
Support of SSL FIPS 140-2 Standard for Oracle HTTP Server 12.1.3 (Doc ID 2160983.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle HTTP Server - Version 12.1.3.0.0 to 12.1.3.0.0 [Release 12c]
Oracle Fusion Middleware - Version 12.1.3.0.0 to 12.1.3.0.0 [Release 12c]
Information in this document applies to any platform.
- Patches in this document are strongly recommended for security, even if SSLFIPS is not enabled.

Details

SSL FIPS 140-2 Standard for Oracle HTTP Server 12.1.3

Configuring Oracle HTTP Server (OHS) 12.1.3 to meet the FIPS 140-2 standard essentially means setting "SSLFIPS On" and ensuring that the certificate, protocol and cipher requirements are met. Patches are supplied to help configure this correctly, fix security issues and ensure the code is FIPS 140-2 compliant.

This has been a post-release certification for OHS 12.1.3 as installed from the OHS 12.1.3 distribution media. It does not cover other environments in which OHS is embedded or integrated; surrounding components may have their own requirements to meet FIPS 140-2 standards.

See the information below for OHS 12.1.3 patching and configuration requirements. This document supersedes <Note:2051048.1> "Oracle HTTP Server 12.1.3 Will Not Start With FIPS Mode Turned On"; however, see the Known Issues at the bottom of this document for a similar issue.

Actions

Patches Required

Testing for this with Oracle HTTP Server 12.1.3 was performed on the following platforms:

Linux x86-64, Windows 64-bit, Solaris SPARC 64, Solaris x86-64, HP Itanium 64, and IBM AIX 64

The patches below are required, in the following order, before beginning the steps to use orapki and configure ssl.conf/admin.conf:

 

Component: General/OUI/Inventory
Patch: <Patch 19360945>
Patch description on My Oracle Support: OPATCH 13.2.0.0.0 FAILS TO GET PRODUCT DIRECTORIES FOR A GIVEN SYMBOL
Additional comments:
- Previously released, may already be applied. Check with "opatch lsinventory".
- Required before any patching with OPatch; see <Note 1587524.1> "Using OUI NextGen OPatch 13 for Oracle Fusion Middleware 12c (12.1.2+)".

Component: Oracle HTTP Server (OHS) *
Patch: <Patch 27244723>
Patch description on My Oracle Support: MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 26398022 19901079 20222451 25191174 (CPUJan2018)
Additional comments:
- CPUJan2018 or newer for OHS. Includes fixes for SSLFIPS certification, security fixes and two other SSLSessionCache issues as described in <Note 2000409.1>. Also follow the configuration advice in <Note 2314658.1>. *

Component: SSL/Networking (OSS) *
Patch: <Patch 27369653>
Patch description on My Oracle Support: MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 26591558 26318200 (CPUApr2018)
Additional comments:
- CPUApr2018 or newer for SSL/Networking (OSS). Includes fixes for SSLFIPS certification and the SSLSessionCache / LIBAPRUTIL core dump issue as described in <Note 2000409.1>. *

* OHS and SSL/Networking are two separate components with separate patches released through the Critical Patch Update (CPU) program for security vulnerabilities. Going forward, the fixes required for SSLFIPS have been merged into the Critical Patch Update program, so you should apply the latest CPU patches for both components; check the latest Critical Patch Update advisory in case this table has not been updated.
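The table above says to confirm the patches with "opatch lsinventory" and that the two CPU merge patches may be replaced by newer ones. The script below is an added example, not part of the Oracle note: it checks a saved lsinventory listing for the OPatch fix by patch ID and for the two CPU merge patches by the bug numbers they fix, on the assumption that a superseding cumulative CPU patch lists the same bug numbers under "Bugs fixed" (verify this against the newer patch's README). The inventory text, dates and the "Patch NNN : applied on" layout are constructed sample data modelled on OPatch output.

```shell
#!/bin/sh
# Added example (not from the Oracle note): check a saved `opatch lsinventory`
# listing for the patches the note requires. The OPatch fix is matched by patch
# ID; the OHS and OSS CPU merge patches are matched by the bug numbers they fix,
# assuming a superseding cumulative CPU patch lists the same bugs (check its
# README). The inventory excerpts below are constructed sample data.

REQ_OPATCH_ID=19360945                                  # General/OUI/Inventory
REQ_BUGS_OHS="26398022 19901079 20222451 25191174"      # Patch 27244723 (CPUJan2018)
REQ_BUGS_OSS="26591558 26318200"                        # Patch 27369653 (CPUApr2018)

# Patch IDs from lines of the form "Patch  NNNNNNNN     : applied on ...".
inv_patch_ids() { awk '/^Patch[ \t]+[0-9]+[ \t]*:/ { print $2 }' "$1"; }

# Every bug number listed under any "Bugs fixed:" heading (comma-separated lines).
inv_bugs_fixed() {
  awk '/Bugs fixed/ { inlist = 1; next }
       inlist && /^[ \t]*[0-9][0-9, ]*$/ { gsub(/,/, " "); for (i = 1; i <= NF; i++) print $i; next }
       { inlist = 0 }' "$1" | sort -u
}

# fips_patch_status INVENTORY_FILE: print what is missing, return 1 if anything is.
fips_patch_status() {
  _inv=$1 _rc=0
  _ids=" $(inv_patch_ids "$_inv" | tr '\n' ' ') "
  _bugs=" $(inv_bugs_fixed "$_inv" | tr '\n' ' ') "
  case $_ids in
    *" $REQ_OPATCH_ID "*) ;;
    *) echo "missing Patch $REQ_OPATCH_ID (OPatch fix, apply before any other patch)"; _rc=1 ;;
  esac
  for _b in $REQ_BUGS_OHS; do
    case $_bugs in *" $_b "*) ;; *) echo "missing OHS fix for bug $_b (Patch 27244723 or a newer OHS CPU patch)"; _rc=1 ;; esac
  done
  for _b in $REQ_BUGS_OSS; do
    case $_bugs in *" $_b "*) ;; *) echo "missing SSL/Networking fix for bug $_b (Patch 27369653 or a newer OSS CPU patch)"; _rc=1 ;; esac
  done
  return $_rc
}

# ---- constructed lsinventory excerpts (dates and layout are illustrative) ----
INV_DIR=$(mktemp -d)
INV_OK=$INV_DIR/inventory.all; INV_PARTIAL=$INV_DIR/inventory.partial
cat >"$INV_OK" <<'EOF'
Interim patches (3) :

Patch  27369653     : applied on Mon Apr 23 09:12:44 BST 2018
Patch description:  "MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 26591558 26318200 (CPUApr2018)"
   Bugs fixed:
     26591558, 26318200

Patch  27244723     : applied on Thu Feb 01 10:00:00 GMT 2018
Patch description:  "MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 26398022 19901079 20222451 25191174 (CPUJan2018)"
   Bugs fixed:
     26398022, 19901079, 20222451
     25191174

Patch  19360945     : applied on Tue Aug 12 15:30:00 BST 2014
Patch description:  "OPATCH 13.2.0.0.0 FAILS TO GET PRODUCT DIRECTORIES FOR A GIVEN SYMBOL"
   Bugs fixed:
     19360945
EOF
# The same host before the SSL/Networking (OSS) patch was applied.
sed '/^Patch  27369653/,/^$/d' "$INV_OK" >"$INV_PARTIAL"

echo "== fully patched host =="
fips_patch_status "$INV_OK" && echo "-> all required patches present"
echo "== host missing the OSS patch =="
fips_patch_status "$INV_PARTIAL" || echo "-> apply the missing patches before enabling SSLFIPS"
```

On a real instance, save the listing with `opatch lsinventory > inventory.txt` and run `fips_patch_status inventory.txt`; the functions only read the file, so the check can be run from any host.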

 

Configuration Steps

The documentation for configuring Oracle HTTP Server (OHS) 12.1.3 for FIPS 140-2 (aka SSLFIPS) is scheduled to be updated in a future Oracle documentation refresh.

Internal Bug:
<BUG 23522548> - UPDATES REQUIRED TO OHS 12.1.3 FIPS DOCUMENTATION

 

New SSLFIPS Mode configuration is documented here:

Fusion Middleware Administering Oracle HTTP Server
  - What's New in Oracle HTTP Server 12c (12.1.3)
    - SSL FIPS Mode Can Be Configured as a SSLFIPS Directive
      https://docs.oracle.com/middleware/1213/webtier/administer-ohs/whats_new.htm#HSADM1173

 

The above documentation has replaced the older original versions. Points and steps to consider when following the original documentation:


1) The following note from the original documentation is no longer applicable:

"FIPS support for Oracle HTTP Server Windows platform is not available in the current release"

 -- FIPS is now supported on Windows with the above patches applied.

 

2) The cipher suites supported in SSLFIPS mode are:

SSL_RSA_WITH_3DES_EDE_CBC_SHA  * see update below
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  * see update below
ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA

NOTE: Several of the above ciphers (marked in bold in the original article) were originally missing from the OHS 12.1.3 documentation.


3) When configuring SSLFIPS mode, you may now implement a standard RSA or newer ECC certificate from your Certificate Authority. Note the following when configuring:

4) Update January 21, 2018: The following note was released with the Critical Patch Update October 2017 to align with the patches released at that time. The table above lists the newer cumulative January 2018 patches, but you should always apply the latest and follow any additional instructions from the Critical Patch Update to secure the server. Related to SSL, the following note describes how to adjust SSLCipherSuite on existing configured instances:

<Note 2314658.1> - SSL Configuration Required to Secure Oracle HTTP Server After Applying Security Patch Updates

 

Known Issues

1.  Problem: 

The OHS server may fail to start with the following message in the OHS server log (<OHS_instance>.log):

"A full restart is needed when wallet file changed on-the-fly!"

Solution:

This occurs when an AES-encrypted wallet is not used with SSLFIPS On (FIPS mode on). Enabling SSLFIPS mode in Oracle HTTP Server requires a wallet created with AES-encrypted (compat_v12) headers. A wallet may be configured in several locations, so check all of them: the Oracle wallet is typically configured in ssl.conf and admin.conf, but may also be referenced elsewhere depending on your environment and custom configuration.

To create a new wallet with AES encryption, or to convert an existing wallet to AES encryption, see these sections in Administering Oracle Fusion Middleware:

"orapki"
  https://www.oracle.com/pls/topic/lookup?ctx=fmw121300&id=ASADM10177

"Creating an Oracle Wallet with AES Encryption"
  https://www.oracle.com/pls/topic/lookup?ctx=fmw121300&id=ASADM12006

"Converting an Existing Wallet to Use AES Encryption"
  https://www.oracle.com/pls/topic/lookup?ctx=fmw121300&id=ASADM12007
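Configuration step 2 above lists the cipher suites allowed in SSLFIPS mode, and Known Issue 1 says every wallet referenced by ssl.conf, admin.conf or elsewhere must be an AES (compat_v12) wallet before SSLFIPS On. The script below is an added example, not part of the Oracle note or the OHS product: it audits configuration files for "SSLFIPS On" and for cipher suites outside that list, flags the 3DES suites the note marks "see update", and collects every SSLWallet path so each can be converted. SSLFIPS, SSLCipherSuite, SSLWallet and SSLProtocol are the OHS mod_ossl directive names; the file contents, wallet paths and password placeholder are constructed sample data, and the orapki conversion command is printed as a dry run rather than executed (its flags follow the "Converting an Existing Wallet to Use AES Encryption" section linked above; confirm them there for your release).

```shell
#!/bin/sh
# Added example (not from the Oracle note): audit OHS 12.1.3 ssl.conf/admin.conf
# for the SSLFIPS prerequisites the note describes, and list every SSLWallet that
# must be an AES (compat_v12) wallet before SSLFIPS On. SSLFIPS, SSLCipherSuite,
# SSLWallet and SSLProtocol are the OHS mod_ossl directive names; the file
# contents, paths and password placeholder below are constructed sample data.

# Cipher suites the note lists as supported in SSLFIPS mode.
FIPS_SUITES="SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_GCM_SHA256 RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE_RSA_WITH_AES_256_CBC_SHA"

is_fips_suite() { printf '%s\n' $FIPS_SUITES | grep -qxF -- "$1"; }

# Value of the last uncommented DIRECTIVE in FILE (later wins), quotes stripped.
conf_get() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
    | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' | tr -d '"'
}

# check_fips_conf FILE: print every finding, return 1 if the file is not FIPS-ready.
check_fips_conf() {
  _f=$1 _rc=0
  _fips=$(conf_get "$_f" SSLFIPS | tr '[:upper:]' '[:lower:]')
  if [ "$_fips" != "on" ]; then
    echo "$_f: SSLFIPS is '${_fips:-unset}', expected On"; _rc=1
  fi
  _suites=$(conf_get "$_f" SSLCipherSuite | tr ',' ' ')
  if [ -z "$_suites" ]; then
    echo "$_f: SSLCipherSuite is not set explicitly"; _rc=1
  fi
  for _s in $_suites; do
    _name=${_s#+}                       # OHS accepts a leading '+' on a suite name
    if ! is_fips_suite "$_name"; then
      echo "$_f: $_name is not in the SSLFIPS cipher list"; _rc=1
    fi
    case $_name in
      *3DES*) echo "$_f: $_name is 3DES, flagged 'see update' in the note (Note 2314658.1)" ;;
    esac
  done
  return $_rc
}

# list_wallets FILE...: every distinct SSLWallet path across the given files.
list_wallets() {
  for _f in "$@"; do
    grep -i '^[[:space:]]*SSLWallet[[:space:]]' "$_f" \
      | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' | tr -d '"'
  done | sort -u
}

# Dry run: print the orapki conversion for each wallet found; nothing is executed.
wallet_convert_cmds() {
  list_wallets "$@" | while read -r _w; do
    printf 'orapki wallet convert -wallet "%s" -pwd <wallet_password> -compat_v12\n' "$_w"
  done
}

# ---- constructed sample configuration files ----
WORK=$(mktemp -d)
WEAK_CONF=$WORK/ssl.conf.before; FIPS_CONF=$WORK/ssl.conf.after; ADMIN_CONF=$WORK/admin.conf
cat >"$WEAK_CONF" <<'EOF'
<VirtualHost *:4443>
  SSLEngine on
  SSLFIPS off
  SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_AES_128_CBC_SHA
  SSLWallet "/u01/oracle/instance/config/OHS/ohs1/keystores/default"
</VirtualHost>
EOF
cat >"$FIPS_CONF" <<'EOF'
<VirtualHost *:4443>
  SSLEngine on
  SSLFIPS On
  SSLProtocol TLSv1.2
  SSLCipherSuite RSA_WITH_AES_256_GCM_SHA384,RSA_WITH_AES_128_GCM_SHA256,ECDHE_RSA_WITH_AES_256_CBC_SHA
  SSLWallet "/u01/oracle/instance/config/OHS/ohs1/keystores/default"
</VirtualHost>
EOF
cat >"$ADMIN_CONF" <<'EOF'
SSLEngine on
SSLFIPS On
SSLCipherSuite SSL_RSA_WITH_AES_256_CBC_SHA
SSLWallet "/u01/oracle/instance/config/OHS/ohs1/keystores/proxy"
EOF

echo "== ssl.conf before =="; check_fips_conf "$WEAK_CONF" || echo "-> not ready for SSLFIPS On"
echo "== ssl.conf after  =="; check_fips_conf "$FIPS_CONF" && echo "-> passes"
echo "== wallets that must be AES (compat_v12) before SSLFIPS On =="
wallet_convert_cmds "$FIPS_CONF" "$ADMIN_CONF"
```

Run `check_fips_conf` against each file that carries SSL directives and `list_wallets` across all of them together, since a wallet that is only referenced from a custom include will otherwise be missed and produce the "A full restart is needed when wallet file changed on-the-fly!" failure at startup. The 3DES suites are reported separately rather than rejected because the note lists them as supported in SSLFIPS mode while pointing to Note 2314658.1 for the post-CPU cipher configuration.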

 
2. Problem:

Installed Oracle Enterprise Manager Cloud Control 13c (which also installs Oracle HTTP Server 12.1.3) and followed the required steps herein and <Note 2202569.1>, "EM 13c, 12c: How to Configure the Enterprise Manager Management Service (OMS) with Secure Socket Layer (SSL) Certificates". After configuring the Oracle Management Service (OMS)'s OHS to use SSLFIPS, the following appears in the OHS error log:

"caught SIGTERM, shutting down"  and  "A full restart is needed when wallet file changed on-the-fly!"

Answer:

Oracle HTTP Server has been certified for FIPS 140-2 as described in this document. Certification testing and approval do not include integrations with other products that install OHS 12.1.3. Other products may use SSL wallets, keystores, or cipher and protocol configurations that do not meet the FIPS 140-2 specifications. OEM Cloud Control 13c environments have not been tested and certified for FIPS compliance. This is on the product roadmap, tracked by ER <Bug 23017209> FIPS 140 COMPLIANCE EVALUATION AND CERTIFICATION OF ENTERPRISE MANAGER.

If any component in the EM stack (OHS, WLS or DB) is configured for FIPS and an issue is encountered, the change will need to be reverted until the complete EM stack has been tested and approved as FIPS compliant. Contact the EM team for more information.


