Skip Headers
Oracle® HTTP Server Administering a Standalone Deployment Based on Apache 1.3
10g Release 2 (10.1.2)
B14008-02
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

10 Enabling SSL for Oracle HTTP Server

This chapter contains information about enabling and configuring SSL for Oracle HTTP Server. Topics discussed are:

10.1 Overview

Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the application layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.

One common use of SSL is to secure Web HTTP communication between a browser and a Web server. This case does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (named HTTPS). The differences are that HTTPS uses the URL scheme https:// rather than http://, and its default communication port is 4443 on UNIX or 443 on Windows.

mod_ossl is a plug-in to Oracle HTTP Server that enables the server to use SSL.

10.2 Configuring SSL

By default, SSL is disabled when you install Oracle Application Server. Perform these tasks to enable and configure SSL:

10.2.1 Task 1: Creating a Real Wallet

To configure Oracle HTTP Server for SSL, you need a wallet that contains the certificate for the server. Wallets store your credentials, such as certificate requests, certificates, and private keys.

The default wallet that is automatically installed with Oracle HTTP Server is for testing purposes only. A real wallet has to be created for your production server. The default wallet is located in ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default. You can either place the new wallet in that location, or change the SSLWallet directive in ORACLE_HOME/Apache/Apache/conf/ssl.conf to point to the location of your real wallet.


See Also:

Oracle Application Server Administrator's Guide for instructions on creating a wallet. It is important that you do the following:
  1. Generate a certificate request: For the Common Name, specify the name or alias of the site you are configuring.

  2. Set the auto-login feature for your wallet: Make sure that you enable this auto-login feature. The default wallet has this feature disabled.


10.2.2 Task 2: Enabling SSL

Perform the following steps to enable SSL manually:

  1. Open opmn.xml in a text editor.

  2. In the <ias-component id="HTTP_Server"> entry, change the start mode from "ssl-disabled" to "ssl-enabled". After modification is made, the entry should look like the following:

    <data id="start-mode" value="ssl-enabled"/>
    
    
  3. Save and close opmn.xml.

  4. Reload OPMN using the following command:

    opmnctl reload
    
    
  5. Stop Oracle HTTP Server using the following command:

    • UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] stopproc ias-component=HTTP_Server

    • Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] stopproc ias-component=HTTP_Server

  6. Start Oracle HTTP Server using the following command:

    • UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] startproc ias-component=HTTP_Server

    • Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] startproc ias-component=HTTP_Server


      Note:

      Be sure that you stop and start Oracle HTTP Server as per the instructions. Restarting Oracle HTTP Server does not yield the same result as stopping and starting it.

  7. You can verify if SSL was enabled successfully by navigating to the SSL port, for example:

    HTTPS://hostname:4443
    
    

10.2.3 Task 3: (Optional) Customizing Your Configuration

Optionally, you can further customize your configuration using mod_ossl directives.


Note:

The templates files installed during installation contain all the necessary SSL configuration directives and a default setup for SSL.

To enable client authentication, do the following:

  1. Specify SSLVerifyClient on the server side.

  2. Use proper client certificate on your client side for the HTTPS connection. Refer to your client documentation for information on getting and using a client certificate. Be sure that your client certificate is trusted by the server wallet.


    See Also:

    Oracle Application Server Administrator's Guide for instructions on how to import a trusted certificate into your wallet.

10.3 Additional SSL Features

This section contains SSL features that are supported for this release.

10.3.1 Global Server ID Support

This feature adds support SSL protocol features called variously "step-up", "server gated crypto" or "global server ID". "Step-up" is a feature that allows old, weak encryption browsers, to "step-up" so that public keys greater than 512 bits and bulk encryption keys greater than 64 bits can be used in the SSL protocol. This means that server X.509 certificates that contain public keys in excess of 512 bits and which contain "step-up" digital rights can now be used by Oracle Application Server. Such certificates are often called "128 bit" certificates, even though the certificate itself typically contains a 1024 bit certificate. The Verisign Secure Site Pro is an example of such a certificate which can now be used by Oracle Application Server.

Global Server ID functionality is provided by default, there is no configuration necessary.

10.3.2 PKCS #11 Support

Public-Key Cryptography Standards #11, or PKCS #11 for short, is a public key cryptography specification that outlines how systems use hardware security modules, which are basically "boxes" where cryptographic functions (encryption/decryption) are performed and where encryption keys are stored.

Oracle HTTP Server supports the option of having dedicated SSL hardware through nCipher. nCipher is a certified third party accelerator that improves the performance of the PKI cryptography that SSL uses.

10.4 Using SSL Configuration Directives

mod_ossl provides standard support for HTTPS protocol connections to Oracle Application Server. It enables secure connections between Oracle HTTP Server and a browser client by using an Oracle-provided encryption mechanism over SSL. It may also be used for authentication over the Internet through the use of digital certificate technology. It supports SSL v. 3.0, and provides:

The following mod_ssl directives are not supported by mod_ossl.

10.4.1 Using mod_ossl Directives

To configure SSL for your Oracle HTTP Server, enter the mod_ossl directives you want to use in the httpd.conf file.

The following directives are described:

10.4.1.1 SSLAccelerator

Specifies if SSL accelerator is used. Currently only nFast card is supported.

Category Value
Valid Values yes/no
Syntax SSLAccelerator yes|no
Default SSLAccelerator no
Context server configuration


Note:

The SSLAccelerator directive has been deprecated. For information on enabling SSL acceleration support using a wallet, refer to the Oracle Advanced Security Administrator's Guide on http://www.oracle.com/technology/documentation.

10.4.1.2 SSLCARevocationFile

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Category Value
Syntax SSLCARevocationFile file_name
Example SSLCARevocationFile /ORACLE_HOME/Apache/conf/ssl.crl/ca_bundle.crl
Default None
Context server configuration, virtual host

10.4.1.3 SSLCARevocationPath

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.

Category Value
Syntax SSLCARevocationPath path/to/CRL_directory/
Example SSLCARevocationPath /ORACLE_HOME/Apache/conf/ssl.crl/
Default None
Context server configuration, virtual host

10.4.1.4 SSLCipherSuite

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table 10-2 shows the tags you can use in the string to describe the cipher suite you want.

Tags are joined together with prefixes to form cipher specification string.

Category Value
Valid Values none: Adds the cipher to the list

+ : Adds the cipher to the list and place them in the correct location in the list

- : Remove the cipher from the list (can be added later)

! : Remove the cipher from the list permanently

Example SSLCipherSuite ALL:!LOW:!DH

In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm.

Syntax SSLCipherSuite cipher-spec

Default ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Context server configuration, virtual host, directory

Table 10-1 SSLCipher Suite Tags

Function Tag Meaning

Key exchange

kRSA

RSA key exchange

Key exchange

kDHr

Diffie-Hellman key exchange with RSA key

Authentication

aNULL

No authentication

Authentication

aRSA

RSA authentication

Authentication

aDH

Diffie-Hellman authentication

Encryption

eNULL

No encryption

Encryption

DES

DES encoding

Encryption

3DES

Triple DES encoding

Encryption

RC4

RC4 encoding

Data Integrity

MD5

MD5 hash function

Data Integrity

SHA

SHA hash function

Aliases

SSLv3

All SSL version 3.0 ciphers

Aliases

EXP

All export ciphers

Aliases

EXP40

All 40-bit export ciphers only

Aliases

EXP56

All 56-bit export ciphers only

Aliases

LOW

All low strength ciphers (export and single DES)

Aliases

MEDIUM

All ciphers with 128-bit encryption

Aliases

HIGH

All ciphers using triple DES

Aliases

RSA

All ciphers using RSA key exchange

Aliases

DH

All ciphers using Diffie-Hellman key exchange



Note:

There are restrictions if export versions of browsers are used. Oracle module, mod_ossl, supports RC4-40 encryption only when the server uses 512 bit key size wallets.

Table 10-2 Cipher Suites Supported in Oracle Advanced Security 10i

Cipher Suite Authentication Encryption Data Integrity

SSL_RSA_WITH_3DES_EDE_CBC_SHA

RSA

3DES (168)

SHA

SSL_RSA_WITH_RC4_128_SHA

RSA

RC4 (128)

SHA

SSL_RSA_WITH_RC4_128_MD5

RSA

RC4 (128)

MD5

SSL_RSA_WITH_DES_CBC_SHA

RSA

DES (56)

SHA

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

DH anon

3DES (168)

SHA

SSL_DH_anon_WITH_RC4_128_MD5

DH anon

RC4 (128)

MD5

SSL_DH_anon_WITH_DES_CBC_SHA

DH anon

DES (56)

SHA

SSL_RSA_EXPORT_WITH_RC4_40_MD5

RSA

RC4 (40)

MD5

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

RSA

DES40 (40)

SHA

SSL_RSA_WITH_AES_128_CBC_SHA

RSA

AES (128)

SHA

SSL_RSA_WITH_AES_256_CBC_SHA

RSA

AES (256)

SHA

SSL_DHE_DSS_EXPORT_WITH_DES40_CBS_SHA

DH DSS

DES (40)

SHA

SSL_DHE_DSS_WITH_DES_CBC_SHA

DH DSS

DES (50)

SHA

SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

DH DSS

3DES (168)

SHA

SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

DH RSA

DES (40)

SHA

SSL_DHE_RSA_WITH_DES_CBC_SHA

DH RSA

DES (56)

SHA

SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

DH RSA

3DES (168)

SHA

SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

DH DSS

DES (40)

SHA

SSL_DHE_DSS_WITH_RC4_128_SHA

DH DSS

RC4 (128)

SHA

SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA

DH DSS

RC4 (56)

SHA


10.4.1.5 SSLEngine

Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts. Example 10-1 is an example for using SSLEngine directive. The default SSL is 4443 on UNIX and 443 on Windows.

Example 10-1 Using SSLEngine Directive

<VirtualHost_dafault_:4443>
  SSLEngine on
  ...
</VirtualHost>

Category Value
Syntax SSLEngine on|off
Default SSLEngine off
Context server configuration, virtual host

10.4.1.6 SSLLog

Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/), it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Category Value
Syntax SSLVerifyClient path/to/filename
Default None
Context server configuration, virtual host

10.4.1.7 SSLLogLevel

Specifies the verbosity degree of the SSL engine log file.

Category Value
Valid Values The levels are (in ascending order, where each level is included in the levels preceding it):
  • none: No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog directive.

  • error: Only messages of the type 'error' (conditions that stop processing) are logged.

  • warn: Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.

  • info: Messages that summarize major processing actions are logged.

  • trace: Messages that summarize minor processing actions are logged.

  • debug: Messages that summarize development and low-level I/O operations are logged.

Syntax SSLLogLevel level
Default None
Context server configuration, virtual host

10.4.1.8 SSLMutex

Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes.

Category Value
Valid Values
  • none: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.
  • file:path/to/mutex: Uses a file for locking. The process ID (PID) of the Oracle HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash (/), it is assumed to be relative to ServerRoot. This setting is not available on Windows.

  • sem: Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex. This is the best choice, if the operating system supports it.

Example SSLMutex file:/usr/local/apache/logs/ssl_mutex
Syntax SSLMutex type
Default SSLMutex none
Context server configuration

10.4.1.9 SSLOptions

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Category Value
Valid Values
  • StdEnvVars: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.
  • ExportCertData: Enables the following additional CGI/SSI variables:

    SSL_SERVER_CERT

    SSL_CLIENT_CERT

    SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)

    These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.

    SSL_CLIENT_CERT_CHAIN_n variables are in the following order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1 is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.

  • FakeBasicAuth: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted.

Valid Values (for SSLOptions continued)
  • StrictRequire: Denies access when, according to SSLRequireSSL or directives, access should be forbidden. Without StrictRequire, it is possible for a 'Satisfy any' directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.

    Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.

  • CompatEnvVars: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.

  • OptRenegotiate: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.

Syntax SSLOptions [+-] option
Default None
Context server configuration, virtual host, directory

10.4.1.10 SSLPassPhraseDialog

Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet.

Category Value
Valid Values
  • builtin: when the server is started, mod_ossl prompts for a password for each wallet.

    This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN.

  • exec:path/to/program - when the server is started, mod_ossl calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA or DSA.

Syntax SSLPassPhraseDialog type
Example SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter
Default SSLPassPhraseDialog builtin
Context server configuration

10.4.1.11 SSLProtocol

Specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols.

Category Value
Valid Values SSLv2, SSLv3, TLSv1, ALL
Example To specify only SSL version 3.0, set this directive to the following:

SSLProtocol +SSLv3

Syntax SSLProtocol [+-] protocol
Default SSLProtocol ALL
Context server configuration, virtual host

10.4.1.12 SSLRequire

Denies access unless an arbitrarily complex boolean expression is true.

Category Value
Syntax SSLRequire expression
Default None
Context directory

The expression must match the following syntax (given as a BNF grammar notation):

expr ::= "true" | "false"
"!" expr
expr "&&" expr
expr "||" expr
"(" expr ")"

comp ::=word "==" word | word "eq" word
word "!=" word |word "ne" word
word "<" word |word "lt" word
word "<=" word |word "le" word
word ">" word |word "gt" word
word ">=" word |word "ge" word
word "=~" regex
word "!~" regex
wordlist ::= word
wordlist "," word

word ::= digit
cstring
variable
function

digit ::= [0-9]+

cstring ::= "..."

variable ::= "%{varname}"

Table 10-3 and Table 10-4 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.

Table 10-3 lists the standard variables for SSLRequire varname.

Table 10-3 Standard Variables for SSLRequire Varname

Standard Variables Standard Variables Standard Variables

HTTP_USER_AGENT

PATH_INFO

AUTH_TYPE

HTTP_REFERER

QUERY_STRING

SERVER_SOFTWARE

HTTP_COOKIE

REMOTE_HOST

API_VERSION

HTTP_FORWARDED

REMOTE_IDENT

TIME_YEAR

HTTP_HOST

IS_SUBREQ

TIME_MON

HTTP_PROXY_CONNECTION

DOCUMENT_ROOT

TIME_DAY

HTTP_ACCEPT

SERVER_ADMIN

TIME_HOUR

HTTP:headername

SERVER_NAME

TIME_MIN

THE_REQUEST

SERVER_PORT

TIME_SEC

REQUEST_METHOD

SERVER_PROTOCOL

TIME_WDAY

REQUEST_SCHEME

REMOTE_ADDR

TIME

REQUEST_URI

REMOTE_USER

ENV:variablename

REQUEST_FILENAME

 


 



Table 10-4 lists the SSL variables for SSLRequire varname.

Table 10-4 SSL Variables for SSLRequire Varname

SSL Variables SSL Variables SSL Variables

HTTPS

SSL_PROTOCOL

SSL_CIPHER_ALGKEYSIZE

SSL_CIPHER

SSL_CIPHER_EXPORT

SSL_VERSION_INTERFACE

SSL_CIPHER_USEKEYSIZE

SSL_VERSION_LIBRARY

SSL_SESSION_ID

SSL_CLIENT_V_END

SSL_CLIENT_M_SERIAL

SSL_CLIENT_V_START

SSL_CLIENT_S_DN_ST

SSL_CLIENT_S_DN

SSL_CLIENT_S_DN_C

SSL_CLIENT_S_DN_CN

SSL_CLIENT_S_DN_O

SSL_CLIENT_S_DN_OU

SSL_CLIENT_S_DN_G

SSL_CLIENT_S_DN_T

SSL_CLIENT_S_DN_I

SSL_CLIENT_S_DN_UID

SSL_CLIENT_S_DN_S

SSL_CLIENT_S_DN_D

SSL_CLIENT_I_DN_C

SSL_CLIENT_S_DN_Email

SSL_CLIENT_I_DN

SSL_CLIENT_I_DN_O

SSL_CLIENT_I_DN_ST

SSL_CLIENT_I_DN_L

SSL_CLIENT_I_DN_T

SSL_CLIENT_I_DN_OU

SSL_CLIENT_I_DN_CN

SSL_CLIENT_I_DN_S

SSL_CLIENT_I_DN_I

SSL_CLIENT_I_DN_G

SSL_CLIENT_I_DN_Email

SSL_CLIENT_I_DN_D

SSL_CLIENT_I_DN_UID

SSL_CLIENT_CERT

SSL_CLIENT_CERT_CHAIN_n

SSL_CLIENT_ROOT_CERT

SSL_CLIENT_VERIFY

SSL_CLIENT_M_VERSION

SSL_SERVER_M_VERSION

SSL_SERVER_V_START

SSL_SERVER_V_END

SSL_SERVER_M_SERIAL

SSL_SERVER_S_DN_C

SSL_SERVERT_S_DN_ST

SSL_SERVER_S_DN

SSL_SERVER_S_DN_OU

SSL_SERVER_S_DN_CN

SSL_SERVER_S_DN_O

SSL_SERVER_S_DN_I

SSL_SERVER_S_DN_G

SSL_SERVER_S_DN_T

SSL_SERVER_S_DN_D

SSL_SERVER_S_DN_UID

SSL_SERVER_S_DN_S

SSL_SERVER_I_DN

SSL_SERVER_I_DN_C

SSL_SERVER_S_DN_Email

SSL_SERVER_I_DN_L

SSL_SERVER_I_DN_O

SSL_SERVER_I_DN_ST

SSL_SERVER_I_DN_CN

SSSL_SERVER_I_DN_T

SSL_SERVER_I_DN_OU

SSL_SERVER_I_DN_G

SSL_SERVER_I_DN_I

 



10.4.1.13 SSLRequireSSL

Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.

Category Value
Syntax SSLRequireSSL
Default None
Context directory

10.4.1.14 SSLSessionCache

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing.

Category Value
Valid Values
  • none: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.
  • shmht:/path/to/datafile[bytes]: Uses a high-performance hash table (bytes specifies approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile. This hash table synchronizes the local SSL memory caches of the server processes.

  • shmcb:/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. The performance of shmcb is more uniform in all environments when compared to shmht.

Syntax SSLSessionCache type
Examples SSLSessionCache shmht: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)

SSLSessionCache shmcb: /ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)

Default SSLSessionCache none

10.4.1.15 SSLSessionCacheTimeout

Specifies the number of seconds before a SSL session in the session cache expires.

Category Value
Syntax SSLSessionCacheTimeout seconds
Default 300
Context server configuration

10.4.1.16 SSLVerifyClient

Specifies whether or not a client must present a certificate when connecting.

Category Value
Valid Values
  • none: No client certificate is required
  • optional: Client may present a valid certificate

  • require: Client must present a valid certificate

Syntax SSLVerifyClient level
Default None
Context server configuration, virtual host


Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

10.4.1.17 SSLWallet

Specifies the location of the wallet with its WRL.

Category Value
Syntax SSLWallet wrl

The format of wrl is: file:path to wallet

Example SSLWallet file:/etc/ORACLE/WALLETS/server

Other values of wrl may be used as permitted by the Oracle SSL product.

Default None
Context server configuration, virtual host

10.4.1.18 SSLWalletPassword

Specifies the Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf. If you must use a regular wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password.

Category Value
Syntax SSLWalletPassword password

If no password is required do not set this directive.

Note: If a wallet created with the Auto Login feature of Oracle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.

Default None
Context server configuration, virtual host


Note:

SSLWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, Oracle recommends that you get a SSO wallet, with auto-login enabled, instead. Refer to the"Task 1: Creating a Real Wallet".

10.4.2 Using the iasobf Utility

The iasobf utility enables you to generate an obfuscated wallet password from a cleartext password.

If you are using an Oracle Wallet that has been created with Auto Login enabled (an SSO wallet), then you do not need to use this utility. However, if you must use a regular wallet with a password, then Oracle recommends that you use the password obfuscation tool iasobf, which is located in ORACLE_HOME/Apache/Apache/bin, to generate an obfuscated wallet password from a cleartext password.

To generate an obfuscated wallet password, the command syntax is:

iasobf -p password 

The obfuscated password is printed to the terminal. iasobf requires operating system user of httpd process. Accordingly, use the root argument for UNIX or system argument for Windows. For example, on UNIX, the command will be iasobf -password root.


Note:

The corresponding tool for Windows environments is called osslpassword, which can be used in the same way as iasobf.

10.4.3 Using mod_proxy Directives

The following directives are for mod_proxy support only:

10.4.3.1 SSLProxyCache

Specifies whether the proxy cache will be used. The proxy will use the same session as the SSL server uses.

Category Value
Syntax SSLProxyCache on/off
Default SSLProxyCache off
Context server configuration, virtual host

10.4.3.2 SSLProxyCipherSuite

Specifies the proxy server's cipher suite.

Category Value
Syntax SSLCipherSuite cipher-spec
Default None
Context server configuration, virtual host

10.4.3.3 SSLProxyProtocol

Controls the proxy server's SSL protocol flavors.

Category Value
Syntax SSLProxyProtocol [+-] protocol
Default None
Context server configuration, virtual host

10.4.3.4 SSLProxyWallet

Specifies the location of the wallet containing the certificates to use when opening proxy connections.

Category Value
Syntax SSLProxyWallet wrl
Default None
Context server configuration, virtual host

10.4.3.5 SSLProxyWalletPassword

Specifies the proxy wallet password.

Category Value
Syntax SSLProxyWalletPassword password
Default None
Context server configuration, virtual host


Note:

SSLProxyWalletPassword has been deprecated. A warning message is generated in the Oracle HTTP Server log if this directive is used. For secure wallets, Oracle recommends that you get a SSO wallet instead.