The Latest Technology Stack News Directly from EBS Development

SHA-2 Signed PKI Certificates Certified with EBS 12.1.3

Elke Phelps
Product Management Director

I'm pleased to announce that SHA-2 signed PKI certificates are now certified for inbound connections to the Oracle HTTP Server (OHS) delivered with Oracle E-Business Suite 12.1.3.

As published in a prior blog article, SHA-2 signed PKI certificates are already certified for outbound connections from Oracle E-Business Suite 12.1.3.

Required Steps

If you are enabling SSL/TLS for the first time for Oracle E-Business Suite 12.1.3, refer to the following for all prerequisite requirements and post steps:

Enabling SSL/TLS in Oracle E-Business Suite Release 12, Section 3 (Note 376700.1)

If you have already enabled SSL or TLS and are updating to a SHA-2 signed PKI certificate with the OHS for Oracle E-Business Suite 12.1.3, refer to the following for all prerequisite requirements and post steps:

Enabling SSL/TLS in Oracle E-Business Suite Release 12, Section 11 (Note 376700.1)  

Overview of the Requirements

The following is a summary of the requirements for deploying a SHA-2 signed PKI certificate for inbound connections to the OHS for Oracle E-Business Suite 12.1.3:

  • Update OPatch

If you have not already updated to the OPatch 9i, 10.1 version 1.0.0.0.63 or later, download and install it. For the latest OPatch information, refer to the following:

OPatch for Oracle Application Server 10g (10.1.2, 10.1.3, 10.1.4) (Note 283367.1)

  • Apply the minimum required patch level for the Oracle Fusion Middleware 10.1.3 Oracle Home

The minimum requirement is to upgrade the Oracle Fusion Middleware 10.1.3 Oracle Home to 10.1.3.5 per the following:

Upgrading to the Latest OracleAS 10g 10.1.3.x Patch Set in Oracle E-Business Suite Release 12 (Note 454811.1)

  • Apply the October 2015 CPU to the Oracle Fusion Middleware 10.1.3 Oracle Home

The minimum CPU requirement for the Oracle Fusion Middleware 10.1.3.5 is the October 2015 CPU level (Patch 21845960) per the following:

Oracle E-Business Suite Releases 11i and 12 Critical Patch Update Knowledge Document (October 2015) (Note 2051000.1)

Note: Testing is performed with all CPU patches applied across the technology stack components and the Oracle E-Business Suite. It is possible to apply the October 2015 CPU (Patch 21845960) to FMW 10g without applying the Oracle E-Business Suite October 2015 CPU or Oracle Database October 2015 CPU/PSU; however, we recommend that customers apply the latest CPU across all technology stack components and the Oracle E-Business Suite.

  • Perform all necessary post steps.

Post steps include generating the CSR to obtain the SHA-2 signed PKI certificate from your certificate authority (CA). Once you have the certificate, you will import it using Oracle Wallet.

Refer to the appropriate section in the following My Oracle Support note for the complete list of post-steps for your environment:

Enabling SSL/TLS in Oracle E-Business Suite Release 12, Section 11 (Note 376700.1)

Pending Platform Certifications

For AIX, HP Itanium and Windows, there will be an additional patch required on top of the FMW 10g Oracle Home October 2015 CPU. The required patch is currently in development.

Oracle's revenue recognition policy prohibits us from providing time lines and dates for future certifications and releases. Please monitor this blog for the latest in certification announcements.

Comments ( 24 )
  • Ramasamy Wednesday, October 21, 2015

    Hi Elke,

    This certification is ONLY for Linux and or Solaris?

    Thanks


  • Elke Phelps (Oracle Development) Friday, October 23, 2015

    Ramasamy,

    This announcement regarding the certification of SHA-2 signed PKI certificates for the inbound Oracle HTTP Server with Oracle E-Business Suite 12.1.3 currently includes the following platforms:

    Linux, Solaris and HP PA-RISC.

    We are actively working on the certification for the following platforms: AIX, HP Itanium and Windows

    Please continue to monitor this blog for the latest in certification announcements.

    Regards,

    Elke


  • Joseph Mathew Friday, October 23, 2015

    We have a custom program that uses a certificate in the existing wallet in our PRODUCTION environment that expires OCT 31, 2015.

    This cert is being replaced by a SHA2 cert - but for some reason, I cannot import this trusted cert using the Oracle Wallet Manager in the $ORACLE_HOME/bin directory. This is for the APP tier

    It appears that the OWM for a 12.1.3 install can only handle the import of SHA1 certifications.

    Is there a workaround for this?

    Thanks


  • guest Tuesday, October 27, 2015

    Hi Elke,

    Can I implement on EBS 12.1.2?

    Regards

    Prihatno


  • prihatno Tuesday, October 27, 2015

    Hi Elke,

    Can I implement on EBS 12.1.2?

    Regards

    Prihatno


  • Elke Phelps (Oracle Development) Tuesday, October 27, 2015

    Prihatno,

    In order to receive security updates for Oracle E-Business Suite 12.1, you must be at the minimum required support levels. Please refer to the following for additional information:

    1. Oracle's Lifetime Support Policy

    http://www.oracle.com/us/support/lifetime-support/index.html

    2. E-Business Suite Error Correction Support Policy (Note 1195034.1)

    https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=1195034.1

    Thanks,

    Elke


  • Chandran Tuesday, November 3, 2015

    Hi,

    We are on 12.1.3 and followed the necessary steps and it's not working as expected. We contacted Oracle support and they are asking us to upgrade to R12.2.x.

    Please advise.

    Thanks,

    Chandran


  • Steven Chan Tuesday, November 3, 2015

    Chandran,

    I'm sorry that you're having trouble with this. The answer you've gotten doesn't make much sense to me.

    Can you provide me with the SR number so that we can investigate?

    Regards,

    Steven


  • Chandran Wednesday, November 4, 2015

    Steven,

    Here is the SR number.

    SR 3-11605502531 : SHA-2 SSL certificates not working with E-business Suite 12.1.3 wallet

    Please verify and direct us to fix this issue.

    Thanks,

    Chandran


  • Sudhir Thursday, November 12, 2015

    Dear Steven/Elke,

    We currently import vendor SHA-1 certificates (for XML transmission & punchouts) into $INST_TOP/Apache/certs using wallet manager (10.1.3 owm)

    Our vendor has sent a new SHA-2 cert, which when tried failed to import.

    We are on 12.1.3, with 11.2.0.4 database. We have applied Oct2015 CPU patches & product patches for XML & iProc

    For successful importing of SHA-2 certs, do we enable SSL/TLS for "inbound" (following 376700.1)? I thought the connection is going from EBS to vendor, hence it should be outbound.

    Request more clarity.

    Thank You,

    Sudhir


  • Elke Phelps (Oracle Development) Friday, November 13, 2015

    Sudhir,

    You are correct in that XML Gateway and Punchout are outbound connections. Outbound connections should not require inbound SSL/TLS to be enabled; however, our secure configuration recommendations are for customers to encrypt all traffic: inbound, loopback and outbound.

    When using SHA-2 signed PKI certificates with XML Gateway and Punchout, you should confirm that you have performed any required patching and configuration. Refer to the following:

    Using SHA-2 Signed Certificates with EBS

    https://blogs.oracle.com/stevenChan/entry/using_sha2_signed_certificates_with

    XML Gateway

    Follow the instructions in the patch README and apply the following patch: 19909850

    Punchout

    For Punchout configuration follow the instruction in MOS Doc ID 1177725.1

    For additional details and answers, refer to the following:

    FAQ: Secure Oracle E-Business Suite with SSL, TLS, SHA-2, and Stronger Cipher Suites (Doc ID 2063486.1)

    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2063486.1

    If you continue to have issues, please log a service request. You may email me the SR #.

    Thanks.

    Elke


  • guest Friday, December 11, 2015

    Steven,

    We are having the issue and not getting much response from the support team. We have a very tight timeline to make this change in production, could you please verify and direct us to fix this issue quickly.

    SR 3-11605502531 : SHA-2 SSL certificates not working with E-business Suite 12.1.3 wallet

    Thanks,

    Chandran


  • Steven Chan Friday, December 11, 2015

    Hello, Chandran,

    I'm sorry that you're encountering issues with this.

    I've followed up with Support on this. We will get you back on the road as quickly as possible. Please monitor your SR for updates.

    Regards,

    Steven


  • guest Wednesday, January 6, 2016

    Steven/Elke,

    We are having issues trying to implement the SHA2 SSL certificates, as well. We've been working with support since November and don't seem to be making any progress.

    SR 3-11764959931 : Error importing SHA2 SSL certificate using Oracle Wallet Manager

    Thanks,

    Michelle


  • Karan Kukreja Thursday, February 11, 2016

    Dear Steven,

    We are facing a hard time to figure out which one to use (SHA1 or SHA2). The steps in the note 376700.1 with respect to point "Section 3: Application Tier Setup" are very confusing. It says we can use SHA-2 with 12.1.3, however the engineer on the SR 3-12032736591 has a contradicting response.

    Moreover, if I follow the steps as is from the note under section 3 which reads as below:

    If you are enabling SSL/TLS for the first time, follow steps in Section 3.

    Then the csr generated is MD5 and not SHA2. To make the CSR SHA-2 we had to refer to Section-9 : Signature Algorithm Changes.

    Can you please sort out the confusion.


  • guest Thursday, February 11, 2016

    Hi Steven,

    We are having issues importing SHA2 certificates into 12.1.3. After months of following up with the EBS team and security team, we are told this is as the 10gAS (10.1.3) Wallet Manager DOES NOT support these certificates natively.

    3-12032736591 : Is SHA2 signed certificate compatible with EBS R12.1.3?

    Regards,

    Arvind


  • Elke Phelps (Oracle Development) Thursday, February 11, 2016

    Michelle,

    I'm sorry to hear that you encountered issues when importing the SHA-2 signed PKI certificate.

    I reviewed your service request, SR 3-11764959931. It seems that the issue you encountered was due to a corrupt wallet.

    Thank you for your patience as the support engineers worked through the issue to help determine root cause and provide a solution.

    Regards,

    Elke


  • Elke Phelps (Oracle Development) Thursday, February 11, 2016

    Karan,

    I'm sorry to hear that you are encountering issues with deploying SHA-2 signed PKI certificates with Oracle E-Business Suite 12.1.3.

    Please note:

    - SHA-2 signed PKI certificates are certified for inbound connections to Oracle E-Business Suite 12.1.3.

    - Many certificate authorities are recommending or mandating SHA-2 as the minimum signature algorithm for issuing certificates.

    - Customers may use SHA-1 or SHA-2 signed PKI certificates.

    Which steps you follow in MOS Note 376700.1 are dependent upon whether you are using SHA-1 or SHA-2 signed PKI certificates.

    Your actions:

    1. Decide if you are going to use SHA-1 or SHA-2 signed PKI certificates.

    This is your choice. Both SHA-1 and SHA-2 are certified.

    2. Submit the request to your certificate authority based upon your decision from 1.

    3. Apply all required patches to all nodes in the environment.

    Note:

    What is required is dependent upon your decision to use SHA-1 or SHA-2 signed PKI certificates. (note: There are minimum patch levels required for SHA-2 signed PKI certificates for inbound connections)

    All nodes (external and internal) in an EBS environment must be at the same patching levels.

    I've raised your SR to support management. Please monitor your SR for next steps.

    Regards,

    Elke


  • Joseph Mathew Thursday, February 11, 2016

    I have an SR open for this exact same issue - importing SHA2 certificates using the OWM executables in the 10.1.3 $OH.

    I've had several SR's open for this - and was able to get to the point where I was able to import the wallet.

    However, on SR 3-12163355871, I have encountered a new issue after patching was complete and I was successfully able to import the wallet into the wallet using the OWM executables in the 10.1.3 $OH.

    I am unable to start up the APP tier - the adalnctl.sh step fails with the error

    ----------------------------------------------------------------------

    Connecting to (ADDRESS=(PROTOCOL=TCP)(Host=$HOSTNAME)(Port=1631))

    TNS-12541: TNS:no listener

    TNS-12560: TNS:protocol adapter error

    TNS-00511: No listener

    Linux Error: 111: Connection refused

    adalnctl.sh: exiting with status 0

    ----------------------------------------------------------------------

    Have you seen this with any other customer who has completed the patches required for the OCT 2015 CPU?


  • Elke Phelps (Oracle Development) Thursday, February 11, 2016

    Arvind,

    I'm sorry to hear that you are having issues importing SHA-2 signed PKI certificates into Oracle E-Business Suite 12.1.3.

    As announced in this blog article, Oracle E-Business Suite 12.1.3 is certified with SHA-2 signed PKI certificates for inbound connections.

    I've reviewed your SR, 3-12032736591. Please see my previous response to Karan for this same SR.

    Regards,

    Elke


  • Elke Phelps (Oracle Development) Thursday, February 11, 2016

    Joseph,

    I'm pleased to hear that you were able to resolve your issues importing SHA-2 signed PKI certificates. It's unfortunate that you are now encountering issues when trying to start the application listener.

    To my knowledge, issues starting the application listener after applying the October 2015 CPU have not been reported by other customers. Please monitor your SR for next steps troubleshooting this issue.

    Regards,

    Elke


  • Karan Kukreja Monday, February 15, 2016

    Hi Dear Elke,

    Thanks for your response. I am preparing a step by step doc for the steps we have followed and will share the same with you shortly. Note: We have not sent a request yet to the CA. Post your validation only we will go ahead with that.

    I'll share the URL of the doc shortly. Thanks again.

    - Karan


  • Elke Phelps (Oracle Development) Monday, February 15, 2016

    Karan,

    We in Oracle E-Business Suite Development are here to answer your questions and provide general guidelines and direction; however, the blog and emails are not the best place to get technical support for specific issues like the current item you are encountering. When you are encountering issues with a deployment you should use Oracle Support.

    Please post your questions in the SR and review the subsequent updates for confirmation of next actions.

    In addition to Oracle Support, if you require consultation assistance with your deployment, you should consider contacting your Oracle account manager who can put you in contact with someone from Oracle consulting.

    Regards,

    Elke


  • Karan Kukreja Tuesday, February 16, 2016

    Thanks. We are following up on the SR.

    Best Regards,

    Karan

