Solved

installing mod_ssl on Oracle9iAS with apache 1.3

Posted on 2014-07-23
Last Modified: 2014-08-05
Our Windows server is running Oracle8i, using Oracle9iAS with Apache 1.3 for Internet access (neither Oracle nor Apache can be upgraded). I'm trying to set up SSL on one of the virtual sites.

What I've done so far:
 - installed OpenSSL and used it to create a certificate request and private key.
 - I have received a valid certificate from a CA and placed all the certificates on the server as instructed by the CA
 - I've edited my httpd.conf file as best I can with info I've gathered from researching the Internet to allow for an SSL connection.

So far I've tried to get SSL working on Apache using mod_ossl, Oracle's version of the mod_ssl module (which I don't have on Apache 1.3). Everything I've read tells me Apache needs mod_ssl to make SSL work and I was hoping I could use the already installed mod_ossl from Oracle but I can't seem to get it working.

Does anyone know if it's possible to use a certificate created through OpenSSL with Oracle's mod_ossl? If not, how do I go about installing mod_ssl? I have already downloaded and expanded the mod_ssl tar file but not installed (build).

I've attached the SSL section of my httpd.conf file.
httpd-edited.txt
Question by:uomobello
7 Comments
 
LVL 61

Expert Comment

by:btan
You can probably take a look at this. There are two major steps needed to configure SSL in 9iAS:
   I.  Create an Oracle Wallet which contains an SSL Certificate
   II. Configure httpd.conf directives to enable SSL with OHS    

http://www.entrust.net/knowledge-base/technote.cfm?tn=6220

    * Common Name has to match the hostname.domainname that the webserver is
      known as. This is the Servername parameter in the httpd.conf file, and
      is the hostname.domainname that users will enter in the browser URL.

For the purposes of a basic SSL configuration, you should only need to
change the following directives:
        SSLWallet
        SSLWalletPassword
   - Change the SSLWallet directive to the path where you saved your wallet, i.e:
     SSLWallet file:/tmp/wallets

Note:
If you intend to have more than one Virtual Host using ssl
1. Each SSL Virtual Host must have a different port. There are no Named
   Based Virtual Hosts for SSL.
2. Each SSL Virtual Host must have a different wallet or must get a wildcard certificate
   "*.domain.com"

I believe you have seen this appendix, which describes the method of enabling SSL for Apache using OpenSSL. Do remember to restart Apache, and see below too ...

#Certificate Authority (CA):
#Set the CA certificate verification path where to find CA
#certificates for client authentication or alternatively one
#huge file containing all of this (file must be PEM encoded).
#Note: Inside SSLCACertificatePath you need hash symlinks
#to point to the certificate files. Use the provided
#Makefile to update the hash symlinks after changes.
#SSLCACertificateFile conf\ssl.crt\ca-bundle.crt
http://docs.oracle.com/cd/A95431_01/install/ssl.htm
 

Author Comment

by:uomobello
I tried using Oracle Wallet but the old version of Oracle I have creates a private key of only 1024 bits and the minimum these days is 2048. (cannot upgrade because management refuses to pay for it)

I have bypassed Oracle Wallet and created a certificate request within Apache using OpenSSL and have received a certificate from a CA. My question is can I use Oracle's module mod_ossl in Apache for SSL or must I install the Apache module mod_ssl? If it's the latter I need to know how to install mod_ssl - my old version of Apache (1.3) doesn't have it. (I cannot upgrade Apache because of the old version of Oracle).
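
The checks this thread keeps returning to (a key of at least 2048 bits, a Common Name that matches ServerName, a private key that belongs to the issued certificate), as an added example that is not part of any post on this page. It assumes a POSIX shell with the `openssl` command available; the file names, `www.example.com` and the self-signed sample material are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks on an
# OpenSSL-generated key and certificate. File names are assumptions.

# check_cert CERT KEY CONF: prints one line per check, returns 0 if all pass.
check_cert() {
    cert=$1; key=$2; conf=$3; rc=0
    # 1. RSA key size recorded in the certificate (2048-bit minimum).
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -ge 2048 ]; then echo "OK   key size: $bits bits"
    else echo "FAIL key size: ${bits:-unknown} bits"; rc=1; fi

    # 2. The private key must belong to the certificate (same RSA modulus).
    cm=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if [ -n "$cm" ] && [ "$cm" = "$km" ]; then echo "OK   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi

    # 3. Common Name must equal the ServerName of the SSL virtual host.
    #    Exact match only; wildcard certificates are not handled here.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p' | tr 'A-Z' 'a-z')
    sn=$(awk 'tolower($1) == "servername" { print tolower($2); exit }' "$conf")
    if [ -n "$cn" ] && [ "$cn" = "$sn" ]; then echo "OK   CN = ServerName ($cn)"
    else echo "FAIL CN '$cn' != ServerName '$sn'"; rc=1; fi

    return $rc
}

# make_sample DIR BITS CN: constructed, self-signed test material only.
make_sample() {
    rm -f "$1/server.key" "$1/server.crt"
    openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    printf 'ServerName www.example.com\nSSLEngine on\n' > "$1/vhost.conf"
}

# Demo: a 2048-bit pair passes; a 1024-bit pair (the old wallet size) fails.
demo() {
    d=$(mktemp -d) || return 1
    for size in 2048 1024; do
        make_sample "$d" "$size" www.example.com
        check_cert "$d/server.crt" "$d/server.key" "$d/vhost.conf" ||
            echo "=> $size-bit pair is not ready to deploy"
    done
    rm -rf "$d"
}
demo
```

Pass `check_cert` the configuration fragment for the SSL virtual host itself, since it compares against the first `ServerName` line it finds.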
 
LVL 61

Expert Comment

by:btan
Please see http://lpic2.unix.nl/ch09s02.html

mod_ssl is not a replacement for Apache-SSL - it is an alternative. It is a matter of personal choice which you use. mod_ssl is what is known as a “fork” - i.e., it was originally derived from Apache-SSL, but has been extensively redeveloped. Many people find it very easy to install.

To use mod_ssl you will need to acquire and install Apache, patch it with the latest updates, and install and configure the module. You will also need to acquire and install OpenSSL, generate a key-pair, and either sign the public part of it yourself, thus creating a certificate, or have it signed by a commercial Certificate Authority (CA).

The mod_ssl package consists of the SSL module itself - and, surprisingly, a set of patches for Apache itself. This may puzzle you at first: why do we need to patch Apache to install the mod_ssl module? Well, the standard API that Apache uses for its modules is unable to communicate with the SSL module. Therefore, the source patches add the Extended API (EAPI). In other words: you can only use the mod_ssl module when Apache's core code contains the Extended API. When building mod_ssl, the Apache source tree is automatically altered for you, adding the Extended API.

After installation of the software you will need to configure Apache with Apache-SSL. Some additional directives should be used to configure the secure server - for example the location of the key-files.

To Install SSL-aware Apache
http://docs.oracle.com/cd/E19528-01/819-4740/fxxut/index.html

Requirements for Using Apache Web Server
http://docs.oracle.com/cd/E19528-01/819-4740/fwboh/index.html
Generating a Certificate Signing Request (CSR) using Apache (with mod_ssl) & OpenSSL
http://www.networksolutions.com/support/csr-for-apache-with-mod-ssl-openssl/
 

Author Comment

by:uomobello
Ok, so it appears the mod_ossl module that comes with the Oracle application server 9iAS (which has Apache 1.3 built-in) makes Apache SSL-aware without using mod_ssl but I can't configure the Apache config file to make it work with the security request/certificate I already generated using OpenSSL.

My problem seems to be that I'm stuck with an old version of Apache that is tied to an old version of Oracle application server.

Thanks for trying.
 
LVL 61

Expert Comment

by:btan
The base Apache 1.3 Web server does not use SSL for browser connections (responding to https:// requests). An add-on module known as mod_ssl provides SSL support. The Oracle Access Manager plug-ins for base Apache servers are different from those for Apache with mod_ssl (also referred to as using EAPI).
e.g. Oracle Access Manager supports Apache with mod_ssl only.
e.g. No SSL-specific features of Oracle Access Manager operate with the version of Apache 1.3 known as Apache-SSL.

OpenSSL is needed by mod_ssl when building Apache to support SSL. OpenSSL should be part of the Apache server built with mod_ssl.

You can download the latest version of Apache 1.3 from the Apache Web site:
http://apache.org

The SSL plug-in mod_ssl is available from:
http://www.modssl.org

In order for the Apache Web server to support Oracle Access Manager plug-ins, the module mod-so must be compiled into the server binary. To compile Apache or Apache with mod_ssl with mod-so: Include the configuration option before compiling:
--enable-module=so
Ensure the configuration meets other Oracle Access Manager requirements and compile.

If you do not find a solution for your problem, log a service request
http://www.oracle.com/technology/deploy/security/index.html

More reference
Apache source code—http://www.apache.org/dist/httpd
Mod_SSL source code—http://www.modssl.org/source/
OpenSSL source code—http://www.openssl.org/source/
What is ApacheSSL—http://www.apache-ssl.org/#What_is_Apache-SSL
Compiling and Installing Apache 1.3—http://httpd.apache.org/docs/install.html
ApacheSSL build instructions for Win32—http://www.galatea.com/flashguides/apache-ssl-win32.xml
 

Author Comment

by:uomobello
The company I work for does not want to pay for an upgrade to our Oracle database. Neither have we been paying for Oracle support so I can't submit a service request.

I am stuck with this old version Oracle database (8i) and Oracle Application Server (9iAS) (web server) and therefore also stuck with the old version of Apache that came as part of 9iAS and DOES NOT have mod_ssl. This Apache uses an Oracle module called mod_ossl INSTEAD of mod_ssl for SSL connections.

Oracle 8i does NOT have Oracle Access Manager. I cannot reinstall another Apache web server that has open_ssl and mod_ssl and still use Oracle....at least I haven't found a way to do that.

Thank you for all the reference material but none of it relates to my particular situation.
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Pretty stuck then with no upgrade, but as the reference stated, you can install mod_ssl, which you asked about originally.

Nonetheless, mod_ossl is very similar to the OpenSSL module, mod_ssl. The mod_ossl module is based on the Oracle implementation of SSL, which supports SSL version 3 and TLS version 1, and is based on Certicom and RSA Security technology.
Oracle no longer supports mod_ssl. A tool is provided to enable you to migrate from mod_ssl to mod_ossl, and convert your text certificates to Oracle wallets.
Actually, even with an upgrade to Oracle Advanced Security 10i, it also does not support RSA greater than 1024 bits.
http://docs.oracle.com/cd/B14099_19/web.1012/b14009/ssl.htm
Coming back, the move from mod_ssl to mod_ossl is documented, with the changes as in the reference link: mainly, make the following global changes to the httpd.conf file, LoadModule directives, etc.
Please refer to http://docs.oracle.com/html/B14401_01/post_inst_task.htm
(Make Global Changes) (Modify the List of LoadModule Directives)(Migrate Your Server Certificate and Private Key)