
TLS 1.2 Configuration for
Oracle E-Business Suite 12.2 and 12.1

Elke Phelps, Senior Principal Product Manager


Applications Technology
E-Business Suite Development
Oracle

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.



TLS 1.2 for Oracle E-Business Suite 12.2 and 12.1

1. Migrating from SSL/TLS 1.0 to TLS 1.2

2. Enabling TLS for the first time

Steps performed for both scenarios may differ depending upon


• Enabling/Migrating is the same for EBS 12.1 for inbound
connections due to OpenSSL
• Special considerations for inbound, outbound & loopback
• Optional configurations
MOS Note 1367293.1 and 376700.1

Program Agenda

1 Key Terminology and Concepts


2 TLS 1.2 Certification with EBS 12.2 and 12.1
3 Overview of Key Prerequisites and Configuration Steps
4 Optional Configurations
5 TLS 1.2 Configuration Checklist



Program Agenda

A SSL vs TLS
B TLS Connections in Oracle E-Business Suite



Transport Layer Security (TLS) vs Secure Socket Layer (SSL)
Review
• TLS creates an encrypted connection between two machines allowing for private
information to be transmitted without the problems of eavesdropping, data tampering,
or message forgery
• TLS is the successor to SSL; SSL 3.0 is no longer recommended (dead)
• TLS 1.2 is what we will talk about for Oracle E-Business Suite going forward
• HTTPS is HTTP working on top of TLS
• Industry standards mandating the move to TLS 1.2
– OMB NIST mandate (800-52 rev1) to move to TLS 1.2
– PCI council (PCI DSS v3.1) requires new implementations to be on at least TLS 1.1
• Migrate to a minimum of TLS 1.1, preferably TLS 1.2 by June 2018



“everything less than TLS 1.2 … is
cryptographically broken”

– Adam Langley, Google Chrome

TLS Addresses Recent Security Vulnerabilities
• POODLE
– Padding Oracle On Downgraded Legacy Encryption
– Migration to TLS (SSLv3 is turned off)
• FREAK, Logjam, RC4-NO-MORE
– Factoring Attack on RSA-EXPORT Keys
– Weak DH parameters (<2048), RC4
– Disable weak cipher suites
– Strong cipher suites by default
• For example, EBS R12.2 (FMW 11.1.1.9):

[000a] RSA_DES_192_CBC3_SHA
[002f] RSA_WITH_AES_128_SHA
[0035] RSA_WITH_AES_256_SHA
[003c] RSA_WITH_AES_128_CBC_SHA256
[003d] RSA_WITH_AES_256_CBC_SHA256
[009c] RSA_WITH_AES_128_GCM_SHA256
[009d] RSA_WITH_AES_256_GCM_SHA384

(Slide annotation beside the list: Available with TLS 1.2)



TLS Connections in Oracle E-Business Suite
• Inbound connections: from a client to the Oracle HTTP Server
• Loopback connections: from Oracle E-Business Suite to itself
• Outbound connections: from Oracle E-Business Suite to External Site(s)

[Diagram: Internet user, external application node, internal application node, EBS database, intranet user, external site, DMZ]



Examples of TLS Connections in Oracle E-Business Suite

Inbound Connections
• Browser access
• Forms access
• Incoming XML Gateway message
• Mobile access via a REST service

Loopback Connections
• Workflow notification emails from Concurrent Manager tier
• Payment call back from a database tier
• OAM log viewer

Outbound Connections
• Punchout in iProcurement
• XML Gateway connection to a partner application
• Payments credit card processing



Program Agenda

A What’s New with the Certification of EBS with TLS 1.2?


B Special Considerations for Inbound, Outbound & Loopback



What’s New with the Certification of EBS and TLS 1.2?
• Oracle E-Business Suite Release 12.2 and 12.1 Certified with TLS 1.2
– “TLS 1.2 with Backward Compatibility” aka “TLS 1.2 w/BC”
– Mandatory prerequisites and configuration
• Oracle E-Business Suite Release 12.1 Uses OpenSSL
• Optional Configurations
– Configuring “TLS 1.2 Only”
– Disabling HTTP Port
– Enabling TLS from Oracle HTTP Server (OHS) to Application Server (OC4J / WLS)
• Certified for EBS 12.1: OHS to OC4J
• Pending certification for EBS 12.2: OHS to WebLogic Server (WLS)

What’s New with the Certification of EBS and TLS 1.2?
EBS 12.2
– MOS Note 1367293.1: New Structure and Content for TLS 1.2
– MOS Note 2143101.1 (New Note ID): Content for SSLv3 and TLS 1.0, For Reference Only for Existing SSL/TLS 1.0 Customers

EBS 12.1
– MOS Note 376700.1: New Structure and Content for TLS 1.2
– MOS Note 2143099.1 (New Note ID): Content for SSLv3 and TLS 1.0, For Reference Only for Existing SSL/TLS 1.0 Customers



Special Considerations - Inbound Connections
TLS Termination

A TLS termination point is the end-point server for the encrypted connection that has been initiated by a client

Option 1: OHS as the TLS Termination Point


Option 2: Alternate TLS Termination Point
(eg, load balancer or reverse proxy)

Special Considerations - Inbound Connections
Option 1

• OHS is the TLS termination point


• Configuration requirements
– OHS as the TLS Termination Point

Special Considerations - Inbound Connections
Option 2

• Alternate TLS termination point
– Load Balancer
– Reverse proxy
• Configuration requirements
– Load balancer must behave as TLS Termination Point
• Should also encrypt the connection to OHS
– Certified for EBS 12.2 and EBS 12.1

[Diagram: Load Balancer in front of Web Node 1, Web Node 2 and Web Node 3]

Special Considerations – Outbound & Loopback Connections
• Trust stores need root certificate information of all servers they are
communicating with
• Loopback connections need the root cert associated with the web entry
point
– Database tier (UTL_HTTP uses Oracle Wallet)
– WLS Administrative interfaces
• Outbound connections need the root cert of external site
– For products communicating with external servers such as Punchout, XML Gateway

MOS Note 1367293.1 and 376700.1



Program Agenda

A EBS 12.2: Migrating/Enabling TLS 1.2 w/BC


B EBS 12.1: Migrating/Enabling TLS 1.2 w/BC



How EBS Works After Enabling/Migrating to TLS 1.2 w/BC
• EBS 12.2 and 12.1 are configured to use TLS 1.2, 1.1 or 1.0
• Connection will use the highest version of TLS enabled by the two parties

[Diagram: Internet user, external and internal application nodes, EBS database, intranet user, external site, DMZ. Both browsers support TLS 1.2 and the external site supports TLS 1.2; each connection is established using TLS 1.2.]

MOS Note 1367293.1 and 376700.1, Section 4.2

How EBS Works After Enabling/Migrating to TLS 1.2 w/BC
• EBS 12.2 and 12.1 are configured to use TLS 1.2, 1.1 or 1.0
• Connection will use the highest version of TLS enabled by the two parties

[Diagram: Internet user, external and internal application nodes, EBS database, intranet user, external site, DMZ. A browser that supports TLS 1.2 connects using TLS 1.2, a browser that supports TLS 1.1 connects using TLS 1.1, and an external site that supports TLS 1.0 connects using TLS 1.0.]

MOS Note 1367293.1 and 376700.1, Section 4.2



EBS 12.2: Migrating from SSL/TLS1.0 to TLS 1.2 w/BC
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Make configuration changes in the middle tier
– Inbound (Section 5.2)
• Specify TLS protocol versions and cipher suites in opmn.xml, admin.conf , and ssl.conf
– Loopback and outbound (Section 5.3)
• JVM parameter for all managed servers and the WebLogic administration server
– “-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2”

MOS Note 1367293.1

EBS 12.2: Enabling TLS w/BC
Customers implementing encryption for the first time should follow section 5
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create a wallet and request a server certificate
• Make configuration changes in the middle tier for
inbound/loopback/outbound connections
• Set up a wallet in the database tier
MOS Note 1367293.1



EBS 12.1: Migrating from SSL/TLS 1.0 to TLS 1.2 w/BC
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create an openssl configuration file and request a server certificate
• Make configuration changes in the middle tier
– Inbound (Section 5.2)
• Specify TLS protocol versions and cipher suites in a few custom templates
– Loopback and outbound (Section 5.3)
• Set https.protocols=TLSv1,TLSv1.1,TLSv1.2 in a few custom templates

MOS Note 376700.1

EBS 12.1: Enabling TLS 1.2 w/BC
Customers implementing encryption for the first time should follow section 5
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create an OpenSSL configuration file and request a server certificate
• Make configuration changes in the middle tier for
inbound/loopback/outbound connections
• Set up a wallet in the database tier

MOS Note 376700.1

EBS 12.1: Key Requirements for TLS 1.2 and OpenSSL
• FMW 10.1.3.5 One Off Patches
– OHS patch 22447165 and OPMN patch 22458773 contain new FMW code as well as
the OpenSSL (version 1.0.2) binary
....
22447165/files/Apache/Apache/libexec/mod_ssl.so
22447165/files/Apache/Apache/libexec/mod_oc4j.so
22447165/files/Apache/open_ssl/bin/openssl
....

MOS Note 376700.1

EBS 12.1: Switching To OpenSSL
All EBS 12.1 customers must get a new certificate or ask the CA to rekey their existing certificate

SSL/TLS 1.0 (10g NZ Library)
– %s_web_ssl_directory%/opmn/ewallet.p12
– %s_web_ssl_directory%/opmn/cwallet.sso
– %s_web_ssl_directory%/Apache/ewallet.p12
– %s_web_ssl_directory%/Apache/cwallet.sso
– Tool: Oracle Wallet Manager (owm)

TLS 1.2 (New: OpenSSL 1.0.2)
– openssl-certfile - opmn.crt
– openssl-keyfile - server.key
– SSLCertificateFile - server.crt
– SSLCertificateKeyFile - server.key
– SSLCertificateChainFile - intermediate.crt
– Tool: OpenSSL (openssl)

Note: See Section 5.2.1, Step 2

• Make sure to use the openssl delivered with the FMW patches
• Prepend the OpenSSL directory to your PATH. For example:
PATH=<10.1.3 OH>/Apache/open_ssl/bin:$PATH
EBS 12.1 Inbound Connections
TLS 1.2 Key Configuration – AutoConfig Customizations
• Create the custom template directory <FND_TOP>/admin/template/custom
• Copy the following template files from <FND_TOP>/admin/template to the
custom template directory:
opmn_xml_1013.tmp, httpd_conf_1013.tmp, ssl_conf_1013.tmp
• Known Issues
If a patch is applied to EBS that updates the above template files, AutoConfig will fail with the following error:
"Version Conflicts among development maintained and customized templates encountered;
aborting AutoConfig run."
Solution: Copy the newer template to the custom folder and re-apply the modification listed in this document.

MOS Note 376700.1

EBS 12.1 Outbound/Loopback Connections
TLS 1.2 Key Configuration –AutoConfig Customizations
• Copy the following files from <FND_TOP>/admin/template to the custom
directory, <FND_TOP>/admin/template/custom:
oc4j_properties_1013.tmp, oafm_oc4j_properties_1013.tmp,
forms_oc4j_properties_1013.tmp

• Known Issues
– Same AutoConfig known issue as with the inbound connection configuration

MOS Note 376700.1



Program Agenda

A Configuring TLS 1.2 Only


B Disabling HTTP Only Port
C TLS for OHS to OC4J



How EBS Works When Configured with TLS 1.2 Only
• EBS 12.2 and 12.1 are configured to only connect with TLS 1.2
• Connection will use TLS 1.2

[Diagram: Internet user, external and internal application nodes, EBS database, intranet user, external site, DMZ. Both browsers support TLS 1.2 and the external site supports TLS 1.2; each connection is established using TLS 1.2.]

MOS Note 1367293.1 and 376700.1, Section 6.1

How EBS Works When Configured with TLS 1.2 Only
• EBS 12.2 and 12.1 are configured to only connect with TLS 1.2
• Connection will use TLS 1.2

[Diagram: Internet user, external and internal application nodes, EBS database, intranet user, external site, DMZ. A browser that supports TLS 1.2 connects using TLS 1.2. For a browser that supports TLS 1.1 and for an external site that supports TLS 1.0: ERROR, connection not established.]

MOS Note 1367293.1 and 376700.1, Section 6.1

Additional Considerations When Configuring TLS 1.2 Only
• Product Certifications with TLS 1.2
– Mobile Applications V6 (minimum)
– Oracle E-Business Suite Information Discovery V7 (minimum)
• JRE Versions
– JRE 8 : TLS1.2 enabled by default
– JRE 7 : TLS1.2 to be enabled manually
Java Control Panel > Advanced tab > Advanced Security Settings section > Use TLS 1.2.
• Browser Enabled TLS1.2 by Default
– IE 11/Firefox ESR 45.x/Chrome v49

EBS 12.2: Migrating from SSL/TLS 1.0 to TLS 1.2 Only
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Database 12.1.0.2
– Apply required patches
• Make configuration changes in the middle tier
– Inbound: Same as in section 5.2 for TLS 1.2 w/BC except for the following:
• Step 7: Set SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2
in admin.conf
Set ssl-versions="TLSv1.0" in opmn.xml
• Step 9: Set SSLProtocol TLSv1.2 in ssl.conf
– Known Issues: Bug 23630525
• Workaround for inbound connections per Step 7 above. Set SSLProtocol for TLS 1.2, 1.1. and 1.0
MOS Note 1367293.1

EBS 12.2: Migrating from SSL/TLS 1.0 to TLS 1.2 Only

• Make configuration changes in the middle tier (continued)


– Loopback and outbound (section 5.3): Same as TLS 1.2 w/BC except for the following:
• Step 1: Set JVM parameter “-Dhttps.protocols=TLSv1.2” for all managed
servers and the WebLogic administration server

MOS Note 1367293.1

EBS 12.1: Migrating from SSL/TLS 1.0 to TLS 1.2 Only
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Database 12.1.0.2
– Apply required patches
• Make configuration changes in the middle tier
– Inbound, Same as in section 5.2 for TLS 1.2 w/BC except for the following:
• Section 5.2.1, Step 6: Use the value listed in Section 6.1.2, Step 1 instead
– Loopback and Outbound: Same as in Section 5.3 except for the following:
• Section 5.3.1, Step 1: Set https.protocols=TLSv1.2 in a few custom template files

MOS Note 376700.1



Disabling HTTP Port

• EBS 12.2 and 12.1 are now certified with only the HTTPS port accessible.

• After HTTPS (e.g. port 4443) is enabled, the HTTP port (e.g., port 8000) is
still accessible. You now may manually disable the HTTP port.

MOS Note 1367293.1 & 376700.1 Section 6.2

EBS 12.2: Disabling HTTP Port
• TXK and FMW minimum requirement
– Requirements from section 5.1 and section 6.2 “Required Patches”
• TXK Delta 7 bundle patch 21846184 (enable JSSE)
• OPMN patch 20493440
• FMW 11.1.1.9 patch 22288381
– Recommend to apply the latest FMW CPU patch
• Update httpd.conf through FMW Control Console
– Comment out the “listen ####” line
– Switch the order of the include statement so that the ssl.conf is before admin.conf
• Known Issues
– iHELP search failure (Bug 20472035)
MOS Note 1367293.1

EBS 12.1: Disabling HTTP Port
• TXK and FMW minimum requirement
– Requirements from section 5.1
• Copy the template file, httpd_conf_1013.tmp, to the
<FND_TOP>/admin/template/custom directory
• Comment out "Listen %s_http_listen_parameter%"

• Known Issues
– iHELP search failure (20472035)

MOS Note 376700.1



EBS 12.1: Enable TLS for OHS To OC4J Connection
• Enabling TLS for OHS to OC4J connection is certified
• Edit txkChkFormsDeployment.pl to comment a line of code
#instantiateNewConfigFile($template_config_file, $actual_config_file)
– Known Issues: Bug 23645824
• If other modifications (via a patch application, a rollback, or a manual change) need to be made to $ORA_CONFIG_HOME/10.1.3/j2ee/forms/config/system-jazn-data.xml, repeat the modification and reset the password for the oc4jadmin user; see the MOS Note for details

MOS Note 376700.1, Section 6.3



TLS Configuration Checklist
What to Do
Source the apps environment and execute the following:
$OA_JRE_TOP/bin/java -version

What to Review
Sample output:
java version "1.7.0_45"
or
java version "1.6.0_121"

Note:
• JDK 1.6.0_121 (July 2016 update) or 1.7.0_xx can be used with TLS 1.2.
• Follow the steps in MOS Note 455492.1 to upgrade to JDK 6 or MOS Note 1530033.1 to upgrade to JDK 1.7

TLS Configuration Checklist
What to Do
For EBS 12.2, execute the following in the FMW 11g WebTier Oracle Home:
$ opatch lsinventory -detail
What to Review
Under 'Installed Top-level Products', look for 'Oracle WebTier and Utilities CD'. The version should show '11.1.1.9.0'.

What to Do
For EBS 12.1, execute the following in the FMW 10g WebTier Oracle Home:
$ opatch lsinventory -detail
What to Review
Check the FMW inventory for the required patches
TLS 1.2
• FMW 10.1.3.5 20080288, 22447165 and 22458773.
SHA-2
• FMW 10.1.3.5 Oct 2015 CPU patch: 20080288
and
• For AIX/HP: 21948197
• For Windows: 22251660

TLS Configuration Checklist
What to Do
To research errors with inbound connections (see Section 4.1 for definition), check the following file:
ssl.conf
Located in the following directory:
<s_ohs_instance_loc>/config/OHS/<s_ohs_component>

What to Review
Review the configuration in the ssl.conf file.
If you are enabling “TLS 1.2 w/BC” the following lines are required:
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM

If you are enabling “TLS 1.2 Only” the following lines are required:
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
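
An added example, not Oracle's code and not part of the original slides: a small Python audit that checks an ssl.conf and a JVM argument string against the two checklist profiles above, and models the "highest version enabled by the two parties" rule from the earlier "w/BC" and "TLS 1.2 Only" slides. The function names, the sample files and the treatment of unrecognised tokens are assumptions made for illustration.

```python
import re

# Profiles and cipher string copied from the checklist slide above.
MODES = {
    "TLS 1.2 w/BC": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "TLS 1.2 Only": ["TLSv1.2"],
}
EXPECTED_CIPHERS = "HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM"
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest
CANON = {p.lower(): p for p in ORDER}
# Alternate spellings used on the slides for admin.conf and opmn.xml.
CANON.update({"nzos_version_1_0": "TLSv1", "nzos_version_1_1": "TLSv1.1",
              "nzos_version_1_2": "TLSv1.2", "tlsv1.0": "TLSv1"})


def parse_directives(conf_text):
    """Map lower-cased directive name to its values, active lines only."""
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # backslash line continuation
    found = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and <Section> tags
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(value)
    return found


def enabled_protocols(values):
    """Union of protocols named by all SSLProtocol values, plus unknown tokens."""
    known, unknown = set(), []
    for tok in " ".join(values).split():
        name = CANON.get(tok.lstrip("+").lower())
        if name:
            known.add(name)
        else:
            unknown.append(tok)  # e.g. "all" or "-SSLv3": review by hand
    return sorted(known, key=ORDER.index), unknown


def audit_inbound(conf_text):
    """Return (matched profile or None, findings) for an ssl.conf."""
    d = parse_directives(conf_text)
    if "sslprotocol" not in d:
        return None, ["no active SSLProtocol directive"]
    protos, unknown = enabled_protocols(d["sslprotocol"])
    findings = ["unrecognised SSLProtocol token: " + t for t in unknown]
    findings += [p + " is enabled" for p in protos if p.startswith("SSL")]
    mode = None
    if not unknown:
        mode = next((m for m, want in MODES.items() if want == protos), None)
    if mode is None:
        findings.append("SSLProtocol matches neither checklist profile")
    ciphers = d.get("sslciphersuite", [])
    if not ciphers:
        findings.append("no active SSLCipherSuite directive")
    findings += ["SSLCipherSuite differs from checklist: " + c
                 for c in ciphers if c != EXPECTED_CIPHERS]
    return mode, findings


def audit_jvm(jvm_args, mode):
    """Check -Dhttps.protocols (loopback/outbound) against the inbound profile."""
    m = re.search(r"-Dhttps\.protocols=([^\s\"']+)", jvm_args)
    if not m:
        return ["-Dhttps.protocols is not set"]
    got = {CANON.get(p.lower(), p) for p in m.group(1).split(",")}
    if got != set(MODES.get(mode, [])):
        return ["https.protocols=%s does not match %r" % (m.group(1), mode)]
    return []


def negotiate(ours, peer):
    """Highest version enabled by both parties; None means no connection."""
    common = set(ours) & set(peer)
    return max(common, key=ORDER.index) if common else None


# Constructed sample files, not taken from a real system.
WBC_CONF = """
<VirtualHost _default_:4443>
  SSLEngine on
  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
</VirtualHost>
"""
ONLY_CONF = WBC_CONF.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2")
LEGACY_CONF = """
# SSLProtocol TLSv1.2
SSLProtocol SSLv3 TLSv1
SSLCipherSuite ALL
"""

if __name__ == "__main__":
    for label, conf in [("w/BC", WBC_CONF), ("only", ONLY_CONF), ("legacy", LEGACY_CONF)]:
        print(label, audit_inbound(conf))
    tls11_peer = ["TLSv1", "TLSv1.1"]  # peer that stops at TLS 1.1
    for name, protos in MODES.items():
        print(name, "->", negotiate(protos, tls11_peer))
    print(audit_jvm("-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2", "TLS 1.2 Only"))
```

Values such as `all` or `-SSLv3` are reported as unrecognised rather than expanded, so a file using them is flagged for manual review instead of being matched to a profile.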

TLS Configuration Checklist
What to Do
To research errors with inbound connections (see Section 4.1 for definition), check the following file:
httpd_conf_1013.tmp, located in the <FND_TOP>/admin/template/custom directory

What to Review
The following lines should be in the httpd_conf_1013.tmp file:
<IfDefine SSL>
#LoadModule ossl_module libexec/mod_ossl.so
LoadModule ssl_module libexec/mod_ssl.so
</IfDefine>

References

Documentation

Title Doc ID
FAQ: Oracle E-Business Suite Security 2063486.1
Oracle E-Business Suite Security Guide, Release 12.2 – Secure Configuration Chapter N/A
Secure Configuration for Oracle E-Business Suite Release 12 403537.1
Enabling TLS in Oracle E-Business Suite Release 12.2 1367293.1
Enabling SSL or TLS in Oracle E-Business Suite Release 12.2 2143101.1
Enabling TLS in Oracle E-Business Suite Release 12.1 376700.1
Enabling SSL or TLS in Oracle E-Business Suite Release 12 2143099.1
CVE-2014-3566 - Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite 1937646.1

Where to Find More Information
Oracle E-Business Suite Release 12.2
EBS 12.2 Information Center
• EBS Documentation and Training
– EBS 12.2 Information Center
MOS Note 1581299.1
Includes link to the EBS Documentation Web Library

– EBS Release Content Documents


MOS Note 1302189.1

– EBS Transfer of Info (TOI) Online Training


MOS Note 807319.1



Transfer of Information (TOI) Online Training
Learn More About Oracle E-Business Suite 12.2 New Features

• Implement and Use Application Object Library - SECURITY: Redirect Filter


• Implement and Use E-Business Suite Secure Configuration - Allowed JSPs
• Implement and Use E-Business Suite Secure Configuration - Cookie Domain
Scoping

MOS Note 807319.1

Oracle E-Business Suite Learning Subscription
Stay Up-to-Date on Everything Oracle E-Business Suite

• Free access to hundreds of videos


– Virtual Conference, What’s New, User
Experience, Advice from Development
• Paid subscription access to over 500
technical and functional training sessions
– In-depth courses with hands-on labs
– Supplemental learning modules with demos
– 12.2 solution overviews with demos
• Continuous updates and additions
education.oracle.com/subscriptions/ebs
Oracle E-Business Suite Learning Subscription
Applications Technology Channel

Here you will find the following recordings:
• Managing Oracle E-Business Suite Security and Auditing
• Ready or Not: Applying Secure Configuration to Oracle E-Business Suite
• TLS 1.2 Configuration for Oracle E-Business Suite
• …and more technology related sessions

education.oracle.com/subscriptions/ebs

Oracle E-Business Suite Learning Subscription
Oracle E-Business Suite and Oracle Cloud
• Channel Dedicated to “EBS and Oracle Cloud” with
Focus on:
– EBS on Oracle Cloud (IaaS + PaaS)
– EBS Coexistence with Cloud HCM/ERP/CX
– SaaS on PaaS Cloud Applications

• Available Today:
– Running EBS on Oracle Cloud: Why, What and How?
– Deploying EBS on Oracle Cloud: Getting Started
– Deploying EBS on Oracle Cloud: Multi-Node Topologies
– Oracle E-Business Suite Coexistence with Oracle HCM Cloud
….and more related sessions

• Coming Soon:
– Secure Configuration for Oracle E-Business Suite in Oracle Cloud
…and more
education.oracle.com/subscriptions/ebs



Oracle E-Business Suite Technology Blog

blogs.oracle.com/stevenchan

• Direct from EBS Development


• Latest news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Latest upgrade recommendations
• Statements of Direction
• Subscribe via email or RSS



Blog: Oracle E-Business Suite and Oracle Cloud
https://blogs.oracle.com/EBSandOracleCloud/

• Live since 1st June 2016


• 20 Articles since 1st June 2016
• Dedicated to EBS and Oracle Cloud Topics
• Sponsored by EBS Development Executives

Subscribe by Email



Oracle E-Business Suite: Applications Technology

facebook.com/groups/EBS.SysAdmin

Join us on Facebook
