
Configuration to Secure Oracle HTTP Server 12.2.1.3 Admin Host After Applying Security Patch Updates (Doc ID 2574209.1)

Last updated on MAY 20, 2021

Applies to:

Oracle HTTP Server - Version 12.2.1.3.0 to 12.2.1.3.0 [Release 12c]
Information in this document applies to any platform.





Details

Overview

Beginning with the July 2019 Critical Patch Update (CPU), this document is provided to align with the patches released under the CPU program:

https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Refer to the above link to obtain the latest advisory, then consult the Fusion Middleware Patch Availability Document to find the latest patches.

Beginning with the July 2019 patches for OHS 12.2.1.3, the README and the Patch Availability Document refer to:

<Note 2574209.1> Cumulative README Post-Install Steps for Oracle HTTP Server 12.2.1.3 Critical Patch Update

The information below gives the requirements and steps to secure the OHS Admin Host so that Node Manager communicates with it over Secure Sockets Layer (SSL).

Actions

Terminology

Introduction

Starting with the July 2019 CPU patch, the OHS plugin for Node Manager has been enhanced to use SSL for its communication with the OHS admin host. Node Manager communicates with the admin host over SSL ONLY if the admin host is also configured to support SSL; otherwise it falls back to plain text. It is strongly recommended to configure SSL for the communication between Node Manager and the OHS admin host.

If SSL is not enabled for this communication, OHS still starts successfully, but a WARNING message indicating plain-text communication is logged to the console and to ohs_nm.log during OHS start-up.
    Sample WARNING message:
    "SSL is not enabled for the admin port of 'ohs1'. Thus, the connection between NodeManager and the admin port of 'ohs1' is not secure. SSL must be enabled for this connection. For more information on how to enable SSL for this connection, refer to OHS documentation".

If you wish to enable SSL for the communication between Node Manager and the OHS admin host, see the section "Configuring SSL".

Configuring SSL

1) Server-side configuration

The server-side configuration steps below must be applied to the admin.conf file in the staging directory in order to enable SSL for the OHS admin host.
See the section "Configuring admin.conf file" for instructions on how to make these changes in admin.conf.

1A. Create a wallet

A wallet that contains a certificate signed by a trusted CA must be created.

Requirements for ensuring that the host-name verification step of the SSL handshake succeeds must be considered when choosing the "Common Name" attribute of the certificate's Distinguished Name (DN).
For details about host-name verification, see the section "Ensuring host-name verification succeeds".

    For instructions on how to create a wallet for a standalone installation, refer to steps 1-10 in How to Create a Wallet and Keystore with a REAL Certificate Using keytool and orapki Utilities for Use With OHS Standalone 12c 12.2.1.x <Document 2368714.1>.

    For instructions on how to create a wallet for a collocated installation, refer to How to Create a Wallet and Enable SSL for OHS via Fusion Middleware Control in FMW 12.2.1 <Document 2124504.1>.

It is not possible to enable SSL for the admin host using Fusion Middleware Control. See the section "Enable SSL for the OHS admin host" for information on how to do so.

1B. Enable SSL for the OHS admin host

Enable SSL for the admin host by configuring the mod_ossl directives provided below in a <IfModule ossl_module> block.

• SSLEngine ON
    For more information, refer to SSLEngine Directive.

• SSLProtocol TLSv1.2
   For more information, refer to SSLProtocol Directive.
   It is recommended to set this directive to use TLSv1.2 as other protocols have been deprecated.

• SSLCipherSuite <Cipher List>
   Refer to SSL Configuration Required to Secure Oracle HTTP Server After Applying Security Patch Updates <Document 2314658.1> to obtain the current list of cipher suites to use.

• SSLWallet "<Wallet Location>"
   Set this directive to the wallet created in section "Create a wallet".
   For more information, refer to SSLWallet Directive.

• ServerName <HOSTNAME>
   The ServerName directive must be used to set the host name for the OHS admin host.
   For information on how to arrive at the correct host name, see “Ensuring host-name verification succeeds.”

Sample configuration

#[Listen] OHS_PROXY_PORT
Listen <IP>:<PORT>
#[VirtualHost] OHS_PROXY_VH
<VirtualHost <IP>:<PORT>>
ServerName <HOSTNAME>
<Location /dms/>
  SetHandler dms-handler
  Require all granted
</Location>
CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs ${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/admin_log 43200" common
<IfModule ossl_module>
  SSLEngine on
  SSLProtocol TLSv1.2
  SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA
  SSLWallet "<WALLET LOCATION>"
</IfModule>
</VirtualHost>

Note: <IP>, <PORT>, <HOSTNAME>, and <WALLET LOCATION> all require your environment's details. The wallet path must be enclosed in straight double quotes. The cipher list above is the one current when this note was written; the TLS_RSA_* and SSL_RSA_* suites in it use RSA key exchange and therefore provide no forward secrecy, so take the list from Document 2314658.1 rather than copying this one.
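The script below is an added example and is not part of this Oracle note. It lints the admin-host virtual host in a copy of admin.conf for the directives listed in "Enable SSL for the OHS admin host" before OHS is restarted, reporting every problem at once (SSLEngine not on, an SSLProtocol that is not exactly TLSv1.2, a missing cipher list, a wallet path not in straight double quotes, a ServerName that is missing, still a placeholder, or an IP address). The two sample files it writes are constructed for the demo, modelled on the sample configuration above and on the rollback form from the deinstallation section; the paths, port, host name and the shortened cipher list in them are made up.

```shell
#!/bin/sh
# Added example, not part of this note: lint the admin-host <VirtualHost> in
# admin.conf for the directives required above before restarting OHS.
# Needs only sed, grep and awk. The paths, ports and host names are made up.

# check_admin_conf FILE: exit 0 if the admin host is fully SSL-enabled,
# 1 otherwise. Every problem found is written to stderr, so one run reports
# all of them instead of one per restart attempt.
check_admin_conf() {
  f="$1"; rc=0
  # Keep directive lines only: drop leading whitespace and comment lines.
  body=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$f")
  has() { printf '%s\n' "$body" | grep -q "$1"; }

  has '^<IfModule[[:space:]][[:space:]]*ossl_module>' ||
    { echo "FAIL: no <IfModule ossl_module> block" >&2; rc=1; }
  has '^SSLEngine[[:space:]][[:space:]]*[Oo][Nn]$' ||
    { echo "FAIL: SSLEngine is not on; Node Manager will use plain text" >&2; rc=1; }
  # Exactly TLSv1.2: "SSLProtocol all" or "TLSv1 TLSv1.2" would re-enable
  # the deprecated protocols.
  has '^SSLProtocol[[:space:]][[:space:]]*TLSv1\.2$' ||
    { echo "FAIL: SSLProtocol must be exactly TLSv1.2" >&2; rc=1; }
  has '^SSLCipherSuite[[:space:]][[:space:]]*[^[:space:]]' ||
    { echo "FAIL: SSLCipherSuite missing or empty" >&2; rc=1; }
  # The wallet path must be in straight double quotes; typographic quotes
  # pasted from a document are ordinary characters to the config parser.
  if has '^SSLWallet'; then
    has '^SSLWallet[[:space:]][[:space:]]*"[^"][^"]*"$' ||
      { echo "FAIL: SSLWallet path must be in straight double quotes" >&2; rc=1; }
  else
    echo "FAIL: SSLWallet directive missing" >&2; rc=1
  fi
  # Host-name verification matches the certificate CN against ServerName,
  # so ServerName must be present, filled in, and a name rather than an IP.
  sn=$(printf '%s\n' "$body" | awk '$1=="ServerName"{print $2; exit}')
  case "$sn" in
    '')         echo "FAIL: ServerName missing" >&2; rc=1 ;;
    '<'*'>')    echo "FAIL: ServerName placeholder $sn not replaced" >&2; rc=1 ;;
    *[!0-9.]*)  ;;   # has letters or hyphens: a host name, accepted
    *)          echo "FAIL: ServerName $sn is an IP address, not a name" >&2; rc=1 ;;
  esac
  return $rc
}

# write_sample_conf FILE on|off: write a constructed admin.conf modelled on
# the note's samples: the SSL-enabled form, or the rollback form with
# SSLEngine off. Values are placeholders for the demo only.
write_sample_conf() {
  if [ "$2" = on ]; then
    cat >"$1" <<'EOF'
#[Listen] OHS_PROXY_PORT
Listen 10.0.0.5:7779
<VirtualHost 10.0.0.5:7779>
ServerName ohs1.example.com
<Location /dms/>
  SetHandler dms-handler
  Require all granted
</Location>
<IfModule ossl_module>
  SSLEngine on
  SSLProtocol TLSv1.2
  SSLCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  SSLWallet "/u01/domains/base_domain/config/fmwconfig/components/OHS/ohs1/keystores/admin"
</IfModule>
</VirtualHost>
EOF
  else
    cat >"$1" <<'EOF'
Listen 10.0.0.5:7779
<VirtualHost 10.0.0.5:7779>
<Location /dms/>
  SetHandler dms-handler
  Require all granted
</Location>
<IfModule ossl_module>
  SSLEngine off
</IfModule>
</VirtualHost>
EOF
  fi
}

# Demo: the SSL-enabled sample passes, the rollback sample is reported.
tmp=$(mktemp -d)
for form in on off; do
  write_sample_conf "$tmp/admin_$form.conf" "$form"
  if check_admin_conf "$tmp/admin_$form.conf"; then
    echo "admin_$form.conf: admin host is SSL-enabled"
  else
    echo "admin_$form.conf: NOT secure (see messages above)"
  fi
done
rm -rf "$tmp"
```

Once OHS has been restarted with the real file, `openssl s_client -connect <IP>:<PORT> -tls1_2 -servername <HOSTNAME> </dev/null` shows the certificate the admin host actually presents: the subject CN must equal the ServerName you configured and the negotiated protocol must be TLSv1.2, which is the same check Node Manager performs during its handshake.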

 

2) Client-side configuration

Configure trust for the Node Manager

Ensure that Node Manager is able to trust the certificate configured for the OHS admin host. This is done by exporting the root CA certificate that signed the user certificate in the OHS admin host's wallet and importing it into Node Manager's wallet for the instance as a trusted certificate. The OHS plugin for Node Manager has been enhanced to maintain a per-instance wallet that contains the trusted certificates for that instance's OHS admin host.
Node Manager's wallet for an instance is configured by adding the "nm-wallet" property to the ohs.plugins.nodemanager.properties file under $DOMAIN_HOME/config/fmwconfig/components/${COMPONENT_TYPE}/${COMPONENT_NAME} and setting it to the full path of the wallet directory that contains the trusted certificates.
Sample commands to set up trust for Node Manager:

1.  Export the root CA certificate that signed the user certificate present in the OHS admin host's wallet-
$ orapki wallet export -wallet <server_wallet_path> -dn "DN for root CA certificate" -cert <root_CA.crt>

2.  Create a wallet for the Node Manager
$ orapki wallet create -wallet <DIR>/my_nm_wallet_dir -auto_login_only

This will create a cwallet.sso within the my_nm_wallet_dir directory. The directory name and path can be set as you require.

3.  Import the certificate for the root CA into the “my_nm_wallet_dir” as a trusted certificate
$ orapki wallet add -wallet <DIR>/my_nm_wallet_dir -trusted_cert -cert <root_CA.crt> -auto_login_only

4.  Configure the "nm-wallet" property of the ohs.plugins.nodemanager.properties file to point to Node Manager's wallet directory.
  a. Open $DOMAIN_HOME/config/fmwconfig/components/${COMPONENT_TYPE}/${COMPONENT_NAME}/ohs.plugins.nodemanager.properties in an editor.
  b. Add nm-wallet=<DIR>/my_nm_wallet_dir at the end of the file. If you used a different directory, adjust accordingly.

For information on how to identify the trusted root CA, see How to Identify the Correct Trusted Root Certificate Authority Certificate(s) for a User Certificate? <Document 1368940.1>

Note: It is not possible to use Enterprise Manager Fusion Middleware Control (EM FMWC) or WLST to add the nm-wallet property to the ohs.plugins.nodemanager.properties file. It must be done manually by opening the file in a text editor.
For detailed steps, see the section "Modifying an Oracle HTTP Server Configuration File" in the OHS administration guide; it covers instances that are part of a WebLogic domain as well as standalone instances.
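The script below is an added example and is not part of this Oracle note. It wraps steps 1 to 4 above in one re-runnable function and separates the part that matters on a second run: the nm-wallet property must be updated in place, not appended a second time, and the file may not end with a newline when you append to it. The orapki steps are the same commands as above and are only exercised where orapki is on the PATH; the wallet paths, the root CA DN, and the properties-file content used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of this note: the client-side trust set-up as one
# re-runnable script. Wallet paths and the root CA DN are assumptions.

# set_nm_wallet PROPS DIR: add or update "nm-wallet=DIR" in an
# ohs.plugins.nodemanager.properties file. Re-running must not leave a
# second nm-wallet line behind, which is what repeated copy-and-paste does.
set_nm_wallet() {
  props="$1"; dir="$2"
  if grep -q '^[[:space:]]*nm-wallet[[:space:]]*=' "$props"; then
    # '|' as the sed delimiter because the value is a path full of '/'.
    sed "s|^[[:space:]]*nm-wallet[[:space:]]*=.*|nm-wallet=$dir|" "$props" >"$props.tmp" &&
      mv "$props.tmp" "$props"
  else
    # Append on a fresh line even if the file does not end with a newline.
    [ -s "$props" ] && [ "$(tail -c1 "$props")" != "" ] && printf '\n' >>"$props"
    printf 'nm-wallet=%s\n' "$dir" >>"$props"
  fi
}

# get_nm_wallet PROPS: print the effective value (last key wins, which is
# how a Java properties file with duplicate keys is read).
get_nm_wallet() {
  awk -F= '$1 ~ /^[ \t]*nm-wallet[ \t]*$/ { v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v) } END { print v }' "$1"
}

# setup_nm_trust SERVER_WALLET ROOT_CA_DN NM_WALLET_DIR PROPS: steps 1-4 of
# the note in order. Requires orapki on the PATH (assumed to live under
# $ORACLE_HOME/oracle_common/bin); not run by the demo below.
setup_nm_trust() {
  srv="$1"; dn="$2"; nm="$3"; props="$4"
  ca="$(dirname "$nm")/root_ca.crt"
  # 1. export the root CA certificate that signed the admin host's user cert
  orapki wallet export -wallet "$srv" -dn "$dn" -cert "$ca" || return 1
  # 2. create the auto-login Node Manager wallet (cwallet.sso) if absent
  [ -f "$nm/cwallet.sso" ] || orapki wallet create -wallet "$nm" -auto_login_only || return 1
  # 3. import the root CA as a trusted certificate
  orapki wallet add -wallet "$nm" -trusted_cert -cert "$ca" -auto_login_only || return 1
  # 4. point the plugin at the wallet, then show what Node Manager now trusts
  set_nm_wallet "$props" "$nm"
  orapki wallet display -wallet "$nm"
}

# Demo of the pure-shell part on a constructed properties file (not a real
# instance file); it deliberately lacks a trailing newline.
tmp=$(mktemp -d)
p="$tmp/ohs.plugins.nodemanager.properties"
printf '# constructed sample\nrestart-max=2' >"$p"
set_nm_wallet "$p" /u01/oracle/nm_wallet
set_nm_wallet "$p" /u01/oracle/nm_wallet_v2   # second run updates, no duplicate
echo "nm-wallet is now: $(get_nm_wallet "$p")"
rm -rf "$tmp"
```

After running setup_nm_trust against the real instance, restart OHS and confirm that the plain-text WARNING from the Introduction no longer appears in ohs_nm.log; if the handshake fails instead, the CN of the admin host's certificate and the ServerName in admin.conf are the first two things to compare.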

The Oracle documentation for 12.2.1.4 contains the same information about the admin host:
Administering Oracle HTTP Server
Configuring SSL for Admin Port
https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/12.2.1.4/administer-ohs/getstart.html#GUID-24E159D9-E7E3-43B5-A4B6-0B29D2B00020

Cross-platform Properties
nm-wallet
https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/12.2.1.4/administer-ohs/cross-platform-properties.html

References

1) Configuring admin.conf file

It is not possible to use Fusion Middleware Control to configure admin.conf. Whenever configuration changes have to be made to admin.conf, they must be made manually by opening the file in a text editor.
For detailed steps:
See Modifying an Oracle HTTP Server Configuration File for instances that are part of a WebLogic domain.
See Staging and Run-time Configuration Directories for standalone instances.

2) Ensuring host-name verification succeeds

Host-name verification happens as part of the SSL handshake between Node Manager and the OHS admin host. It succeeds if the host name in the admin host URL to which Node Manager connects matches the host name in the certificate that the OHS admin host presents during the SSL handshake. To ensure that this step passes, the host name for the OHS admin host must be configured correctly, as described below.

2A. ServerName directive configuration
2B. Listen directive configuration

Additional Notes

Sample User Error and WARNING messages

Configuring a New OHS Instance after Patching

If an instance is created after this patch is applied, the generated admin.conf is SSL-enabled by default, because the template files used to generate admin.conf are updated by the patching process. However, the Admin Host of the newly created instance is configured to use the 'default' wallet, which holds a self-signed certificate. For security reasons the Admin Host must be changed after configuration to use a CA-signed certificate, following the process in "Configuring SSL".
Additionally, the generated self-signed certificate does not use a common name matching the hostname of your server. If the OHS instance is created with an Admin Host name matching the hostname of your server, OHS fails to start because Node Manager cannot complete the SSL handshake with the Admin Host. This applies to any method of creating an OHS instance, including config.sh, WLST, and Fusion Middleware Control. To correct this, obtain a CA-signed certificate with a common name matching your hostname as described in "Configuring SSL", or disable SSL (not recommended).


If you change the Admin Host from the default IP address to any other IP address during configuration, OHS fails to start and the failure is recorded in the Node Manager log.

To ensure a functional OHS out of the box via config.sh, use the default Admin Host configuration during configuration:

    1. Launch the Configuration Wizard (config.sh/config.cmd) from the <ORACLE_HOME>/oracle_common/common/bin directory.
    2. Proceed through the screens to create/update a domain and add an OHS system component.
    3. On the 'OHS Server' screen, do not modify the default 'Admin Host' value. You may modify the other values as needed.
    4. Proceed through the remaining screens to complete the configuration.

OHS will now start using the default wallet created during the configuration. The Admin Host and wallet can now be changed at your leisure by following the "Configuring SSL" section.

Deinstallation Instructions

If you experience any problems after installing this patch, disable SSL in admin.conf and remove the patch as follows:

  1. Disable SSL in admin.conf.
    Change 'SSLEngine on' to 'SSLEngine off' rather than removing the SSL directives, since you will most likely reapply the patch once the issue is solved.
    Alternatively, all SSL changes can be rolled back. An example admin.conf with SSL disabled:

    #[Listen] OHS_PROXY_PORT
    Listen <IP>:<PORT>
    #[VirtualHost] OHS_PROXY_VH
    <VirtualHost <IP>:<PORT>>
    <Location /dms/>
    SetHandler dms-handler
    Require all granted
    </Location>
    CustomLog "||${PRODUCT_HOME}/bin/odl_rotatelogs ${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/admin_log 43200" common
    <IfModule ossl_module>
    SSLEngine off
    </IfModule>
    </VirtualHost>


  2. Change to the directory where the patch was unzipped.
    cd PATCH_TOP/<PATCH_NUMBER>

  3. Run OPatch to deinstall the patch.
    opatch rollback -id <PATCH_NUMBER>

IBM JDK

If using the IBM JDK, Node Manager must be configured to support TLSv1.2. This can be done via nodemanager.sh by adding additional JAVA_OPTIONS.

Refer to: Problems with TLS 1.2 Minimum Cipher Suite for Weblogic Running on IBM JDK <Document 2238984.1>


