
A blog about Oracle's Database Cloud Service Technology

  • June 19, 2017

Installing a trusted SSL certificate on Oracle Database Cloud Service for Apex

Kris Bhanushali
Sr. Principal Product Manager

As many of you know, Oracle REST Data Services (ORDS) front-ends APEX to provide HTTP(S) connectivity to the APEX instance running inside an Oracle database. Here is how to install a CA-signed SSL certificate on an ORDS instance. I am using Comodo as a CA here.

In an Oracle Database Cloud Service instance the ORDS configuration lives in /u01/app/oracle/product/ords/conf/ords/standalone by default.

The Jetty configuration for certificates is held in 'standalone.properties'.

If ORDS is started without a specific certificate and key, it generates its own self-signed certificate for 'localhost'.

To replace this with a valid, trusted certificate, follow the steps below.

Requesting and Installing the Certificate

1) Generate a new RSA private key and a PKCS#10 CSR for that key

$ sudo openssl req -new -newkey rsa:2048 -nodes -keyout comodokey.pem -out comodorequest.csr

Note that during this process you are asked for 'Common Name (eg, your name or your server's hostname) []:'. This should be a valid Fully Qualified Domain Name (FQDN) that you point at the IP address of your Oracle Cloud instance. Using the public IP directly will take much longer to validate and issue your certificate, and using a non-public name like 'localhost' or 'myoracle.local' will not work.

2) Take the contents of the CSR ('comodorequest.csr') and purchase a certificate with it on Comodo's website.

You may get a 90-day free trial for test purposes - https://ssl.comodo.com/free-ssl-certificate.php?track=8177

$ sudo cat comodorequest.csr

3) Once you have received your signed certificate, extract two files to your server: 'your.fqdn.crt' and 'COMODORSADomainValidationSecureServerCA.crt'.

These need to be concatenated, in this order, into a single file:

$ sudo cat <your.fqdn.crt> COMODORSADomainValidationSecureServerCA.crt > comodocert.crt

4) Convert the PEM private key into the format Jetty uses (PKCS#8, DER encoded)

$ sudo openssl pkcs8 -topk8 -inform PEM -outform DER -in comodokey.pem -out comodokey.key -nocrypt

5) Ensure the permissions of all of the required files are correct

$ sudo chmod 644 comodokey.key comodocert.crt

6) Edit the configuration file to use the new certificate and key

$ sudo nano standalone.properties

Edit the following lines so they point at the new certificate bundle and key:

ssl.cert=/u01/app/oracle/product/ords/conf/ords/standalone/comodocert.crt

ssl.cert.key=/u01/app/oracle/product/ords/conf/ords/standalone/comodokey.key

7) Restart ORDS

$ sudo /etc/init.d/ords restart

Your certificate is now installed and will function with no errors or warnings on:

https://your.fqdn.here/
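Before restarting ORDS it is worth confirming that the step 3 bundle is ordered server certificate, intermediate, root, and that the PKCS#8 key from step 4 belongs to that certificate, since a misordered or incomplete chain is what clients report as "unable to verify the first certificate". The script below is an added example, not code from this post or from ORDS; it assumes only the openssl CLI and builds a throwaway chain with constructed names to run the checks against.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the files built in
# steps 3 and 4 before ORDS is pointed at them. Needs the openssl CLI; all file
# names and the demo chain are constructed here.

# Check that each certificate in a PEM bundle is signed by the one after it
# (server cert, then intermediate, then root), the order step 3 builds.
# Prints "ok" or "bad-order-at-N" (N = position of the cert that failed).
check_chain_order() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERT' "$1"); i=1; result=ok
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        # -partial_chain lets a non-self-signed intermediate act as the trust anchor
        if ! openssl verify -partial_chain -CAfile "$tmp/c$j.pem" "$tmp/c$i.pem" >/dev/null 2>&1; then
            result="bad-order-at-$i"; break
        fi
        i=$j
    done
    rm -rf "$tmp"; echo "$result"
}

# Compare the public key in the certificate with the one derived from the private
# key (PEM, or the PKCS#8 DER file from step 4). Prints "match" or "mismatch".
key_matches_cert() {
    k=$(openssl pkey -inform "${3:-PEM}" -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] && echo match || echo mismatch
}

# Build a throwaway root -> intermediate -> server chain so the checks run offline.
make_demo_chain() {
    d=$1; mkdir -p "$d"; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-root -days 1 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-intermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=apex.example.test \
        -keyout "$d/leaf.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/good.crt"   # step 3 order
    cat "$d/int.crt" "$d/leaf.crt" "$d/root.crt" > "$d/wrong.crt"  # intermediate first
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$d/leaf.pem" -out "$d/leaf.key"                       # step 4 conversion
}
```

Against the real files from the post the calls are `check_chain_order comodocert.crt` and `key_matches_cert comodokey.key comodocert.crt DER`.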

Comments (3)
  • Socrates Friday, August 11, 2017
    Hi Kris and great work!
    We connected with SSH on Oracle Database Cloud, but When we run the command:
    sudo openssl req -new -newkey rsa:2048 -nodes -keyout comodokey.pem -out comodorequest.csr

    we get asked for oracle password!
    Where is it? I tried the password we set for the instance, it doesn't work.
  • Socrates Thursday, August 24, 2017
    Hi Kris,
    Wonderful article, it helped a lot.
    My question is:
    Can we update ORDS on the cloud instance (how?) and if yes, will it affect the SSL we just issued for ORDS 3.0.9 (default on our cloud DBaaS)?
  • Ian Monday, February 12, 2018
    I've taken our site pfx file and used it to create a client crt, ca crt and der key file.

    Then concatenated the client and ca crt files and checked the certificates were in the correct order: client, intermediary, root.

    Intermediary and root certificates are from DigiCert.

    Update Jetty configuration to use these files.

    I'm getting an "unable to verify the first certificate" error when trying to test my API using SwaggerHub, and the following test tool indicates the intermediary certificate is missing.

    https://www.geocerts.com/ssl_checker

    api.orix.co.nz:8443

    If I use www.orix.co.nz:443 (different physical server, same pfx file) all looks OK.

    I'm using ords.17.4.1.353.06.48.

    Any suggestions would be appreciated.