SSL certificates are small data files that bind a digitally signed public key to an organization. When installed on a web server, they let the server serve its content over secure HTTPS instead of plain HTTP.
SSL (Secure Socket Layer): This encryption-based internet security protocol is designed to run over TCP (Transmission Control Protocol) to offer dependable end-to-end connectivity. SSL is a set of rules that governs authenticated and encrypted data communication between the Client (the entity browsing the Internet) and the Server (the website).
This blog will discuss secure connection/communication between Oracle Engagement Cloud and other third-party applications via Oracle SOA.
SSL operates within the network stack: it sits between the Application Layer and the Transport Layer and performs the encryption-related work for the connection.
SSL Certificate Renewal:
SSL renewal keeps connection encryption up to date, which protects both the site and its users. SSL certificates have expiration dates hardcoded into them; once a certificate expires, web browsers warn users about the website. Certificates expire so that connection encryption is periodically brought in line with the latest encryption standards.
Renewing Oracle Cloud SSL Certificate:
Users/Admins receive a notification from Oracle when a certificate renewal is needed. Upon Oracle's notification, any external integration that still holds the old certificates should be updated with the new ones as soon as Oracle installs the new certificate.
The network team confirms that the certificates they place on the load balancer should NOT be imported into the client certificate store. Those certificates are for the Oracle Load Balancers only; the client should instead use the proper CA (Certificate Authority) certificates in its store.
Some users have inbound connections set up to communicate with the Oracle Cloud Fusion environment from external sources (e.g., On-Premises or Oracle PaaS/SaaS Services) and have embedded Akamai certificates. A notification is sent to those users when the certificate is renewed at the Akamai end. To avoid any interruption, plan to re-import the certificates on or before the certificate renewal date.
Steps to log Service Request for Oracle Support to obtain certificates:
- Log an SR via My Oracle Support
- In the Service Type field, select any of the Fusion Applications Cloud Services
- In the Environment field, select the environment for which the SSL certificates are needed (please log a separate SR for each Environment/POD)
- In the Problem Type drop-down, select Cloud Hosting Services (Outage, P2T/T2T, Enable SSO, Resize, CloudPortal, MyServices, User/Password, Network, Schedule Maintenance)
- Enter the Problem Summary, Description and Severity
- Click Next to log the Service Request
- In the Guided Problem Definition, select the option Fusion SaaS SSL Certificate Renewal
- Continue with the flow to log the SR
How can we test the new Certificate before renewal?
Support can give the customer the following instructions to test the certificate before renewal.
If the customer plans to test via a web browser, these are the steps that can be passed on to the customer:
- Testing should be done over an open internet connection.
- To determine the Akamai staging IP, do the following:
  - Look up the app domain you want to test. The staging hostname has the format pods-<APP>.<DC>.oraclecloud.com.edgekey-staging.net, where <APP> = fa and <DC> = us2, ap5, etc.
  - Look up pods-fa.us2.oraclecloud.com.edgekey-staging.net
  - Take the IP address from the Address section. In the above example, it is 126.96.36.199
- Add the IP address to your local hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux-based systems):
  - Open the hosts file and add a line of the form <IP address from Step 1> <testing hostname>, e.g., 188.8.131.52 edlq.fa.us2.oraclecloud.com
- Turn off the proxy in your browser. In Firefox: Tools -> Options -> Advanced -> Network, then under Connections -> Settings.
- Restart the browser.
- Conduct a test against the environment. Users should now see the new certificate when accessing the respective pods.
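As an added example (not code from the original post), the same staging check can be scripted: resolve the Akamai staging edge, connect to that IP while sending the real pod hostname as SNI, and report whether the served certificate covers the pod and how long it remains valid. It assumes port 443 on the staging edge is reachable from an open internet connection and reuses the post's fa/us2/edlq names as placeholders.

```python
# Added example (not from the original post): check the certificate the Akamai
# staging edge serves for a Fusion pod hostname, without editing the hosts file.
# Assumptions: port 443 on the staging edge is reachable from an open internet
# connection; the app/DC/pod names (fa, us2, edlq) follow the post.
import socket
import ssl
import time


def staging_host(app, dc):
    """Akamai staging edge name for an app/data-centre pair, as used in the post."""
    return f"pods-{app}.{dc}.oraclecloud.com.edgekey-staging.net"


def hostname_matches(cert, hostname):
    """True if a DNS SAN covers hostname; a wildcard matches one label only."""
    labels = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = name.lower().split(".")
        if len(san) != len(labels):
            continue
        if san == labels or (san[0] == "*" and san[1:] == labels[1:]):
            return True
    return False


def days_left(cert, now=None):
    """Days until notAfter (negative means already expired)."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expiry - (time.time() if now is None else now)) / 86400


def fetch_cert(ip, hostname, port=443):
    """Connect to the staging IP but present/verify the real pod hostname (SNI)."""
    ctx = ssl.create_default_context()  # system CA store, as a browser would use
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    pod = "edlq.fa.us2.oraclecloud.com"  # pod hostname from the post's example
    ip = socket.gethostbyname(staging_host("fa", "us2"))
    cert = fetch_cert(ip, pod)
    issuer = dict(attr for rdn in cert["issuer"] for attr in rdn)
    print("staging IP:", ip)
    print("issuer CN:", issuer.get("commonName"))
    print("SAN covers pod:", hostname_matches(cert, pod))
    print("days until expiry: %.1f" % days_left(cert))
```

Because the connection is verified against the system CA store, a staging certificate chained to a CA you do not trust fails in fetch_cert rather than being silently accepted.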
How can our Network/Application administrators and integration partners import the Fusion SSL Certificates?
The basic keytool commands below can be used to import the certificates provided. Import the root CA and intermediate CA first (with -trustcacerts), then the server certificate. The generic commands are:
<JAVA_HOME>/bin/keytool -import -trustcacerts -alias <name for rootCA> -keystore <Keystore name>-keystore.jks -file <rootCA file>
<JAVA_HOME>/bin/keytool -import -trustcacerts -alias <name for intermediateCA> -keystore <Keystore name>-keystore.jks -file <intermediateCA file>
<JAVA_HOME>/bin/keytool -import -alias <name for server certificate> -keystore <Keystore name>-keystore.jks -file <server cert file>
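An added example (not from the original post) that wraps the three imports above so they always run in chain order and then confirms the aliases are present in the keystore. It assumes JAVA_HOME is set, that the alias names and file names are placeholders for the files in the downloaded zip, and that keytool -list prints one "<alias>, <date>, trustedCertEntry," line per trusted entry.

```python
# Added example (not part of the original post): run the post's three keytool
# imports in order (root, intermediate, server) and verify the result.
# Assumptions: JAVA_HOME is set; alias/file names are placeholders; `keytool
# -list` prints one "<alias>, <date>, trustedCertEntry," line per trusted entry.
import os
import subprocess

KEYTOOL = os.path.join(os.environ.get("JAVA_HOME", ""), "bin", "keytool")
ALIASES = ("fusion-root", "fusion-intermediate", "fusion-server")


def import_commands(keystore, root, inter, server):
    """argv lists in import order: CA certs get -trustcacerts, the server cert does not."""
    ks = f"{keystore}-keystore.jks"  # naming convention used in the post

    def ca(alias, path):
        return [KEYTOOL, "-import", "-trustcacerts", "-alias", alias,
                "-keystore", ks, "-file", path, "-noprompt"]

    return [
        ca(ALIASES[0], root),
        ca(ALIASES[1], inter),
        [KEYTOOL, "-import", "-alias", ALIASES[2], "-keystore", ks,
         "-file", server, "-noprompt"],
    ]


def trusted_aliases(keytool_list_output):
    """Parse `keytool -list` output into the set of trustedCertEntry aliases."""
    aliases = set()
    for line in keytool_list_output.splitlines():
        if "trustedCertEntry" in line:
            aliases.add(line.split(",", 1)[0].strip())
    return aliases


def import_chain(keystore, root, inter, server, storepass):
    """Import root, intermediate and server cert, then fail if any alias is missing."""
    for argv in import_commands(keystore, root, inter, server):
        subprocess.run(argv + ["-storepass", storepass], check=True)
    listing = subprocess.run(
        [KEYTOOL, "-list", "-keystore", f"{keystore}-keystore.jks", "-storepass", storepass],
        check=True, capture_output=True, text=True).stdout
    missing = set(ALIASES) - trusted_aliases(listing)
    if missing:
        raise RuntimeError(f"aliases not found after import: {sorted(missing)}")
    return trusted_aliases(listing)
```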
Getting the certificate as per the Data Center (us2 for Lattice):
| S.No | Data centre | DC code | Certificate zip attachment |
|---|---|---|---|
| 1 | CA2 - Toronto | ca2 | _.fa.ca2.oraclecloud.com.zip |
| 2 | CA3 - Calgary | ca3 | _.fa.ca3.oraclecloud.com.zip |
| 4 | AP2 - Singapore | ap2 | _.fa.ap2.oraclecloud.com.zip |
| 5 | AP4 - Melbourne | ap4 | _.fa.ap4.oraclecloud.com.zip |
| 6 | AP5 - Tokyo | ap5 | _.fa.ap5.oraclecloud.com.zip |
| 7 | EM2 - Amsterdam | em2 | _.fa.em2.oraclecloud.com.zip |
| 10 | EM5 - Munich | em5 | _.fa.em5.oraclecloud.com.zip |
| 12 | US2 - Chicago | us2 | _.fa.us2.oraclecloud.com.zip |
Once the certificate zip is downloaded, the DBAs import the certificates into the server's keystore.