Configure Server/Client Side SSL and CRL for OAS Apache Server (10.1.2)

Create Wallet

Create Wallet with Oracle Wallet Manager (owm)

See this post on how to create an Oracle Wallet with Wallet Manager.

Create Wallet with orapki Utility

See the orapki manual for details.

Configure Server Side SSL Authentication

* Open the ssl.conf file located in the Apache conf directory
* Modify the SSLWallet directive to point to the new wallet file

SSLWallet file:C:\product\10.1.3.1\OracleAS_2\Apache\Apache\conf\ssl.wlt\wallet1

* Restart Apache server
* Test to see that https://www.my.com can be accessed.

Configure Client Side SSL Authentication

Generate Client Certificate

* See the “Generate Client Key and Certificate” section in this post to generate a client key and certificate with OpenSSL.

Setup Firefox Browser

* See the “Setup Firefox Browser for Client Authentication” section in this post on how to set up the Firefox browser for client side SSL authentication.
* Restart Firefox browser

Enable Client Side SSL Authentication

* Add the SSLVerifyClient directive to the ssl.conf file

<VirtualHost _default_:443>
  ...
  SSLVerifyClient require
</VirtualHost>

Test Client Side SSL Authentication

* Restart Apache server
* Test to see that https://www.my.com can be accessed.

Setup CRL

Using SSLCARevocationFile

* Copy the CRL file to the Apache conf\ssl.crl directory
* For multiple CRL files, concatenate them into one master CRL file
* Add the following line, pointing the SSLCARevocationFile directive at the master CRL file

  SSLCARevocationFile C:\product\10.1.3.1\OracleAS_2\Apache\Apache\conf\ssl.crl\exampleca.crl

Unix Only: Using SSLCARevocationPath

* Copy the CRL file, e.g. exampleca.crl, to the Apache conf/ssl.crl directory
* Change to the Apache conf/ssl.crl directory
* Run the make utility to set up the hash-named symbolic links to the CRL files

/opt/oracle/oas/Apache/Apache/conf/ssl.crl >make
exampleca.crl   ... 513cbb9e.r0

* Add the following line, pointing the SSLCARevocationPath directive at the ssl.crl directory

  SSLCARevocationPath /opt/oracle/oas/Apache/Apache/conf/ssl.crl/

Test CRL

* Restart Apache server
* Test to see that https://www.my.com can NOT be accessed.
* Check that the ssl_engine_log file located in the Apache logs directory contains an error message similar to the following:

[error] Certificate with serial 3 (0x3) revoked per CRL from issuer /CN=Example CA/ST=Virginia/C=US/Email=ca@exampleca.com/O=Example CA

* Comment out the SSLCARevocationFile directive and restart Apache; https://www.my.com can now be accessed again.
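The two checks above (client certificate issuance in the “Generate Client Certificate” section, and the CRL behaviour in “Setup CRL” / “Test CRL”) can be reproduced offline with nothing but the openssl command line. The script below is an added example, not code from the original post or from Oracle: it builds a throwaway CA, issues a client certificate with serial 3 (chosen to match the log line above), revokes it, publishes a CRL, lays the CA certificate and CRL out as hash-named links the way SSLCARevocationPath expects, and then runs the same revocation decision mod_ssl makes, once with the CRL directory in force and once without it (the “comment out the directive” case). The CA subject, the client name, the directory names and the helper functions `link_hashed` and `client_cert_status` are all constructed for this example. One caveat: OpenSSL 1.0.0 changed the subject-hash algorithm, so the `.r0` names produced here differ from those the 0.9.x-era `make` utility shipped with OAS 10.1.2 would generate (`openssl crl -hash_old` gives the old names).

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA + revoked client cert + CRL,
# laid out as <hash>.0 / <hash>.r0 links and checked with the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory; everything in it is constructed
SSLCRL="$WORK/ssl.crl"           # stands in for Apache/conf/ssl.crl
mkdir -p "$SSLCRL"

# Minimal openssl.cnf for the demo CA (paths are relative to $WORK).
cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = .
database           = $dir/index.txt
serial             = $dir/serial
new_certs_dir      = $dir
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_crl_days   = 30
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"

(
  cd "$WORK"
  # 1. Self-signed CA; the subject mirrors the "Example CA" in the post's log line (constructed).
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout ca.key -out ca.crt -subj "/C=US/ST=Virginia/O=Example CA/CN=Example CA" >/dev/null 2>&1
  # 2. Client key + CSR, signed by the CA with serial 3 (matches "serial 3 (0x3)" above).
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj "/CN=client1" >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 3 -days 90 \
      -out client.crt >/dev/null 2>&1
  # 3. Revoke the client certificate and publish the CRL.
  openssl ca -config ca.cnf -batch -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -gencrl -crldays 30 -out exampleca.crl >/dev/null 2>&1
)

# Lay out the CA certificate and CRL the way SSLCARevocationPath (and the make
# utility) expect: <subject_hash>.0 for the CA cert, <issuer_hash>.r0 for the CRL.
# Prints the CRL link name.
link_hashed() {            # $1 = target dir, $2 = CA cert, $3 = CRL file
    cert_hash=$(openssl x509 -noout -hash -in "$2")
    crl_hash=$(openssl crl -noout -hash -in "$3")
    ln -sf "$2" "$1/$cert_hash.0"
    ln -sf "$3" "$1/$crl_hash.r0"
    echo "$crl_hash.r0"
}

# Same decision mod_ssl makes for a presented client certificate.
# With a hashed CRL directory ($3) CRL checking is on (SSLCARevocationPath in force);
# with "" it is off (the directive commented out). Prints ok | revoked | fail.
client_cert_status() {     # $1 = client cert, $2 = CA cert, $3 = hashed dir or ""
    if [ -n "$3" ]; then
        out=$(openssl verify -crl_check -CApath "$3" "$1" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo fail ;;
    esac
}

CRL_LINK=$(link_hashed "$SSLCRL" "$WORK/ca.crt" "$WORK/exampleca.crl")
echo "CRL published as $SSLCRL/$CRL_LINK"
echo "CRL enabled : $(client_cert_status "$WORK/client.crt" "$WORK/ca.crt" "$SSLCRL")"
echo "CRL disabled: $(client_cert_status "$WORK/client.crt" "$WORK/ca.crt" "")"
```

Running it prints `revoked` for the enabled case and `ok` for the disabled case, which is the same pair of outcomes the browser test above produces (site blocked with the directive, reachable without it). The `openssl verify -crl_check -CApath` call is the closest CLI equivalent to what SSLCARevocationPath does at handshake time: it looks the CRL up by issuer hash in the directory, so a CRL that is copied in but not linked is silently ignored, which is why the make step (or `link_hashed` here) matters.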

References

* Configure Apache 2 Certificate Revocation List (CRL)
* Enabling SSL for Oracle HTTP Server
* http://www.nextre.it/oracledocs/certificates02.html
* Configuring HTTP Server to use SSL in Oracle Application Server 10g (10.1.2 – 10.1.3) [ID 341904.1]
* Master Note for SSL Configuration in Oracle Application Server 10g (10.1.2 – 10.1.3) [ID 1281035.1]
