10 Enabling SSL for Oracle HTTP Server

This chapter contains information about enabling and configuring SSL for Oracle HTTP Server. Topics discussed are:

Overview
Configuring SSL
Additional SSL Features
Using SSL Configuration Directives

10.1 Overview

Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the application layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.

One common use of SSL is to secure Web HTTP communication between a browser and a Web server. This case does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (named HTTPS). The differences are that HTTPS uses the URL scheme https:// rather than http://, and its default communication port is 4443 on UNIX or 443 on Windows.

mod_ossl is a plug-in to Oracle HTTP Server that enables the server to use SSL.

10.2 Configuring SSL

By default, SSL is disabled when you install Oracle Application Server. Perform these tasks to enable and configure SSL:

Task 1: Creating a Real Wallet
Task 2: Enabling SSL
Task 3: (Optional) Customizing Your Configuration

10.2.1 Task 1: Creating a Real Wallet

To configure Oracle HTTP Server for SSL, you need a wallet that contains the certificate for the server. Wallets store your credentials, such as certificate requests, certificates, and private keys.

The default wallet that is automatically installed with Oracle HTTP Server is for testing purposes only. A real wallet has to be created for your production server. The default wallet is located in ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default. You can either place the new wallet in that location, or change the SSLWallet directive in ORACLE_HOME/Apache/Apache/conf/ssl.conf to point to the location of your real wallet.

See Also:

Oracle Application Server Administrator's Guide for instructions on creating a wallet. It is important that you do the following:

Generate a certificate request: For the Common Name, specify the name or alias of the site you are configuring.
Set the auto-login feature for your wallet: Make sure that you enable this auto-login feature. The default wallet has this feature disabled.

10.2.2 Task 2: Enabling SSL

Perform the following steps to enable SSL manually:

Open opmn.xml in a text editor.
In the <ias-component id="HTTP_Server"> entry, change the start mode from "ssl-disabled" to "ssl-enabled". After modification is made, the entry should look like the following:
```
<data id="start-mode" value="ssl-enabled"/>
```
Save and close opmn.xml.
Reload OPMN using the following command:
```
opmnctl reload
```
Stop Oracle HTTP Server using the following command:
- UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] stopproc ias-component=HTTP_Server
- Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] stopproc ias-component=HTTP_Server
Start Oracle HTTP Server using the following command:
- UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] startproc ias-component=HTTP_Server
- Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] startproc ias-component=HTTP_Server
  
  Note:
  Be sure that you stop and start Oracle HTTP Server as per the instructions. Restarting Oracle HTTP Server does not yield the same result as stopping and starting it.
You can verify if SSL was enabled successfully by navigating to the SSL port, for example:
```
HTTPS://hostname:4443
```

10.2.3 Task 3: (Optional) Customizing Your Configuration

Optionally, you can further customize your configuration using mod_ossl directives.

See Also:

"Using mod_ossl Directives"

Note:

The templates files installed during installation contain all the necessary SSL configuration directives and a default setup for SSL.

To enable client authentication, do the following:

Specify SSLVerifyClient on the server side.
Use proper client certificate on your client side for the HTTPS connection. Refer to your client documentation for information on getting and using a client certificate. Be sure that your client certificate is trusted by the server wallet.

See Also:
Oracle Application Server Administrator's Guide for instructions on how to import a trusted certificate into your wallet.

10.3 Additional SSL Features

This section contains SSL features that are supported for this release.

Global Server ID Support
PKCS #11 Support

10.3.1 Global Server ID Support

This feature adds support SSL protocol features called variously "step-up", "server gated crypto" or "global server ID". "Step-up" is a feature that allows old, weak encryption browsers, to "step-up" so that public keys greater than 512 bits and bulk encryption keys greater than 64 bits can be used in the SSL protocol. This means that server X.509 certificates that contain public keys in excess of 512 bits and which contain "step-up" digital rights can now be used by Oracle Application Server. Such certificates are often called "128 bit" certificates, even though the certificate itself typically contains a 1024 bit certificate. The Verisign Secure Site Pro is an example of such a certificate which can now be used by Oracle Application Server.

Global Server ID functionality is provided by default, there is no configuration necessary.

10.3.2 PKCS #11 Support

Public-Key Cryptography Standards #11, or PKCS #11 for short, is a public key cryptography specification that outlines how systems use hardware security modules, which are basically "boxes" where cryptographic functions (encryption/decryption) are performed and where encryption keys are stored.

Oracle HTTP Server supports the option of having dedicated SSL hardware through nCipher. nCipher is a certified third party accelerator that improves the performance of the PKI cryptography that SSL uses.

See Also:

10.4 Using SSL Configuration Directives

mod_ossl provides standard support for HTTPS protocol connections to Oracle Application Server. It enables secure connections between Oracle HTTP Server and a browser client by using an Oracle-provided encryption mechanism over SSL. It may also be used for authentication over the Internet through the use of digital certificate technology. It supports SSL v. 3.0, and provides:

Encrypted communication between client and server, using RSA or DES encryption standards.
Integrity checking of client/server communication using MD5 or SHA checksum algorithms.
Certificate management with Oracle wallets.

The following mod_ssl directives are not supported by mod_ossl.

SSLRandomSeed
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile
SSLCACertificatePath
SSLVerifyDepth

Note:
The server will not start if these directives are used.

10.4.1 Using mod_ossl Directives

To configure SSL for your Oracle HTTP Server, enter the mod_ossl directives you want to use in the httpd.conf file.

The following directives are described:

SSLAccelerator
SSLCARevocationFile
SSLCARevocationPath
SSLCipherSuite
SSLEngine
SSLLog
SSLLogLevel
SSLMutex
SSLOptions
SSLPassPhraseDialog
SSLProtocol
SSLRequire
SSLRequireSSL
SSLSessionCache
SSLSessionCacheTimeout
SSLVerifyClient
SSLWallet
SSLWalletPassword

10.4.1.1 SSLAccelerator

Specifies if SSL accelerator is used. Currently only nFast card is supported.

Category	Value
Valid Values	`yes/no`
Syntax	`SSLAccelerator yes\|no`
Default	`SSLAccelerator no`
Context	server configuration

Note:

The SSLAccelerator directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation.

10.4.1.2 SSLCARevocationFile

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Category	Value
Syntax	`SSLCARevocationFile` `file_name`
Example	`SSLCARevocationFile /ORACLE_HOME/Apache/conf/ssl.crl/ca_bundle.crl`
Default	None
Context	server configuration, virtual host

10.4.1.3 SSLCARevocationPath

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.

Category	Value
Syntax	`SSLCARevocationPath` `path/to/CRL_directory/`
Example	`SSLCARevocationPath /ORACLE_HOME/Apache/conf/ssl.crl/`
Default	None
Context	server configuration, virtual host

10.4.1.4 SSLCipherSuite

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table 10-2 shows the tags you can use in the string to describe the cipher suite you want.

Tags are joined together with prefixes to form cipher specification string.

Category	Value
Valid Values	`none`: Adds the cipher to the list `+` : Adds the cipher to the list and place them in the correct location in the list `-` : Remove the cipher from the list (can be added later) `!` : Remove the cipher from the list permanently
Example	`SSLCipherSuite` `ALL:!LOW:!DH` In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm.
Syntax	`SSLCipherSuite` `cipher-spec`
Default	`ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP`
Context	server configuration, virtual host, directory

Table 10-1 SSLCipher Suite Tags

Function	Tag	Meaning
Key exchange	`kRSA`	`RSA` key exchange
Key exchange	`kDHr`	Diffie-Hellman key exchange with RSA key
Authentication	`aNULL`	No authentication
Authentication	`aRSA`	`RSA` authentication
Authentication	`aDH`	Diffie-Hellman authentication
Encryption	`eNULL`	No encryption
Encryption	`DES`	`DES` encoding
Encryption	`3DES`	Triple `DES` encoding
Encryption	`RC4`	`RC4` encoding
Data Integrity	`MD5`	`MD5` hash function
Data Integrity	`SHA`	`SHA` hash function
Aliases	`SSLv3`	All SSL version 3.0 ciphers
Aliases	`EXP`	All export ciphers
Aliases	`EXP40`	All 40-bit export ciphers only
Aliases	`EXP56`	All 56-bit export ciphers only
Aliases	`LOW`	All low strength ciphers (export and single `DES`)
Aliases	`MEDIUM`	All ciphers with 128-bit encryption
Aliases	`HIGH`	All ciphers using triple `DES`
Aliases	`RSA`	All ciphers using `RSA` key exchange
Aliases	`DH`	All ciphers using Diffie-Hellman key exchange

Note:

There are restrictions if export versions of browsers are used. Oracle module, mod_ossl, supports RC4-40 encryption only when the server uses 512 bit key size wallets.

Table 10-2 Cipher Suites Supported in Oracle Advanced Security 10i

Cipher Suite	Authentication	Encryption	Data Integrity
`SSL_RSA_WITH_3DES_EDE_CBC_SHA`	`RSA`	`3DES (168)`	`SHA`
`SSL_RSA_WITH_RC4_128_SHA`	`RSA`	`RC4 (128)`	`SHA`
`SSL_RSA_WITH_RC4_128_MD5`	`RSA`	`RC4 (128)`	`MD5`
`SSL_RSA_WITH_DES_CBC_SHA`	`RSA`	`DES (56)`	`SHA`
`SSL_DH_anon_WITH_3DES_EDE_CBC_SHA`	`DH anon`	`3DES (168)`	`SHA`
`SSL_DH_anon_WITH_RC4_128_MD5`	`DH anon`	`RC4 (128)`	`MD5`
`SSL_DH_anon_WITH_DES_CBC_SHA`	`DH anon`	`DES (56)`	`SHA`
`SSL_RSA_EXPORT_WITH_RC4_40_MD5`	`RSA`	`RC4 (40)`	`MD5`
`SSL_RSA_EXPORT_WITH_DES40_CBC_SHA`	`RSA`	`DES40 (40)`	`SHA`
`SSL_RSA_WITH_AES_128_CBC_SHA`	`RSA`	`AES (128`)	`SHA`
`SSL_RSA_WITH_AES_256_CBC_SHA`	`RSA`	`AES (256)`	`SHA`
`SSL_DHE_DSS_EXPORT_WITH_DES40_CBS_SHA`	`DH DSS`	`DES (40)`	`SHA`
`SSL_DHE_DSS_WITH_DES_CBC_SHA`	`DH DSS`	`DES (50)`	`SHA`
`SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA`	`DH DSS`	`3DES (168)`	`SHA`
`SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA`	`DH RSA`	`DES (40)`	`SHA`
`SSL_DHE_RSA_WITH_DES_CBC_SHA`	`DH RSA`	`DES (56)`	`SHA`
`SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA`	`DH RSA`	`3DES (168)`	`SHA`
`SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA`	`DH DSS`	`DES (40)`	`SHA`
`SSL_DHE_DSS_WITH_RC4_128_SHA`	`DH DSS`	`RC4 (128)`	`SHA`
`SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA`	`DH DSS`	`RC4 (56)`	`SHA`

10.4.1.5 SSLEngine

Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts. Example 10-1 is an example for using SSLEngine directive. The default SSL is 4443 on UNIX and 443 on Windows.

Example 10-1 Using SSLEngine Directive

<VirtualHost_dafault_:4443>
  SSLEngine on
  ...
</VirtualHost>

Category	Value
Syntax	`SSLEngine on\|off`
Default	`SSLEngine off`
Context	server configuration, virtual host

10.4.1.6 SSLLog

Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Category	Value
Syntax	`SSLVerifyClient` `path/to/filename`
Default	None
Context	server configuration, virtual host

10.4.1.7 SSLLogLevel

Specifies the verbosity degree of the SSL engine log file.

Category	Value
Valid Values	The levels are (in ascending order, where each level is included in the levels preceding it): `none`: No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the `ErrorLog` directive. `error`: Only messages of the type 'error' (conditions that stop processing) are logged. `warn`: Messages that notify of non-fatal problems (conditions that do not stop processing) are logged. `info`: Messages that summarize major processing actions are logged. `trace`: Messages that summarize minor processing actions are logged. `debug`: Messages that summarize development and low-level I/O operations are logged.
Syntax	`SSLLogLevel` `level`
Default	None
Context	server configuration, virtual host

10.4.1.8 SSLMutex

Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes.

Category	Value
Valid Values	`none`: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled. `file:`path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to `ServerRoot`. This setting is not available on Windows. `sem`: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.
Example	`SSLMutex file:/usr/local/apache/logs/ssl_mutex`
Syntax	`SSLMutex` `type`
Default	`SSLMutex` `none`
Context	server configuration

10.4.1.9 SSLOptions

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Category	Value
Valid Values	`StdEnvVars`: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests. `ExportCertData`: Enables the following additional CGI/SSI variables: `SSL_SERVER_CERT` `SSL_CLIENT_CERT` `SSL_CLIENT_CERT_CHAIN_n` (where n= 0, 1, 2...) These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it. `SSL_CLIENT_CERT_CHAIN_n` variables are in the following order: `SSL_CLIENT_CERT_CHAIN_0` is the intermediate CA who signs `SSL_CLIENT_CERT`. `SSL_CLIENT_CERT_CHAIN_1` is the intermediate CA who signs `SSL_CLIENT_CERT_CHAIN_0`, and so forth, with `SSL_CLIENT_ROOT_CERT` as the root CA. `FakeBasicAuth`: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted.
Valid Values (for `SSLOptions` continued)	`StrictRequire`: Denies access when, according to SSLRequireSSL or directives, access should be forbidden. Without `StrictRequire`, it is possible for a '`Satisfy any'` directive setting to override the `SSLRequire` or `SSLRequireSSL` directive, allowing access if the client passes the host restriction or supplies a valid user name and password. Thus, the combination of `SSLRequireSSL` or `SSLRequire` with `SSLOptions +StrictRequire` gives `mod_ossl` the ability to override a `'Satisfy any'` directive in all cases. `CompatEnvVars`: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, `mod_ssl` 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts. `OptRenegotiate`: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.
Syntax	`SSLOptions` [+-] `option`
Default	None
Context	server configuration, virtual host, directory

10.4.1.10 SSLPassPhraseDialog

Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet.

Category	Value
Valid Values	`builtin`: when the server is started, `mod_ossl` prompts for a password for each wallet. This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN. `exec:`path/to/program - when the server is started, `mod_ossl` calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and `RSA` or `DSA`.
Syntax	`SSLPassPhraseDialog` type
Example	`SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter`
Default	`SSLPassPhraseDialog` `builtin`
Context	server configuration

10.4.1.11 SSLProtocol

Specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols.

Category	Value
Valid Values	SSLv2, SSLv3, TLSv1, ALL
Example	To specify only SSL version 3.0, set this directive to the following: `SSLProtocol` `+SSLv3`
Syntax	`SSLProtocol` `[+-] protocol`
Default	`SSLProtocol ALL`
Context	server configuration, virtual host

10.4.1.12 SSLRequire

Denies access unless an arbitrarily complex boolean expression is true.

Category	Value
Syntax	`SSLRequire` `expression`
Default	None
Context	directory

The expression must match the following syntax (given as a BNF grammar notation):

expr ::= "true" | "false"
"!" expr
expr "&&" expr
expr "||" expr
"(" expr ")"

comp ::=word "==" word | word "eq" word
word "!=" word |word "ne" word
word "<" word |word "lt" word
word "<=" word |word "le" word
word ">" word |word "gt" word
word ">=" word |word "ge" word
word "=~" regex
word "!~" regex
wordlist ::= word
wordlist "," word

word ::= digit
cstring
variable
function

digit ::= [0-9]+

cstring ::= "..."

variable ::= "%{varname}"

Table 10-3 and Table 10-4 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.

Table 10-3 lists the standard variables for SSLRequire varname.

Table 10-3 Standard Variables for SSLRequire Varname

Standard Variables	Standard Variables	Standard Variables
`HTTP_USER_AGENT`	`PATH_INFO`	`AUTH_TYPE`
`HTTP_REFERER`	`QUERY_STRING`	`SERVER_SOFTWARE`
`HTTP_COOKIE`	`REMOTE_HOST`	`API_VERSION`
`HTTP_FORWARDED`	`REMOTE_IDENT`	`TIME_YEAR`
`HTTP_HOST`	`IS_SUBREQ`	`TIME_MON`
`HTTP_PROXY_CONNECTION`	`DOCUMENT_ROOT`	`TIME_DAY`
`HTTP_ACCEPT`	`SERVER_ADMIN`	`TIME_HOUR`
`HTTP:headername`	`SERVER_NAME`	`TIME_MIN`
`THE_REQUEST`	`SERVER_PORT`	`TIME_SEC`
`REQUEST_METHOD`	`SERVER_PROTOCOL`	`TIME_WDAY`
`REQUEST_SCHEME`	`REMOTE_ADDR`	`TIME`
`REQUEST_URI`	`REMOTE_USER`	`ENV:variablename`
`REQUEST_FILENAME`

Table 10-4 lists the SSL variables for SSLRequire varname.

Table 10-4 SSL Variables for SSLRequire Varname

SSL Variables	SSL Variables	SSL Variables
`HTTPS`	`SSL_PROTOCOL`	`SSL_CIPHER_ALGKEYSIZE`
`SSL_CIPHER`	`SSL_CIPHER_EXPORT`	`SSL_VERSION_INTERFACE`
`SSL_CIPHER_USEKEYSIZE`	`SSL_VERSION_LIBRARY`	`SSL_SESSION_ID`
`SSL_CLIENT_V_END`	`SSL_CLIENT_M_SERIAL`	`SSL_CLIENT_V_START`
`SSL_CLIENT_S_DN_ST`	`SSL_CLIENT_S_DN`	`SSL_CLIENT_S_DN_C`
`SSL_CLIENT_S_DN_CN`	`SSL_CLIENT_S_DN_O`	`SSL_CLIENT_S_DN_OU`
`SSL_CLIENT_S_DN_G`	`SSL_CLIENT_S_DN_T`	`SSL_CLIENT_S_DN_I`
`SSL_CLIENT_S_DN_UID`	`SSL_CLIENT_S_DN_S`	`SSL_CLIENT_S_DN_D`
`SSL_CLIENT_I_DN_C`	`SSL_CLIENT_S_DN_Email`	`SSL_CLIENT_I_DN`
`SSL_CLIENT_I_DN_O`	`SSL_CLIENT_I_DN_ST`	`SSL_CLIENT_I_DN_L`
`SSL_CLIENT_I_DN_T`	`SSL_CLIENT_I_DN_OU`	`SSL_CLIENT_I_DN_CN`
`SSL_CLIENT_I_DN_S`	`SSL_CLIENT_I_DN_I`	`SSL_CLIENT_I_DN_G`
`SSL_CLIENT_I_DN_Email`	`SSL_CLIENT_I_DN_D`	`SSL_CLIENT_I_DN_UID`
`SSL_CLIENT_CERT`	`SSL_CLIENT_CERT_CHAIN_n`	`SSL_CLIENT_ROOT_CERT`
`SSL_CLIENT_VERIFY`	`SSL_CLIENT_M_VERSION`	`SSL_SERVER_M_VERSION`
`SSL_SERVER_V_START`	`SSL_SERVER_V_END`	`SSL_SERVER_M_SERIAL`
`SSL_SERVER_S_DN_C`	`SSL_SERVERT_S_DN_ST`	`SSL_SERVER_S_DN`
`SSL_SERVER_S_DN_OU`	`SSL_SERVER_S_DN_CN`	`SSL_SERVER_S_DN_O`
`SSL_SERVER_S_DN_I`	`SSL_SERVER_S_DN_G`	`SSL_SERVER_S_DN_T`
`SSL_SERVER_S_DN_D`	`SSL_SERVER_S_DN_UID`	`SSL_SERVER_S_DN_S`
`SSL_SERVER_I_DN`	`SSL_SERVER_I_DN_C`	`SSL_SERVER_S_DN_Email`
`SSL_SERVER_I_DN_L`	`SSL_SERVER_I_DN_O`	`SSL_SERVER_I_DN_ST`
`SSL_SERVER_I_DN_CN`	`SSSL_SERVER_I_DN_T`	`SSL_SERVER_I_DN_OU`
`SSL_SERVER_I_DN_G`	`SSL_SERVER_I_DN_I`

10.4.1.13 SSLRequireSSL

Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.

Category	Value
Syntax	`SSLRequireSSL`
Default	None
Context	directory

10.4.1.14 SSLSessionCache

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing.

Category	Value
Valid Values	`none`: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance. `shmht:`/path/to/datafile[bytes]: Uses a high-performance hash table (`bytes` specifies approximate size) inside a shared memory segment in RAM, which is established by the `/path/to/datafile`. This hash table synchronizes the local SSL memory caches of the server processes. `shmcb:`/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of `shmcb` is more uniform in all environments when compared to `shmht`.
Syntax	`SSLSessionCache` `type`
Examples	`SSLSessionCache shmht:` `/ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)` `SSLSessionCache shmcb: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)`
Default	`SSLSessionCache` none

10.4.1.15 SSLSessionCacheTimeout

Specifies the number of seconds before a SSL session in the session cache expires.

Category	Value
Syntax	`SSLSessionCacheTimeout` `seconds`
Default	300
Context	server configuration

10.4.1.16 SSLVerifyClient

Specifies whether or not a client must present a certificate when connecting.

Category	Value
Valid Values	`none`: No client certificate is required `optional`: Client may present a valid certificate `require`: Client must present a valid certificate
Syntax	`SSLVerifyClient` `level`
Default	None
Context	server configuration, virtual host

Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

10.4.1.17 SSLWallet

Specifies the location of the wallet with its WRL.

Category	Value
Syntax	`SSLWallet` `wrl` The format of `wrl` is: `file:path to wallet`
Example	`SSLWallet` `file:/etc/ORACLE/WALLETS/server` Other values of wrl may be used as permitted by the Oracle SSL product.
Default	None
Context	server configuration, virtual host

10.4.1.18 SSLWalletPassword

Specifies the Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf. If you must use a regular wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password.

See Also:

"Using the iasobf Utility"

Category Value

Syntax

Category	Value
Syntax	`SSLWalletPassword` `password` If no password is required do not set this directive. Note: If a wallet created with the Auto Login feature of Oracle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.
Default	None
Context	server configuration, virtual host

SSLWalletPassword password

If no password is required do not set this directive.

Note: If a wallet created with the Auto Login feature of Oracle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.

Default None

Context server configuration, virtual host

Note:

SSLWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, Oracle recommends that you get a SSO wallet, with auto-login enabled, instead. Refer to the"Task 1: Creating a Real Wallet".

10.4.2 Using the iasobf Utility

The iasobf utility enables you to generate an obfuscated wallet password from a cleartext password.

If you are using an Oracle Wallet that has been created with Auto Login enabled (an SSO wallet), then you do not need to use this utility. However, if you must use a regular wallet with a password, then Oracle recommends that you use the password obfuscation tool iasobf, which is located in ORACLE_HOME/Apache/Apache/bin, to generate an obfuscated wallet password from a cleartext password.

To generate an obfuscated wallet password, the command syntax is:

iasobf -p password

The obfuscated password is printed to the terminal. iasobf requires operating system user of httpd process. Accordingly, use the root argument for UNIX or system argument for Windows. For example, on UNIX, the command will be iasobf -password root.

Note:

The corresponding tool for Windows environments is called osslpassword, which can be used in the same way as iasobf.

10.4.3 Using mod_proxy Directives

The following directives are for mod_proxy support only:

SSLProxyCache
SSLProxyCipherSuite
SSLProxyProtocol
SSLProxyWallet
SSLProxyWalletPassword

10.4.3.1 SSLProxyCache

Specifies whether the proxy cache will be used. The proxy will use the same session as the SSL server uses.

Category	Value
Syntax	`SSLProxyCache` `on/off`
Default	`SSLProxyCache off`
Context	server configuration, virtual host

10.4.3.2 SSLProxyCipherSuite

Specifies the proxy server's cipher suite.

Category	Value
Syntax	`SSLCipherSuite` `cipher-spec`
Default	`None`
Context	server configuration, virtual host

10.4.3.3 SSLProxyProtocol

Controls the proxy server's SSL protocol flavors.

Category	Value
Syntax	`SSLProxyProtocol [+-]` `protocol`
Default	`None`
Context	server configuration, virtual host

10.4.3.4 SSLProxyWallet

Specifies the location of the wallet containing the certificates to use when opening proxy connections.

Category	Value
Syntax	`SSLProxyWallet` `wrl`
Default	`None`
Context	server configuration, virtual host

10.4.3.5 SSLProxyWalletPassword

Specifies the proxy wallet password.

Category	Value
Syntax	`SSLProxyWalletPassword` `password`
Default	`None`
Context	server configuration, virtual host

Note:

SSLProxyWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, Oracle recommends that you get a SSO wallet instead.