Yesterday Scott Maziarz got this error in the log of an Oracle Application Server instance:
[Tue May 16 13:27:52 2006] [warn] long lost child came home! (pid 8134)
I can’t decide if this is a good thing or a bad thing.
From the Oracle Application Server Installation Guide, 10g Release 2 for Linux Part I topic 4.8:
Typically, the computer on which you want to install Oracle Application Server is connected to the network
Typically? I mean, I know you want to write documentation for the broadest case possible, but it seems just a little unlikely that you would have an application server which would not be connected to a network.
Go ahead; correct me if I’m wrong.
After having to do this several times in the past few weeks I have updated my directions on managing secure certificates in OAS to include importing a renewed OAS certificate.
Here’s my cliff notes directions for managing secure certificates using Oracle Wallet Manager. These directions were written for Oracle Application Server 10g (9.0.4) and may not work right with other versions. As always, don’t do it if you don’t understand it.
NOTE: When you generate a certificate request within a wallet, you must then import the certificate into the EXACT SAME WALLET! So it is important not to forget the path or the password to the wallet. You can also make a copy of the wallet by copying the ewallet.p12 and cwallet.sso files from the path where you saved the wallet to another directory.
Generate a certificate request:
xhost +serverhostname
DISPLAY=localhostname:0.0; export DISPLAY
owm
Common Name: The fully qualified domain name (e.g. gimli.plymouth.edu)
Organizational Unit: Typically a department name (e.g. Information Technology Services)
Organization Name: Your organization’s official name (e.g. Plymouth State University)
Locality/City: Plymouth
State/Province: New Hampshire
Country: United States
Key Size: (1024 is OK, 2048 is better)
Importing a Certificate:
From here you’ll have to follow the instructions in the Oracle HTTP Server Administration Guide to complete the SSL setup.
Importing a Renewed Certificate
These directions are for when your certificate authority has renewed your cert based on your previous request.
If you’re running an Oracle Application Server 10g instance you are probably familiar with Oracle Enterprise Manager Application Server Control. If not, go back to the manual. This is not a how-to on setting it up or using it. If you want to know how to secure it and refresh the certificate when it expires, read on.
Application Server Control is installed with Application Server 10g and typically runs on a port like 1810. By default it uses the non-secure http protocol. Since your whole application server is controlled through this interface, you probably want to secure it. The instructions below will generate a self signed certificate and get your Application Server Control up and running with https.
As usual this post is written for Oracle Application Server 10g on UNIX. Always review the documentation for your release before trying any of these steps.
Securing Application Server Control
Oracle has provided a simple way to secure Application Server Control.
Note: If $ORACLE_HOME/bin is not in your path you will need to provide this path to emctl.
1. Connect to the command line on the application server and set all the appropriate environment variables for your application instance.
2. Run the command emctl stop iasconsole to stop Application Server Control.
3. Run the command emctl secure em to secure Application Server Control. This will perform a few steps including generating a self-signed secure certificate.
4. Run emctl start iasconsole to start Application Server Control.
If all goes well you will now be able to connect to your Application Server Control instance on the same port as before but now with the https protocol. In most browsers you will need to specify ‘https://’ in the URL.
Depending on your browser settings you may get a warning when accessing the site that the secure certificate was not issued by a trusted company. That is normal with a self-signed certificate. You can either tell your browser to trust the certificate or simply disregard the warning when it appears.
Renewing the Certificate
By default the certificate created in the steps above will only be good for six months. Once the cert goes stale you will probably get a warning that the certificate date is invalid. You may additionally get some Java errors like the ones below.
When this happens you can simply re-secure Application Server Control with the same steps above. This will create a new certificate which will be valid for another six months.
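Because the certificate lapses every six months, it is worth checking its remaining lifetime on a schedule instead of waiting for the handshake errors. The script below is an added example, not part of the original post or of Oracle's tooling; it assumes the openssl command-line tool is installed, and the host name, file paths and the 180-day sample certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): warn before a certificate expires.
# Assumes the openssl CLI is installed. Host names and paths are placeholders.

# Return 0 if the PEM certificate in $1 expires within $2 days (or already has).
cert_expires_within() {
    pem=$1; days=$2
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null; then
        return 1
    fi
    return 0
}

# Save the certificate presented on host $1, port $2 to file $3 (needs network).
# e.g. fetch_server_cert appserver.example.test 1810 /tmp/asc.pem
fetch_server_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Print one status line for certificate file $1; exit status 1 means act.
report_cert() {
    pem=$1; warn_days=$2
    not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    if cert_expires_within "$pem" 0; then
        echo "EXPIRED ($not_after): re-secure now"; return 1
    elif cert_expires_within "$pem" "$warn_days"; then
        echo "EXPIRING ($not_after): schedule a re-secure"; return 1
    fi
    echo "OK ($not_after)"
}

# Constructed sample: a throwaway self-signed cert valid for 180 days.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 180 \
        -subj "/CN=asc.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

sample=$(make_sample_cert)
report_cert "$sample" 30            # fresh cert: well outside a 30-day window
report_cert "$sample" 365 || true   # same cert: inside a 365-day window
```

Run from cron, the non-zero exit status of report_cert can drive a notification a few weeks before the re-secure is due.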
Some Potential Problems
If the certificate has expired you will likely get a Java error like this:
IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: X509CertExpiredErr
If this happens simply re-secure Application Server Control with the instructions above.
Sometimes Application Server Control will not shut down properly and you may get an error like this:
IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: SSLIOClosedOverrideGoodbyeKiss
If this happens you will probably have to kill the enterprise manager process (look for a process called emagent) and re-secure again.