A few days ago I started getting notifications that the application certificate was going to expire soon. It is a Discoverer 11g application, so we created a PKCS12-compliant wallet that can be used with the C-based system components, for example Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory, and OPMN.
To create a wallet
To create the wallet-based PKCS12-compliant keys I used the Oracle Wallet Manager GUI (OWM) tool.
You can use the wallet manager GUI that comes with the Oracle 11g client installation under Integration management tool, or you can find this tool in the Oracle home software directory on Unix:
cd $ORACLE_HOME/bin
PATH=$PATH:/usr/X11/bin:/usr/openwin/bin
export DISPLAY=<hostname:portno>
./owm
Select Wallet --> New
It will prompt for a password. Specify the password here and save it for future use, as you will need this password for every wallet-based operation such as Open Wallet, Import Certificates, Export Certificates, etc.
Here you need to fill in the corresponding details, and it is important to select a key size of 2048 or higher. NOTE - the common name needs to be the server or DNS name, like xyz.com
Once all the details are entered, save it.
After the certificate request is created, export it and submit it to the certificate authority.
Here we need to wait to receive the SSL certificate from the certificate authority. The file we receive will have a name like <xyz>.com.crt, with the certificate extension.
Now import this certificate into the wallet we created before.
You can also specify the "Auto-Login" option via a checkbox in OWM.
When creating a wallet, a file called "ewallet.p12" is generated. When Auto-Login is also specified, an additional file called "cwallet.sso" is generated. Because cwallet.sso lets the wallet be opened without the password, keep both files readable only by the account that runs the Oracle components.
To import these keys in Discoverer
1) Log in to the Discoverer application.
2) Shut down the opmn services.
3) Go to $ORACLE_INSTANCE/config/OHS/ohs1 and check the SSLWallet setting:
grep -i SSLWallet ssl.conf
4) Go to $ORACLE_INSTANCE/config/OHS/ohs1/keystores/default
Place both the keys here: 1) ewallet.p12 2) cwallet.sso
5) Now restart the opmnctl services:
opmnctl startall
6) Now access the Discoverer application and you will find the certificate key information in the lock box.
To verify that your website is secure and/or to see when the SSL certificate expires, there are a few methods of testing.
You can view the site information in your browser to see basic information about the SSL certificate, including whether the connection is secure and when the certificate will expire.
Firefox
In the address bar click on the lock icon to the left of 'https://'
This will show if the connection is encrypted
Click on 'More information'
Click 'View Certificate'
This will show the expiry date
Opera
In the address bar click on the lock icon to the left of 'https://'
This will show if the connection is encrypted
Click on the linked domain name
This will show the expiry date
Chrome
In the address bar click on the lock icon to the left of 'https://'
Click on 'Connection'
This will show if the connection is encrypted
Click on 'Certificate information'
This will show the expiry date
IE
In the address bar click on the lock icon on the right hand side
This will show if the connection is encrypted
Click 'View Certificates'
This will show the expiry date
Safari
In the address bar click on the lock icon on the right hand side
If you can see certificate information this will indicate that the connection is encrypted
You will also be able to see the expiry date
If you see an exclamation mark or another icon in place of the lock icon, that could indicate either that SSL is not working or that the website is displaying a mix of secure and non-secure content.
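The expiry date can also be read straight from ewallet.p12, for example before the wallet is copied into the keystores directory. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is installed, and the function names and the WALLET_PWD variable are made up for illustration.

```shell
#!/bin/sh
# Added example: read the expiry of the certificate stored in a PKCS12 wallet.
# Assumption: the wallet password is supplied in the WALLET_PWD environment
# variable, so it is never typed as a command-line argument.

# Print the notAfter date of the user certificate in wallet file $1.
wallet_cert_enddate() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:WALLET_PWD 2>/dev/null |
        openssl x509 -noout -enddate
}

# Return 0 if the certificate in wallet $1 expires within $2 days, 1 if it
# does not, 2 if no certificate can be read (bad password, missing or
# unreadable file, no certificate in the wallet).
wallet_cert_expires_within() {
    pem=$(openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:WALLET_PWD 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1    # still valid at the end of the window
    fi
    return 0        # expires inside the window: time to renew
}

# Constructed sample input: a throwaway wallet in directory $1 holding a
# self-signed certificate for CN=xyz.com that is valid for $2 days.
make_demo_wallet() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=xyz.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/ewallet.p12" -passout env:WALLET_PWD
}

# Demo on the constructed wallet. For a real wallet, export WALLET_PWD
# yourself and pass the path of ewallet.p12 to the functions above.
demo() {
    WALLET_PWD='constructed-demo-password'; export WALLET_PWD
    demo_dir=$(mktemp -d) || return 2
    make_demo_wallet "$demo_dir" 10 || return 2
    wallet_cert_enddate "$demo_dir/ewallet.p12"
    if wallet_cert_expires_within "$demo_dir/ewallet.p12" 30; then
        echo "certificate expires within 30 days: renew"
    fi
    rm -rf "$demo_dir"
}
demo
```

Run from cron with a 30-day window, the second function gives an earlier and scriptable version of the expiry notification that prompted this renewal.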