1. OHS 인증서 설치

* $ORACLE_HOME/opmn/conf/opmn.xml 파일 확인하기

[oracle@eznbiz default]$ vi ${ORACLE_INSTANCE}/opmn/conf/opmn.conf

 

< ias-component id="HTTP_Server">

< process-type id="HTTP_Server" module-id="OHS">

< module-data>

< category id="start-parameters">

< data id="start-mode" value="ssl-enabled"/>

* 설명 : disabled 로 되어있을 경우 enabled 로 수정 합니다.

< /category>

< /module-data>

< process-set id="HTTP_Server" numprocs="1"/>

< /process-type>

< /ias-component>

1) OHS의 환경 파일인 httpd.conf 파일을 vi로 편집 합니다.

 

[oracle@eznbiz default]$ vi ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/http.conf

 

< IfDefine SSL>

LoadModule ossl_module "${ORACLE_HOME}/ohs/modules/mod_ossl.so"

< /IfDefine>

* 설명 : 주석 처리 되어있을 경우 해제

​

# Include the SSL definitions and Virtual Host container

include "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf" 

* 설명 : 참조 된 파일과 경로를 확인 합니다.

 

2) SSL환경 파일인 ssl.conf를 vi로 편집 합니다.

※파란 글씨는 무시하시거나 삭제하시기 바랍니다.

[oracle@eznbiz default]$ vi ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl.conf

 

###################################################################

# Oracle HTTP Server mod_ossl configuration file: ssl.conf #

###################################################################

 

# OHS Listen Port

Listen 443

* 설명 : SSL포트 활성화

 

< IfModule ossl_module>

##

## SSL Global Context

##

## All SSL configuration in this context applies both to

## the main server and all SSL-enabled virtual hosts.

##

 

# # Some MIME-types for downloading Certificates and CRLs

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl .crl

 

# Pass Phrase Dialog:

# Configure the pass phrase gathering process.

# The filtering dialog program (`builtin' is a internal

# terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog builtin

 

# Inter-Process Session Cache:

# Configure the SSL Session Cache: First the mechanism 

# to use and second the expiring timeout (in seconds).

SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"

SSLSessionCacheTimeout 300

 

# Semaphore:

# Configure the path to the mutual exclusion semaphore the

# SSL engine uses internally for inter-process synchronization. 

< IfModule mpm_winnt_module>

SSLMutex "none"

< /IfModule>

< IfModule !mpm_winnt_module>

SSLMutex pthread

< /IfModule>

 

##

## SSL Virtual Host Context

##

* 설명 : 가상호스트 설정

< VirtualHost *:443>

< IfModule ossl_module>

# SSL Engine Switch:

# Enable/Disable SSL for this virtual host.

SSLEngine on

 

# Client Authentication (Type):

# Client certificate verification type and depth. Types are

# none, optional and require.

SSLVerifyClient None

 

# SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

* 설명 : 사용 알고리즘 설정

SSLCipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,

TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

 

# SSL Certificate Revocation List Check

# Valid values are On and Off

SSLCRLCheck Off

 

#Path to the wallet

SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"

* 설명 : 인증서 파일 위치 설정 따로 파일명까지 지정할 필요는 없다.

 

< FilesMatch "\.(cgi|shtml|phtml|php)$">

SSLOptions +StdEnvVars

< /FilesMatch>

 

< Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">

SSLOptions +StdEnvVars

< /Directory>

 

BrowserMatch ".*MSIE.*" \

nokeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

 

< /IfModule>

< /VirtualHost>

 

< /IfModule> 

3) 완성 된 인증서를 ssl.conf 파일의 "SSLWallet"에 설정 된 경로로 위치 시킵니다.

 

[oracle@eznbiz default]$ pwd

${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default

[oracle@eznbiz default]$ ls

ewallet.p12 cwallet.sso

2. OHS 재기동

[oracle@eznbiz default]$ opmnctl stopall

[oracle@eznbiz default]$ opmnctl startall

3. 인증서 확인

​

[root@localhost ~]# netstat -nap | grep httpd

tcp 0 0 :::80 :::* LISTEN 

tcp 0 0 :::443 :::* LISTEN 

 

443포트 Listen 된 상태에서 아래의 명령어를 사용하여 로컬에서 인증서를 확인 합니다.

[root@localhost ~]# openssl s_client -connect 127.0.0.1:443 | openssl x509

 

depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2

verify error:num=20:unable to get local issuer certificate

verify return:0

-----BEGIN CERTIFICATE-----

MIIE2jCCA8KgAwIBAgICD/cwDQYJKoZIhvcNAQEFBQAwPDELMAkGA1UEBhMCVVMx

FzAVBgNVBAoTDkdlb1RydXN0LCBJbmMuMRQwEgYDVQQDEwtSYXBpZFNTTCBDQTAe

Fw0xMDEyMTQxMDQ4NTlaFw0xMjAyMTUyMTM4MjBaMIHlMSkwJwYDVQQFEyBrdW9u

SXgyYmI0a0lxZGpvWWE1bklYQWRxNVl6dG9RUDELMAkGA1UEBhMCS1IxGDAWBgNV

BAoTD3d3dy51Y2VydC5jby5rcjETMBEGA1UECxMKR1Q1NDc2OTQxMDExMC8GA1UE

CxMoU2VlIHd3dy5yYXBpZHNzbC5jb20vcmVzb3VyY2VzL2NwcyAoYykxMDEvMC0G

A1UECxMmRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkIC0gUmFwaWRTU0woUikxGDAW

BgNVBAMTD3d3dy51Y2VydC5jby5rcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC

AQoCggEBAMl6qA1dEc/FKw2qSjlh0iZDVGp+zqjBXW/iwkcnEZCzy/wxauh85OwM

G4TZ2FhJQabssuyVocWJGE/Fq3sO6U6lYZwycUKWN45sZTLGhdCbC0ZSb0OUq7tx

A8pDSqH/2/kG8a/Yfn8zGmXgsWi5swgfPKIa7dcmnmglA1x4YDquo0npWMizgt2z

mqQcuY5S/QKCDZo5Ee1BXaS4D7ZHiXzw5W9sDtsqo1nO37gLHTpNhIQrYnzN4ay7

l0FHLxiwEi2O/gndd4Z4/Rr0loFTdemStSPQlIRTag/+8/tMo+BoxHmPFTuWyNAb

MShN1eti+c0qWGsHigjvXMWtyg0NT4UCAwEAAaOCATowggE2MB8GA1UdIwQYMBaA

FGtpPWoYQkrdjwJlOf01JIZ4kRYwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU

BggrBgEFBQcDAQYIKwYBBQUHAwIwJwYDVR0RBCAwHoIPd3d3LnVjZXJ0LmNvLmty

ggt1Y2VydC5jby5rcjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vcmFwaWRzc2wt

Y3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNybDAdBgNVHQ4EFgQUkHru

EM3YsHLS8SjMWr7kBkyKu/YwDAYDVR0TAQH/BAIwADBJBggrBgEFBQcBAQQ9MDsw

OQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3QuY29tL3Jh

cGlkc3NsLmNydDANBgkqhkiG9w0BAQUFAAOCAQEAcjR0KR5MnA8gJFhZ4GRHSfvD

N2WX88pZPtE0BlEOU18HLLg8xL5Bb8exvX5+sExHS9zasRHUIPAYpwALSf4/WP7M

96ZMAEAggR9Dt8pCyFO7QXgkB3QQ7EsEK+s01wSWxMN5/ZcSV7O0k/DF83DH118x

/DFVeGNJsbwC0BEzVe/HnmBo77dxCdG+M16R59s2BjEr9Lq9sNnnE3drqs51qrs+

T0CyUWSpZ9KhlwjcLCMKe/SY8WIXIYaAx+IqJ7XJQU+GV1AJP3zHldhngL7eMMFo

ROpAHbjfkI0XboRtTAVs0K46omCAA4JViVF1DDKaXPZ+swif4GlzY/ijwPLDkA==

-----END CERTIFICATE-----

 

인증서 만료일 확인 방법

설명 : 인증서 시작과 만료일 확인

[root@mail ~]# echo "" | openssl s_client -connect localhost:443 | openssl x509 -noout -dates

notBefore=Jun 30 11:16:09 2016 GMT      인증서 시작일

notAfter=Sep 12 10:58:54 2017 GMT       인증서 만료일

 

설명 : 만료일만 확인

[root@mail ~]# openssl s_client -connect localhost:443 <  /dev/null 2>&1 | openssl x509 -noout -enddate

notAfter=Sep 12 10:58:54 2017 GMT

 

설명 : 로컬에서 인증서 출력이 정상적이고 외부에서 https://[도메인]으로 브라우저 접속 시 통신이 되지 않을 경우

내부 방화벽(예. iptables), 외부 방화벽 등에 SSL포트가 Allow (또는 웹방화벽에 인증서가 설치가) 되어있는지 확인 합니다.