Using LetsEncrypt Certs with Oracle E-Business Suite
Enabling TLS/SSL is the first step in securing Oracle E-Business Suite, especially if you have internet-facing DMZ nodes. TLS is what lets Oracle EBS serve https URLs. LetsEncrypt makes this process easy. Let's Encrypt is a certificate authority that provides FREE X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the complex manual work of creating, validating, signing, installing, and renewing certificates for secure websites.
Understanding the ACME Protocol and Validation Methods
LetsEncrypt uses the ACME protocol to validate domain control and issue the certificate. There are numerous open-source tools that implement the ACME protocol to obtain LetsEncrypt certs. The protocol offers two methods to verify that you control the domain.
URL-Based Validation
The first method is URL validation. The tool creates an encrypted challenge file on the web host that is signed by your private key. The LetsEncrypt server fetches this URL to confirm that you control the domain and then issues a certificate, which is normally valid for only 90 days. You can renew this certificate at any time during the last 30 days before expiry. URL-based validation is most useful for Oracle E-Business Suite installations that have a DMZ implementation with internet-facing modules like iRec, iSupplier, etc. Because the DMZ URL is reachable from the internet, the ACME client tool can complete the URL verification without any extra steps.
DNS-Based Validation
The second method of verification is DNS-based. Instead of fetching a URL, the LetsEncrypt server looks for a specific TXT DNS record carrying an encrypted message signed by the requester's private key. This process is not as streamlined as the URL validation method, but it is useful when requesting a cert for a domain that has no internet-facing hosts. Since most Oracle E-Business Suite servers are not exposed to the internet, DNS-based validation is the most useful method for them.
Implementing DNS Validation with acme.sh
The tool I used is acme.sh. This tool has a manual DNS validation mode: it waits for your DNS admin to create a TXT record with the required name and value, and then lets LetsEncrypt verify the record.
Step 1: Initial Registration and Token Generation
The first run registers our account and tells us which TXT record to create.
[oracle@apps letsencrypt]$ acme.sh --issue --dns -d ebs.r12dba.com
[Thu Mar 8 23:11:26 EST 2018] Registering account
[Thu Mar 8 23:11:27 EST 2018] Registered
[Thu Mar 8 23:11:27 EST 2018] ACCOUNT_THUMBPRINT='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Thu Mar 8 23:11:27 EST 2018] Creating domain key
[Thu Mar 8 23:11:27 EST 2018] The domain key is here: /home/oracle/.acme.sh/ebs.r12dba.com/ebs.r12dba.com.key
[Thu Mar 8 23:11:27 EST 2018] Single domain='ebs.r12dba.com'
[Thu Mar 8 23:11:27 EST 2018] Getting domain auth token for each domain
[Thu Mar 8 23:11:27 EST 2018] Getting webroot for domain='ebs.r12dba.com'
[Thu Mar 8 23:11:27 EST 2018] Getting new-authz for domain='ebs.r12dba.com'
[Thu Mar 8 23:11:27 EST 2018] The new-authz request is ok.
[Thu Mar 8 23:11:28 EST 2018] Add the following TXT record:
[Thu Mar 8 23:11:28 EST 2018] Domain: '_acme-challenge.ebs.r12dba.com'
[Thu Mar 8 23:11:28 EST 2018] TXT value: 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
Step 2: DNS Record Verification
The second step is to have the network admin create a TXT DNS record named _acme-challenge.hostname with the value printed above. Verify that the record exists with the required value using dig:
[oracle@apps letsencrypt]$ dig txt _acme-challenge.ebs.r12dba.com
;; ANSWER SECTION:
_acme-challenge.ebs.r12dba.com. 120 IN TXT "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
Step 3: Certificate Issuance
Rerun the acme.sh tool to generate the certs:
[oracle@apps letsencrypt]$ acme.sh --renew -d ebs.r12dba.com
[Thu Mar 8 23:15:15 EST 2018] Renew: 'ebs.r12dba.com'
[Thu Mar 8 23:15:19 EST 2018] Success
[Thu Mar 8 23:15:20 EST 2018] Cert success.
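Steps 2 and 3 are where the manual DNS flow usually stalls: the renew run is started before the TXT record is visible to resolvers, and LetsEncrypt fails the challenge. The script below is an added example (it is not from the original post and not part of acme.sh); it parses "dig txt" output the way a human would in step 2, polls until the record carries the expected value, and only then reruns the post's "acme.sh --renew" command. It assumes dig and acme.sh are on the PATH, and the embedded dig output is a constructed sample in the shape shown above with a placeholder value.

```shell
#!/bin/sh
# Added example, not from the original post: wait for the _acme-challenge TXT
# record to be visible, then rerun acme.sh --renew (step 3 of the post).
set -u

# txt_record_present VALUE   (output of "dig txt NAME" on stdin)
# Returns 0 if an ANSWER line of type TXT carries exactly VALUE.
# ACME challenge values are short, so a single quoted string is expected;
# TXT records longer than 255 bytes would be split into several strings.
txt_record_present() {
    awk -v want="$1" '
        /^;/ { next }                    # skip dig comment and question lines
        NF >= 5 && $4 == "TXT" {         # fields: name ttl class type "value"
            val = $0
            sub(/^[^"]*"/, "", val)      # drop everything up to the first quote
            sub(/".*$/, "", val)         # drop the closing quote and the rest
            if (val == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# wait_for_txt NAME VALUE [ATTEMPTS] [SLEEP_SECONDS]
# Polls the local resolver until the record matches or attempts run out.
wait_for_txt() {
    name="$1"; value="$2"; attempts="${3:-20}"; pause="${4:-30}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        if dig txt "$name" | txt_record_present "$value"; then
            echo "TXT record for $name is live (attempt $i)"
            return 0
        fi
        echo "TXT record for $name not visible yet, retry in ${pause}s ($i/$attempts)"
        sleep "$pause"
        i=$((i + 1))
    done
    echo "gave up waiting for $name" >&2
    return 1
}

# main DOMAIN TXT_VALUE : step 2 check, then the post's step 3 command.
main() {
    domain="$1"; value="$2"
    wait_for_txt "_acme-challenge.$domain" "$value" || exit 1
    acme.sh --renew -d "$domain"
}

# Constructed sample (placeholder value) in the shape of the dig output shown
# in the post, used to exercise the parser when no arguments are given.
SAMPLE_TXT_VALUE='yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
SAMPLE_DIG_OUTPUT="; <<>> DiG 9.11.4 <<>> txt _acme-challenge.ebs.r12dba.com
;; QUESTION SECTION:
;_acme-challenge.ebs.r12dba.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.ebs.r12dba.com. 120 IN TXT \"$SAMPLE_TXT_VALUE\""

if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | txt_record_present "$SAMPLE_TXT_VALUE"; then
    echo "sample dig output: TXT record matches the expected value"
fi

# Usage: sh wait_then_renew.sh ebs.r12dba.com 'yyyy...'   (value from step 1)
if [ "$#" -ge 2 ]; then
    main "$1" "$2"
fi
```

Run it with the domain and the TXT value acme.sh printed in step 1; without arguments it only exercises the parser on the sample. Because the check compares the whole value and ignores the question section, a stale record from a previous issuance (same name, old value) is correctly reported as not ready.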
Converting Certificates for Oracle Wallet
The ACME client tool creates several files: domain.key (private key), domain.cer (server certificate), ca.cer (LetsEncrypt root cert), and fullchain.cer (server and root certs). To use these files with Oracle E-Business Suite, we have to convert them to PKCS#12 format.
Creating the PKCS#12 Bundle
Use the commands below to convert the files to the Oracle EBS compatible p12 format:
[oracle@apps ebs.r12dba.com]$ openssl pkcs12 -export -out ebs.r12dba.com.p12 -inkey ebs.r12dba.com.key -in ebs.r12dba.com.cer -certfile ca.cer
[oracle@apps ebs.r12dba.com]$ cp ebs.r12dba.com.p12 ewallet.p12
Initializing the Auto-Login Wallet
Use the Oracle orapki tool to display and create the auto-login wallet.
[oracle@apps ebs.r12dba.com]$ $FMW_HOME/oracle_common/bin/orapki wallet display -wallet .
[oracle@apps ebs.r12dba.com]$ $FMW_HOME/oracle_common/bin/orapki wallet create -wallet . -auto_login
Troubleshooting OPMN and Apache Crashes
One issue I noticed is that opmn and Apache both crashed on the first attempt to use this wallet. This is caused by the LetsEncrypt root CAs not yet being included in the keystores used by the Java JDK and JRE.
Resolving the "DST Root CA X3" Dependency
To get around this, we need to download the "DST Root CA X3" root cert and include it in the oracle wallet. This is explained in Doc ID 2317291.1.
Adding the Trusted Root Certificate
Download the cert and add it to the wallet:
[oracle@apps ebs.r12dba.com]$ $FMW_HOME/oracle_common/bin/orapki wallet add -wallet . -trusted_cert -cert ca2.cer
[oracle@apps ebs.r12dba.com]$ $FMW_HOME/oracle_common/bin/orapki wallet display -wallet .
Trusted Certificates:
Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
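The crash described above is cheap to catch before restarting anything: the wallet must list both the issuing CA and the "DST Root CA X3" root as trusted certificates. The script below is an added example (not from the original post and not an Oracle tool); it chains the post's openssl and orapki commands and then refuses to report success unless "orapki wallet display" lists both subjects. It assumes the file names used in the post (ebs.r12dba.com.key/.cer, ca.cer, ca2.cer for the downloaded root) and an orapki under $FMW_HOME; the embedded display output is a constructed sample copied in shape from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the wallet with the post's
# commands and verify the trust chain before opmn/Apache are restarted.
set -u

# Subjects exactly as printed by orapki in the post.
INTERMEDIATE_DN="CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
ROOT_DN="CN=DST Root CA X3,O=Digital Signature Trust Co."

# pem_cert_count FILE : number of PEM certificate blocks in FILE. A chain
# file with a single block cannot contain both the intermediate and the root.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# wallet_has_cert DN   ("orapki wallet display" output on stdin)
# Returns 0 when a certificate with exactly this subject DN is listed.
wallet_has_cert() {
    sed -n 's/^Subject:[[:space:]]*//p' | grep -Fqx -- "$1"
}

# check_wallet_trust   (display output on stdin)
# Returns 0 only if both the intermediate and the root CA are trusted.
check_wallet_trust() {
    out=$(cat)
    printf '%s\n' "$out" | wallet_has_cert "$INTERMEDIATE_DN" \
        || { echo "wallet is missing the intermediate: $INTERMEDIATE_DN" >&2; return 1; }
    printf '%s\n' "$out" | wallet_has_cert "$ROOT_DN" \
        || { echo "wallet is missing the root: $ROOT_DN" >&2; return 1; }
    echo "wallet trusts both the intermediate and the root CA"
}

# build_wallet DOMAIN : the post's commands in order, run inside the acme.sh
# cert directory; the final display is checked instead of eyeballed.
build_wallet() {
    d="$1"
    orapki="$FMW_HOME/oracle_common/bin/orapki"
    openssl pkcs12 -export -out "$d.p12" -inkey "$d.key" -in "$d.cer" -certfile ca.cer || return 1
    cp "$d.p12" ewallet.p12 || return 1
    "$orapki" wallet create -wallet . -auto_login || return 1
    "$orapki" wallet add -wallet . -trusted_cert -cert ca2.cer || return 1
    "$orapki" wallet display -wallet . | check_wallet_trust
}

# Constructed samples in the shape of the post's orapki output: before and
# after "wallet add -trusted_cert -cert ca2.cer".
SAMPLE_DISPLAY_BEFORE="Requested Certificates:
User Certificates:
Subject: CN=ebs.r12dba.com
Trusted Certificates:
Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
SAMPLE_DISPLAY_AFTER="$SAMPLE_DISPLAY_BEFORE
Subject: CN=DST Root CA X3,O=Digital Signature Trust Co."

if printf '%s\n' "$SAMPLE_DISPLAY_BEFORE" | check_wallet_trust 2>/dev/null; then
    echo "unexpected: sample without the root passed"
else
    echo "sample without the root: rejected, as expected"
fi
printf '%s\n' "$SAMPLE_DISPLAY_AFTER" | check_wallet_trust

# Usage: cd ~/.acme.sh/ebs.r12dba.com && sh build_wallet.sh ebs.r12dba.com
if [ "$#" -ge 1 ]; then
    build_wallet "$1"
fi
```

Run it from the acme.sh certificate directory with the domain name as the argument; with no arguments it only exercises the checks on the samples. The subject strings are compared exactly, so a wallet that was loaded with a differently named root (for example a future LetsEncrypt root) fails the check rather than passing by accident.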
After you have the wallet ready, follow the steps in Oracle MOS Note "Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)" to finalize your configuration. Good luck with the TLS implementation in your EBS environments.