Thank You Oracle

Yesterday Scott Maziarz got this error in the log of an Oracle Application Server instance:

[Tue May 16 13:27:52 2006] [warn] long lost child came home! (pid 8134)

I can’t decide if this is a good thing or a bad thing.

funny, fun, error, error message, oracle, oracle application server, oas, dba, system administration, sysadmin, database administration

Pearls Of Wisdom From Oracle

From the Oracle Application Server Installation Guide, 10g Release 2 for Linux Part I topic 4.8:

Typically, the computer on which you want to install Oracle Application Server is connected to the network

Typically? I mean, I know you want to write documentation for the broadest case possible, but it seems just a little unlikely that you would have an application server which would not be connected to a network.

Go ahead; correct me if I’m wrong.

oracle, oracle application server, humor, irony, documentation, tech writing

Renewing Secure Certificates in Oracle Application Server

After having to do this several times in the past few weeks I have updated my directions on managing secure certificates in OAS to include importing a renewed OAS certificate.

application administration, oas, oracle application server, sysadmin, system administration, oracle

Secure Certificate Management in Oracle Application Server

Here are my cliff notes directions for managing secure certificates using Oracle Wallet Manager. These directions were written for Oracle Application Server 10g (9.0.4) and may not work right with other versions. As always, don’t do it if you don’t understand it.

NOTE: When you generate a certificate request within a wallet you must then import the certificate into the EXACT SAME WALLET! So it is important not to forget the path or the password to the wallet. You can also make a copy of the wallet by copying the ewallet.p12 and cwallet.sso files from the path where you saved the wallet to another directory.

Generate a certificate request:

  1. On the system where you want to display the wallet manager, run:
    xhost +serverhostname
  2. ssh to the system the cert is for.
  3. Export the display to somewhere you can view it:
    DISPLAY=localhostname:0.0; export DISPLAY
  4. Start Oracle Wallet Manager from $ORACLE_HOME/bin (should be in the path):
    owm
  5. Select New from the Wallet menu.
  6. Answer No to creating the default location.
  7. Give the wallet a secure password and select OK.
  8. Answer Yes to create a certificate request.
  9. Enter the following information to generate the request. If you’re not sure about some of this info, check with someone at your site who has done cert requests before. It is important that it is all accurate.

    Common Name: The fully qualified domain name (e.g. gimli.plymouth.edu)
    Organizational Unit: Typically a department name (e.g. Information Technology Services)
    Organization Name: Your organization’s official name (e.g. Plymouth State University)
    Locality/City: Plymouth
    State/Province: New Hampshire
    Country: United States
    Key Size: (1024 is OK, 2048 is better)

  10. Click OK once these values are all correct.
  11. Click OK in the “Please submit” dialogue.
  12. Select Auto Login from the Wallet menu.
  13. Select Save from the Wallet menu and save the wallet to a safe, non-public directory on your server (being careful not to overwrite another wallet).
  14. Click on the certificate request in the wallet tree, then select Export Certificate Request from the Operations menu and export the request to a file.
  15. Send the certificate request file to the certificate authority to obtain a user certificate.
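
With Auto Login enabled, cwallet.sso lets the wallet be opened without its password, so file permissions are what protect the private key. The script below is an added example, not part of the original directions: it audits a saved wallet directory and makes the backup copy described in the NOTE above. The owner-only policy it enforces is an assumption; adjust it if your HTTP server runs as a different user.

```shell
#!/bin/sh
# Added example: audit and back up an Oracle wallet directory.
# Assumed policy: wallet files are owner-only, the directory is closed to "other".

# mode_bits PATH: print the group+other part of the mode, e.g. "r-xr-x" or "------".
mode_bits() { ls -ld -- "$1" | cut -c5-10; }

# audit_wallet DIR: print one line per finding; return the number of findings.
audit_wallet() {
    dir=$1; findings=0
    for f in ewallet.p12 cwallet.sso; do
        if [ ! -f "$dir/$f" ]; then
            # A missing cwallet.sso usually means Auto Login was not saved.
            echo "MISSING  $dir/$f"; findings=$((findings + 1))
        elif [ "$(mode_bits "$dir/$f")" != "------" ]; then
            echo "EXPOSED  $dir/$f ($(mode_bits "$dir/$f"))"; findings=$((findings + 1))
        fi
    done
    case $(mode_bits "$dir") in
        ???---) ;;   # no permissions for "other" on the directory
        *) echo "EXPOSED  $dir is accessible to other users"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# backup_wallet SRC_DIR DEST_DIR: copy both wallet files into an owner-only directory.
backup_wallet() {
    ( umask 077
      mkdir -p "$2" && chmod 700 "$2" &&
      cp -p "$1/ewallet.p12" "$1/cwallet.sso" "$2"/ &&
      chmod 600 "$2/ewallet.p12" "$2/cwallet.sso" )
}

# Usage: wallet_audit.sh /path/to/wallet [/path/to/backup]
if [ $# -ge 1 ]; then
    [ $# -ge 2 ] && backup_wallet "$1" "$2"
    audit_wallet "$1"
fi
```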

Importing a Certificate:

  1. Follow the instructions above to connect to the server and export the display.
  2. Transfer the certificate you received from your certificate authority to the server.
  3. Open Oracle Wallet Manager and open the wallet the cert request was created from.
  4. Select Import User Certificate from the Operations menu. DO NOT import the certificate as a trusted certificate.
  5. Select Import Certificate From File and then select the file containing the certificate.
  6. If you are prompted to import the CA certificate, select Yes and follow these steps to get the CA cert:
    1. On a Windows box, rename the certificate to have a .cer extension (which should change the icon).
    2. Double click on the certificate and select the Certification Path tab.
    3. Select the highest level of the certification path (e.g. Thawte Premium Server CA) and click View Certificate.
    4. Select the Details tab and click Copy to File…
    5. Follow the directions on screen to export the CA certificate as a Base-64 Certificate.
    6. Once exported, copy the CA certificate to the host the wallet is on.
    7. In the Import Trusted Certificate dialogue box, choose Select a file that contains the certificate and click OK.
    8. Select the CA Cert file you have just uploaded and click OK.
  7. The certificate should now have the word Ready next to it. That indicates the certificate is ready to use.
  8. Confirm that Auto Login is checked in the Wallet menu.
  9. Save the wallet by choosing Save from the Wallet menu.
  10. Exit the wallet manager.

From here you’ll have to follow the instructions in the Oracle HTTP Server Administration Guide to complete the SSL setup.

Importing a Renewed Certificate

These directions are for when your certificate authority has renewed your cert based on your previous request.

  1. Follow the instructions above to connect to the server and export the display.
  2. Transfer the certificate you received from your certificate authority to the server.
  3. Open Oracle Wallet Manager and open the wallet the cert request was created from.
  4. Click on the existing certificate, select Remove User Certificate from the Operations menu and click Yes to confirm.
  5. Click on the certificate (now in [Requested] status) from the wallet and select Import User Certificate from the Operations menu.
  6. Select Import Certificate From File and then select the file containing the certificate.
  7. The certificate should now have the word Ready next to it. That indicates the certificate is ready to use.
  8. Confirm that Auto Login is checked in the Wallet menu.
  9. Save the wallet by choosing Save from the Wallet menu.
  10. Exit the wallet manager.

oracle, oracle application server, oas, application administration, system administration, sysadmin

(Re)Securing Oracle Application Server Control

If you’re running an Oracle Application Server 10g instance you are probably familiar with Oracle Enterprise Manager Application Server Control. If not, go back to the manual. This is not a how-to on setting it up or using it. If you want to know how to secure it and refresh the certificate when it expires, read on.

Application Server Control is installed with Application Server 10g and typically runs on a port like 1810. By default it uses the non-secure http protocol. Since your whole application server is controlled through this interface, you probably want to secure it. The instructions below will generate a self signed certificate and get your Application Server Control up and running with https.

As usual this post is written for Oracle Application Server 10g on UNIX. Always review the documentation for your release before trying any of these steps.

Securing Application Server Control

Oracle has provided a simple way to secure Application Server Control.

Note: If $ORACLE_HOME/bin is not in your path you will need to provide this path to emctl.

1. Connect to the command line on the application server and set all the appropriate environment variables for your application instance.

2. Run the command emctl stop iasconsole to stop Application Server Control.

3. Run the command emctl secure em to secure Application Server Control. This will perform a few steps including generating a self-signed secure certificate.

4. Run emctl start iasconsole to start Application Server Control.

If all goes well you will now be able to connect to your Application Server Control instance on the same port as before but now with the https protocol. In most browsers you will need to specify ‘https://’ in the URL.

Depending on your browser settings you may get a warning when accessing the site that the secure certificate was not issued by a trusted company. That is normal with a self-signed certificate. You can either tell your browser to trust the certificate or simply disregard the warning when it appears.

Renewing the Certificate

By default the certificate created in the steps above will only be good for six months. Once the cert goes stale you will probably get a warning that the certificate date is invalid. You may additionally get some Java errors like the ones below.

When this happens you can simply re-secure Application Server Control with the same steps above. This will create a new certificate which will be valid for another six months.
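
Because the certificate lapses after six months, a scheduled check can flag it before the expiry error shows up. The script below is an added example, not part of the original post; it assumes the OpenSSL command-line tool is installed, and the hostname and 30-day threshold in its usage comment are placeholders.

```shell
#!/bin/sh
# Added example: warn before the Application Server Control certificate expires.
# Assumes the openssl CLI is installed.

# expires_within PEM_FILE DAYS
#   0 = expires within DAYS (or already expired), 1 = valid longer than DAYS,
#   2 = PEM_FILE is not a parseable certificate.
expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
    then return 1
    fi
    return 0
}

# fetch_cert HOST PORT OUT_FILE
#   Save the certificate presented by a TLS listener as PEM. A self-signed or
#   expired certificate is still returned; only the handshake is needed.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3" 2>/dev/null
}

# check_listener HOST PORT DAYS
#   Print one status line; return 0 only when the certificate is fine.
check_listener() {
    tmp=$(mktemp) || return 2
    rc=0
    if fetch_cert "$1" "$2" "$tmp"; then
        expires_within "$tmp" "$3" || rc=$?
    else
        rc=2
    fi
    case $rc in
        0) echo "RENEW   $1:$2 $(openssl x509 -in "$tmp" -noout -enddate)"; rc=1 ;;
        1) echo "OK      $1:$2 $(openssl x509 -in "$tmp" -noout -enddate)"; rc=0 ;;
        *) echo "UNKNOWN $1:$2 no certificate retrieved"; rc=2 ;;
    esac
    rm -f "$tmp"
    return $rc
}

# Run from cron, e.g.: check_cert.sh oas.example.edu 1810 30
# (hostname and threshold are placeholders)
if [ $# -eq 3 ]; then check_listener "$1" "$2" "$3"; fi
```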

Some Potential Problems

If the certificate has expired you will likely get a Java error like this:

IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: X509CertExpiredErr

If this happens simply re-secure Application Server Control with the instructions above.

Sometimes Application Server Control will not shut down properly and you may get an error like this:

IOException in sending Request :: javax.net.ssl.SSLException: SSL handshake failed: SSLIOClosedOverrideGoodbyeKiss

If this happens you will probably have to kill the enterprise manager process (look for a process called emagent) and re-secure again.

oracle, oracle application server, oracle security