Securing OHS environments with latest SSL TLS protocols and SHA-2 certificates

Customer case

A while ago I was contacted by a customer about their old Oracle Application Server and WebLogic Server environment.
They were receiving complaints from users who could no longer connect to the secure site. Most of the complaints came from users who had just updated their tablet or smartphone.
After a quick look in the logs of the OHS servers, I found that the problem was caused by the SSL protocols being used.
The servers only offered connections over SSLv3 or TLSv1.0, while the updated devices required at least TLSv1.1.

The environment comprises an Oracle HTTP Server 10.1.x, used for SSO, in front of their Application Server.
For the applications they are using OHS 11.1.1.x in front of a mix of applications, varying from OC4J 10.1.2 all the way up to 11.1.1, including Oracle Forms and Reports.
Unfortunately, because of this complex mix of components, they were not able to upgrade the environment in time.

Requirements

The customer asked for a solution that meets the following requirements:

  • Disable the old, insecure SSLv3
  • Enable TLSv1.1 and TLSv1.2 for all sites
  • Current hostnames in the URLs must not change
  • Support SHA-2 SSL certificates for all sites

Circumstances I had to take into account

  • Oracle HTTP Server (OHS) 10.1.x and 11.1.1.x do not support TLS 1.1 and TLS 1.2.
    This is due to the Oracle NZ layer that OHS 10g/11g uses for its SSL implementation, which does not support TLS 1.1/1.2.
  • There is no support for SHA-2 certificates (SHA-256 or SHA-512) or algorithms in Oracle Application Server 10g (10.1.2.X.X/10.1.3.X.X).
  • SHA-2 is certified for Fusion Middleware 11g (11.1.1.X), with caveats.
  • As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates.
    Google will begin phasing out trust in SHA-1 certificates in November 2014.
  • Replacing the old 11.1.1.x OHS with FMW Webtier 12.1.3.0 is not an option:
    OSSO from the 10.1.x Application Server is being used, and in FMW Webtier 12.1.x the mod_osso module is no longer supported.

Note: Oracle Traffic Director on Exalogic is also based on FMW 11.1.1.x!

Solution

There are several options to meet the requirements set by the customer.
Unfortunately the best solution, upgrading the environment, cannot yet be implemented.

In this case the requirements were met by placing a reverse proxy in front of the entire environment.
The reverse proxy acts as an SSL terminator for client connections, using the latest SHA-2 SSL certificates.
To encrypt the connection between the reverse proxy and the backend OHS, which is limited to TLSv1.0, I generated self-signed SHA-1 certificates that the old servers can handle.

As a reverse proxy I had the choice between Oracle Fusion Middleware 12c (12.1.3) Webtier and the plain Apache HTTP Server.
I decided to go with Apache HTTP Server.

The reasons for this choice were:

  • (Security) updates: updates are released more frequently for plain Apache than for Webtier.
  • Easier to maintain: the server will be managed by Linux engineers, not by the Oracle engineers.
  • Smaller footprint: I only need the reverse proxy functionality, not all the extras that come with Oracle Webtier.

Pretty much all requirements were met by using the latest Apache with the correct SSL settings and new SSL certificates.

For one requirement we needed to play a little trick:

Current hostnames in the URLs must not change
After setting up the reverse proxy, all DNS entries for the URL hostnames were changed to the IP addresses of the reverse proxy.
For the reverse proxy to be able to reach the backend, I placed the old IP addresses in the local hosts file of the server running Apache HTTP Server.
So the clients' browsers access the URLs via DNS, which resolves to the reverse proxy; the reverse proxy in turn resolves the same hostnames to the backend servers using /etc/hosts.
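To make the setup concrete, here is an added example of an Apache 2.4 virtual host that implements the layout described above: a SHA-2 certificate and only TLS 1.1/1.2 towards clients, TLS 1.0 with a self-signed SHA-1 certificate towards the old OHS, and the backend reached through its original hostname via /etc/hosts. It is not the customer's configuration or the author's own file; the hostname apps.example.com, the backend port 4443, the old IP address 10.0.0.10 and all file paths are assumptions.

```apache
# Added example, not the configuration from the article. All hostnames, ports
# and paths below are assumed values.
#
# /etc/hosts on the proxy host (assumed old backend address), so that the
# unchanged public hostname resolves to the legacy OHS from the proxy only:
#   10.0.0.10   apps.example.com

Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName apps.example.com

    # --- Client side: SHA-2 certificate, SSLv3 and TLS 1.0 disabled ---
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile      /etc/httpd/ssl/apps.example.com.crt   # SHA-256 signed by a public CA
    SSLCertificateKeyFile   /etc/httpd/ssl/apps.example.com.key
    SSLCertificateChainFile /etc/httpd/ssl/public-ca-chain.crt    # intermediate certificate(s)

    # --- Backend side: the legacy OHS only speaks TLS 1.0 with a SHA-1 cert ---
    SSLProxyEngine on
    SSLProxyProtocol -all +TLSv1
    SSLProxyCipherSuite HIGH:MEDIUM
    # Trust exactly the self-signed certificate that was imported into the OHS
    # wallet, instead of disabling verification with "SSLProxyVerify none".
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    SSLProxyCACertificateFile /etc/httpd/ssl/ohs-selfsigned-sha1.crt

    # Forward to the backend under its original hostname (resolved via /etc/hosts)
    # and keep the Host header, so mod_osso and application redirects keep seeing
    # the public hostname.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://apps.example.com:4443/
    ProxyPassReverse / https://apps.example.com:4443/
</VirtualHost>
```

With SSLProxyVerify require and SSLProxyCACertificateFile the proxy accepts only the one self-signed certificate from the OHS wallet; for that to work the certificate's CN (or SAN) must match the hostname used in ProxyPass, because Apache 2.4.5 and later check the peer name by default (SSLProxyCheckPeerName). Browsers only ever see the public SHA-2 certificate, which is why the self-signed backend certificate never produces a client-side warning.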

Final thoughts

It was not my intention to describe the complete setup of an Apache-based reverse proxy here.
There are plenty of how-tos, blogs, etc. that describe all the setups and features.
The main purpose of this article is to make people aware that changes in SSL security are coming up that can have a direct impact on your environment.

In the case described above, users were already experiencing problems with mobile devices and tablets. And just as I finished the setup, their developers discovered that Java 1.8 uses TLSv1.2 by default.
So a problem they had not yet related to SSL protocols was solved in the process.

As a reminder:

Oracle supports the use of TLSv1.1 and TLSv1.2 as of FMW 12.1.x.
Oracle supports the use of SHA-2 as of FMW 11.1.1.x (with caveats).

Related Oracle support notes:
Does Oracle HTTP Server (OHS) 10g Or Higher Support TLS 1.1 and TLS 1.2? (Doc ID 1503476.1)
Using OHS 12c With TLS 1.1 and 1.2 Protocols as an SSL Reverse-Proxy to OHS 11g (Doc ID 1920143.1)
Is SSLHonorCipherOrder and TLS 1.1/1.2 Supported for Oracle HTTP Server? (Doc ID 1485047.1)
How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products (Doc ID 1936300.1)

About Author

Jaap Poot was a Principal Oracle Consultant at AMIS, an Oracle, Java and SOA specialist based in The Netherlands. He worked as a consultant with a main focus on Fusion Middleware products, with wide knowledge of other areas such as Exalogic, ODA, Oracle VM, Linux, Database, provisioning, networking and several scripting languages.

31 Comments

  1. mynameisjona on

    Dude!!!! I figured out how to do this with Nginx. Mannnnnn it is awesome 🙂 Thank you!!!

  2. Hi Jaap,

    We also have a similar requirement, only in our case it’s all Oracle Application Server 10g rel 2 (latest patches). We succeeded with all the setups, with the exception of Oracle Forms: we’re getting java.lang.ClassNotFoundException:oracle.forms.engine.Main and from the JInitiator console: java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr.
    It seems that for Oracle Forms, the SHA-256 SSL is not terminating. Tried to look everywhere for a solution, but we’re running out of time.
    Hoping you had the same situation.
    Thanks for any insight
    Yafa

    PS – I left similar comment on your other blog, please excuse duplication

    • Hi Yafa,
      I responded on my own blog.
      I don’t terminate SSL at Forms; I have an OHS in front of it. I terminate the SHA-256 SSL at the reverse proxy which is in front of the OHS. Communication between the reverse proxy and the older OHS is SSL with a self-signed certificate.

      Regards
      Jaap

      • Yes, thanks – this is what we also have in place, an Apache in front of the OHS with reverse proxy. The Apache has a SHA-256 cert, and the Oracle Application Server an internal CA. Still the Oracle Forms are not working. Does the root CA for the new web tier have to be a SHA-1 cert?
        I just saw you replied below that you added an additional proxy pass for the oracle forms – we will try that.
        Thank you very much for your reply
        Yafa

  3. Hello Jaap,

    In your solution, there is no mention of re-configuring OSSO to work with the Apache proxy. Are you able to get SSO login/logout working while still having OSSO pointing to the host server instead of the proxy?

    Thanks!

    • Hi RPM,

      I didn’t have to change any OSSO settings, since OSSO was still handled by the backend OHS servers. I just put a reverse proxy in front of them. So to answer your question, OSSO still points to the OHS servers.

      Regards,
      Jaap

        • Hi RPM,

          Since all OSSO handling is done by the backend OHS, the reverse proxy I put in front doesn’t have to do anything with it.
          I also did not configure the OSSO plugin for Apache on that reverse proxy.

          Regards,
          Jaap

          • Jaap … you wouldn’t have step by step instructions on this would you? Not a lot of instructions on this and Oracle does not certify 11g reverse proxy to 10g it’s. We have 10g architecture and can’t upgrade to 11g or 12c at this time. Applications are all OC4J.

          • Jaap

            Do you have any step by step instructions for this procedure? I am working on a system that is 10g architecture (OHS and 10.1.4) that is protecting OC4J applications. The system cannot be upgraded at this point due to lack of funding, and Oracle states that a reverse proxy of 11g in front of 10g is not supported/certified.

            Not a lot of documentation out there on the specifics of this.

            Any help would be appreciated.

            Thanks

          • Hi Jim,

            The reverse proxy is just an ordinary Apache HTTP Server with the module in place to do reverse proxying.
            I don’t have step by step instructions on how to set up a reverse proxy using Apache.
            There are a lot of examples available on several blogs out there on how to set up a reverse proxy using Apache, including the ones using SSL. I also used those examples.

            It does not matter if you are running 10g, 11g or even 12c. Oracle doesn’t even know there is a reverse proxy in front of it.

            Regards,
            Jaap

  4. Hi Jaap,

    Thank you for the post. I am trying to get rid of self-signed cert errors in the browser using the SSLProxyCACertificateFile directive on the Apache proxy, with no luck.

    Here’s what I tried:
    1) I initially created a simple self-signed cert in a wallet on the OHS server and exported it to the Apache proxy, with SSLProxyCACertificateFile pointing to it. I was still getting the browser warning/error.

    2) When I tried going the other way around, creating a self-signed cert through openssl and creating a wallet from it on the OHS server, OHS would not start: unknown wallet error. I can display the wallet contents, which look like this:

    orapki wallet display -wallet /u01/infra_sso/Apache/Apache/conf/ssl.wlt/Self_Signed
    Requested Certificates:
    User Certificates:
    Subject: CN=myhost.domain.coml\, L=Arlington\, ST=VA\, C=US
    Trusted Certificates:
    Subject: CN=ROOT\, L=Arlington\, ST=VA\, C=US

    Am I missing something here? Any ideas will be greatly appreciated.

    It also seems like a lot of folks used the following Apache directives (on the proxy) to successfully suppress self-signed cert errors in the browser. These directives help me move forward, but I still get the warning/error message in the browser.

    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

    Thanks!
    Raj

  5. Nice post. Do you have a link on how to create a self-signed certificate with SHA-1? It looks like it uses openssl, but I can’t find a full procedure.

    • Hi Edwin,

      If you search with Google on “create self signed certificate openssl sha1” you will find several full procedures.

      Gr.
      Jaap

  6. Hi Jaap,

    I apologize for my English, but your post about securing OHS environments reflects exactly our issue!

    We configured a reverse proxy with Apache version 2.4. But we’re stuck on the SSL settings with the backend app server (WebLogic 10.3.6 and FMW/OHS 11.1.7), specifically when we try to create a self-signed CA and a client certificate. These are our steps:

    1.- generate CA and CA key (reverse proxy side)
    2.- create a new oracle wallet (app side)
    3.- generate a CSR in the wallet (app side)
    4.- sign that CSR with openssl and the CA / key (reverse proxy side)
    5.- configure wallet as “optional client authentication” (app side)
    6.- import the CA and the new certificate in the oracle wallet (app side)
    7.- configure virtualhost to accept client certificates (reverse proxy side):

    SSLProxyEngine on
    SSLProxyCACertificateFile /some/path/CA.crt
    SSLProxyVerify optional
    SSLProxyVerifyDepth 5
    ProxyPass / https://my_backend_app:8080/
    ProxyPassReverse / https://my_backend_app:8080/

    I tried many different settings, but I always get this result in the browser:

    “Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /.

    Reason: Error reading from remote server”

    If I try without HTTPS it works!

    Cheers,

  7. Another very good solution is to use stunnel as an SSL terminator and run OHS behind your firewall on port 80.

    • Hi Brian,

      That is true.
      However, that would introduce another product for the support department. They are used to Apache already.
      Also, the communication between the reverse proxy and the backend servers needed to be HTTPS.

      Gr.
      Jaap

      • Apache as a reverse proxy sounds like a good fit for your client.

        So that there is no confusion, I wanted to mention that stunnel can communicate with OHS on a secure port using TLS 1.0 if needed.

        Stunnel has amazing abilities. It can be used to encrypt client/server communications such as Toad to Oracle (or sqlplus to Oracle). Also it can be used to make HTTPS communications from stored procedures (utl_http.request()) without the use of a wallet.

        All in all stunnel is an amazing tool which handles many of the same functions as Oracle’s Advanced Security module without the craziness of adding each certificate to a wallet.

  8. Hi

    We have a lot of apps servers running Oracle 10.1.2.3 (mod_plsql and Reports) and Oracle 10.1.3.5 (J2EE) that we have to upgrade to WebLogic to support the SHA-2 algorithm. I guess your article just describes the proxy that we can set up, which will help us avoid upgrading, or at least postpone the upgrade until we are ready. From what I gathered, I install the Apache HTTP Server client and configure a SHA-2 certificate, terminate the SSL at that end and go HTTP from there to the Oracle apps server. Is that what you are recommending? Can you please elaborate on this and how it will work for my setup. Thanks.

    • Since the older Oracle apps server does not accept SHA-2 ewallet.p12 and cwallet.sso files, what should the older apps server have when the reverse proxy is configured with the newer one? Will it just have the chain certificate location? Please advise.

    • Hi Naras,
      Communication between Apache HTTP Server and the Oracle Apps Server also uses SSL. I created a self-signed certificate with SHA-1 and put this in the wallet of the older apps server.
      Since the customer didn’t want to make any changes to the configuration, I was bound to using HTTPS on the older apps server.

      • I am not sure if we can keep generating SHA-1 using self-signing forever. If I configure using SSL termination, will there be a security compromise? Please advise.

        • Do you have steps to generate the .p12 and .sso using self-signing? Also, with self-signing, I am assuming you can give however many days you want the certificate to be valid. Is that correct?

          • We are planning to leave the old certificate on the apps server since the requests will not be called from there. But the URL of the old apps server with a port other than 443 should be secured, or should be rewritten to the 443 port that is on the proxy. Do you know how to take care of it? Right now it is going into an infinite loop. I don’t want anyone to access the old apps server directly. It should redirect them to the Apache port. Please advise.

          • Hi

            We are planning to upgrade Apache to 2.4; do you think it is a better idea than the 2.2.12 that we have now for the proxy? With 2.4 we are having issues with the SHA-2 certificate when converting our .p12 file to .cer and .pem; it gives a certificate mismatch and keeps dying. Apache 2.2.12 is very stable so far. What is your suggestion? Which Apache version did you configure for the client to set up the proxy?

  9. Hi
    I followed the steps here, but when I try to view the E-Business URL in the browser, I get the message that the certificate is not trusted. This is because it is a self-signed certificate. How did you overcome this problem so that users don’t see this message?

    • Hi Sarveswara,

      We added the SSLProxyCACertificateFile directive with the CA certificate file for the self-signed certificate to the ssl.conf.
      Example:
      SSLProxyProtocol +TLSv1
      SSLProxyCipherSuite HIGH:MEDIUM
      SSLProxyCACertificateFile /pathtoCAcertificate/ca-certificate.crt

      This is inserted right below the ProxyPass/ProxyPassReverse directives.

      Greetings
      Jaap