Go Premium for a chance to win a PS4. Enter to Win


installing mod_ssl on Oracle9iAS with apache 1.3

Posted on 2014-07-23
Medium Priority
Last Modified: 2014-08-05
Our Windows server is running Oracle8i, using Oracle9iAS with Apache 1.3 for Internet access (neither oracle or apache can be upgraded). I'm trying to set up SSL on one of the virtual sites.

What I've done so far:
 - installed OpenSSL and used it to create a certificate request and private key.
 - I have received a valid certificate from a CA and placed all the certificates on the server as instructed by the CA
 - I've edited my httpd.conf file as best I can with info I've gathered from researching the Internet to allow for a SSL connection.

So far I've tried to get SSL working on Apache using mod_ossl, Oracle's version of the mod_ssl module (which I don't have on Apache 1.3). Everything I've read tells me Apache needs mod_ssl to make SSL work and I was hoping I could use the already installed mod_ossl from Oracle but I can't seem to get it working.

Does anyone know if it's possible to use a certificate created through OpenSSL with Oracle's mod_ossl? If not, how do I go about installing mod_ssl? I have already downloaded and expanded the mod_ssl tar file but not installed (build).

I've attached the SSL section of my httpd.conf file.
Question by:uomobello
  • 4
  • 3
LVL 65

Expert Comment

ID: 40217030
you probably can take a look at this - There are two major steps needed to configure SSL in 9iAS:
   I.  Create an Oracle Wallet which contains an SSL Certificate
   II. Configure httpd.conf directives to enable SSL with OHS    


    * Common Name has to match the hostname.domainname that the webserver is
      known as. This is the Servername parameter in the httpd.conf file, and
      is the hostname.domainname that users will enter in the browser URL.

For the purposes of a basic SSL configuration, you should only need to
change the following directives:
   - Change the SSLWallet directive to the path where you saved your wallet, i.e:
     SSLWallet file:/tmp/wallets

If you intend to have more than one Virtual Host using ssl
1. Each SSL Virtual Host must have a different port. There are no Named
   Based Virtual Hosts for SSL.
2. Each SSL Virtual Host must have a different wallet or must get a wildcard certificate

I believe you have saw this appendix describes the method of enabling SSL for Apache using Openssl, do remember to restart Apache and below too ...

#Certificate Authority (CA):
#Set the CA certificate verification path where to find CA
#certificates for client authentication or alternatively one
#huge file containing all of this (file must be PEM encoded).
#Note: Inside SSLCACertificatePath you beed hash symlinks
#to point to the certificate files. Use the provided
#Makefile to update the hash symlinks after changes.
#SSLCACertificateFile conf\ssl.crt\ca-bundle.crt

Author Comment

ID: 40217250
I tried using Oracle Wallet but the old version of Oracle I have creates a private key of only 1024 bits and the minimum these days is 2048. (cannot upgrade because management refuses to pay for it)

I have bypassed Oracle Wallet and created a certificate request within Apache using OpenSSL and have received a certificate from a CA. My question is can I use Oracle's module mod_ossl in Apache for SSL or must I install the Apache module mod_ssl? If it's the latter I need to know how to install mod_ssl - my old version of Apache (1.3) doesn't have it. (I cannot upgrade Apache because of the old version of Oracle).
LVL 65

Expert Comment

ID: 40218409
Pls see http://lpic2.unix.nl/ch09s02.html

mod_ssl is not a replacement for Apache-SSL - it is an alternative. It is a matter of personal choice which you use. mod_ssl is what is known as a “fork” - i.e., it was originally derived from Apache-SSL, but has been extensively redeveloped. Many people find it very easy to install.

To use mod_ssl you will need to acquire and install Apache, patch it with the latest updates, and install and configure the module. You will also need to acquire and install OpenSSL, generate a key-pair, and either sign the public part of it yourself, thus creating a certificate, or have it signed by a commercial Certificate Authority (CA).

The mod_ssl package consists of the SSL module itself - and, surprisingly, a set of patches for Apache itself. This may puzzle you at first: why do we need to patch Apache to install the mod_ssl module? Well, the standard API that Apache uses for it's modules is unable to communicate with the SSL module. Therefore, the source patches add the Extended API (EAPI). In other words: you can only use the mod_ssl module when Apache's core code contains the Extended API. When building mod_ssl, the Apache source tree is automatically altered for you, adding the Extended API.

After installation of the software you will need to configure Apache with Apache-SSL. Some additional directives should be used to configure the secure server - for example the location of the key-files.

To Install SSL-aware Apache

Requirements for Using Apache Web Server
Generating a Certificate Signing Request (CSR) using Apache (with mod_ssl) & OpenSSL
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.


Author Comment

ID: 40230160
Ok, so it appears the mod_ossl module that comes with the Oracle application server 9iAS (which has Apache 1.3 built-in) makes Apache SSL-aware without using mod_ssl but I can't configure the Apache config file to make it work with the security request/certificate I already generated using OpenSSL.

My problem seems to be that I'm stuck with an old version of Apache that is tied to an old version of Oracle application server.

Thanks for trying.
LVL 65

Expert Comment

ID: 40230773
The base Apache 1.3 Web server does not use SSL for browser connections (responding to https:// requests). An add-on module for SSL support known as mod_ssl. The Oracle Access Manager plug-ins for base Apache servers are different from those for Apache with mod_ssl (also referred to as using EAPI).
e.g. Oracle Access Manager supports Apache with mod_ssl only.
e.g. No SSL-specific features of Oracle Access Manager operate with the version of Apache 1.3 known as Apache-SSL.

Openssl is needed by mod_ssl when building Apache to support SSL. Openssl should be part of the Apache server built with mod_ssl.

You can download the latest version of Apache 1.3 from the Apache Web site:

The SSL plug-in mod_ssl is available from:

In order for the Apache Web server to support Oracle Access Manager plug-ins, the module mod-so must be compiled into the server binary. To compile Apache or Apache with mod_ssl with mod-so: Include the configuration option before compiling:
Ensure the configuration meets other Oracle Access Manager requirements and compile.

If you do not find a solution for your problem, log a service request

More reference
Apache source code—http://www.apache.org/dist/httpd
Mod_SSL source code—http://www.modssl.org/source/
OpenSSL source code—http://www.openssl.org/source/
What is ApacheSSL—http://www.apache-ssl.org/#What_is_Apache-SSL
Compiling and Installing Apache 1.3—http://httpd.apache.org/docs/install.html
ApacheSSL build instructions for Win32—http://www.galatea.com/flashguides/apache-ssl-win32.xml

Author Comment

ID: 40235267
The company I work for does not want to pay for an upgrade to our Oracle database. Neither have we been paying for Oracle support so I can't submit a service request.

I am stuck with this old version Oracle database (8i) and Oracle Application Server (9iAS) (web server) and therefore also stuck with the old version of Apache that came as part of 9iAS and DOES NOT have mod_ssl. This Apache uses an Oracle module called mod_ossl INSTEAD of mod_ssl for SSL connections.

Oracle 8i does NOT have Oracle Access Manager. I cannot reinstall another Apache web server that has open_ssl and mod_ssl and still use Oracle....at least I haven't found a way to do that.

Thank you for all the reference material but none of it relates to my particular situation.
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40235492
. pretty stuck then for no upgrade but then as the ref stated you can install mod_ssl which you have asked originally.

Nonetheless, mod_ossl is very similar to the OpenSSL module, mod_ssl. The mod_ossl module is based on the Oracle implementation of SSL, which supports SSL version 3 and TLS version 1, and is based on Certicom and RSA Security technology.
Oracle no longer supports mod_ssl. A tool is provided to enable you to migrate from mod_ssl to mod_ossl, and convert your text certificates to Oracle wallets.
Actually even with upgrade to Oracle Advanced Security 10i, it also does not support greater than 1024bits RSA
coming back, from mod_ssl to mod_ossl is documented with changes as in the reference link - mainly make the following global changes to the httpd.conf file and LoadModule directives etc.
Pls ref http://docs.oracle.com/html/B14401_01/post_inst_task.htm
(Make Global Changes) (Modify the List of LoadModule Directives)(Migrate Your Server Certificate and Private Key)

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
From implementing a password expiration date, to datatype conversions and file export options, these are some useful settings I've found in Jasper Server.
This video shows how to Export data from an Oracle database using the Original Export Utility.  The corresponding Import utility, which works the same way is referenced, but not demonstrated.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question