It might be an organizational requirement that web applications have HTTPS enabled even for internal use. If you are hosting Oracle APEX on premises, you can still configure it to use HTTPS.

HTTPS encrypts data transferred between the server and the user’s browser. You never know whether an employee outside the IT department is actually a computer wizard who can sniff out confidential information. Like it or not, anybody with an Internet connection these days can learn how to hack.

So to safeguard your data, you must configure Oracle APEX to use HTTPS. Better safe than sorry, my dear administrators.

If you’ve followed my article on how to set up Oracle APEX and ORDS on Windows 10, the next logical step surely is to secure it.

Configure Oracle APEX to use HTTPS: Generating a keystore file

The first step to configure Oracle APEX to use HTTPS is to generate a .keystore file. Your Java JRE installation includes the keytool utility, which creates the .keystore file.

What is a keystore file?

The keystore file (.jks) contains the server’s certification, including its private key, which is used for cryptography. The keystore file is protected with a password. Each keystore entry has a unique alias that refers to a particular certificate. (Courtesy of Refinitiv)

Open Command Prompt as an Administrator and then change the directory to the bin folder of your Java installation. It is usually located at one of the paths below:

C:\Program Files (x86)\Java\jre1.8.0_152\bin

or

C:\Program Files\Java\jre1.8.0_152\bin
Command used:

cd C:\Program Files (x86)\Java\jre1.8.0_152\bin
Configure Oracle APEX to use HTTPS: Change directory to bin folder in Java JRE installation location.

Then run the keytool.exe program with the following parameters.

keytool -genkey -alias localhost -keyalg RSA -keystore /temp/keystore/localhost.keystore

genkey: generate a key pair and store it in the .keystore file
alias: name of the keystore entry (here, the name of your host)
keyalg: key algorithm
keystore: location for the keystore file

It will then prompt you with several questions as below. Answer them according to your preferences, and when you reach the “(RETURN if same as keystore password)” prompt, just press ‘Enter’ to proceed with the .keystore file generation. You can view the image below for my inputs as your reference too.

C:\Program Files (x86)\Java\jre1.8.0_152\bin>keytool -genkey -alias localhost -keyalg RSA -keystore /temp/keystore/localhost.keystore

Enter keystore password: "Enter your preferred password"

Re-enter new password: "Verify your password"

What is your first and last name?
  [Unknown]:  "Enter info based on your preference"

What is the name of your organizational unit?
  [Unknown]:  "Enter info based on your preference"

What is the name of your organization?
  [Unknown]:  "Enter info based on your preference"

What is the name of your City or Locality?
  [Unknown]:  "Enter info based on your preference"

What is the name of your State or Province?
  [Unknown]:  "Enter info based on your preference"

What is the two-letter country code for this unit?
  [Unknown]:  "Enter info based on your preference"

Is CN=tech 201, OU=tech201, O=tech201, L=New York, ST=New York, C=US correct?
  [no]:  yes (type in 'yes')

Enter key password for <localhost>
        (RETURN if same as keystore password): "Press Enter"
Configure Oracle APEX to use HTTPS: Generating a .keystore file.

You can either keep the default proprietary .jks file or convert it to an industry-standard PKCS12 file. Use the command below to convert your .jks file to .p12.

When prompted for the password, enter the password you chose when generating the .keystore file.

keytool -importkeystore -srckeystore /temp/keystore/localhost.keystore -destkeystore /temp/keystore/localhost.p12 -srcstoretype JKS -deststoretype PKCS12

*replace localhost with your own file name.

A copy of the .jks file will be kept at the same location with the .OLD extension in case you need to use it again in the future.

Configure Oracle APEX to use HTTPS: Convert .jks to .p12.

Configure Oracle APEX to use HTTPS: Creating a self signed certificate signing request

Once you’ve generated your keystore file, the next step is to self-sign it. Use the command below, replacing values where necessary; it writes the certificate signing request to the file localhost.csr.

C:\Program Files (x86)\Java\jre1.8.0_152\bin>keytool -certreq -keyalg RSA -alias localhost -file localhost.csr -keystore /temp/keystore/localhost.keystore

Enter keystore password: "Type in password used when creating .keystore file"

*Replace localhost with the name that you used.

Configure Oracle APEX to use HTTPS: Configure the Apache Tomcat server.xml file

Open the Apache Tomcat 9 server.xml file, which is located in the conf folder, in Notepad. The conf folder is usually at one of the following paths:

C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\conf

or

C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf

Add the statement below just before the line “<!-- Define an AJP 1.3 Connector on port 8009 -->”, editing where necessary:

<Connector 
port="8443" 
protocol="HTTP/1.1" 
SSLEnabled="true"
maxThreads="150" 
scheme="https" 
secure="true"
keystoreFile="/temp/keystore/localhost.keystore" 
keystorePass="Your password used when creating .keystore file"
clientAuth="false" 
sslProtocol="TLS" 
sslVerifyClient="optional"
sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"/>

Find and deactivate the other HTTPS (HTTP/1.1 and HTTP/2) connectors by wrapping them in <!-- and --> as shown below:

<!--

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

-->

and

<!--

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

-->

Configure Oracle APEX to use HTTPS: Configure the Apache Tomcat web.xml file

Open the Apache Tomcat 9 web.xml file, which is located in the conf folder, in Notepad. The conf folder is usually at one of the following paths:

C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\conf

or

C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf

Add the following block just before the closing </web-app> tag (at the bottom of the file):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The <url-pattern> tag is set to /*. As a result, every web application hosted on your Apache Tomcat server is accessible only over HTTPS, and other requests are redirected to an HTTPS connection.

The <transport-guarantee> tag is set to CONFIDENTIAL. This ensures that the web applications on your Apache Tomcat server are served over HTTPS.

If you need to switch off HTTPS, simply change the value in the <transport-guarantee> tag from CONFIDENTIAL to NONE.

Last but not least, launch services.msc and restart the Apache Tomcat 9.0 service.
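
A quick check of the two files edited above, as an added example that is not part of the original article: it parses constructed copies of the connector and the security-constraint shown here and reports legacy protocol names in sslEnabledProtocols, a clear-text keystorePass, and whether /* is bound to CONFIDENTIAL. The function names and the placeholder password are assumptions, and the check covers only the connector-attribute style used in this article.

```python
import xml.etree.ElementTree as ET

# Protocol names a TLS connector should no longer offer (TLS 1.1 and older).
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample inputs mirroring this article's settings (placeholder password).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
      secure="true" keystoreFile="/temp/keystore/localhost.keystore"
      keystorePass="EXAMPLE-PASSWORD" clientAuth="false" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

def local(el):
    """Tag name with any XML namespace stripped (Tomcat's web.xml declares one)."""
    return el.tag.rsplit("}", 1)[-1]

def audit_connectors(server_xml):
    """Return (port, finding) pairs for each SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector, nothing TLS-related to check
        port = conn.get("port")
        offered = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")}
        for name in sorted(offered & LEGACY_PROTOCOLS):
            findings.append((port, "legacy protocol enabled: " + name))
        if conn.get("keystorePass"):
            findings.append((port, "keystore password stored in clear text"))
    return findings

def https_enforced(web_xml):
    """True if a security-constraint maps /* to transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e) == "security-constraint"):
        values = [(local(e), (e.text or "").strip()) for e in sc.iter()]
        if ("url-pattern", "/*") in values and ("transport-guarantee", "CONFIDENTIAL") in values:
            return True
    return False

if __name__ == "__main__":
    for port, finding in audit_connectors(SERVER_XML):
        print(port, finding)
    print("HTTPS enforced for /*:", https_enforced(WEB_XML))
```

For the connector in this article the check reports TLSv1.1 and SSLv2Hello; restricting sslEnabledProtocols to TLSv1.2 clears both findings. Because keystorePass sits in server.xml in clear text, limit read access to that file to administrators and the Tomcat service account.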

Configure Oracle APEX to use HTTPS: Accessing your Oracle APEX 20.2 instance via HTTPS

Now for the moment of truth: if everything is configured properly, you should be able to access the Apache Tomcat web management portal and your Oracle APEX 20.2 instance securely via HTTPS. Enter the links below into your web browser and accept the invalid certificate notification:

Tomcat web management page: https://localhost:8443/ 

Oracle APEX 20.2 instance: https://localhost:8443/ords
Configure Oracle APEX to use HTTPS: Accessing APEX on HTTPS.

Congratulations! Your Oracle APEX 20.2 instance is now accessible via HTTPS, and data flowing between your server and browser is now encrypted. If you have other apps installed on your Apache Tomcat web server, they will be accessible via HTTPS as well.

If you look closely, you’ll see that there is a caution sign on the padlock. This is because the certificate generated is only self-signed. You’d need to fork out some dough to get a valid one from a certificate authority such as Comodo.

If your Oracle APEX is not internet-facing, then it would be okay to leave it as it is. The HTTPS connection still encrypts your data and it is still secured.

Conclusion on how to configure Oracle APEX to use HTTPS

This guide assumes that your Oracle APEX 20.2, ORDS and Apache Tomcat 9 setup is the same as in my previous related articles, most of which use default values. If yours is different, you will need to adjust some of the values in the code or commands.

Setting up HTTPS for your APEX instance requires some technical knowledge. I believe that this guide is simple enough for many system administrators to follow. If you found a better one, do let me know in the comments so that we can all improve our setups.

I hope you enjoyed this tutorial and do feel free to ask any related questions or correct me if there is anything wrong within this article.
