{"id":2676,"date":"2011-07-06T10:24:25","date_gmt":"2011-07-06T15:24:25","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=2676"},"modified":"2011-07-14T10:01:58","modified_gmt":"2011-07-14T15:01:58","slug":"setup-crl-for-oracle-10g-http-server-ohs","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=2676","title":{"rendered":"Setup CRL for Oracle 10g HTTP Server (OHS)"},"content":{"rendered":"<span id=\"Overview\"><h2>Overview<\/h2><\/span>\n<span id=\"Apache_Versions\"><h3>Apache Versions<\/h3><\/span>\n<p>* In general, OHS shipped with OAS 10g is based on Apache 1.3.<br \/>\n* If you installed standalone OHS from the OAS 10g Companion CD, then it&#8217;s based on Apache 2.0.<br \/>\n* See <a href=\"http:\/\/www.oracle.com\/technetwork\/middleware\/ias\/ohs-101310-faq-131717.pdf\">this file<\/a> for details on what Apache versions are shipped with OAS 10g.<br \/>\n* See <a href=\"?p=2733\">this post<\/a> on how to find the Apache version.<br \/>\n* Sample output from bundled OHS (based on Apache 1.3):<\/p>\n<pre>\r\nApache Version \tOracle-Application-Server-10g\/10.1.3.5.0 Oracle-HTTP-Server\r\nApache Release \t10334100\r\nApache API Version \t19990320 \r\n<\/pre>\n<p>* Sample output from stand-alone OHS (based on Apache 2.0):<\/p>\n<pre>\r\nApache Version \tOracle-Application-Server-10g\/10.1.3.5.0 Oracle-HTTP-Server\r\nApache API Version \t20020903 \r\n<\/pre>\n<span id=\"Caveats\"><h3>Caveats<\/h3><\/span>\n<p>* Both Apache 1.3 and 2.0 based OHS installs come with mod_ossl, NOT mod_ssl. mod_ossl is a modified version of mod_ssl from Oracle.<br \/>\n* OHS comes with an undocumented(?) directive named <strong>SSLCRLCheck<\/strong>. 
It needs to be set to On for CRL support.<\/p>\n<pre>\r\nSSLCRLCheck On\r\n<\/pre>\n<p>* For OHS based on Apache 1.3 (bundled), expired CRL files are used by default.<br \/>\n* For OHS based on Apache 2.0 (stand-alone), expired CRLs are NOT used by default.<\/p>\n<span id=\"Setup\"><h2>Setup<\/h2><\/span>\n<p>* Follow <a href=\"?p=2639\">this post<\/a> to set up server-side and client-side SSL as well as CRL support.<br \/>\n* You need to set SSLCRLCheck to On for CRL support.<br \/>\n* For example, in ssl.conf:<\/p>\n<pre>\r\nSSLEngine on\r\n\r\nSSLWallet file:\/opt\/oracle\/ohs\/conf\/ssl.wlt\/wallet1\r\n\r\nSSLVerifyClient require\r\n\r\nSSLCRLCheck On\r\n\r\n#SSLCARevocationFile \/opt\/oracle\/ohs\/conf\/ssl.crl1\/exampleca.crl\r\nSSLCARevocationPath \/opt\/oracle\/ohs\/conf\/ssl.crl1\/<\/pre>\n<p>* Oddly, you need to change the file name extension from r0 to r<strong>N<\/strong> for the CRL to work.<\/p>\n<pre lang=\"bash\">bash-3.00$ pwd\r\n\/opt\/oracle\/ohs\/conf\/ssl.crl1\r\nbash-3.00$ ls\r\n513cbb9e.rN    Makefile       exampleca.crl\r\n<\/pre>\n<p>* As mentioned before, for stand-alone OHS, CRL files need to be current. Expired CRL files are ignored.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview Apache Versions * In general, OHS shipped with OAS 10g is based on Apache 1.3. * If you installed standalone OHS from OAS 10g Companion CD, then it&#8217;s based on Apache 2.0. 
* See this file for details on &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=2676\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21,35,55],"tags":[],"class_list":["post-2676","post","type-post","status-publish","format-standard","hentry","category-apache","category-oracle","category-ssl"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-Ha","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2676"}],"version-history":[{"count":12,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2676\/revisions"}],"predecessor-version":[
{"id":2729,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2676\/revisions\/2729"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}