Quick and easy SSL in OC4J Standalone

24

During development it is sometimes necessary to able to run your webapplication under SSL. To obtain a test certificate from verisign can sometimes take a little too much time and effort. Especially when there is a bug waiting to be fixed.

This post describes an easy way to create a certificate yourself using SUN’s keytool and configure OC4J to use it. It originates almost one to one from the Oracle Application Server Containers for J2ee Stand Alone User’s Guide (how about that for a title).

I assume that you have at least JDK 1.3 installed and setup correctly. Make sure that the you set the PATH to include the JDK’s bin directory.


1. Create a certificate

  • Open a command prompt and change directory to the config directory of your OC4J instance
  • type the following:keytool -genkey -keyalg "RSA" -keystore sslfile -storepass simanoel -validity 365

Where:

  1. the keystore option sets the filename where the keys are stored
  2. the storepass option sets the password for the keystore
  3. the validity sets the number of days the certificate is valid

The keytool will prompt several questions to you. Just answer these as you please.
The new keystore file ( sslfile in my case ) is created in the current directory (config in this case)

2 . Setting up OC4J

  • If you don’t already have a secure-web-site.xml file in your OC4J config directory, create one by copying the existing http- web-site.xml and renaming the copy to secure-web-site.xml
  • Edit secure-web-site.xml
    • add secure=”true” to the website element
    • add the following line inside the web-site element

      use the keystore name and password you used when creatiung the certificate

    • te port number, to use an available port. The default for SSL is normally 443, but you have to be a super user to use it, I therefore used (4443)
    • Save the changes
    • It should look something like this
      < <?xml version="1.0" standalone="yes"?>
      <!DOCTYPE web-site PUBLIC "Oracle9iAS XML Web-site" "http://xmlns.oracle.com/ias/dtds/web-site.dtd">
      <web-site port="4443" display-name="Oracle9iAS Containers for J2EE HTTP Web Site" secure="true">
      <ssl-config keystore="sslfile" keystore-password="simanoel"/>
      <default -web-app application="default" name="defaultWebApp"/>
      <web-app application="default" name="dms0" root="/dms0"/>
      <web-app application="default" name="dms" root="/dmsoc4j"/>
      <web-app application="udo" name="web" root="/udo"/>
      <access-log path="../log/http-web-access.log"/>
      

      </>

  • edit server.xml
  • Uncomment or add the following line
       &lt;web-site path="./secure-web-site.xml" /&gt;
    
  • Save the changes
  • it will something like:
      &lt;?xml version="1.0" standalone="yes"?&gt;
      &lt;!DOCTYPE application-server PUBLIC "Orion Application Server Config" "http://xmlns.oracle.com/ias/dtds/application-server.dtd"&gt;
      &lt;application-server application-directory="../applications" deployment-directory="../application-deployments" connector-directory="../connectors"&gt;
        &lt;rmi-config path="./rmi.xml"/&gt;
        &lt;jms-config path="./jms.xml"/&gt;
        &lt;log&gt;
          &lt;file path="../log/server.log"/&gt;
        &lt;/log&gt;
        &lt;global-application name="default" path="application.xml"/&gt;
        &lt;global-web-app-config path="global-web-application.xml"/&gt;
        &lt;web-site path="./secure-web-site.xml" /&gt;
        &lt;web-site path="./http-web-site.xml"/&gt;
        &lt;application name="udo" path="../applications/udo" auto-start="true"/&gt;
    &lt;/application-server&gt;
    

Restart OC4J. Now OC4J will listen for both SSL request (port 4443) and non-SSL requests (port 8888). In my case the urls would be

  • http://localhost:8888/udo/
  • https://localhost:4443/udo/

You can switch either of them off by removing the corresponding entry in server.xml

Share.

About Author

24 Comments

  1.  

     

     

    Hi I have enabled SSL in oc4j but getting null pointer exception in client. The code is given below java.security.cert.X509Certificate[] ClientCertificates = (java.security.cert.X509Certificate[])request.getAttribute(

    “javax.servlet.request.X509Certificate”);
     

     

     

     

    for

     

     
    (int i=0;i<ClientCertificates.length

    ;i++)
    {
    user_cert = (X509Certificate) ClientCertificates[i];
    }

  2. Hey, way cool! Had to play around with the XML config files a bit, but finally got it working with JDev 10.1.3.5. Make sure your “” statement in secure-web-site.xml is the same as the one in default-web-site.xml. Note that the config files are located in folder “..\embedded-oc4j\config”

  3. Jerry Russell on

    Just a comment in case someone else runs into trouble. When using the keystore tool, there are two passwords, if you do not enter the same password for both, you may get “”Cannot recover key” errors when deploying your application. Thanks for the instructions!

  4. Hi,
    This setting works in my jdeveloper version 10.1.3.0…
    Now i already migrates my application using version 10.1.3.1 and suddenly jdeveloper found an error…(handshake alert: no_certificate)
    so it’s a bug or what in jdeveloper?

  5. Gianluca Vannozzi on

    I resolved the problem, my http-web-site.xml is :

    < ?xml version="1.0" ?>
    < !DOCTYPE web-site (View Source for full doctype...)>
    -




    secure-web-site.xml:

    < ?xml version="1.0" standalone="yes" ?>web-site (View Source for full doctype…)>
    -





    server.xml:

    < ?xml version="1.0" ?>application-server (View Source for full doctype…)>
    -


    -

    application name=”default” path=”application.xml” />






  6. Hi, I’ve the same problem using standalone OC4J provided with JDeveloper.

    please help us …

    Thanks, Rem

  7. Gianluca Vannozzi on

    I did what you have explained in the article but I have this problem :

    Error starting HTTP-Server: Unable to intialize SSLServerSocketFactory ‘com.ever
    mind.server.JSSESSLServerSocketFactory’: com.evermind.server.JSSESSLServerSocket
    Factory

    What was wrong ????
    Someone can help me ????

  8. Nilesh Ghorpade on

    The article was simple great :-) It helped me save a lot of time in setting up an SSL environment for OC4J.

  9. Pingback: Quick and easy SSL in OC4J Standalone

  10. Pingback: Quick and easy SSL in OC4J Standalone

  11. Carla Ribeiro on

    When I type https://:4443/ I have gotten the error message: The page cannot be displayed
    if I type http://:4443/
    I have gotten 
    Where is the error?

  12. Naveed Zafar on

    Bingo !! That was exactly what I wanted.. Amazing thing is that you have explained everything soooooooo clearly that
    everything goes fine… well done (Y)

  13. Thanks very much yours steps have already help me to get a easy way to build a ssl certificate in oc4j.

  14. Dragan-Sassler on

    Hello,

    wenn I set in ssl-config from secure-web-site.xml needs-client-auth=”true”,
    I get no login window and the exception:
    handling exception: javax.net.ssl.SSLHandshakeException: null cert chain.
    Without needs-client-auth the application runs.

    Have you an ideea why?

    Thanks a lot.

    dragan-sassler

  15. Your this comment help me lot in configuring the SSL in Oracle 9i App. Server.
    just gr8!!! Documentation.
    thank yuo very mcuh for providing this kind of gr8! help.

    cheers!
    Chirag from India

  16. Leon,
    You may not know where Bulgaria is, but you sure helped a guy form there (namely me ;->) with your OC4J+SSL howto. Thank you very much.