Install SSL certificate for Oracle HTTP server
I received a PFX file that contains an SSL wildcard certificate for our company *.xyz.com.
I used this tool "xca" to extract two files: "server.crt" and "serverkey.pem".
I want to install this on the Oracle 11g HTTP Server (OHS), installed as standalone and based on Apache 2.2.
With Oracle, I have to create a wallet and point the SSL.CONF wallet directive to use that wallet.
I used Oracle Wallet Manager to create it and import the certificate, but this is where I am having problems.
First I could not restart the web server, but then it worked, but I got SSL handshake errors (shown below).
According to Oracle's steps, I have to create a CSR and then import the certificate into the wallet:
http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/
However, when I tried to use Oracle Wallet Manager, there were two options: import server certificate and trusted certificate.
The import server certificate option was greyed out. I had to create a CSR just to get it enabled, but I did not use the CSR; I just imported the "server.crt" file.
I also tried to import the "serverkey.pem" into the trusted certificate option, but it was rejected (invalid certificate).
Do you know how to create a successful wallet based on the files I have, without creating a CSR, since I already have a certificate file?
2013-05-04T20:11:40.2718-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.2719-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
[2013-05-04T20:11:40.4774-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
[2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
[2013-05-04T20:11:40.6814-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
[2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
I do not have weblogic installed. I only have standalone 11g HTTP server with mod_plsql.
If I can get OWM working to create a successful certificate, then the problem would be resolved.
I am just not sure what a Root Certificate and a Trustworthy Certificate are and how to get them from the files I have.
Similar Messages
-
How to set -Xss or ulimit for Oracle Http Server
Hi,
We are facing Out of Memory Error in OHS 11g in our cluster environment. Where I can see below statements in http log file:
# There is insufficient memory for the Java Runtime Environment to continue.
# Cannot create GC thread. Out of system resources.
# Possible reasons:
# The system is out of physical RAM or swap space
# In 32 bit mode, the process size limit was hit
# Possible solutions:
# Reduce memory load on the system
# Increase physical memory or swap space
# Check if swap backing store is full
# Use 64 bit Java on a 64 bit OS
# Decrease Java heap size (-Xmx/-Xms)
# Decrease number of Java threads
# Decrease Java thread stack sizes (-Xss)
# Set larger code cache with -XX:ReservedCodeCacheSize=
# This output file may be truncated or incomplete.
# Out of Memory Error (gcTaskThread.cpp:46), pid=17956, tid=140591807985408
When I run the ulimit command on machine, stack size is showing as 10MB:
Result:
[oracle@XXXXXX bin]$ ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 1031958
max locked memory (kbytes, -l) 3500000
max memory size (kbytes, -m) unlimited
open files (-n) 131072
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 131072
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Setting the stack size to 512KB or 256KB might resolve the problem.
I tried setting ulimit -s 512 in my user bash_profile. and ran ulimit -a , then it is showing as
stack size (kbytes, -s) 512
If I set at user level, does it have any impact? Or we should set at JVM level using -Xss
Can somebody tell me where I can set -Xss for Oracle HTTP Server 11g?
Regards,
Vidya
Hi Marco,
I believe you'll need to setup a MX record under 'More Actions' for your domain in Site Settings / Site Domains.
Select the option "Use another external service for email" and enter your primary mail server's hostname at priority 10.
Think you can repeat this step for your secondary mail server (priority 20) if you have one.
Regards
Mike -
Install SSL certificate for OAM 11gR2
Experts, I wanted to know some recommended urls, links etc for configuring and installing SSL certs for OAM 11gR2.
Base install for OAM is working fine and all consoles are ok.
I have found following link from the docs
http://docs.oracle.com/cd/E27559_01/core.1112/e28516/sslconfig.htm#ASADM1800
Please confirm above link would suffice to install and configure SSL.
Any other challenges or issues likely to come up would help, like importing certificates and root certificate etc.
Assuming you're referring to SSL between OAM Server and WebGate, it is documented here: Securing Communication - 11g Release 2 (11.1.2)
Regards,
Colin -
Hi,
We are trying to install SSL certificate (Verisign Class 3) on iPlanet Web Server (version 7). However, at the final step we are getting the error "ADMIN4118: Only one server certificate can be installed at a time"
We are following the below steps,
Under "Server Certificates" tab,
-> Click on "Install" button.
-> On "Select Configuration" click on "Next" button.
-> On "Select Tokens and Passwords", select default token as "internal" and click on "Next" button.
-> On "Enter Certificate Data", select option as "Certificate File" and give path to the certificate file which is having .p7b extension
-> On "Certificate Details" we are getting warning as "Duplicate Server Details Found" and it's by default using the existing certificate's nickname.
-> On "Review" page after clicking "Finish" button, an error is displayed saying "ADMIN4118: Only one certificate server can be installed at a time"
There are multiple sub-domains available and the new certificate we want to install contains one more sub-domain.
So, say currently the subdomains present are,
1.abc.com
2.abc.com
so on...
and now we are trying to install a SSL certificate having one more subdomain say 10.abc.com.
Please let us know if you have solution to this problem.
Thanks,
Rajesh
Hi Rajesh,
That error is most commonly seen when you are trying to install a certificate chain into the Web Server.
The chain should be installed using the "Certificate Authorities" tab per the following steps:
1) Login to the Admin Console.
2) Click Edit Configuration from Common Tasks > Configuration Tasks.
3) Click the Certificates > Certificate Authorities tab from the Configurations page.
4) Click the Install... tab from the Certificate Authorities (CAs) page.
An Install CA Certificate Wizard opens. The wizard guides you through the settings available for installing a Certificate Chain. Select Certificate Chain when prompted for Certificate Type.
You should then see the CA and intermediate certificate(s) listed in the security database.
If you have access to MOS, more details can be found in the MOS KM Note:
Oracle iPlanet Web Server - 'ADMIN4118: Only one server certificate can be installed at a time' When Installing Certificate Chain (Doc ID 1925025.1)
regards
Tracey -
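Added example (not part of the thread or of Tracey's answer): one way to see whether a `.p7b` file is a chain before installing it, by listing every certificate it carries and tagging each as CA or server (leaf) certificate. The helper names `split_p7b` and `make_constructed_bundle` are hypothetical, and the CA, keys and bundle are constructed test data.

```shell
#!/bin/sh
# split_p7b <bundle.p7b> <outdir>
# Writes each certificate in the bundle to <outdir>/cert-N.pem and prints one
# line per certificate: "<file> <CA|LEAF> <subject>".
split_p7b() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    # CAs deliver .p7b files as PEM or DER; try PEM first, then DER.
    if ! openssl pkcs7 -in "$bundle" -print_certs -out "$outdir/all.pem" 2>/dev/null; then
        openssl pkcs7 -inform DER -in "$bundle" -print_certs \
            -out "$outdir/all.pem" || return 1
    fi
    # One output file per PEM block; the subject/issuer text between blocks is skipped.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$outdir/all.pem"
    for f in "$outdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        kind=LEAF
        # A CA certificate carries the Basic Constraints extension with CA:TRUE.
        if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
            kind=CA
        fi
        subj=$(openssl x509 -in "$f" -noout -subject)
        echo "$f $kind $subj"
    done
}

# make_constructed_bundle <dir>
# Builds a throwaway CA, a server certificate for the constructed name
# 10.abc.com, and a PEM .p7b that holds both (constructed sample input).
make_constructed_bundle() {
    d=$1
    mkdir -p "$d" || return 1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=10.abc.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$d/leaf.pem" -certfile "$d/ca.pem" \
        -out "$d/bundle.p7b"
}

# Demo on the constructed bundle: prints one CA line and one LEAF line.
demo_dir=$(mktemp -d)
make_constructed_bundle "$demo_dir" && split_p7b "$demo_dir/bundle.p7b" "$demo_dir/out"
rm -rf "$demo_dir"
```

Files tagged CA are the ones that belong under the Certificate Authorities tab described in the answer above.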
How to create a service for Oracle HTTP Server
Hi,
I hope someone can help me.
I would like to create a service for an Oracle HTTP Server.
We are running APEX 3.2 on an 10.2.0.4 database (not XE).
We have a Windows XP system.
To run APEX on a 10g we need the HTTP Server.
Unfortunately no service was created during the installation of the Oracle HTTP Server.
How can I create a service later, after the installation?
I know that you can create a service with Instrsrv.exe and Srvany.exe, but I don't know whether I can use this in this case.
I need an .exe file for that.
The HTTP-Server has the opmnctl.exe.
But I have to write opmnctl.exe startall when I start or opmnctl.exe stopall when I want to stop it . How can I realize that in a Service?
Thanks for your answer
Jens -
Problem installing SSL certificate for CPS
I work at a medium-sized University, and we have used Contribute 3 with CPS1.11 for well over a year. Recently, however, the Contribute clients began having difficulty logging in to CPS. At first this was intermittent, but is now constant. Adobe support suggested replacing the CPS self-signed SSL certificate with a genuine one, because apparently the self-signed certificate is causing communication delays and timeouts.
I have the certificate, and am trying to use keytool (see http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html) to install it, but it is asking me for a keystore password, which I don't know. Apparently the standard defaults are "changeit" or "passphrase", but neither of these work.
As a test, I created a fresh install of CPS and attempted to list the keys in the keystore, but again was asked for a keystore password and the defaults did not work. Adobe support suggested I ask here. Anybody have any experience installing a certificate for CPS?
Are you sure that the certificate needs to be installed to all users? Can you provide more details about the certificate and its purposes?
-
Problems installing SSL certificates for more than one alias on iMS 5.2
I have a problem getting encryption on IMAP/HTTP/SMTP when they are on the same server. I am only getting one SSL certificate installed by the Netscape console wizard, and therefore only one alias.
Let's say I have 3 aliases to the same server just for scalability: imap.vxu.se, smtp.vxu.se and mail.vxu.se for http (https). Then I can only have one certificate installed at the same time, for example https://mail.vxu.se. And for the others, like (S)IMAP, I get a dialogue that says the hostname is not the same as the one registered in the certificate. How do I solve this? Is there some possibility to install more than ONE certificate, so I can have one certificate for each alias?
Environment: Full 420R, Solaris 8, iMS5.2
Thanks in advance
Although I completely agree with the comments that suggest this is not a great configuration idea, the error you are seeing ("...bean not found...") likely has nothing to do with the configuration - at least not as mentioned. My first guess is that if you are running the same exact form (FMX) as you ran for your first test then there should be no error. The only way such an error would appear is if the proper jar files are not being pulled to the client JRE or if the fmx was not properly generated. Be sure you are including config=webutil in the URL or that you have added the Webutil configuration info to your own named configuration section of formsweb.cfg
Regardless, if this is a Windows machine, the probability of having problems with multiple installations of the same version is high. Consider that the system PATH, CLASSPATH, ORACLE_HOME and various other system variables needed by the server side of the installation will overlap for each installation. This will cause problems. On the client side, attempting to download jars of the same name from the same server, but which are not actually the same files will confuse the JRE. If the JRE detects that a file which it has already cached is coming from the same server (host) then it will not attempt to pull it again. This will be a problem if the jars are not exactly the same in both installations. Making the problem worse is that you may not be able to easily determine from which installation the jars (or any files) were obtained.
So, as a general rule, regardless of whether multiple installations can co-exist, I would not recommend it. This is especially true on a Windows platform. -
Is there a way to change the CSR for install SSL Certificate for CCMADMIN
HI there,
Our customer wants a solution for the https failure on CCMAdmin and CCMUser sites.
For that, I have exported a csr to buy an ssl certificate from verisign.
The problem is the csr includes the fqdn and not just the servername.
But the users just have to type in the servername to reach the server.
Is there a way to export a csr which includes as common name only the server name without changing the domain settings in the cucm?
thanks
Marco
Hi
You can go to the server via SSH, and enter the 'set web-security' command with the alternate-host-name parameter:
Command Syntax
set web-security orgunit orgname locality state country alternate-host-name
Parameters
• orgunit represents the organizational unit.
• orgname represents the organizational name.
• locality represents the organization location.
• state represents the organization state.
• country represents the organization country.
• alternate-host-name (optional) specifies an alternate name for the host when you generate a web-server (Tomcat) certificate.
Note: When you set an alternate-host-name parameter with the set web-security command, self-signed certificates for tomcat will contain the Subject Alternate Name extension with the alternate-host-name specified. CSR for Cisco Unified Communications Manager will contain Subject Alternate Name Extension with the alternate host name included in the CSR.
Typically you would still use an FQDN, but a less specific one (e.g. ccm.company.com)...
Regards
Aaron
-
Problem in applying the 6078836 OS Library Patch for Oracle HTTP Server
Hi ,
While installing Oracle ebusiness suite R12 on a RHEL5 linux box (2.6.32-300.10.1.el5uek):
After running the installation, the post-installation system checks revealed that the HTTP, Virtual Directory, Login Page, Help Page & JSP services were failing. All the errors have the same error code RW-50015. It requires installing an OS library patch for the HTTP server according to Note ID
Oracle Applications Installation and Upgrade Notes Release 12 (12.0.4) for Linux (32-bit) [ID 402310.1]
I am unable to stop the database after stopping the Apps tier services. While trying to log in to sqlplus I am hitting this error. Please advise.
sqlplus: error while loading shared libraries: /oracle/VIS/db/tech_st/11.1.0/lib/libnnz11.so: cannot restore segment prot after reloc: Permission denied
[Oracle@OracleLinuxServer 11.1.0]$ cd
sqlplus / as sysdba
sqlplus: error while loading shared libraries: /oracle/VIS/db/tech_st/11.1.0/lib/libnnz11.so: cannot restore segment prot after reloc: Permission denied
Following is the Output of some commands which may help in understanding the Issue !
[Oracle@OracleLinuxServer ~]$ cd /oracle/VIS/db/tech_st/11.1.0
[Oracle@OracleLinuxServer 11.1.0]$ find / -name libclntsh\* -ls 2>/dev/null
142017047 13416 -rwxr-xr-x 1 applmgr oinstall 13712482 Dec 19 01:27 /oracle/VIS/apps/tech_st/10.1.3/lib/libclntsh.so.10.1
142016603 0 lrwxrwxrwx 1 applmgr oinstall 17 Dec 19 01:27 /oracle/VIS/apps/tech_st/10.1.3/lib/libclntsh.so -> libclntsh.so.10.1
142443526 13400 -rwxr-xr-x 1 applmgr oinstall 13696149 Dec 19 01:28 /oracle/VIS/apps/tech_st/10.1.2/lib/libclntsh.so.10.1
142443190 0 lrwxrwxrwx 1 applmgr oinstall 17 Dec 19 01:28 /oracle/VIS/apps/tech_st/10.1.2/lib/libclntsh.so -> libclntsh.so.10.1
89850399 36348 -rwxrwx--- 1 Oracle oinstall 37174788 Sep 12 2008 /oracle/VIS/db/tech_st/11.1.0/inventory/prereqs/bin/linux/libclntsh.so.11.1
89719502 0 lrwxrwxrwx 1 Oracle oinstall 17 Dec 18 23:33 /oracle/VIS/db/tech_st/11.1.0/lib/libclntsh.so -> libclntsh.so.11.1
89719501 36276 -rwxr-xr-x 1 Oracle oinstall 37100033 Dec 18 23:33 /oracle/VIS/db/tech_st/11.1.0/lib/libclntsh.so.11.1
id
uid=2000(Oracle) gid=2000(oinstall) groups=2000(oinstall) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[Oracle@OracleLinuxServer 11.1.0]$ env|egrep 'ORA|PATH' | sort
LD_LIBRARY_PATH=/oracle/VIS/db/tech_st/11.1.0/lib:/usr/X11R6/lib:/usr/openwin/lib:/oracle/VIS/db/tech_st/11.1.0/lib:/usr/dt/lib:/oracle/VIS/db/tech_st/11.1.0/ctx/lib
LIBPATH=/oracle/VIS/db/tech_st/11.1.0/lib:/usr/X11R6/lib:/usr/openwin/lib:/oracle/VIS/db/tech_st/11.1.0/lib:/usr/dt/lib:/oracle/VIS/db/tech_st/11.1.0/ctx/lib
ORACLE_HOME=/oracle/VIS/db/tech_st/11.1.0
ORACLE_SID=VIS
ORA_NLS10=/oracle/VIS/db/tech_st/11.1.0/nls/data/9idata
ORA_TZFILE=/oracle/VIS/db/tech_st/11.1.0/oracore/zoneinfo/timezlrg.dat
PATH=/oracle/VIS/db/tech_st/11.1.0/perl/bin:/oracle/VIS/db/tech_st/11.1.0/bin:/usr/bin:/usr/sbin:/oracle/VIS/db/tech_st/11.1.0/appsutil/jre/bin:/usr/ccs/bin:/bin:/usr/bin/X11:/usr/local/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/Oracle/bin:.
SHLIB_PATH=/oracle/VIS/db/tech_st/11.1.0/lib:/usr/lib:/oracle/VIS/db/tech_st/11.1.0/ctx/lib
Also I've checked the /oracle/VIS/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch_history.txt
and find that the patch version is the same for every patch. Please suggest..... Thanks!
Following are all the contents of the file:
[Oracle@OracleLinuxServer opatch]$ vi opatch_history.txt
Command : apply -verbose -silent /nfs/bld/d26/PRDXBLD9/apps/apps_st/comn/autobuild/patch/patch/7639602/7639602
Log File : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2009-03-25_23-17-01PM.log
Date & Time : Wed Mar 25 23:18:41 PDT 2009
Oracle Home : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /nfs/bld/d22/AB/autobuild/passwd
Command : apply -verbose -silent /nfs/bld/d26/PRDXBLD9/apps/apps_st/comn/autobuild/patch/patch/7627743/7627743
Log File : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2009-03-25_23-18-41PM.log
Date & Time : Thu Mar 26 01:23:19 PDT 2009
Oracle Home : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0
Command : lsinventory
Log File : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2009-03-26_01-23-19AM.log
Date & Time : Tue Mar 31 03:13:12 PDT 2009
Oracle Home : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /nfs/bld/d22/AB/autobuild/passwd
Command : lsinventory -invPtrLoc /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/oraInst.loc
Log File : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2009-03-31_03-13-12AM.log
Date & Time : Tue Mar 31 03:13:18 PDT 2009
Oracle Home : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /nfs/bld/d22/AB/autobuild/passwd
Command : lsinventory -invPtrLoc /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/oraInst.loc
Log File : /nfs/bld/d26/PRDXBLD9/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2009-03-31_03-13-18AM.log
Date & Time : Wed Dec 19 19:59:52 GMT+05:30 2012
Oracle Home : /oracle/VIS/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /oracle/VIS/db/tech_st/11.1.0/OPatch
Command : lsinventory
Log File : /oracle/VIS/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2012-12-19_19-59-52PM.log
Date & Time : Thu Dec 20 00:03:59 GMT+05:30 2012
Oracle Home : /oracle/VIS/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /home/Oracle/6078836
Command : apply
Log File : /oracle/VIS/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2012-12-20_00-03-59AM.log
Date & Time : Thu Dec 20 01:28:42 GMT+05:30 2012
Oracle Home : /oracle/VIS/db/tech_st/11.1.0
OPatch Ver. : 11.1.0.6.2
Current Dir : /home/Oracle
Command : lsinventory -detail
Log File : /oracle/VIS/db/tech_st/11.1.0/cfgtoollogs/opatch/opatch2012-12-20_01-28-42AM.log -
What do I need for Oracle Http Server with mod_plsql on Linux 64bit?
I am trying to get the OHS onto a linux box but I am not quite sure I am installing the correct thing!!
I currently have a windows box running the 10g Application server but everything seems to have changed since then and there seems to be several different things to do with the Fusion Middleware and stuff. I've tried to find an overview in plain english of what all these things are but all I can find are lots of marketing buzzwords!
All I need is to be able to run the OHS with mod_plsql so I can run my apex application. I'd be grateful if someone could point me in the right direction for what I need to install!
The box it is going on is a CentOS Linux 64bit machine. I've downloaded and installed Oracle WebLogic Server 11g Rel 1 (10.3.3) using the generic installer for the 64 bit java but there seems to be no http server despite it saying there is! Most likely I am doing something wrong but the installer finishes successfully but nothing is running on port 7001.
Do I actually need the WebTier instead? Is that the best solution for running the OHS with mod_plsql? Do I need the WebLogic install as well? Unfortunately I am fairly new to Linux as well which isn't helping!!
thanks for any help
Robert
Well, you have two options:
- Use the OHS from the OFM WebTier Utilities distro. (To use 11.1.1.3 version, you need both the 11.1.1.2 and 11.1.1.3 distros)
- Use the OHS from the DB Companion Disk distro.
WebLogic Server is a Java EE application with an HTTP server included, but not intended to be used as a replacement of OHS/Apache. It doesn't support mod's...
HTH,
--olaf -
Why we need SSL Certificates for configuring App Server in Sharepoint
Hi Support,
We are planning to have a separate server for Apps, while configuring the server its asking for certificate. The main scenario is while configuring server inside the same firewall why we need SSL for configuring.
Could you please let me know the reason why we need SSL for configuring App Server.
Thanks in Advance,
Regards,
Pradeep
Hi Pradeep,
SSL (Secure Sockets Layer) is a transaction security standard that provides encrypted protection between browsers and App Servers. When SSL is enabled for an App Server, browsers communicate with the App Server by means of an HTTPS connection, which is HTTP over an encrypted Secure Sockets Layer. HTTPS connections are widely used by banks and web vendors for secure transactions over the web.
Secure Sockets Layer is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. This is such a scenario. As a prerequisite for configuring Task Synchronization, the computer that is running SharePoint Server must have SSL configured.
Reference:
http://blogs.technet.com/b/speschka/archive/2012/09/03/planning-the-infrastructure-required-for-the-new-app-model-in-sharepoint-2013.aspx
http://corypeters.net/2013/03/ssl-and-sharepoint-2013/
Best Regards,
Eric
Eric Tao
TechNet Community Support -
Installing SSL Certificate for ITS WGate with sapgenpse
Hello.
We have setup Web Dispatcher and ITS WGate on the same host. Dispatcher accepts connections from 443 and ITS accepts connections from 8000.
We have done SSL Settings for Web Dispatcher with sapgenpse successfully.
But as WGate is running on Microsoft IIS Server, we couldn't install the same certificate response to Microsoft IIS. Is there a way to install certificate for ITS Server with sapgenpse tool or IIS Server's tool?
Or should we demand another SSL response from CA generated from Microsoft IIS Server?
Thanks in advance.
Edited by: teknikdanisman on Jan 15, 2010 10:42 AM
I have solved the problem. I have exported the SSL key with sapgenpse in format P12 and imported from IIS.
-
How to install Soap on the (Apache) Oracle HTTP Server
Hi,
Does anyone know how to install SOAP on the Oracle HTTP Server? I downloaded a soap version (it seems that the standard version comes without SOAP) from the xml.apache.org site and followed the installation instructions as far as I could (only Tomcat is described). However, no 'soaping'!!! Maybe I'm overlooking something because I cannot imagine that it should be difficult.
Thanks in advance!
Hans
Hans, the SOAP implementation is part of OC4J. You get it out of the box. Check out how to use the out-of-the-box implementation in the tutorials on Web services with Oracle9i JDeveloper at:
http://otn.oracle.com/tech/webservices/htdocs/series/content.html
These tutorials/samples use the implementation of SOAP/WSDL that Oracle calls J2EE Web Services and this is the long term direction of Oracle's Web services implementation. This implementation is what Oracle will be evolving to Sun's Java Web Services Developer Pack as it finalizes into J2EE 1.4.
If you want to use Oracle/Apache SOAP, this too is included in OC4J but its support is being deprecated in future releases of Oracle9iAS in favour of the J2EE Web Services implementation. To find it, check out the OC4J/soap/webapps/ directory for the soap.ear file (it is in a slightly different spot if you are using the full Oracle9iAS R2 but still within the soap directory structure). Simply add <application name="soap" path="../../../soap/webapps/soap.ear" auto-start="true"/> to your OC4J server.xml and <web-app application="soap" name="soap" root="/soap" /> to your OC4J http-web-site.xml, re-start and away you go.
Finally, just to be sure, SOAP support in Oracle9iAS did not appear until 1.0.2.2.x and higher. If using 1.0.2.1 or less, you are correct, there is no SOAP support.
Mike.
Most folks that try out the J2EE Web Services find it is pretty easy to use so -
Installation of the VeriSign digital certification in Oracle HTTP Server
I am not able to generate the key pair and the CSR in Oracle HTTP Server. If you have any tips, I would be thankful.
Thanks
Leandro
Hi Leandro,
Here are some steps to setup digital certificates into Oracle HTTP Server for Unix.
1. The temporary working directory is /u01/tmp/myssl.
2. The contents of <9iAS_HOME>/Apache/open_ssl/bin have been copied to the
temporary working directory created in Assumption #1.
3. SSL file names are priv.key (private key), certreq.csr (certificate request),
and cert.crt (SSL certificate). The actual SSL certificate file could be
named other than 'cert.crt'.
4. By default, SSL is configured using port 443, which requires ROOT access to
start the web listener.
If you want to change this from the default port, you will need to change
the following two parameters in the httpd.conf file to an unused port number:
Listen 443
<VirtualHost _default_:443>
5. All necessary UNIX environment variables are set correctly for your Oracle
product before implementing these procedures.
6. User must be familiar with UNIX concepts like shell navigation, UNIX
environments, file manipulation/search, file copy/backups, etc.
How to Request and Configure an SSL Certificate for Oracle9i Application Server
Step-by-Step Instructions:
1. Change your present working directory to the temporary working directory, e.g.,
/u01/tmp/myssl. Ensure the contents of <9iAS_HOME>/Apache/open_ssl/bin have
been copied into this temporary working directory.
2. Copy 5 large files, each at least 250KB, into your temporary working directory.
Suggest looking in any /bin directory for large sized binary files. Execute
the following command to generate the random character file:
% openssl md5 * > rand.rnd
3. Execute the following command to generate the private key (priv.key):
% openssl genrsa -rand rand.rnd -des3 1024 > priv.key
- when prompted, enter a "PEM pass phrase" password
- re-enter password when prompted to verify password
-- remember the pass phrase password you entered
- this command generates the priv.key file and associated pass phrase
- set permissions on the priv.key file to prevent unauthorized editing
% chmod 400 priv.key
- backup the priv.key file to a secure location
NOTE
The PEM pass phrase must be at least 4 characters in length. Remember this
pass phrase, you will be prompted to enter it in the next step and each
time you start up the Oracle HTTP Server (OHS) in SSL mode.
Optionally, you can unencrypt the value of the private key, so that you
will not be prompted for the PEM pass phrase every time you start up OHS
in SSL mode.
To unencrypt the private key, execute the following two commands (Note:
ensure file permissions set to r+w):
% cp priv.key priv.key.bak
% openssl rsa -in priv.key.bak -out priv.key
- the demo certificate shipped with Oracle9iAS does not require a pass
phrase to start OHS in SSL mode.
- on UNIX, to generate the certificate request and start OHS in SSL mode,
the pass phrase must be entered, unless you executed the above steps
to unencrypt.
- on Windows NT/2000, if a certificate is used that has a pass phrase,
the OHS will hang; therefore, on Windows NT/2000, you must execute
the steps to unencrypt.
4. Execute the following command to generate an SSL certificate request
(certreq.csr) based on your private key.
% openssl req -new -key priv.key -out certreq.csr -config openssl.cnf
- when prompted, enter the "PEM pass phrase" set when the private key
was created.
- when prompted, enter the requested fields that make up the
Distinguished Name.
-- each entry must be valid information, i.e., email, state, location, etc.
- when prompted for the "Common Name", you MUST enter the fully
qualified name which will be accessed via client browsers; e.g.,
if clients will use:
https://mysite.domain.com
-- then, you must enter mysite.domain.com as the "Common Name"
- the requested 'extra' attributes, i.e., "challenge password" and
"optional company name", are OPTIONAL; just hit ENTER to use NULL values.
5. You should now have the private key and certificate request files (priv.key
and certreq.csr) in your temporary working directory.
NOTE
At this point, you can use your certificate request file 'certreq.csr' to
order a valid SSL certificate from any CA-vendor, e.g., Verisign.
After you receive your SSL certificate, skip to Step #6 for instructions
on how to deploy your SSL files.
OPTIONAL
You can start 9iAS in SSL mode (see Step #12) and test the pre-installed demo
certificate and private key included for testing purposes.
It is a good idea to test to be sure the Oracle HTTP Server SSL mode works
successfully before deploying your new SSL certificate. To try these demo
files, access the 9iAS index page in a browser using the HTTPS protocol and
the appropriate SSL Listen port. URL format:
https://myhost.domain.com:<ssl_port>
The user will see a Security Alert (IE), or New Site Certificate (Netscape)
warning message, click Continue/Next to accept.
OPTIONAL
To create a self-signed certificate, execute the following commands:
(csh) % setenv RANDFILE rand.rnd
<sh or ksh> % export RANDFILE=rand.rnd
% openssl x509 -req -days 30 -in certreq.csr -signkey priv.key > tempcert.crt
- when prompted, enter the "PEM pass phrase" set when the private key was created.
- this command generates a temporary self-signed certificate file 'tempcert.crt'
valid for 30 days, which can be used while awaiting a valid SSL certificate
purchased from an authorized CA-vendor.
- if this option is used, after generating the 'tempcert.crt' file, skip to
Step #6 for instructions on how to deploy your SSL files.
OPTIONAL
These steps are specifically for requesting a TRIAL certificate from the
CA-vendor Verisign.
- Go to www.verisign.com and click on "Free Guides and Trials" link and
follow instructions to request a "Free Trial SSL ID". During this process,
you will be asked to provide certificate request information.
- Open the 'certreq.csr' file using your text editor of choice.
- Starting with "-----BEGIN NEW CERTIFICATE REQUEST-----" copy all lines
including the BEGIN and END of certificate lines.
- Paste this copied data into the Verisign page where requested and continue.
- You will see the Verisign web site decode your certificate request
information. This decoded information is presented to you to verify it is
correct. If it is, then continue with the process.
- You will be presented with another set of questions from Verisign. Be sure
to answer with the correct email address, as this address will be used to
send your SSL certificate.
- After you answer all these questions, you will be sent a TRIAL 14-day
SSL certificate via email.
- WARNING! You must follow this step carefully, you cannot copy and paste
information from an email to a new text file. After you get your TRIAL
certificate, save the entire email message to a text file. Open this file
using your text editor of choice. You will see the email address header
information and the line:
-----BEGIN CERTIFICATE-----
- Delete all text that appears before the -----BEGIN CERTIFICATE----- line.
The modified file should contain only certificate information. After you
delete the email header, save this text file inside your temporary directory
with the filename 'trialcert.crt'.
6. Now you are ready to configure Oracle9i Application Server (9iAS) with your
SSL certificate files.
7. Back up your existing <9iAS_HOME>/Apache/Apache/conf/httpd.conf file.
8. Open the httpd.conf file with your text editor of choice.
9. Edit the following httpd.conf directives to use your generated private key
and SSL certificate file, which could be the filename for either the
temporary self-signed certificate, the TRIAL test certificate, or the
purchased valid certificate. The information following the # symbol are
comments.
NOTE
The directory of the SSL files (private key and certificate file)
can reside in any location you choose. The temporary working
directory will continue to be referenced in these procedure steps.
# use the appropriate (i.e., valid, temporary, or trial) certificate filename
SSLCertificateFile /u01/tmp/myssl/tempcert.crt
#private key from Step #4 above:
SSLCertificateKeyFile /u01/tmp/myssl/priv.key
10. Save your modified httpd.conf and exit the text editor.
11. Log in as authorized user (if default ports 80 and 443 are used, ROOT user
must execute commands in next step).
12. Execute the following command to stop, then start Apache in SSL mode
(ensure proper UNIX environments are set; else, execute command from
<9iAS_HOME>/Apache/Apache/bin.)
For Oracle8iAS 1.x:
% httpdsctl stop
% httpdsctl startssl
For Oracle9iAS 1.0.2.x:
% apachectl stop
% apachectl startssl
- when prompted, enter the "pass phrase" created in Step #3.
-- not required if you unencrypted the private key file
- when the Oracle HTTP Server starts successfully in SSL mode, access the
9iAS index page in a browser using the HTTPS protocol and the appropriate
SSL Listen port. URL format:
https://myhost.domain.com:<ssl_port>
- if using a temporary self-signed or TRIAL test certificate, the user will
see a Security Alert (IE), or New Site Certificate (Netscape) warning message,
click Continue/Next to accept.
====================
I hope this helps!!
Ilan Salviano -
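The note above removes the pass phrase from priv.key and then points SSLCertificateKeyFile and SSLCertificateFile at the key and certificate. As an added example (not part of the quoted note or of the reply), this script checks before a restart that an unencrypted key is not accessible to group or other and that the certificate was actually issued for that key. The function names are hypothetical and the sample files are constructed with throwaway keys.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the note.

# True if the PEM key is still pass-phrase protected (matches the traditional
# "Proc-Type: 4,ENCRYPTED" header and PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# True if group and other have no permission bits on the file.
key_perms_ok() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# True if the RSA modulus of the key equals the modulus in the certificate.
# "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check the pair named in SSLCertificateKeyFile / SSLCertificateFile.
preflight() {
    rc=0
    if key_is_encrypted "$1"; then
        echo "NOTE: $1 is pass-phrase protected; startssl will prompt"
        return 0
    fi
    key_perms_ok "$1" || { echo "FAIL: $1 is accessible to group/other"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    return $rc
}

# Constructed sample data: a throwaway key, CSR and 30-day self-signed
# certificate made with the note's commands, plus an unrelated key.
make_samples() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/priv.key" 2048 >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$d/priv.key" -subj "/CN=mysite.domain.com" \
        -out "$d/certreq.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$d/certreq.csr" -signkey "$d/priv.key" \
        -out "$d/tempcert.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$d/priv.key" "$d/other.key"
    echo "$d"
}

# Usage: sh preflight.sh /u01/tmp/myssl/priv.key /u01/tmp/myssl/tempcert.crt
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```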
Mod_osso behavior differences with 10gR3 Oracle HTTP Server 2
We have an install of standalone 10gR3 Oracle HTTP Server 2 (i.e. the Apache 2 version), and have noticed that the behavior of mod_osso is different than the regular 10gR3 Oracle HTTP Server (i.e. the Apache 1 version).
We use the following in our mod_osso.conf:
<Location /somepath>
AuthType Basic
require valid-user
</Location>
First Difference: With OHS 2, when we go to /somepath, we get the error "missing AuthName" in the Apache logs.
So, we set an AuthName. Now, our mod_osso.conf looks like this:
<Location /OnDemand>
AuthType Basic
AuthName "Oracle Single Sign On"
require valid-user
</Location>
Second Difference: Now, when we go to /somepath, Apache returns a 401, which causes the browser to prompt for credentials! We can enter anything we want in the dialog, and everything will continue as normal (i.e. redirects to the Oracle SSO Server to prompt for credentials, etc).
So, our question is: Why these behavior differences in 10gR3 OHS 2? It almost seems as if it's using an old 9i mod_osso!
Thanks,
- Bill
Okay, we figured it out.
Apparently, the three "LoadModule mod_auth*" lines in OHS 2 httpd.conf need to be commented out.
Now mod_osso is working exactly as with OHS 1.
- Bill