007-012181-001 - OracleHTTPServer - SafeNetLunaHSM - Integration Guide - RevD PDF

Oracle HTTP Server
Integration Guide
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or
its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under
any intellectual and/or industrial property rights of or concerning any of Gemaltos information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in
all copies.
This document shall not be posted on any network computer or broadcast in any media and no modification
of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided AS IS without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In
no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential
damages or any damages whatsoever including but not limited to damages resulting from loss of use, data,
profits, revenues, or customers, arising out of or in connection with the use or performance of information
contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to
the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall
Gemalto be held liable for any third party actions and in particular in case of any successful attack against
systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security
for direct, indirect, incidental or consequential damages that result from any use of its products. It is further
stressed that independent testing and verification by the person using the product is particularly encouraged,
especially in any application in which defective, incorrect or insecure functioning could result in damage to
persons or property, denial of service or loss of privacy.
2016 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service
marks, whether registered or not in specific countries, are the property of their respective owners.
Document Part Number: 007-012181-001, Rev. D

Release Date: March 2016
Oracle HTTP Server 2

Document PN: 007-012181-001, Rev. D, Copyright 2016 Gemalto, Inc., All rights reserved.
Contents
Contents
Preface .................................................................................................................................. 4
Scope .............................................................................................................................................................. 4
Document Conventions .................................................................................................................................. 4
Command Syntax and Typeface Conventions ......................................................................................... 5
Support Contacts ...................................................................................................................................... 6
1 Introduction ...................................................................................................................... 7
Overview ......................................................................................................................................................... 7
Understanding the Oracle HTTP Server ......................................................................................................... 7
3rd Party Application Details ............................................................................................................................ 7
Supported Platforms ....................................................................................................................................... 7
Prerequisites ................................................................................................................................................... 8
SafeNet Network HSM Setup ................................................................................................................... 8
Oracle HTTP Server Setup ...................................................................................................................... 9
2 Integrating Oracle HTTP Server with SafeNet Luna HSM .............................................. 10

Configuring SafeNet Luna HSM with Oracle HTTP Server .......................................................................... 10
Configuring the Oracle HTTP Server ..................................................................................................... 10
3 Troubleshooting ............................................................................................................. 14
Troubleshooting ............................................................................................................................................ 14
Problem .................................................................................................................................................. 14
Solution................................................................................................................................................... 14

Preface
Preface
This document is intended to guide administrators through the steps for Oracle HTTP Server and SafeNet Luna
HSM integration, and also covers the necessary information to install, configure and integrate Oracle HTTP
Server with SafeNet Luna HSM.
Scope
This technical information guide provides instructions for setting up a small test lab with Oracle HTTP Server
running with SafeNet Luna HSM for securing the SSL certificate private keys. It explains how to install and
configure software that is required for setting up an Oracle HTTP Server while storing certificate private key on
SafeNet Luna HSM.
Document Conventions
This section provides information on the conventions used in this template.
Notes
Notes are used to alert you to important or helpful information. These elements use the following format:
NOTE: Take note. Contains important or helpful information.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss.
These elements use the following format:
CAUTION: Exercise caution. Caution alerts contain important information that may
help prevent unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. These elements use
the following format:
WARNING: Be extremely careful and obey all safety and security measures. In
this situation you might do something that could result in catastrophic data loss or
personal injury.

Preface
Command Syntax and Typeface Conventions

Convention Description
bold The bold attribute is used to indicate the following:

Command-line commands and options (Type dir /p.)
Button names (Click Save As.)
Check box and radio button names (Select the Print Duplex check box.)
Window titles (On the Protect Document window, click Yes.)
Field names (User Name: Enter the name of the user.)
Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
User input (In the Date box, type April 1.)
italic The italic attribute is used for emphasis or to indicate a related document. (See the
Installation Guide for more information.)
Consolas Denotes syntax, prompts, and code examples.

Preface
Support Contacts
If you encounter a problem while installing, registering or operating this product, please make sure that you have
read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult this
support plan for further information about your entitlements, including the hours when telephone support is
available to you.
Contact Method Contact Information
Address Gemalto, Inc.

4690 Millennium Drive
Belcamp, Maryland 21017, USA
Phone US 1-800-545-6608
International 1-410-931-7520
Technical Support https://serviceportal.safenet-inc.com

Customer Portal Existing customers with a Technical Support Customer Portal account can log in to
manage incidents, get the latest software upgrades, and access the Gemalto Knowledge
Base.

1 Introduction
1
Introduction
Overview
SafeNet Luna HSM integrates with the Oracle HTTP Server to provide significant performance improvements by
off-loading cryptographic operations from the Server to the SafeNet Luna HSMs. In addition, SafeNet Luna HSM
provides extra security by protecting and managing the servers high value SSL private key within a FIPS 140-2
certified hardware security module.
Understanding the Oracle HTTP Server

Oracle HTTP Server is the Web server component for Oracle Fusion Middleware. It provides a HTTP listener for
Oracle Web Logic Server and the framework for hosting static pages, dynamic pages, and applications over the
Web. Key aspects of Oracle HTTP Server are its technology, its serving of both static and dynamic content and
its integration with both Oracle and non-Oracle products.
Technology: Oracle HTTP Server is based on the proven, open source technology of Apache. Oracle HTTP
Server 11g is based on Apache 2.2 infrastructure, and includes all base Apache modules and modules
developed specifically by Oracle.
3rd Party Application Details

Oracle HTTP Server
You can download the Oracle HTTP Server from the Oracle Support site:
http://www.oracle.com/technetwork/middleware/webtier/downloads/index2-303202.html
Supported Platforms
Oracle HTTP Server Platforms Tested SafeNet Network HSM Luna Client Software
Software version / f/w version
version
11gR1 v11.1.1.7.0 RHEL 6.5 6.2.0 f/w 6.24.0 6.x

(v6.2)

1 Introduction
Oracle HTTP Server Platforms Tested SafeNet Network HSM Luna Client Software
Software version / f/w version
version
11gR1 v11.1.1.7.0 RHEL 6.5 6.1.0 f/w 6.10.9 6.x

(v6.1.0)
11gR1 v11.1.1.6.0 Solaris 10 x86 (64 bit) 5.2.1 f/w 6.10.1 5.x
(v5.2.1)
11gR1 v11.1.1.6.0 Solaris 10 SPARC (64 bit) 5.2.1 f/w 6.10.1 5.x
(v5.2.1)
11gR1 v11.1.1.6.0 Oracle Linux 5.8 (64 bit) 5.1 f/w 6.2.1 5.x
(v5.1)
11gR1 v11.1.1.6.0 RHEL 5.8 (64 bit) 5.1 f/w 6.2.1 5.x
(v5.1)
11gR1 v11.1.1.6.0 Solaris 10 SPARC (64 bit) 4.4.3 f/w 4.8.1 4.x
(v4.4.1)
11gR1 v11.1.1.6.0 Solaris 10 x86 (64 bit) 4.4.3 f/w 4.8.1 4.x
(v4.4.1)
Prerequisites
SafeNet Network HSM Setup
Please refer to the SafeNet Network HSM documentation for installation steps and details regarding configuring
and setting up the box on Windows/linux systems. Before you get started ensure the following:
SafeNet Network HSM appliance and a secure admin password.
SafeNet Network HSM, and a hostname, suitable for your network.
SafeNet Network HSM, network parameters are set to work with your network.
Initialize the HSM on the SafeNet Network HSM appliance.
Create and exchange certificates between the SafeNet Network HSM and Client system.

1 Introduction
Create a partition on the HSM, remember the partition password that will be later used by Oracle HTTP
Server. Register the Client with the partition. And run the "vtl verify" command on the client system to
display a partition from SafeNet Network HSM.
Enable Partition "Activation" and "Auto Activation" (Partition policy settings 22 and 23 are applicable to
SafeNet Network HSM with Trusted Path Authentication, which is FIPS 140-2 level 3).
Oracle HTTP Server Setup

It is recommended that you should have knowledge of the Oracle HTTP Server. Refer to the Oracle
documentation for more information on installation requirement and installation process.
http://docs.oracle.com/cd/E15523_01/install.1111/e14317/qinwt.htm
http://docs.oracle.com/cd/E15586_01/web.1111/e10144/intro_ohs.htm
NOTE: It is recommended to create the oracle user and oinstall group and provide
the ownership of the Oracle Home, where you want to install the Oracle HTTP
Server.

2 Integrating Oracle HTTP Server with SafeNet Luna HSM
2
Integrating Oracle HTTP Server with
SafeNet Luna HSM
Configuring SafeNet Luna HSM with Oracle HTTP Server

To set up SafeNet Network HSM for Oracle HTTP Server, perform the following steps:
Configuring the Oracle HTTP Server

On the Solaris/Linux machine, add the path (LD_LIBRARY_PATH) of the SafeNet Network HSM and HTTP
Server library:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Path to SafeNet Network HSM installation
directory>/lib:<Path to Oracle HTTP Server installation directory>/lib
For example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/safenet/lunaclient/lib:/u01/app/oracle/Oracle_WT1/lib
Configuring the Oracle HTTP Server for SafeNet Network HSM

The following steps are required to configure Oracle HTTP Server for SafeNet Network HSM:
Create Wallet and Generate Certificate Request
Importing the CA signed Certificate using Oracle Wallet Manager
Enabling SSL in Oracle HTTP Server configuration files
Create Wallet and Generate Certificate Request

To create a wallet to store credentials on a SafeNet Network HSM that complies with PKCS #11, perform the
following tasks:
1. Open Oracle Wallet Manager.
#<Path to Oracle HTTP Server installation directory>/bin/owm
The Oracle Wallet Manager window pop ups.
2. Choose Wallet > New; the New Wallet dialog box displays.
3. Follow the guidelines for creating wallet passwords and enter a password in the Wallet Password field.
4. Re-enter the password in the Confirm Password field.

5. Choose PKCS11 from the Wallet Type list, and click OK to continue. The New PKCS11 Wallet window
displays.
6. Choose a vendor name from the Select Hardware Vendor list. Select Other.
7. In the PKCS11 library filename field, enter the path to the directory in which the PKCS11 library is stored.
Alternatively, click Browse to find it by searching the file system. The path will be:
/usr/safenet/lunaclient/lib/libCryptoki2_64.so or /usr/ safenet/lunaclient/lib/libcklog2.so if
cklog in been setup.
8. Enter the Smart Card password, and click OK. The password would be the registered SafeNet Network
HSM partition password.
9. An alert is displayed, and informs you that a new empty wallet has been created. It prompts you to decide
whether you want to add a certificate request.
10. Click Yes. The Create Certificate Request window displays.
11. Enter the details such as, Common Name, Organizational Unit, Country, etc.
12. Select Key Size and click OK.
13. An alert is displayed, and informs you that a certificate request has been created. It prompts you to submit
the certificate request to CA.
14. Click OK and select Wallet > Certificate: [Requested].
15. Copy the Certificate Request from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW
CERTIFICATE REQUEST----- . Submit the certificate request and obtain signed certificate from the
Certificate Authority such as, VeriSign, GlobalSign, etc.
Importing the CA signed Certificate using Oracle Wallet Manager

1. Open Oracle Wallet Manager
Oracle wallet manager window will pop ups.
2. Choose Operations > Import User Certificate..., the Import Certificate dialog box displays.
3. Select Paste the Certificate option and click OK, you can select either option as per convenience.
4. Copy the signed certificate received from Certificate Authority from -----BEGIN CERTIFICATE----- to -----
END CERTIFICATE-----.
5. Paste the Base64 format certificate and click OK.
6. Your certificate will successfully import, if your certificate is signed by trusted Certificate Authority, else you
will get an alert that certificate import has failed because the CA certificate does not exist. Do you want to
import the CA certificate now?
7. Click Yes and repeat the steps 3-5 to import user certificate successfully.
8. A message Your certificate has been successfully imported. displays at the bottom left corner.
9. Choose Wallet > Certificate: [Ready] to verify certificate details.
10. Click the Save button, the Select Directory dialog box displays.
11. Choose the directory path to save the wallet, for example: <oracle home directory>/owm/wallet/oracle.
12. Click OK and you will get the message Wallet saved successfully in: <oracle home
directory>/owm/wallets/oracle at bottom left corner.
13. Select Wallet > Auto Login. Ensure the Auto Login check box is selected.

14. Click Save and Exit.
Enabling SSL in Oracle HTTP Server configuration files

1. Open the ssl.conf in the text editor from the following location:
#<Path to Oracle HTTP Server installation directory>/instances/<instance-name>/config/OHS/<ohs-
name>/ssl.conf.
For Example: /u01/app/oracle/Oracle_WT1/instances/instance1/config/OHS/ohs1/ssl.conf.
2. Change the SSLWallet location, where you have saved your wallet.
For example: SSLWallet /u01/app/oracle/owm/wallets/oracle.
3. Save and Close the ssl.conf file.
4. Edit the opmn.xml file to enable the SSL at the following location.
#<Path to Oracle HTTP Server installation directory>/instances/<instance-
name>/Config/OPMN/opmn/opmn.xml.
For Example: /u01/app/oracle/Oracle_WT1/instances/instance1/config/OPMN/opmn/opmn.xml.
5. In the <ias-component id="<ohs-name>"> entry, change the start mode from "ssl-disabled" to "ssl-
enabled". After modification is made, the entry should look like the following:
<data id="start-mode" value="ssl-enabled"/>
In RHEL and Oracle Linux default start mode is already set to ssl-enabled, however still verify it and modify
if needed.
6. Save and Close the opmn.xml file.
7. Reload the OPMN using the following command:
#<Path to Oracle HTTP Server installation directory>/instances/<instance-name>/bin/opmnctl
verbose reload
For Example: /u01/app/oracle/Oracle_WT1/instances/instance1/bin/opmnctl verbose reload
For RHEL and Oracle Linux command would be:
reload
8. Stop the OPMN managed process using the following command:
verbose stopproc ias-component=<ohs-name>
For Example: /u01/app/oracle/Oracle_WT1/instances/instance1/bin/opmnctl verbose stopproc ias-
component=ohs1
stopproc ias-component=<ohs-name>
9. Start the OPMN managed process using the following command:
verbose startproc ias-component=<ohs-name>
For Example: /u01/app/oracle/Oracle_WT1/instances/instance1/bin/opmnctl verbose startproc ias-
component=ohs1


startproc ias-component=<ohs-name>
Verification of accessibility of web server HTTPS port

1. Open the Firefox or any web browser.
2. In the address bar, type https://<fully qualified domain name or IP>:4443, for example:
https://localhost:4443
3. On the certificate navigation page, accept the security exception. The Oracle HTTP Server page displays.
4. View the certificate details. Verify and match the certificate that you have created using Oracle Wallet
Manager.
You have successfully created the SSL connection using the certificate whose private key is stored on the
SafeNet Network HSM.

3 Troubleshooting
3
Troubleshooting
Troubleshooting
Problem
Error message wrong ELF class: ELFCLASS64 (Possible cause: architecture word width mismatch) on Solaris
x86 (64bit) while creating the certificate request.
Solution
a) Ensure that 64-bit JVM is running on the machine on which you are using 64 bit client because 32 bit
JVM would not able to use the 64 bit library. If you are providing the JAVA_HOME other than installed
by Oracle HTTP Server.
b) Oracle HTTP Server installs own JDK, ensure that it is in mixed mode (supported both 32 and 64 bit)
and then edit the Oracle Wallet Manager script at the bin folder:
Add the following under the PLATFORM to run the java with d64 option in 64-bit mode:
case $PLATFORM in "SunOS")
PLATFORM_ARCH=`isainfo -b`
case $PLATFORM_ARCH in "64")
JAVAMODE=-d64
JRE_CLASSPATH=$JAVA_HOME/lib/amd64:$JAVA_HOME/lib/amd64/rt.jar:$JAVA_HOME/lib/amd64/i18n.jar
esac
esac


007-012181-001 - OracleHTTPServer - SafeNetLunaHSM - Integration Guide - RevD PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

007-012181-001 - OracleHTTPServer - SafeNetLunaHSM - Integration Guide - RevD PDF

Uploaded by

Copyright:

Available Formats

Oracle HTTP Server

Document Part Number: 007-012181-001, Rev. D

Oracle HTTP Server 2

2 Integrating Oracle HTTP Server with SafeNet Luna HSM .............................................. 10

Oracle HTTP Server 3

NOTE: Take note. Contains important or helpful information.

Oracle HTTP Server 4

Command Syntax and Typeface Conventions

bold The bold attribute is used to indicate the following:

Consolas Denotes syntax, prompts, and code examples.

Oracle HTTP Server 5

Contact Method Contact Information

Address Gemalto, Inc.

Technical Support https://serviceportal.safenet-inc.com

Oracle HTTP Server 6

Understanding the Oracle HTTP Server

3rd Party Application Details

11gR1 v11.1.1.7.0 RHEL 6.5 6.2.0 f/w 6.24.0 6.x

Oracle HTTP Server 7

11gR1 v11.1.1.7.0 RHEL 6.5 6.1.0 f/w 6.10.9 6.x

Oracle HTTP Server 8

Oracle HTTP Server Setup

Oracle HTTP Server 9

Configuring SafeNet Luna HSM with Oracle HTTP Server

Configuring the Oracle HTTP Server

Configuring the Oracle HTTP Server for SafeNet Network HSM

Create Wallet and Generate Certificate Request

Oracle HTTP Server 10

Importing the CA signed Certificate using Oracle Wallet Manager

Oracle HTTP Server 11

14. Click Save and Exit.

Enabling SSL in Oracle HTTP Server configuration files

Oracle HTTP Server 12

#<Path to Oracle HTTP Server installation directory>/instances/<instance-name>/bin/opmnctl

Verification of accessibility of web server HTTPS port

Oracle HTTP Server 13

Oracle HTTP Server 14

You might also like