Monday, August 05, 2019

Enabling SSL or TLS in Oracle E-Business Suite Release 12.2

Enabling TLS in Oracle Apps R12.2

Here  we would be looking at the detailed steps for Enabling TLS in Oracle Apps R12.2

Introduction:

The data between web browser and web server travels unencrypted in R12 application So the password and other information can be tracked by sniffer. We are avoiding this by implementing SSL in R12.

With SSL implementation, the data travels in the encrypted forms and Only web browser and web server can decrypt it.

The implementation requires the SSL certificate and configuration in the R12 environment   as per the configuration

What is SSL?

SSL and TLS are the cryptographic protocol that ensures privacy between communicating applications and their users on the Internet

What is Transport Layer Security (TLS)

Transport Layer Security, or TLS, is the successor of SSL. TLS, like SSL, is a protocol that encrypts traffic between a client and a server. TLS creates an encrypted connection between two machines allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery.

How SSL works

The client sends a request to the server using HTTPS connection mode.
The server presents its digital certificate to the client. This certificate contains the server’s identifying information like server name, Organization and server public key and digital signature of the CA private key
The client (web browser) has the public keys of the all the CA. It decrypts the digital certificate private key This verification proves that the sender had access to the private key, and therefore is likely to be the person associated with the public key. If the verification goes good, the server is authenticated as a trusted server.
The client sends the server a list of the encryption levels, or ciphers, that it can use.
The server receives the list and selects the strongest level of encryption that they have in common.
The client encrypts a random number with the server’s public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then using the random number to generate a unique session key for subsequent encryption and decryption of data during the session
The ssl Implementation will depend on the topology of the R12 implementation. I am here highlighting all the major one.

Actual Implementation starts from here..


Follow Note: Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)
                       Enabling SSL or TLS in Oracle E-Business Suite Release 12.2 (Doc ID 2143101.1)

Apply Required Updates and Patches

Step 1 - Upgrade to Java Development Kit (JDK) 7 or to a minimum of Java Development Kit (JDK) 6 update 121 which was released in July 2016.

[oracle@oraebs ~]$  $ADJVAPRG -version
java version "1.7.0_25"

Step 2 - Upgrade Oracle Fusion Middleware.The use of TLS 1.2 requires Oracle Fusion Middleware 11.1.1.9. Refer to My Oracle Support Knowledge Document 1590356.1, Upgrading Oracle Fusion Middleware WebTier of Oracle E-Business Suite Release 12.2 to the latest 11gR1 (11.1.1.x) PatchSet.

Answer: We are on 11.1.1.7.0 for both WebTier home and Common Home, We need to upgrade to 11.1.1.9

$ export ORACLE_HOME=$FMW_HOME/webtier 
$ $ORACLE_HOME/OPatch/opatch lsinventory -detail -invPtrLoc $ORACLE_HOME/oraInst.loc

Application Server 11g Cloning Component                             11.1.1.7.0
Application Server 11g OHS T2P Component                             11.1.1.7.0
Enterprise Manager Application Server Plugin -- Common Support       11.1.1.7.0
Oracle Application Server Configuration                              11.1.1.7.0
Oracle Application Server Non J2EE Management Files                  11.1.1.7.0

[oracle@oraebs ~]$ export ORACLE_HOME=$FMW_HOME/oracle_common
[oracle@oraebs ~]$ $ORACLE_HOME/OPatch/opatch lsinventory -detail -invPtrLoc $ORACLE_HOME/oraInst.loc | grep -i "Application Server"
Application Server 11g Common Cloning Component                      11.1.1.7.0
Enterprise Manager Application Server Integrator Plugin -- Agent Support11.1.1.7.0
Enterprise Manager Application Server Integrator Plugin -- Management Service Support11.1.1.7.0
Enterprise Manager Application Server Integrator Plugin -- SOA       11.1.1.7.0
Enterprise Manager Application Server Plugin -- AS Management Service Support11.1.1.7.0
Enterprise Manager Application Server Plugin -- Common Management Service Support11.1.1.7.0
Enterprise Manager Application Server Plugin -- Common Support       11.1.1.7.0
Oracle Application Server Kernel Files JRF                           11.1.1.7.0
Oracle Enterprise Manager Application Server WLS Support             11.1.1.7.0
Oracle Enterprise Manager Application Server WLS Support             11.1.1.7.0

Step 3 - Apply AD and TXK patches.

Note :Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2 (Doc ID 1617461.1)

+ Section 2: Apply Required Database Patches and Update Database Initialization Parameters

AD-TXK Delta 10 requires a number of database bug fixes to install and operate correctly.

Before you apply the AD and TXK Delta 10 release update packs (RUPs), you must run the latest version (available via Patch 17537119) of the EBS Technology Codelevel Checker (ETCC). Use the command checkDBpatch.sh (on UNIX) or checkDBpatch.cmd (on Windows).

Running the latest version is required in order to:

Check that all the required database patches have been applied. To learn more about the prerequisite database patches needed for applying the Delta 10 RUPs, refer My Oracle Knowledge Document 1594274.1, Oracle E-Business Suite Release 12.2: Consolidated List of Patches and Technology Bug Fixes.
Ensure all the required ETCC database objects will be found by the Delta 10 RUP installation process. This means that you must still run the latest version of ETCC on your database, even if you already have all the required database patches installed.

+ Section 3: Apply the R12.AD.C.Delta.10 and R12.TXK.C.Delta.10 Release Update Packs

We are on Delta.8 on both AD and TXK, we need to apply below patches to go for Delta 10

Download and unzip the following patches:

Patch 25820806 (R12.AD.C.Delta.10) 
Patch 25828573 (R12.TXK.C.Delta.10)
Patch 26720905:R12.AD.C

column name format a40
select  ABBREVIATION, NAME, codelevel FROM AD_TRACKABLE_ENTITIES where abbreviation in ('txk','ad');SQL> SQL> 

ABBREVIATION        NAME CODELEVEL
------------------------------ ---------------------------------------- ------------------------------
ad        Applications DBA C.8
txk        Oracle Applications Technology Stack C.8

+ Section 4: Apply Additional Critical Patches

4.1 Critical AD Patches

Patch 24591000:R12.AD.C - We need to apply
Patch 26482811:R12.AD.C - We need to apply

4.2 Critical TXK Patches

Patch 26400116:R12.TXK.C - We need to apply
Patch 26720231:R12.TXK.C - We need to apply
Patch 25994411:R12.TXK.C - We need to apply

4.3 Product Interoperability Patches

Patch 24965740:R12.MSC.C : R12.SCP_PF.C.delta.6 or Release 12.2.5 customers 

Step 4- Apply product specific patches.

+ Oracle Workflow - Apply patch 22806350:R12.OWF.C to address an Oracle Workflow Notification Mailer issue. - Need to apply

+ Oracle iProcurement - Apply the patch(es) mentioned in My Oracle Support Knowledge Document 1937220.1, Oracle iProcurement, Exchange and OSN Fail After Supplier Site Migrates From SSLv3 to TLS Protocol (with SSL Handshake SSLIOClosedOverrideGoodbyeKiss), which corresponds to the appropriate application versions.

This is not required (Release 12.2: Patch 19835592:R12.ICX.D "Fix for Bug 19835592" (fix is included in R12.2.5 and later)

+ Oracle iPayment - Apply patch 22522877:R12.IBY.C. - Need to apply

+ Oracle XML Gateway - Apply patch 22326911:R12.ECX.C. Need to apply

+ Section 5: Update Database Tier to Latest Code

Step 5 - Apply FMW patch 23630525 and patch 26045188 version 11.1.1.9.

It is safe to rollback patch 25072950 in the case of a conflict.

After applying patch 23630525, remove the NonJ2EEManagement deployment from the WebLogic console and then proceed with redeployment by following the detail steps below: 

Navigate to the WebLogic Server's Admin Console at http://<s_wls_admin_host>.<s_wls_admin_domain>:<s_wls_admin port>/console and derive context variable values using the patch edition context file:

Navigation: From the Domain Structure panel, choose Deployments.
Locate in the list of deployments NonJ2EEManagement (11.1.1).
Stop the application “NonJ2EEManagement (11.1.1)”.
In the Change Center panel click 'Lock & Edit'.
Click the check box beside the deployed application NonJ2EEManagement (11.1.1).
Delete the NonJ2EEManagement (11.1.1) application.
Click 'Activate Changes'.
Redeploy the $ORACLE_HOME/opmn/applications/NonJ2EEManagement.ear file delivered by this patch:
$ $ORACLE_HOME/opmn/bin/opmnctl redeploy -adminHost <ADMINSERVER_HOST> -adminPort <ADMINSERVER_PORT>

The main steps for setting up SSL on the application tier are outlined below:

3.1 Set Your Environment
3.2 Create a Wallet
3.3 Create a Certificate Request
3.4 Submit the Certificate Request to a Certificate Authority
3.5 Import Server Certificate to the Wallet
3.6 Modify the Oracle HTTP Server Wallet 
3.7 Modify the OPMN Wallet
3.8 Fusion Middleware Control Console
3.9 Update the JDK Cacerts File
3.10 Update the Context File and Config Files 
3.11 Run AutoConfig
3.13 Restart the Application Tier Services
3.14 Synchronization Between Run and Patch File System

3.1 Set Your Environment

1. Log on to the Oracle E-Business Suite Release 12.2 application tier as the OS user who owns the installation files.
2. set your environment first, -- dont use owm from the Oracle 10.1.2 home..We need to use the owm in FMW home
          Set the PATH environment variable to include the Fusion Middleware location. 
         
          For example: 
export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH
3. Set the DISPLAY environment variable. 
For example: 
export DISPLAY=<hostname or ip address>:0.0


3.2 Create a Wallet

1. Navigate to the s_web_ssl_directory>/Apache directory. If it does not exist, create it.
<web_ssl_directory oa_var="s_web_ssl_directory">/oratst/apps/fs_ne/inst/ORATST_Linux36/certs</web_ssl_directory>

2. Move any existing wallet files to a backup directory in case you wish to use them again in the future.

3. Open the Wallet manager as a background process:
owm &

applmgr> export PATH=$FMW_HOME/webtier/bin:$FMW_HOME/oracle_common/bin:$PATH

applmgr> owm & (open the wallet manager in background .. note that you must have X window privileges, I mean with root xclock + ,and you must have necessary rpms installed on your system for example: LibXrender 32 bit :))

4. On the Oracle Wallet Manager menu, navigate to Wallet > New.
Answer No to: “Your default wallet directory doesn't exist. Do you wish to create it now?” 
The new wallet screen will now prompt you to enter a password for your wallet. Be sure to make the password something you will remember. You will need to use the password whenever you open the wallet with Oracle Wallet Manager or perform operations on the wallet using the command line interface. With auto login enabled processes submitted by the OS user who created the wallet, there is no need to supply the password to access the wallet.
Click YES when prompted:
“A new empty wallet has been created. Do you wish to create a certificate request at this time?”







Once we created our wallet, the OWM asks us if we want to create a certificate request.. We answer yes, and fill the form accordingly. ( We use the information that our customer provides, I mean OU, State,Country, Key Size etc..)


3.3 Create a Certificate Request

After clicking "Yes" in 3.2 Create a Wallet, the Create Certificate Request Screen will appear.
Enter the appropriate values


Create new certificate request file by passing appropriate details as input which is used for generating a SSL Certificate.

1. Below are the details required to be passed to generate csr file.

Common Name name of server with domain, e.g. mylinux.domain.com
Organizational Unit: The unit within your organization, e.g. HR
Organization: is the name of your organization, e.g. Home
Locality/City: is your locality or city, e.g. New York
State/Province: is the full name of your State or Province - do not abbreviate,
Country: Select country from drop down list, e.g. USA
Keysize: Encryption level and min is 1024, recommended value – 2048


1. From the menu, click Wallet and then click Save.
2. On the Select Directory screen, change the directory to your fully qualified wallet directory and click OK.
3. From the menu, click Wallet and check the Auto Login box.
4. Exit Oracle Wallet Manager.
The wallet directory will contain the following files:
cwallet.sso
ewallet.p12

After creating our certificate request, we need to export it



While exporting, note the directory name when prompted. This is the default directory of our wallet..



Declare a name for your csr , for example: server.crs and save.. It will create a server.csr file in your wallet directory: For example under : /apps/fs2/EBSapps/10.1.2/owm/wallets/applmgr. It will report the file as saved as below


3.4 Submit the Certificate Request to a Certificate Authority

Submit the generated request file(server.crs) to Certifying authority to request a self-signed certificate.
(send this to our customer, as they should submit this Certificate Authority to request a Server Certificate.)

3.5 Import Server Certificate to the Wallet

After you receive your server certificate from your certificate authority, you will need to import it into your wallet. Copy the certificate to a file server.crt (example filename) in the wallet directory on your server by one of the following methods:

Use ftp (in binary mode) to copy the certificate
Copy and paste the certificate contents into server.crt (example filename)

Steps to import server.crt into your wallet:
Note: If all trusted certificates that make up the chain of server certificate are not present in the wallet, adding the certificate will fail. When the wallet was created only the certificates for the most common CAs were included automatically. Contact your certificate authority if you need to add their certificate, and save the provided file (for example, as ca.crt) in the wallet directory. If your certificate authority provided an intermediate certificate (to complete the chain) then save the provided file (for example, as intca.crt), this will need to be imported into Oracle Wallet Manager prior to importing the server certificate (server.crt if you used the example name)


1. Open the Oracle Wallet Manager as a background process:
owm &
For Windows: 
The Oracle Wallet Manager can be launched from the run file system as follows:
Start > Run > Input <FMW_Home>\webtier\bin\launch.exe "<FMW_Home>\webtier\bin" owm.cl and click OK.
2. From the menu, click Wallet > Open.
3. Answer Yes when prompted:
Your default wallet directory does not exist.
Do you want to continue?
4. On the Select Directory screen, change the directory to your fully qualified wallet directory <s_web_ssl_directory>/Apache and click OK.
5. Enter your wallet password and click OK.
6. On the Oracle Wallet Manager menu, navigate to Operations - Import Trusted Certificate
These are comprised of the root CA and intermediate certificates.
7. Click OK.
8. Select the ca.crt (root certificate provided by your certificate authority).
9. Do the same with the intca.crt (intermediate certificate provide by your certificate authority).
10. On the Oracle Wallet Manager menu, navigate to Operations - Import User Certificate.
Server certificates are a type of user certificate. Since the certificate authority issued a certificate for the server, placing its distinguished name (DN) in the Subject field, the server is the certificate owner, and thus the "user" for this user certificate.
11. Click OK.
12. Double-click server.crt to import it. 
13. Save the wallet:
1. On the Oracle Wallet Manager menu, click Wallet.
2. Verify the Auto Login box is checked.
3. Click Save.

If you need to import the CA certificate, you'll also need to add the contents of root certificate (ca.crt) file to the b64InternetCertificate.txt file located in the 10.1.2 ORACLE_HOME/sysman/configdirectory.
$ cat ca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt
If you were also provided an intermediate certificate (intca.crt), then you will also need to add that to the b64InternetCertificate.txt:
$ cat intca.crt >> <10.1.2 ORACLE_HOME>/sysman/config/b64InternetCertificate.txt

3.6 Modify the Oracle HTTP Server Wallet

The default location for the Oracle HTTP Server configuration is in a location specific to the Oracle Fusion Middleware web tier. The <s_web_ssl_directory>/Apache is still used by some Oracle E-Business Suite Release 12.2 components, but is not used by the Oracle HTTP Server. Use the following instructions to copy the <s_web_ssl_directory>/Apache wallet to <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default directory location:

1. Navigate to the <s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default directory location. Refer to the Application context file for the exact location of the ohs_instance_loc variable (details the ohs instance location) and the ohs_component variables (name of a specific ohs component for example OHS).
2. Move the existing wallet files to a backup directory in case you wish to use them again in the future.
3. Copy the cwallet.sso from <s_web_ssl_directory>/Apache into the current directory.

3.7 Modify the OPMN wallet

The default location for the OPMN wallet is in the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory. Refer to the Application Context file for the exact location of the <ohs_instance_loc> variable (gives details of the OHS instance location).
Now that the web tier wallet has been created, you will need to use these same certificates for OPMN. Use the following steps to backup and copy the wallets:

1. Navigate to the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory.
2. Move the existing wallet files to a backup directory in case you wish to use them again in the future.
3. Copy the cwallet.sso files from the s<s_ohs_instance_loc>/config/OHS/<s_ohs_component>/keystores/default directory to the current directory.

3.8 Fusion Middleware Control Console

Fusion Middleware Control Console utilizes the functionality of OPMN to manage your Oracle Fusion Middleware Enterprise. Using a Web browser, Fusion Middleware Control Console provides a graphical interface that enables management of all system components in your network and enterprise. Changes made in the previous steps to the OPMN wallet also need to be made to the wallet used by Fusion Middleware Control MBeans, which rely on successful SSL communication to manage the OPMN based components.

Use the following steps to backup and copy the wallets. If the Fusion Middleware Control wallets contain additional certificates that are not stored in the web tier OPMN wallet, you may want to export them and then re-import them after the following steps have been completed:

1. Move the existing wallet files to a backup directory in case you wish to use them again in the future. Refer to the Application context file for the variables for your instance:
o $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/<s_ohs_component>/wallet
o $EBS_DOMAIN_HOME/opmn/<s_ohs_instance>/wallet
o $FMW_HOME/webtier/instances/<s_ohs_instance>/config/OHS/<s_ohs_component>/proxy-wallet
2. Copy the cwallet.sso file from the <s_ohs_instance_loc>/config/OPMN/opmn/wallet directory to all three locations mentioned above.


3.9 Update the JDK Cacerts File

Oracle Fusion Middleware components (including Oracle WebLogic Server, Oracle Web Services) requires the certificate of the certificate authority who issued your root certificate (ca.crt from the previous step) to be present in the JDK cacerts file. In addition, some features of Oracle BI Publisher require the server certificate (server.crt from previous step) to be present.

Note: Whenever you upgrade your JDK version on the server, any additional certificate you added to your cacerts file will be lost. You will need to re-import the root certificate or keep a copy of your original cacerts file which you can copy back in.

Follow the steps below for all application tier nodes:
1. Navigate to the <s_fmw_jdktop>/jre/lib/security directory. Refer to the Application context file for the exact location of the <s_fmw_jdktop> variable.
2. Back up the existing cacerts file.
3. Copy your ca.crt and server.crt files to this directory, and issue the following command to ensure that cacerts has write permissions: 
$ chmod u+w cacerts
4. Add your root ca.crt and Oracle HTTP Server server.crt to cacerts: 
$ keytool -import -alias OHSRootCA -file ca.crt -trustcacerts -v -keystore cacerts
$ keytool -import -alias OHSServer -file server.crt -trustcacerts -v -keystore cacerts
If you were also provided an intermediate certificate (intca.crt) then you will also need to add that to the cacerts before adding the server.crt:
$ keytool -import -alias OHSRootCA -file ca.crt -trustcacerts -v -keystore cacerts
$ keytool -import -alias OHSIntCA -file intca.crt -trustcacerts -v -keystore cacerts
$ keytool -import -alias OHSServer -file server.crt -trustcacerts -v -keystore cacerts
When prompted, enter the keystore password (the default password is "changeit").
When you have completed the modifications to the cacerts, reset the permissions:
$ chmod u-w cacerts


Note: For Oracle E-Business Suite Release 12.2 installations that use 64-bit JDK for Oracle Fusion Middleware, the steps in this section must be repeated for the 32-bit JDK keystore location that is still in use by some products. If the Application context file <s_fmw_java_use_64> variable is set to 'true', then repeat the steps for the 32-bit cacerts in $OA_JRE_TOP/lib/security. Some UNIX platforms such as Oracle Solaris have a single JDK location.

3.10 Update the Context File and Config Files

In Oracle E-Business Suite Release 12.2 some configuration files are no longer maintained by AutoConfig (including httpd.conf and ssl.conf). Oracle Enterprise Manager 11g Fusion Middleware Control should be used to maintain these configuration files as well as making additional changes to context file variables.

Standard SSL Setup
Use Oracle Fusion Middleware Control to make some additional configuration file changes:

1. Login to Oracle Fusion Middleware Control Console (for example, http://<hostname>.<domain>:<AdminServer Port>/em).
2. Select Web Tier Target under EBS Domain.
3. Select Administration > Advanced Configuration.
4. Select ssl.conf file for edit.
5. Update the Listen <port> and the VirtualHost _default_:<port> directives to SSL port, for example Listen 4443.
6. Click Apply.

The following command should be run (on all application tier nodes) to propagate the changes made through the Oracle Fusion Middleware Control Console to the context file variables:

perl $AD_TOP/bin/adSyncContext.pl contextfile=$CONTEXT_FILE
Enter the APPS user password:
Enter the WebLogic AdminServer password:

Review the adSyncContext.log for the changes that have been picked up and made to the context file.
Note: When setting up SSL for the first time, the default protocol will be set to 'http' and only the port related context variables will be updated by running adSyncContext.pl. Additional URL-based context variables <s_login_page> and <s_external_url> will need to be updated using Oracle Applications Manager (OAM). On an instance where the protocol is already set to 'https', then these context variables will be updated as long as the <port> matches the existing value defined for s_active_webport. Otherwise, it is assumed that the login related URLs have been customized and should not be automatically changed.

Use the Oracle E-Business Suite 12.2 - OAM Context Editor to change the SSL related variables shown in this table:


The value of the s_webport is based on the default port prior to any SSL configuration, and remains unchanged when switching to SSL.

3.11 Run AutoConfig

Run AutoConfig using the adautocfg.sh script in the application tier $ADMIN_SCRIPTS_HOME directory.

3.13 Restart the Application Tier Services

Use the adstpall.sh/adstrtal.sh script in the $ADMIN_SCRIPTS_HOME directory to stop and restart all services.

3.14 Synchronization Between Run and Patch File Systems

The following steps must be performed in order to synchronize the SSL setup between the two file systems:
1. Edit $APPL_TOP_NE/ad/custom/adop_sync.drv.
2. Assuming the rsync command is available on UNIX, the following directives must be copied and pasted between the <Begin Customization> and <End Customization> section after the existing <#Copy Ends>:
Example commands:
#SSL SECTION - START
# Required for SSL setup migration from RUN to PATCH file-system.
# Please alter the commands in the event that rsync is not available or the platform does not support the example syntax. 

#10.1.2 b64InternetCertificate.txt
rsync -zr %s_current_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt %s_other_base%/EBSapps/10.1.2/sysman/config/b64InternetCertificate.txt

#Oracle HTTP Server Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/keystores/default/cwallet.sso

#OPMN Wallet - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OPMN/opmn/wallet/cwallet.sso

#Fusion Middleware Control Wallets - cwallet.sso
rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/%s_ohs_component%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso %s_other_base%/FMW_Home/user_projects/domains/EBS_domain_%s_dbSid%/opmn/%s_ohs_instance%/wallet/cwallet.sso

rsync -zr %s_current_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso %s_other_base%/FMW_Home/webtier/instances/%s_ohs_instance%/config/OHS/%s_ohs_component%/proxy-wallet/cwallet.sso
Refer to the Application context file variable <s_fmw_jdktop> to determine the JDK version currently being used, then add either the JDK 6/JRockit or JDK 7 copy directive, detailed below.

JDK 7
Example command for UNIX:
#JDK keystore
rsync -zr --include=jdk* --include=jdk*/jre --include=jdk*/jre/lib --include=jdk*/jre/lib/security --include=cacerts --exclude=* %s_current_base%/EBSapps/comn/util/ %s_other_base%/EBSapps/comn/util/ 
#SSL SECTION - END


SSL Settings for DB Tier:

To enable SSL on the database tier you need to only create a wallet, you do not need a separate server certificate for this wallet. If you were required to import a root certificate (for example, ca.crt) and an intermediate certificate (for example, intca.crt, if it exists) into the application tier wallet, you will need to do it for this wallet also. If communication is required to an external application that is also SSL enabled then you may need to import that applications certificate (to establish the chain of trust).

1. After setting your environment for the database tier, navigate to the $ORACLE_HOME/appsutil directory.
2. Create a new wallet directory named: wallet.
3. Navigate to the newly created wallet directory.
4. Open the Oracle Wallet Manager as a background process:
owm &
5. On the Oracle Wallet Manager menu, navigate to Wallet > New.
Answer NO to: “Your default wallet directory doesn't exist. Do you wish to create it now?” 
The new wallet screen will now prompt you to enter a password for your wallet.
Click NO when prompted:
“A new empty wallet has been created. Do you wish to create a certificate request at this time?”

6. If you need to import ca.crt:
1. On the Oracle Wallet Manager menu, navigate to Operations > Import Trusted Certificate.
2. Click OK.
3. Double click on ca.crt to import it. 

7. Save the wallet:
1. On the Oracle Wallet Manager menu, click Wallet.
2. Verify that the Auto Login box is checked.
3. Click Save.
To test that the wallet is properly set up and accessible, login to:
SQL>select utl_http.request('<url to access>', '<proxy address>', 'file:<full path to wallet directory>', null) from dual;
where:
'<url to access>' = the url for your Oracle E-Business Suite Rapid Install Portal.
'<proxy address>' = the url of your proxy server, or NULL if not using a proxy server.
'file:<full path to wallet directory>' = the location of your wallet directory (do not specify the actual wallet files). Check the profile option value for 'FND: DB Wallet Directory'.
The final parameter is the wallet password, which is set to null by default. If you are in SQL as a user that is not also the owner of the wallet, a password must be supplied.
Examples:
SQL>select utl_http.request('https://www.oracle.com:4443','http://www-proxy:80', 'file:/d01/R122_EBS/11.2.0/appsutil/wallet', null) from dual;
SQL>select utl_http.request('https://www.oracle.com:4443',null, 'file:/d01/R122_EBS/11.2.0/appsutil/wallet', null) from dual;
If the wallet has been properly set up, you will be returned the first 2,000 characters of the HTML page.

SSL Setup is completed now

Enabling SSL or TLS in Oracle E-Business Suite Release 12.2

Enabling TLS in Oracle Apps R12.2 Here  we would be looking at the detailed steps for Enabling TLS in Oracle Apps R12.2 Introduction: ...