Thursday, July 13, 2017

How to get A+ on SSL Labs running Tomcat

In my previous post, we brought our Tomcat server to Grade A on SSL Labs.
However, achieving A+ requires more.

You need to enable HSTS. You can follow this post to enable HSTS.

One problem I encountered with SSL Labs is SNI. If the test is run against the default domain, the HSTS test passes. If it is run against another domain, the HSTS test fails, so you end up with Grade A instead of A+.

So make sure you test using your default domain.
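As an added example (not part of the original post), a small Python checker for the HSTS header that SSL Labs looks for: parse_hsts splits the directives, hsts_problems applies the long max-age requirement, and fetch_hsts retrieves the header while sending the hostname as the SNI name, which is what the SNI note above turns on. The 180-day threshold and the function names are my assumptions.

```python
import http.client
import ssl
from typing import Optional

# Assumed A+ threshold: 180 days; confirm against the current SSL Labs rating guide.
MIN_MAX_AGE = 180 * 24 * 3600


def parse_hsts(header: Optional[str]) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives.
    Valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    if not header:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def hsts_problems(header: Optional[str], min_age: int = MIN_MAX_AGE) -> list:
    """Return the reasons a header would fail the A+ check; [] means it passes."""
    d = parse_hsts(header)
    if not d:
        return ["no Strict-Transport-Security header"]
    age = d.get("max-age")
    if age is None or age is True:
        return ["max-age directive missing"]
    try:
        seconds = int(age)
    except ValueError:
        return ["max-age is not an integer: %r" % age]
    if seconds < min_age:
        return ["max-age %d is below %d seconds" % (seconds, min_age)]
    return []


def fetch_hsts(host: str, port: int = 443) -> Optional[str]:
    """HEAD / over TLS; HTTPSConnection sends host as the SNI name, so the
    matching Tomcat virtual host answers rather than the default one."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    conn.close()
    return resp.getheader("Strict-Transport-Security")
```

Run hsts_problems(fetch_hsts("your.default.domain")) against each hostname you intend to submit to SSL Labs; a non-empty list explains why that host would stop at Grade A.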

Monday, July 3, 2017

ORDS Install/Upgrade (ORDS Versions 3.0 to 21.4)

Install

If your ORDS configuration directory is e:\ords, use e:\ below; do not include \ords.

Stop Tomcat
copy ords.war apex.war
rmdir $CATALINA_HOME/webapps/apex
copy apex.war $CATALINA_HOME/webapps/
java -jar apex.war configdir e:\
java -jar apex.war

Validate ORDS installation
java -jar apex.war validate

Run this if validation fails
java -jar apex.war schema

Configure Multiple Databases
Do not specify a workspace-id when adding the APEX database.
java -jar apex.war setup --database dev
java -jar apex.war map-url --type base-path /dev dev
Start Tomcat


Upgrade


Stop Tomcat
copy ords.war apex.war
rmdir $CATALINA_HOME/webapps/apex
copy apex.war $CATALINA_HOME/webapps/
java -jar apex.war configdir e:\
java -jar apex.war schema
Start Tomcat

Saturday, July 1, 2017

SSL Reverse Proxy using stunnel without using Oracle Wallet

EDIT: Using nginx is a better solution.

Making an HTTPS call from Oracle is a nightmare. At a minimum, you need to import the site certificate into an Oracle wallet.

However, if there is any problem with the certificate, it is next to impossible to debug.
Oracle XE doesn't come with Oracle wallet, utl_http may not support SNI, and all of this depends on the Oracle database version, etc.

As a workaround, use stunnel to listen on localhost and let it talk to the remote site over HTTPS.

In this example, stunnel listens on port 8103 for plain HTTP and talks to the remote site on port 8443 over HTTPS,
so a request to http://127.0.0.1:8103 behaves just like a request to https://web1.remote.com:8443.

stunnel.conf
[web1]
client = yes
; bind the plaintext side to loopback only, so just local processes (the database) can reach it
accept = 127.0.0.1:8103
connect = web1.remote.com:8443
; CA bundle used to validate the remote site's certificate
CAfile = ca-certs.pem
; CAfile alone does not turn verification on; these two stunnel 5.x options make it
; check the chain against CAfile and the certificate name against the remote host
verifyChain = yes
checkHost = web1.remote.com