As many of you know, Oracle REST Data Services (ORDS) front-ends APEX to provide HTTP(S) connectivity to your APEX instance running inside an Oracle database. Here’s how you would go about installing a CA-signed SSL certificate on your ORDS instance. I am using Comodo as the CA here.
In an Oracle database cloud service instance, the ORDS configuration is in /u01/app/oracle/product/ords/conf/ords/standalone by default.
The Jetty configuration for certificates is held in ‘standalone.properties’.
If ORDS is started without a specific certificate and key, it generates its own self-signed certificate for ‘localhost’.
To replace this with a valid, trusted certificate, follow the steps below.
Requesting and Installing the Certificate
1) Generate a new RSA private key and PKCS#10 CSR using the key
$ sudo openssl req -new -newkey rsa:2048 -nodes -keyout comodokey.pem -out comodorequest.csr

Note that during this process you are asked for ‘Common Name (eg, your name or your server’s hostname) []:’. This should be a valid Fully Qualified Domain Name (FQDN) that you have pointed at the IP address of your Oracle Cloud instance. Using the public IP directly will take much longer to validate and issue your certificate, and using a non-public name like ‘localhost’ or ‘myoracle.local’ will not work.
2) Take the contents of the CSR (‘comodorequest.csr’) and purchase a certificate with it on Comodo’s website.
You may get a 90-day free trial for test purposes – https://ssl.comodo.com/free-ssl-certificate.php?track=8177
$ sudo cat comodorequest.csr

3) Once you have received your signed certificate, extract two files to your server: ‘your.fqdn.crt’ and ‘COMODORSADomainValidationSecureServerCA.crt’.
These need to be concatenated into a single file, with the server certificate first:
$ sudo sh -c 'cat your.fqdn.crt COMODORSADomainValidationSecureServerCA.crt > comodocert.crt'
4) Convert the PEM private key into a format Jetty uses (PKCS8, in DER format)
$ sudo openssl pkcs8 -topk8 -inform PEM -outform DER -in comodokey.pem -out comodokey.key -nocrypt
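5) Ensure the permissions of all of the required files are correct
$ sudo chmod 644 comodokey.key comodocert.crt
Note that 644 leaves the unencrypted private key readable by every local user. Only the certificate needs to be world-readable; the key can be restricted to the account that ORDS runs as (owner-only, mode 600), and the same applies to the original comodokey.pem.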
6) Edit the configuration file to use the new certificate and key
$ sudo nano standalone.properties
Edit the following lines:
ssl.cert=/u01/app/oracle/product/ords/conf/ords/standalone/comodocert.crt
ssl.cert.key=/u01/app/oracle/product/ords/conf/ords/standalone/comodokey.key
7) Restart ORDS
$ sudo /etc/init.d/ords restart
Your certificate is now installed and will function with no errors or warnings on:
https://your.fqdn.here/
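A pre-restart check for the files produced in steps 3 to 5, added here as an example and not part of the original post or of ORDS: it confirms that the key is DER, that the first certificate in the bundle matches it, and that the key is not accessible beyond its owner. The helper names check_ords_tls and make_demo are hypothetical, and make_demo only builds a constructed throwaway certificate so the check can be tried offline.

```shell
#!/bin/sh
# Added example: checks on the step 3-5 outputs before ORDS is restarted.
# check_ords_tls and make_demo are hypothetical helper names, not ORDS tooling.

# Public key of the FIRST certificate in a PEM bundle. TLS expects the server
# certificate first, with the CA certificate after it.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from an unencrypted DER private key (step 4 output).
key_pubkey() { openssl pkey -inform DER -in "$1" -pubout; }

# usage: check_ords_tls <bundle.crt> <key.key>
# returns 0 ok, 1 unreadable input, 2 key/certificate mismatch, 3 loose key mode
check_ords_tls() {
    bundle=$1; key=$2
    if grep -q -- '-----BEGIN' "$key" 2>/dev/null; then
        echo "key is PEM; step 4 (PKCS#8 DER conversion) was skipped"; return 1
    fi
    kp=$(key_pubkey "$key" 2>/dev/null) ||
        { echo "key is not a readable DER private key"; return 1; }
    cp=$(cert_pubkey "$bundle" 2>/dev/null) ||
        { echo "bundle does not start with a PEM certificate"; return 1; }
    [ "$kp" = "$cp" ] ||
        { echo "first certificate in bundle does not match the key"; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "key is accessible beyond its owner ($perms)"; return 3; }
    echo "ok"
}

# Constructed demo input: throwaway self-signed certificate and key for a
# placeholder name, written into the directory given as $1.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=your.fqdn.here" \
        -keyout "$1/key.pem" -out "$1/cert.crt" 2>/dev/null &&
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$1/key.pem" -out "$1/key.key"
}
```

Against the real files this would be called as check_ords_tls comodocert.crt comodokey.key from the standalone directory; a return of 2 usually means the CA certificate was concatenated ahead of the server certificate.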
