Setting up SSL on Oracle using Wallet Manager

We are using Windows Server 2003, Oracle, Apache

We are trying to set up SSL using VeriSign. Everything (in theory) is set up correctly. We have done everything technical support has suggested.

The site works well at www.oursite.com. However when we enter https://www.oursite.com then we get the message "This page can not be found"

When we go into Wallet Manager, and open the certificate then it says "Certificate: Ready"

I know I have not provided very much information. However I am at a loss as to what information to provide.

Can anyone help?

gordontm

P.S. I have copied the SSL.conf file below in case it will help
P.P.S. I changed the Wallet Password and site address for privacy reasons


<IfDefine SSL>
    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is an internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First either `none'
    #   or `dbm:/path/to/file' for the mechanism to use and
    #   second the expiring timeout (in seconds).
    #SSLSessionCache        none
    #SSLSessionCache        dbm:logs\ssl_scache
    #SSLSessionCache        shmht:logs\ssl_scache(512000)
    SSLSessionCache shmcb:logs\ssl_scache(512000)

    #   SessionCache Timeout:
    #   This directive sets the timeout in seconds for the information stored
    #   in the global/inter-process SSL Session Cache. It can be set as low as
    #   15 for testing, but should be set to higher values like 300 in real life.
    SSLSessionCacheTimeout 300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    SSLMutex sem

    #   Logging:
    #   The home of the dedicated SSL protocol logfile. Errors are
    #   additionally duplicated in the general error log file.  Put
    #   this somewhere where it cannot be used for symlink attacks on
    #   a real server (i.e. somewhere where only root can write).
    #   Log levels are (ascending order: higher ones include lower ones):
    #   none, error, warn, info, trace, debug.
    SSLLog logs\ssl_engine_log
    SSLLogLevel warn

    ##
    ##  SSL Virtual Host Context
    ##
    #
    #   NOTE: this value should match the SSL Listen directive set previously in this
    #   file otherwise your virtual host will not respond to SSL requests.
    #

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    <VirtualHost _default_:443>
        #   General setup for the virtual host
        DocumentRoot "D:\oracle_as\Apache\Apache\htdocs"
        ServerName www.oursite.com
        ServerAdmin you@your.address
        ErrorLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        TransferLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        Port 443

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        #   Server Wallet:
        #   The server wallet contains the server's certificate, private key
        #   and trusted certificates. Set SSLWallet at the wallet directory
        #   using the syntax:  file:<path-to-wallet-directory>
        SSLWallet file:D:\oracle_as\Apache\Apache\ssl
        SSLWalletPassword oursitepassword

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath conf\ssl.crl
        #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional and require
        #SSLVerifyClient require

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `removed by gordontm'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o CompatEnvVars:
        #     This exports obsolete environment variables for backward compatibility
        #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
        #     to provide compatibility to existing CGI scripts.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
        <Files ~ "\.(cgi|shtml)$">
            SSLOptions +StdEnvVars
        </Files>

        #<Directory "D:\oracle_as\Apache\Apache\cgi-bin">
        <Directory  >
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog D:\oracle_as\Apache\Apache\logs\ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

</IfDefine>




gordontm (Author) commented:
Thank you, but no....

actonwang commented:
Look into <apache home>/logs/error.log or ssl_log (if any) to see if there is any error message there.

gordontm (Author) commented:
Thank you actonwang for your comment:

When I try https://www.oursite.com then the log writes the following error

[Thu Jul 06 15:57:00 2006] [error] [client 199.203.123.185] [ecid: 1152194220:172.23.1.147:3104:2544:2028,0] Invalid method in request \\x80L\\x01\\x03


Does this help?

actonwang commented:
>> Invalid method

    Looks like it still tries to talk clear HTTP instead of HTTPS. The error happens when it interprets handshake information as HTTP text.
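The diagnosis actonwang gives can be checked mechanically from the log line itself. The script below is an added example, not code from this thread or from Oracle's tooling: it decodes the escaped request bytes that Apache writes into an "Invalid method in request" error line and classifies them. The bytes quoted above, \x80 L \x01 \x03, are the start of an SSLv2-compatible client hello: a two-byte record header with the high bit set (length 0x004C = 76), message type 1 (CLIENT-HELLO), then the major byte of the client's protocol version. A plain-HTTP listener reads that as a garbage request method, which is exactly the symptom in the thread. The sample log lines are constructed from the thread; the doubled backslashes are assumed to be how the post displays Apache's single-backslash escapes, and the decoder tolerates both forms. The guidance strings are this example's own defender-side interpretation, not text from the page.

```python
import re
from typing import Optional

# Classification labels for the first bytes a listener received.
SSLV2_HELLO = "sslv2-compatible-client-hello"
TLS_HELLO = "tls-record-client-hello"
HTTP_PLAIN = "plaintext-http"
UNKNOWN = "unknown"

# Defender-side reading of each classification (this example's own wording).
GUIDANCE = {
    SSLV2_HELLO: "TLS/SSL handshake bytes hit a listener speaking plain HTTP: "
                 "check that SSLEngine is on for the port the client used.",
    TLS_HELLO: "TLS handshake bytes hit a listener speaking plain HTTP: "
               "check that SSLEngine is on for the port the client used.",
    HTTP_PLAIN: "A normal request line; this would not cause 'Invalid method'.",
    UNKNOWN: "Neither a TLS hello nor an HTTP request line; inspect the raw bytes.",
}

# Apache prints non-printable request bytes as \xHH escapes; printable bytes appear literally.
_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
_HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/\d\.\d")
_LOG_RE = re.compile(r"Invalid method in request (.*?)\s*$")


def decode_apache_escapes(text: str) -> bytes:
    """Turn the escaped request text from an Apache error log back into raw bytes."""
    # Tolerate doubled backslashes as they appear when the line is copied into a forum post.
    text = text.replace("\\\\x", "\\x")
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)


def classify_request_start(data: bytes) -> str:
    """Decide whether the bytes look like a TLS handshake or a plain HTTP request line."""
    # SSLv2-compatible ClientHello: 2-byte record header with the high bit set
    # (the low 15 bits are the length), then message type 0x01 (CLIENT-HELLO),
    # then the client's highest protocol version (e.g. 0x03 0x01 for TLS 1.0).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return SSLV2_HELLO
    # TLS record layer: content type 0x16 (handshake), version 0x03 0xNN,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return TLS_HELLO
    if _HTTP_RE.match(data):
        return HTTP_PLAIN
    return UNKNOWN


def analyze_error_log_line(line: str) -> Optional[dict]:
    """Parse an 'Invalid method in request' line and report what actually hit the listener."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    raw = decode_apache_escapes(m.group(1))
    kind = classify_request_start(raw)
    result = {"kind": kind, "raw": raw, "guidance": GUIDANCE[kind]}
    if kind == SSLV2_HELLO:
        result["record_length"] = ((raw[0] & 0x7F) << 8) | raw[1]
    return result


# Constructed sample lines: the first is the one quoted in the thread, the others are made up.
SAMPLE_LINES = [
    r"[Thu Jul 06 15:57:00 2006] [error] [client 199.203.123.185] "
    r"[ecid: 1152194220:172.23.1.147:3104:2544:2028,0] Invalid method in request \\x80L\\x01\\x03",
    r"[Thu Jul 06 15:58:00 2006] [error] [client 199.203.123.185] "
    r"Invalid method in request \x16\x03\x01\x00\xc8\x01",
    r"[Thu Jul 06 15:59:00 2006] [error] [client 199.203.123.185] "
    r"Invalid method in request GET / HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = analyze_error_log_line(line)
        print(info["kind"], info.get("record_length", ""), "-", info["guidance"])
```

Running the script on the first sample line reports an SSLv2-compatible client hello with a record length of 76. The same classifier can be pointed at a live socket's first few bytes to tell a mis-bound listener from a genuinely malformed request, which is a cheaper first check than re-examining the wallet.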

gordontm (Author) commented:
Thank you actonwang. I will pass this information to the person responsible for installing the SSL.

It may take a little time for me to get back to you as she is very busy.

gordontm (Author) commented:
Sorry for the delay... have not forgotten... but the person responsible for installing SSL has not yet got back to me

gordontm (Author) commented:
Hi actonwang

The bug has been fixed. It turns out the problem was that there is a configuration flag that is set to "disabled" by default for Oracle. When the flag was changed to "enabled" then the SSL worked.

Thank you very much for your efforts.

CetusMOD commented:
PAQed with points refunded (400)

CetusMOD
Community Support Moderator