Setting up SSL on Oracle using Wallet Manager

Posted on 2006-07-06
Last Modified: 2013-12-03
We are using Windows Server 2003, Oracle, Apache

We are trying to set up SSL using VeriSign. Everything (in theory) is set up correctly. We have done everything technical support has suggested.

The site works well at However when we enter then we get the message "This page can not be found"

When we go into Wallet Manager, and open the certificate then it says "Certificate: Ready"

I know I have not provided very much information. However I am at a loss as to what information to provide.

Can anyone help.


P.S. I have copied the SSL.conf file below in case it will help
P.P.S. I changed the Wallet Password and site address for privacy reasons

<IfDefine SSL>
    ##  SSL Global Context
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin
    #   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        dbm:logs\ssl_scache
#SSLSessionCache         shmht:logs\ssl_scache(512000)
    SSLSessionCache shmcb:logs\ssl_scache(512000)
    #  SessionCache Timeout:
#  This directive sets the timeout in seconds for the information stored
#  in the global/inter-process SSL Session Cache. It can be set as low as
#  15 for testing, but should be set to higher values like 300 in real life.
    SSLSessionCacheTimeout 300
    #   Semaphore:
#   Configure the path to the mutual explusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
    SSLMutex sem
    #   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
    SSLLog logs\ssl_engine_log
    SSLLogLevel warn
## SSL Virtual Host Context
# NOTE: this value should match the SSL Listen directive set previously in this
# file otherwise your virtual host will not respond to SSL requests.

#   Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    <VirtualHost _default_:443>
        #  General setup for the virtual host
        DocumentRoot "D:\oracle_as\Apache\Apache\htdocs"
        ServerAdmin you@your.address
        ErrorLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        TransferLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        Port 443
        #   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
        SSLEngine on
        #   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
        SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        #   Server Wallet:
#   The server wallet contains the server's certificate, private key
#   and trusted certificates. Set SSLWallet at the wallet directory
#   using the syntax:  file:<path-to-wallet-directory>
        SSLWallet file:D:\oracle_as\Apache\Apache\ssl
        SSLWalletPassword oursitepassword

        #   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf\ssl.crl
#SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional and require
#SSLVerifyClient require

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `removed by gordontm'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
        <Files ~ "\.(cgi|shtml)$">
            SSLOptions +StdEnvVars

        #<Directory "D:\oracle_as\Apache\Apache\cgi-bin">
        <Directory  >
            SSLOptions +StdEnvVars

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        #   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
        CustomLog D:\oracle_as\Apache\Apache\logs\ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


Question by:gordontm
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 14

Expert Comment

ID: 17050283

Author Comment

ID: 17050340
Thank you, but no....
LVL 19

Expert Comment

ID: 17050525
look into  <apache home>/logs/error.log or ssl_log (if any) to see if any error message there.
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now


Author Comment

ID: 17050659
Thank you actonwang for your comment:

When I try then the log writes the following error

[Thu Jul 06 15:57:00 2006] [error] [client] [ecid: 1152194220:,0] Invalid method in request \\x80L\\x01\\x03

Does this help?
LVL 19

Expert Comment

ID: 17050804
>> Invalid method

    looks like it still tries to talk to clear HTTP instead of HTTPS. error happes when it interprets handshake information as HTTP text.

Author Comment

ID: 17050848
Thank you actonwang. I will pass this information to the person responsible for installing the SSL.

It may take a little time for me to get back to you as she is very busy.

Author Comment

ID: 17099370
Sorry for the delay... have not forgotten... but the person responsible for installing SSL has not yet got back to me

Author Comment

ID: 17117256
Hi actonwang

The bug has been fixed. It turns out the problem was that there is a configuration flag that is set to "disabled" by default for Oracle. When the flag was changed to "enabled" then the SSL worked.

Thank you very much for your efforts.

Accepted Solution

CetusMOD earned 0 total points
ID: 17582967
PAQed with points refunded (400)

Community Support Moderator

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever had to make fundamental changes to a table in Oracle, but haven't been able to get any downtime?  I'm talking things like: * Dropping columns * Shrinking allocated space * Removing chained blocks and restoring the PCTFREE * Re-or…
Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
This video explains at a high level about the four available data types in Oracle and how dates can be manipulated by the user to get data into and out of the database.
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question