Solved

Setting up SSL on Oracle using Wallet Manager

Posted on 2006-07-06
Last Modified: 2013-12-03
We are using Windows Server 2003, Oracle, Apache

We are trying to set up SSL using VeriSign. Everything (in theory) is set up correctly. We have done everything technical support has suggested.

The site works well at www.oursite.com. However when we enter https://www.oursite.com then we get the message "This page can not be found"

When we go into Wallet Manager, and open the certificate then it says "Certificate: Ready"

I know I have not provided very much information. However I am at a loss as to what information to provide.

Can anyone help?

gordontm

P.S. I have copied the SSL.conf file below in case it will help
P.P.S. I changed the Wallet Password and site address for privacy reasons


<IfDefine SSL>
    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is an internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First either `none'
    #   or `dbm:/path/to/file' for the mechanism to use and
    #   second the expiring timeout (in seconds).
    #SSLSessionCache        none
    #SSLSessionCache        dbm:logs\ssl_scache
    #SSLSessionCache        shmht:logs\ssl_scache(512000)
    SSLSessionCache shmcb:logs\ssl_scache(512000)

    #   SessionCache Timeout:
    #   This directive sets the timeout in seconds for the information stored
    #   in the global/inter-process SSL Session Cache. It can be set as low as
    #   15 for testing, but should be set to higher values like 300 in real life.
    SSLSessionCacheTimeout 300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    SSLMutex sem

    #   Logging:
    #   The home of the dedicated SSL protocol logfile. Errors are
    #   additionally duplicated in the general error log file.  Put
    #   this somewhere where it cannot be used for symlink attacks on
    #   a real server (i.e. somewhere where only root can write).
    #   Log levels are (ascending order: higher ones include lower ones):
    #   none, error, warn, info, trace, debug.
    SSLLog logs\ssl_engine_log
    SSLLogLevel warn

    ##
    ##  SSL Virtual Host Context
    ##
    #
    #   NOTE: this value should match the SSL Listen directive set previously in this
    #   file otherwise your virtual host will not respond to SSL requests.
    #

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    <VirtualHost _default_:443>
        #   General setup for the virtual host
        DocumentRoot "D:\oracle_as\Apache\Apache\htdocs"
        ServerName www.oursite.com
        ServerAdmin you@your.address
        ErrorLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        TransferLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        Port 443

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        #   Server Wallet:
        #   The server wallet contains the server's certificate, private key
        #   and trusted certificates. Set SSLWallet at the wallet directory
        #   using the syntax:  file:<path-to-wallet-directory>
        SSLWallet file:D:\oracle_as\Apache\Apache\ssl
        SSLWalletPassword oursitepassword

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath conf\ssl.crl
        #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional and require
        #SSLVerifyClient require

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `removed by gordontm'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o CompatEnvVars:
        #     This exports obsolete environment variables for backward compatibility
        #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
        #     to provide compatibility to existing CGI scripts.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
        <Files ~ "\.(cgi|shtml)$">
            SSLOptions +StdEnvVars
        </Files>

        #<Directory "D:\oracle_as\Apache\Apache\cgi-bin">
        <Directory "D:\oracle_as\Apache\Apache\cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog D:\oracle_as\Apache\Apache\logs\ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

</IfDefine>




Question by:gordontm
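One thing worth noticing in the posted SSL.conf is that every directive, including SSLEngine on, sits inside <IfDefine SSL>, so none of it takes effect unless the server process is started with the SSL define; if httpd.conf still carries Listen 443, the port answers but speaks plain HTTP. The script below is an added example, not code from the thread or from Oracle: it parses a constructed config modelled on the posted one and reports that condition, plus the other points a reviewer would raise on this file (no Listen 443 in the file, the +LOW:+SSLv2:+EXP cipher string, and the wallet password stored in cleartext). The finding codes and the `defines` parameter are my own naming.

```python
import re

# Constructed sample modelled on the SSL.conf posted above; the path and
# password are the poster's placeholders, not real values.
SAMPLE_CONF = r"""
<IfDefine SSL>
    SSLSessionCache shmcb:logs\ssl_scache(512000)
    <VirtualHost _default_:443>
        ServerName www.oursite.com
        Port 443
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLWallet file:D:\oracle_as\Apache\Apache\ssl
        SSLWalletPassword oursitepassword
    </VirtualHost>
</IfDefine>
"""

# Cipher-string tokens that should never be explicitly enabled.
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "SSLv2", "NULL", "ADH"}


def parse_directives(text):
    """Yield (name, value, context) for every active directive.

    context is the tuple of enclosing container tags, e.g.
    ('IfDefine SSL', 'VirtualHost _default_:443').  Comment and blank
    lines are skipped, so commented-out directives never count.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = re.match(r"^</\s*(\w+)\s*>$", line)
        if close:
            if stack and stack[-1].split()[0].lower() == close.group(1).lower():
                stack.pop()
            continue
        open_ = re.match(r"^<\s*(\w+)\s*(.*?)\s*>$", line)
        if open_:
            stack.append((open_.group(1) + " " + open_.group(2)).strip())
            continue
        parts = re.split(r"\s+", line, 1)
        value = parts[1] if len(parts) > 1 else ""
        yield parts[0], value, tuple(stack)


def lint_ssl_conf(text, defines=()):
    """Return a sorted list of finding codes for the config text.

    defines: the -D symbols the server is started with.  An <IfDefine SSL>
    block is dead configuration unless 'SSL' is among them.
    """
    findings = set()
    ssl_engine_on_443 = False
    listen_443 = False
    for name, value, ctx in parse_directives(text):
        lname = name.lower()
        in_ifdefine_ssl = any(c.lower() == "ifdefine ssl" for c in ctx)
        in_vhost_443 = any(c.lower().startswith("virtualhost") and c.endswith(":443")
                           for c in ctx)
        if lname == "listen" and re.search(r"(^|:)443$", value):
            listen_443 = True
        if lname == "sslengine" and value.lower() == "on":
            if in_vhost_443:
                ssl_engine_on_443 = True
            if in_ifdefine_ssl and "SSL" not in defines:
                # SSLEngine on never runs: port 443 would serve plaintext HTTP
                findings.add("SSLENGINE_DEAD_IFDEFINE")
        if lname == "sslciphersuite":
            enabled = {t.lstrip("+") for t in value.split(":")
                       if not t.startswith(("!", "-"))}
            if enabled & WEAK_CIPHER_TOKENS:
                findings.add("WEAK_CIPHERS")
        if lname == "sslwalletpassword":
            findings.add("CLEARTEXT_WALLET_PASSWORD")
    if not ssl_engine_on_443:
        findings.add("NO_SSLENGINE_ON_443")
    if not listen_443:
        # The file's own comment says the vhost port must match a Listen.
        findings.add("NO_LISTEN_443")
    return sorted(findings)


if __name__ == "__main__":
    for code in lint_ssl_conf(SAMPLE_CONF):
        print(code)
```

Run it with `defines=("SSL",)` to see the dead-block finding disappear; the remaining findings on the posted file are what a defender would still want fixed once HTTPS works, in particular the cipher string that explicitly enables export and SSLv2 suites.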
10 Comments
 
Expert Comment by:sathyagiri
ID: 17050283
 
Author Comment by:gordontm
ID: 17050340
Thank you, but no....

Expert Comment by:actonwang
ID: 17050525
Look into <apache home>/logs/error.log or ssl_log (if any) to see if there is any error message there.

Author Comment by:gordontm
ID: 17050659
Thank you actonwang for your comment:

When I try https://www.oursite.com then the log writes the following error

[Thu Jul 06 15:57:00 2006] [error] [client 199.203.123.185] [ecid: 1152194220:172.23.1.147:3104:2544:2028,0] Invalid method in request \\x80L\\x01\\x03


Does this help?

Expert Comment by:actonwang
ID: 17050804
>> Invalid method

Looks like it still tries to talk clear HTTP instead of HTTPS. The error happens when it interprets handshake information as HTTP text.
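The bytes in the logged request, \x80 L \x01 \x03, are 80 4C 01 03: an SSLv2-format record header (high bit set, length 0x4C = 76), message type 1 (CLIENT-HELLO) and version major 3, which is the SSLv2-compatible hello that browsers of that era sent to start a TLS handshake. Apache only logs "Invalid method in request" when it reads the connection as HTTP, so this is the handshake landing on a plaintext listener, as actonwang says. The script below is an added example, not from the thread: it decodes the escaped request text from such error-log lines and classifies what the client actually sent, so the symptom can be recognised from logs alone. The first sample line is the one quoted above; the other two are constructed.

```python
import re

# Sample error-log lines: the first is the one quoted in the thread (both
# backslash styles are handled, since the quoted line doubles them); the
# TLS-record and malformed-HTTP lines are constructed.
SAMPLE_LOG = r"""
[Thu Jul 06 15:57:00 2006] [error] [client 199.203.123.185] [ecid: 1152194220:172.23.1.147:3104:2544:2028,0] Invalid method in request \\x80L\\x01\\x03
[Thu Jul 06 16:02:11 2006] [error] [client 10.0.0.5] Invalid method in request \x16\x03\x01\x00\x8a\x01\x00
[Thu Jul 06 16:05:42 2006] [error] [client 10.0.0.6] Invalid method in request FOO / HTTP/1.0
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\]"
    r"(?: \[ecid: [^\]]+\])? Invalid method in request (?P<req>.*)$"
)
ESC_RE = re.compile(r"\\\\?x([0-9A-Fa-f]{2})")  # matches \xHH or \\xHH


def unescape_request(s):
    """Turn Apache's escaped request text back into the raw bytes the
    server read from the socket (only \\xHH escapes are needed here)."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def classify_request(data):
    """Identify what the client actually sent to the plaintext listener."""
    # TLS record layer: content type 0x16 (handshake), version major 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record", {"version": (data[1], data[2])}
    # SSLv2-format record: high bit set on the first length byte, then
    # message type 1 (CLIENT-HELLO) and the offered version.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        info = {"record_len": ((data[0] & 0x7F) << 8) | data[1]}
        if len(data) >= 4:
            info["version_major"] = data[3]
        return "sslv2-client-hello", info
    # Otherwise treat an all-caps leading token as a (bad) HTTP method.
    token = data.split(b" ", 1)[0].decode("latin-1", "replace")
    if token.isupper() and token.isalpha():
        return "plaintext-http", {"method": token}
    return "unknown", {}


def triage(log_text):
    """Return one record per 'Invalid method in request' line."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, info = classify_request(unescape_request(m.group("req")))
        results.append({"client": m.group("client"), "kind": kind, **info})
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

If the output for port 443 shows handshake records (either kind) rather than malformed HTTP, the fix is on the server side (SSL not engaged on that listener), not in the client or the certificate; a "Certificate: Ready" status in Wallet Manager says nothing about whether Apache is actually using the wallet.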
 
Author Comment by:gordontm
ID: 17050848
Thank you actonwang. I will pass this information to the person responsible for installing the SSL.

It may take a little time for me to get back to you as she is very busy.

Author Comment by:gordontm
ID: 17099370
Sorry for the delay... have not forgotten... but the person responsible for installing SSL has not yet got back to me

Author Comment by:gordontm
ID: 17117256
Hi actonwang

The bug has been fixed. It turns out the problem was that there is a configuration flag that is set to "disabled" by default for Oracle. When the flag was changed to "enabled" then the SSL worked.

Thank you very much for your efforts.

Accepted Solution by: CetusMOD earned 0 total points
ID: 17582967
PAQed with points refunded (400)

CetusMOD
Community Support Moderator