Oracle® Application Server Forms Services Deployment Guide 10g Release 2 (10.1.2) B14032-03
By default, the HTTPS port is not enabled when installing Oracle Application Server 10g. There are two steps to enable SSL: enable the HTTPS port in Oracle HTTP Server, then enable Web Cache to accept HTTPS connections from Oracle HTTP Server.
Note: If you've coded your Forms application such that the logon dialog appears (because you haven't specified the user/password as part of the configuration for the application you're running) and you're not running your application with SSL/HTTPS, you should be aware that there is a potential security issue. The password that is entered in the logon dialog will be sent across the network.
When you enable Oracle HTTP Server to use SSL, you modify a portion of the Oracle Process Manager and Notification Server (OPMN) configuration file. After you've modified and saved this file, you will need to restart OPMN processes.
To configure Oracle HTTP Server to use SSL:
Open ORACLE_HOME/opmn/conf/opmn.xml in a text editor and find this block of code:

    <ias-component id="HTTP_Server">
      <process-type id="HTTP_Server" module-id="OHS">
        <module-data>
          <category id="start-parameters">
            <data id="start-mode" value="ssl-disabled"/>
          </category>
        </module-data>
        <process-set id="HTTP_Server" numprocs="1"/>
      </process-type>
    </ias-component>

Change the start-mode parameter value to ssl-enabled:

    <ias-component id="HTTP_Server">
      <process-type id="HTTP_Server" module-id="OHS">
        <module-data>
          <category id="start-parameters">
            <data id="start-mode" value="ssl-enabled"/>
          </category>
        </module-data>
        <process-set id="HTTP_Server" numprocs="1"/>
      </process-type>
    </ias-component>
Force OPMN to reload the modified opmn.xml configuration file:
opmnctl reload
Use the Web Cache Admin page to enable HTTPS connections from Oracle HTTP Server.
To configure Web Cache to use SSL:
Open the Web Cache Manager page. If you configured OracleAS Web Cache during installation, you can access it as http://hostname.domain:port. Its default port is 4000, or the Web Cache HTTP Listen port number as listed in:
Solaris: ORACLE_HOME/install/portlist.ini
Windows: ORACLE_HOME\install\portlist.ini
Log in as the application server administrator.
Locate the Port section in the navigator frame and click Listen Ports.
Click Add.
From the For Cache dropdown list, select the target Web Cache.
Enter the following information, as shown in Table 6-1:
Table 6-1 HTTPS Port Configuration Information
Setting | Description |
---|---|
IP Address | Any valid IP address |
Port Number | 443 |
Protocol | HTTPS |
Require Client-Side Certificate | Enable or disable client-side certificates. Select Require Client-Side Certificate to enable OracleAS Web Cache to require browsers to provide SSL certificates. You'll need to import ewallet.p12 file from A client-side certificate is a method for verifying the identity of the client. It binds information about the client user to the user's public key and must be digitally signed by a trusted certificate authority. |
Wallet | Enter the directory location of the wallet. This directory must contain an existing wallet. This wallet is used for administration, invalidation, and statistics monitoring of HTTPS requests for sites hosted by OracleAS Web Cache. Oracle recommends entering the location, even if the default is being used. The default location is |

Note: When selecting and using client-side certification, you must use Sun Java Plug-in 1.4.2 or later. Visit http://java.sun.com/ for more information.
Click Apply Changes.
Restart Web Cache.
Running a Forms application that uses an HTTPS port requires a certificate to be imported. If you access Web Cache through port 4443, you need to import the Web Cache certificate. If you access Oracle HTTP Server through port 4444, you need to import the Oracle HTTP Server certificate.
To import the Web Cache certificate:
Invoke Wallet Manager:
Windows: Invoke Wallet manager launch.exe
Solaris: owm
Open ORACLE_HOME\WebCache\wallets\default.
Enter welcome as the password.
Select Auto Login.
Select FOR TEST PURPOSES ONLY.
Choose [Operations]-[Export Trusted Certificate] and provide a name.
Open this file in a text editor, copy all of its contents, and append them to C:\Program Files\Oracle\JInitiator 1.3.1.21\lib\security\certdb.txt.
Run the Form Servlet as https://computer.mycompany.com:4443/forms/frmservlet.
Verify that the JInitiator log window shows the HTTPS protocol.
To import the Oracle HTTP Server Certificate:
Invoke Wallet manager:
Windows: Invoke Wallet manager launch.exe
Solaris: owm
Open ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default.
Enter welcome as the password.
Select Auto Login.
Select FOR TEST PURPOSES ONLY.
Choose [Operations]-[Export Trusted Certificate] and provide a name.
Open this file in a text editor, copy all of its contents, and append them to C:\Program Files\Oracle\JInitiator 1.3.1.21\lib\security\certdb.txt.
Run the Form Servlet as https://computer.mycompany.com:4444/forms/frmservlet.
Verify that the JInitiator log window displays the HTTPS protocol.
Running a Forms application that uses an HTTPS port requires a certificate to be imported. If a Forms server is behind a load balancing router, and SSL terminates at it, you need to import the certificate from the load balancing router.
Follow these steps to enable SSL with your Forms applications over a load balancing router:
Open the Security Alert dialog by opening https://mycomputer.us.oracle.com:443/forms/frmservlet in a Web browser.
Click View Certificate.
Click the Details tab in the Certificate dialog.
Click Copy to File...
In the Welcome page of the Certificate Export Wizard, click Next.
In the Export File Format page, select Base-64 encoded X.509 (.CER), then click Next.
Enter a file name such as c:\temp\forms, then click Next.
Click Finish.
A message appears saying that the export was successful.
Click OK.
Close the Certificate Export Wizard, but keep the Security Alert dialog open.
Open c:\temp\forms.cer in a text editor.
Copy the contents of the file into JInitiator's certdb.txt file in lib\security.
Save certdb.txt.
Reopen the Security Alert dialog and click Yes.
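
All three import procedures above end by pasting an exported Base-64 certificate into JInitiator's certdb.txt. The following Python sketch is an added example, not Oracle's code: it appends an export only when its SHA-256 fingerprint matches a value obtained out-of-band from the server administrator, and skips certificates already in the file. It assumes certdb.txt holds PEM blocks; the function names are hypothetical and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import binascii
import hashlib
import re

# Assumption: certdb.txt and the exported .cer file hold Base-64 (PEM) blocks.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 hex fingerprint of each decodable PEM certificate block in text."""
    prints = []
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # skip a corrupted block rather than trust it
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def append_trusted(certdb_text, export_text, expected_sha256):
    """Return (new_certdb_text, status); status is 'added',
    'already-present' or 'rejected'. Hypothetical helper, not an Oracle API."""
    expected = re.sub(r"[\s:]", "", expected_sha256).lower()
    found = pem_fingerprints(export_text)
    # Exactly one certificate, and it must be the one vouched for out-of-band.
    if len(found) != 1 or found[0] != expected:
        return certdb_text, "rejected"
    if expected in pem_fingerprints(certdb_text):
        return certdb_text, "already-present"
    sep = "" if not certdb_text or certdb_text.endswith("\n") else "\n"
    return certdb_text + sep + export_text.strip() + "\n", "added"

def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed placeholder bytes, not real certificates.
SAMPLE_DER_A = b"constructed placeholder A, not a real certificate"
SAMPLE_DER_B = b"constructed placeholder B, not a real certificate"
SAMPLE_CERTDB = make_pem(SAMPLE_DER_A)
SAMPLE_EXPORT = make_pem(SAMPLE_DER_B)

if __name__ == "__main__":
    good = hashlib.sha256(SAMPLE_DER_B).hexdigest()
    print(append_trusted(SAMPLE_CERTDB, SAMPLE_EXPORT, good)[1])
    print(append_trusted(SAMPLE_CERTDB, SAMPLE_EXPORT, "00" * 32)[1])
```

A mismatch leaves certdb.txt untouched, which matters most in the load balancing router procedure, where the certificate is taken from a browser Security Alert rather than from the server's own wallet.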