Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for IBM AIX on POWER System (64-Bit) Part Number E14771-34
This chapter describes issues associated with SSL configuration in Oracle Fusion Middleware. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Section 28.1.1, "Replacement User Certificates for Oracle Wallets"
Section 28.1.2, "Incorrect Message or Error when Importing a Wallet"
The Oracle wallets used by Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory, as well as the keystore used by Oracle Virtual Directory, include a Verisign root key (Serial#: 02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0) that expires Jan 07, 2010 15:59:59 PST.
Customers using the user certificate signed by this root key will need to obtain a replacement user certificate signed by their Certificate Authority (CA), and import that CA's root key into the Oracle wallet.
See "Common Certificate Operations" in the "Wallet Management" section of the Oracle Fusion Middleware Administrator's Guide for steps to import a root key into an Oracle wallet.
Problem 1
Fusion Middleware Control displays an incorrect message when you specify an invalid wallet password while attempting to import a wallet. The issued message "Cannot create p12 without password." is incorrect. Instead, it should notify the user that the password is incorrect and request a valid password.
Problem 2
Fusion Middleware Control displays an incorrect message when you attempt to import a password-protected wallet as an autologin wallet. The issued message "Cannot create p12 without password." does not provide complete information. Instead, it should notify the user that importing a password-protected wallet requires a password.
Problem 3
If you attempt to import an autologin wallet as a password-protected wallet using either Fusion Middleware Control or WLST, a NullPointerException error is displayed.
This section describes configuration issues and their workarounds. It includes the following topics:
Section 28.2.1, "Tools for Importing DER-encoded Certificates"
Section 28.2.2, "Using a Keystore Not Created with WLST or Fusion Middleware Control"
Section 28.2.3, "Components May Enable All Supported Ciphers"
You cannot use Oracle Enterprise Manager Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Instead, use other tools that are available for this purpose.
To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:
Oracle Wallet Manager, or
orapki command-line tool
To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility.
If an Oracle wallet or JKS keystore was created with tools such as orapki or keytool, it must be imported prior to use. Specifically:
For Oracle HTTP Server, Oracle Web Cache, and Oracle Internet Directory, if a wallet was created using orapki or Oracle Wallet Manager, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST importWallet command.
For Oracle Virtual Directory, if a keystore was created using keytool, in order to view or manage it in Fusion Middleware Control you must first import it with either Fusion Middleware Control or the WLST importKeyStore command.
Customers should be aware that when no cipher is explicitly configured, some 11g Release 1 (11.1.1) components enable all supported SSL ciphers including DH_Anon (Diffie-Hellman Anonymous) ciphers.
At this time, Oracle HTTP Server is the only component known to set ciphers like this.
Configure the components with the desired cipher(s) if DH_Anon is not wanted.
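A configuration check for the default-cipher issue described above, added here as an example and not taken from Oracle's documentation: it flags each SSL-enabled scope in an Apache-style configuration that has no explicit cipher list or that lists a DH_anon suite. The directive names (SSLEngine, SSLCipherSuite), the suite names, the list separators and the sample configuration are assumptions; confirm them against the Oracle HTTP Server documentation for your release.

```python
import re

# Constructed sample in the style of an Oracle HTTP Server ssl.conf (not from the page).
SAMPLE_CONF = """\
<VirtualHost *:4443>
  SSLEngine on
</VirtualHost>
<VirtualHost *:4444>
  SSLEngine on
  SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
</VirtualHost>
<VirtualHost *:4445>
  SSLEngine on
  SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA
</VirtualHost>
"""

def audit_ssl_conf(text):
    """Return (scope, problem) pairs for SSL-enabled scopes that may offer DH_anon."""
    scopes, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            scopes[current] = {}
        elif line.lower().startswith("</virtualhost"):
            current = "global"
        else:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in ("sslengine", "sslciphersuite"):
                scopes[current][parts[0].lower()] = parts[1].strip().strip('"')
    findings, inherited = [], scopes["global"]
    for name, own in scopes.items():
        merged = {**inherited, **own}  # server-level settings apply unless overridden
        if merged.get("sslengine", "off").lower() != "on":
            continue
        if "sslciphersuite" not in merged:
            findings.append((name, "no SSLCipherSuite set; all supported ciphers enabled"))
            continue
        # Separator (colon or comma) and "!"/"-" exclusion prefixes are assumptions.
        tokens = re.split(r"[:,\s]+", merged["sslciphersuite"])
        anon = [t for t in tokens if "dh_anon" in t.lower() and t[0] not in "!-"]
        if anon:
            findings.append((name, "anonymous suites listed: " + ", ".join(anon)))
    return findings
```

Call `audit_ssl_conf()` on the text of the server's SSL configuration file; each returned pair names a scope that needs an explicit cipher list without DH_anon suites.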