SSL-Enable Oracle Database: Configuring SSL for the Database (continued from the previous page)

Configuring SSL in Oracle Fusion Middleware 6-33

3. In the URL text box, enter the JDBC connect string. Ensure that the protocol is TCPS and that SSL_SERVER_CERT_DN contains the full DN of the database certificate; the driver compares this value with the subject DN of the certificate the database presents, so it must match that DN exactly. Use the following syntax:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=host-name)(PORT=port-number)))(CONNECT_DATA=(SERVICE_NAME=service))(SECURITY=(SSL_SERVER_CERT_DN="CN=server_test,C=US")))

4. Test and verify the connection.

Your data source is now configured to use SSL.
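The connect string is easy to get subtly wrong: an ADDRESS in the ADDRESS_LIST that still says TCP leaves the driver a cleartext fallback, and a DN that differs from the server certificate's subject in attribute order or spacing will not match. The shell script below is an added example, not part of the Oracle guide, that checks a candidate URL before it goes into the data source: every ADDRESS must use TCPS, SSL_SERVER_CERT_DN must be present, and it must equal the subject DN of the database server certificate printed in RFC 2253 order. It assumes openssl(1) on the PATH; the certificate used in the demo is a constructed self-signed stand-in for the database certificate, and the host, port and service name are placeholders. Note also that the thin driver enforces SSL_SERVER_CERT_DN only when the connection property oracle.net.ssl_server_dn_match is set to true, so check that property alongside the URL.

```shell
# Added example (shell + openssl), not from the Oracle guide: pre-flight check of a thin
# JDBC URL against the database server certificate. Host, port, service name and the
# certificate are constructed placeholders.

jdbc_server_dn() {      # print the SSL_SERVER_CERT_DN value of a thin JDBC URL (quotes stripped), or nothing
  printf '%s\n' "$1" | sed -n 's/.*SSL_SERVER_CERT_DN="\{0,1\}\([^")]*\)"\{0,1\}.*/\1/p'
}

cert_subject_dn() {     # subject DN of a PEM certificate in RFC 2253 form (CN first, comma separated),
                        # which is the form the URL carries; openssl's default C-first form never matches
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

check_jdbc_url() {      # $1 = JDBC URL, $2 = server certificate (PEM); returns 0 only if safe to use
  url="$1"; cert="$2"
  case "$url" in jdbc:oracle:thin:@*) ;; *) echo "not a thin JDBC URL"; return 1 ;; esac
  # every ADDRESS must be TCPS: the driver tries the ADDRESS_LIST entries in turn, so one
  # (PROTOCOL=TCP) entry is a cleartext fallback that the TCPS entry does not protect against
  n_all=$(printf '%s\n' "$url" | grep -io '(PROTOCOL=[A-Z]*)' | wc -l | tr -d ' ')
  n_tls=$(printf '%s\n' "$url" | grep -io '(PROTOCOL=TCPS)' | wc -l | tr -d ' ')
  if [ "$n_all" -eq 0 ] || [ "$n_all" -ne "$n_tls" ]; then echo "address without TCPS"; return 1; fi
  want=$(jdbc_server_dn "$url")
  if [ -z "$want" ]; then echo "no SSL_SERVER_CERT_DN: server identity is not checked"; return 1; fi
  have=$(cert_subject_dn "$cert")
  if [ "$want" != "$have" ]; then echo "DN mismatch: url='$want' cert='$have'"; return 1; fi
  echo "ok: TCPS only, DN matches '$have'"
}

demo_cert() {           # constructed self-signed stand-in for the database server certificate, written to $1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/C=US/CN=server_test' \
      -keyout "$1.key" -out "$1" 2>/dev/null
}

# usage: sh check_jdbc.sh demo
if [ "${1:-}" = demo ]; then
  crt=$(mktemp); demo_cert "$crt"
  check_jdbc_url 'jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=db1.example.com)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=orcl))(SECURITY=(SSL_SERVER_CERT_DN="CN=server_test,C=US")))' "$crt"
fi
```

The DN comparison is deliberately a plain string comparison: that is what you want to catch, since a DN that is semantically the same but written differently (C first, spaces after commas) is exactly the kind of value that gets pasted into the console and then fails at connect time.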

6.7 Advanced SSL Scenarios

This section explains how to handle additional SSL configuration scenarios beyond the basic topologies described earlier:
■ Hardware Security Modules and Accelerators
■ CRL Integration with SSL
■ Oracle Fusion Middleware FIPS 140-2 Settings

6.7.1 Hardware Security Modules and Accelerators

A Hardware Security Module (HSM) is a physical plug-in card or an external security device that can be attached to a computer to provide secure storage and use of sensitive content. Oracle Fusion Middleware supports PKCS11-compliant HSM devices that provide secure storage for private keys: the key is generated and used inside the device, and the PKCS11 wallet only refers to it.

Note: This discussion applies only to Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory, which are the system components supporting HSM.

Take these steps to implement SSL for a component using a PKCS11 wallet:

1. Install the HSM libraries on the machine where the component is running. This is a one-time task and is device-dependent.

2. Create a wallet using Oracle Wallet Manager (OWM) or the orapki command-line tool. Note the following:
   a. Choose PKCS11 as the wallet type.
   b. Specify the device-specific PKCS11 library used to communicate with the device. This library is part of the HSM software.
      On Linux, the library is located at:
      For LunaSA (Safenet): /usr/lunasa/lib/libCryptoki2.so
      For nCipher: /opt/nfast/toolkits/pkcs11/libcknfast.so
      On Windows, the library is located at:
      For LunaSA (Safenet): C:\Program Files\LunaSA\cryptoki.dll

3. Follow the standard procedure for obtaining third-party certificates, that is, create a certificate request, get the request approved by a Certificate Authority (CA), and install the certificate signed by that CA. The wallet you set up is used like any other wallet.

6-34 Oracle Fusion Middleware Administrator's Guide

4. Verify the wallet with the orapki utility. Use the following command syntax:
   orapki wallet p11_verify [-wallet [wallet]] [-pwd password]
   See Also: Appendix H, "Oracle Wallet Manager and orapki", for details about orapki.

5. Configure SSL on your component listener using the configureSSL WLST command, providing a properties file as input. Your properties file should specify the full path of the PKCS11 wallet directory on the machine where the component is running.
   Note: You must use the WLST command configureSSL to configure the PKCS11 wallet. You cannot do this task using Fusion Middleware Control or any other tool.
   Note: Do not save the PKCS11 wallet in the instance home directory. Only wallets created and managed through Fusion Middleware Control or WLST should reside in the instance home.
   A sample properties file could look like this:
   SSLEnabled=true
   AuthenticationType=Server
   PKCS11Wallet=/tmp/lunasa/wallet

6.7.2 CRL Integration with SSL

Components that use SSL can optionally turn on certificate validation using a certificate revocation list (CRL). This allows them to validate the peer certificate in the SSL handshake and ensure that it is not on the list of revoked certificates issued by the Certificate Authority (CA). Without it, a certificate that the CA has since revoked is still accepted as long as it chains to a trusted CA. This section describes how to configure a component to use CRL-based validation, and how to create and set up CRLs on the file system.

6.7.2.1 Configuring CRL Validation for a Component

Note:
■ This discussion applies only to Oracle HTTP Server and Oracle Web Cache.
■ CRL validation is managed through WLST; you cannot perform this task through Fusion Middleware Control.

Configure SSL on your component listener using the configureSSL WLST command, providing a properties file as input. The properties file must be set up as follows:

1. The CertValidation attribute must be set to crl.
2. The CertValidationPath attribute must be of the form file:file_path or dir:directory_path.
   ■ Use the first format if you are using a single CRL file for certificate validation. This CRL file should contain a concatenation of all CRLs.
   ■ Use the second format if you are specifying a directory path that contains multiple CRL files in hashed form. See Section 6.7.2.2, "Manage CRLs on the File System", on how to create CRLs in hashed form.

In this example, the properties file specifies a single CRL file:
SSLEnabled=true
AuthenticationType=Server
CertValidation=crl
KeyStore=ohs1
CertValidationPath=file:/tmp/file.crl

In this example, the properties file specifies a directory path to multiple CRL files:
SSLEnabled=true
AuthenticationType=Server
KeyStore=ohs1
CertValidation=crl
CertValidationPath=dir:/tmp

6.7.2.2 Manage CRLs on the File System

You use the orapki command-line tool to manage CRLs on the file system. For details on this topic, see Section H.2.5, "Managing Certificate Revocation Lists (CRLs) with orapki Utility".

Note:
■ LDAP-based CRLs or CRL distribution points are not supported. The component therefore never fetches a CRL itself: you place each CRL on the file system, and you must replace it with a fresh one from the CA before the current one's next-update time passes, or validation fails for every peer.
■ CRL creation and certificate revocation with orapki are for test purposes and are only used in conjunction with self-signed certificates. For production use, obtain production certificates from well-known CAs and obtain the CRLs from those authorities.

CRL Renaming to Hashed Form

If you specify a CRL directory (the dir: form of CertValidationPath), each CRL must be renamed to its hashed form. This enables CRLs to be loaded in an efficient manner at runtime. On Linux and UNIX this operation creates a symbolic link to the actual CRL file; on Windows, the CRL is copied to a file with a new name. To rename a CRL:

orapki crl hash [-crl [url|filename]] [-wallet wallet] [-symlink directory] [-copy directory] [-summary] [-pwd password]

For example:

orapki crl hash -crl nzcrl.txt -symlink wltdir -pwd password

If the CRL file name is specified at runtime (the file: form), multiple CRLs can be concatenated in that file. The CRL created in this example is in Base64 format, and you can use a text editor to concatenate the CRLs.

CRL Creation
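The two CertValidationPath forms in Section 6.7.2.1 and the hashing step above are easier to reason about with a concrete directory in front of you. The shell script below is an added example, not code from the Oracle guide: it uses openssl(1) rather than orapki to build a throwaway CA, issue two server certificates, revoke one of them, sign a CRL, lay the CRL out under a directory in hashed form (one <issuer-hash>.r0 link per CRL, the layout that orapki crl hash -symlink produces for the dir: form), concatenate CRLs for the file: form, and then confirm that a revocation check against the directory rejects the revoked certificate while accepting the other. The hashed-name convention here is OpenSSL's; for an Oracle wallet you must still run orapki as described above, since the component looks up the names orapki writes. The CA name, the DNs and the paths are all constructed for the demo.

```shell
# Added example (shell + openssl), not from the Oracle guide. CA name, DNs and paths are
# constructed for the demo; the hashed-name convention is OpenSSL's, not necessarily orapki's.

make_test_pki() {       # $1 = work dir; leaves ca.crt, good.crt, server.crt (revoked) and ca.crl there
  w="$1"; mkdir -p "$w"
  : > "$w/index.txt"; echo 01 > "$w/crlnumber"
  # one config for both req (CA extensions) and ca (revocation database, CRL signing)
  cat > "$w/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ca]
default_ca = test_ca
[test_ca]
database         = $w/index.txt
crlnumber        = $w/crlnumber
certificate      = $w/ca.crt
private_key      = $w/ca.key
default_md       = sha256
default_crl_days = 7
EOF
  openssl req -x509 -config "$w/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
      -subj '/C=US/CN=Test CA' -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null
  for n in server good; do          # two leaf certificates; only server_test gets revoked
    openssl req -config "$w/ca.cnf" -newkey rsa:2048 -nodes -subj "/C=US/CN=${n}_test" \
        -keyout "$w/$n.key" -out "$w/$n.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$w/$n.csr" -CA "$w/ca.crt" -CAkey "$w/ca.key" \
        -CAcreateserial -out "$w/$n.crt" 2>/dev/null
  done
  openssl ca -config "$w/ca.cnf" -revoke "$w/server.crt" 2>/dev/null
  openssl ca -config "$w/ca.cnf" -gencrl -out "$w/ca.crl" 2>/dev/null
}

install_hashed() {      # $1 = work dir, $2 = hashed dir: the CA cert becomes <hash>.0, its CRL <hash>.r0
  w="$1"; d="$2"; mkdir -p "$d"
  ln -sf "$w/ca.crt" "$d/$(openssl x509 -in "$w/ca.crt" -hash -noout).0"
  ln -sf "$w/ca.crl" "$d/$(openssl crl -in "$w/ca.crl" -hash -noout).r0"
}

concat_crls() {         # $1 = output; remaining args = PEM CRLs; the file: form takes one concatenated file
  out="$1"; shift; : > "$out"
  for c in "$@"; do
    openssl crl -in "$c" -noout 2>/dev/null || { echo "not a CRL: $c" >&2; return 1; }
    cat "$c" >> "$out"
  done
}

crl_path_ok() {         # $1 = a CertValidationPath value, file:<concatenated file> or dir:<hashed dir>;
                        # every CRL it points at must parse, and a dir: must hold at least one <hash>.r0
  case "$1" in
    file:*) openssl crl -in "${1#file:}" -noout 2>/dev/null ;;
    dir:*)  for l in "${1#dir:}"/*.r[0-9]*; do
              [ -e "$l" ] && openssl crl -in "$l" -noout 2>/dev/null || return 1
            done ;;
    *)      return 1 ;;
  esac
}

crl_status() {          # $1 = hashed trust dir, $2 = leaf cert; prints ok, revoked or error
  if msg=$(openssl verify -crl_check -no-CAfile -CApath "$1" "$2" 2>&1); then echo ok; return 0; fi
  case "$msg" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
  return 1
}

# usage: sh crl_demo.sh demo
if [ "${1:-}" = demo ]; then
  w=$(mktemp -d); make_test_pki "$w"; install_hashed "$w" "$w/crls"
  ls -l "$w/crls"
  echo "revoked leaf: $(crl_status "$w/crls" "$w/server.crt" || true)"
  echo "valid leaf:   $(crl_status "$w/crls" "$w/good.crt")"
fi
```

Two things the run makes visible that the text only states: the link name is derived from the issuer DN, so every CRL from the same CA lands on the same <hash>.r0 name and a second CRL from that CA would need the .r1 suffix rather than overwriting it; and the file: form is just the PEM blocks back to back, which is why a text editor suffices to concatenate them.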