, if a certificate is used that has a pass phrase,
    the OHS will hang; therefore, on Windows NT/2000, you must execute
    the steps to unencrypt.
    4. Execute the following command to generate an SSL certificate request
    (certreq.csr) based on your private key.
         % openssl req -new -key priv.key -out certreq.csr -config openssl.cnf
         - when prompted, enter the "PEM pass phrase" set when the private key
    was created.
         - when prompted, enter the requested fields that make up the
    Distinguished Name.
         -- each entry must be valid information, i.e., email, state, location, etc.
         - when prompted for the "Common Name", you MUST enter the fully
    qualified name which will be accessed via client browsers; e.g.,
    if clients will use:
    https://mysite.domain.com
         -- then, you must enter mysite.domain.com as the "Common Name"
         - the requested 'extra' attributes, i.e., "challenge password" and
    "optional company name", are OPTIONAL; just hit ENTER to use NULL values.
    5. You should now have the private key and certificate request files (priv.key
    and certreq.csr) in your temporary working directory.
    NOTE
    At this point, you can use your certificate request file 'certreq.csr' to
    order a valid SSL certificate from any CA-vendor, e.g., Verisign.
    After you receive your SSL certificate, skip to Step #6 for instructions
    on how to deploy your SSL files.
    OPTIONAL
    You can start 9iAS in SSL mode (see Step #12) and test the pre-installed demo
    certificate and private key included for testing purposes.
    It is a good idea to test to be sure the Oracle HTTP Server SSL mode works
    successfully before deploying your new SSL certificate. To try these demo
    files, access the 9iAS index page in a browser using the HTTPS protocol and
    the appropriate SSL Listen port. URL format:
    https://myhost.domain.com:<ssl_port>
    The user will see a Security Alert (IE), or New Site Certificate (Netscape)
    warning message, click Continue/Next to accept.
    OPTIONAL
    To create a self-signed certificate, execute the following commands:
    (csh) % setenv RANDFILE rand.rnd
    <sh or ksh> % export RANDFILE=rand.rnd
    % openssl x509 -req -days 30 -in certreq.csr -signkey priv.key > tempcert.crt
    - when prompted, enter the "PEM pass phrase" set when the private key was created.
    - this command generates a temporary self-signed certificate file 'tempcert.crt'
    valid for 30 days, which can be used while awaiting a valid SSL certificate
    purchased from an authorized CA-vendor.
    - if this option is used, after generating the 'tempcert.crt' file, skip to
    Step #6 for instructions on how to deploy your SSL files.
    OPTIONAL
    These steps are specifically for requesting a TRIAL certificate from the
    CA-vendor Verisign.
    - Go to www.verisign.com and click on "Free Guides and Trials" link and
    follow instructions to request a "Free Trial SSL ID". During this process,
    you will be asked to provide certificate request information.
    - Open the 'certreq.csr' file using your text editor of choice.
    - Starting with "-----BEGIN NEW CERTIFICATE REQUEST-----" copy all lines
    including the BEGIN and END of certificate lines.
    - Paste this copied data into the Verisign page where requested and continue.
    - You will see the Verisign web site decode your certificate request
    information. This decoded information is presented to you to verify it is
    correct. If it is, then continue with the process.
    - You will be presented with another set of questions from Verisign. Be sure
    to answer with the correct email address, as this address will be used to
    send your SSL certificate.
    - After you answer all these questions, you will be sent a TRIAL 14-day
    SSL certificate via email.
    - WARNING! You must follow this step carefully, you cannot copy and paste
    information from an email to a new text file. After you get your TRIAL
    certificate, save the entire email message to a text file. Open this file
    using your text editor of choice. You will see the email address header
    information and the line:
    -----BEGIN CERTIFICATE-----
    - Delete all text that appears before the -----BEGIN CERTIFICATE----- line.
    The modified file should contain only certificate information. After you
    delete the email header, save this text file inside your temporary directory
    with the filename 'trialcert.crt'.
    6. Now you are ready to configure Oracle9i Application Server (9iAS) with your
    SSL certificate files.
    7. Back up your existing <9iAS_HOME>/Apache/Apache/conf/httpd.conf file.
    8. Open the httpd.conf file with your text editor of choice.
    9. Edit the following httpd.conf directives to use your generated private key
    and SSL certificate file, which could be the filename for either the
    temporary self-signed certificate, the TRIAL test certificate, or the
    purchased valid certificate. The information following the # symbol are
    comments.
    NOTE
    The directory of the SSL files (private key and certificate file)
    can reside in any location you choose. The temporary working
    directory will continue to be referenced in these procedure steps.
    # use the appropriate (i.e., valid, temporary, or trial) certificate filename
    SSLCertificateFile /u01/tmp/myssl/tempcert.crt
    #private key from Step #4 above:
    SSLCertificateKeyFile /u01/tmp/myssl/priv.key
    10. Save your modified httpd.conf and exit the text editor.
    11. Log in as authorized user (if default ports 80 and 443 are used, ROOT user
    must execute commands in next step).
    12. Execute the following command to stop, then start Apache in SSL mode
    (ensure proper UNIX environments are set; else, execute command from
    <9iAS_HOME>/Apache/Apache/bin.)
    For Oracle8iAS 1.x:
    % httpdsctl stop
    % httpdsctl startssl
    For Oracle9iAS 1.0.2.x:
    % apachectl stop
    % apachectl startssl
    - when prompted, enter the "pass phrase" created in Step #3.
    -- not required if you unencrypted the private key file
    - when the Oracle HTTP Server starts successfully in SSL mode, access the
    9iAS index page in a browser using the HTTPS protocol and the appropriate
    SSL Listen port. URL format:
    https://myhost.domain.com:<ssl_port>
    - if using a temporary self-signed or TRIAL test certificate, the user will
    see a Security Alert (IE), or New Site Certificate (Netscape) warning message,
    click Continue/Next to accept.
    ====================
    I hope this helps!
    Ilan Salviano
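
Before `SSLCertificateFile` and `SSLCertificateKeyFile` are pointed at the files from the steps above, it is worth confirming that the private key, the CSR and the certificate actually belong together and that the Common Name is the host name clients will use. The script below is an added example, not part of the original answer: it repeats steps 3 and 4 and the self-signed option non-interactively in a temporary directory and then runs those checks. The 2048-bit unencrypted key, the temporary directory, the reliance on the system's default openssl.cnf and the function names are assumptions made here.

```sh
#!/bin/sh
# Added example: throwaway files in a temp directory; "mysite.domain.com" is the
# illustration host name from the steps, everything else is constructed.
set -eu

# SHA-256 of the public key held in a private key, CSR or certificate.
pubkey_fp() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # An unreadable or unparsable file must not hash to a "matching" empty value.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when key, CSR and certificate all carry the same public key.
files_match() {  # $1 = private key, $2 = CSR, $3 = certificate
    k=$(pubkey_fp key "$1")  || return 1
    r=$(pubkey_fp csr "$2")  || return 1
    c=$(pubkey_fp cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# First CN of the certificate subject (does not handle escaped commas in names).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# The "chmod 400 priv.key" step: owner read-only, nothing for group or other.
key_is_owner_read_only() {
    case "$(ls -l "$1")" in
        -r--------*) return 0 ;;
        *)           return 1 ;;
    esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
site=mysite.domain.com

# Step 3: private key (unencrypted here so the script needs no pass phrase).
openssl genrsa -out "$work/priv.key" 2048 2>/dev/null
chmod 400 "$work/priv.key"
# Step 4: certificate request with the site name as Common Name.
openssl req -new -key "$work/priv.key" -subj "/CN=$site" -out "$work/certreq.csr"
# Optional step: temporary self-signed certificate valid for 30 days.
openssl x509 -req -days 30 -in "$work/certreq.csr" \
    -signkey "$work/priv.key" -out "$work/tempcert.crt" 2>/dev/null
# A second, unrelated key stands in for a "wrong key file" mistake.
openssl genrsa -out "$work/other.key" 2048 2>/dev/null

if files_match "$work/priv.key" "$work/certreq.csr" "$work/tempcert.crt"; then
    echo "priv.key, certreq.csr and tempcert.crt share one public key"
fi
if ! files_match "$work/other.key" "$work/certreq.csr" "$work/tempcert.crt"; then
    echo "other.key does not belong to this certificate"
fi
echo "certificate CN: $(cert_cn "$work/tempcert.crt") (expected $site)"
if key_is_owner_read_only "$work/priv.key"; then
    echo "priv.key permissions are 400"
fi
```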

  • Re-install of Oracle HTTP Server in a configured environment

    OS: Oracle Enterprise Linux 5.5 64 bit
    Hyperion: v11.1.2.0
    Web Server1: SharedServices, Calc, EAS, APS, Planning installed and configured. They are working from URL and clients.
    We ran into issues with Workspace configuration. If we have to re-install Oracle HTTP server on the web server, will it affect the current configuration adversely? In other words, do we need to start all over again?
    Has anyone else run into similar or related issues? How were you able to resolve it?
    This is related to another thread I have on this forum. It is related but these are different issues and we are trying to see how we can proceed while waiting for support to respond.
    Configuration of Workspace failed
    Any thoughts/ suggestions?
    Thanks,

    The errors I see in the config log are:
    [server1]$ grep Error configtool.log.bak15
    [2010-12-01T16:44:40.106-08:00] [EPMCFG] [ERROR] [EPMCFG-05364] [oracle.EPMCFG] [tid: 19] [ecid: 0000Im^YOPRCOtmMwqIbMG1CxihS00000A,0] [SRC_CLASS: com.hyperion.foundation.config.WebServerConfigurationTaskProcessor] Error in web server configuring:[[
    [2010-12-01T16:51:34.658-08:00] [EPMCFG] [ERROR] [EPMCFG-05364] [oracle.EPMCFG] [tid: 17] [ecid: 0000Im^ZxIYCOtmMwqIbMG1CxinO000008,0] [SRC_CLASS: com.hyperion.foundation.config.WebServerConfigurationTaskProcessor] Error in web server configuring:[[
    [server1]$ grep ERROR configtool.log.bak15
    [2010-12-01T16:44:25.648-08:00] [EPMCFG] [ERROR] [EPMCFG-02151] [oracle.EPMCFG] [tid: 19] [ecid: 0000Im^YOPRCOtmMwqIbMG1CxihS00000A,0] [SRC_CLASS: com.hyperion.hit.fusion.FusionComponent] oracleComponent is null. Component will not be provisioned.
    [2010-12-01T16:44:40.106-08:00] [EPMCFG] [ERROR] [EPMCFG-07236] [oracle.EPMCFG] [tid: 19] [ecid: 0000Im^YOPRCOtmMwqIbMG1CxihS00000A,0] [SRC_CLASS: com.hyperion.cis.config.ant.apache2.OHS2Configurator] /apps/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/httpd.conf wasnt found. OHS wasnt configured successfully, see oraInventory logs for more details"
    [2010-12-01T16:44:40.106-08:00] [EPMCFG] [ERROR] [EPMCFG-05364] [oracle.EPMCFG] [tid: 19] [ecid: 0000Im^YOPRCOtmMwqIbMG1CxihS00000A,0] [SRC_CLASS: com.hyperion.foundation.config.WebServerConfigurationTaskProcessor] Error in web server configuring:[[
    [2010-12-01T16:51:18.900-08:00] [EPMCFG] [ERROR] [EPMCFG-02151] [oracle.EPMCFG] [tid: 17] [ecid: 0000Im^ZxIYCOtmMwqIbMG1CxinO000008,0] [SRC_CLASS: com.hyperion.hit.fusion.FusionComponent] oracleComponent is null. Component will not be provisioned.
    [2010-12-01T16:51:34.658-08:00] [EPMCFG] [ERROR] [EPMCFG-07236] [oracle.EPMCFG] [tid: 17] [ecid: 0000Im^ZxIYCOtmMwqIbMG1CxinO000008,0] [SRC_CLASS: com.hyperion.cis.config.ant.apache2.OHS2Configurator] /apps/Oracle/Middleware/user_projects/epmsystem1/httpConfig/ohs/config/OHS/ohs_component/httpd.conf wasnt found. OHS wasnt configured successfully, see oraInventory logs for more details"
    [2010-12-01T16:51:34.658-08:00] [EPMCFG] [ERROR] [EPMCFG-05364] [oracle.EPMCFG] [tid: 17] [ecid: 0000Im^ZxIYCOtmMwqIbMG1CxinO000008,0] [SRC_CLASS: com.hyperion.foundation.config.WebServerConfigurationTaskProcessor] Error in web server configuring:[[

  • How to call webservice through Oracle HTTP Server

    I have a cluster of three Managed Servers. They are behind an Oracle HTTP Server. I deployed a web service to the cluster. When calling the web service, I got an error. The error is that the client of the web service cannot directly access the Managed Servers.
    The error says that it cannot access http://webapp01:7003/webservice/HelloWorld?WSDL
    where webapp01 is the host name of a managed server.
    Is there a way for the web service to return the result to the HTTP Server, and for the HTTP Server to return it to the web service client?

    1. Before you invoke the WebServices from client program, I guess you may have already generated the webservices client jar for the WSDL that is deployed using sun jdk "wsimport" command or bea's clientgen ant task. At this time, what is the wsdl url you gave. In the generated client jar file you should see .JAVA files also. Check the Service related .java file and check the WSDL URL in that file. If it is using weblogic servers managed server host and port, then the problem you see is obvious.
    2. To fix this, you re-generate the webservices client jar file again this time giving the http server host and port instead of weblogic host and port. I am hoping you already modified httpd.conf file to accept the webservice url pattern. Check the .JAVA file generated for service to see the WSDL URL that is having inside.
    3. Another approach is on your client side, before you invoke any operation on WebService, you will be first getting Service object, then Port object and invoke methods on Port object. When you get Service Object, you can pass the WSDL URL as one parameter and ServiceName (QName) as second parameter. Most of time we use default constructor without any parameters to get Service object. But you can use other constructor and pass 2 parameters. The WSDL URL will have HttpServers host and port, and rest of the url for wsdl will be the same.
    In our env, we have a similar requirement. SOAP BPEL Process WebServices are deployed on WLS 10.3.1 on a Cluster with 2 ManagedServers. We have an Apache Proxy in front of this Cluster. All our WSDL requests go to the Apache host and port + wsdl url. This in turn goes to one of the managed servers at a time in round-robin. This is working. In httpd.conf we gave "MatchExpression / " so that any request from Apache will go to the cluster.
    HTH
    Ravi Jegga

  • Slow performance with oracle http server connecting weblogic

    I have a performance issue while using Oracle HTTP server as a proxy with weblogic server. It takes 10-15 seconds to pass the requests.
    I also received an error related to SSL in my error logs, even though I haven't configured SSL.
    Please find the error received in the OHS error logs:
    nzos handshake error, nzos_Handshake returned 28862
    NZ Library Error: SSL IO error [Hint: the client stop the connection unexpectedly]
    And please find a request information from the access log files.
    Fri May 28 09:24:48 2010 <5944127503148828> getPooledConn: No more connections in the pool for Host[114.57.162.39] Port[6499] SecurePort[6499]
    Fri May 28 09:24:48 2010 <5944127503148828> general list: trying connect to '114.57.162.39'/6499/6499 at line 3082 for '/fed/user/authnoam?refid=id-ixGFItkxw4Nt4l3wlz4W9sWR-ao-'
    Fri May 28 09:25:00 2010 <5944127503148828> SSL is not configured for this connection
    Fri May 28 09:25:00 2010 <5944127503148828> Local Port of the socket is 4472
    It is visible that while it is doing "general list trying to connect to" it takes a long time.
    Any pointers are highly appreciated.

    Shannon,
    The OHS + Weblogic installation, just means you will have an admin server, with Enterprise Manager that can manage your OHS instances. That being said:
    1 - You don't have to extend any domain, since the only thing OHS will need is an Admin Server with Enterprise Manager.
    2 - I (myself, I don't speak for Oracle here) have a personal preference of having stand alone OHS. If you don't know how to work with httpd.conf and mod_wl.conf, I would suggest installing a separate domain only for it, that way you can keep the weblogic turned off, and turn it on only when you need to edit any configuration.
    Thanks

  • Error starting up ApEx's Oracle HTTP server

    Hello.
    I have just configured a brand new Oracle HTTP server on a brand new ApEx database. When I try to start the server, it doesn't start and I see errors in the log files.
    dads.conf in Apache/modplsql/conf directory:
    Alias /i/ "/u01/app/oracle/product/10.2.0/http/Apache/images/"
    AddType text/xml xbl
    AddType text/x-component htc
    <Location /pls/apex>
    Order deny,allow
    PlsqlDocumentPath docs
    AllowOverride None
    PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
    PlsqlDatabaseConnectString zemple:1521:orp244a.<my domain here>.com ServiceNameFormat
    PlsqlNLSLanguage AMERICAN_AMERICA.WE8ISO8859P1
    PlsqlAuthenticationMode Basic
    SetHandler pls_handler
    PlsqlDocumentTablename wwv_flow_file_objects$
    PlsqlDatabaseUsername APEX_PUBLIC_USER
    PlsqlDefaultPage apex
    PlsqlDatabasePassword <my password here>
    PlsqlRequestValidationFunction wwv_flow_epg_include_modules.authorize
    Allow from all
    </Location>
    orp244a is a 10.2.0.4 database into which ApEx has been installed per the install guide with no errors. The Oracle HTTP server is 10.2.0.1. Both run on Zemple. I have substituted the domain name and the password for APEX_PUBLIC_USER account with <my domain here> and <my password here>, respectively, for security reasons.
    When I check http://zemple.<my domain here>:7777, I get the standard Oracle HTTP Server page. But when I check http://zemple.<my domain here>:7777/pls/apex I get the "Page cannot be found" error.
    error_log in Apache/logs directory:
    [Mon Mar 16 14:50:59 2009] [notice] Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server configured -- resuming normal operations
    [Mon Mar 16 14:50:59 2009] [notice] Accept mutex: fcntl (Default: fcntl)
    [Mon Mar 16 14:51:07 2009] [error] [client 10.222.137.7] [ecid: 1237233067:10.220.17.126:21396:0:2,0] File does not exist: /u01/app/oracle/product/10.2.0/http
    /Apache/Apache/htdocs/pls
    [Mon Mar 16 14:51:55 2009] [error] [client 10.222.137.7] [ecid: 1237233115:10.220.17.126:21399:0:2,0] mod_plsql: /pls/apex/apex HTTP-404 ORA-06502: PL/SQL: nu
    meric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
    [Mon Mar 16 14:51:59 2009] [error] [client 10.222.137.7] [ecid: 1237233119:10.220.17.126:21399:0:4,0] mod_plsql: /pls/apex/apex HTTP-404 ORA-06502: PL/SQL: nu
    meric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
    Any idea what my problem might be?
    Thank You
    Boris

    The modplsql/logs directory is completely empty.
    The stop and start of the http server is clean - no errors reported.
    The main log in Apache/Apache/logs directory is not big, since it is a brand new install of the http server. Here is the complete log:
    [Mon Mar 16 13:45:38 2009] [notice] FastCGI: process manager initialized (pid 7879)
    [Mon Mar 16 13:45:39 2009] [notice] Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server configured -- resuming normal operations
    [Mon Mar 16 13:45:39 2009] [notice] Accept mutex: fcntl (Default: fcntl)
    [Mon Mar 16 14:45:06 2009] [notice] FastCGI: process manager initialized (pid 18854)
    [Mon Mar 16 14:45:07 2009] [notice] Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server configured -- resuming normal operations
    [Mon Mar 16 14:45:07 2009] [notice] Accept mutex: fcntl (Default: fcntl)
    [Mon Mar 16 14:45:56 2009] [error] [client 10.222.137.7] [ecid: 1237232756:10.220.17.126:18862:0:1,0] mod_plsql: /pls/apex/apex_admin HTTP-404 ORA-06502: PL/S
    QL: numeric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
    [Mon Mar 16 14:46:32 2009] [error] [client 10.222.137.7] [ecid: 1237232792:10.220.17.126:18866:0:1,0] File does not exist: /u01/app/oracle/product/10.2.0/http
    /Apache/Apache/htdocs/pls/
    [Mon Mar 16 14:46:38 2009] [error] [client 10.222.137.7] [ecid: 1237232798:10.220.17.126:18860:0:2,0] File does not exist: /u01/app/oracle/product/10.2.0/http
    /Apache/Apache/htdocs/pls/
    [Mon Mar 16 14:46:45 2009] [error] [client 10.222.137.7] [ecid: 1237232805:10.220.17.126:18866:0:2,0] File does not exist: /u01/app/oracle/product/10.2.0/http
    /Apache/Apache/htdocs/pls/
    [Mon Mar 16 14:50:58 2009] [notice] FastCGI: process manager initialized (pid 21392)
    [Mon Mar 16 14:50:59 2009] [notice] Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server configured -- resuming normal operations
    [Mon Mar 16 14:50:59 2009] [notice] Accept mutex: fcntl (Default: fcntl)
    [Mon Mar 16 14:51:07 2009] [error] [client 10.222.137.7] [ecid: 1237233067:10.220.17.126:21396:0:2,0] File does not exist: /u01/app/oracle/product/10.2.0/http
    /Apache/Apache/htdocs/pls
    [Mon Mar 16 14:51:55 2009] [error] [client 10.222.137.7] [ecid: 1237233115:10.220.17.126:21399:0:2,0] mod_plsql: /pls/apex/apex HTTP-404 ORA-06502: PL/SQL: nu
    meric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
    [Mon Mar 16 14:51:59 2009] [error] [client 10.222.137.7] [ecid: 1237233119:10.220.17.126:21399:0:4,0] mod_plsql: /pls/apex/apex HTTP-404 ORA-06502: PL/SQL: nu
    meric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
    [Mon Mar 16 15:01:46 2009] [error] [client 10.222.137.7] [ecid: 1237233706:10.220.17.126:21399:0:9,0] File does not exist: /u01/app/oracle/product/10.2.0/http
    /Apache/Apache/htdocs/pls/htmldb
    [Mon Mar 16 15:01:53 2009] [error] [client 10.222.137.7] [ecid: 1237233713:10.220.17.126:21399:0:11,0] mod_plsql: /pls/apex/apex HTTP-404 ORA-06502: PL/SQL: n
    umeric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
    Thank You
    Boris

  • New Oracle HTTP server install unable to host remote HTMLDB.

    Hi all.
    I installed the Oracle HTTP Server from the Oracle 10G Release 1 companion CD on a Mac Powerbook running the Tiger OS. I have a CentOS Linux server on my network with Oracle 10G R2 database running that I've installed HTMLDB 2.0 on. I can not seem to get the HTTP server to serve up a front end to my HTMLDB. I can connect and log into the Oracle Database from the MAC using SQLPlus using the HTMLDB_PUBLIC_USER account and password.
    Here is my dads.conf file:
    Alias /i/ "/oracle/product/10.1.0/db_1/Apache/Apache/images/"
    <Location /pls/htmldb>
    SetHandler pls_handler
    Order deny,allow
    Allow from all
    AllowOverride None
    PlsqlDatabaseUsername HTMLDB_PUBLIC_USER
    PlsqlDatabasePassword HTMLDB
    PlsqlDatabaseConnectString CentOSServ3:1521:htmldb ServiceNameFormat
    PlsqlDefaultPage htmldb
    PlsqlDocumentTablename wwv_flow_file_objects$
    PlsqlDocumentPath docs
    PlsqlDocumentProcedure wwv_flow_file_manager.process_download
    PlsqlAuthenticationMode Basic
    PlsqlNLSLanguage AMERICAN_AMERICA.WE8MSWIN1252
    </Location>
    AddType text/xml xbl
    AddType text/x-component htc
    Here are the errors I'm seeing in the error log:
    [Wed Jan 10 12:58:47 2007] [notice] FastCGI: process manager initialized (pid 246)
    [Wed Jan 10 12:58:48 2007] [emerg] mod_onsint can't initialize ons runtime.
    [Wed Jan 10 12:58:48 2007] [notice] Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server configured -- resuming normal operations
    [Wed Jan 10 12:58:48 2007] [notice] Accept mutex: flock (Default: flock)
    [Wed Jan 10 12:58:58 2007] [error] [client 127.0.0.1] [ecid: 1168451937:192.168.2.121:249:0:12,0] mod_plsql: /pls/htmldb/htmldb HTTP-503 ORA-12514
    It keeps giving me the error for the Language, but I've changed the PlsqlNLSLanguage several times to other posted values I've found in other postings and I still get that error.
    Has anyone else worked through this or may have an idea how I can get this working?
    Thanks,
    Mike

    Also, here is the error I get when browsing to : http://localhost:7780/pls/htmldb/htmldb from the HTTP server.
    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server Server at 192.168.3.1 Port 7780
    Thanks,
    Mike

  • How to get standalone Oracle HTTP Server with mod_plsql?

    Hi,
    I do not know if it is just me but it seems to be a nightmare to get OHS with mod_plsql from the official OTN download site. I downloaded the companion CD for Windows - 3 disks, installed OHS - no mod_plsql. Then I tried to find any clue on OTN on how to download mod_plsql - none. Plenty of information on how to configure it and use it, but nothing on how to get it.
    PLSQL gateways is not an option for us because many of our clients do not allow direct communication between the database and the Internet.
    Windows 2003 Server R2
    Apex 3.2.1
    RDBMS 10.2.0.4
    Any help appreciated,
    WK
    PS.
    I would not like to download the software from unofficial sites but rather get it straight from Oracle.

    Hi,
    For those interested: I found Oracle HTTP Server with mod_plsql on OTN -> downloads -> middleware -> WebCenter suite.
    WK

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I've been stuck with this problem for 3 weeks now.
    I'm not able to configure the EAP-TLS authentication.
    In the "Certificate Store" of the ISE server I have installed the Root, policy and the Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issuing for the same issuing authority which signs the client ones.
    The ISE's certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates and also the certificate chain.
    When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don't know what else I can do.
    Thank you
    Jorge

    Hi Rik,
    Below are the certificate details:
    ISE Certificate Signed by XX-CA-PROC-06
    User PKI Signed by XX-CA-OTHER-08
    In ISE certificate Store i have the below certificates
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled - 'Trust for client authentication' on all three certificates
    this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
    when i check the certificates of current user in the Client PC this is how it shows.
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

  • The verification of the server's certificate chain failed

    Hi All,
    Not sure this is the right forum for this but never mind.
    I am trying to get abap2GApps working and am having problems with the client certificates.
    I am getting the below error in ICM :-
    [Thr 06] Mon Jul 30 09:34:47 2012
    [Thr 06] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 06]    session uses PSE file "/usr/sap/BWD/DVEBMGS58/sec/SAPSSLC.pse"
    [Thr 06] SecudeSSL_SessionStart: SSL_connect() failed
      secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 06] >>            Begin of Secude-SSL Errorstack            >>
    [Thr 06] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Equifax Secure Certificate Authority, O=E
    ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete
    [Thr 06] <<            End of Secude-SSL Errorstack
    [Thr 06]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 06]   SSL NI-sock: local=172.30.7.170:59036  peer=172.30.8.100:80
    [Thr 06] <<- ERROR: SapSSLSessionStart(sssl_hdl=60000000053910f0)==SSSLERR_SSL_CONNECT
    [Thr 06] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT {000726d5} [icxxconn_mt.c 2031]
    Having already got the accounts.google.com SSL certificate chain installed and working I can't get the docs.google.com SSL chain working.
    For accounts.google.com they use (this set works) :-
    1) CN=accounts.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Thawte SGC CA, O=Thawte Consulting (Pty) Ltd., C=ZA
    3) OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
    For docs.google.com they use a different set of SSL certs. :-
    1) CN=*.google.com, O=Google Inc, L=Mountain View, SP=California, C=US
    2) CN=Google Internet Authority, O=Google Inc, C=US
    3) OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    Can anyone explain what I am doing wrong or how to correct this?
    Thanks
    Craig

    Further UPDATE
    After removing every certificate related to docs.google.com I still get the same error!
    I have even tried downloading the root certificate directly from GeoTrust themselves and yet I still get the same error.
    I have even resorted to running SAP program ZSSF_TEST_PSE from note 800240 to check the PSE and all is well!
    Referring to SAP Note 1318906 suggests I am missing a certificate in the chain but I am not!
    "Situation: The ICM is in the client role and the following entry is displayed in the trace:
    ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    Reason:You try to set up a secure connection to a server, but the validity of the certificate cannot be verified because the required certificates are not available.
    Solution:The missing certificates are listed in the trace file. You must use transaction STRUST to insert these certificates in the Personal Security Environment (PSE) that is used for the connection. The certificates are usually made available to you by the server administrator. If the certificates are public Certification Authority (CA) certificates, you can also request the certificates there."
    What could possibly be causing this?
    Please help!
    Craig

  • I configure the JServ, but Oracle HTTP Server doesn't work again

    My Oracle HTTP Server doesn't work after I've configured the JServ by Oracle Enterprise Manager.
    When I run the following command:
    D:\oraias\dcm\bin>dcmctl getstate -v
    and Error message : "ADMN-100999 Base Exception:
    java.lang.ClassCastException:java.lang.Boolean" has shown.
    and when I navigate to the Enterprise Manager web site, this error message is shown:
    "Your browser or operating system is not a supported client configuration for this version of Enterprise Manager. Using Enterprise Manager with your current client configuration may result in incorrect display of data or incorrect updates to configuration settings. See the release notes for information on supported client configurations. Root Cause: java.lang.Boolean. java.lang.Boolean"
    What can I do? Please help me.
    THX

    The key message -
    mod_plsql: /pls/htmldb/htmldb_login HTTP-503 ORA-12541
    Looking up that error gives -
    [[email protected] ~]$ oerr ora 12541
    12541, 00000, "TNS:no listener"
    // *Cause: The connection request could not be completed because the listener
    // is not running.
    // *Action: Ensure that the supplied destination address matches one of
    // the addresses used by the listener - compare the TNSNAMES.ORA entry with
    // the appropriate LISTENER.ORA file (or TNSNAV.ORA if the connection is to
    // go by way of an Interchange). Start the listener on the remote machine.
    So it looks like the listener isn't running for your database to me (i.e. "lsnrctl start")
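
    The triage step in the reply above (find the mod_plsql record, read its HTTP status and ORA code) applied to error_log text, as an added example that is not part of any post on this page. It rejoins records that were hard-wrapped the way the quoted logs are; the function names are hypothetical and the sample input is assembled from log lines quoted in the posts above.

```python
import re
from collections import Counter

# Sample input assembled from log lines quoted in the posts on this page,
# including the mid-record hard wraps. In a raw string "\n" stays a literal
# backslash-n, which is how mod_plsql writes the ORA stack into error_log.
SAMPLE_LOG = r'''[Mon Mar 16 14:50:59 2009] [notice] Accept mutex: fcntl (Default: fcntl)
[Mon Mar 16 14:51:07 2009] [error] [client 10.222.137.7] [ecid: 1237233067:10.220.17.126:21396:0:2,0] File does not exist: /u01/app/oracle/product/10.2.0/http
/Apache/Apache/htdocs/pls
[Mon Mar 16 14:51:55 2009] [error] [client 10.222.137.7] [ecid: 1237233115:10.220.17.126:21399:0:2,0] mod_plsql: /pls/apex/apex HTTP-404 ORA-06502: PL/SQL: nu
meric or value error\nORA-06512: at "SYS.OWA_MATCH", line 41\nORA-06512: at line 18\n
[Wed Jan 10 12:58:58 2007] [error] [client 127.0.0.1] [ecid: 1168451937:192.168.2.121:249:0:12,0] mod_plsql: /pls/htmldb/htmldb HTTP-503 ORA-12514
'''

# A record starts with "[Day Mon DD HH:MM:SS YYYY] [level]".
RECORD_START = re.compile(r'^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]')
MOD_PLSQL = re.compile(r'mod_plsql: (\S+) HTTP-(\d{3}) (ORA-\d{5})')
ORA_CODE = re.compile(r'ORA-\d{5}')


def unwrap(text):
    """Rejoin physical lines into records: a line that does not start with
    a timestamp is the wrapped tail of the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # wraps fall mid-word, so join with no space
    return records


def plsql_failures(text):
    """One dict per mod_plsql error record: DAD path, HTTP status,
    leading ORA code and the full ORA stack in order."""
    failures = []
    for record in unwrap(text):
        match = MOD_PLSQL.search(record)
        if match:
            failures.append({
                "path": match.group(1),
                "status": int(match.group(2)),
                "ora": match.group(3),
                "stack": ORA_CODE.findall(record),
            })
    return failures


def summarize(text):
    """Count failures by (HTTP status, leading ORA code) to show which
    error dominates a log before looking it up with oerr."""
    return Counter((f["status"], f["ora"]) for f in plsql_failures(text))


if __name__ == "__main__":
    for (status, ora), count in summarize(SAMPLE_LOG).items():
        print(f"HTTP-{status} {ora}: {count}")
```

    The leading ORA code of each record is the one to pass to oerr, as the reply does for 12541.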

  • ISQLPlus and Oracle HTTP Server

    After I reinstalled Oracle 9i on Windows XP, I now get a a FastCGI server error whenever I attempt to launch Oracle HTTP Server: "Redefinition of previously defined FastCGI Server". How do I correct this? I uninstalled the database prior to reinstalling. Question 2: I also installed Oracle 9i on Windows 98 and Oracle HTTP Server appears NOT to be part of the install so I don't know how to make iSQLPlus work. Any ideas on either of these? I would prefer to work on Windows XP.

    In answer to your first question, it may be answered in this SQL*Plus FAQ entry:
    http://otn.oracle.com/support/tech/sql_plus/htdocs/runtime.html#isql_duplicate_entries
    In answer to your second question, I don't think iSQL*Plus is part of the Windows 98 install. I don't think you even have a database, just the Oracle Client.
    Alison

  • Upgrade Oracle http server for last servlet function

    Hi
    Currently I use Oracle HTTP Server with servlets.
    It seems that my version with the jsdk.jar file doesn't support the EncodeUrl function and the web.xml file.
    How can I upgrade my server?
    I have tried to replace the jsdk.jar file with the servlet22.jar file but without results!
    Where can I find more information?
    Thanks
    Philippe

    Hi all
    That's right, the OHS was installed with the Fusion Middleware Web Utilities installation and is working fine!
    The Apex application is online without problems.
    Now, my challenge is to implement the security certificate (SSL) on OHS.
    I've read many things but I'm a little confused and looking for specific documentation to do that.
    The certificate was generated and I got the specific files ( .cer / .crt / .key ) but the problem is how to configure it.
    Is it necessary to install another software?
    Must Wallet Manager be used, or do I just configure some files like ssl.conf?
    Thanks in advance for any help.
    Angelo
