Oracle strongly recommends that you use the Secure Socket Layer (SSL) protocol and HTTPS for all connections to the Oracle Enterprise Manager Web site. There are two methods for setting up the Enterprise Manager Web site for secure connections:
■ Using SSL For Your Testing Environment
■ Using SSL for Your Production Environment The following sections describe these methods in detail.
Using SSL For Your Testing Environment
In your testing or development environment, you can enable SSL for the Enterprise Manager Web site without performing any significant configuration steps.
However, this method of enabling security is based on a standard SSL Server Identity that is not trustworthy. Consider this method of setting up SSL if you are investigating SSL for the first time. This method of setting up security is not recommended for production systems.
To enable SSL for the Enterprise Manager Web site in your testing environment:
1. Stop the Enterprise Manager Web site.
For more information, see"Starting and Stopping the Oracle Enterprise Manager Web Site" on page 3-9
2. Enter the followingemctl command:
emctl set ssl test
Note: The emctl command used in the following procedures is located in the following directory:
(UNIX)ORACLE_HOME/bin (Windows)ORACLE_HOME\bin
About the Oracle Enterprise Manager Web Site
3. Restart the Enterprise Manager Web site.
4. Connect to the Web site using the following HTTPS address:
https://server_name:1810
To disable SSL in your testing environment:
1. Stop the Enterprise Manager Web site.
For more information, see"Starting and Stopping the Oracle Enterprise Manager Web Site" on page 3-9.
2. Enter the followingemctl command:
emctl set ssl off
3. Restart the Enterprise Manager Web site.
4. Connect to the Enterprise Manager Web site using the following unsecured address:
http://server name:1810
Using SSL for Your Production Environment
For your production systems, Oracle strongly recommends that you set up security for the Enterprise Manager Web site using a valid security certificate. For more information about security certificates, see the Oracle9i Application Server Security Guide.
To set up SSL for Enterprise Manager Web site in your production environment:
1. Generate a Request for a new SSL Server Site Certificate by entering the following command:
emctl gencertrequest
Note: Perform each of the steps in this section in the order specified. Do not repeat the same step multiple times or skip any steps. You may repeat this procedure any number of times provided that you start at Step 1 each time.
About the Oracle Enterprise Manager Web Site
Enterprise Manager generates a Certificate Request, stores the request in a file calledserver.csr, and shows you the location of this file. The content of the file looks similar to the output shown inExample 3–1.
2. Copy the Certificate Request text, paste it into an e-mail message, and send the message to a certificate authority.
For more information about certificate authorities, see the Oracle9i Application Server Security Guide.
The Certificate Authority returns to you two certificate files. One is the
Certificate Authority Certificate and the other is the SSL Server Site Certificate.
The content of each Certificate file looks similar to the one shown in Example 3–2.
3. Install the Certificate Authority Certificate, as follows:
a. Save the Certificate Authority Certificate and note the location of the file.
b. Enter the following command:
emctl installcert -ca certificate_authority_certificate_path For example:
emctl installcert -ca /home/myfiles/cacertificate.cer
If the certificate is installed successfully, the following message appears:
OC4J keystore was updated at
$ORACLE_HOME/sysman/j2ee/server/keystore.secure 4. Install the SSL Server Site Certificate, as follows:
a. Save the Server Site Certificate and note the location of the file.
b. Enter the following command:
emctl installcert -cert SSL_Server_Site_Certificate_path For example:
emctl installcert -cert /home/myfiles/ssl_certificate.cer
If the SSL Site Certificate is installed successfully, the following message appears:
OC4J keystore was updated at
$ORACLE_HOME/sysman/j2ee/server/keystore.secure
About the Oracle Enterprise Manager Web Site
OC4J keystore is ready for SSL.
5. Password protect your new SSL Server Site Certificate.
Steps 1 through 4 establish the material needed for the Enterprise Manager Web site to act as a unique and trustworthy SSL Server Site. Oracle recommends that you protect this material with a password. The initial default password is
"welcome". To modify the password, enter the following command:
emctl set ssl password old_password new_password For example:
emctl set ssl password welcome manchester123
6. Enable SSL for the Enterprise Manager Web site as follows:
a. Stop the Enterprise Manager Web site.
For more information, see"Starting and Stopping the Oracle Enterprise Manager Web Site" on page 3-9.
b. Enter the followingemctl command:
emctl set ssl test
c. Restart the Enterprise Manager Web site.
d. Connect to the Web site using the following HTTPS address:
https://server_name:1810
Example 3–1 Sample Certificate Request ---BEGIN NEW CERTIFICATE
REQUEST---MIIBpzCCARACAQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDDAKBgNVBAcT A0VNRDEMMAoGA1UEChMDRU1EMQwwCgYDVQQLEwNFTUQxGTAXBgNVBAMTEFRFU1QgQ0VSVElGSUNB VEUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM1saVui7S/f+bFLMBmP2nFhHcAf/RNMViWg 5-MRTBBCIanSPTtABle54VOrTEXPACbmbedDIeMbr+585=wjC+MHaJoEtEXSUVrOYin4OP-XOX-H I2GfwYnYf4G6ZmbvopKPYx9NxfKdqathbiR8ayG+TH92YsoOJdsyry2nnDltAgMBAAGgADANBgkq hkiG9w0BAQQFAAOBgQClZmkgwhQUjmFMaFCx2+wMZQNpQ0AQEtaz3MNQeChIIVkZLeGRoZ0g4HFX CL1SOp2Jl2+dKuW4N+xa9y9Vo0vVtAAY7l7a4r83CyotaMOLXW70YuxRxzs6a3OxwlH1AUFr3KUY xyr/IjOxYRyMOnk4INLK6EC1ght+BnYHo77imw==
---END NEW CERTIFICATE
REQUEST---About the Oracle Enterprise Manager Web Site
Example 3–2 Sample SSL Certificate ---BEGIN