SSLandAPEXbasic r3 - 13 May 2007 - 19:38 - PeterLorenzen



Basic SSL

Secure Sockets Layer (SSL) can be used to encrypt communication between a browser and a Web server. Since the encryption happens between the Web server and the browser, it is transparent to APEX and no configuration is needed in APEX.

SSL uses Public-Private Key encryption where the Web server holds the private key and sends the public key to a client browser in a certificate. Normally you get your keys from a certificate authority (CA) like Verisign, but you can create your own keys if you want to. (Check OpenSSL.) Most CAs allow you to get test keys that are valid for a couple of weeks. I tried with keys from Verisign but could not get it working, but with Thawte it worked fine.

To get a server certificate you need to send a Certificate Signing Request (CSR) to the CA. When you make a CSR, a public-private key set is generated. The CSR sent to the CA contains the public key and some information about the person/organization that is requesting the certificate signing. The whole key thing is a bit complicated; for more information check this.
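What a CSR carries can be checked with the OpenSSL command line. This is an added example, not part of the original page (which uses Oracle Wallet Manager); the common name is the page's example host, while the `O=` value, the file names and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example: the CSR step done with OpenSSL instead of Wallet Manager.
# CN is the page's example host; O=, file names and rsa:2048 are assumptions.
CN="apex.corp.wmdata.net"
umask 077   # keep the private key file unreadable to other users

# Generate the key pair and the CSR together. server.key never leaves the
# server; server.csr is the text that gets pasted into the CA's form.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/O=Example Org/CN=$CN" 2>/dev/null
}

# The CSR is self-signed with the new private key, which proves to the CA
# that the requester holds the key matching the public key inside it.
csr_signature_ok() {
    openssl req -in "$1/server.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# The public key inside the CSR must equal the one derived from server.key.
csr_matches_key() {
    [ "$(openssl req -in "$1/server.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# Only public material is sent: the CSR holds no private key block.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1/server.csr"
}

# Subject (organization and common name) as the CA will see it.
csr_subject() {
    openssl req -in "$1/server.csr" -noout -subject
}

# Run all checks once in a throwaway directory and print the subject.
work=$(mktemp -d)
make_csr "$work" && csr_signature_ok "$work" && csr_matches_key "$work" \
    && csr_has_no_private_key "$work" && csr_subject "$work"
rm -rf "$work"
```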

To securely store CSRs, certificates and keys, Oracle uses a Wallet. (For this post I used Windows; if you are using Linux etc., check this post from AntonNielsen's blog.)

To create a Wallet you can use the Oracle Wallet Manager. To start the Wallet Manager:

Go to Start => Programs => (Your Oracle Home) => Integrated Management Tools => Wallet Manager.

Create a Wallet:

  1. In the menu choose Wallet and then New
  2. Input a Wallet password and keep Wallet type as Standard
  3. You will now be asked if you want to create a CSR. Press Yes
    1. Common name is your server name and domain. I am not sure if this has to match your real server and domain, it could just be for information in the certificate. But it might be a good idea to use the right names. For example apex.corp.wmdata.net
    2. The rest of the fields are not mandatory
    3. For Key Size I use 1024

Now you are ready to send your CSR to a CA. If you go to this Thawte page, you can copy and paste your CSR from the Wallet Manager. Then you will get your free trial certificate. Copy it to a file like server.crt. You can download the Test CA Root Certificates from the same page. You will get a Zip file with lots of certificates.

In the Wallet Manager right-click on your CSR and choose Import User Certificate. Import your server.crt file. Next you will get an error saying: User certificate import has failed because the CA certificate does not exist. Do you want to import CA certificate now? Press Yes and import this file:

...\Thawte Test Roots\Thawte Test Root.cer

from the Zip file. Now your certificate should have been imported and your CSR replaced by a certificate with status Ready.

Save the wallet somewhere via the menu. Check the wallet directory; there should now be one file: ewallet.p12.

Enable Auto Login via the Wallet menu and save again. Now there should be an extra file in the wallet: cwallet.sso. This is an encrypted version of the ewallet.p12 file. If you are using the ewallet.p12 file you need to provide a password every time it is used; with cwallet.sso you don't need this since it is encrypted. I assume that this is so you don't have to provide a password every time the Web server is restarted.

Now you are ready to configure the Oracle HTTP Server or the Oracle XML DB HTTP Server to use the Wallet.


Author: PeterLorenzen - 13 May 2007
