SSL / HTTPS · Phase 1 Prerequisite
How to Enable HTTPS on Oracle EBS R12.2 — Step by Step
Before Okta SSO can work, your EBS environment needs HTTPS. This guide covers Oracle Wallet creation, OHS configuration, and going live on port 443 — with exact commands for your environment.
punitoracledba · EBS R12.2.13 · RHEL 8 · OHS 12.2.x · ~10 min read
Series — EBS R12.2.13 + Okta SSO Implementation
6-part series covering the full SSO integration
● Part 1 — Enable HTTPS on EBS R12.2 (this post)
→ Part 2 — Installing Oracle EBS Asserter on WebLogic
→ Part 3 — Configuring Okta SAML 2.0 App for EBS
→ Part 4 — EBS Profile Options for SSO — Complete Guide
→ Part 5 — Testing EBS SSO Integration — Full Checklist
→ Part 6 — Go-Live, Cutover & Hardening Guide
Why HTTPS First?
Okta is a cloud-based Identity Provider (IdP) that communicates over SAML 2.0. Every SAML assertion it sends contains sensitive authentication tokens. Without HTTPS, those tokens travel in plain text — and Okta simply refuses to integrate with HTTP endpoints. No SSL = no SSO. Full stop.
In this post, we configure HTTPS on Oracle HTTP Server (OHS) for EBS R12.2.13 running on RHEL 8, using an Oracle Wallet with a self-signed certificate on port 443.
Note: For production environments, replace the self-signed certificate with one from your internal CA or a trusted CA (DigiCert, Sectigo, etc.). All other steps remain identical.
Environment Reference
| Component | Value |
| Application server | pc.app.com |
| Database server | pc.db.com : 1533 |
| Current EBS URL | http://pc.app.com:8012 |
| Target HTTPS URL | https://pc.app.com:443 |
| OS | RHEL 8 |
| OHS version | OHS 12.2.x (EBS R12.2.13) |
| Certificate type | Self-signed (lab/dev) |
Step 1
Locate Your OHS Instance & Wallet Directory
Log in to pc.app.com as your EBS OS user (typically applmgr) and run:
bash — find OHS paths
echo $INST_TOP
find $INST_TOP -name "cwallet.sso" 2>/dev/null
find $INST_TOP -name "wallet" -type d 2>/dev/null
Typical wallet location:
$INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default/
Step 2
Verify orapki Is Available
EBS R12.2 OHS uses the Oracle Wallet — not openssl. The tool is orapki.
bash — verify orapki
export PATH=$ORACLE_HOME/bin:$PATH
which orapki
orapki version
Tip: If orapki is not found, source your EBS env file:
source $INST_TOP/ora/10.1.3/Apache/Apache/bin/envvar.sh
Step 3
Create the Oracle Wallet
bash — create wallet directory
mkdir -p $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default
cd $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default
bash — create wallet with auto-login
orapki wallet create \
-wallet $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default \
-pwd WalletPasswd123 \
-auto_login
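The -auto_login flag creates cwallet.sso, which lets OHS open the wallet without a password prompt when the server restarts. Because cwallet.sso needs no password, anyone who can read the file can use the private key, so keep the wallet directory readable only by the EBS OS user. A password passed with -pwd also ends up in shell history, so treat WalletPasswd123 as a placeholder and pick your own.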
Step 4
Generate the Self-Signed Certificate
bash — add self-signed certificate (10-year validity)
orapki wallet add \
-wallet $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default \
-pwd WalletPasswd123 \
-dn "CN=pc.app.com,OU=IT,O=YourOrg,L=City,ST=State,C=US" \
-keysize 2048 \
-self_signed \
-validity 3650
Verify the certificate was added:
bash — display wallet contents
orapki wallet display \
-wallet $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default \
-pwd WalletPasswd123
expected output
User Certificates:
Subject: CN=pc.app.com,OU=IT,O=YourOrg,L=City,ST=State,C=US
Step 5
Configure ssl.conf for Port 443
bash — backup and edit ssl.conf
cp $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf \
$INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf.bkp_$(date +%Y%m%d)
vi $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf
Set these key directives inside ssl.conf:
ssl.conf — key settings
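Listen 443
SSLEngine on
<VirtualHost pc.app.com:443>
    ServerName pc.app.com:443
    # Write the wallet directory as a full path: the shell variable $INST_TOP is not expanded inside ssl.conf
    SSLWallet "$INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default"
    # Accept TLS 1.2 only
    SSLProtocol TLSv1.2
    # Strong ciphers only; no anonymous (unauthenticated) or MD5-based suites
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>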
Always back up config files before editing. The $(date +%Y%m%d) suffix keeps backups organised by date.
Step 6
Update httpd.conf
httpd.conf — verify these lines exist
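Listen 80
# ssl.conf above also declares Listen 443. Keep the directive in only one of the two files:
# a second Listen for the same address and port fails with "Address already in use".
Listen 443
Include conf/ssl.conf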
Step 7
Update EBS Context File & Run AutoConfig
This is the step most DBAs miss. The context file drives all generated EBS configuration. Skip this and your EBS URLs will still point to HTTP even after OHS is serving HTTPS.
context file — update these parameters
<s_webentryhost>pc.app.com</s_webentryhost>
<s_webentryurlport>443</s_webentryurlport>
<s_login_page>https://pc.app.com:443/OA_HTML/AppsLocalLogin.jsp</s_login_page>
<s_external_url>https://pc.app.com:443</s_external_url>
bash — run AutoConfig
cd $ADMIN_SCRIPTS_HOME
./adautocfg.sh
Step 8
Open Port 443 on RHEL 8 Firewall
bash — firewalld + SELinux
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
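# Check the SELinux mode first; the port label below matters only when this prints Enforcing
getenforce
# The default RHEL policy normally lists 443 under http_port_t already, in which case
# semanage reports the port as already defined and no change is needed
sudo semanage port -a -t http_port_t -p tcp 443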
Step 9
Bounce OHS & Test HTTPS
bash — restart and verify
$ADMIN_SCRIPTS_HOME/adapcctl.sh stop
$ADMIN_SCRIPTS_HOME/adapcctl.sh start
$ADMIN_SCRIPTS_HOME/adapcctl.sh status
# Test HTTPS (-k skips certificate verification, needed here because the certificate is self-signed)
curl -k -I https://pc.app.com/OA_HTML/AppsLocalLogin.jsp
Expected result: HTTP/1.1 200 OK — HTTPS is live!
Final Verification Checklist
| Check | Command | Expected |
| Wallet created | ls ssl.wlt/default/ | ✓ cwallet.sso + ewallet.p12 |
| Certificate added | orapki wallet display | ✓ CN=pc.app.com |
| OHS running | adapcctl.sh status | ✓ Running |
| Port 443 open | curl -k https://pc.app.com | ✓ HTTP 200 OK |
| AutoConfig done | adautocfg.sh | ✓ Completed |
| Context file updated | grep 443 $CONTEXT_FILE | ✓ Shows port 443 |
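A stricter form of the checklist's "grep 443 $CONTEXT_FILE" row, as an added example that is not part of the original post: it compares the four Step 7 parameters with the expected HTTPS values and reports each one that is stale or missing. The function names, the oa_var attribute layout and the sample file are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: checks the four Step 7 parameters by value, not just "grep 443".
# ctx_value FILE NAME -> value of the element carrying oa_var="NAME" (assumed
# AutoConfig layout) or written as <NAME>...</NAME> (the shorthand in Step 7).
ctx_value() {
    sed -n -e "s:.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*:\1:p" \
           -e "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1
}

# check_https_context FILE HOST PORT
# Prints one line per parameter that is missing or still non-HTTPS and
# returns the number of findings, so 0 means the file matches Step 7.
check_https_context() {
    file=$1 host=$2 port=$3 bad=0
    base="https://${host}:${port}"
    for pair in \
        "s_webentryhost=$host" \
        "s_webentryurlport=$port" \
        "s_login_page=$base/OA_HTML/AppsLocalLogin.jsp" \
        "s_external_url=$base"
    do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(ctx_value "$file" "$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: found '${got:-<missing>}', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample (element names are illustrative): the port was edited by
# hand, but the login page and external URL still point at http://...:8012.
make_stale_sample() {
    cat > "$1" <<'EOF'
<oa_context>
  <webentryhost oa_var="s_webentryhost">pc.app.com</webentryhost>
  <webentryurlport oa_var="s_webentryurlport">443</webentryurlport>
  <login_page oa_var="s_login_page">http://pc.app.com:8012/OA_HTML/AppsLocalLogin.jsp</login_page>
  <external_url oa_var="s_external_url">http://pc.app.com:8012</external_url>
</oa_context>
EOF
}

# Demo: use $CONTEXT_FILE when the EBS environment is sourced, else the sample.
demo=${CONTEXT_FILE:-}
[ -n "$demo" ] || { demo=$(mktemp); make_stale_sample "$demo"; }
check_https_context "$demo" pc.app.com 443 || echo "findings: $?"
```

Run it before and after AutoConfig: a non-zero return after adautocfg.sh means generated URLs can still point at HTTP even though OHS answers on 443.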
What's Next?
With HTTPS confirmed on https://pc.app.com, your environment is ready to receive Okta SAML assertions securely. In Part 2 of this series, we deploy the Oracle EBS Asserter on WebLogic — the middleware that translates Okta's SAML token into an EBS session.
Hit any issues? Drop a comment with the error message and I'll help troubleshoot.
Written by
punitoracledba
Oracle DBA Specialist Lead | Oracle EBS DBA | AWS & AI Learner. Turning real-world database experience into practical knowledge. Follow the full EBS R12.2 + Okta SSO series at punitoracledba.blogspot.com