Wednesday, January 7, 2015

Oracle Apps R12: How To Renew SSL Certificate on Apps Tier in 5 minutes




1.      Set Your Environment
·         Logon to the application middle tier as the OS user who owns the middle tier files.
·         Source your middle tier environment file.
·         Change to $INST_TOP/ora/10.1.3 and source the .env file there, so that ORACLE_HOME and PATH point at the 10.1.3 Oracle Home.

Note:- When working with wallets and certificates you MUST use the 10.1.3 executables (ssl2ossl and orapki from the 10.1.3 home, not the 10.1.2 ones).

2.      Set Variables and Create a Staging Directory
export SYSTEM=ajiebs
export SSLDIR=/u01/app/applmgr${SYSTEM}/ssl_renew
export SSLENV=ajiebs.lab.com
mkdir -p $SSLDIR
chmod 700 $SSLDIR

SSLENV must be the host name in the certificate's CN (or SAN), because the file names below are built from it. The staging directory is created with mode 700 because the private key is about to be copied into it.

3.      Copy the new server certificate, its private key and the CA chain (issuing CA up to the root, PEM format) to the $SSLDIR directory, e.g.
-rw-r--r--  1 applmgr oinstall 4198 Jul 26 10:30 chain.cer
-rw-r--r--  1 applmgr oinstall 1794 Jul 26 10:30 ajiebs.lab.com.cer
-rw-r--r--  1 applmgr oinstall  887 Jul 26 10:30 ajiebs.lab.com.key

The private key must not be world-readable as it is in this listing: set it to mode 600 (owner read/write only) before going on.

4.      Create the wallet
cd $SSLDIR

$ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert ${SSLENV}.cer -key ${SSLENV}.key -cafile ./chain.cer -wallet . -ssowallet yes

This writes ewallet.p12 (the password-protected wallet) and, because of -ssowallet yes, cwallet.sso, the auto-login copy that Apache opens without a password. Anyone who can read cwallet.sso has the server's private key, which is why the directory holding it must stay at mode 700.

5.      Check the contents of the wallet, e.g.
orapki wallet display -wallet $SSLDIR

Requested Certificates:
Subject:        CN=ajiebs.lab.com,OU=Information Technology,O=Lab Inc.,L=Bangalore,ST=India,C=IN
User Certificates:
Trusted Certificates:
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        CN=ajiebs.lab.com,OU=Information Technology,O=Lab Inc., L=Bangalore,ST=India,C=IN
Subject:        CN=Lab Inc. Enterprise Issuing CA1,O=Lab Inc.
Subject:        CN=Lab Inc. Enterprise CA,O=Lab Inc.

What to look for: the server certificate must be listed under User Certificates, which is the section for certificates the wallet holds the private key for. Requested Certificates holds pending certificate requests and Trusted Certificates holds trust anchors only. If User Certificates is empty and the server certificate shows up only under Requested or Trusted, as in the listing above, the key was not paired with the certificate and Apache will not be able to serve it; recheck that the .key file really belongs to the .cer file before replacing the live wallet.

6.      Determine the current Apache wallet directory and install the new wallet
·         It is the value of s_web_ssl_directory in the context file with Apache appended; by default $INST_TOP/certs/Apache. Check the context file rather than assuming the default.
·         Move the existing wallet directory aside under a dated name (keep it, it is your rollback) and put the new wallet in its place.
·         In this example the live wallet directory is the ssl directory next to $SSLDIR:

cd $SSLDIR/../
mv ssl ssl_bak_`date +%Y`
mv ssl_renew ssl

Some features of XML Publisher and BI Publisher require the server certificate to be present in the JDK cacerts file, so that is updated next.

7.      Back up the existing cacerts file.
cp $OA_JRE_TOP/lib/security/cacerts $OA_JRE_TOP/lib/security/cacerts.bak.`date +%Y`

8.      Add the new server certificate to cacerts. The staging directory was renamed to ssl in step 6, so the certificate is now under ./ssl; the alias only has to be unique within the keystore:
chmod u+w $OA_JRE_TOP/lib/security/cacerts

keytool -importcert -keystore $OA_JRE_TOP/lib/security/cacerts -alias ${SSLENV}.`date +%Y` -file ./ssl/${SSLENV}.cer -v

9.      When prompted enter the keystore password (Java's default for cacerts is changeit unless it was changed on this install). If you also import the issuing CA certificates, a future renewal from the same CA needs no cacerts change.
10.  Restart the Apache web tier ($ADMIN_SCRIPTS_HOME/adapcctl.sh stop, then start).
11.  Restart the oacore and forms OC4J instances ($ADMIN_SCRIPTS_HOME/adoacorectl.sh and adformsctl.sh) so that they pick up the updated cacerts, then confirm from a client (for example openssl s_client -connect host:port -showcerts) that the new certificate and its full chain are being served.
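The whole procedure with the checks a practitioner would want before anything live is replaced, as an added bash example that is not part of the original post. Function names (key_perms_ok, preflight, user_cert_listed, renew) are mine; the tools, paths and variables ($SSLDIR, $SSLENV, $ORACLE_HOME, $OA_JRE_TOP, $ADMIN_SCRIPTS_HOME) are the ones the post uses, and the live wallet directory is passed in explicitly rather than assumed to be a sibling of $SSLDIR. It verifies the staged files with openssl (key mode, key/certificate pairing, chain, expiry), confirms that the new wallet lists the server certificate under User Certificates, and only then swaps directories, updates cacerts and restarts the services, keeping dated backups.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes the post's layout:
# $SSLDIR holds <host>.cer, <host>.key and chain.cer, $SSLENV is the host
# name in the certificate CN, and the Oracle 10.1.3 environment is sourced.
# Function names (key_perms_ok, preflight, user_cert_listed, renew) are mine.

# 0 only if the group/other permission bits are all cleared (e.g. 0600).
# ls -l is used instead of stat because stat's flags differ on GNU and BSD.
key_perms_ok() {
    local perms
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 if the private key's public half equals the certificate's public key.
# Comparing public keys rather than RSA moduli also covers EC keys.
cert_key_match() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the server certificate verifies against the CA bundle (chain.cer).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid $2 days from now.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Check the staged files in $1 for host $2; any failure aborts the renewal.
preflight() {
    local dir=$1 host=$2
    local cert=$dir/$host.cer key=$dir/$host.key chain=$dir/chain.cer
    key_perms_ok "$key"           || { echo "FAIL: $key is readable by group/other, chmod 600 it" >&2; return 1; }
    cert_key_match "$cert" "$key" || { echo "FAIL: $key does not belong to $cert" >&2; return 1; }
    chain_ok "$cert" "$chain"     || { echo "FAIL: $cert does not verify against $chain" >&2; return 1; }
    not_expiring "$cert" 30       || { echo "FAIL: $cert expires within 30 days" >&2; return 1; }
}

# Read `orapki wallet display` output on stdin; 0 only if a certificate with
# CN=$1 is listed under "User Certificates:", i.e. paired with the private key.
# A server certificate that appears only under Requested or Trusted was not.
user_cert_listed() {
    awk -v cn="CN=$1," '
        /^User Certificates:/      { in_user = 1; next }
        /^[A-Za-z ]*Certificates:/ { in_user = 0 }
        in_user && index($0, cn)   { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The renewal: $1 = staging dir ($SSLDIR), $2 = host ($SSLENV), $3 = the live
# wallet directory (s_web_ssl_directory + Apache, by default
# $INST_TOP/certs/Apache). Nothing live is touched until the checks pass.
renew() {
    local dir=$1 host=$2 live=$3 stamp cacerts
    stamp=$(date +%Y-%m-%d)
    cacerts=$OA_JRE_TOP/lib/security/cacerts
    preflight "$dir" "$host" || return 1
    (cd "$dir" && "$ORACLE_HOME/Apache/Apache/bin/ssl2ossl" \
        -cert "$host.cer" -key "$host.key" -cafile ./chain.cer \
        -wallet . -ssowallet yes) || return 1
    orapki wallet display -wallet "$dir" | user_cert_listed "$host" ||
        { echo "FAIL: $host is not under User Certificates in the new wallet" >&2; return 1; }
    mv "$live" "${live}_bak_$stamp" && mv "$dir" "$live" || return 1
    cp "$cacerts" "$cacerts.bak.$stamp" && chmod u+w "$cacerts" || return 1
    # -noprompt skips the "Trust this certificate?" question (the chain was
    # already verified above); keytool still prompts for the keystore password.
    keytool -importcert -noprompt -keystore "$cacerts" -alias "$host.$stamp" \
        -file "$live/$host.cer" || return 1
    for s in adapcctl.sh adoacorectl.sh adformsctl.sh; do
        "$ADMIN_SCRIPTS_HOME/$s" stop && "$ADMIN_SCRIPTS_HOME/$s" start || return 1
    done
}

# Usage: renew "$SSLDIR" "$SSLENV" "$INST_TOP/certs/Apache"
```

The key/certificate pairing check is the one that would have caught the empty User Certificates section in step 5 before the wallet was built, and user_cert_listed catches it afterwards; run against the post's own orapki listing it fails, because the server certificate there is under Requested and Trusted only.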


HAPPY LEARNING!