Oracle HTTP Server Procedures
Creating a Wallet and Installing Certificate for Oracle HTTP Server
A default wallet is automatically installed with Oracle HTTP Server. You must configure a real wallet for each Oracle HTTP Server in your deployment.
Note: Starting with 11.2.x, Oracle Wallet Manager is not installed with Oracle HTTP Server. Oracle Wallet Manager is installed only if you install the Oracle Database Client. You must use the Wallet Manager available with the Database Client to create the wallet and import the certificate. If you are configuring Oracle HTTP Server for SSL, ensure that you always install the 64-bit Oracle Database Client as part of the installation of your EPM System products.
To create and install the Oracle HTTP Server certificate:
- On each machine that hosts Oracle HTTP Server, launch the Wallet Manager. Select Start, then All Programs, then Oracle-OHxxxxxx, then Integrated Management Tools, and then Wallet Manager. xxxxxx is the Oracle HTTP Server instance number.
- Create a new, empty Wallet.
  - In Oracle Wallet Manager, select Wallet, and then New.
  - Click Yes to create a default wallet directory, or No to create the Wallet file in a location of your choice.
  - In Wallet Password and Confirm Password on the New Wallet screen, enter the password that you want to use.
  - Click OK.
  - In the confirmation dialog box, click No.
- Optional: If you are not using a CA that is known to Oracle HTTP Server, import the root CA certificate into the Wallet.
  - In Oracle Wallet Manager, right-click Trusted Certificates and select Import Trusted Certificate.
  - Browse and select the root CA certificate.
  - Select Open.
- Create a certificate request.
  - In Oracle Wallet Manager, right-click Certificate: [Empty] and select Add Certificate Request.
  - In Create Certificate Request, enter the required information. For the common name, enter the fully qualified server alias; for example, epm.myCompany.com or epminternal.myCompany.com, available in the hosts file on your system.
  - Click OK.
  - In the confirmation dialog box, click OK.
  - Right-click the certificate request that you created, and then select Export Certificate Request.
  - Specify a name for the certificate request file.
- Using the certificate request files, obtain signed certificates from the CA.
- Import signed certificates.
  - In Oracle Wallet Manager, right-click the certificate request that was used to obtain the signed certificate, and then select Import User Certificate.
  - In Import Certificate, click OK to import the certificate from a file.
  - In Import Certificate, select the Certificate file, and then click Open.
- Save the Wallet to a convenient location; for example, EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/keystores/epmsystem.
- Select Wallet, and then Auto Login to activate auto login.
Setting Up Oracle Wallet Using ORAPKI (on Linux)
To set up Oracle Wallet using the ORAPKI command line, complete the following steps:
- Create a folder for your wallet:
  $ mkdir /MIDDLEWARE_HOME/oracle_common/wallet
- Add the location of the orapki utility to your path:
  $ export PATH=$PATH:$MIDDLEWARE_HOME/oracle_common/bin
- Create a wallet to hold your certificate:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet [wallet_location] -auto_login
  This command prompts you to enter and reenter a wallet password, if no password has been specified on the command line. It creates a wallet in the location specified for -wallet.
- Generate a certificate signing request (CSR) and add it to your wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -dn 'CN=<CommonName>,OU=<OrganizationUnit>, O=<Company>, L=<Location>, ST=<State>, C=<Country>' -keysize 512|1024|2048|4096 -pwd [Wallet_Password]
  Choose 2048 or larger; 512-bit and 1024-bit RSA keys are too weak for current use.
- Add the root and intermediate certificates into the trusted keystore:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -trusted_cert -cert [certificate_location] [-pwd]
- Use your CA (Certificate Authority) to sign the CSR (Certificate Signing Request). To export the certificate request from an Oracle Wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet export -wallet [wallet_location] -dn 'CN=<CommonName>,OU=<OrganizationUnit>, O=<Company>, L=<Location>, ST=<State>, C=<Country>' -request [certificate_request_filename] [-pwd]
- Import the certificate that the CA issued for the CSR into the wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet [wallet_location] -user_cert -cert [certificate_location] [-pwd]
- To display the contents of the wallet:
  $ MIDDLEWARE_HOME/oracle_common/bin/orapki wallet display -wallet [wallet_location] [-pwd]
SSL-Enabling Oracle HTTP Server
After reconfiguring the web server on each machine that hosts Oracle HTTP Server, update the Oracle HTTP Server configuration file by replacing the location of the default Wallet with the location of the wallet that you created.
To configure Oracle HTTP Server for SSL:
- Reconfigure the web server on each Oracle HTTP Server host machine in your deployment.
- Start EPM System Configurator for the instance.
- In the configuration task selection screen, complete these steps, and then click Next.
  - Clear the selection from Uncheck All.
  - Expand Hyperion Foundation task group, and then select Configure Web Server.
- In Configure Web Server, click Next.
- In Confirmation, click Next.
- In Summary, click Finish.
- Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/ssl.conf.
- Ensure that the SSL port you are using is listed under OHS Listen port. For example, if you are using 19443 as the SSL communication port, your entries should be as follows:
    Listen 19443
- Set the SSLSessionCache parameter value to none.
- Update the configuration settings of each Oracle HTTP Server in your deployment.
  - Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/ssl.conf.
  - Locate the SSLWallet directive and change its value so that it points to the wallet where you installed the certificate. If you created the wallet in EPM_ORACLE_INSTANCE/httpConfig/ohs/config/OHS/ohs_component/keystores/epmsystem, your SSLWallet directive may be as follows:
      SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/epmsystem"
  - Save and close ssl.conf.
- Update mod_wl_ohs.conf on each Oracle HTTP Server in your deployment.
  - Using a text editor, open EPM_ORACLE_INSTANCE/httpConfig/ohs/config/fmwconfig/components/OHS/ohs_component/mod_wl_ohs.conf.
  - Ensure that the WLSSLWallet directive points to the Oracle Wallet where the SSL certificate is stored.
      WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet
    For example, C:/Oracle/Middleware/ohs/bin/wallets/myWallet
  - Set the value of the SecureProxy directive to ON.
      SecureProxy ON
  - Ensure that the LocationMatch definitions for deployed Oracle Enterprise Performance Management System components are similar to the following Oracle Hyperion Shared Services example, which assumes an Oracle WebLogic Server cluster (on myserver1 and myserver2 using SSL port 28443):
      <LocationMatch /interop/>
        SetHandler weblogic-handler
        pathTrim /
        WeblogicCluster myServer1:28443,myServer2:28443
        WLProxySSL ON
      </LocationMatch>
  - Save and close mod_wl_ohs.conf.
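One way to check the result of the SSL-enabling procedure above, as an added example rather than Oracle's own tooling: the script parses the text of ssl.conf and mod_wl_ohs.conf and reports each step that was left undone. The two sample files are constructed, and treating a wallet directory named default as the wallet shipped with Oracle HTTP Server is an assumption.

```python
# Constructed sample files (not from a real deployment), each with deliberate gaps.
SSL_CONF = '''Listen 19443
<VirtualHost *:19443>
  SSLSessionCache "shmcb:logs/ssl_scache(512000)"
  SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
</VirtualHost>'''
MOD_WL_CONF = '''WLSSLWallet MIDDLEWARE_HOME/ohs/bin/wallets/myWallet
SecureProxy ON
<LocationMatch /interop/>
  SetHandler weblogic-handler
  WeblogicCluster myServer1:28443,myServer2:28443
</LocationMatch>'''

def directives(text):
    """Yield (innermost enclosing section or None, lowercased name, value)."""
    stack = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith('</'):
            del stack[-1:]  # tolerate an unbalanced close tag
        elif line.startswith('<'):
            stack.append(line.strip('<>'))
        elif line and not line.startswith('#'):
            name, value = (line.split(None, 1) + [''])[:2]
            yield (stack[-1] if stack else None), name.lower(), value.strip('"')

def audit(ssl_conf, mod_wl_conf, ssl_port):
    """Return findings; an empty list means every step of the procedure checks out."""
    ssl, wl = list(directives(ssl_conf)), list(directives(mod_wl_conf))
    values = lambda conf, name: [v for _, n, v in conf if n == name]
    findings = []
    if str(ssl_port) not in [v.rsplit(':', 1)[-1] for v in values(ssl, 'listen')]:
        findings.append(f'ssl.conf: no Listen entry for port {ssl_port}')
    if [v.lower() for v in values(ssl, 'sslsessioncache')] != ['none']:
        findings.append('ssl.conf: SSLSessionCache is not none')
    wallets = values(ssl, 'sslwallet')
    # Assumption: the default wallet sits in a directory named "default".
    if not wallets or any(w.rstrip('/').endswith('/default') for w in wallets):
        findings.append('ssl.conf: SSLWallet missing or still the default wallet')
    if not values(wl, 'wlsslwallet'):
        findings.append('mod_wl_ohs.conf: WLSSLWallet is not set')
    if [v.upper() for v in values(wl, 'secureproxy')] != ['ON']:
        findings.append('mod_wl_ohs.conf: SecureProxy is not ON')
    for sec in sorted({s for s, n, _ in wl if s and n == 'weblogiccluster'}):
        if ('wlproxyssl', 'ON') not in {(n, v.upper()) for s, n, v in wl if s == sec}:
            findings.append(f'mod_wl_ohs.conf: <{sec}> lacks WLProxySSL ON')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(SSL_CONF, MOD_WL_CONF, 19443)) or 'all checks passed')
```

To audit a real host, pass the contents of the two files from the ohs_component directory instead of the samples.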