Eclipse crashes and the process stack shows org.eclipse.swt.internal.mozilla.XPCOM._NS_InitXPCOM2(JJJ)I+0
While working in the Eclipse IDE, when you open Javadocs, use auto-complete, or do anything else that requires launching the internal browser, Eclipse crashes. The generated process dump shows the stack below.
This indicates that:
a. You have an Eclipse version from 3.8 to 4.2.
b. You have Firefox 13 or above installed, and Eclipse is using it as the default browser through XULRunner.
The problem is that these Eclipse versions support XULRunner 10, not the XULRunner 13 that ships with the Firefox installation by default.
So the fix is to have the XULRunner 10 binaries on your box and point Eclipse to them.
1. Download XULRunner 10
2. Extract it
>tar -xvjf xulrunner-10.0.en-US.linux-x86_64.tar.bz2
3. Edit eclipse.ini and add the following to point Eclipse to XULRunner 10
Well, this is going to be all command line and no GUI, as the latter hides a lot of details from you.
OHS is a 'rebranded' Apache HTTP Server, and there are slight differences between the two when it comes to configuring SSL.
In OHS you have mod_ossl in place of mod_ssl as the SSL module, and it doesn't support the following directives:
The gist of it is that we cannot use the certificate and key directly in the configuration; instead we need a wallet.
Generally, to establish an SSL channel between a client and a server we need:
- Server certificate (read: public key)
- CA certificate which signed it
We are talking about one-way SSL, where the server proves its identity to the client.
The server certificate and its private key need to be imported into the wallet, which our server (OHS) can access, and the CA certificate needs to be imported into the client, say a browser, so that the browser can verify the server certificate.
We need to create a CA-signed server certificate exclusively for our server, which it can present to clients during the SSL handshake. For that we need to create a CSR (Certificate Signing Request) with our domain details and send it to a CA, say VeriSign, who, after accepting the 'payment', verifies the CSR details and signs it to provide us the certificate.
Now, as I don't have that kind of money to pay the CA, I will be my own CA!
First we will create a 'self-signed' CA certificate which can sign our server certificate, and OpenSSL is our go-to guy for all such tasks!
Create CA certificate.
Edit /etc/pki/tls/openssl.cnf to change dir to /etc/pki/CA under [CA_default].
1. Create the following directories under /etc/pki/CA
- certs (to store the CA certificate)
- crl (revocation list, if any)
- newcerts (to store server certificates signed by the CA)
- private (stores the CA private key)
2. Create the files below under /etc/pki/CA
- index.txt (database index file for tracking issued certificates)
- serial (current serial number; it will match the entries in index.txt)
We can start the numbering from, say, 1000:
$echo 1000 > serial
3. View/edit /etc/pki/tls/openssl.cnf to make sure [usr_cert] and [v3_ca] have the following contents
4. Now create the key pair (private key and CSR, the Certificate Signing Request) for the CA
$openssl req -new -newkey rsa:2048 -keyout /etc/pki/CA/private/MyCAKey.pem -out /etc/pki/CA/private/MyCAReq.pem -config /etc/pki/tls/openssl.cnf
You will be prompted to provide a password; this is the passphrase that protects the CA private key.
You will also need to provide CSR details like Country Name, CN etc. No need to worry much about this, as it is going to be self-signed. I prefer keeping it simple and giving MyCA as both the Organization Name and the Common Name.
The private key will be created as /etc/pki/CA/private/MyCAKey.pem and the CSR as /etc/pki/CA/private/MyCAReq.pem
5. Self-sign the CSR to create the CA certificate
$openssl ca -out /etc/pki/CA/certs/MyCACert.pem -days 365 -keyfile /etc/pki/CA/private/MyCAKey.pem -selfsign -extensions v3_ca -config /etc/pki/tls/openssl.cnf -infiles /etc/pki/CA/private/MyCAReq.pem
When prompted, provide the password you gave while creating the CSR (it keeps the private key secret).
The CA certificate will be created as /etc/pki/CA/certs/MyCACert.pem
Create a CSR for server certificate.
Now, just like we created a CSR for the CA, we are going to create one for our server certificate; but there is a twist. We will snub OpenSSL and go for 'orapki' this time.
orapki is a command line utility from Oracle to manage certificates and wallets, and it can be found under $ORACLE_HOME/oracle_common/bin of your OHS installation.
If we create the CSR with orapki we save the step of copying the private key into the wallet, as it is automatically stored in the wallet in the process.
- Create the wallet
$./orapki wallet create -wallet /wallet/mywallet -auto_login_only
-auto_login_only: otherwise you will have to provide the wallet password every single time the server starts.
The wallet cwallet.sso will be created under /wallet/mywallet
- Create a CSR for the server certificate
$./orapki wallet add -dn "cn=<domain>,ou=<OU>,o=<Org>" -keysize 2048 -wallet /wallet/mywallet -auto_login_only
<domain>: your server domain, like mycompany.com
<OU>: org unit, say Finance
<Org>: org, say mycompany
Now when you display the wallet contents the CSR will be listed:
$./orapki wallet display -wallet /wallet/mywallet
- Export the CSR to sign
Export the server CSR from the wallet so we can sign it using our CA.
$./orapki wallet export -wallet /wallet/mywallet -dn "cn=mycompany.com,ou=Finance,o=mycompany" -request /wallet/mywallet/mysrvcsr.csr
The CSR will be exported as /wallet/mywallet/mysrvcsr.csr
Sign the server CSR using CA.
$openssl ca -keyfile /etc/pki/CA/private/MyCAKey.pem -cert /etc/pki/CA/certs/MyCACert.pem -extensions usr_cert -notext -md sha256 -in /scratch/wallet/mywallet/mysrvcsr.csr -out /scratch/wallet/mywallet/mysrvcert.cert
You will be prompted to enter the CA private key password.
The server certificate will be created as /wallet/mywallet/mysrvcert.cert, and you can view it using openssl:
$openssl x509 -in /wallet/mywallet/mysrvcert.cert -text -noout
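The CA creation and CSR signing steps above, run end to end as an added example that is not part of the original post: it builds a throwaway CA with the post's directory layout (certs, crl, newcerts, private, index.txt, serial), self-signs it, signs a server CSR with it, and then checks that the server certificate chains to the CA, which is exactly what a browser does once the CA certificate is imported. It assumes the openssl CLI is installed; the minimal openssl.cnf, all names and the temp paths are constructed for the demo, and the server CSR is generated with openssl here instead of orapki.

```shell
# Added example (not from the original post): throwaway CA + server cert + chain check.
# Assumes the openssl CLI. The config, names and paths below are constructed for the demo.
set -eu

build_ca_and_sign() {
    ca=$(mktemp -d); mkdir "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"   # post step 1
    : > "$ca/index.txt"; echo 1000 > "$ca/serial"                              # post step 2
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
organizationName = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF
    # post steps 4-5: CA key + CSR, then self-sign it (-nodes/-batch only skip the prompts)
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=MyCA/CN=MyCA" -config "$ca/openssl.cnf" \
        -keyout "$ca/private/MyCAKey.pem" -out "$ca/private/MyCAReq.pem" >/dev/null 2>&1
    openssl ca -batch -selfsign -notext -extensions v3_ca -config "$ca/openssl.cnf" \
        -keyfile "$ca/private/MyCAKey.pem" -out "$ca/certs/MyCACert.pem" -infiles "$ca/private/MyCAReq.pem" >/dev/null 2>&1
    # server CSR (orapki keeps this key inside the wallet), then sign it with the post's options
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=mycompany/OU=Finance/CN=mycompany.com" \
        -config "$ca/openssl.cnf" -keyout "$ca/srv.key" -out "$ca/mysrvcsr.csr" >/dev/null 2>&1
    openssl ca -batch -extensions usr_cert -notext -md sha256 -config "$ca/openssl.cnf" \
        -keyfile "$ca/private/MyCAKey.pem" -cert "$ca/certs/MyCACert.pem" \
        -in "$ca/mysrvcsr.csr" -out "$ca/mysrvcert.cert" >/dev/null 2>&1
    # the check a client performs with the CA cert imported: does the server cert chain to it?
    openssl verify -CAfile "$ca/certs/MyCACert.pem" "$ca/mysrvcert.cert" >/dev/null && echo chain-ok
}
```

Run build_ca_and_sign and it prints chain-ok when the issued server certificate verifies against the CA; the same openssl verify line is a quick sanity check against a real CA directory before importing anything into the wallet.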
Import CA and server certificate into the wallet.
1. Import the CA certificate into the wallet
$./orapki wallet add -wallet /wallet/mywallet -trusted_cert -cert /etc/pki/CA/certs/MyCACert.pem -auto_login_only
2. Import the server certificate into the wallet
$./orapki wallet add -wallet /scratch/wallet/mywallet -user_cert -cert /scratch/wallet/mywallet/mysrvcert.cert -auto_login_only
You can display the wallet contents and see both the server and CA certificates.
Sigh! We have completed all the difficult steps. It's all easy from here on.
Move the wallet, cwallet.sso, to <ORACLE_HOME>/instances/instance1/config/OPMN/opmn/wallet
- Edit ssl.conf so OHS can locate the wallet, using the SSLWallet directive.
If your OHS acts as a proxy to an application server, say WebLogic, where the application is actually deployed:
- Set SSLWallet to the above path under the SSL VirtualHost
- Use the mod_wl_ohs module to proxy the requests to the app server
Note: in such configurations SSL terminates at OHS, and all communication between OHS and WebLogic is plain HTTP.
Import CA certificate into a browser.
1. Before importing the CA certificate into Firefox we need to convert it from PEM to DER format, which Firefox understands.
$openssl x509 -in /etc/pki/CA/certs/MyCACert.pem -outform der -out /scratch/wallet/mywallet/MyCACert.crt
2. Import the certificate to Firefox
Options > Certificates > View Certificates > Import
3. Point Firefox to your server URL
You will see the following when you click the lock button in the browser!
We are done!