OCI: Installing a public certificate on OTD

To install a certificate into the soft load balancer Oracle Traffic Director 12c 12.2.1.2 running on the Oracle Public Cloud, you need to own:

  • The certificate certificate.cer, in pem format
  • The intermediate certificate intermediate.cer, in pem format
  • The root certificate root.cer, in perm format
  • The PFX certificate.pfx, in pfx format and remember its password
  • The certificate private key privatekey.txt

 

Transfer these files on the SLB host.

 

Process as follow to to generate the combined certificate chain:

cat certificate.cer intermediate.cer root.cer >combined.cer

 

Then generate the identify store as follow:

. /u01/data/otd-instance/otd_domain/bin/setDomainEnv.sh

export LPATH=<WORK DIRECTORY>
rm ${LPATH}/new_identity_keystore.jks

echo "Convert the pfx, including both the key and the certificate into a pem file"
openssl pkcs12 -in ${LPATH}/certificate.pfx -out ${LPATH}/temp_certificate.crt -nodes

echo "Generating the new identity key store"
java utils.ImportPrivateKey -keystore ${LPATH}/new_identity_keystore.jks -storepass welcome1 -storetype JKS -keypass welcome1 -alias <cert alias> -certfile ${LPATH}/temp_certificate.crt -keyfile ${LPATH}/privatekey.txt -keyfilepass <pfx password>

 

Then import the identity keystore then the combined certificate via wlst

"$ORACLE_HOME/oracle_common/common/bin/wlst.sh 

connect('weblogic','<wls_password>',"t3s://localhost:8989")

svc = getOpssService('KeyStoreService')
svc.importKeyStore(appStripe='OTD', name='opc-config', password='', aliases='<cert alias>', keypasswords='welcome1', type='JKS', filepath='new_identity_keystore.jks',permission=true)
svc.importKeyStoreCertificate(appStripe='OTD', name='opc-config', password='', alias='<cert alias>', keypassword='', type='CertificateChain', filepath='combined.cer')


 

From now on, the certifcate <cert-alias> can be used with any SSL listener configured with OTD.

Advertisements

DB: Configuring wallet for http(s) calls

How to configure the wallet for https call from a 12c database

Before making https calls from the database, a wallet has to be created and an access security list must be created to allow outbound https connection.

In addition, the root or intermediate certificate s of the website being called must be stored into the wallet. With 12c, only the INTERMEDIATE certificate should be stored into the wallet. A good start to find the latest certificate is here.

Also, a database access list has to be created to grant the schema specified the privilege to access the host via the http call. When a proxy is used as a firewall, this access also must be part of this access list.

 

Setup the wallet

Here we create a wallet in the $ORACLE_HOME/wallet/<db> directory.

export LWALLET_DIR=$ORACLE_HOME/wallet/<db>

mkdir -p ${LWALLET_DIR}

orapki wallet create -wallet ${LWALLET_DIR} -pwd welcome1 -auto_login

# Example for www.oracle.com
orapki wallet add -wallet ${LWALLET_DIR} -trusted_cert -cert "GeoTrustSSLCA-G3.crt" -pwd welcome1
# Example for cloud.demo.com
orapki wallet add -wallet ${LWALLET_DIR} -trusted_cert -cert "SymantecClass3SecureServerCA-G4.crt" -pwd welcome1
ls -l ${LWALLET_DIR}

orapki wallet display -wallet ${LWALLET_DIR} -complete

In case of RAC, make sure to replicate the wallet over other RAC nodes.

 

Create the access list

connect sys/<password> as sysdba

ALTER SESSION SET CONTAINER=<pdb>;
begin
dbms_network_acl_admin.append_host_ace
 (host => '*'
 ,lower_port => 80
 ,upper_port => 443
 ,ace => xs$ace_type(privilege_list => xs$name_list('http','http_proxy')
 ,principal_name => 'schema'
 ,principal_type => xs_acl.ptype_db));
dbms_network_acl_admin.append_wallet_ace
 (wallet_path => 'file:/path to ORACLE_HOME/wallet/<db>'
 ,ace => xs$ace_type(privilege_list => xs$name_list('use_client_certificates','use_passwords')
 ,principal_name => 'schema'
 ,principal_type => xs_acl.ptype_db));

commit;
end;
/

 

To check the successful deployment of the wallet and certificate

sqlplus <sysman>/<password>
SQL> execute utl_http.set_wallet('file:<path to wallet>', 'welcome1');
SQL> select utl_http.request ('http://www.oracle.com') from dual;

or with a proxy:

sqlplus <sysman>/<password>
SQL> execute utl_http.set_wallet('file:<path to wallet>', 'welcome1');
SQL> select utl_http.request ('http://www.oracle.com','http://<proxy>:80') from dual;

Download oracle software with wget from OCI

How to download an oracle software from an OPC instance.

To download a software with wget from an Oracle Public Cloud instance, first attempt a download of the required software from your desktop from OTN then, once you have sign-on:

  • Pause the download
  • Export, from your browser, the cookie file. Some browser add-on may comes handy for that, for example cookie-manager
  • Cut/paste this cookie file into the OPC instance, into a file cookie.txt
  • Run the wget command by referencing the cookie text file and the software url.
Example for 12.2 standard edition
wget --load-cookie cookie.txt  http://download.oracle.com/otn/linux/oracle12c/122010/linuxx64_12201_database.zip
Example for the instant client
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/instantclient/122010/oracle-instantclient12.2-basic-12.2.0.1.0-1.x86_64.rpm
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/instantclient/122010/oracle-instantclient12.2-sqlplus-12.2.0.1.0-1.x86_64.rpm
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/instantclient/122010/oracle-instantclient12.2-tools-12.2.0.1.0-1.x86_64.rpm

Example for EMCC 13.2R1
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64.bin
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-2.zip
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-3.zip
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-4.zip
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-5.zip
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-6.zip
wget --load-cookie cookie.txt http://download.oracle.com/otn/linux/oem/13200/em13200p1_linux64-7.zip

 

Do not forget to remove the cookie file after the download has completed.