

Setting up SSL on Oracle using Wallet Manager

Posted on 2006-07-06
Last Modified: 2013-12-03
We are using Windows Server 2003, Oracle, Apache

We are trying to set up SSL using VeriSign. Everything (in theory) is set up correctly. We have done everything technical support has suggested.

The site works well at www.oursite.com. However when we enter https://www.oursite.com then we get the message "This page can not be found"

When we go into Wallet Manager, and open the certificate then it says "Certificate: Ready"

I know I have not provided very much information. However I am at a loss as to what information to provide.

Can anyone help?


P.S. I have copied the SSL.conf file below in case it will help
P.P.S. I changed the Wallet Password and site address for privacy reasons

<IfDefine SSL>
    ##  SSL Global Context
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is an internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First either `none'
    #   or `dbm:/path/to/file' for the mechanism to use and
    #   second the expiring timeout (in seconds).
    #SSLSessionCache        none
    #SSLSessionCache        dbm:logs\ssl_scache
    #SSLSessionCache        shmht:logs\ssl_scache(512000)
    SSLSessionCache shmcb:logs\ssl_scache(512000)

    #   SessionCache Timeout:
    #   This directive sets the timeout in seconds for the information stored
    #   in the global/inter-process SSL Session Cache. It can be set as low as
    #   15 for testing, but should be set to higher values like 300 in real life.
    SSLSessionCacheTimeout 300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    SSLMutex sem

    #   Logging:
    #   The home of the dedicated SSL protocol logfile. Errors are
    #   additionally duplicated in the general error log file.  Put
    #   this somewhere where it cannot be used for symlink attacks on
    #   a real server (i.e. somewhere where only root can write).
    #   Log levels are (ascending order: higher ones include lower ones):
    #   none, error, warn, info, trace, debug.
    SSLLog logs\ssl_engine_log
    SSLLogLevel warn

    ##  SSL Virtual Host Context
    #   NOTE: this value should match the SSL Listen directive set previously in this
    #   file otherwise your virtual host will not respond to SSL requests.

    #   Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    <VirtualHost _default_:443>
        #   General setup for the virtual host
        DocumentRoot "D:\oracle_as\Apache\Apache\htdocs"
        ServerName www.oursite.com
        ServerAdmin you@your.address
        ErrorLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        TransferLog "|D:\oracle_as\Apache\Apache\bin\rotatelogs logs/ssl_log 43200"
        Port 443

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        #   Server Wallet:
        #   The server wallet contains the server's certificate, private key
        #   and trusted certificates. Set SSLWallet at the wallet directory
        #   using the syntax:  file:<path-to-wallet-directory>
        SSLWallet file:D:\oracle_as\Apache\Apache\ssl
        SSLWalletPassword oursitepassword

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath conf\ssl.crl
        #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional and require
        #SSLVerifyClient require

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `removed by gordontm'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o CompatEnvVars:
        #     This exports obsolete environment variables for backward compatibility
        #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
        #     to provide compatibility to existing CGI scripts.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
        <Files ~ "\.(cgi|shtml)$">
            SSLOptions +StdEnvVars
        </Files>
        #<Directory "D:\oracle_as\Apache\Apache\cgi-bin">
        <Directory  >
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog D:\oracle_as\Apache\Apache\logs\ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
</IfDefine>


Question by:gordontm

Expert Comment

ID: 17050283

Author Comment

ID: 17050340
Thank you, but no....

Expert Comment

ID: 17050525
Look into <apache home>/logs/error.log or ssl_log (if any) to see if there is any error message there.

Author Comment

ID: 17050659
Thank you actonwang for your comment:

When I try https://www.oursite.com then the log writes the following error

[Thu Jul 06 15:57:00 2006] [error] [client] [ecid: 1152194220:,0] Invalid method in request \\x80L\\x01\\x03

Does this help?

Expert Comment

ID: 17050804
>> Invalid method

Looks like it still tries to talk clear HTTP instead of HTTPS. The error happens when it interprets handshake information as HTTP text.

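To make that reading of the log line concrete, here is an added example (not from the thread, and not Oracle's or Apache's own code) that decodes the escaped bytes Apache logged as the "method" and reports what kind of handshake reached the plaintext listener. The sample log lines are constructed here; the first mirrors the one posted above, the other two are made up for contrast.

```python
import re

# Constructed sample lines in the format of the Oracle HTTP Server error log
# quoted in the thread: an SSLv2-format hello, a TLS-format hello, and an
# unrelated error that must be ignored.
SAMPLE_LOG = """\
[Thu Jul 06 15:57:00 2006] [error] [client] [ecid: 1152194220:,0] Invalid method in request \\x80L\\x01\\x03
[Thu Jul 06 15:58:10 2006] [error] [client] [ecid: 1152194281:,0] Invalid method in request \\x16\\x03\\x01
[Thu Jul 06 15:59:00 2006] [error] [client] [ecid: 1152194330:,0] File does not exist: D:/oracle_as/Apache/Apache/htdocs/favicon.ico
"""

LINE_RE = re.compile(r"Invalid method in request (?P<raw>\S+)")


def unescape(raw: str) -> bytes:
    """Turn the log's \\xNN escapes (single or doubled backslash) back into bytes."""
    raw = raw.replace("\\\\", "\\")
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw.startswith("\\x", i) and i + 4 <= len(raw):
            out.append(int(raw[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(raw[i]))
            i += 1
    return bytes(out)


def classify(head: bytes) -> str:
    """Say what kind of handshake a plaintext HTTP listener choked on."""
    if len(head) >= 3 and head[0] & 0x80 and head[2] == 0x01:
        # SSLv2 record: 2-byte header with the high bit set, low 15 bits are
        # the record length, followed by message type 1 = CLIENT-HELLO.
        length = ((head[0] & 0x7F) << 8) | head[1]
        return f"SSLv2-format ClientHello ({length}-byte record)"
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03:
        # TLS record: content type 22 = handshake, then protocol version 3.x.
        return f"TLS handshake record (version 3.{head[2]})"
    return "unrecognised binary request"


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (escaped bytes, diagnosis) for every 'Invalid method' line.

    Any hit means a TLS client reached a port that is speaking plain HTTP,
    i.e. SSLEngine is not in effect there, whatever the wallet status says.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            findings.append((m.group("raw"), classify(unescape(m.group("raw")))))
    return findings
```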
Author Comment

ID: 17050848
Thank you actonwang. I will pass this information to the person responsible for installing the SSL.

It may take a little time for me to get back to you as she is very busy.

Author Comment

ID: 17099370
Sorry for the delay... I have not forgotten... but the person responsible for installing SSL has not yet got back to me.

Author Comment

ID: 17117256
Hi actonwang

The bug has been fixed. It turns out the problem was that there is a configuration flag that is set to "disabled" by default for Oracle. When the flag was changed to "enabled" then the SSL worked.

Thank you very much for your efforts.

Accepted Solution

CetusMOD earned 0 total points
ID: 17582967
PAQed with points refunded (400)

Community Support Moderator
