how to encrypt all connections for Oracle E-Business Suite Release 12.2 using Transport Layer Security (TLS).
Section 1: Introduction
This document describes how to increase
communication security by encrypting all Oracle E-Business Suite Release 12.2
network connections using Transport Layer Security (TLS). TLS is the successor
to SSL and is a protocol that ensures privacy between communicating
applications.
Note: As of June 2022, this document was
changed to stop replacing the FMW auto-generated, self-signed certificate for
the OPMN Remote Port and OHS Admin Port in the following locations:
$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet
$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OPMN/opmn/wallet/cwallet.sso
$EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
$EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
If you have followed this document in the past, you will most likely have
short-lived CA-signed certificates being used for FMW internal communication.
You should create a self-signed certificate and copy it to the locations above.
You should keep the CA-signed certificate in the following location as is:
$FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/keystores/default/
Note: Before you begin,
it is important to understand your current configuration and what you're trying
to accomplish. This will help determine the relevant instructions in this
document.
Begin by reading Section 3: Terminology and Concepts and Section 4: Oracle E-Business Suite Connections to
understand the terminology and concepts used in this document.
Section 5: Configure the Latest TLS Versions Certified with
Oracle E-Business Suite has been broken up into requirements
that are needed for inbound, loopback, and outbound connections. Some of the
outbound connection requirements in 5.3 Configure Loopback and Outbound Connections may
depend on the specific configuration of the server that Oracle E-Business Suite
is communicating with.
Section 6: Optional Configurations covers
some optional configurations that can be used to further restrict the protocols
that Oracle E-Business Suite uses. These include areas such as enabling support
for TLS 1.0/1.1, enabling TLS for the Oracle WebLogic Server (WLS) managed
servers, disabling the HTTP ports, enabling HTTP Strict Transport Security
(HSTS), and enabling support for Forward Secrecy.
Section 7: Configure Optional Integrations covers
the specific configurations that will be required to encrypt communications
between Oracle E-Business Suite and some of the optional integrations.
Section 8: Managing Certificates covers the
case where you have an existing SSL/TLS instance and only need to renew your
certificate. The certificate request remains unchanged, and depending on the
Certifying Authority that issued the certificate, will only require the
original certificate request to renew the certificate. This section outlines
the steps for this process.
Section 9: Use an Alternate TLS Termination Point covers
the configuration of Oracle E-Business Suite with an alternate TLS termination
point, such as a reverse proxy or load balancer. This section also covers the
configuration of end-to-end TLS, where Oracle E-Business Suite itself is
configured for TLS in addition to making use of an alternate TLS termination
point.
Section 10: Creating an Identity Wallet covers
the steps needed to create a new certificate request, submit it to a
certificate authority, and set up the required certificate files. This also
covers wildcard, SAN (Subject Alternative Name), self-signed, and ECC
certificates.
- Transport Layer Security (TLS)
Transport Layer Security, or TLS, is the successor of SSL. TLS, like SSL, is a protocol that encrypts traffic between a client and a server. TLS creates an encrypted connection between two machines, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. There is no distinction between TLS certificates and SSL certificates issued by certifying authorities.
- Secure Sockets Layer (SSL)
SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL). SSL has been deprecated in favor of TLS.
- HTTP and HTTPS
HTTP is the primary communication protocol for the World Wide Web. HTTPS is a combination of HTTP and TLS.
- Public Key Infrastructure
The term public key infrastructure (PKI) is used to describe the processes, technologies and practices that are required to provide a secure infrastructure. A PKI should provide the following: authentication, non-repudiation, confidentiality, integrity, and access control.
- Certificate Authority (CA)
A certificate (or certification) authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the certificate authority's private key to ensure authenticity. The certificate authority's public key is widely distributed.
- Certificate Signing Request (CSR)
A certificate signing request (CSR) is a digital file which contains your public key and your name. You send the CSR to a certificate authority (CA) to be converted into a real certificate.
- Digital Certificate (Public Key)
A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, called a certificate authority (CA). The document is usually in the standard X.509 format and contains three elements:
  - Entity attributes (information about your organization)
  - Public key (which is bound to the private key)
  - Digital signature by the trusted CA's private key
- Private (Server) Key
The private key file is a digital file that you generate as part of a key pair (private key and public key) and use to encrypt/decrypt messages. The certificate request (CSR) that you send to your certificate authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key) which is issued by your CA is bound to this private key.
- Types of Digital Certificates
To reduce the number of certificates required for an environment, the following options are available:
  - Subject Alternative Name (SAN) Certificate
  The use of the Subject Alternative Name field allows you to specify multiple host names to be protected by a single public key certificate. Use of SAN also allows a single certificate to be used for multiple domains.
  - Wildcard Certificate
  A public key certificate which can be used with multiple subdomains of a domain.
  - In-House and Self-Signed Certificates
  These types of certificates are not publicly available and are used either for internal security reasons, testing purposes, or cost savings. The upside is that customers have full control over these certificates, but the downside is that they require additional steps that are not needed in the case of general production certificates. Certificates of this type still consist of a root certificate, an intermediate certificate, and the primary server certificate. Server-side and client-side truststores must be updated with the full certificate chain in this case. If any component of the certificate chain is not found, errors may be encountered. Be sure you understand the limitations of these certificates when using them in any environment.
- TLS Termination Point
A TLS termination point is the end-point server for the encrypted connection that has been initiated by a client (for example, a browser).
In the case of Oracle E-Business Suite, the Oracle HTTP Server can act as a TLS termination point. An alternate TLS termination point, such as a reverse proxy or load balancer, can be configured in front of the Oracle HTTP Server.
4.1 Types of Connections
4.2 TLS Versions Certified with Oracle E-Business Suite Connections
4.3 Additional Requirements for Java Web Start (JWS) Users
4.1 Types of Connections
Oracle E-Business Suite connections fall into the following three categories:
inbound, loopback, and outbound. We recommend that you configure TLS encryption
for all connections in an Oracle E-Business Suite environment.
Inbound connections are from a client to the Oracle HTTP Server (OHS) delivered with the Oracle E-Business Suite applications technology stack. With inbound connections, the SHA-2 signed PKI certificate is requested from a CA by your company for your Oracle E-Business Suite OHS. Examples include, but are not limited to, the following:
- A user accesses Oracle E-Business Suite application pages through the network using a browser.
- A user accesses an Oracle E-Business Suite application through Oracle Forms when using Forms Servlet mode.
- An XML Gateway message originating from a customer is sent to Oracle E-Business Suite.
- Mobile phone communications with Oracle E-Business Suite through a REST service.
The following process describes how TLS works with inbound connections to OHS:
- The client sends the server its best protocol version and a list of cipher suites that it can use.
- The server selects a protocol version and a cipher suite from that list.
- The server presents its certificate and certificate chain (except the root CA certificate) to the client. This certificate contains the server's identifying information.
- The server may also optionally ask the client for a client certificate (which the server validates in a similar manner).
- The client checks its trust store (root CA certificates) and validates the chain of trust with the given certificate and certificate chain. If it validates, the server is authenticated as a trusted server.
- The client and server perform a key exchange to generate a session key which is used to encrypt subsequent data.
Loopback connections are from Oracle E-Business Suite back to the Oracle HTTP Server (OHS) delivered with the Oracle E-Business Suite applications technology stack. Examples include, but are not limited to, the following:
- Workflow notification emails from the concurrent manager tier
- Payments call back from the database tier
- Oracle Process Manager and Notification (OPMN)
- Oracle Applications Manager Log Viewer
- Integrated SOA Gateway's Security Services
Outbound connections are from Oracle E-Business Suite to external site(s). For outbound connections, the SHA-2 signed PKI certificate is requested from a CA by the site you are connecting to from Oracle E-Business Suite. In this case, Oracle E-Business Suite is acting as an HTTPS client, so you must trust the root CA of the remote server's certificate chain in your truststore. Examples include, but are not limited to, the following:
- Punchout in Oracle iProcurement
- XML Gateway connection to partner applications
- Payments credit card processing
- Dun & Bradstreet (HZ)
- International Trade Management (ITM) for screening orders and deliveries
- CIS Tax Module
- Integrated SOA Gateway's Service Invocation Framework
4.2 TLS Versions Certified with Oracle E-Business Suite Connections
Oracle E-Business Suite inbound, outbound, and
loopback connections are currently certified with TLS 1.2, 1.1, and 1.0. The
default Oracle E-Business Suite configuration provided in Section 5: Configure the Latest TLS Versions Certified with
Oracle E-Business Suite allows for the handshake between the
client and server to negotiate and use the highest version of TLS (1.2)
supported by both parties.
Example 1: The outbound connection used by Oracle iProcurement is by default
configured for TLS 1.2. If a call is made from Oracle iProcurement to an
external site that supports TLS 1.2 and a common cipher suite is found, then
TLS 1.2 will be used.
Example 2: The Oracle E-Business Suite Oracle HTTP Server (OHS) for inbound
connections is by default configured for TLS 1.2. If a client using a browser
that supports TLS 1.2 attempts to connect to the OHS, then TLS 1.2 will be used.
You may optionally configure Oracle E-Business
Suite to support older protocols with Oracle E-Business Suite Release
12.2. See 6.1 Configure Latest TLS with Backward Compatibility for
more details.
The default requirements and configuration provided
in Section 5: Configure the Latest TLS Versions Certified with
Oracle E-Business Suite provide the ability to use SHA-2
signed PKI certificates.
While RSA is the most commonly used certificate key
type and is supported by Oracle E-Business Suite, Oracle Fusion Middleware
supports the use of an Elliptic Curve Cryptography (ECC) certificate if the
entire chain is ECC and the server cert is signed using ecdsasha256. We
currently do not support an ECC certificate with the server cert signed using
sha256WithRSAEncryption, and intermediate and root CA using RSA. The procedures
in this note apply to customers using either RSA or ECC certificates unless otherwise
noted.
4.3 Additional Requirements for Java Web Start (JWS) Users
SSL and TLS users running Java Web Start (JWS)
require a chain of trust to the Java certificate store for their server
certificate on the desktop. This is in addition to the usual chain of trust to
the browser.
If using a recognized certificate authority (CA),
there should be no further requirements, as the CA's root certificate will
already be included in the Java 'System' store by default.
If using your own in-house CA, you must import the
server root certificate into the Java 'Secure Site CA' certificate store
through the Java Control Panel. To do so:
- Navigate to the Security tab in the Java Control Panel.
- Click Manage Certificates.
- For Certificate Type, select "Secure Site CA" from the drop-down list.
- Click Import.
Without this chain of trust, you will see a
Security Warning dialog box stating "The connection to this website is
untrusted" when trying to run Java content within Oracle E-Business Suite.
Section 5: Configure the Latest TLS Versions Certified with Oracle E-Business Suite
This section details the steps necessary to enable
the latest version of TLS. As part of this process, you will also migrate to
new OpenSSL libraries, which will change the method by which you generate and
import your SHA-signed PKI certificate. The configuration and patches in this
section also address vulnerabilities including weak cipher suites, FREAK,
POODLE, and DROWN.
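The handshake steps in 4.1, the "highest common version" rule in 4.2 and the hardening goals above, as an added Python example that is not part of this Oracle document: it models the OHS (inbound) and E-Business Suite HTTPS-client (outbound) roles with plain `ssl.SSLContext` objects instead of Oracle wallets, and the cipher string and weak-suite markers are my own choices, not EBS defaults.

```python
import ssl
from ssl import TLSVersion
from typing import List, Optional, Tuple

# Name fragments marking suites a TLS 1.2-only deployment should not offer (my list):
# EXP (export-grade RSA, FREAK), RC4/DES/MD5 (broken algorithms), NULL (no
# encryption), ADH/AECDH (no server authentication), PSK/SRP (not web suites).
WEAK_MARKERS = ("EXP", "RC4", "DES", "MD5", "NULL", "ADH", "AECDH", "PSK", "SRP")

# OpenSSL cipher string (assumed, not an EBS setting): ECDHE key exchange with
# AEAD ciphers only, which also gives forward secrecy; the "!" terms make the
# exclusions explicit even if the positive selection already omits them.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP"


def harden_tls12_only(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Floor the context at TLS 1.2 and apply the hardened cipher list.
    The floor removes SSLv2 (DROWN), SSLv3 (POODLE) and TLS 1.0/1.1 from the
    negotiation; the cipher string removes export suites (FREAK)."""
    ctx.minimum_version = TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def make_server_context() -> ssl.SSLContext:
    """Inbound role (what OHS does). The server chain is added afterwards with
    ctx.load_cert_chain(certfile, keyfile); nothing is loaded here."""
    return harden_tls12_only(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def make_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Outbound role (E-Business Suite as HTTPS client). The remote chain must
    validate against our own truststore: the CA bundle given, or the platform store."""
    ctx = harden_tls12_only(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.verify_mode = ssl.CERT_REQUIRED   # no chain to a trusted root -> no connection
    ctx.check_hostname = True             # the certificate must also name the host dialled
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> List[str]:
    """Audit step: names of enabled suites matching a weak marker (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"].upper() for marker in WEAK_MARKERS)]


def negotiated_version(client: Tuple[TLSVersion, TLSVersion],
                       server: Tuple[TLSVersion, TLSVersion]) -> Optional[TLSVersion]:
    """Version step of the handshake: the client offers its best version, the server
    picks the highest one both (lowest, highest) ranges contain. None means the
    handshake fails, which is why 6.1 (backward compatibility) exists."""
    low, high = max(client[0], server[0]), min(client[1], server[1])
    return high if high >= low else None


if __name__ == "__main__":
    ohs = make_server_context()
    tls12_only = (TLSVersion.TLSv1_2, TLSVersion.TLSv1_2)   # OHS configured per Section 5
    print("OHS floor:", ohs.minimum_version.name, "| weak suites:", weak_ciphers_enabled(ohs) or "none")
    print("TLS 1.0-1.2 browser ->", negotiated_version((TLSVersion.TLSv1, TLSVersion.TLSv1_2), tls12_only))
    print("TLS 1.0-1.1 client  ->", negotiated_version((TLSVersion.TLSv1, TLSVersion.TLSv1_1), tls12_only))
```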
To configure Oracle E-Business Suite Release 12.2 to use TLS 1.2 only, you must ensure that you fulfill the following additional requirements:
- Upgrade Oracle Database
Perform either of the following to enable TLS 1.2 support for Oracle Database:
  - Upgrade to Oracle Database 12.1.0.2 following the instructions in My Oracle Support Knowledge Document 1926201.1, Interoperability Notes Oracle E-Business Suite Release 12.2 with Oracle Database 12c Release 1 (12.1.0).
  - Upgrade to Oracle Database 11.2.0.4 following the instructions in My Oracle Support Knowledge Document 1623879.1, Interoperability Notes Oracle E-Business Suite Release 12.2 with Database 11g Release 2 (11.2.0.4).
Note: For customers using Oracle Database 11.2.0.4, it is required to apply a supported version of the Database PSU, which is OCT PSU 2018 or later (see MOS Document 1147107.1, Database Patch Set Update Overlay Patches Required for Use with PSUs and Oracle E-Business Suite).
- Configure Java Runtime Environment on the Desktop Client
Ensure that your desktop client has either:
  - JRE 8 - TLS 1.2 enabled by default; or
  - JRE 6/7 - Starting with the January 2017 Java CPU, TLS 1.1 and TLS 1.2 are enabled by default. The specific minimum versions are JRE 1.6.0_141 and JRE 1.7.0_131.
Note: For any JRE 6/7 version older than the January 2017 CPU, TLS 1.2 can be enabled through the Java Control Panel: Advanced tab, Advanced Security Settings section, Use TLS 1.2.
- Use a TLS-Supported Browser
Currently supported Windows browsers are as follows, with TLS 1.2 enabled by default:
  - Microsoft Internet Explorer 11
  - Mozilla Firefox ESR 45.x
  - Google Chrome v49
  - Microsoft Edge Legacy (up to v44)
  - Microsoft Edge v83 and later (Chromium based)
5.1 Apply Required Updates and Patches
5.2 Configure Inbound Connections
5.3 Configure Loopback and Outbound Connections
5.4 Enable TLS for WLS AdminServer
5.1 Apply Required Updates and Patches
Install the following prerequisite software updates
and components on your Oracle E-Business Suite Release 12.2 instance. These
software updates are fully compatible with Oracle E-Business Suite environments
regardless of whether or not you proceed with TLS configuration. You may
therefore choose to install these software updates at an earlier date, even
before performing any of the subsequent steps in this document to complete TLS
configuration. You may combine these updates with other regularly-scheduled
maintenance in your environment. You can choose to install these software
updates during an Oracle E-Business Suite R12.2 Online Patching cycle to your
patch file system (recommended) or on your run file system.
For details about Oracle E-Business Suite Release
12.2 online patching, refer to Patching
Procedures in the Oracle E-Business Suite Maintenance
Guide Release 12.2.
Perform the following steps to apply the necessary
updates and patches.
Step 1 - Upgrade to Latest Java Development Kit (JDK) 7
Note: AIX customers must
upgrade their application tier JDK to a minimum of JDK 1.7 SR10 FP1.
Upgrade to the latest JDK version as described in Section 3
of Document 1530033.1, Using the Latest JDK
7.0 Update with Oracle E-Business Suite Release 12.2.
Starting with the January 2017 Java CPU, TLS 1.1
and TLS 1.2 are enabled by default. The minimum version is JDK
1.7.0_131.
We recommend that you continue to update the JDK
quarterly per our CPU patching recommendations.
Step 2 - Upgrade Oracle Fusion Middleware
The use of TLS 1.2 requires Oracle Fusion
Middleware 11.1.1.9. For more information, see Document 1590356.1, Upgrading Oracle
Fusion Middleware WebTier of Oracle E-Business Suite Release 12.2 to the latest
11gR1 (11.1.1.x) PatchSet.
On top of Oracle Fusion Middleware 11.1.1.9, you must
apply the July 2016 Critical Patch Update (CPU) or later for
TLS 1.2 support. We highly recommend that you take up the latest CPU. For the latest
CPU, see Document 2484000.1, Identifying the
Latest Critical Patch Update for Oracle E-Business Suite Release 12.
Step 3 - Apply AD and TXK Patches
We highly recommend that you apply the latest AD
and TXK Delta Release Update Packs. Refer to Document 1617461.1, Applying the Latest
AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2,
for the latest information on known issues. Within that same note, review
Section 4: Apply Additional Critical Patches for any AD/TXK patches that may be
applicable.
Step 4 - Apply Product-Specific Patches
Apply the following product-specific patches:
- Oracle Workflow
Apply Patch 22806350: R12.OWF.C to address an Oracle Workflow Notification Mailer issue. This patch is required when the E-Business Suite Web Tier is enabled for TLS 1.2 only.
Apply Patch 22323006: SU Patch [DI8E] Update JavaMail API Library to 1.5.4 in WLS 10.3.6.
Apply the latest AD and TXK RUPs: R12.AD.C.Delta.12 Patch 30628681 and R12.TXK.C.Delta.12 Patch 30735865.
- Oracle iProcurement
Apply the patch or patches mentioned in Document 1937220.1, Punchout in Oracle iProcurement and Exchange Fails After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake SSLIOClosedOverrideGoodbyeKiss), that correspond to your application versions.
- Oracle XML Gateway
Apply Patch 22326911: R12.ECX.C.
- Oracle iPayment
Apply Patch 22522877: R12.IBY.C.
Note: For the Oracle Payments and Paymentech integration there is a new SSL Enabled parameter in the transmission configuration for the Paymentech Online Spec Socket protocol. This is available in controlled-release Patch 29179872. Refer to Document 2531952.1, Oracle Payments 12.2: After uptake to TLS 1.2 Paymentech Authorizations No Longer Working.
Step 5 - Apply Oracle Fusion Middleware Patch 20429551, Patch 23630525, and Patch 26045188 Version 11.1.1.9
As part of the patching process in this step, set
the $ORACLE_HOME to point to the $FMW_HOME/webtier directory.
Patch 20429551 provides
the updated orapki utility needed to support SHA2 certificate requests.
It is safe to roll back Patch 25072950 in the
case of a conflict.
After applying Patch 26045188, remove the
NonJ2EEManagement deployment from the WebLogic console and then proceed with
redeployment by performing the following steps:
1. Navigate to the WebLogic Server Admin console at http://<s_wls_admin_host>.<s_wls_admin_domain>:<s_wls_admin_port>/console. Derive the context variable values from either the run or patch edition context file, depending on your current patching state.
2. From the Domain Structure panel, navigate to Deployments.
3. Locate NonJ2EEManagement (11.1.1) in the list of deployments.
4. Stop the application "NonJ2EEManagement (11.1.1)".
5. In the Change Center panel, click Lock & Edit.
6. Select the check box beside the deployed application NonJ2EEManagement (11.1.1).
7. Delete the NonJ2EEManagement (11.1.1) application.
8. Click Activate Changes.
9. Navigate to $FMW_HOME and source the SetWebtier.env file.
10. Redeploy the $ORACLE_HOME/opmn/applications/NonJ2EEManagement.ear file delivered by this patch:
$ $ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost <ADMINSERVER_HOST> -adminPort <ADMINSERVER_PORT>