enabling ssl in oracle applications release 12


Upload: srinibha

Post on 24-Apr-2015

Page 1: Enabling SSL in Oracle Applications Release 12

Enabling SSL in Release 12 [ID 376700.1]

Modified 22-JUL-2011 Type WHITE PAPER Status PUBLISHED

Enabling SSL in Oracle Applications Release 12

Last Updated: August 12, 2010

In This Document

Section 1: Introduction
Section 2: Concepts and Terminology
Section 3: Middle Tier Setup
Section 4: Database Tier Setup
Section 5: Advanced SSL Setup
Section 6: Converting Existing Certificates
Section 7: Creating your Certifying Authority's Certificate
Section 8: Oracle Application Server Certificate Authority
Section 9: Disabling SSL v2 and Weak Ciphers

This document explains the setup steps for enabling SSL.

The most current version of this document can be obtained in Oracle MetaLink Note 376700.1.

There is a change log at the end of this document.

Section 1: Introduction

The most significant change for Secure Sockets Layer (SSL) support in E-Business Suite Release 12 is the use of the mod_ossl module for the Oracle HTTP Server. Like mod_ssl, the mod_ossl plug-in enables strong cryptography for Oracle HTTP Server. In contrast to the OpenSSL-based module, mod_ossl is based on the Oracle implementation of SSL, which supports SSL 3, and is built on Certicom and RSA Security technology.

In Release 12 SSL certificates are managed by the Oracle Wallet Manager 10g, which is accessible via the familiar OWM graphical user interface (GUI) or the new ORAPKI command line interface (CLI). Since Release 12 uses the Forms Listener Servlet, a separate certificate is no longer needed for Forms. Forms shares the same wallet as the Oracle HTTP Server.

Note: The use of the Forms Server Listener with ConnectMode=https is not supported. ConnectMode=https only works with JInitiator, which includes the Oracle SSL libraries. Release 12 uses the Sun Java Plug-in, and if you need to use https for the forms communication layer, you must use the servlet architecture.

Section 2: Concepts and Terminology

Secure Sockets Layer (SSL)

SSL is a technology that defines the essential functions of mutual authentication, data encryption, and data integrity for secure transactions. Exchange of data between the client and server in such secure transactions is said to use the Secure Sockets Layer (SSL).

SSL uses 2 types of Certificates:

1. User certificates
These are Certificates issued to servers or users to prove their identity in a public key/private key exchange.

2. Trusted certificates
These are Certificates representing entities whom you trust - such as certificate authorities who sign the user certificates they issue.

How SSL works with Middle Tier Oracle HTTP Server:

1. The client opens an HTTPS connection to the server and sends the list of encryption levels, or ciphers, that it can use.
2. The server selects the strongest cipher the two have in common.
3. The server presents its certificate to the client. This certificate contains the server's identifying information and its public key.
4. The client checks the certificate against its list of trust points: it verifies the signature the Certifying Authority placed on the certificate and confirms that the name in the certificate matches the server it asked for. If both checks pass, the server is authenticated as a trusted server.
5. The client creates a session key, encrypts it with the server's public key and sends it to the server, which can decrypt it only with its private key.
6. From this point on both sides encrypt the data they exchange with the session key.

How SSL works with Oracle Database Server:

1. The UTL_HTTP package is used for making HTTP callouts from SQL and PL/SQL to a Web Node (Oracle HTTP server).
2. When the package fetches data from a Web site using HTTPS, it specifies the location of the Oracle Wallet that resides on the database server. This wallet contains the certificate for the Certifying Authority (CA) who signed the Web node's server certificate.

Certificate Authority (CA)

A Certificate Authority is a trusted third party responsible for issuing, revoking, and renewing digital certificates. All digital certificates are signed with the Certificate Authority's private key to ensure authenticity. The Certificate Authority's public key is widely distributed so that anyone can verify those signatures.

Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name (the distinguished name entered in the wallet), signed with your private key. You send the CSR to a Certifying Authority (CA) to be converted into a real Certificate.

Digital Certificate (Public Key)

A digital certificate is an electronic document that binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Certificates are issued by a trusted third party, called a Certification Authority (CA). The document is usually in a standard X509 format and contains three elements:

1. Entity attributes (information about your organization)
2. Public key (which is bound to your organization)
3. Digital signature made with the trusted CA's private key

Verisign (http://verisign.com/) will allow your organization to apply for a free trial certificate which will be valid for 2 weeks for testing purposes.

Private (Server) Key

The private key file is a digital file that you generate and use to decrypt messages sent to you. The certificate request (CSR) that you send to your Certificate Authority (CA) is derived from this private key. Therefore, the resulting digital certificate (containing your public key) which is issued by your CA is bound to this private key, and is useless with any other key.

Secure Server Certificates

Secure Server Certificates are 128 bit certificates which provide 128 bit SSL encryption. If a browser has 128 bit support, then encryption is negotiated to 128 bits. However, if the browser only supports 40 bit encryption, the level of encryption, regardless of the 128 bit certificate, will be negotiated down to 40 bits.

Global Server Certificates

Global Server Certificates, also referred to as Server Gated Cryptography, are 128 bit certificates that enable all browsers to use 128 bit encryption, even if the browser only supports 40 bit encryption. A global server certificate usually has 2 parts: the certificate itself and an extra intermediate certificate which is used to provide the step-up. The marketing names of these certificates vary depending on the company that issues the certificate; for example, Thawte calls them 128 bit SuperCerts. It is not possible to get trial versions of global server certificates; therefore it is not possible to test unless one is purchased.

Secure Socket Layer Accelerators

Secure Socket Layer (SSL) Accelerators can be used to take the SSL traffic and workload off the web servers. Usually SSL accelerators are the primary targets for https requests from the user's desktop and thus are the initial target for all desktop client communication. They are responsible for terminating the "https" SSL requests and forwarding them as non-SSL "http" requests to the http server, which is running in non-SSL mode. Before sending the response back to the desktop they again wrap the non-SSL response in SSL. Note that the link between the accelerator and the http server therefore carries cleartext, so it must run over a network you trust.

Section 3: Middle Tier Setup

The default location for the wallet in Release 12 is $INST_TOP/certs/Apache. This directory contains a wallet with demo certificates. If you wish to use these certificates for testing, start with Step 8, and then do Steps 1 through 7 when you are ready to switch to real certificates.

The demo certificates are not secure and should never be used in a production environment.

The main steps for setting up SSL on the Middle Tier are:

1. Set Your Environment.
2. Create a wallet.
3. Create a Certificate Request.
4. Submit the Certificate Request to a Certifying Authority.
5. Import your Server Certificate to the Wallet.
6. Copy the Apache Wallet to the OPMN Wallet.
7. Update the JDK Cacerts File.
8. Update the Context File.
9. Run Autoconfig.
10. Customizations (optional).
11. Restart the middle tier services.

These instructions involve the use of the Oracle Wallet Manager Graphical User Interface. If you would prefer to use the Oracle Wallet Manager Command Line Interface refer to Note 376694.1: Using the Oracle Wallet Manager Command Line Interface in Release 12.

If you have unexpired certificates from your Release 11i SSL instance you can convert them using the instructions in Section 6: Converting Existing Certificates.

Note: DISCOVERER USERS who enable SSL for the E-Business Suite must also enable SSL for Discoverer. Please refer to the following documents:

Oracle Application Server Business Intelligence documentation

Metalink Note 338071.1 - How To Configure Discoverer 10g (10.1.2) Plus/Viewer For HTTPS (SSL) Access. This document is for users who have installed Discoverer without Portal or Single Sign-On (SSO).

Metalink Note 339448.1 - Quick Start to Configure Discoverer Plus/Viewer/Portlet Provider 10.1.2.0.2 in SSL + SSO. This document is for users who have installed Discoverer with Portal and/or Single Sign-On (SSO).

Step 1- Set Your Environment

1. Logon to the application middle tier as the OS user who owns the middle tier files.
2. Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.
3. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3 ORACLE_HOME variables.

When working with wallets and certificates you MUST use the 10.1.3 executables.

Step 2 - Create a wallet

1. Navigate to the $INST_TOP/certs/Apache directory.
2. Move the existing wallet files to a backup directory in case you wish to use them again in the future.
3. Open the Wallet Manager as a background process: owm &
4. On the Oracle Wallet Manager Menu navigate to Wallet -> New.
5. Answer NO to: "Your default wallet directory doesn't exist. Do you wish to create it now?"
6. The new wallet screen will now prompt you to enter a password for your wallet.
7. Click YES when prompted: "A new empty wallet has been created. Do you wish to create a certificate request at this time?"

Step 3 - Create a Certificate Request

After clicking "Yes" in step 2 the Create Certificate Request Screen will pop up:


Fill in the appropriate values where:

Common Name: the name of your server including the domain (the fully qualified host name users will type in the URL).
Organizational Unit: (optional) the unit within your organization.
Organization: the name of your organization.
Locality/City: your locality or city.
State/Province: the full name of your State or Province - do not abbreviate.

Select your Country from the drop down list. Click OK.

Step 4 - Submit the Certificate Request to a Certifying Authority

You will need to export the Certificate Request before you can submit it to a Certifying Authority. To do so:

1. Click on Certificate [Requested] to highlight it.
2. From the menu click Operations -> Export Certificate Request.
3. Save the file as server.csr.
4. From the menu click Wallet and then click Save.
5. On the Select Directory screen change the Directory to your fully qualified wallet directory. Click OK.
6. From the menu click Wallet and check the Auto Login box.
7. Exit the Wallet Manager.

Be sure to make the wallet password something you will remember. You will need to use the password whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the Command Line Interface. With auto login enabled, processes submitted by the OS user who created the wallet will not need to supply the password to access the wallet.

The wallet directory will now contain the following files: cwallet.sso, ewallet.p12 and server.csr.

You may now submit server.csr to your Certifying Authority to request a Server Certificate.

Step 5 - Import your Server Certificate to the Wallet.

After you receive your Server Certificate from your Certifying Authority you will need to import it into your wallet. Copy the certificate to server.crt in the wallet directory on your server by one of these methods:

1. ftp the certificate (in binary mode)
2. copy and paste the contents into server.crt

Follow these steps to import server.crt into your wallet:

1. Open the Wallet Manager as a background process: owm &
2. From the menu click Wallet then Open.
3. Answer Yes when prompted: "Your default wallet directory does not exist. Do you want to continue?"
4. On the Select Directory screen change the Directory to your fully qualified wallet directory and click OK.
5. Enter your wallet password and click OK.
6. On the Oracle Wallet Manager Menu navigate to Operations -> Import User Certificate. Server certificates are a type of user certificate: since the Certifying Authority issued a certificate for the server, placing its distinguished name (DN) in the Subject field, the server is the certificate owner, thus the "user" for this user certificate. Click OK.
7. Double click on server.crt to import it.
8. Save the wallet: On the Oracle Wallet Manager Menu click Wallet. Verify the Auto Login box is checked. Click Save.

Note: If all trusted certificates that make up the chain of server.crt are not present in the wallet then adding the certificate will fail. When the wallet was created, the certificates for the most common certifying authorities (Verisign, GTE, and Entrust) were included automatically. Contact your certifying authority if you need to add their certificate, and save the provided file as ca.crt in the wallet directory. Another option is to follow the instructions in Section 7 to create ca.crt from your server certificate (server.crt). Import ca.crt with Operations -> Import Trusted Certificate before importing server.crt.

If you need to import the CA Certificate you'll also need to add the contents of ca.crt file to b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt
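As an added example (not part of the Oracle note), the POSIX shell functions below run the checks a practitioner wants before the "Import User Certificate" step: that server.crt actually chains to the CA certificate in ca.crt (the failure condition the note above describes), that it was issued for the key behind server.csr rather than for some other request, and that its Common Name is the fully qualified name of the server. It assumes openssl is in the PATH and uses the file names server.csr, server.crt and ca.crt from the steps above; the function names and the host name argument are this example's own.

```shell
#!/bin/sh
# Pre-import checks for a CA-issued server certificate (added example, not from
# Note 376700.1). Run before importing server.crt into the Apache wallet so that a
# wrong chain, a certificate issued for another key, or a wrong Common Name is
# caught by openssl rather than by the wallet or, worse, by the users' browsers.
# Assumes: openssl in PATH; file names server.csr, server.crt, ca.crt as in Step 5.

# check_chain CA_FILE CERT: returns 0 if CERT chains to a CA certificate in CA_FILE.
# This is exactly the condition the wallet enforces when it refuses the import.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_match CSR CERT: returns 0 if CERT carries the public key from CSR, i.e.
# the CA signed the request made from this wallet's private key and not another one.
# The two public keys are compared as PEM text; a missing or unreadable file yields
# an empty string and therefore a failure.
check_key_match() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# cert_cn CERT: prints the Common Name from the certificate subject.
# RFC2253 output looks like "subject=CN=host.example.com,O=Example", so the CN is
# whatever follows "CN=" up to the next comma.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cn CERT HOST: returns 0 if the subject CN equals the server's fully
# qualified name (what users type in the URL and what the context file carries).
check_cn() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# precheck CA_FILE CSR CERT HOST: runs all three checks, reports each failure and
# returns 0 only if every check passed.
precheck() {
    rc=0
    check_chain "$1" "$3" ||
        { echo "FAIL: $3 does not chain to $1 (import ca.crt as a trusted certificate first)"; rc=1; }
    check_key_match "$2" "$3" ||
        { echo "FAIL: $3 was not issued for the key behind $2"; rc=1; }
    check_cn "$3" "$4" ||
        { echo "FAIL: certificate CN '$(cert_cn "$3")' is not '$4'"; rc=1; }
    return $rc
}

# Usage from the wallet directory (not executed when this file is sourced):
# precheck ca.crt server.csr server.crt apps.example.com && echo "ready to import"
```

Only a certificate that passes all three checks is worth importing; the chain check is the one the wallet itself will repeat, the other two catch mistakes the wallet does not report until a browser does.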

Step 6 - Modify the OPMN wallet.

The Oracle Applications Rapid Install process creates a default "demo" opmn wallet in the $INST_TOP/certs/opmn directory that can be used in test instances for basic SSL testing. Now that the Apache wallet has been created you will need to use these same certificates for opmn. Use the following steps to back up and copy the wallets:


1. Navigate to the $INST_TOP/certs/opmn directory.
2. Create a new directory named BAK.
3. Move the ewallet.p12 and cwallet.sso files to the BAK directory just created.
4. Copy the ewallet.p12 and cwallet.sso files from the $INST_TOP/certs/Apache directory to the $INST_TOP/certs/opmn directory.

Step 7 - Update the JDK Cacerts File.

Oracle Web Services requires the Certificate of the Certifying Authority who issued your server certificate (ca.crt from the previous step) to be present in the JDK cacerts file. In addition, some features of XML Publisher and BI Publisher require the server certificate (server.crt from the previous step) to be present. Follow these steps to be sure these requirements are met:

1. Navigate to the $OA_JRE_TOP/lib/security directory.
2. Back up the existing cacerts file.
3. Copy your ca.crt and server.crt files to this directory.
4. Issue the following command to ensure that cacerts has write permissions:

chmod u+w cacerts

Add your Apache ca.crt and server.crt to cacerts:

keytool -import -alias ApacheRootCA -file ca.crt -trustcacerts -v -keystore cacerts
keytool -import -alias ApacheServer -file server.crt -trustcacerts -v -keystore cacerts

When prompted enter the keystore password (default password is changeit).

Step 8 - Update the Context File.

Use the Oracle Applications Manager (OAM) Context Editor to change the SSL related variables as shown in this table:

SSL Related Variables in the Context File

Variable                  | Non-SSL Value                                     | SSL Value
s_url_protocol            | http                                              | https
s_local_url_protocol      | http                                              | https
s_webentryurlprotocol     | http                                              | https
s_active_webport          | same as s_webport                                 | same as s_webssl_port
s_webssl_port             | not applicable                                    | default is 4443
s_https_listen_parameter  | not applicable                                    | same as s_webssl_port
s_help_web_agent          | URL constructed with http protocol and s_webport  | URL constructed with https protocol and s_webssl_port
s_login_page              | URL constructed with http protocol and s_webport  | URL constructed with https protocol and s_webssl_port
s_external_url            | URL constructed with http protocol and s_webport  | URL constructed with https protocol and s_webssl_port

Changes when using an SSL Accelerator

Variable                  | Non-SSL Value                                     | SSL Value
s_url_protocol            | http                                              | http
s_local_url_protocol      | http                                              | http
s_webentryurlprotocol     | http                                              | https
s_active_webport          | same as s_webport                                 | value of the SSL Accelerator's external interfacing port
s_webentryhost            | same as s_webhost                                 | SSL Accelerator hostname
s_webentrydomain          | same as s_domainname                              | SSL Accelerator domain name
s_enable_sslterminator    | #                                                 | remove the '#' to use ssl_terminator.conf in an SSL-terminated environment
s_login_page              | URL constructed with http protocol and s_webport  | URL constructed with https protocol, s_webentryhost and s_active_webport
s_external_url            | URL constructed with http protocol and s_webport  | URL constructed with https protocol, s_webentryhost and s_active_webport

Step 9 - Run Autoconfig

Autoconfig can be run by using the adautocfg.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory.

Step 10 - Customizations (optional)

In Release 12 a non-SSL port is kept open for those products which need to access some of their pages via the http protocol, as well as for the Oracle Applications Help System. If you wish to send users who arrive on the non-SSL port to the https login page, add a redirect rule to the $INST_TOP/ora/10.1.3/Apache/Apache/conf/custom.conf file:

RewriteRule ^/$ https://<servername.domain>:<port>/OA_HTML/AppsLogin [R,L]

Note that this rule matches only requests for the root URL "/". Requests for any other http URL still reach the non-SSL port unchanged, so the rule redirects the login entry point rather than closing the port.

Any updates you make to the custom.conf file will be preserved when Autoconfig is run.

Step 11 - Restart the middle tier services.

Use the adapcctl.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart the middle tier Apache services.

Section 4: Database Tier Setup

Oracle products such as Oracle Configurator, Order Management, iStore, Order Capture, Quoting, iPayment, and Pricing access data over the Internet in HTTP or HTTPS connection mode. The implementation of SSL for the Oracle Database Server (which acts as a client sending requests to the Web server) makes use of the Oracle Wallet Manager for setting up an Oracle wallet.


To enable SSL on the Database Tier you need only create a wallet. You do not need a server certificate for this wallet. If you were required to import your ca.crt into the middle tier wallet you will need to import it into this wallet also.

1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
2. Create a new wallet directory named: wallet
3. Navigate to the newly created wallet directory.
4. Open the Wallet Manager as a background process: owm &
5. On the Oracle Wallet Manager Menu navigate to Wallet -> New.
6. Answer NO to: "Your default wallet directory doesn't exist. Do you wish to create it now?"
7. The new wallet screen will now prompt you to enter a password for your wallet.
8. Click NO when prompted: "A new empty wallet has been created. Do you wish to create a certificate request at this time?"
9. If you need to import ca.crt: On the Oracle Wallet Manager menu navigate to Operations -> Import Trusted Certificate. Click OK. Double click on ca.crt to import it.
10. Save the wallet: On the Oracle Wallet Manager Menu click Wallet. Verify the Auto Login box is checked. Click Save.

To test that the wallet is properly set up and accessible, login to SQLPLUS as the apps user and execute the following:

select utl_http.request('[address to access]', '[proxy address]', 'file:[full path to wallet directory]', null) from dual;

where:

'[address to access]' = the url for your Oracle Applications Rapid Install Portal.

'[proxy address]' = the url of your proxy server, or NULL if not using a proxy server.

'file:[full path to wallet directory]' = the location of your wallet directory.

The final parameter is the wallet password, which is set to null by default.

NOTE: You must use the prefix 'file:' and only the directory is specified, not the actual wallet files.

Examples:

select utl_http.request('https://www.oracle.com:4443','http://proxy.com:80', 'file:/d1/oracle/db/tech_st/10.2.0/appsutil/wallet', null) from dual;

select utl_http.request('https://www.oracle.com:4443',null, 'file:/d1/oracle/db/tech_st/10.2.0/appsutil/wallet', null) from dual;

If the wallet has been properly set up, you will be returned the first 2,000 characters of the html page.

Section 5: Advanced SSL Configuration (Optional)

In Release 12 the Oracle Application Server environment is managed by OPMN (Oracle Process Monitoring and Notification services), which is a set of processes that include the Oracle HTTP Server (Apache) and OC4J containers (where J2EE processes run). In Release 12.1 we have introduced support for secure communication between these layers as well as for the SQL*Net layer. This advanced configuration should only be done on top of the basic SSL configuration.

The instructions in this section are divided into 2 parts. The first part is for Oracle Application Server, the second part is for Encrypting Network Traffic using Advanced Security. Both parts are optional and not interdependent. This gives you three options for advanced SSL configuration:

1. Oracle Application Server only.
2. Encrypting Network Traffic using Advanced Security only.
3. Both Oracle Application Server and Encrypting Network Traffic using Advanced Security.

Part 1 - ORACLE APPLICATION SERVER

OC4J supports SSL communication between Oracle HTTP Server and OC4J using AJPS. This is the secure version of the Apache JServ Protocol, which is the protocol that Oracle HTTP Server uses to communicate with OC4J.

Note: the AJPS protocol used between Oracle HTTP Server and OC4J is not visible to the end user

There are 3 certificate options available to you when you creating your keystore for the Advanced SSL Configuration:

1. Self-Signed Certificates
Self-signed certificates are appropriate to use for testing the Advanced SSL configurations. These are sometimes also used for Advanced SSL Configuration in a production environment where you are effectively your own client. Be sure you understand the limitations of self-signed certificates when using them in any environment: nothing but the copy you distribute yourself vouches for them.

2. Certificates signed by the OracleAS Certificate Authority (see Section 8)
These certificates were designed to be used within your Oracle Application Server environment.

3. Certificates signed by a Certificate Authority such as Verisign, Thawte, etc.
These certificates are appropriate for use in any environment and provide the highest level of security.

Some steps will be slightly different if you are using Self-Signed Certificates. When a step contains a section for both Self-Signed Certificates and Certificates Signed by a Certificate Authority (includes OracleAS Certificate Authority, Verisign, Thawte, etc) be sure to follow the steps in the appropriate section.

Step 1- Set Your Environment

Logon to the application middle tier as the OS user who owns the middle tier files.

Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.

Navigate to the $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3 ORACLE_HOME variables.

Remember: When working with wallets and certificates you MUST use the 10.1.3 executables.

Step 2- Create your java keystore


Navigate to the web ssl directory as defined in the context file: grep s_web_ssl_directory $CONTEXT_FILE

Note: Unless you have changed the default settings this should be the same directory as $INST_TOP/certs, which we will use in subsequent steps to identify this directory.

Create a new directory with the name j2ee and then change to this directory:

mkdir j2ee
cd j2ee

Determine the values for the following parameters which will be used when you create the keystore for your instance:

Parameter | Value
server    | name of the server where you are creating the keystore
domain    | the fully qualified domain of the server
password  | In Release 12 the default keystore password is "changeit". Please make note of your password as you will need it when changing the default password in Step 5.
O         | name of your Organization
L         | your City or Locality
ST        | your State or Province
C         | your 2 letter Country Code

Create your keystore by entering the following command all on 1 line substituting the appropriate parameters (in bold) for your instance:

keytool -genkey -keyalg "RSA" -keystore server.jks -keypass password -storepass password -validity 365 -dname "CN=server.domain, OU=JKS, O=O, ST=ST, C=C"

You should now see the file <server>.jks in your directory.

Note: We are using OU=JKS to distinguish this certificate from the Apache certificate. Since we have not specified an alias, the default alias "mykey" will be used. The keytool of the JDKs of this era generates a 1024-bit RSA key unless -keysize 2048 is added to the command; a 2048-bit key is the sensible choice for anything other than a throwaway test.

Step 3- Create your Certificate Request

A. Self-Signed Certificates
This step is not applicable for self-signed certificates. If using self-signed certificates proceed to Step 4.

B. Certificates Signed by a Certificate Authority
To generate a certificate request enter the following command all on 1 line, substituting the appropriate parameters (in bold) for your instance:

keytool -certreq -keystore server.jks -file server.csr

Submit the file server.csr to your Certificate Authority.

Note: if using Thawte as your Certificate Authority you should check the box: "PKCS #7 Select this option for servers that use Java JDK keystore - including Tomcat and Jetty."

When you receive your signed certificate, copy it to this directory ($INST_TOP/certs/j2ee) as jks_server.crt, along with the Certificate Authority's root certificate, which should be renamed jks_ca.crt, and the Authority's intermediate certificate (if applicable), which should be renamed jks_intca.crt.

Note: we are naming the certificate jks_server.crt to distinguish it from the Apache server.crt.

If you want to create jks_ca.crt and/or jks_intca.crt using your jks_server.crt file you can do so by following the directions in Section 7: Creating your Certifying Authority's Certificate.

Step 4 - Add your Signed Certificate to the Keystore

A. Self-Signed Certificates
This step is applicable only if you are using self-signed certificates. If your certificates were signed by a Certifying Authority continue with Step 4 B.

1. You will not have a signed certificate to add to the keystore. You will sign the certificate in the keystore using the keytool's selfcert command. Enter the following all on 1 line, substituting the appropriate parameters (in bold) for your instance:

keytool -selfcert -keystore server.jks -keypass password -storepass password -dname "cn=server.domain, ou=OU, o=O, c=C"

2. After signing the certificate you will need to extract the certificate so it can be imported into the Apache and OPMN wallets This will be done using the keytool list command:

keytool -list -rfc -keystore server.jks -storepass password

This command will return the following information:

Alias name: mykey
Creation date: Nov 21, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Copy the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive. Using the text editor of your choice, save these lines as jks_ca.crt.
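As an added example (not part of this Oracle note), the following Python script parses keytool -list -rfc output of the shape shown above and pulls out the PEM block for the mykey alias, so jks_ca.crt can be written without hand-copying lines; it also checks that the entry really is a private-key entry with a chain of length 1, which is what a self-signed keystore must contain. The listing embedded in it is constructed and its certificate bodies are placeholders, not real certificates.

```python
import re

# Constructed sample of "keytool -list -rfc" output. The base64 bodies are
# placeholders, not real certificate data.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mykey
Creation date: Nov 21, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
MIIBplaceholderSERVERcert
AAAAplaceholder==
-----END CERTIFICATE-----


Alias name: apacheca
Creation date: Nov 22, 2007
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcert
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_keytool_rfc(text):
    """Split keytool -list -rfc output into entries keyed by alias.

    Each value is a dict with 'entry_type' and 'certs' (PEM strings in chain
    order). Only the text keytool prints is used; nothing is decoded."""
    entries = {}
    # Every entry starts with an "Alias name:" line; the first chunk is the header.
    for chunk in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, _, body = chunk.partition("\n")
        m = re.search(r"(?m)^Entry type: (.+)$", body)
        entries[alias.strip()] = {
            "entry_type": m.group(1).strip() if m else None,
            "certs": [c.strip() + "\n" for c in PEM_RE.findall(body)],
        }
    return entries


def extract_self_signed_cert(text, alias="mykey"):
    """Return the PEM block to save as jks_ca.crt for a self-signed key entry.

    For a self-signed key the chain length must be 1: that single certificate
    is both the server certificate and its own (self-issued) CA certificate."""
    entry = parse_keytool_rfc(text).get(alias)
    if entry is None:
        raise KeyError("alias %r not found in keystore listing" % alias)
    if entry["entry_type"] != "PrivateKeyEntry":
        raise ValueError("alias %r is not a private key entry" % alias)
    if len(entry["certs"]) != 1:
        raise ValueError("expected a chain of length 1, got %d" % len(entry["certs"]))
    return entry["certs"][0]


if __name__ == "__main__":
    # Write the extracted block to jks_ca.crt in the current directory.
    with open("jks_ca.crt", "w") as fh:
        fh.write(extract_self_signed_cert(SAMPLE_KEYTOOL_OUTPUT))
```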

B. Certificates Signed by a Certificate Authority

This step is not applicable if you are using self-signed certificates - continue with "C. Either Type Certificate".

In Step 3 you copied jks_ca.crt, jks_intca.crt, and jks_server.crt to the $INST_TOP/certs/j2ee directory. Now use the import command to add them to the keystore, substituting the appropriate parameters for your instance:

keytool -import -alias myca -keystore server.jks -storepass password -file jks_ca.crt
keytool -import -alias myintca -keystore server.jks -storepass password -file jks_intca.crt
keytool -import -keystore server.jks -storepass password -file jks_server.crt

Enter "yes" when prompted with: Trust this certificate? [no]: yes

Note: You may not have an intermediate CA certificate. It will depend on the Certifying Authority and certificate type. We are not specifying an alias when importing jks_server.crt. The default alias "mykey" will be used. (This is because the -dname on the certificate matches the -dname on the key generated when the keystore was created.)

You can use either of the following commands to see the contents of your keystore. The -list command by default prints the MD5 fingerprint of a certificate. If the -v option is specified, the certificate is printed in human-readable format:

keytool -list -keystore <keystore> -storepass <password>
keytool -list -v -keystore <keystore> -storepass <password>

For more information on the keytool see: http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html

C. Either Type Certificate

This step is applicable for both self-signed certificates and certificates which have been signed by a certifying authority.

If you used a different Certificate Authority for your Apache Wallet than you used for the j2ee Java Keystore, you will need to import the Apache Wallet's root CA certificate into the keystore so it will be recognized as a trusted Certifying Authority. If this is not done, you will get handshake errors. To import the certificate for a Certifying Authority into your keystore:

1. Copy the $INST_TOP/certs/Apache/ca.crt file to the $INST_TOP/certs/j2ee directory.

2. Use the keytool import command to add ca.crt to the keystore:

keytool -import -alias ApacheCA -file ca.crt -trustcacerts -v -keystore server.jks -storepass password

Enter "yes" when prompted with: Trust this certificate? [no]: yes

Step 5 - Add the Keystore CA Certificates to the Apache and OPMN Wallets (conditional)

This step is only necessary if you have used self-signed certificates to create the keystore OR you used different Certifying Authorities for the keystore and Apache Wallet.

Copy $INST_TOP/certs/j2ee/jks_ca.crt to both the $INST_TOP/certs/Apache and $INST_TOP/certs/opmn directories. Add jks_ca.crt to each wallet using the orapki command line interface:

orapki wallet add -wallet . -trusted_cert -cert jks_ca.crt -pwd <your wallet password>

Step 7 - Update the Context File

Use the Oracle Applications Manager (OAM) Context Editor to change the SSL related variables as shown in this table:

Advanced SSL Related Variables in the Context File

Variable                   Non-SSL Value   Advanced SSL Value
s_oc4j_secure              false           true
s_ajp_protocol             ajp             ajps
s_forms_tracking_cookies   disabled        enabled
s_oc4j_ssl                 off             on

Step 8 - Run Autoconfig

If you have upgraded to Release 12.1 by applying the 12.1 patchset to a previous release, you will need to delete the following files so that the new versions will be instantiated when autoconfig is run. If you have made any customizations to these files (custom user credentials, etc.) be sure to back the files up before deleting them so you can re-add your customizations to the new files.

$ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config/system-jazn-data.xml
$ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml
$ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config/system-jazn-data.xml

Note: Deleting these 3 files is not necessary if you used the 12.1 Rapid Install.

Use the adstpall.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory to stop all services.

Run autoconfig using the adautocfg.sh script in the Middle Tier $ADMIN_SCRIPTS_HOME directory.

Update the newly instantiated files with your previous customizations if required.

Step 9 - Update the Keystore Password in the system-jazn-data.xml files


A. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/oacore/config directory and follow these steps:

1. Open the system-jazn-data.xml file in the editor of your choice.

2. Find the lines in the <users> section that read:

<user>
  <name>oc4jkeystoreadmin</name>
  <display-name>OC4J keystore admin user</display-name>
  <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
  <description>E-Business OC4J keystore admin user</description>
  <credentials>{903}Gfqv+nvfuUrfiQpcW7XcpptrOknyC0nj</credentials>
</user>

Note: the guid and credentials will be different on your system.

3. Change the <credentials> line to read:

<credentials>!password</credentials>

where password is the password you assigned when you created your keystore. Be sure to include the leading !. This causes the password to be encrypted the next time the service is started.

4. Save the file and exit.

Example:

<user>
  <name>oc4jstore</name>
  <display-name>OC4J keystore admin user</display-name>
  <guid>7D1943D0AF0411DC8F65CFCE4073EF3D</guid>
  <description>E-Business OC4J keystore admin user</description>
  <credentials>!password</credentials>
</user>

B. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/oafm/config directory and repeat steps 1-4.

C. Navigate to the $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config directory and repeat steps 1-4.

Step 10 - Restart the Middle Tier Services

Use the $ADMIN_SCRIPTS_HOME/adstrtal.sh script to restart the middle tier services.

Advanced SSL Configuration for the Oracle Application Server is now complete. If there are any issues logging into Oracle Applications or launching Forms, these should be resolved before proceeding with Part 2 if you have chosen to also implement SQL*Net Encryption.

Part 2 - ENCRYPTING NETWORK TRAFFIC USING ADVANCED SECURITY

To configure the E-Business Suite Release 12 to encrypt network traffic sent over the TNS protocol we use the Advanced Networking Option (ANO) that is part of the Advanced Security Option (ASO) of the Oracle database and included with the Release 12.1 E-Business Suite Technology Stack.

TNS (Transparent Network Substrate) is an Oracle protocol running on top of a number of supported network protocols - typically TCP/IP. ANO/ASO encryption prevents sending TNS traffic "in the clear" over a network connection.

CERTIFICATION: This configuration is certified for Oracle Applications Release 12 using Forms Listener Servlet (the default mode) on the following platforms:

Linux-x86
Solaris-32
AIX4-32
Tru64
HP-UX
Windows-32

Advanced security encryption can be configured, based on a combination of client and server configuration parameters as REJECTED, ACCEPTED, REQUESTED or REQUIRED.

The following matrix - taken from the database documentation - shows whether a connection attempt will succeed or fail to provide an encrypted connection for the various combinations of the ENCRYPTION variable in the sqlnet.ora file on client and server.

                          Client
Server         REJECTED        ACCEPTED   REQUESTED   REQUIRED
REJECTED       OFF             OFF        OFF         No Connection
ACCEPTED       OFF             OFF        ON          ON
REQUESTED      OFF             ON         ON          ON
REQUIRED       No Connection   ON         ON          ON

Oracle has certified EBS Release 12 with the server parameter set to REQUIRED - this ensures that all EBS TNS network traffic is being encrypted.

Although ANO/ASO supports a number of different encryption algorithms, the supported algorithms are version dependent. For Release 12 certification the server's preference is set to AES256, AES192, 3DES168.

Appendix A - Using Network Traffic Encryption contains information on Enabling Trace, Verifying ANO is Functioning Correctly, and the Types of Encryptions Allowed and Supported.

The remainder of this section will help you enable the encryption in each of the different ORACLE_HOME’s in an EBS deployment.

Step 1 - Shutdown Middle Tier Server Processes and Database Listener

On the database server node, shut down the database listener:

$ORACLE_HOME/appsutil/scripts/<sid_machine>/addlnctl.sh stop <ORACLE_SID>

On each middle tier server, shut down all processes or services:


$ADMIN_SCRIPTS_HOME/adstpall.sh <apps user> / <apps password>

The Applications will be unavailable to users until the remaining tasks in this section are completed.

Step 2 - DB Tier Changes

1. Logon to the DB Tier server as the file system owner.

2. Source the DB Tier environment file located in the Oracle Home directory.

3. Take a backup of the $TNS_ADMIN/sqlnet_ifile.ora file.

4. Open the $TNS_ADMIN/sqlnet_ifile.ora file with the editor of your choice and add the following lines, replacing [crypto seed] with a string of 10 - 70 alphanumeric characters of your choosing. The characters that form the value of this parameter are used when generating cryptographic keys; the more random the characters entered, the stronger the keys.

SQLNET.ENCRYPTION_TYPES_SERVER=(AES256, AES192, 3DES168)
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_SEED=[crypto seed]

Note: Oracle Corporation recommends that you enter as many characters as possible, up to 70, for the crypto seed to make the resulting key more random and therefore

After the changes have been made, restart the listener:

$ORACLE_HOME/appsutil/scripts/<sid_machine>/addlnctl.sh start <ORACLE_SID>

Step 3 - Create $TNS_ADMIN/sqlnet.ora and sqlnet_ifile.ora files on each Middle Tier.

By default, the Oracle Applications Middle Tier installations do not have either a sqlnet.ora or sqlnet_ifile.ora file, so we will need to create these. We keep the ANO/ASO directives in the sqlnet_ifile.ora file to isolate them from any future autoconfig updates that affect the sqlnet.ora file.

Logon to the Middle Tier server as the file system owner.

Source your middle tier environment file (APPS<sid_machine>.env) located in the APPL_TOP directory.

Navigate to the $TNS_ADMIN directory.

Use the editor of your choice to create the sqlnet.ora file with the following lines:

#################################################################
# sqlnet.ora file for middle tier sqlnet encryption with Advanced SSL Configuration
#################################################################
IFILE = <full path to TNS_ADMIN>/sqlnet_ifile.ora

Use the editor of your choice to create the sqlnet_ifile.ora file with the following lines:

#################################################################
# sqlnet_ifile.ora for middle tier sqlnet encryption with Advanced SSL Configuration
#################################################################
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256, AES192, 3DES168)
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_SEED=somelongandrandomstringfordeploymentUpTo70characters

Note: the SQLNET.CRYPTO_SEED does not need to be the same as used on the db tier.

Step 4 - Update the Context File

Use the Oracle Applications Manager (OAM) Context Editor to change the SSL related variables on each middle tier server as shown in this table:

Advanced SSL Related Variables in the Context File

Variable              Non-SSL Value   Advanced SSL Value
s_custom_dbc_params   (not set)       ENCRYPTION_CLIENT=REQUIRED ENCRYPTION_TYPES_CLIENT=(3DES168)

Note: This step sets the configuration for JDBC client connections and is OPTIONAL.

If the value is not set and the parameter on the DB server is set to REQUIRED, the JDBC client connection value will be ACCEPTED (which is the default value). The connection will continue without error and with the security service enabled as long as an encryption or integrity algorithm match is found.

Step 5 - Run Autoconfig (conditional)

If you updated the context file in Step 4 you now need to run autoconfig on each middle tier server:

$ADMIN_SCRIPTS_HOME/adautocfg.sh appspass=<apps password>

Check the autoconfig log file for errors.

Step 6 - Restart the Middle Tier Services

On each middle tier server, restart all processes and services:

$ADMIN_SCRIPTS_HOME/adstrtal.sh <apps user> / <apps password>


Section 6: Converting Existing Certificates

If you have existing un-expired certificates from a previous implementation of SSL in Release 11i, they can be converted and imported into a Release 12 wallet using the following tools:

SSL2OSSL (Unix)
SSLCONVERT (Windows NT/2000)

Step 1- Set Your Environment

Logon to the application middle tier as the OS user who owns the middle tier files. Navigate to $INST_TOP/ora/10.1.3 and source the <sid_machine>.env file to set your 10.1.3 ORACLE_HOME variables.

When working with wallets and certificates you MUST use the 10.1.3 executables.

Step 2 - Copy your Certificates

Copy server.key, server.crt, and ca.crt to the $INST_TOP/certs/Apache directory.

Step 3 - Issue the command:

$ORACLE_HOME/Apache/Apache/bin/ssl2ossl -cert ./server.crt -key ./server.key -cafile ./ca.crt -wallet . -ssowallet yes

If your server certificate was issued by a Certifying Authority other than Verisign, Entrust, GTE, or RSA Data Security, you will also need to add it to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/config directory:

cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

Section 7: Creating your Certifying Authority's Certificate

To create ca.crt

Copy server.crt to your PC (if necessary) using one of the following methods:

a. ftp (in binary mode) server.crt to your PC
b. copy the contents of server.crt and paste into Notepad on the PC. Save the file as server.crt

1. Double click on server.crt to open it with the Crypto Shell Extension.
2. On the Certification Path tab click on the first (top) line and then View Certificate.
3. On the Details tab click Copy to File; this will start the export wizard.
4. Click Next to continue.
5. Select Base-64 encoded X.509 (.CER) and click Next.
6. Click Browse and navigate to the directory of your choice.
7. Enter ca.crt as the name and click OK to export the certificate.
8. Close the wizard.
9. Copy ca.crt back to your wallet directory (if necessary) using one of the following methods:

a. ftp (in binary mode) ca.crt to your middle tier wallet directory
b. copy the contents of ca.crt and paste into a new file in your middle tier wallet directory using a text editor. Save the file as ca.crt

Section 8: Oracle Application Server Certificate Authority

The Oracle Application Server Certificate Authority is a Certificate Authority (CA) for use within your Oracle Application Server environment, where you are essentially both the client and the server. It is part of the Oracle Identity Management option and is bundled with the Oracle Application Server 10g Enterprise Edition. It can also be licensed separately as an option for the Oracle Application Server 10g Standard Edition.

For more information please refer to the Oracle Application Server Certificate Authority 10g White Paper.

Section 9: Disabling SSLv2 and Weak Ciphers

In R12.TXK.B.delta.3 (patch 8919489) we have modified the configuration files according to recommendations made by the APPS Security Team. We now permit only strong ciphers (minimum of 128 bit keys). The SSLv2.0 protocol is no longer enabled - only TLS v1.0 and SSL v3.0 are allowed. If you wish to take advantage of this increased security before you are ready to upgrade to R12.TXK.B.delta.3, you may do so by following these instructions:

1. Review Note 387859.1 - Using AutoConfig to Manage System Configurations in Oracle E-Business Suite Release 12 and be sure you are comfortable with and understand the concepts before proceeding.

2. On the Middle Tier(s):

a. Navigate to the $FND_TOP/admin/template directory.
b. Create a new directory called custom.
c. Copy either ssl_conf_1013.tmp (Unix) or ssl_conf_1013_nt.tmp (Windows) to the $FND_TOP/admin/template/custom directory.
d. Edit the file in the $FND_TOP/admin/template/custom directory and make these changes:

Find and comment out (using #) the line that reads:

SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Immediately below, add these lines:

#
# Adding the following directives per recommendation from apps security
#
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

Your file should now look like this:

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
#SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#
# Adding the following directives per recommendation from apps security
#
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

e. Run autoconfig.
f. Verify the change is present in your $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf file.


g. Stop and restart the Mid Tier services.

Note(s): We have not tested which clients (browsers) do not work with stronger ciphers or SSLv3 / TLSv1. You may have to make changes to your client (browser) settings to enable the use of SSLv3 and TLSv1.
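To support step f (verifying the change reached ssl.conf), here is an added Python checker that is not part of this Oracle note: it reads an ssl.conf text, takes the last uncommented SSLProtocol and SSLCipherSuite directives (Apache semantics, where a later directive overrides an earlier one) and reports whether SSLv2 or a weak cipher group such as LOW or EXP is still enabled. The two config fragments inside it are constructed from the before/after lines shown above.

```python
# Constructed ssl.conf fragment after the template customisation above:
# the shipped line commented out, the hardened directives beneath it.
HARDENED_SSL_CONF = """\
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
#SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
#
# Adding the following directives per recommendation from apps security
#
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
"""

# Constructed fragment as the template ships before customisation.
ORIGINAL_SSL_CONF = """\
# SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

# Cipher-string groups that re-enable weak or unauthenticated suites unless
# they are negated with '!'.
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                      "SSLv2", "ADH", "aNULL", "eNULL", "NULL"}


def effective_directives(conf_text):
    """Return the last uncommented SSLProtocol / SSLCipherSuite values.

    Lines starting with '#' are comments; a directive that appears twice
    takes its last value, which is how Apache applies it."""
    found = {"SSLProtocol": None, "SSLCipherSuite": None}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in found:
            found[parts[0]] = parts[1].strip()
    return found


def check_ssl_conf(conf_text):
    """Return a list of findings; an empty list means the hardened settings are in effect."""
    findings = []
    directives = effective_directives(conf_text)

    proto = directives["SSLProtocol"]
    if proto is None:
        findings.append("SSLProtocol not set: the server default applies, so SSLv2 is not explicitly disabled")
    else:
        tokens = proto.split()
        if "-all" not in tokens and "-SSLv2" not in tokens:
            findings.append("SSLProtocol does not disable SSLv2 (expected '-all' or '-SSLv2')")
        if "+SSLv2" in tokens:
            findings.append("SSLProtocol explicitly enables SSLv2")

    suite = directives["SSLCipherSuite"]
    if suite is None:
        findings.append("SSLCipherSuite not set")
    else:
        for token in suite.split(":"):
            name = token.lstrip("+-!")
            if name in WEAK_CIPHER_TOKENS and not token.startswith("!"):
                findings.append("SSLCipherSuite permits weak cipher group %r" % token)
        if suite.startswith("ALL"):
            findings.append("SSLCipherSuite starts with ALL; weak suites stay enabled unless each is negated")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else HARDENED_SSL_CONF
    for finding in check_ssl_conf(text) or ["OK: no weak protocol or cipher settings found"]:
        print(finding)
```

Run it as python check_ssl.py $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf after autoconfig; with no argument it checks the embedded hardened fragment.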

Appendix A - Using Network Traffic Encryption

1. How to Enable Tracing

Tracing is a helpful tool that will enable you to verify that encryption is active and/or help diagnose where errors are occurring during the transactions.

To enable tracing, the following SQLNET parameters should be added to the SQLNET.ORA file.

TRACE_DIRECTORY_SERVER=<a valid directory to which the OS user running the listener can write>
TRACE_LEVEL_SERVER=16
TRACE_UNIQUE_SERVER=ON

TRACE LEVEL can be set to the level of tracing required.

The tns listener must be bounced for the trace setting to take effect.

Note: tracing at this level generates many large files in the trace directory. You should only run in tracing mode while verifying that encryption takes place. Once satisfied that TNS traffic is indeed encrypted, comment out (or remove) the lines relating to tracing from the sqlnet.ora file and bounce the TNS listener.

2. Verifying that ANO is Functioning Correctly

After enabling tracing, check the trace files in the appropriate directories to verify that ANO functionality is in use:

Review the resulting sqlnet trace (.trc) files.

In the trace directory you will see a number of trace files with names such as svr_NNNNN.trc.

Below is a section of a trace file where encryption is being successfully used:

....
na_tns: authentication is not active
na_tns: encryption is active, using 3DES168
na_tns: exit
....

Note: If you have not defined a tnsnav.ora file, then the following message will appear in the sqlnet trace (.trc) file and can be safely ignored: nrigbni: Unable to get data from navigation file tnsnav.ora

Some of the trace files are small, approximately 3kb, and they do not contain any information concerning enabled encryption. These files are generated for connections originating from the database host, by the database instance itself, and thus do not traverse the network. You will see these files getting generated even when only the database and its TNS listener are running.

$ cd $TNS_ADMIN/../../trace

$ ls -ltr | awk '$5 > 3000 && $5 < 4000' | tail -3
-rw-r--r-- 1 oracle dba 3601 Sep 24 13:57 svr_13815.trc
-rw-r--r-- 1 oracle dba 3062 Sep 24 13:58 svr_13817.trc
-rw-r--r-- 1 oracle dba 3062 Sep 24 13:59 svr_13819.trc

Other files are larger, some quite large, and they will contain "encryption is active, using CRYPTOALGORITHM..." messages.

There will be two different algorithms in use, 3DES168 and AES256.

$ cd $TNS_ADMIN/trace

$ ls -ltr | tail -3
-rw-r--r-- 1 oracle dba 28427064 Sep 24 14:20 svr_11547.trc
-rw-r--r-- 1 oracle dba 70609051 Sep 24 14:20 svr_29270.trc
-rw-r--r-- 1 oracle dba 763726186 Sep 24 14:20 svr_29144.trc

$ grep 'encryption is active' svr_29270.trc svr_29270.trc svr_29144.trc
svr_29270.trc:[20-SEP-2007 16:47:20:369] na_tns: encryption is active, using 3DES168
svr_29270.trc:[20-SEP-2007 16:47:20:369] na_tns: encryption is active, using 3DES168
svr_29144.trc:[20-SEP-2007 16:46:48:914] na_tns: encryption is active, using AES256

The connections using AES256 are generated by the executables linked to the OCI C libraries (sqlplus, FNDLIBR, RCVOLTM, ...) and the 3DES168 connections originate from connections via the JDBC interface.
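The grep above is easy to do by hand for three files; as an added example (not from this Oracle note), the Python below does the same check over every svr_NNNNN.trc file, classifying each as encrypted, no-encryption-logged (the small in-host connection traces described above) or unexpected-algorithm (an algorithm outside the AES256/AES192/3DES168 list configured earlier). The trace excerpts it runs on are constructed, with made-up timestamps and process ids.

```python
import re
from collections import Counter

# Constructed trace excerpts keyed by file name, modelled on the svr_NNNNN.trc
# lines quoted above. Timestamps and PIDs are made up.
SAMPLE_TRACES = {
    "svr_13815.trc": "[24-SEP-2007 13:57:01:100] nsglhfre: entry\n"
                     "[24-SEP-2007 13:57:01:101] nsglhfre: exit\n",
    "svr_29270.trc": "[20-SEP-2007 16:47:20:369] na_tns: authentication is not active\n"
                     "[20-SEP-2007 16:47:20:369] na_tns: encryption is active, using 3DES168\n"
                     "[20-SEP-2007 16:47:20:369] na_tns: exit\n",
    "svr_29144.trc": "[20-SEP-2007 16:46:48:914] na_tns: encryption is active, using AES256\n",
    "svr_11547.trc": "[20-SEP-2007 16:50:00:000] nrigbni: Unable to get data from navigation file tnsnav.ora\n"
                     "[20-SEP-2007 16:50:00:001] na_tns: encryption is active, using RC4_40\n",
}

ENCRYPTION_RE = re.compile(r"na_tns: encryption is active, using (\S+)")

# The server preference list configured in sqlnet_ifile.ora earlier in this document.
ALLOWED_ALGORITHMS = {"AES256", "AES192", "3DES168"}


def scan_trace(text):
    """Return the algorithms logged as active in one trace file (empty if none)."""
    return ENCRYPTION_RE.findall(text)


def summarise_traces(traces, allowed=ALLOWED_ALGORITHMS):
    """Classify each trace file and count negotiated algorithms across all files.

    Returns (summary, counter): summary maps file name to 'encrypted',
    'no-encryption-logged' or 'unexpected-algorithm'; counter maps
    algorithm name to the number of times it was negotiated."""
    summary = {}
    counter = Counter()
    for name, text in traces.items():
        algs = scan_trace(text)
        counter.update(algs)
        if not algs:
            # Typically a local, in-host connection that never crossed the network.
            summary[name] = "no-encryption-logged"
        elif all(a in allowed for a in algs):
            summary[name] = "encrypted"
        else:
            # Something negotiated outside the configured list: worth investigating.
            summary[name] = "unexpected-algorithm"
    return summary, counter


def load_trace_dir(path):
    """Read every svr_*.trc file under path into the same dict shape as SAMPLE_TRACES."""
    import glob
    import os
    return {os.path.basename(p): open(p, errors="replace").read()
            for p in glob.glob(os.path.join(path, "svr_*.trc"))}


if __name__ == "__main__":
    import sys
    traces = load_trace_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TRACES
    summary, counter = summarise_traces(traces)
    for name in sorted(summary):
        print("%-16s %s" % (name, summary[name]))
    print("algorithms:", dict(counter))
```

Pass the trace directory (for example $TNS_ADMIN/../../trace) as the first argument to scan real files; with no argument it runs over the embedded sample.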

3. Types of Encryptions that are Allowed and Supported

This section provides you with background information - taken from the database documentation - that will help you understand how the selection of encryption algorithms takes place on a per connection basis. You do not have to use this information; you can use the sample configuration examples earlier in the document. However, if you wish to use different algorithms or have 3rd party tools that do not support encryption, you will have to create your own configuration files.

ACTIVATING ENCRYPTION AND INTEGRITY

In any network connection, it is possible for both the client and server to each support more than one encryption algorithm and more than one integrity algorithm. When a connection is made, the server selects which algorithm to use, if any, from those algorithms specified in its sqlnet.ora file.

The server searches for a match between the algorithms available on both the client and the server, and picks the first algorithm in its own list that also appears in the client list. If one side of the connection does not specify an algorithm list, all the algorithms installed on that side are acceptable. The connection fails with error message ORA-12650 if either side specifies an algorithm that is not installed.

Encryption and integrity parameters are defined by modifying the sqlnet.ora file on the clients and the servers on the network.

You can choose to configure any or all of the available Oracle Advanced Security encryption algorithms and either or both of the available integrity algorithms. Only one encryption algorithm and one integrity algorithm is used for each connect session.

NOTE: Advanced Security selects the first encryption algorithm and the first integrity algorithm enabled on the client and the server. Oracle Corporation recommends that you select algorithms and key lengths in the order in which you prefer negotiation - probably with the strongest key length first.

NEGOTIATING ENCRYPTION AND INTEGRITY

To negotiate whether to turn on encryption or integrity, you can specify four possible values for the Oracle Advanced Security encryption and integrity configuration parameters. The four values are listed in the order of increasing security. The value REJECTED provides the minimum amount of security between client and server communications, and the value REQUIRED provides the maximum.

REJECTED
ACCEPTED
REQUESTED
REQUIRED

The default value for each of the parameters is ACCEPTED.

REJECTED

Select this value if you do not elect to enable the security service, even if required by the other side.

In this scenario, this side of the connection specifies that the security service is not permitted. If the other side is set to REQUIRED, the connection terminates with error message ORA-12650. If the other side is set to REQUESTED, ACCEPTED, or REJECTED, the connection continues without error and without the security service enabled.

ACCEPTED

Select this value to enable the security service if required or requested by the other side.

In this scenario, this side of the connection does not require the security service, but it is enabled if the other side is set to REQUIRED or REQUESTED. If the other side is set to REQUIRED or REQUESTED, and an encryption or integrity algorithm match is found, the connection continues without error and with the security service enabled. If the other side is set to REQUIRED and no algorithm match is found, the connection terminates with error message ORA-12650.

If the other side is set to REQUESTED and no algorithm match is found, or if the other side is set to ACCEPTED or REJECTED, the connection continues without error and without the security service enabled.

REQUESTED

Select this value to enable the security service if the other side permits it.

In this scenario, this side of the connection specifies that the security service is desired but not required. The security service is enabled if the other side specifies ACCEPTED, REQUESTED, or REQUIRED.There must be a matching algorithm available on the other side--otherwise the service is not enabled. If the other side specifies REQUIRED and there is no matching algorithm, the

REQUIRED

Select this value to enable the security service or preclude the connection.

In this scenario, this side of the connection specifies that the security service must be enabled. The connection fails if the other side specifies REJECTED or if there is no compatible algorithm on the other

The following table shows whether the security service is enabled, based on a combination of client and server configuration parameters. If either the server or client has specified REQUIRED, the lack of a common algorithm causes the connection to fail. Otherwise, if the service is enabled, lack of a common service algorithm results in the service being disabled.

Encryption and Data Integrity Negotiation Table

                           Client
Server         REJECTED           ACCEPTED   REQUESTED   REQUIRED
REJECTED       OFF                OFF        OFF         Connection fails
ACCEPTED       OFF                OFF        ON          ON
REQUESTED      OFF                ON         ON          ON
REQUIRED       Connection fails   ON         ON          ON
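To make the negotiation rules above concrete, here is an added Python model (not part of this Oracle note) that parses sqlnet_ifile.ora-style directives such as the DB tier and middle tier fragments given in Part 2, applies the REJECTED/ACCEPTED/REQUESTED/REQUIRED table and the server-picks-first-common-algorithm rule, and checks the SQLNET.CRYPTO_SEED length. The two file contents embedded in it are constructed; the seeds are placeholders. It only models the encryption service; the integrity parameters follow the same table and are not repeated.

```python
# Constructed sqlnet_ifile.ora contents modelled on the DB tier and middle tier
# fragments in Part 2 of this document (crypto seeds are placeholders).
SERVER_IFILE = """\
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256, AES192, 3DES168)
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.CRYPTO_SEED=constructedplaceholderseedvalue1234
"""

CLIENT_IFILE = """\
SQLNET.ENCRYPTION_TYPES_CLIENT=(AES256, AES192, 3DES168)
SQLNET.ENCRYPTION_CLIENT=REQUIRED
SQLNET.CRYPTO_SEED=anotherconstructedseedXYZ
"""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def parse_sqlnet(text):
    """Parse KEY=VALUE lines of a sqlnet.ora-style file into a dict.

    Parenthesised lists such as (AES256, AES192) become Python lists;
    anything after '#' is treated as a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.upper()] = value
    return params


def negotiate(server_level, client_level, server_algs, client_algs):
    """Apply the Advanced Security negotiation rules from the table above.

    Returns ('ON', algorithm), ('OFF', None) or ('FAIL', 'ORA-12650').
    An empty list means 'every installed algorithm is acceptable' and is
    modelled as accepting whatever the other side lists."""
    if server_level not in LEVELS or client_level not in LEVELS:
        raise ValueError("levels must be one of %s" % (LEVELS,))
    # REJECTED on either side: fails only against REQUIRED, otherwise no service.
    if "REJECTED" in (server_level, client_level):
        if "REQUIRED" in (server_level, client_level):
            return ("FAIL", "ORA-12650")
        return ("OFF", None)
    # ACCEPTED on both sides: nobody asked for the service.
    if server_level == "ACCEPTED" and client_level == "ACCEPTED":
        return ("OFF", None)
    if not server_algs and not client_algs:
        # Both sides accept all installed algorithms; the choice depends on the
        # installation and is not known to this model.
        return ("ON", None)
    # The server picks the first entry of its own list that the client also lists.
    s_list = server_algs or client_algs
    c_list = client_algs or server_algs
    common = [a for a in s_list if a in c_list]
    if common:
        return ("ON", common[0])
    if "REQUIRED" in (server_level, client_level):
        return ("FAIL", "ORA-12650")
    return ("OFF", None)


def negotiate_from_files(server_text, client_text):
    """Negotiate from parsed sqlnet_ifile.ora contents; the level default is ACCEPTED."""
    s = parse_sqlnet(server_text)
    c = parse_sqlnet(client_text)
    return negotiate(s.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED"),
                     c.get("SQLNET.ENCRYPTION_CLIENT", "ACCEPTED"),
                     s.get("SQLNET.ENCRYPTION_TYPES_SERVER", []),
                     c.get("SQLNET.ENCRYPTION_TYPES_CLIENT", []))


def check_crypto_seed(params):
    """True if SQLNET.CRYPTO_SEED is present and 10 to 70 characters long, as Part 2 requires."""
    seed = params.get("SQLNET.CRYPTO_SEED", "")
    return isinstance(seed, str) and 10 <= len(seed) <= 70


if __name__ == "__main__":
    print("DB tier vs middle tier:", negotiate_from_files(SERVER_IFILE, CLIENT_IFILE))
    # A JDBC client restricted to 3DES168 (the s_custom_dbc_params value in Part 2)
    # against the same server preference list.
    print("server list vs JDBC client:",
          negotiate("REQUIRED", "REQUIRED", ["AES256", "AES192", "3DES168"], ["3DES168"]))
```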

4. Displaying the encryption options available from the Tools and Database ORACLE_HOME.

After setting your environment to either the Tools or Database ORACLE_HOME using the "adapters" command:

. $ORACLE_HOME/bin/adapters

will display a list of the encryption options available for the following:

a. Installed Oracle Net transport protocols
b. Installed Oracle Net naming methods
c. Installed Oracle Advanced Security options

Note: The following errors -if received - may be safely ignored:

Error!!! SDP/IB is not completely installed! Present in libntcp10, but missing from ntcontab.o...

Error!!! Oracle Names Server Naming is not completely installed!

Change Log


Date Description

Aug 12, 2010 Added Section 9 - Disabling SSL v2 and Weak Ciphers

Oct 28, 2009 Updated iHelp url settings.

May 1, 2009 Published 12.1 updates to Metalink

Dec 23, 2008 Processed remarks and added Certificate Provisioning for XML Publisher or Business Intelligence Publisher.

Nov 3, 2008 Added ANO/ASO and Appendix A

Oct 7, 2008 Added Discoverer Notes.

July 17, 2008 Updated for Release 12.1 and Advanced SSL Configuration.

Nov 5, 2007 Added custom.conf section.

Oct 4, 2007 Added note that use of the Forms Server Listener with ConnectMode=https is not supported.

July 20, 2007 Modified SSL Accelerator changes.

Jan 24, 2007 Initial creation.

Note 376700.1 by Oracle E-Business Suite Development
Copyright 2008 Oracle Corporation
Last updated: August 12, 2010


Copyright (c) 2007, 2010, Oracle. All rights reserved. Legal Notices and Terms of Use | Privacy Statement