Oracle HTTP Server Powered by Apache provides the communication services within Oracle Application Server. This facilitates deployment of HTML-based applications within a multi-tiered computing environment.
All incoming client requests to Oracle Internet Application Server (AS) are handled by the Communication Services component of AS. The Oracle HTTP Server, powered by Apache Web Server technology, accepts and processes these requests. The Apache technology adopted by Oracle HTTP Server provides an extremely stable, scalable, and extensible platform on which to deploy web-based applications. The modular design of the Apache server allows the capabilities of the Oracle HTTP Server to be extended. In addition to the standard Apache modules (often referred to as modules, or simply mods), a number of Oracle-specific modules are provided, along with extensions to the functionality of several standard modules.
These modules include:
mod_ssl - This module provides secure listener communications using an Oracle-provided encryption mechanism using 128-bit Secure Sockets Layer (SSL). The mod_ossl module replaces mod_ssl. In contrast to the OpenSSL module, mod_ossl is based on the Oracle implementation of SSL, which supports SSL version 3 and uses the Oracle Wallet Manager for certificate management. The Apache HTTP Server SSL configuration file, ssl.conf, is located in the $INST_TOP/ora/10.1.3/Apache/Apache/conf directory.
mod_oc4j - This module routes all servlet requests to the Apache OC4J servlet engine embedded within Oracle HTTP Server. Servlets can be shared across multiple zones.
mod_perl - This module forwards Perl requests to the Perl Interpreter. The Perl Interpreter is embedded within the Oracle HTTP Server, removing the necessity to spawn an external interpreter as well as providing a caching mechanism such that modules and scripts need only be loaded or compiled once. Oracle E-Business Suite does not currently utilize mod_perl.
The Oracle HTTP Server is powered by a standard version of Apache. A number of books have been published describing the operation of the Apache server. To further add to your knowledge of the Apache server, you may wish to consult one of these.
Note: Refer to the Oracle HTTP Server documentation for a more detailed description of the operation and configuration of the Oracle HTTP Server. The information in this section is supplementary to that provided in the Oracle HTTP Server books.
Oracle E-Business Suite Installation Guide: Using Rapid Install should be consulted for additional information on directory structures and file locations referred to in this guide.
Apache is configured through directives contained in one or more configuration files. The directives necessary for operating Apache within the Oracle environment will be entered into the configuration files during the install process. It should not be necessary to modify these files unless the system is being re-configured.
Warning: An invalid directive entered into a configuration file will prevent Apache from starting. An incorrect definition provided to a directive may cause Apache to behave in an unintended fashion.
The Apache configuration files are installed as part of the Oracle E-Business Suite Rapid Install process. On UNIX, for example, the files will be placed in $INST_TOP/ora/10.1.3/Apache/Apache/conf.
Secure Sockets Layer (SSL) allows the Apache listener to encrypt HTML pages and transmit them on the network using the HTTPS protocol for secure transmissions.
SSL uses an encrypting method called public key cryptography, where the server provides the client with a public key for encrypting information. The server's private key is required to decrypt this information. The client uses the public key to encrypt and send information to the server, including its own key which identifies it to the server.
In order for the Oracle HTTP Server, powered by Apache, to function in secure mode it is also necessary to utilize certificates which validate the server's identity. These certificates are used to ensure that the owner of a public key is who they say they are. Typically you will want to use a private key with an officially signed certificate, validated by a Certificate Authority (CA). The CA validates the company details, sets expiration dates on the certificates and may place policies on what information is contained within the certificate. A number of CAs exist, and include such authorities as Verisign, RSA, and GTE CyberTrust.
To obtain a CA-approved certificate, it is necessary to generate a certificate request, which includes details of the organization applying as well as the public key to be distributed. The request is then sent to the CA, validated, and returned. Authorities may also require proof of ownership of the company applying for the certificate, as well as proof of ownership of the domain name specified in the certificate request.
It is possible to generate a self-signed certificate that can be used to test SSL operation. Most browsers are configured to accept certificates from a number of recognized authorities. Receiving a certificate from an organization other than one of these will generate a warning, and the user will be prompted to accept or reject this certificate. A self-signed certificate will generate this warning.
The SSL module provides two utilities - Oracle Wallet Manager, and the Oracle Wallet Manager Command Line Interface (orapki) - that can be used to create a self-signed certificate for testing purposes.
Warning: Self-signed certificates are inherently insecure, and should not be used in an environment where security is required.
In order to generate a self-signed certificate, perform the steps below using the Oracle Wallet Manager Command Line Interface:
Follow these steps for the temporary SSL environment setup.
Source your environment
Log on to the application (middle) tier, as the OS user who owns the application tier files.
Source your <APPL_TOP>/<SID_hostname>.env file to set your APPL_TOP variables.
Navigate to $INST_TOP/ora/10.1.3 and source the <SID_hostname>.env file to set your 10.1.3 ORACLE_HOME variables. When working with wallets and certificates, you must use the 10.1.3 executables.
Create a Wallet
Verify the location of the Web SSL directory:
grep s_web_ssl_directory $CONTEXT_FILE
Navigate to this directory, which will have Apache and opmn subdirectories.
Change to the Apache subdirectory.
Back up any existing wallets (demo certificates are included in Release 12).
Create your new wallet:
orapki wallet create -wallet . -auto_login -pwd <password>
"-wallet ." (note the ".") tells orapki that you want to create the wallet in the current directory. You can also specify the full path to any directory where you wish to create a wallet.
" -auto_login" tells orapki that you want to create cwallet.sso which is an obfuscated copy of ewallet.p12. With auto login enabled, processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet.
You should now see two wallet files in your directory: cwallet.sso and ewallet.p12.
Add your self-signed certificate to the wallet.
Enter the following command all on one line, substituting the appropriate parameters for your instance:
orapki wallet add -wallet . -dn "CN=server.us.oracle.com,OU=Unit,O=Org,L=Orlando,ST=Florida,C=US" -keysize 1024 -self_signed -validity 3650 -pwd welcome1
Your wallet is now ready for use in environments where security is not required (as mentioned in the warning note above, self-certification is by definition not secure).
Ensure that the following parameters are correctly set in your Oracle E-Business Suite applications context file:
| Variable | Non-SSL Value | SSL Value |
|---|---|---|
| s_url_protocol | http | https |
| s_local_url_protocol | http | https |
| s_webentryurlprotocol | http | https |
| s_active_webport | Same as s_webport | Same as s_webssl_port |
| s_help_web_agent | URL constructed with http protocol and s_webport | URL constructed with http protocol and s_webport (same as non-SSL) |
| s_login_page | URL constructed with http protocol and s_webport | URL constructed with https protocol and s_webssl_port |
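A consistency check for the SSL column of the table above, to run before AutoConfig; this is an added example, not Oracle's code. It assumes each variable is stored in the context file as a single-line XML element carrying an oa_var="<name>" attribute; the sample file, its element names, host name and port numbers are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample context file, half-migrated to SSL (element names are assumptions).
sample_ctx() {
cat <<'EOF'
<oa_context>
  <url_protocol oa_var="s_url_protocol">https</url_protocol>
  <local_url_protocol oa_var="s_local_url_protocol">http</local_url_protocol>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">https</webentryurlprotocol>
  <web_port oa_var="s_webport">8000</web_port>
  <web_ssl_port oa_var="s_webssl_port">4443</web_ssl_port>
  <activewebport oa_var="s_active_webport">8000</activewebport>
  <helpwebagent oa_var="s_help_web_agent">http://ebs.example.com:8000/OA_HTML/help</helpwebagent>
  <login_page oa_var="s_login_page">https://ebs.example.com:4443/OA_HTML/AppsLogin</login_page>
</oa_context>
EOF
}
# ctx_get FILE VAR: print the text of the element tagged oa_var="VAR".
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# check_ssl_context FILE: print one line per mismatch with the SSL column; return 0 if none.
check_ssl_context() {
    ctx=$1; rc=0
    for v in s_url_protocol s_local_url_protocol s_webentryurlprotocol; do
        val=$(ctx_get "$ctx" "$v")
        [ "$val" = "https" ] || { echo "$v=$val (expected https)"; rc=1; }
    done
    webport=$(ctx_get "$ctx" s_webport)
    sslport=$(ctx_get "$ctx" s_webssl_port)
    active=$(ctx_get "$ctx" s_active_webport)
    if [ -z "$sslport" ] || [ "$active" != "$sslport" ]; then
        echo "s_active_webport=$active (expected s_webssl_port=$sslport)"; rc=1
    fi
    # Per the table, the help agent keeps http and s_webport even under SSL.
    case $(ctx_get "$ctx" s_help_web_agent) in
        "http://"*":$webport"|"http://"*":$webport/"*) ;;
        *) echo "s_help_web_agent (expected http and port $webport)"; rc=1 ;;
    esac
    case $(ctx_get "$ctx" s_login_page) in
        "https://"*":$sslport"|"https://"*":$sslport/"*) ;;
        *) echo "s_login_page (expected https and port $sslport)"; rc=1 ;;
    esac
    return $rc
}
# Demo: the constructed sample reports two variables still at non-SSL values.
demo=$(mktemp); sample_ctx > "$demo"
check_ssl_context "$demo" || echo "=> fix the context file, then run AutoConfig"
rm -f "$demo"
```

Against a real instance, call check_ssl_context "$CONTEXT_FILE" after sourcing the environment file.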
Run AutoConfig, either through the Oracle Applications Manager interface, or by using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.
Additional Information: For more details, see My Oracle Support Knowledge Document 387859.1, Using AutoConfig to Manage System Configurations with Oracle E-Business Suite Release 12.
Restart the application tier Apache services using the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory. Ensure that Apache can start up successfully, and that you successfully get an SSL connection to the default Apache banner screen using https://<host.domain>:<SSL_port>, where <host.domain> is the fully qualified name of the machine running Apache, and <SSL_port> is the SSL port number defined in ssl.conf.
Once you have signed on to Oracle E-Business Suite, select a responsibility and process that will launch a Forms-based application. For example, System Administrator responsibility and the Define User process.
Note: For further details of using SSL, see My Oracle Support Knowledge Document 376700.1, Enabling SSL with Oracle Application Server 10g and E-Business Suite Release 12, and Knowledge Document 376694.1, Using the Oracle Wallet Manager Command Line Interface with Oracle E-Business Suite Release 12.