{"id":2639,"date":"2011-06-30T13:18:41","date_gmt":"2011-06-30T18:18:41","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=2639"},"modified":"2011-06-30T13:20:41","modified_gmt":"2011-06-30T18:20:41","slug":"configure-serverclient-ssl-and-crl-for-oracle-oas-apache-server-10-1-2","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=2639","title":{"rendered":"Configure Server\/Client Side SSL and CRL for OAS Apache Server (10.1.2)"},"content":{"rendered":"<span id=\"Create_Wallet\"><h2>Create Wallet<\/h2><\/span>\n<span id=\"Create_Wallet_with_Oracle_Wallet_Manager_owm\"><h3>Create Wallet with Oracle Wallet Manager (owm)<\/h3><\/span>\n<p>See <a href=\"?p=2666\">this post<\/a> on how to create an Oracle Wallet with Wallet Manager.<\/p>\n<span id=\"Create_Wallet_with_orapki_Utility\"><h3>Create Wallet with orapki Utility<\/h3><\/span>\n<p>See orapki manual for details.<\/p>\n<span id=\"Configure_Server_Side_SSL_Authentication\"><h2>Configure Server Side SSL Authentication<\/h2><\/span>\n<p>* Open ssl.conf file located in the Apache conf directory<br \/>\n* Modify SSLWallet directive to point to the new wallet file<\/p>\n<pre lang=\"bash\">\r\nSSLWallet file:C:\\product\\10.1.3.1\\OracleAS_2\\Apache\\Apache\\conf\\ssl.wlt\\wallet1\r\n<\/pre>\n<p>* Restart Apache server<br \/>\n* Test to see that https:\/\/www.my.com can be accessed.<\/p>\n<span id=\"Configure_Client_Side_SSL_Authentication\"><h2>Configure Client Side SSL Authentication<\/h2><\/span>\n<span id=\"Generate_Client_Certificate\"><h3>Generate Client Certificate<\/h3><\/span>\n<p>* See the &#8220;Generate Client Key and Certificate&#8221; section on <a href=\"?p=2601\">this post<\/a> to generate a client Key and certificate using OpenSSL.<\/p>\n<span id=\"Setup_Firefox_Browser\"><h3>Setup Firefox Browser<\/h3><\/span>\n<p>* See the &#8220;Setup Firefox Browser for Client Authentication&#8221; section on <a href=\"?p=2601\">this post<\/a> on how to setup Firefox browser for client side 
SSL authentication.<br \/>\n* Restart Firefox browser<\/p>\n<span id=\"Enable_Client_Side_SSL_Authentication\"><h3>Enable Client Side SSL Authentication<\/h3><\/span>\n<p>* Add the SSLVerifyClient directive to the ssl.conf file<\/p>\n<pre lang=\"xml\">\r\n<VirtualHost _default_:443>\r\n  ...\r\n  SSLVerifyClient require\r\n<\/VirtualHost>\r\n<\/pre>\n<span id=\"Test_Client_Side_SSL_Authentication\"><h3>Test Client Side SSL Authentication<\/h3><\/span>\n<p>* Restart Apache server<br \/>\n* Test to see that https:\/\/www.my.com can be accessed.<\/p>\n<span id=\"Setup_CRL\"><h2>Setup CRL<\/h2><\/span>\n<span id=\"Using_SSLCARevocationFile\"><h3>Using SSLCARevocationFile<\/h3><\/span>\n<p>* Copy the CRL file to the Apache conf\\ssl.crl directory<br \/>\n* For multiple CRL files, concatenate them into one master CRL file<br \/>\n* Add the following line and point the SSLCARevocationFile directive to the master CRL file<\/p>\n<pre lang=\"bash\">\r\n  SSLCARevocationFile C:\\product\\10.1.3.1\\OracleAS_2\\Apache\\Apache\\conf\\ssl.crl\\exampleca.crl\r\n<\/pre>\n<span id=\"Unix_Only:_Using_SSLCARevocationPath\"><h3>Unix Only: Using SSLCARevocationPath<\/h3><\/span>\n<p>* Copy the CRL file, e.g. exampleca.crl, to the Apache conf\/ssl.crl directory<br \/>\n* Go to the Apache conf\/ssl.crl directory<br \/>\n* Run the make utility to set up symbolic links to the CRL files<\/p>\n<pre lang=\"bash\">\r\n\/opt\/oracle\/oas\/Apache\/Apache\/conf\/ssl.crl >make\r\nexampleca.crl   ... 
513cbb9e.r0\r\n<\/pre>\n<p>* Add the following line and point the SSLCARevocationPath directive to the ssl.crl directory<\/p>\n<pre lang=\"bash\">\r\n  SSLCARevocationPath \/opt\/oracle\/oas\/Apache\/Apache\/conf\/ssl.crl\/\r\n<\/pre>\n<span id=\"Test_CRL\"><h3>Test CRL<\/h3><\/span>\n<p>* Restart Apache server<br \/>\n* Test to see that <a href=\"https:\/\/www.my.com\">https:\/\/www.my.com<\/a> can NOT be accessed.<br \/>\n* Check that the ssl_engine_log file in the Apache logs directory contains an error message similar to the following:<\/p>\n<pre>\r\n[error] Certificate with serial 3 (0x3) revoked per CRL from issuer \/CN=Example CA\/ST=Virginia\/C=US\/Email=ca@exampleca.com\/O=Example CA\r\n<\/pre>\n<p>* Comment out the SSLCARevocationFile directive and restart Apache; <a href=\"https:\/\/www.my.com\">https:\/\/www.my.com<\/a> can now be accessed again.<\/p>\n<span id=\"References\"><h2>References<\/h2><\/span>\n<p>* <a href=\"?p=2601\">Configure Apache 2 Certificate Revocation List (CRL)<\/a><br \/>\n* <a href=\"http:\/\/download.oracle.com\/docs\/cd\/B14099_19\/web.1012\/b14007\/ssl.htm\">Enabling SSL for Oracle HTTP Server<\/a><br \/>\n* <a href=\"http:\/\/www.nextre.it\/oracledocs\/certificates02.html\">http:\/\/www.nextre.it\/oracledocs\/certificates02.html<\/a><br \/>\n* <a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=341904.1\">Configuring HTTP Server to use SSL in Oracle Application Server 10g (10.1.2 &#8211; 10.1.3) [ID 341904.1]<\/a><br \/>\n* <a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1281035.1\">Master Note for SSL Configuration in Oracle Application Server 10g (10.1.2 &#8211; 10.1.3) [ID 1281035.1]<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Create Wallet Create Wallet with Oracle Wallet Manager (owm) See this post on how to create an Oracle Wallet with Wallet Manager. Create Wallet with orapki Utility See orapki manual for details. 
Configure Server Side SSL Authentication * Open ssl.conf &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=2639\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21,69,35,55],"tags":[],"class_list":["post-2639","post","type-post","status-publish","format-standard","hentry","category-apache","category-oc4j","category-oracle","category-ssl"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-Gz","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2639","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2639"}],"version-history":[{"count":20,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/post
s\/2639\/revisions"}],"predecessor-version":[{"id":2670,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2639\/revisions\/2670"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}