If you experience problems accessing the Oracle web interface (https://localhost:1158/em), it is most probably because Windows certificate validation is blocking it.
Microsoft has announced that the use of RSA certificates whose keys are shorter than 1024 bits will be blocked.
The RSA root certificate issued by Oracle is 512 bits and is considered weak by Microsoft. The proper solution is for Oracle to create and issue a proper certificate, since, in my opinion, this is Oracle's fault for overlooking the security issue. However, there is a work-around, and it is to reduce the security of Microsoft Windows (not advisable, but if you have no other choice).
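Before relaxing any setting it is worth confirming which certificate in the chain is actually the short one. The PowerShell script below is an added example, not part of the original post: it connects to the EM address used above (assumed to be localhost:1158), builds the chain for the certificate the server presents, and flags any RSA key shorter than 1024 bits.

```powershell
# Added example (not from the original post): list every certificate in the chain
# presented by a TLS endpoint and flag RSA keys under 1024 bits, so the cause is
# confirmed before any Windows policy is weakened. Defaults assume the EM address
# used in the post (localhost:1158).
function Get-TlsChainKeySizes {
    param([string]$HostName = 'localhost', [int]$Port = 1158)

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: we only want to inspect the chain, not trust it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Build the chain from the local store; a partial build still yields the elements found.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    foreach ($el in $chain.ChainElements) {
        $c   = $el.Certificate
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }   # null for non-RSA keys
        [pscustomobject]@{
            Subject   = $c.Subject
            Algorithm = $c.PublicKey.Oid.FriendlyName
            KeyBits   = $bits
            WeakRsa   = ($null -ne $bits -and $bits -lt 1024)
            Status    = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

Get-TlsChainKeySizes | Format-Table -AutoSize
```

If Schannel refuses the handshake outright, the exception raised by AuthenticateAsClient is itself the diagnostic.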
certutil -setreg chain\minRSAPubKeyBitLength 512
RSA Minimum Public Key Length
By default, this key does not exist in the Windows registry and the minimum defaults to 1024 bits. You can change it with the certutil command above.
You may revert to the default by deleting the registry key:
certutil -delreg chain\minRSAPubKeyBitLength
Enable Weak Root Certificate
certutil -setreg chain\EnableWeakSignatureFlags 2
Flag value 2 tells Windows to allow weak certificate signatures and disables logging. If you feel there is a need to log weak signatures, use flag value 8. The flag values and their meanings are:
2 - unblock and do not log
4 - block and log, WeakSignatureLogDir required
6 - block and log, WeakSignatureLogDir required
8 - unblock and log, WeakSignatureLogDir required
certutil -setreg chain\WeakSignatureLogDir "c:\weaksignaturelog"
Ensure c:\weaksignaturelog has proper permissions set.
Allow signatures that were signed before January 2010
The WeakRsaPubKeyTime is an 8-byte REG_BINARY value that contains a Windows FILETIME data type stored as UTC/GMT. This value exists primarily to reduce potential problems caused by blocking keys shorter than 1024 bits for Authenticode signatures. Certificates that were used to sign code before the configured date and time are not checked for keys shorter than 1024 bits. By default this registry value is not present and is treated as midnight UTC/GMT on January 1, 2010.
Note: This setting only applies when a certificate was used to Authenticode sign a time-stamped file. If the code is not time stamped, then the current time is used and the WeakRsaPubKeyTime setting is not used.
The WeakRsaPubKeyTime setting allows you to configure the date before which older signatures are considered valid. If you have reason to set a different date and time for the WeakRsaPubKeyTime, you can use certutil to set a different date. For example, if you wanted to set the date to August 29, 2010, you could use the following command:
certutil -setreg chain\WeakRsaPubKeyTime @08/29/2010
If you must set a specific time, such as 6:00 PM on July 4, 2011, then add the number of days and hours in the format +[dd:hh] to the command. Because 6:00 PM is 18 hours after midnight on July 4, 2011, you would run the following command:
certutil -setreg chain\WeakRsaPubKeyTime @01/15/2011+00:18
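The three settings above (minRSAPubKeyBitLength, EnableWeakSignatureFlags with WeakSignatureLogDir, and WeakRsaPubKeyTime) are easy to set and forget. The following PowerShell script is an added example, not part of the original post: it reads those values back from the chain-engine configuration key that certutil -setreg chain\ writes to, decodes the FILETIME, and lists every value that weakens Microsoft's default policy. The flag meanings are taken from the table above.

```powershell
# Added example (not from the original post): audit the chain-engine registry values
# written by "certutil -setreg chain\..." and report anything weaker than the defaults.
# Read-only; run from an elevated PowerShell on the machine where the work-around was applied.
$ChainConfig = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

# Flag meanings as listed in the post
$FlagMeaning = @{ 2 = 'unblock and do not log'; 4 = 'block and log'
                  6 = 'block and log';          8 = 'unblock and log' }

function Get-WeakRsaPolicy {
    $p = Get-ItemProperty -Path $ChainConfig -ErrorAction SilentlyContinue
    $findings = [System.Collections.Generic.List[string]]::new()

    # minRSAPubKeyBitLength: a missing value means the 1024-bit default applies
    $minBits = if ($null -ne $p.minRSAPubKeyBitLength) { [int]$p.minRSAPubKeyBitLength } else { 1024 }
    if ($minBits -lt 1024) { $findings.Add("minRSAPubKeyBitLength lowered to $minBits bits") }

    # EnableWeakSignatureFlags: 2 and 8 let weak signatures through; 4, 6 and 8 need a log directory
    $flags = if ($null -ne $p.EnableWeakSignatureFlags) { [int]$p.EnableWeakSignatureFlags } else { 0 }
    if ($flags -in 2, 8) { $findings.Add("EnableWeakSignatureFlags=$flags ($($FlagMeaning[$flags]))") }
    if (($flags -in 4, 6, 8) -and -not $p.WeakSignatureLogDir) {
        $findings.Add("EnableWeakSignatureFlags=$flags requires WeakSignatureLogDir, which is not set")
    } elseif ($p.WeakSignatureLogDir -and -not (Test-Path -LiteralPath $p.WeakSignatureLogDir)) {
        $findings.Add("WeakSignatureLogDir '$($p.WeakSignatureLogDir)' does not exist")
    }

    # WeakRsaPubKeyTime: 8-byte FILETIME in UTC; missing means midnight UTC on 2010-01-01
    $default = [datetime]::new(2010, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
    $cutoff  = $default
    if ($p.WeakRsaPubKeyTime) {
        $ticks  = [System.BitConverter]::ToInt64([byte[]]$p.WeakRsaPubKeyTime, 0)
        $cutoff = [datetime]::FromFileTimeUtc($ticks)
        if ($cutoff -gt $default) { $findings.Add("WeakRsaPubKeyTime moved forward to $($cutoff.ToString('u'))") }
    }

    [pscustomobject]@{
        MinRsaBits       = $minBits
        Flags            = $flags
        LogDir           = $p.WeakSignatureLogDir
        WeakRsaCutoffUtc = $cutoff
        Findings         = $findings
    }
}

Get-WeakRsaPolicy | Format-List
```

An empty Findings list means the machine is back on Microsoft's defaults, which is the state to return to once Oracle supplies a proper certificate.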
Trusted Root Certificate
You should install the certificate into Windows as a Local Machine, Trusted Root Certification Authority certificate. This is how you do it: when the web interface is accessed with IE, click on the certificate error, then click View Certificate and click Install.
If you need to delete old Oracle certificates that were accidentally installed, use the Manage Certificates console.
Security Zone Problem
If you have done all of the above and still receive a blank web page when you access https://pcname:1158/em, it is very likely that the web security zone is wrong, especially if you can access https://localhost:1158/em, because localhost is in the Intranet Zone.
If you access it via https://localhost, there is a certificate error stating an address mismatch, because the Oracle trusted certificate is for http://pcname.
By default, the URL https://pcname is placed in the Internet Zone. To force this URL into the Intranet Zone, add it to the site list of the Intranet Zone in Internet Options.
Other references:
http://www.careexchange.in/install-and-configure-certificate-authority-in-windows-server-2016/
https://support.microsoft.com/en-us/help/2661254/microsoft-security-advisory-update-for-minimum-certificate-key-length