
JAR CODE SIGN

1. Key creation:
   adjkey -initialize -keysize 2048 -alias LKcorp

2. CSR creation:
   keytool -sigalg SHA256withRSA -certreq -keystore adkeystore.dat -file adkeystore.csr -alias LKcorp

3. CSR validation:
   openssl req -text -noout -verify -in adkeystore.csr

   Before the import, remove the .dat file and the adsign.txt file (NE_BASE location).

4. Import:
   adjkey -keystore adkeystore.dat -storepass myxuan -import -alias LKcorp -trustcacerts -file adkeystore64.cer

5. Key view:
   keytool -list -v -keystore adkeystore.dat

6. In case of using keytool:
   keytool -import -file adkeystore64.cer -trustcacerts -alias LKcorp -keystore adkeystore.dat -storepass oraclest -keypass oracle12 -v

   (or)

   keytool -import -trustcacerts -alias LKcorp -file LK*Corporation.p7b -keystore adkeystore.dat -storepass oraclest -keypass oracle12 -v

7. Key view:
   keytool -list -v -keystore adkeystore.dat

8. Regenerate the product JARs using adadmin.

The most current version of this document can be obtained through My Oracle Support Knowledge Document 1591073.1.

Validation:


[applmgr@server scripts]$ cd $COMMON_TOP/java/classes/oracle/apps/fnd/jar

[applmgr@server jar]$ jarsigner -verify -verbose -certs fndall.jar|head -10
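An added check for the validation step above (not from the original post): it reads the whole jarsigner output, where `head -10` shows only the first entries, and flags entries that carry no verified signature. The function and the sample outputs are constructed; the jar and class names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate the complete output of
# "jarsigner -verify -verbose -certs <jar>" rather than its first ten lines.
# Pass only if jarsigner ends with "jar verified." AND every class/resource
# entry carries the "s" flag; jarsigner still prints "jar verified." when
# unsigned entries exist, so the flags must be checked. Samples are constructed.

# jar_verify_ok <jarsigner-output-text>
# Prints "verified", "unsigned-entries:<n>" or "not-verified"; exit 0 only for "verified".
jar_verify_ok() {
    result=$(printf '%s\n' "$1" | awk '
        # entry lines: "[flags] <size> <Day> <Mon> <dd> <time> <zone> <year> <path>"
        $1 ~ /^[smkiX?]+$/ && $2 ~ /^[0-9]+$/        { entry($NF, $1); next }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[A-Z][a-z][a-z]$/ { entry($NF, ""); next }
        /^jar verified\.$/                           { verified = 1 }
        function entry(name, flags) {
            # manifest/signature files and directories are not signed payload
            if (name ~ /^META-INF\// || name ~ /\/$/) return
            if (flags !~ /s/) unsigned++
        }
        END {
            if (unsigned > 0)  print "unsigned-entries:" unsigned
            else if (verified) print "verified"
            else               print "not-verified"
        }')
    echo "$result"
    [ "$result" = "verified" ]
}

# Constructed sample: a fully signed jar (entries, cert line, legend, trailer as jarsigner prints them).
SIGNED_OUTPUT='
         193 Fri Mar 01 10:00:00 UTC 2019 META-INF/MANIFEST.MF
         252 Fri Mar 01 10:00:00 UTC 2019 META-INF/LKCORP.SF
        1536 Fri Mar 01 10:00:00 UTC 2019 META-INF/LKCORP.RSA
           0 Fri Mar 01 10:00:00 UTC 2019 oracle/apps/fnd/
sm      4120 Fri Mar 01 10:00:00 UTC 2019 oracle/apps/fnd/Example.class
      X.509, CN=LKcorp, OU=Applications, O=Example Corp, C=US
  s = signature was verified
jar verified.'

# Constructed sample: one class listed in the manifest but never signed.
TAMPERED_OUTPUT='
sm      4120 Fri Mar 01 10:00:00 UTC 2019 oracle/apps/fnd/Example.class
m        900 Fri Mar 01 10:00:00 UTC 2019 oracle/apps/fnd/Added.class
jar verified.'

# Real use: jar_verify_ok "$(jarsigner -verify -verbose -certs fndall.jar 2>&1)"
jar_verify_ok "$SIGNED_OUTPUT"
jar_verify_ok "$TAMPERED_OUTPUT" || echo "re-sign the jar before deploying"
```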

SSL certificate update after expiry using orapki

### Check wallet and OHS home locations ###
[user@servername ~]$ export ORACLE_HOME=/xxxq1/xxxapp/ohshome
[user@servername ~]$ cd $ORACLE_HOME/wallet_bisuctproject
[user@servername wallet_bisuctproject]$ ls
AddTrustExternalCARoot.ccc  cwallet.sso      ewallet.p12      servername_cloud_ge_com.ccc  TrustedSecureCertificateAuthority5.ccc
certs                       cwallet.sso.lck  ewallet.p12.lck  server.csr                     USERTrustRSAAddTrustCA.ccc


[user@servername wallet_bisuctproject]$ cat server.csr
(PEM-encoded certificate request body omitted)


###CHECK WALLET HOME LOCATION###
cd $ORACLE_HOME/wallet_bisuctproject

###MOVE OLD CERTS directory and CREATE NEW CERTS DIRECTORY######
mv -i certs certsold
mkdir certs

###COPY GIVEN CERTIFICATES TO THIS FOLDER####
[user@servername wallet_bisuctproject]$ cd certs
[user@servername certs]$ ls
AddTrustExternalCARoot.ccc  servername_cloud_ge_com.ccc  TrustedSecureCertificateAuthority5.ccc  USERTrustRSAAddTrustCA.ccc
[user@servername certs]$ pwd
/xxxq1/xxxapp/ohshome/wallet_bisuctproject/certs

###TO ADD THE TRUSTED CERTIFICATES AND THE USER CERTIFICATE####
[user@servername certs]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet_bisuctproject -trusted_cert -cert $ORACLE_HOME/wallet_bisuctproject/certs/USERTrustRSAAddTrustCA.ccc -pwd welcomegrc123
[user@servername certs]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet_bisuctproject -trusted_cert -cert $ORACLE_HOME/wallet_bisuctproject/certs/TrustedSecureCertificateAuthority5.ccc -pwd welcomegrc123
[user@servername certs]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet_bisuctproject -user_cert -cert $ORACLE_HOME/wallet_bisuctproject/certs/servername_cloud_ge_com.ccc -pwd welcomegrc123

####TO DISPLAY WALLET INFORMATION###
[user@servername ~]$ $ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet $ORACLE_HOME/wallet_bisuctproject  -summary -pwd welcomegrc123
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
Subject:        CN=servername.domainname.com,OU=Enterprise SSL,O=BISCUT COMPANY ,L=Boston,ST=MA,C=US
User Certificates:
Trusted Certificates:
Subject:        CN=Trusted Secure Certificate Authority 5,O=Corporation Service Company,L=Wilmington,ST=DE,C=US
Subject:        CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Subject:        CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US 

SSO configuration

- Take a backup of the httpd.conf file.
- Place the osso.conf file in any location on the server.
- Modify httpd.conf by adding the osso.conf file, and add the required consoles with authentication type SSO (AuthType Osso) inside the IfModule block.

Example:
 RewriteEngine On
 RewriteOptions inherit
 LoadModule osso_module "/p01/pnfmwp01/ren/soa/fmwhm/oraohs/ohs/modules/mod_osso.so"

 <IfModule osso_module>
 OssoIpCheck off
 OssoIdleTimeout off
 OssoConfigFile "/p01/pnfmwp01/ren/soa/admin/osso/soa_osso/osso.conf"
 OssoSecureCookies off

 <Location /console>
 require valid-user
 AuthType Osso
 </Location>

 <Location /em>
 require valid-user
 AuthType Osso
 </Location>

 <Location /consolehelp>
 require valid-user
 AuthType Osso
 </Location>

 <Location /wsm-pm>
 require valid-user
 AuthType Osso
 </Location>

 #<Location /soa-infra>
 #require valid-user
 #AuthType Osso
 #</Location>

 # SOA inspection.wsil
 <Location /inspection.wsil>
 require valid-user
 AuthType Osso
 </Location>
 # Worklist

 #Adam Advised to comment out done by rajesh
 #<Location /integration>
 #require valid-user
 #AuthType Osso
 #</Location>


 <Location /b2bconsole>
 require valid-user
 AuthType Osso
 </Location>

 # SOA composer application
 <Location /soa/composer>
 require valid-user
 AuthType Osso
 </Location>

 <Location /bpm/composer>
 require valid-user
 AuthType Osso
 </Location>

 # BPM
 <Location /bpm/workspace>
 require valid-user
 AuthType Osso
 </Location>


 <Location /OracleBAM >
 require valid-user
 AuthType Osso
 </Location>

 #Adam asked to comment out done by Rajesh
 #<Location /OracleBAMWS >
 #require valid-user
 #AuthType Osso
 #</Location>

 # Commented for Oracle DI agent

 # ODI Agent
 #<Location /odiconsole>
 #require valid-user
 #AuthType Osso
 #</Location>


 #ODI Explorer
 #<Location /odirepex>
 #require valid-user
 #AuthType Osso
 #</Location>

 #ODI Webservices
 #<Location /oracledisdkws>
 #require valid-user
 #AuthType Osso
 #</Location>
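An added audit of the configuration above (not part of the original post): for each Location block it reports whether SSO enforcement is actually in effect, treating the commented-out blocks as unprotected, and it reports the OssoSecureCookies setting. The fragment it runs on is constructed to mirror the example; the osso.conf path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit which paths in a mod_osso
# httpd.conf fragment are really SSO-protected. A Location block counts only if
# it is not commented out AND has both "AuthType Osso" and "require valid-user";
# commented-out blocks (like /soa-infra above) are reported as unprotected since
# the server ignores them. OssoSecureCookies is reported too: "off" lets the SSO
# cookie be sent over plain HTTP. The fragment below is constructed.

# osso_coverage <httpd-conf-text> : prints "<path> protected|unprotected" per Location block
osso_coverage() {
    printf '%s\n' "$1" | awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        match(line, /^#?<Location[ \t]+[^ \t>]+/) {
            hdr = substr(line, RSTART, RLENGTH)
            commented = (substr(hdr, 1, 1) == "#")
            sub(/^#?<Location[ \t]+/, "", hdr)
            path = hdr; auth = 0; req = 0; next
        }
        path != "" && line ~ /^AuthType[ \t]+Osso/         { auth = 1 }
        path != "" && line ~ /^[Rr]equire[ \t]+valid-user/ { req = 1 }
        path != "" && line ~ /^#?<\/Location>/ {
            status = (!commented && auth && req) ? "protected" : "unprotected"
            print path, status; path = ""
        }'
}

# osso_secure_cookies <httpd-conf-text> : prints the OssoSecureCookies value, or "unset"
osso_secure_cookies() {
    printf '%s\n' "$1" | awk '$1 == "OssoSecureCookies" { v = $2 } END { print (v == "" ? "unset" : v) }'
}

# Constructed fragment in the shape of the SSO configuration above.
SAMPLE_CONF='<IfModule osso_module>
 OssoIpCheck off
 OssoSecureCookies off
 <Location /console>
 require valid-user
 AuthType Osso
 </Location>
 #<Location /soa-infra>
 #require valid-user
 #AuthType Osso
 #</Location>
 <Location /wsm-pm>
 require valid-user
 </Location>
</IfModule>'

osso_coverage "$SAMPLE_CONF"            # /console protected; /soa-infra and /wsm-pm unprotected
echo "OssoSecureCookies: $(osso_secure_cookies "$SAMPLE_CONF")"
```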


Create Service Provider
- Home > Summary of Security Realms > myrealm > Providers


SSL Implementation on Standalone OHS 12



- Create a Wallet or Keystore
- Generate a Certificate Signing Request (CSR)
- Send the CSR to a Certificate Authority (CA)
- Import the Trusted CA Certificate(s)
- Import the Server Certificate
- Modifications in the SSL config file
- Validation of OHS on the SSL port
- Port modification according to the SSO-enabled port
- Bounce the application
- Sanity checks

Create a Wallet or Keystore:
[xxxxxxd1@oxxxxxxx3dv ohshome]$ $ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet $ORACLE_HOME/wallet -auto_login
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Enter password:  
Enter password again:  
Operation is successfully completed.

Generate a Certificate Signing Request (CSR):

Export the Certificate Signing Request:

[xxxxxxd1@oxxxxxxx3dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet $ORACLE_HOME/wallet -dn 'CN=oxxxxxxx3dv.bom.com, OU=Enterprise SSL, O=Biscut Electric Company, L=Boston, ST=MA, C=US' -request $ORACLE_HOME/wallet/server.csr -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

Send server.csr to the CA team for certificate signing.

1. Root: AddTrustExternalCARoot
2. Intermediate 1: USERTrustRSAAddTrustCA
3. Intermediate 2: TrustedSecureCertificateAuthority5
4. Domain: oxxxxxxx3dv_bcom_com

We have received the above four certificates from the CA team.

Import the Trusted Certificates into the Wallet:

[xxxxxxd1@oxxxxxxx3dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -trusted_cert -cert $ORACLE_HOME/wallet/AddTrustExternalCARoot.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[xxxxxxd1@oxxxxxxx3dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -trusted_cert -cert $ORACLE_HOME/wallet/USERTrustRSAAddTrustCA.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[xxxxxxd1@oxxxxxxx3dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -trusted_cert -cert $ORACLE_HOME/wallet/TrustedSecureCertificateAuthority5.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
[xxxxxxd1@oxxxxxxx3dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -user_cert -cert $ORACLE_HOME/wallet/oxxxxxxx3dv_bcom_com.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.
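An added check (not from the original post) for the wallet state after these imports, and equally for the renewal procedure in the earlier post on this page: it parses the `orapki wallet display -summary` text and tells a still-pending CSR apart from an installed server certificate. The subjects and the CN ohs.example.com are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check what "orapki wallet display
# -wallet <dir> -summary" prints after the imports above (the same check fits
# the certificate-renewal post earlier on this page). orapki lists a pending CSR
# under "Requested Certificates:"; only when "-user_cert" pairs with the wallet
# private key does the subject move to "User Certificates:", and until then OHS
# has no usable server certificate. The summaries below are constructed.

# wallet_summary_ok <summary-text> <server-CN> : prints OK, PENDING or MISSING; exit 0 only for OK
wallet_summary_ok() {
    state=$(printf '%s\n' "$1" | awk -v cn="$2" '
        /^Requested Certificates:/ { sec = "req";   next }
        /^User Certificates:/      { sec = "user";  next }
        /^Trusted Certificates:/   { sec = "trust"; next }
        /^Subject:/ && index($0, "CN=" cn) { seen[sec] = 1 }
        END {
            if (seen["user"])     print "OK"
            else if (seen["req"]) print "PENDING"
            else                  print "MISSING"
        }')
    echo "$state"
    [ "$state" = "OK" ]
}
# wallet_trusted_count <summary-text> : number of subjects under Trusted Certificates
wallet_trusted_count() {
    printf '%s\n' "$1" | awk '
        /^Trusted Certificates:/      { sec = "trust"; next }
        /^[A-Za-z ]+:$/               { sec = "" }
        sec == "trust" && /^Subject:/ { n++ }
        END { print n + 0 }'
}

# Constructed CA chain section, shared by both samples.
TRUSTED='Trusted Certificates:
Subject:        CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
Subject:        CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US'
SERVER_SUBJECT='Subject:        CN=ohs.example.com,OU=Enterprise SSL,O=Example Corp,L=Boston,ST=MA,C=US'
# Constructed: CSR exported but the signed certificate not yet (or unsuccessfully) imported.
PENDING_SUMMARY="Requested Certificates:
$SERVER_SUBJECT
User Certificates:
$TRUSTED"
# Constructed: signed certificate paired with the private key.
INSTALLED_SUMMARY="Requested Certificates:
User Certificates:
$SERVER_SUBJECT
$TRUSTED"
wallet_summary_ok "$PENDING_SUMMARY" ohs.example.com || echo "server cert not installed; do not bounce OHS yet"
wallet_summary_ok "$INSTALLED_SUMMARY" ohs.example.com && echo "trusted certs: $(wallet_trusted_count "$INSTALLED_SUMMARY")"
```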

Modifications in ssl config file:
Update the wallet path in ssl.conf

    #SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
    SSLWallet "/orpacgd1/grcapp/ohshome/wallet"

The Wallet is now ready to use with Oracle HTTP Server (OHS):

After the OHS bounce completes, verify that OHS can be opened on the SSL port.


Change the SSL port in the ssl.conf file to the SSO-enabled port:

[xxxxxxd1@oxxxxxxx3dv ohs1]$ diff ssl.conf ssl.conf-bkp12mar18
8c8
< Listen oxxxxxxx3dv.bom.com:8000
---
> Listen oxxxxxxx3dv.bom.com:8443
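Review bot: the argument order `diff ssl.conf ssl.conf-bkp12mar18` makes the `<` line the live file and the `>` line the backup, so this hunk records the listener moving from 8443 to 8000; say so next to the diff (or diff the backup first) so a reader does not apply it in reverse, and confirm that no plain-HTTP `Listen` or VirtualHost for oxxxxxxx3dv.bom.com:8000 remains in httpd.conf or its included files, so that only the SSL VirtualHost answers on the SSO-enabled port.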
37c37
< <VirtualHost oxxxxxxx3dv.bom.com:8000>
---
> <VirtualHost oxxxxxxx3dv.bom.com:8443>


Sanity checks:
Do a full bounce of the applications that run behind OHS.

OHS and Webgate installation


oxxxxxd1 - OTM OG VG 11G SSO Migration





4.   Introduction


4.1. Scope and Objective


This document defines the processes for implementing SSO for HPPPM with OAM 11g.

5.   Software Installation


5.1. Install OHS 11.1.1.9


Summary:
OHS  Home: /oxxxapp/ohs11119/websrvr
Instance Home: /oxxxapp/ohs11119/websrvr/instances/instance1

Working installer: /oxxxapp/stage/webtier/Disk1/runInstaller

Install the rpm compat-libstdc++-33.i686
After the install is started, it takes almost 15 minutes for the progress bar to move from 0%.




The installation should complete in around 25 minutes.

Stop the WebTier once it is up:

$ cd /oxxxapp/ohs11119/websrvr/instances/instance1/bin
$ ./opmnctl stopall

Modify the ports as per the old configuration's requirements.

Add the OG VG and SOA virtual host entries as per the old configuration.
5.2. Install WebGate and Configure WebGate with OHS
Run the following command to copy the required bits of agent from the WebGate_Home directory to the WebGate_Instance location:



$ ./deployWebGateInstance.sh -w /oxxxapp/ohs11119/websrvr/instances/instance1/config/OHS/ohs1 -oh /oxxxapp/ohs11119/Oracle_OAMWebGate1

$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/oxxxapp/ohs11119/websrvr/lib

$ cd /oxxxapp/ohs11119/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools

$ ./EditHttpConf -w /oxxxapp/ohs11119/websrvr/instances/instance1/config/OHS/ohs1/ -oh /oxxxapp/oraohs/Oracle_OAMWebGate1

The web server configuration file was successfully updated
5.3. Update httpd.conf


$ pwd
/oxxxapp/ohs11119/websrvr/instances/instance1/config/OHS/ohs1

$ diff httpd.confGOLD httpd.conf
193c193,194
< Listen 7777
---
> Listen 8000
> #Listen 7777
206a208,224
> ############ PPM
> LoadModule jk_module "/oxxxapp/ohs11119/websrvr/ohs/modules/mod_jk.so"
> 
> <IfModule jk_module>
> 
> JkWorkersFile /oxxxapp/ppm/integration/webserverplugins/configuration/workers.properties
> 
> JkMountFile /oxxxapp/ppm/integration/webserverplugins/configuration/uriworkermap.properties
> 
> JkLogFile /oxxxapp/ohs11119/jklogs/jk.log
> 
> JkLogLevel debug
> #JkMount /itg load_balancer
> #JkMount /itg/* load_balancer
> 
> </IfModule>
> ############ PPM
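Review bot: `JkLogLevel debug` in the new jk_module block makes mod_jk write a line for every forwarded request, with request details, to /oxxxapp/ohs11119/jklogs/jk.log; that is fine while the PPM forwarding is being brought up, but lower it to `info` or `error` before the server is left running, or the log grows without bound and retains request data. Also, because both `JkMount` lines are commented out, all /itg routing depends entirely on the entries in uriworkermap.properties, which is worth stating in the comment above the block.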
1049d1066
< include "moduleconf/*.conf"
1052c1069,1070
< include  "/oxxxapp/ohs11119/websrvr/instances/instance1/config/OHS/ohs1/webgate.conf"
\ No newline at end of file
---
> include  "/oxxxapp/ohs11119/websrvr/instances/instance1/config/OHS/ohs1/webgate.conf"
> include "moduleconf/*.conf"
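Review bot: taken together with hunk 1049d1066, the effect of this hunk is that webgate.conf is now included before moduleconf/*.conf, but nothing in the document says why that order is required; add a comment beside the two include lines explaining the dependency so the ordering is not reverted the next time moduleconf or the includes are edited.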



Note: the OAM team supplies the WebGate configuration from the OAM server:
ObAccessClient.xml
cwallet.sso

Place them in:

$ pwd
/oxxxapp/ohs1119/websrvr/instances/instance1/config/OHS/ohs1/webgate/config

-rw------- 1 oxxxxxd1 oxxxxxd1  3133 Mar 19 09:16 cwallet.sso
-rw-r----- 1 oxxxxxd1 oxxxxxd1  5157 Mar 19 09:17 ObAccessClient.xml





6.   OTM Application Setup


6.1. Update application config files

Update the parameter below in the glog.properties file on all nodes:

OAM_REMOTE_USER

6.2. Update the parameter in custom JSP files

Go to the application home on each node and update the header to OAM_REMOTE_USER in all required files, as per the customization.

Example location:
/oxxxxxp1/oxxxxp/apptmtp1x01/apache/htdocs/xsql

7.   Cache Clear

- Clear cache in Tomcat
- OTM Domain
- SOA Application
  - Admin (AdminServer)
  - WSM (Managed Server)
  - SOA (Managed Server)