Setup Let’s Encrypt SSL/TLS & Oracle Rest Data Services


Oracle Database Cloud Service (in Oracle Cloud Infrastructure – Classic) comes with APEX and Oracle Rest Data Services (ORDS) ready and raring to go.

Specifically, this “guide” pertains to ORDS running in standalone mode on Oracle DBCS in OCI-Classic. Standalone mode uses the embedded HTTP server “Jetty”. If you’re using Tomcat or WebLogic, check the appropriate documentation on how to use SSL certs there.

By default, ORDS in Oracle DBCS listens on port 443 (SSL/TLS) but uses a self-signed certificate. This may be ok for internal uses – i.e. the Database or ORDS is not exposed to the outside world – but if you need to connect other cloud services like Oracle Stream Analytics, a real SSL/TLS cert is required. Required in this sense means that Stream Analytics will not allow a connection to be created to ORDS unless it is using a certificate that is signed by a trusted provider like Verisign or Thawte.

Getting an SSL certificate is out of the scope of this post, but they are reasonably easy to acquire. Services like Let’s Encrypt make SSL certs available for free – the caveat is that they expire every 90 days, so the conversion and restart steps below have to be repeated at each renewal.

For the purposes of this guide – my DBCS hostname is host.domain.com and I am putting my certificates and keys in /home/oracle/ords_ssl. Change these as appropriate.

However you get your cert, you need the following files to configure SSL/TLS in ORDS (the private key, plus either the certificate or – preferably – the full chain):

  • A private key – in my case host.domain.com.private-key.pem
  • the full chain for the certificate – host.domain.com.fullchain.crt – (this is particularly important when using a Let’s Encrypt certificate)
  • the SSL/TLS certificate itself – host.domain.com.crt – this can be used in lieu of the full chain certificate. When using Let’s Encrypt it seems better to use the full chain, however, as the intermediate and root certificates are also included, so clients that do not already know the Let’s Encrypt intermediate can still build a trust path.

If you get the above files in PEM format, then you need to convert them to DER format when running ORDS in standalone mode. The private key additionally has to be in unencrypted PKCS#8 form, which is what the -topk8 and -nocrypt options below produce.

To convert the private key to DER format, use the following OpenSSL command:

openssl pkcs8 -topk8 -inform PEM -outform DER -in host.domain.com.private-key.pem -out host.domain.com.private-key.der -nocrypt

To convert the certificate to DER format, use the following:

openssl x509 -inform PEM -outform DER -in host.domain.com.crt -out host.domain.com.crt.der

The same command can be used to convert the full chain file if you choose to use that:

openssl x509 -inform PEM -outform DER -in host.domain.com.fullchain.crt -out host.domain.com.fullchain.crt.der

Edit the /u01/app/oracle/product/ords/conf/ords/standalone/standalone.properties file to update the following parameters to point to the converted certificates.

Obviously, replace the path and file name as appropriate (if you are using the full chain, point ssl.cert at host.domain.com.fullchain.crt.der instead).

ssl.cert=/home/oracle/ords_ssl/host.domain.com.crt.der
ssl.cert.key=/home/oracle/ords_ssl/host.domain.com.private-key.der
ssl.host=host.domain.com

Finally, restart ORDS using /etc/init.d/ords restart so that Jetty picks up the new certificate and key.

When you browse to https://host.domain.com you should now see that the page is secured with a trusted certificate rather than the self-signed one it was using before.
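The conversion, properties edit, restart and check above, collected into one script. This is an added example and not part of the original post: it assumes the post’s layout (files in /home/oracle/ords_ssl named after host.domain.com, the standalone.properties path given above, and the /etc/init.d/ords service), uses the full chain for ssl.cert as the post recommends for Let’s Encrypt, and the "install" argument is just this script’s own convention so the functions can be sourced without running anything. Beyond the post, it also locks the converted private key down to owner-only permissions, rewrites the ssl.* keys without clobbering the rest of standalone.properties, and confirms from the outside that ORDS serves a chain a client verifies as trusted.

```shell
#!/bin/sh
# Added example (not from the original post): PEM -> DER/PKCS#8 conversion,
# standalone.properties update, restart and post-restart check for ORDS standalone.
set -eu

# Assumed layout, matching the post; override via environment if yours differs.
SSL_DIR="${SSL_DIR:-/home/oracle/ords_ssl}"
ORDS_HOST="${ORDS_HOST:-host.domain.com}"
PROPS="${PROPS:-/u01/app/oracle/product/ords/conf/ords/standalone/standalone.properties}"

# Convert an unencrypted PEM private key to DER-encoded PKCS#8, which is what
# ORDS standalone (Jetty) expects in ssl.cert.key. The subshell umask keeps the
# output readable by the oracle user only.
key_to_der() {  # $1 = PEM key in, $2 = DER key out
  ( umask 077; openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in "$1" -out "$2" )
}

# Convert a PEM certificate (leaf or full chain) to DER for ssl.cert.
cert_to_der() {  # $1 = PEM cert in, $2 = DER cert out
  openssl x509 -inform PEM -outform DER -in "$1" -out "$2"
}

# Replace (or add) the three ssl.* keys in standalone.properties, keeping every
# other line untouched so ports and other settings survive the edit.
set_ssl_properties() {  # $1 = properties file, $2 = cert DER, $3 = key DER, $4 = host
  tmp="$1.tmp.$$"
  [ -f "$1" ] || : > "$1"
  grep -v -e '^ssl\.cert=' -e '^ssl\.cert\.key=' -e '^ssl\.host=' "$1" > "$tmp" || true
  printf 'ssl.cert=%s\nssl.cert.key=%s\nssl.host=%s\n' "$2" "$3" "$4" >> "$tmp"
  mv "$tmp" "$1"
}

# Succeeds only if the file is readable by its owner alone (mode 600 or 400);
# a private key that is group- or world-readable should never be installed.
key_mode_ok() {  # $1 = file
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Ask the running ORDS for its certificate and print subject, issuer, expiry and
# whether a client with the system CA bundle verifies the served chain.
verify_served_chain() {  # $1 = host
  out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
  printf '%s\n' "$out" | grep 'Verify return code'
}

if [ "${1:-}" = "install" ]; then
  key_to_der  "$SSL_DIR/$ORDS_HOST.private-key.pem" "$SSL_DIR/$ORDS_HOST.private-key.der"
  cert_to_der "$SSL_DIR/$ORDS_HOST.fullchain.crt"   "$SSL_DIR/$ORDS_HOST.fullchain.crt.der"
  key_mode_ok "$SSL_DIR/$ORDS_HOST.private-key.der" || {
    echo "refusing to continue: private key is readable by others" >&2; exit 1; }
  set_ssl_properties "$PROPS" "$SSL_DIR/$ORDS_HOST.fullchain.crt.der" \
                     "$SSL_DIR/$ORDS_HOST.private-key.der" "$ORDS_HOST"
  /etc/init.d/ords restart
  verify_served_chain "$ORDS_HOST"
fi
```

Run it as the oracle user with `sh ords_ssl.sh install` after each Let’s Encrypt renewal; a "Verify return code: 0 (ok)" line at the end is the same trust check a browser or Stream Analytics performs, and anything else means the chain file or the properties still point at the wrong certificate.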