Setting up SSL on Oracle using Wallet Manager

Posted on 2006-07-06
Last Modified: 2013-12-03
We are using Windows Server 2003, Oracle, Apache

We are trying to set up SSL using VeriSign. Everything (in theory) is set up correctly. We have done everything technical support has suggested.

The site works well at However when we enter then we get the message "This page can not be found"

When we go into Wallet Manager, and open the certificate then it says "Certificate: Ready"

I know I have not provided very much information. However I am at a loss as to what information to provide.

Can anyone help?


P.S. I have copied the SSL.conf file below in case it will help
P.P.S. I changed the Wallet Password and site address for privacy reasons

<IfDefine SSL>
    ##  SSL Global Context
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin
    #   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        dbm:logs\ssl_scache
#SSLSessionCache         shmht:logs\ssl_scache(512000)
    SSLSessionCache shmcb:logs\ssl_scache(512000)
    #  SessionCache Timeout:
#  This directive sets the timeout in seconds for the information stored
#  in the global/inter-process SSL Session Cache. It can be set as low as
#  15 for testing, but should be set to higher values like 300 in real life.
    SSLSessionCacheTimeout 300
    #   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
    SSLMutex sem
    #   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
    SSLLog logs\ssl_engine_log
    SSLLogLevel warn
## SSL Virtual Host Context
# NOTE: this value should match the SSL Listen directive set previously in this
# file otherwise your virtual host will not respond to SSL requests.

#   Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    <VirtualHost _default_:443>
        #  General setup for the virtual host
        DocumentRoot "D:\oracle_as\Apache\Apache\htdocs"
        ServerAdmin you@your.address
        ErrorLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        TransferLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        Port 443
        #   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
        SSLEngine on
        #   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
        SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        #   Server Wallet:
#   The server wallet contains the server's certificate, private key
#   and trusted certificates. Set SSLWallet at the wallet directory
#   using the syntax:  file:<path-to-wallet-directory>
        SSLWallet file:D:\oracle_as\Apache\Apache\ssl
        SSLWalletPassword oursitepassword

        #   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf\ssl.crl
#SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional and require
#SSLVerifyClient require

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `removed by gordontm'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
        <Files ~ "\.(cgi|shtml)$">
            SSLOptions +StdEnvVars
        </Files>

        #<Directory "D:\oracle_as\Apache\Apache\cgi-bin">
        <Directory  >
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        #   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
        CustomLog D:\oracle_as\Apache\Apache\logs\ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
</IfDefine>


Question by:gordontm
LVL 14

Expert Comment

ID: 17050283

Author Comment

ID: 17050340
Thank you, but no....
LVL 19

Expert Comment

ID: 17050525
Look into <apache home>/logs/error.log or ssl_log (if any) to see if there is any error message there.

Author Comment

ID: 17050659
Thank you actonwang for your comment:

When I try then the log writes the following error

[Thu Jul 06 15:57:00 2006] [error] [client] [ecid: 1152194220:,0] Invalid method in request \\x80L\\x01\\x03

Does this help?
LVL 19

Expert Comment

ID: 17050804
>> Invalid method

    Looks like it still tries to talk to clear HTTP instead of HTTPS. The error happens when it interprets handshake information as HTTP text.
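
The diagnosis in the comment above can be checked mechanically. The following is an added example, not part of the original thread: it decodes the bytes Apache quotes after "Invalid method in request" and labels those that begin like an SSL/TLS handshake, which means a client spoke HTTPS to a listener that was answering in plain HTTP. The function names and all sample lines except the first are constructed for illustration.

```python
import re

# Request bytes Apache quotes after "Invalid method in request".
INVALID_METHOD = re.compile(r"Invalid method in request (.*)$")
# Bytes are logged as \xNN, or \\xNN when the text was escaped a second time.
HEX_ESCAPE = re.compile(r"\\{1,2}x([0-9a-fA-F]{2})")

# Constructed sample: line 1 is the entry from the thread, the rest are made up.
SAMPLE_LOG = [
    r"[Thu Jul 06 15:57:00 2006] [error] [client] [ecid: 1152194220:,0] Invalid method in request \\x80L\\x01\\x03",
    r"[Thu Jul 06 15:58:10 2006] [error] [client] Invalid method in request \x16\x03\x01",
    r"[Thu Jul 06 15:59:30 2006] [error] [client] Invalid method in request FOO / HTTP/1.0",
    r"[Thu Jul 06 16:00:00 2006] [error] [client] File does not exist: favicon.ico",
]


def logged_bytes(line):
    """Return the request bytes quoted in an 'Invalid method' line, else None."""
    match = INVALID_METHOD.search(line)
    if match is None:
        return None
    text = HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), match.group(1).strip())
    return text.encode("latin-1", errors="replace")


def classify(data):
    """Label bytes that look like the start of an SSL/TLS handshake."""
    if data is None or len(data) < 3:
        return "other"
    # SSLv2-format record: high bit set on the 2-byte length, message type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # TLS record: content type 0x16 (handshake), protocol major version 3.
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    return "other"


def scan(lines):
    """Return (line number, label) for each handshake hitting a plain-HTTP listener."""
    hits = []
    for number, line in enumerate(lines, 1):
        label = classify(logged_bytes(line))
        if label != "other":
            hits.append((number, label))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the thread's log entry as an SSLv2-format ClientHello: `\x80L` is a two-byte record header giving a length of 76, and `\x01` is the ClientHello message type.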

Author Comment

ID: 17050848
Thank you actonwang. I will pass this information to the person responsible for installing the SSL.

It may take a little time for me to get back to you as she is very busy.

Author Comment

ID: 17099370
Sorry for the delay... have not forgotten... but the person responsible for installing SSL has not yet got back to me

Author Comment

ID: 17117256
Hi actonwang

The bug has been fixed. It turns out the problem was that there is a configuration flag that is set to "disabled" by default for Oracle. When the flag was changed to "enabled" then the SSL worked.

Thank you very much for your efforts.

Accepted Solution

CetusMOD earned 0 total points
ID: 17582967
PAQed with points refunded (400)

Community Support Moderator
