Enable SSL Certificates for Oracle Apex 18.1 with Oracle Rest Data Services (ORDS) 18.1 hosted on Apache Tomcat 9

If you have a public-facing APEX instance, securing it with TLS is mandatory: TLS 1.2 (or 1.3 where the JVM supports it), with SSLv3 and the older TLS versions disabled. For a public-facing web server, always use a certificate from a public certificate authority, or at least one from Let's Encrypt. Self-signed certificates must never be put on a publicly exposed service. Ideally, put a reverse proxy (httpd or NGINX) in front to terminate TLS, with Tomcat and ORDS behind it; ORDS, not Tomcat, holds the connection to the database.

The first step is to make APEX itself require HTTPS; that setting lives in the instance administration, which is served through ORDS.

——————- STEP A : Enable HTTPS for ORDS ————

Log in to APEX through ORDS at http://localhost:8080/ords

Log in to the INTERNAL workspace (instance administration)

Go to Manage Instance > Security

Enable HTTPS

Require HTTPS: Always
Require Outbound HTTPS: No

Require HTTPS: Always makes APEX refuse plain-HTTP requests, the administration pages included, so on an instance that does not yet serve HTTPS do Step B first (or be prepared to reset the REQUIRE_HTTPS instance parameter from SQL as the APEX schema owner). Require Outbound HTTPS only governs the web service calls APEX itself makes; leave it at No unless every endpoint those calls reach is already HTTPS.

Click Apply Changes. Now go to Step B to enable HTTPS for Apache Tomcat.

——————- STEP B :  Self-Signed Certificates for Tomcat which is only used on the local network  ————

Enable HTTPS for Apache Tomcat on localhost with a self-signed certificate. This is only for a web server that does not face the internet: browsers will warn about the certificate, and nobody outside your network can verify it.

1. As the Apache Tomcat user, generate a keystore with the Java keytool

su - tomcat

cd $HOME

pwd

— Check java version —

$ which java

$ java -version

$ keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore $HOME/.keystore

keytool prompts for a keystore password and for the certificate fields; answer the "first and last name" question with the host name clients will use (localhost here), because that becomes the certificate's CN. Without -validity the self-signed certificate expires after keytool's default of 90 days. (-genkeypair is the current name of -genkey; both are accepted.)

Add the following Connector to server.xml, inside the <Service> element. sslEnabledProtocols pins the listener to TLS 1.2, matching the requirement stated at the top, instead of Tomcat's default of every protocol the JVM still offers:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="/home/tomcat/.keystore" keystorePass="yourpassword"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />

Remove (or comment out) the port 8080 HTTP connector from server.xml so that nothing is served in clear; if you keep it so that the security-constraint below can redirect plain-HTTP requests, its redirectPort must be 8443.
Ensure the 'keystoreFile' parameter reflects where you created the Java keystore, and that the file is readable by the tomcat user only, since keystorePass sits in server.xml in clear text.

— Restart tomcat —

Access https://localhost:8443/ (expect a browser warning, since the certificate is self-signed)
http://localhost:8080/ only keeps answering if you left the HTTP connector in place

Configuring your app to work with SSL (Optional)
Add the following to web.xml before the closing </web-app> tag:

<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

This configuration sets the transport requirement for all of an application's pages in one place. CONFIDENTIAL makes Tomcat redirect any plain-HTTP request to the redirectPort of the connector it arrived on, so that connector's redirectPort must point at your HTTPS port. To drop the requirement for all pages, change "CONFIDENTIAL" to "NONE".

——————- STEP C : Let's Encrypt SSL Certificates ————

Install certbot (the Let's Encrypt client) from the EPEL repository

# yum install certbot -y

Create a certificate. The http-01 challenge means Let's Encrypt fetches http://<your domain>/.well-known/acme-challenge/<token> on port 80, so that URL must reach, from the internet, the web server whose document root you name with -w.

1. If using httpd (not needed for the APEX/ORDS setup, go to step 2)
# certbot certonly --webroot -w /home/whadev/public_html -d whadev.whitehat-staging.com.au

2. If using Tomcat
# certbot certonly --webroot -w /home/oracle/apache-tomcat/webapps/ROOT -d whadev.whitehat-staging.com.au

-w the document root the challenge file is written under. Tomcat serves the default context from the ROOT directory inside webapps in your CATALINA_HOME, not from webapps itself; and because the Tomcat in this guide listens on 8080, port 80 has to be forwarded to it (or to a reverse proxy in front of it) for the challenge to succeed
-d your domain

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for whadev.whitehat-staging.com.au
Using the webroot path /home/whadev/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/whadev.whitehat-staging.com.au/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/whadev.whitehat-staging.com.au/privkey.pem
Your cert will expire on 2018-10-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

# cd /etc/letsencrypt/live/whadev.whitehat-staging.com.au

Generate a PFX (PKCS12) file from the certificate, key and chain certbot issued. Write it straight to the location Tomcat will read from, because /etc/letsencrypt/live is readable by root only, and make it readable by the tomcat user alone. Leaving out -password makes openssl prompt for it instead of recording it in your shell history:

# openssl pkcs12 -export -out /home/oracle/apache-tomcat/bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:yourpassword
# chown tomcat /home/oracle/apache-tomcat/bundle.pfx && chmod 600 /home/oracle/apache-tomcat/bundle.pfx

Let's Encrypt certificates are valid for 90 days. certbot renew refreshes the PEM files but not this bundle, so the two commands above must be run again after every renewal (certbot's --deploy-hook runs a command for each certificate it renews) and Tomcat restarted. Tomcat 9 can also load the PEM files directly (certificateFile, certificateKeyFile and certificateChainFile on a <Certificate> inside <SSLHostConfig>), which removes the conversion step altogether.

Add the Connector below to server.xml and remove the Connector defined in Step B

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreType="PKCS12" keystoreFile="/home/oracle/apache-tomcat/bundle.pfx" keystorePass="yourpassword"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>

Restart Tomcat. Port 443 is privileged, so a Tomcat running as an unprivileged user cannot bind it as-is: either keep port 8443 here and redirect 443 to it at the firewall (an iptables REDIRECT rule), grant the java binary CAP_NET_BIND_SERVICE, or, as recommended at the top, let a reverse proxy own 443 and forward to 8443. Then check the result from outside your network: the browser should show the Let's Encrypt chain with no warning, and the plain-HTTP URL should either redirect or no longer answer.
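The two Connector blocks on this page are easy to get subtly wrong (a plaintext listener left in, no protocol pin, a .pfx declared as JKS, a port the tomcat user cannot bind). The script below is an added example of my own, not code from the original post or from the Tomcat project: it parses a server.xml and reports those mistakes for every Connector. It assumes Tomcat 9 attribute names (both the Connector-level style used above and the SSLHostConfig style); the two sample documents inside it are constructed for the example, the "weak" one being Step B's connector next to Tomcat's stock 8080 connector.

```python
"""Audit the TLS-relevant settings of a Tomcat 9 server.xml.

Added example, not part of the original post. Assumes Tomcat 9 attribute
names; the sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Protocols an internet-facing listener should never negotiate.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: Step B's 8443 connector left next to the stock 8080 one.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol" sslProtocol="TLS"
               clientAuth="false" keystoreFile="/home/tomcat/.keystore" keystorePass="yourpassword"/>
  </Service>
</Server>"""

# Constructed sample: one HTTPS listener, TLS 1.2 only, PKCS12 declared as such,
# in the SSLHostConfig form that Tomcat 9 documents.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" maxThreads="200">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="/home/oracle/apache-tomcat/bundle.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="yourpassword" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


def enabled_protocols(connector):
    """Protocols a connector will negotiate, or None when it relies on Tomcat's default.

    The list lives in sslEnabledProtocols on the Connector (older style) or in
    protocols on a nested SSLHostConfig. Both are comma-separated; a token may be
    prefixed with '+' (add) or '-' (remove). "all" is the default and is not a pin.
    """
    raw = connector.get("sslEnabledProtocols")
    host_cfg = connector.find("SSLHostConfig")
    if raw is None and host_cfg is not None:
        raw = host_cfg.get("protocols")
    if raw is None or raw.strip().lower() == "all":
        return None
    protos = set()
    for token in raw.split(","):
        token = token.strip()
        if token and not token.startswith("-"):
            protos.add(token.lstrip("+"))
    return protos


def keystore_settings(connector):
    """(keystore file, keystore type, password present?) from either attribute style."""
    cert = connector.find("SSLHostConfig/Certificate")
    if cert is not None:
        return (cert.get("certificateKeystoreFile", ""),
                cert.get("certificateKeystoreType", "JKS"),
                cert.get("certificateKeystorePassword") is not None)
    return (connector.get("keystoreFile", ""),
            connector.get("keystoreType", "JKS"),
            connector.get("keystorePass") is not None)


def audit_server_xml(xml_text):
    """Return a list of (level, code, message) findings; no WARN entries means clean."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(("WARN", "PLAINTEXT_LISTENER",
                             f"port {port}: non-TLS connector still enabled; remove it, "
                             f"or keep it only to redirect to the HTTPS port"))
            continue
        protos = enabled_protocols(conn)
        if protos is None:
            findings.append(("WARN", "NO_PROTOCOL_PIN",
                             f"port {port}: no sslEnabledProtocols/protocols set, so TLSv1 "
                             f"and TLSv1.1 are offered unless the JVM disables them"))
        elif protos & LEGACY_PROTOCOLS:
            findings.append(("WARN", "LEGACY_TLS",
                             f"port {port}: negotiates {sorted(protos & LEGACY_PROTOCOLS)}"))
        ks_file, ks_type, has_pass = keystore_settings(conn)
        if ks_file.lower().endswith((".pfx", ".p12")) and ks_type.upper() != "PKCS12":
            findings.append(("WARN", "KEYSTORE_TYPE_MISMATCH",
                             f"port {port}: {ks_file} is PKCS12 but keystoreType is {ks_type}"))
        if has_pass:
            findings.append(("INFO", "INLINE_KEYSTORE_PASSWORD",
                             f"port {port}: keystore password is in server.xml; keep the "
                             f"file readable by the tomcat user only"))
        if port.isdigit() and int(port) < 1024:
            findings.append(("INFO", "PRIVILEGED_PORT",
                             f"port {port}: an unprivileged tomcat user cannot bind it "
                             f"without CAP_NET_BIND_SERVICE, authbind or a reverse proxy"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"== {name} ==")
        for level, code, msg in audit_server_xml(doc):
            print(f"{level:4} {code:25} {msg}")
```

Run it against your own file with `audit_server_xml(open("conf/server.xml").read())`. The weak sample produces PLAINTEXT_LISTENER for 8080 and NO_PROTOCOL_PIN for 8443; the hardened sample only reports the inline keystore password, which Tomcat needs in some form anyway, so the fix there is file permissions rather than the configuration.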
