Installation procedure for servers running Oracle HTTP Server

Oracle HTTP Server (OHS) is essentially Apache, but the procedure for deploying a digital certificate differs in a few respects. We will do it with the Oracle Wallet Manager (OWM) utility. The two main steps are:

1. Create a Wallet to hold the digital certificate.
2. Configure httpd.conf (and ssl.conf) so that OHS supports SSL.

I. CONFIGURING OWM:

1. Start Oracle Wallet Manager: 

Note: If you wish to use AutoLogin features you must start OWM as the user who owns the httpd parent process.

To start Oracle Wallet Manager: 
 
     On Windows:  select Start > Programs > Oracle - ORACLE_HOME >
                         Integrated Management Tools > Wallet Manager 
 
     On UNIX: enter owm at the command line.

2. Create an Oracle Wallet which contains an SSL Certificate:

   - Select Wallet -> New
   - Enter a password for the wallet e.g Welcome1
   - Create a Certificate Request.
   - Enter the details for the request. For example:

        Common Name:   ebanking.abcbank.com.vn
        Organizational Unit:  IT Department
        Organization:   ABC Bank
        Location:  Ho Chi Minh
        State:   HCMC
        Country:  VN
        Key Size:  1024bits (for EV certificates, 2048bits must be used)
   
    * Common Name has to match the hostname.domainname that the webserver is
      known as. This is the Servername parameter in the httpd.conf file, and
      is the hostname.domainname that users will enter in the browser URL.
  
   - Click OK.
   - Click 'Certificate:[Requested]' and select from the Menu 'Operations' and
     'Export Certificate Request'
   - Save to a file e.g server.csr
   - Open the file in a text editor and copy the contents of the certificate
     signing request, to be pasted in a Certificate Authority (VeriSign) form.
  
An example is shown below:


3. Request a Certificate from a Certificate Authority (VeriSign)
 
      The signed certificate you receive should look similar to the following format.

-----BEGIN CERTIFICATE-----
(base64-encoded certificate data)
-----END CERTIFICATE-----

Note: It is very important that, from the moment the CSR is created and sent to VeriSign, the server is kept exactly as it is, i.e. no other CSR is created, because the issued certificate only matches the private key generated with that CSR. Otherwise, once VeriSign has validated the request and issued the certificate, we will not be able to use it.

Once you receive your signed certificate back from VeriSign

   - Copy the certificate to a file called server.crt
   - Get the Trusted CA Root certificate by accessing:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

Note: For EV certificates, both parts must be downloaded: the Intermediate CA Certificates (two of them, Primary and Secondary) and the Root CA Bundle. That makes 3 installs in total at this step, even though VeriSign's instructions say the Root CA Bundle alone is enough (in practice, in most cases it does not work if only that part is installed).

Then:

   - Ftp or move the files to a directory on your server
   - In Wallet Manager select Operations -> Import User Certificate.
   - It will then ask you if you want to Paste the certificate or load from a file. Choose 'Select a file that contains a certificate'.
   - Select the file server.crt and hit OK.
   - At this point, the Wallet Manager may complain that the Trusted CA Root Certificate does not exist in the wallet. It will ask if you want to import it now. Select Yes. *See Below*
   - Select 'Select a file that contains a certificate' and select the verisign_ssl_ca.cer file. Alternatively, choose Paste here to install the 3 certificates above one after another.
   - If this completes successfully you should see Certificate:[Ready] and the VeriSign Secure Server CA root will appear in the list of trusted certificates.
   - If you desire Oracle HTTP Server to AutoLogin to the Wallet, then select AutoLogin. (Wallet Manager must have been started as the owner of the httpd parent process for this to work).
   - From the menu, File -> Save
     Save the Wallet in a directory where the 9iAS user has permission to access
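
An added example (not from the original page or from Oracle): a POSIX shell check, using the openssl CLI, to run on server.csr before submitting it and again with server.crt before importing it into the wallet. It reports a key below the minimum size, a Common Name that differs from the hostname, and a certificate whose public key is not the one in the CSR (the situation the note above warns about). The function names and the 2048-bit default are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page. Requires the openssl CLI.
# Checks a CSR (and, once issued, the certificate) before touching the wallet.

csr_bits() {   # RSA key size of the CSR, in bits
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

csr_cn() {     # subject Common Name of the CSR, lower-cased
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' |
        head -n 1 | tr 'A-Z' 'a-z'
}

pubkey_fp() {  # pubkey_fp req|x509 FILE -> SHA-256 of the embedded public key
    pk=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pk" ] || return 1
    printf '%s\n' "$pk" | openssl dgst -sha256 | awk '{ print $NF }'
}

# check_issuance CSR HOSTNAME [CRT] [MIN_BITS]
# Prints one finding per line and returns 1 if there is any.
# MIN_BITS defaults to 2048 (assumption: the size this page requires for EV).
check_issuance() {
    csr=$1; host=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); crt=${3:-}; min=${4:-2048}
    rc=0
    bits=$(csr_bits "$csr")
    if [ -z "$bits" ]; then echo "CSR_UNREADABLE $csr"; return 1; fi
    if [ "$bits" -lt "$min" ]; then echo "WEAK_KEY $bits < $min"; rc=1; fi
    cn=$(csr_cn "$csr")
    if [ "$cn" != "$host" ]; then echo "CN_MISMATCH $cn != $host"; rc=1; fi
    if [ -n "$crt" ]; then
        want=$(pubkey_fp req "$csr") || want=""
        have=$(pubkey_fp x509 "$crt") || have=""
        if [ -z "$have" ] || [ "$want" != "$have" ]; then
            echo "CERT_DOES_NOT_MATCH_CSR $crt"; rc=1
        fi
    fi
    return "$rc"
}

# Command-line use: script.sh server.csr <hostname> [server.crt] [min_bits]
if [ "$#" -ge 2 ]; then check_issuance "$@"; fi
```

The hostname comparison is an exact, case-insensitive match, so a wildcard Common Name is reported as a mismatch and has to be reviewed by hand.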

II. CONFIGURING OHS:

Please review the default directives in the httpd.conf file that relate to SSL by
opening the file in a text editor and search on "SSL". If you have not already
done so, please make a back up of this file. Do NOT hand edit this file without reading
the precautions in the 9iAS Documentation. You should use the Enterprise Manager (EM)
Website to modify this file. For SSL to work, the SSL 'listen' port must match the
"VirtualHost _default_" directive within the file. All other SSL parameters are
set to the default, and you can modify at a later time, depending on your needs.

---
##  SSL Support
Listen 80
Listen 443
#443 is the SSL port number.

##Further down in file:
<VirtualHost _default_:443>
---

For the purposes of a basic SSL configuration, you should only need to
change the following directives:
       
        SSLWallet
        SSLWalletPassword

   - Change the SSLWallet directive to the path where you saved your wallet, i.e:
     SSLWallet file:/tmp/wallets

   - If you get an error, ADMN-906025 with exception 806212, when starting OHS
     after modifying httpd.conf, it is because you need to supply this password.
     You may also see errors such as the following:
    
          Error Failed to restart HTTP Server. 
          Timeout has been reached. Timeout has been reached.
 
     If you did not select AutoLogin, then you need to change the SSLWalletPassword
     to your clear text Wallet password by adding the following into your httpd.conf
     
     SSLWalletPassword <yourPassword>
  
   - If you wish to encrypt the SSLWalletPassword refer to the following: How to Use IASOBF to Encrypt a Wallet Password

   - Save the configuration, and restart Oracle HTTP Server

   - Test a URL to Oracle HTTP Server in SSL mode:
    
     https://<hostname.domainname>:<port>

Note:
If you intend to have more than one Virtual Host using SSL:
1. Each SSL Virtual Host must have a different port. There are no Name-Based
   Virtual Hosts for SSL.
2. Each SSL Virtual Host must have a different wallet or must get a wildcard certificate
   "*.domain.com"
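
An added example (not Oracle tooling): a POSIX shell/awk lint for httpd.conf or ssl.conf covering the points in section II: a VirtualHost port with no matching Listen, two SSL virtual hosts on one port, a wallet stored under a temp directory, and a wallet password present in the file. The finding names are assumptions of this example, and the sample file is constructed from the directives and values shown on this page.

```sh
#!/bin/sh
# Added example, not Oracle tooling: lint httpd.conf / ssl.conf for the SSL
# settings discussed on this page. One finding per line; no output = clean.
lint_ohs_ssl() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # skip blanks and comments
        { d = tolower($1) }
        d == "listen" {                             # Listen [addr:]port
            n = split($2, p, ":"); listen[p[n]] = 1
        }
        d == "<virtualhost" {                       # <VirtualHost addr:port>
            spec = $2; sub(/>.*/, "", spec)
            n = split(spec, p, ":")
            vport = (n > 1 && p[n] ~ /^[0-9]+$/) ? p[n] : ""
            if (vport != "") vhost[vport] = 1
        }
        d == "</virtualhost>" { vport = "" }
        d == "sslengine" && tolower($2) == "on" && vport != "" {
            if (++ssl[vport] == 2) print "DUPLICATE_SSL_VHOST_PORT " vport
        }
        d == "sslwallet" {                          # SSLWallet file:/path
            path = $2; sub(/^file:/, "", path)
            if (path ~ /^\/(var\/)?tmp(\/.*)?$/) print "WALLET_UNDER_TMP " path
        }
        d == "sslwalletpassword" { print "WALLET_PASSWORD_IN_CONFIG line " NR }
        END {
            for (port in vhost)
                if (!(port in listen)) print "VHOST_PORT_WITHOUT_LISTEN " port
        }
    ' "$1" | sort
}

# Constructed sample built from the directives and values shown on this page.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Listen 80
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLWallet file:/tmp/wallets
    SSLWalletPassword Welcome1
</VirtualHost>
EOF
    lint_ohs_ssl "$sample"
    rm -f "$sample"
else
    lint_ohs_ssl "$1"
fi
```

Run without arguments it lints the embedded sample; pass the path to a configuration file to lint that instead.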