X

The Latest Technology Stack News Directly from EBS Development

Using a Reverse Proxy as an SSL/TLS Termination Point for EBS 12.1.3

Elke Phelps
Product Management Director

[Contributing Author:  Madhu Majari]

We are currently working on the certification of SHA-2 with the Oracle HTTP Server (OHS) delivered with Oracle E-Business Suite 12.1.3.  As described in this blog article, a reverse proxy or load balancer can be used until that certification is available.  You can use a reverse proxy or load balancer as the end-point for the encrypted connection that is initiated by a client (for example, a browser). In other words, the reverse proxy or load balancer -- not Oracle HTTP Server -- acts as the TLS termination point. Since that article was published, many customers have requested that we certify a reverse proxy for use as the TLS termination point with Oracle E-Business Suite Release 12.1. I’m pleased to announce that we have completed the certification of HAProxy 1.5.2 with Oracle E-Business Suite 12.1.3. HAProxy is an open source offering that provides load balancing and proxy solutions. The certification of HAProxy 1.5.2 with Oracle E-Business Suite 12.1.3 provides the following configuration options:

  • Certificates signed with SHA-2 for inbound HTTP connections
  • TLS 1.2 with stronger cipher suites

Note: There are many reverse proxies and load balancers that can be used as an TLS termination point for Oracle E-Business Suite. If you already have a reverse proxy or load balancer deployed you may configure it as the TLS termination point for your Oracle E-Business Suite 12.1.3 environment. 

Deploying and Configuring HAProxy

For detailed installation instructions, refer to the following My Oracle Support Knowledge Document:

You may deploy HAProxy as follows:

  • On an existing Oracle E-Business Suite application tier
  • On a separate server or virtual machine

HAProxy is available as an installable RPM package as part of the Oracle Linux distribution. You can also download HAProxy and compile it for other operating systems (refer to the installation note for more details). On Oracle Linux you may install it as the root user with the following command: 

#yum install haproxy The main configuration file is located here:

/etc/haproxy/haproxy.cfg

A summary of the configuration steps for HAProxy includes the following:

  • Define the IP address and and port for the Oracle E-Business Suite 12.1.3 environment.
  • Setup TLS protocols and avoid SSL 3.0. (This will the mitigate POODLE vulnerability.)
  • Enable strong cipher suites. (This will mitigate the FREAK vulnerability.)
  • Define the certificate (chain) with PEM files.
Example Deployment of HAProxy with Oracle E-Business Suite 12.1.3

If you have an existing Oracle E-Business Suite 12.1.3 environment configured with SSL/TLS per Enabling SSL in Oracle E-Business Suite Release 12 (Note 376700.1), then you may easily configure HAProxy to serve as the TLS termination point.

For example, given the following conditions for your Oracle E-Business Suite Oracle HTTP Server listener configuration:

  1. HTTP requests use port 8000
  2. HTTPS requests use port 4443

 Then, you may perform the following:

  1. Shutdown the Oracle HTTP Server HTTPS listener (port 4443)
  2. Install, configure and start HAProxy to listen on port 4443

Related Articles

References

Join the discussion

Comments ( 2 )
  • Wade Friday, July 24, 2015

    Elke or Madhu,

    Do you have any update as to when EBS 12.1.3 will support incoming connections utilizing SHA-2 certificates? I've seen postings for over 6 months saying that this is a high priority enhancement within Oracle development. I was hoping to see this addressed with the July CPU.

    Besides putting a proxy in the middle, are there any other options to make the software work with SHA-2 certificates from an external CA?

    Can you give any details as to what is being modified to support SHA-2? I'm sure many Oracle clients have CAs who are restricting SHA-1 certificates and now many browsers are stopping support for SHA-1. This is becoming a major issues for many people I have spoken with.

    SHA-1 has been known to be weak for years and only now being addressed?

    Thanks,

    Wade


  • Elke Phelps (Oracle Development) Friday, July 24, 2015

    Wade,

    Thanks for the inquiry. This continues to be a high priority for Oracle Development. We understand your concerns and the issues being faced by our customers.

    It is the Oracle HTTP Server (OHS) delivered with Oracle E-Business Suite 12.1 that requires updates for the SHA-2 inbound connection certification. The delay in our progress is due to some technical challenges that we've encountered. The technical challenges may not be resolvable - it's still too early to tell if that is the case.

    Currently, the only workaround is to use a reverse proxy or load balancer as the end-point for the encrypted connection that is initiated by a client (for example, a browser).

    If you could, please drop me an email with your company name and the impact this is having with your Oracle E-Business Suite deployment. I will add this information to the BUG that is being tracked for this issue.

    Thanks.

    Elke


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha