Sunday, August 23, 2015

Enable TLS1.x in EBS R12.1 secured network

Transport Layer Security (TLS) is the newer cryptographic protocol that succeeds SSL. We started to work on enabling TLS1.x and disabling SSLv3 in EBS R12.1 (Doc ID 1937646.1) in February 2015. At that time, two requirements had to be met:
- OracleAS 10g in EBS R12 must be at 10.1.3.5. If not, use Doc ID 454811.1 to upgrade it.
- Apply the latest CPU patch. The latest EBS apps patch at the time was October 2014 (Doc ID 1923805.1), which points the 10GiAS 10.1.3.5 CPU patch to 16802901 (CPUJUL2013 TRACKING BUG FOR APPLICATION SERVER 10.1.3.5 UNIX). Find and download it through the link in document 1923805.1, not by searching for the patch number. Without it, the EBS login page may not work after TLS1.x is enabled.

1. Verify the Apache version:
$ $IAS_ORACLE_HOME/Apache/Apache/bin/httpd -v

Server version: Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server
Server built:   Jul 21 2009 11:12:22

2. Download or copy the file p16802901_101350_LINUX.zip
    and unzip it into a 16802901 folder.

3. vi /etc/oraInst.loc
    to make sure it points at the correct central Oracle inventory.

4. Shut down the apps services.

5. $ cd $INST_TOP/ora/10.1.3
    then source the .env file in that directory.

6. Make sure $ORACLE_HOME points to the 10.1.3 home:
    $ echo $ORACLE_HOME

7. $ opatch lsinventory -detail    to verify that most of the patches are NOT yet installed
    $ cd 16802901
    $ opatch napply                 Notes: it will roll back some patches.
    $ opatch lsinventory            to verify that the patches are installed.

    $ sh remove_demo.sh   (optional)

    Notes: after opatch completed, "opatch lsinventory" shows 16802900, but not 16802901, as installed.

8. Start a new Linux session to get the normal EBS environment variables.

9. Modify $FND_TOP/admin/template/ssl_conf_1013.tmp (per Doc ID 1937646.1):

SSLProtocol    all +TLSv1 -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM:!SSLv3:!SSLv2

10. Run AutoConfig.
Then verify that the generated file $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/ssl.conf carries the same SSLProtocol and SSLCipherSuite directives.

11. Start the apps services.

12. Go to an EBS web page, right click ==> Properties. The Properties box shall show "Connection    TLS 1.0 AES ...". The same information may appear in the Apache log as well.

13. If the site URL is https://siteName.domain.com:4439, the following commands display the certificate info if TLS1 is enabled:
$ openssl s_client -connect siteName.domain.com:4439 -tls1
$ openssl s_client -connect siteName.domain.com:4439 -tls1 | grep Cipher
(Try "openssl s_client -connect siteName.domain.com:4439 -ssl3" to check whether SSLv3 is still enabled.)
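As an added example that is not part of the original post, the POSIX shell script below automates the checks behind steps 9 to 13: it lints the SSLProtocol directive that AutoConfig writes into ssl.conf (SSLv2 and SSLv3 removed, TLSv1 allowed) and decides from an openssl s_client transcript whether a handshake actually completed, using the fact that openssl prints "Cipher    : 0000" when the server refused the requested protocol. The configuration lines and transcripts are constructed samples so the script runs offline; the EBS_SITE variable and the probe_site helper are this example's own assumptions, not anything from the Oracle documents.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for steps 9-13.
# The config lines and transcripts below are constructed samples; EBS_SITE
# and probe_site are this example's own assumptions.

# Constructed sample: the directives as the post sets them in ssl_conf_1013.tmp.
GOOD_CONF='# Hardened directives
SSLProtocol    all +TLSv1 -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM:!SSLv3:!SSLv2'

# Constructed sample: a directive that still leaves SSLv3 negotiable.
WEAK_CONF='SSLProtocol    all -SSLv2'

# Constructed sample: tail of a successful "openssl s_client -tls1" transcript.
SAMPLE_TLS1_OK='---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---'

# Constructed sample: "openssl s_client -ssl3" transcript once SSLv3 is disabled;
# no cipher is negotiated and openssl reports "Cipher    : 0000".
SAMPLE_SSL3_REJECTED='CONNECTED(00000003)
SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
no peer certificate available
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'

# Lint the effective SSLProtocol directive read on stdin (e.g. the ssl.conf that
# AutoConfig generates). The last directive wins, as in Apache. Returns 0 when
# SSLv2 and SSLv3 are explicitly removed and TLSv1 is allowed, 1 otherwise.
check_ssl_protocol() {
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1 \
           | tr '\t' ' ' | tr -s ' ' | tr -d '\r')
    if [ -z "$line" ]; then
        echo "FAIL: no SSLProtocol directive found"; return 1
    fi
    for want in -SSLv2 -SSLv3; do
        case " $line " in
            *" $want "*) ;;
            *) echo "FAIL: $want missing from: $line"; return 1 ;;
        esac
    done
    case " $line " in
        *" all "*|*" +TLSv1 "*) echo "OK: $line"; return 0 ;;
    esac
    echo "FAIL: TLSv1 not enabled in: $line"; return 1
}

# Print the cipher named in the SSL-Session block of an s_client transcript on stdin.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1 | tr -d '\r'
}

# Succeed only if the transcript on stdin shows a completed handshake.
handshake_ok() {
    c=$(negotiated_cipher)
    [ -n "$c" ] && [ "$c" != "0000" ] && [ "$c" != "(NONE)" ]
}

# Assumed helper for a live listener: try one protocol flag against HOST:PORT
# and report whether the server accepted it. Only runs when EBS_SITE is set.
probe_site() {
    site="$1"; flag="$2"
    out=$(openssl s_client -connect "$site" "$flag" </dev/null 2>&1)
    if printf '%s\n' "$out" | handshake_ok; then
        echo "$flag accepted by $site: cipher $(printf '%s\n' "$out" | negotiated_cipher)"
    else
        echo "$flag rejected by $site"
    fi
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$GOOD_CONF" | check_ssl_protocol || :   # OK: SSLProtocol all +TLSv1 -SSLv2 -SSLv3
printf '%s\n' "$WEAK_CONF" | check_ssl_protocol || :   # FAIL: -SSLv3 missing from: SSLProtocol all -SSLv2
printf '%s\n' "$SAMPLE_TLS1_OK" | handshake_ok && echo "tls1 sample: handshake completed"
printf '%s\n' "$SAMPLE_SSL3_REJECTED" | handshake_ok || echo "ssl3 sample: handshake rejected"

# With EBS_SITE=siteName.domain.com:4439 exported, probe the real listener:
# after the change, -tls1 should be accepted and -ssl3 rejected.
if [ -n "$EBS_SITE" ]; then
    for flag in -tls1 -ssl3; do probe_site "$EBS_SITE" "$flag"; done
fi
```

To lint the real file after step 10, feed it on stdin: `check_ssl_protocol < $ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf/ssl.conf`. The lint only covers SSLProtocol; the SSLCipherSuite string is left exactly as the post sets it.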

UPDATES in January 2016:
1) 16802901 is a very old patch. If patch 19568561 or 21845960 (CPU Oct 2015 patch) is installed, 16802901 is not needed. CPU Oct 2015 patch 21845960 works better (and it rolls back patch 16802901 during installation). The Doc ID 1937646.1 Change Log of 02-Nov-2015 shows that patch 21845960 was also added to its "Release-Specific Requirements" section.
2) As of today, EBS 12.1 supports only TLS 1.0 and does not support TLS 1.1 or TLS 1.2.
3) If TLS 1.0 is not enabled, the EBS site may not work with Chrome and Firefox, because they no longer support SSLv3. The browsers report:

Google Chrome 49.0.2623.108
This site can’t provide a secure connection
sitename.domain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR


Firefox 44.0.2
Secure Connection Failed
An error occurred during a connection to sitename.domain.com. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)
