This module describes how to achieve the highest level of
authentication for your Single Sign-On application. Oracle offers certificate-based
authentication (X.509 client certificates) for the Oracle Single Sign-On server
using Oracle Certificate Authority (OCA).
SSL enabling the Oracle Application Server
Overview
You use two basic configurations in this tutorial: Default
Certificate Authentication (Certificate Only) and Fallback Authentication.
Certificate Only Authentication
Certificate Only Authentication allows only those users who
have been issued a digital certificate by the OCA to authenticate against your
Web applications. In this configuration, even if you have a valid user ID and
password for an application, you will not be able to authenticate unless your
browser has been issued a digital certificate from the OCA.
Users with certificates will not be challenged for their username
and password because the certificate itself is their credential. If the certificate
is valid, as soon as the user clicks the login button they will be automatically
logged in to their application without entering a username and password.
Fallback Authentication
With Fallback Authentication configured, a user who has a certificate
is automatically authenticated into their applications. A user who does not
have a digital certificate is instead challenged for a user name and password
when they try to log in, and is granted access if the user name and password
are valid.
To get an SSL certificate and use it to enable SSL, perform
the following steps:
1. Open a terminal window and set the ORACLE_HOME environment variable.
export ORACLE_HOME=/home/oracle/infra
2. In the same window, change your directory to $ORACLE_HOME/bin, and start Oracle Wallet Manager (OWM).
$ cd $ORACLE_HOME/bin
$ owm &
3. Oracle Wallet Manager is displayed.
4. Select the Wallet menu and click the New... menu option.
5. You get a warning as shown below. Click No to proceed.
6. The New Wallet window appears. Enter the password for the wallet as welcome1. Click OK.
7. You are prompted to create a certificate request. Click Yes in the dialog box.
8. The Create Certificate Request window is displayed. Enter details as shown in the image. For the common name, enter the fully qualified host name of the machine. Click OK.
9. A confirmation dialog box appears. Click OK.
10. In the navigation pane, you see the wallet with the certificate request that you have just created. Click the node to view the generated certificate request on the right.
Requesting a Server Certificate by Using OCA User Pages
1. Keep OWM open, and open a browser window. Go to the OCA User interface by typing the URL https://host.domain:4400/oca/user. Close the dialog box with the message "Website Certified by an Unknown Authority." You will see the OCA User interface Home page. Click the Server / Sub CA Certificate tab.
2. On the Server / Sub CA Certificate page, click the Request a Certificate button.
3. The Server / Sub CA certificate request form appears. In this form, enter the following values:
PKCS#10 Request: Copy the certificate request generated by OWM here.
Name: <hostname.domain>
Phone Number: 12345
Certificate Usage: Select SSL/Encryption
Validity Period: Select 1 year
Then, click Submit.
4. The OCA server displays a confirmation of your request. Note the certificate request ID; you will need it in later steps. Click OK.
Approving the Requested Server Certificate by Using OCA Administration Pages
1. Open another browser. Go to the OCA Administration pages by typing the URL https://host.domain:4400/oca/admin.
2. Click the Certificate Management tab. The browser prompts you to select the OCA administrator certificate. Select the correct certificate and click OK.
3. The OCA Administration pages are displayed. Click the Certificate Management tab. This page displays all pending certificate requests.
4. Select the pending certificate, and then click View Details. The browser may ask you to select the OCA administrator certificate. The Certificate Request Details page is displayed. Click the Approve button to approve the certificate. The browser may again prompt you to select the OCA administrator certificate.
5. OCA displays a message confirming that the certificate is approved. Click OK.
6. Go back to the browser with the OCA User interface, and perform a search using the Certificate Request ID given to you previously. The approved certificate is listed here.
7. Click the Download CA Certificate button.
8. The page displaying the CA certificate appears. Click the Advanced button here to download the CA certificate.
9. The CA Certificate Details page with the CA certificate is displayed. On this page, under the section BASE64-Encoded Certificate, the CA certificate is displayed. Copy the text after the Begin Certificate line, up to the End Certificate line.
1. Shift to OWM and, from the Operations menu, select the Import Trusted Certificate option.
2. The Import Trusted Certificate dialog box is displayed. Select the option button as shown in the image, and click OK.
3. In the next dialog box, paste the certificate that you copied from the OCA User interface. Click OK.
4. Now, under the Trusted Certificate node in the navigation pane, you see that ocaadmin is added. Click this node to view the details in the right pane.
5. Go back to the browser with the OCA User interface. Click OK on the page from which you copied the CA certificate.
6. You return to the page displaying your approved certificate. To download the approved certificate, click the value in the Serial Number field.
7. This displays the page with your certificate. On this page, under the section BASE64-Encoded Certificate, your certificate is displayed. Copy the text after the Begin Certificate line, up to the End Certificate line.
8. Return to OWM, and select the Certificate:[Requested] node in the navigation pane. Then, select the Import User Certificate menu option from the Operations menu.
9. The Import Certificate dialog box appears. Select the option as shown in the image. Click OK.
10. In the next dialog box, paste the certificate that you copied from the OCA User interface. Click OK.
11. The certificate node in the navigation pane changes from Certificate:[Requested] to Certificate:[Ready]. The wallet with its certificate is now ready to use for SSL.
12. Then, go to the Wallet menu and select the Save As option to save the wallet. Save this wallet in the /home/oracle/labs directory. From a terminal window, open this directory and you see that a new file named ewallet.p12 has been created. This file contains the wallet.
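Certificate text copied from the OCA pages (step 9 of the approval section and step 7 of the import steps above) often picks up stray whitespace or loses its line wrapping, and a truncated paste only fails once OWM tries to import it. The following Python script is an added illustration, not part of Oracle's tooling: it normalizes such a paste into a clean PEM block and checks that the decoded bytes form exactly one complete DER SEQUENCE; the sample paste is constructed and is not a real certificate.

```python
import base64
import re

# Constructed sample of a paste from the OCA "BASE64-Encoded Certificate" page:
# title-case markers as the tutorial names them, stray spaces, no 64-column
# wrapping. The body is a hand-built DER SEQUENCE {INTEGER 5}, not a real
# certificate, so the structural checks can be exercised offline.
SAMPLE_PASTE = "  Begin Certificate\n  MAMCAQU=  \nEnd Certificate\n"

MARKERS = re.compile(
    r"begin certificate-*\s*(.*?)\s*-*end certificate", re.IGNORECASE | re.DOTALL)


def der_is_complete_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the number of bytes present; a truncated paste fails."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def normalize_pem_certificate(pasted: str) -> str:
    """Turn copied certificate text into a clean PEM block.

    Accepts the body with or without Begin/End lines (any case, with or
    without dashes), strips whitespace, validates the base64 and the DER
    framing, and rewraps at 64 columns as OWM and OpenSSL expect.
    """
    m = MARKERS.search(pasted)
    body = re.sub(r"\s+", "", m.group(1) if m else pasted)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        raise ValueError("certificate body is not valid base64")
    der = base64.b64decode(body, validate=True)
    if not der_is_complete_sequence(der):
        raise ValueError("decoded bytes are not one complete DER SEQUENCE "
                         "(truncated or over-long paste?)")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(normalize_pem_certificate(SAMPLE_PASTE), end="")
```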
Configuring Different Files to Set up SSL for the Oracle HTTP Server by Using Oracle Application Server Control
1. Log in as the ias_admin user. This starts Oracle Application Server Control.
2. Click Process Management at the bottom of the page.
3. In the opmn.xml file, change the value of the "start-mode" attribute for "HTTP_Server" to "ssl-enabled". Click the Apply button.
4. After changing the opmn.xml file, you have to change the ssl.conf file. To do that, click the Application Server locator link, and then click the HTTP_Server link in the System Components region.
5. Click Administration.
6. Click Advanced Server Properties.
7. Click the link for the ssl.conf file.
8. Find the VirtualHost closing tag:
</VirtualHost>
Open a new line above this </VirtualHost> closing tag and enter the following directives:
RewriteEngine on
RewriteOptions inherit
9. In the same file, find the following line:
#SSLVerifyClient require
Remove the comment character (#) at the beginning of the line and change "require" to "optional". Example:
SSLVerifyClient optional
Click the Apply button after completing your edit.
10. To put these settings into effect, you must restart the OracleAS instance. Stop and start the instance with the following commands:
opmnctl stopall
opmnctl startall
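The value chosen in step 9 is what selects between the two configurations from the Overview: "require" gives Certificate Only Authentication, "optional" gives Fallback Authentication, and leaving the line commented out requests no client certificate at all. The following Python script is an added example, not Oracle's own tooling: it audits an ssl.conf fragment for the effective SSLVerifyClient mode and for the two Rewrite directives from step 8; the sample configuration is constructed and its port is a placeholder.

```python
import re

# Constructed ssl.conf fragment in the state the tutorial leaves it after
# step 9; not copied from a real installation, and the port is a placeholder.
SAMPLE_SSL_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    #SSLVerifyClient require
    SSLVerifyClient optional
    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>
"""

# What each mod_ssl SSLVerifyClient value means in the tutorial's terms.
MODE_NAMES = {
    "none": "no client certificate requested: username/password only",
    "optional": "Fallback Authentication: certificate if presented, else password",
    "optional_no_ca": "like optional, but the certificate need not verify against the CA list",
    "require": "Certificate Only Authentication: no certificate, no access",
}


def audit_ssl_conf(text: str) -> dict:
    """Report the effective client-certificate mode and the step 8 directives.

    Commented-out lines (such as the '#SSLVerifyClient require' the tutorial
    has you uncomment) are ignored. A directive inside <VirtualHost> overrides
    one at server level; with none at all, mod_ssl defaults to 'none'.
    """
    modes, in_vhost, rewrite = {"server": None, "vhost": None}, False, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost = True
        elif re.match(r"</VirtualHost>", line, re.I):
            in_vhost = False
        elif m := re.match(r"SSLVerifyClient\s+(\S+)", line, re.I):
            modes["vhost" if in_vhost else "server"] = m.group(1).lower()
        elif in_vhost and re.match(r"Rewrite(Engine|Options)\s", line, re.I):
            rewrite.add(line.split()[0].lower())
    mode = modes["vhost"] or modes["server"] or "none"
    return {
        "mode": mode,
        "meaning": MODE_NAMES.get(mode, "unrecognised SSLVerifyClient value"),
        "rewrite_ok": {"rewriteengine", "rewriteoptions"} <= rewrite,
    }
```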