Enabling HTTPS/SSL on Oracle ASR Manager
You can use either a root-signed certificate or a self-signed certificate to enable HTTPS/SSL on Oracle ASR Manager.
- Generate and install the SSL Certificate into the Key Store specific to the Java/JDK used by Oracle ASR Manager.
  - Generate the Certificate Signing Request.
    - Go to the /java/bin directory and create the keystore file.
      # keytool -genkey -alias aliasName -keyalg keyAlgorithm -keysize keySize -sigalg signatureAlgorithm -keystore keyStoreFile.jks
    - Enter the valid key store password and specify the key password.
    - Enter the Country, Locality, Organization and Common Name. If prompted for the first and last name, enter the host name of the machine where Oracle ASR Manager is installed.
    - Enter the following command:
      # keytool -certreq -alias aliasName -keystore keyStoreFile.jks -sigalg signatureAlgorithm -file certRequestFile.cer
    - Enter the valid key store password and specify the key password.
    - Submit the Certificate Signing Request certRequestFile.cer to the Certificate Authority, and request a Certificate.
  - Install the Certificate after you receive it from the Certificate Authority.
    # keytool -import -trustcacerts -alias aliasName -file certFileFromCA -keystore keyStoreFile.jks
    After running the keytool -import command, enter the valid key store password and specify the key password.
- When the SSL certificate from a trusted authority has been loaded into the keystore, perform the following tasks on Oracle ASR Manager:
  The Trust Store information is the same as the Key Store information.
  - Set the IP address.
    # asr
    asr> set_property org.osgi.service.http.host IP_address_of_ASR_manager
  - Set the HTTPS port.
    Note: The value of org.osgi.service.http.port.secure should match the HTTPS port configured on Oracle ASR Manager. The value should be set to the same value as displayed for "HTTP Port" or "HTTPS/SSL Port" in the output of the command: asr show_http_receiver
    asr> set_property org.osgi.service.http.port.secure https_port
  - Set the path to the keystore file.
    asr> set_property org.apache.felix.https.keystore https_keystore
  - Set the keystore password.
    asr> set_property org.apache.felix.https.keystore.password https_keystore_password
  - Set the key password.
    asr> set_property org.apache.felix.https.keystore.key.password https_keystore_key_password
  - Set the path of the truststore to the same path as the keystore file.
    asr> set_property org.apache.felix.https.truststore https_truststore
  - Set the truststore password to the same value as the keystore password.
    asr> set_property org.apache.felix.https.truststore.password https_truststore_password
  - Enable HTTPS for Oracle ASR Manager.
    asr> set_property org.apache.felix.https.enable true
  The passwords in the above commands can be plain text or obfuscated, as shown in the following example:
    jar -xvf /opt/asrmanager/lib/com.oracle.asr.http.receiver.jar
    java -classpath org.apache.felix.http.bundle-2.2.0.jar org.mortbay.jetty.security.Password plain-text-password
  After running these Java commands, the output shows the obfuscated password. Obfuscated password values are denoted by the prefix OBF:. Copy and paste the output line starting with OBF: (including the text 'OBF:') into the above Oracle ASR commands instead of the plain text password. The following is an example of the output.
    2018-05-04 09:34:17.429:INFO::main: Logging initialized @118ms
    password
    OBF:1v2j20771x1b206z
    MD5:5f4dcc9ac6b3e1a84cebb7b40329cf99
- Restart Oracle ASR Manager.
$ service asrm restart
- Verify the SSL setup by accessing the following URL from a browser:
https://<asr_manager_host>/asr
- On each database server and storage server, import the certificate used to enable HTTPS/SSL.
  keytool -import -trustcacerts -keystore keystore_location -storepass keystore_password -noprompt -alias cert_alias_name -file cert_file_path
  In the keytool command, specify the keystore_location value as follows:
  - On each storage server, specify /opt/oracle/cell/cellsrv/java/lib/security/cacerts.
  - On each database server, use /opt/oracle/dbserver/dbms/java/lib/security/cacerts.
- Verify the certificate has been imported.
keytool -list -v -keystore keystore_location -storepass keystore_password
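
The OBF: form described in the password step above is a keyless encoding: it hides a password from casual viewing, but anyone who can read the value can reverse it. The following Python sketch is an added example, not Oracle's or Jetty's code; it reimplements the Jetty Password obfuscation for ASCII passwords only (an assumption), and the property values in SAMPLE are constructed.

```python
# Added illustration, not Oracle or Jetty code. Assumes ASCII-only passwords.
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    """Render a non-negative integer in base 36, zero-padded to 4 characters."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(4, "0")


def obfuscate(password):
    """Encode an ASCII password in the OBF: form; no key or salt is involved."""
    b = password.encode("ascii")
    blocks = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]  # byte mirrored from the other end
        i1, i2 = 127 + b1 + b2, 127 + b1 - b2
        blocks.append(_to_base36(i1 * 256 + i2))
    return "OBF:" + "".join(blocks)


def deobfuscate(value):
    """Recover the password from an OBF: value using arithmetic alone."""
    body = value[4:] if value.startswith("OBF:") else value
    out = bytearray()
    for k in range(0, len(body), 4):
        i1, i2 = divmod(int(body[k:k + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)
    return out.decode("ascii")


def audit(properties):
    """Label each *.password property by how its value is stored."""
    report = {}
    for name, value in properties.items():
        if name.endswith("password"):
            report[name] = "obfuscated-reversible" if value.startswith("OBF:") else "plaintext"
    return report


# Constructed sample values, not taken from a real system.
SAMPLE = {
    "org.apache.felix.https.keystore.password": obfuscate("password"),
    "org.apache.felix.https.keystore.key.password": "password",
    "org.apache.felix.https.enable": "true",
}
```

Because both labels describe a recoverable password, restrict read access to wherever these property values and the keystore file are stored.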