Enable SSL Certificates for Oracle Apex 18.1 with Oracle Rest Data Services (ORDS) 18.1 hosted on Apache Tomcat 9

If you have a public-facing APEX instance, securing it with TLS 1.2 or SSL is mandatory. If you want to enable HTTPS for a public-facing web server, it is always recommended to use a public certificate authority, or at least use Let's Encrypt to generate certificates. Self-signed certificates must not be put on a publicly exposed service. Ideally, it is better to place a reverse proxy in front (like httpd or NGINX), with Tomcat connecting to the DB in the backend.
The first step is to enable HTTPS from ORDS.
——————- STEP A : Enable HTTPS for ORDS ————
Log in to your ORDS at http://localhost:8080/ords
Log in to the “internal” workspace
Go to Manage Instance > Security
Enable HTTPS
Require HTTPS: Always
Require Outbound HTTPS : No
Apply the changes and save. Now go to Step B to enable HTTPS for Apache Tomcat.

——————- STEP B : Self-Signed Certificates for Tomcat, only used on the local network ————
Enable HTTPS for Apache Tomcat on localhost (this is only for a web server that is not facing the internet).
1. As the Apache Tomcat user, generate a keystore with Java's keytool

su - tomcat
cd $HOME
pwd
-- Check java version --
# which java
# java -version
# keytool -genkey -alias tomcat -keyalg RSA

Add the Connector below to server.xml:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="/home/tomcat/.keystore" keystorePass="yourpassword"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />

Remove the HTTP connector tag from the server.xml file.
Ensure the ‘keystoreFile’ parameter points to where you created the Java keystore.
— Restart Tomcat —

Access https://localhost:8443/
http://localhost:8080/ will also work

Configuring your app to work with SSL (optional)
Add the code below to the web.xml file, before the web-app tag ends:

<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

This configuration lets you set the SSL options for all of an application’s pages in one place. For example, to disable SSL for all of your application’s pages, change “CONFIDENTIAL” to “NONE”.
—————– STEP C : Let’s Encrypt SSL Certificates ————
Install Certbot (the Let’s Encrypt client) from the EPEL repos
# yum install certbot -y
Create a certificate
1. If using httpd (not required for APEX with ORDS; go to step 2)

# certbot certonly --webroot -w /home/whadev/public_html -d whadev.whitehat-staging.com.au

2. If using Tomcat

# certbot certonly --webroot -w /home/oracle/apache-tomcat/webapps -d whadev.whitehat-staging.com.au

-w is the path of the ‘webapps’ directory in your CATALINA_HOME directory
-d is your domain
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for whadev.whitehat-staging.com.au
Using the webroot path /home/whadev/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/whadev.whitehat-staging.com.au/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/whadev.whitehat-staging.com.au/privkey.pem
Your cert will expire on 2018-10-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

# cd /etc/letsencrypt/live/whadev.whitehat-staging.com.au

Generate a PFX file, with certificates already issued by certbot:

# openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:yourpassword

Add the Connector below to server.xml and remove the old Connector tag that was defined in Step B:

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreType="PKCS12" keystoreFile="/home/oracle/apache-tomcat/bundle.pfx" keystorePass="yourpassword"
clientAuth="false" sslProtocol="TLS"/>

Restart Tomcat
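Once Steps B and C are done, the two things that most often go wrong are a plaintext HTTP connector left behind in server.xml and a web.xml constraint that no longer forces CONFIDENTIAL transport. The script below is an added example (not from the original article) that audits both files; the sample XML is constructed from the guide's own fragments, with a forgotten port-8080 connector added as the defect.

```python
"""Audit Tomcat server.xml / web.xml for the TLS settings this guide configures.
Added example, not from the article; the sample XML below is constructed from the
guide's fragments with a forgotten port-8080 HTTP connector added as the defect."""
import xml.etree.ElementTree as ET

def _name(tag):
    return tag.rsplit("}", 1)[-1]  # web.xml is namespaced: "{uri}tag" -> "tag"

def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means the connectors look right."""
    findings = []
    conns = [e for e in ET.fromstring(xml_text).iter() if _name(e.tag) == "Connector"]
    tls = [c for c in conns if c.get("SSLEnabled", "false").lower() == "true"]
    if not tls:
        findings.append("no SSLEnabled connector: HTTPS is not served")
    for c in tls:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f"port {port}: SSL connector needs scheme=https and secure=true")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: SSL connector has no keystoreFile")
    for c in conns:  # Tomcat's default protocol is HTTP/1.1, so a missing attribute is HTTP too
        proto = c.get("protocol", "HTTP/1.1")
        if c not in tls and ("HTTP" in proto or "http11" in proto):
            findings.append(f"port {c.get('port')}: plaintext HTTP connector still enabled")
    ports = [c.get("port") for c in conns]
    findings += [f"port {p}: defined by more than one Connector" for p in sorted(set(ports)) if ports.count(p) > 1]
    return findings

def web_xml_forces_https(xml_text):
    """True if a security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    for sc in ET.fromstring(xml_text).iter():
        if _name(sc.tag) == "security-constraint":
            pats = [e.text.strip() for e in sc.iter() if _name(e.tag) == "url-pattern"]
            tgs = [e.text.strip() for e in sc.iter() if _name(e.tag) == "transport-guarantee"]
            if "/*" in pats and "CONFIDENTIAL" in tgs:
                return True
    return False

# Constructed sample input: the guide's Step C connector and a leftover HTTP connector.
TLS_CONNECTOR = ('<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" '
                 'scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12" '
                 'keystoreFile="/home/oracle/apache-tomcat/bundle.pfx" clientAuth="false"/>')
LEFTOVER_HTTP = '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>'
SERVER_XML_BAD = f'<Server><Service name="Catalina">{TLS_CONNECTOR}{LEFTOVER_HTTP}</Service></Server>'
SERVER_XML_OK = f'<Server><Service name="Catalina">{TLS_CONNECTOR}</Service></Server>'
WEB_XML = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>'
           '<web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>'
           '<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>'
           '</user-data-constraint></security-constraint></web-app>')
```

Point `audit_server_xml` at the real `conf/server.xml` contents after each change; a leftover 8080 connector or a connector missing `secure="true"` shows up as a finding.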

3 comments

  1. I was asked to enable HTTPS for ORDS, so I followed your instruction to go to the Apex app, go to Manage Instance > Security, Enable HTTPS
    Require HTTPS: Always
    Require Outbound HTTPS : No
    Then I applied the changes. The Apex app site is not reachable. I didn’t do anything else yet.
    Now I want to disable HTTPS so I can open the Apex app, but it is not reachable now. How can I change the setting back to the original so I can open Apex?

    Thanks a lot,
    Tina

  2. Hi, could you please help with instructions to do the same but for Windows Server OS instead of Linux?

    Thank you,
    Gabriel


Article by: Shadab Mohammad