In this first step you generate a request for ipsCA to issue
a certificate. It involves generating a public/private key-pair and identifying
the server, the organization using it, and its webmaster. The private key is
encrypted and should never leave your server, except for backup purposes.
The public key will become part of the certificate and is therefore sent to
ipsCA, together with the rest of the information identifying your organization
and your server.
To generate a certificate request, you will run the
interactive utility genreq and enter the information for which it prompts you.
When the prompt specifies a default value, you can just press
return to enter that value, or enter a different value if you prefer.
For an example of how to use genreq, see the following sample genreq session. Before you start, create a directory to store all SSL-related files in, for example $ORACLE_HOME/ows2/ssl. To avoid typing long path names or moving files later, you can start genreq from this directory.
To run genreq, do the following:
- Start genreq, located in $ORACLE_HOME\OWS20\BIN on NT (typically c:\orant\ows20\bin) and in $ORACLE_HOME/ows2/bin on UNIX.
- Type G to begin creating a certificate request.
- When prompted, type a password (minimum of 8 characters); it is used to encrypt your private key. Remember this password.
- Retype the password for confirmation. If the passwords do not match, genreq will not warn you; it will just repeat step 3.
- Choose the public exponent you want to use in generating the key pair. The only two recognized exponents are 3 and 65537, commonly called Fermat 4 or F4.
- Enter the size in bits of the modulus you want to use in generating the key pair. For the version of genreq sold in the United States of America, the size may be from 1 to 1024. The default size is 768 bits and the maximum is 1024 bits. A modulus size of 1024 is recommended for most browsers and also by ipsCA. For versions of genreq sold outside the USA, the maximum (and default) modulus size is 512 bits. (NOTE: 1024 bits corresponds to 128-bit encryption.)
- Choose one of three methods for generating a random seed to use in generating the key pair:
  - Random file: genreq prompts you to enter the full pathname of a file in your local file system. This can be any file that is at least 256 bytes in size, does not contain any secret information, and has contents that cannot easily be guessed (on UNIX, you can use /var/adm/messages; on NT, you can use \WINNT\System32\config\AppEvent.Evt).
  - Random key sequences: genreq prompts you to enter random keystrokes. genreq uses the variation in time between keystrokes to generate the seed. Don't use the keyboard's autorepeat capability, and don't wait longer than two seconds between keystrokes. genreq prompts you when you have typed enough keystrokes. You must delete any unused characters typed after this prompt.
  - Both: genreq prompts you to enter both a file name and random keystrokes. This option is recommended.
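As an added example (not genreq's own code, which is not shown on this page), the following Python script reproduces the three choices the prompts above cover: a public exponent of 3 or 65537 (F4), a modulus size capped at 1024 bits, and a "random file" seed source checked against the rules given for it. It shows why the exponent choice matters during key generation: e must be coprime to (p-1)(q-1), so with e = 3 any candidate prime p with p % 3 == 1 has to be rejected. The key is drawn from the operating system's random source; the password-protected storage of the private key that genreq performs is not shown, and the entropy threshold used for the seed-file check is this example's own heuristic, not a genreq rule.

```python
"""RSA key-pair generation with the parameters genreq prompts for (added example)."""
import math
import random
from collections import Counter

ALLOWED_EXPONENTS = (3, 65537)   # the two exponents genreq recognises; 65537 is "F4"
MAX_MODULUS_BITS = 1024          # limit for the US version, per the text above
MIN_SEED_BYTES = 256             # minimum size of a "random file" seed, per the text

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rng=None, rounds: int = 40) -> bool:
    """Miller-Rabin test; a composite slips through with probability < 4**-rounds."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for p in _SMALL_PRIMES:            # trial division removes most candidates cheaply
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:                  # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False               # witness found: n is composite
    return True


def random_prime(bits: int, e: int, rng) -> int:
    """Random prime of exactly `bits` bits with gcd(e, p - 1) == 1.

    That condition is what makes e invertible modulo phi(n); for e = 3 it
    rejects every prime p with p % 3 == 1.
    """
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if math.gcd(e, cand - 1) == 1 and is_probable_prime(cand, rng):
            return cand


def generate_keypair(modulus_bits: int = 768, e: int = 65537, rng=None) -> dict:
    """Generate an RSA key pair subject to genreq's exponent and size limits."""
    if e not in ALLOWED_EXPONENTS:
        raise ValueError(f"public exponent must be one of {ALLOWED_EXPONENTS}")
    if not 16 <= modulus_bits <= MAX_MODULUS_BITS:   # 16 is this example's floor, not genreq's
        raise ValueError(f"modulus size must be between 16 and {MAX_MODULUS_BITS} bits")
    rng = rng or random.SystemRandom()               # OS entropy source, never a seeded PRNG
    p_bits = modulus_bits // 2
    q_bits = modulus_bits - p_bits
    while True:
        p = random_prime(p_bits, e, rng)
        q = random_prime(q_bits, e, rng)
        n = p * q
        if p != q and n.bit_length() == modulus_bits:  # the product can fall one bit short
            break
    d = pow(e, -1, (p - 1) * (q - 1))                # private exponent (Python 3.8+)
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def seed_file_usable(data: bytes, min_entropy_bits: float = 3.0) -> bool:
    """Apply the text's rules for a 'random file': at least 256 bytes and contents
    that cannot easily be guessed. Guessability is approximated here by Shannon
    entropy per byte; the 3.0 threshold is a heuristic of this example."""
    if len(data) < MIN_SEED_BYTES:
        return False
    total = len(data)
    entropy = -sum(c / total * math.log2(c / total) for c in Counter(data).values())
    return entropy >= min_entropy_bits


if __name__ == "__main__":
    key = generate_keypair(modulus_bits=512, e=3)
    print("modulus bits:", key["n"].bit_length(), "p mod 3:", key["p"] % 3, "q mod 3:", key["q"] % 3)
    print("all-zero seed usable:", seed_file_usable(b"\x00" * 300))
```

Run it with `e=3` and both primes come out with a remainder of 2 modulo 3, which is the reason the prompt only offers 3 and 65537: both are primes, so the coprimality condition reduces to a single residue check on each candidate. The seed check rejects a file of constant bytes even when it is large enough, which is the "cannot easily be guessed" rule stated above.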
The next three steps will tell
genreq where it should write certain files. If you've created an ssl directory
and have started genreq from this directory, you can accept the defaults.
Otherwise, you may want to include full pathnames, or plan to move the files
that genreq created later.
- Enter the name of a file in which to store your WebServer's
distinguished name. You can choose the default, or enter any filename with a .der
extension. genreq creates this file in the current directory, though you may
later move it to any convenient location.
- Enter the name of a file in which to store your WebServer's
private key. You can choose the default, or enter any filename with a .der
extension. genreq creates this file in the current directory, though you may
later move it to any convenient location.
- Enter the name of a file in which to store the certificate
request. You can choose the default, or enter any filename with a .pkc
extension.
- Enter the requested identification information for your organization:
Common Name - The fully qualified host name of your organization's Internet point of presence as defined by the Domain Name Service (DNS).
Example: govt.us.oracle.com
Organizational Unit (optional) - The name of the group, division, or other unit of your organization responsible for your Internet presence, or an informal or shortened name for your organization.
Example: Oracle Government
Organization - The official, legal name of your company or organization. Most CAs require you to verify this name by providing official documents, such as a business license.
Example: Oracle Corporation
Locality (optional) - The city, principality, or country where your organization is located.
Example: Bethesda
State or Province - The full name of the state or province where your organization is located. ipsCA does not accept abbreviations.
Example: Maryland
Country - The two-character ISO-format abbreviation for the country where your organization is located. The country code for the United States is US.
Example: US
WebMaster's Name - The name of the Web Master responsible for the site. This person will serve as a technical contact.
Example: Sergio Leunissen
WebMaster's Email Address - The email address where ipsCA can contact the Web Master.
Server Software Version - The name and version number of the application for which you are getting the certificate (you should accept the default value).
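Because the CA rejects requests whose fields break the rules above (an abbreviated state, a lower-case or three-letter country code, a bare machine name instead of a DNS host name), it is worth checking the values before typing them into the interactive prompt. The following Python check is an added example, not part of genreq or ipsCA's process: it applies those rules and renders the result as an RFC 4514 distinguished-name string so the request can be eyeballed. The sample values are the examples from the text, with a placeholder e-mail address.

```python
"""Pre-check of the identification fields genreq prompts for (added example)."""
import re

# Host name per the DNS label rules: 1-63 chars per label, no leading/trailing hyphen,
# and at least two labels so that a bare machine name is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # coarse shape check only

# (input key, X.500 attribute type) in the order the DN is rendered
DN_ORDER = (("common_name", "CN"), ("organizational_unit", "OU"), ("organization", "O"),
            ("locality", "L"), ("state", "ST"), ("country", "C"))


def validate_request_identity(fields: dict) -> list:
    """Return a list of problems; an empty list means the values meet the rules above."""
    problems = []
    if not HOSTNAME_RE.match(fields.get("common_name", "")):
        problems.append("Common Name must be the fully qualified DNS host name")
    if not fields.get("organization", "").strip():
        problems.append("Organization (the legal name) is required")
    state = fields.get("state", "").strip()
    if not state:
        problems.append("State or Province is required")
    elif re.fullmatch(r"[A-Za-z]{1,3}\.?", state):      # "MD", "Md." and the like
        problems.append("State or Province must be spelled out; ipsCA does not accept abbreviations")
    if not re.fullmatch(r"[A-Z]{2}", fields.get("country", "")):   # shape only, not the ISO list
        problems.append("Country must be the two-letter ISO code in upper case, e.g. US")
    if not fields.get("webmaster_name", "").strip():
        problems.append("WebMaster's Name is required")
    if not EMAIL_RE.match(fields.get("webmaster_email", "")):
        problems.append("WebMaster's Email Address does not look like an e-mail address")
    return problems


def rfc4514_escape(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an attribute value."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def distinguished_name(fields: dict) -> str:
    """Render the DN as an RFC 4514 string, skipping optional fields left empty."""
    return ",".join(f"{attr}={rfc4514_escape(fields[key])}"
                    for key, attr in DN_ORDER if fields.get(key))


# Constructed sample using the example values from the text; the e-mail is a placeholder.
SAMPLE = {
    "common_name": "govt.us.oracle.com", "organizational_unit": "Oracle Government",
    "organization": "Oracle Corporation", "locality": "Bethesda", "state": "Maryland",
    "country": "US", "webmaster_name": "Sergio Leunissen",
    "webmaster_email": "webmaster@example.com",
}

if __name__ == "__main__":
    print(validate_request_identity(SAMPLE))
    print(distinguished_name(SAMPLE))
```

The country check only tests the shape of the value (two upper-case letters); confirming that the code is an assigned ISO 3166 code is left to the CA, since the script carries no country table.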
Installing an SSL123 Certificate on an Oracle Web Application Server
1. Delete ALL text that appears before -----BEGIN CERTIFICATE----- in the e-mail containing your certificate, so that the file contains only the certificate. After you delete the extra text, save the file as plain TEXT in your temporary directory with the filename "mycert.der".
2. To configure the OAS 4.0.8 listener with your SSL files, go to the OAS 4.0.8 Node Manager page (usually on port 8888) and click "OAS Manager".
3. Wait for the Java applet menu to load, then expand Website40 Site -> HTTP listener - WWW -> Security -> SSL.
4. Fill in the first ROW of data:
a. Cert Label - mycert
b. Cert File - Enter the path and name of the certificate you received. For example: C:\SSL\mycert.der
c. Dist Name File - Enter the path and name of servname.der. For example: C:\SSL\servname.der
d. Private Key File - Enter the path and name of privkey.der. For example: C:\SSL\privkey.der
e. CA Dir - Enter a temporary path. This is not used, but you must supply a valid path. For example: C:\tmp
f. CRL Dir - Enter a temporary path. This is not used, but you must supply a valid path. For example: C:\tmp
Click "Apply" to save changes.
5. To configure the Network section for the WWW listener, go to HTTP listener -> WWW -> Network.
Add a new ROW of information:
a. Address - Use the same information as the DEFAULT ROW. For example: ANY.
b. Port - Type 443 here; 443 is the SSL port by DEFAULT.
c. Security - Pick SSL from the pull-down menu.
d. Host Name - Use the same information as the DEFAULT ROW.
e. Base Directory - Use the same information as the DEFAULT ROW.
f. Log Info Directory - Use the same information as the DEFAULT ROW.
g. Authentication - Use the same information as the DEFAULT ROW (NONE).
h. Certificate Label - Type "mycert". This is the same label you entered as Cert Label in step 4 above; this entry maps the Network row to the SSL row from step 4.
Click "Apply" to save changes.
6. Now you are ready to recycle OAS for the changes to take effect. Go to Website40 Site (the first icon in your Java applet menu). Click the "Select All" radio button, then click the (Reload) button in the toolbar. This will properly shut down and restart all OAS processes in the right order.
If everything starts successfully, try to access your secure page. SSL runs over the HTTPS protocol; the URL format may look like:
Try to access that page in your browser. You should get a browser warning stating that you are entering a SECURE site. Just click OK. The secure page should come up.
If you get errors while trying to start the WWW listener after making these changes, check your NT Event Log or the svwww.err file. Both logs will point out what is going wrong. Common mistakes in SSL configuration include misspelled filenames and wrong directory structures, and certificate files damaged by copy/pasting. The log files tend to give very specific information for debugging in these cases.
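Two of the mistakes just listed, leftover e-mail text in the certificate file and a base64 body damaged by copy/pasting, can be caught before the listener is recycled. The Python script below is an added example, not Oracle's or ipsCA's code: it performs step 1 mechanically (keeps only the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and re-wraps it) and then checks every value of the SSL row from step 4: the certificate file decodes to a complete DER SEQUENCE, the distinguished-name and private-key files exist and are not empty, and the CA and CRL directories are real directories. The e-mail text is constructed, and its base64 body is a five-byte stand-in for a certificate rather than a real one.

```python
"""Clean-up and pre-flight checks for the OAS SSL row (added example)."""
import base64
import os
import re
import tempfile

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for the e-mail from the CA. The base64 body decodes to a
# five-byte DER SEQUENCE, not a real certificate; it only exercises the checks.
SAMPLE_MAIL = """From: certificate desk <placeholder@example.invalid>
Subject: Your SSL123 certificate

Dear customer, your certificate follows.

-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----

Regards
"""


def extract_pem_certificate(mail_text: str) -> str:
    """Return only the PEM block: drops everything before BEGIN and after END and
    re-wraps the base64 body at 64 columns, undoing mail-client line wrapping."""
    start = mail_text.find(BEGIN)
    end = mail_text.find(END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    body = mail_text[start + len(BEGIN):end]
    body = re.sub(r"[^A-Za-z0-9+/=]", "", body)        # keep only base64 characters
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body strictly; raises ValueError on a corrupted paste."""
    body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def der_declared_length(data: bytes) -> int:
    """Total length (header plus content) claimed by the outer DER header, or -1."""
    if len(data) < 2 or data[0] != 0x30:               # a certificate is a DER SEQUENCE
        return -1
    first = data[1]
    if first < 0x80:                                   # short-form length
        return 2 + first
    n = first & 0x7F                                   # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """True when the outer SEQUENCE length matches the data, i.e. nothing was truncated."""
    return der_declared_length(data) == len(data)


def check_ssl_row(row: dict) -> list:
    """Check the values of the SSL row before recycling OAS; returns a list of problems."""
    problems = []
    cert = row["cert_file"]
    if not os.path.isfile(cert):
        problems.append(f"cert_file: {cert} not found (check spelling and directory)")
    else:
        with open(cert, encoding="ascii", errors="replace") as fh:
            text = fh.read()
        if not text.startswith(BEGIN):
            problems.append("cert_file: text before -----BEGIN CERTIFICATE----- was not deleted")
        try:
            if not looks_like_der(pem_to_der(text)):
                problems.append("cert_file: decoded bytes are not a complete DER SEQUENCE")
        except (ValueError, IndexError) as exc:
            problems.append(f"cert_file: PEM body is damaged ({exc})")
    for key in ("dist_name_file", "private_key_file"):   # written by genreq; presence only
        if not os.path.isfile(row[key]) or os.path.getsize(row[key]) == 0:
            problems.append(f"{key}: {row[key]} is missing or empty")
    for key in ("ca_dir", "crl_dir"):                    # unused by OAS but must be valid paths
        if not os.path.isdir(row[key]):
            problems.append(f"{key}: {row[key]} is not an existing directory")
    return problems


def run_demo() -> tuple:
    """Build a throw-away SSL directory; check it before and after the clean-up step."""
    with tempfile.TemporaryDirectory() as ssl_dir:
        cert_path = os.path.join(ssl_dir, "mycert.der")
        for name in ("servname.der", "privkey.der"):       # placeholders for genreq's output
            with open(os.path.join(ssl_dir, name), "wb") as fh:
                fh.write(b"placeholder")
        tmp_dir = os.path.join(ssl_dir, "tmp")
        os.mkdir(tmp_dir)
        row = {"cert_file": cert_path,
               "dist_name_file": os.path.join(ssl_dir, "servname.der"),
               "private_key_file": os.path.join(ssl_dir, "privkey.der"),
               "ca_dir": tmp_dir, "crl_dir": tmp_dir}
        with open(cert_path, "w") as fh:                   # the mistake: whole e-mail saved
            fh.write(SAMPLE_MAIL)
        before = check_ssl_row(row)
        with open(cert_path, "w") as fh:                   # step 1 done properly
            fh.write(extract_pem_certificate(SAMPLE_MAIL))
        after = check_ssl_row(row)
    return before, after


if __name__ == "__main__":
    for label, problems in zip(("before clean-up", "after clean-up"), run_demo()):
        print(label, problems)
```

The DER check is deliberately shallow: it only confirms that the outer SEQUENCE header accounts for every decoded byte, which is enough to detect a truncated or wrapped paste without parsing X.509. Run `check_ssl_row` against the real paths from step 4 and fix anything it reports before clicking Reload; the listener log will then have far less to complain about.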