Unable to add certificates to the wallet


Unable to add certificates to the wallet

baig
Dear Erman,

I was trying to implement SSL TLS 1.2 on EBS R12.2.4.

I am not able to import the certificates to the wallet. It's throwing a matching error.

When I create a CSR using owm, it is created with the MD5 algorithm and the wallet is not accepting the certs requested on this CSR.
I used openssl to create a CSR with the sha256 algorithm and still tried to import, but again it's failing to import.

Please assist on how to generate a CSR effectively and also how to avoid import errors.

Thanks
Re: Unable to add certificates to the wallet

ErmanArslansOracleBlog
Administrator
Hi Baig,

Please send me the full error message.
Re: Unable to add certificates to the wallet

baig

20201123_153330.jpg (5M) Download Attachment
Re: Unable to add certificates to the wallet

ErmanArslansOracleBlog
Administrator
You are using the correct owm to do that job, right? I mean the correct owm from the correct path?
Also check your certificate and its contents. There may be some values missing inside your certificate, and that may be the reason that makes owm not like it.

Some refs:

Unable To Import The SSL Certificate Or Getting PKI-02022 After Importing It (Doc ID 1210963.1)
SSL Troubleshooting Guide (Doc ID 166492.1)
Some Trusted Certificates Could Not be Installed - Unable to Import Trusted Certificate into Oracle Wallet (Doc ID 468102.1)
Re: Unable to add certificates to the wallet

baig

Hi,

I am launching the right wallet using the below:

export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH

owm &

When I create the CSR, it is created with the MD5 algorithm only.

Then I tried openssl.

Use OpenSSL to take the existing wallet and save it as a new PEM format file:

% openssl pkcs12 -in ewallet.p12 -nodes -out nonoracle_wallet.pem

Use OpenSSL to generate the request specifying SHA-2:

$ openssl req -new -key nonoracle_wallet.pem -sha256 -out server.csr

I submitted the CSR and requested the certs, then tried to import; the wallet is not accepting them.

Same error screen. I verified the CSR; it is SHA256.

Thanks


Re: Unable to add certificates to the wallet

ErmanArslansOracleBlog
Administrator
1) Did you try generating the CSR from OWM and then making the CA generate the certificates based on that CSR?
Yes, OWM will generate an MD5 CSR, but the CA can still generate SHA-2 certificates using that MD5 CSR.

The CA will use the option -sign_alg sha256 to specify the SHA-2 algorithm while signing your certificate request.

Let's try that. Maybe this way, you may import your certificates to your wallet.

This one (literally 1) :) sounds hard, I know. But still, I shared it with you.

2) Ensure you are doing it right. Follow -> Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1). Ensure your certificates have all the required fields and values.

3) It seems OWM doesn't support SHA2.
->
The reference doc below says: OWM does not support SHA2 certificates. Because of this, OWM is no longer recommended to be used with FMW 11g. It is recommended that you apply the latest CPU patches for OHS/OSS 11.1.1.9 and then use only ORAPKI utility to administer certificate.

Reference: How to Create a Wallet via Oracle Wallet Manager in FMW 11g (Doc ID 1226484.1)
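
A pre-import check for the situation discussed above, as an added example that is not part of the original posts: it reports which hash signed a CSR and a certificate, and whether the certificate carries the same public key as the request. The file names, the CN and the throwaway keys are constructed for illustration; a SHA-256 CSR and a SHA-384 certificate stand in for the thread's MD5 CSR and SHA-256 certificate to show that the signer, not the CSR, decides the certificate hash.

```shell
#!/bin/sh
# Added example. All keys, CSRs and certificates are constructed throwaway
# files in a temp dir; file names and the CN are assumptions.

# Signature algorithm of a CSR ($1=req) or a certificate ($1=x509) in file $2.
sig_alg() {
    openssl "$1" -in "$2" -noout -text |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# SHA-256 over the PEM public key carried by a CSR or certificate.
pubkey_fp() {
    openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256 | awk '{ print $NF }'
}

# Prints "match" when certificate $2 carries the public key of CSR $1.
check_pair() {
    if [ "$(pubkey_fp req "$1")" = "$(pubkey_fp x509 "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Build constructed fixtures in directory $1.
make_fixtures() {
    openssl genrsa -out "$1/wallet.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    # CSR from the "wallet" key, signed with SHA-256.
    openssl req -new -key "$1/wallet.key" -sha256 \
        -subj "/CN=ebs.example.com" -out "$1/server.csr"
    # Stand-in for the CA: the signer picks the certificate hash (SHA-384 here).
    openssl x509 -req -in "$1/server.csr" -signkey "$1/wallet.key" \
        -sha384 -days 1 -out "$1/good.crt" 2>/dev/null
    # Certificate for the same name but a different key: must not pair up.
    openssl req -new -x509 -key "$1/other.key" -sha256 \
        -subj "/CN=ebs.example.com" -days 1 -out "$1/bad.crt"
}

tmp=$(mktemp -d) && make_fixtures "$tmp"
echo "CSR  signature: $(sig_alg req "$tmp/server.csr")"
echo "cert signature: $(sig_alg x509 "$tmp/good.crt")"
echo "CSR vs good.crt: $(check_pair "$tmp/server.csr" "$tmp/good.crt")"
echo "CSR vs bad.crt:  $(check_pair "$tmp/server.csr" "$tmp/bad.crt")"
rm -rf "$tmp"
```

Against real files, `check_pair server.csr issued.crt` and the two `sig_alg` calls are the parts to run; `make_fixtures` only exists to give the demo something to inspect.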
Re: Unable to add certificates to the wallet

baig
Hi Erman,

I tried as you advised and was able to convince the CA as per your suggestion, and it worked fine.

Now today, when I tried to launch the wallet, the wallet is not launching; it's throwing an error message.

Whereas I can launch it from the secondary node.
I have set the path correctly before launching owm &

Please check the attached screenshot.

Please help.

Thanks & Regards
Baig


20201201_145904.jpg (7M) Download Attachment
Re: Unable to add certificates to the wallet

baig
Dear Erman,

It worked for me. Thanks for your help.

God bless you.

Thanks

Re: Unable to add certificates to the wallet

ErmanArslansOracleBlog
Administrator
:) so everything is okay now?
Re: Unable to add certificates to the wallet

baig
I was preparing to renew my SSL certs for the prod server. Under the $EBS_DOMAIN_HOME/opmn directory I see EBS_WEB_OHS1 and EBS_WEB_OHS2 on the primary node, and when I cat topology.xml I see the details as attached in the screenshot.

The question is: do I need to copy the primary node cwallet.sso under EBS_WEB_OHS1 and EBS_WEB_OHS2?

And on the DMZ node I don't see the opmn directory under $EBS_DOMAIN_HOME/.

I have attached the Excel sheet; in the first section, the highlighted part is the OHS2 location on the primary server.

And the second section highlighted is about the missing opmn directory under EBS_DOMAIN_HOME.

My question is: under the primary node OHS2 wallet locations, does cwallet.sso need to be added from the primary node wallet or the DMZ node wallet?

Rest everything is clear.
It's a bit confusing. Please suggest. Thanks in advance.

Re: Unable to add certificates to the wallet

baig
In reply to this post by ErmanArslansOracleBlog
Please find the attached file


1606931700721_topologyxml.txt (3K) Download Attachment
ssl renewal loc.xlsx (16K) Download Attachment
Re: Unable to add certificates to the wallet

ErmanArslansOracleBlog
Administrator
This one is a new/another issue. Please create a separate issue for this.
Re: Unable to add certificates to the wallet

baig
Hi.

I am not able to log in to your forum.
Also, I didn't receive the password reset link.
How can I log in?

Please help

Re: Unable to add certificates to the wallet

ErmanArslansOracleBlog
Administrator
I think it was a temporary problem. Please check again.