How can we use SSL and our own domain name in the URL to our site?
Environment:
SSL, Custom Domain, Enablement
Oracle B2C Service
Resolution:
If you want to change the domain name in the URL for your site to a custom domain, an SSL/TLS certificate is required. It is obtained from a Certificate Authority outside of Oracle that is recognized by Oracle. Your first step is to purchase an entitlement for Custom Domain SSL Application Hosting through your sales account manager. This will give you the ability to use Oracle's self-service tools (Configuration Assistant) to generate a CSR to provide to your certificate authority. The certificate authority you choose will have its own associated costs. Once you have the certificate, you can install the files through Configuration Assistant (the self-service tool), or reach out to Technical Support for assistance.
A description of the most common certificate types used for Oracle B2C Service can be found at the following answer:
Answer ID 9251: What type of custom domain SSL certificate is best for my organization's needs?
When your site is first provisioned with Oracle B2C Service, your interfaces are added to our *.custhelp.com wildcard certificate and are provided with SSL/TLS coverage this way. The need for custom domain certificates comes in when you are interested in re-branding your website's domain with a name of your choosing. This will require that you come off our *.custhelp.com certificate and provide us with your own, which we then host in our server environment.
The following answer has a full walkthrough of this process using our self-service tools in Configuration Assistant, which you must use if your account has been 'cloudified':
Answer ID 7988: Managing SSL Certificates using Oracle B2C Service Configuration Assistant
The certificate process in self-service will begin with generating a CSR, or Certificate Signing Request, for the new custom domain. This is effectively an order form for the certificate, and the contents of the CSR will be provided in a hash format. The CSR you use to purchase your certificate must come from our tools in self-service or from Technical Support; otherwise the certificate will not be compatible with our environment, and attempting to upload the certificate through self-service will fail.
This installation process will include a change to the vhosts for the interface(s) you are updating. Every interface must have at least one primary vhost, but can have multiple alternate vhosts. Alternate vhosts always redirect to the primary vhost, and that is their only function.
When you first have your site provisioned, you will notice that an interface's primary vhost matches the example format 'companynamehelp.custhelp.com'. When your custom certificate is installed, the new custom domain you have chosen will become the primary vhost, and the original custhelp.com address will become an alternate that redirects to the new custom address.
This vhost change requires some brief downtime while the new DNS information propagates throughout the web. This generally lasts about 20 minutes. Nevertheless, it is preferable to schedule the installation for a lower-impact time.
The new vhost is associated to your original interface address by the use of CNAME records in DNS. This is a record type that defines the new custom address as an alias for the original custhelp.com address. A real-world example of this can be seen with our support pages:
id 5066
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
cx.rightnow.com. IN CNAME
;ANSWER
cx.rightnow.com. 14 IN CNAME rightnow.custhelp.com.
;AUTHORITY
;ADDITIONAL
These CNAME records will need to be added by your local DNS administrators. The CNAME must be in place prior to making any vhost changes. If the records are not in place and the vhost records are changed, you would face a significant site-down scenario. For this reason, our self-service system performs a CNAME check; if no record is present, it will prevent the change and will lock the user out from further changes.
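A pre-flight version of that CNAME check, written here as an added example (it is not Oracle's tooling or its actual check). It reads a DNS response in the text format shown above and reports whether the custom domain is aliased to the expected custhelp.com host; the function names and the second, constructed response for help.example.com are assumptions made for illustration.

```python
# Added example: offline pre-flight check of a CNAME answer before a vhost change.
PAGE_RESPONSE = """\
id 5066
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
cx.rightnow.com. IN CNAME
;ANSWER
cx.rightnow.com. 14 IN CNAME rightnow.custhelp.com.
;AUTHORITY
;ADDITIONAL
"""

# Constructed sample: the query succeeded but no CNAME has been created yet.
NO_RECORD_RESPONSE = """\
rcode NOERROR
;QUESTION
help.example.com. IN CNAME
;ANSWER
;AUTHORITY
"""

def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def answer_cnames(response_text):
    """Return {owner: target} for CNAME records found in the ;ANSWER section only."""
    records, section = {}, None
    for line in response_text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            section = line[1:].upper()
            continue
        fields = line.split()
        # Answer records read: owner TTL class type rdata. The ;QUESTION line
        # also says "IN CNAME" but is not a record, so it must not count.
        if (section == "ANSWER" and len(fields) == 5
                and [f.upper() for f in fields[2:4]] == ["IN", "CNAME"]):
            records[_norm(fields[0])] = _norm(fields[4])
    return records

def cname_preflight(response_text, custom_domain, interface_host):
    """Return 'ok', 'missing' or 'wrong-target' for the planned vhost change."""
    target = answer_cnames(response_text).get(_norm(custom_domain))
    if target is None:
        return "missing"
    return "ok" if target == _norm(interface_host) else "wrong-target"
```

Only an "ok" result means the alias is in place; "missing" and "wrong-target" both mean the DNS record needs attention before the vhost change is attempted.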
The most common causes of issues in self-service are attempting to use a CSR that was not generated from our self-service tools, not having the CNAME in place before making vhost changes, or not purchasing a certificate from a major, reputable Certificate Authority.
Oracle sends renewal notices automatically 90 days in advance of a certificate's expiration date. You should also receive courtesy notices from your cert vendor. Every year you will need to use a new CSR to purchase the cert, to avoid private key re-use.
Please Note: If you require a www. version of your new domain to be covered with SSL on the certificate, the CSR and resulting certificate must explicitly define a Subject Alternative Name with the 'www.' version of the address. This is because the leading 'www.' is not assumed on the Internet, and must be clearly specified on a certificate in order to provide SSL coverage.
If you encounter issues uploading your certificate, please create a service request and choose 'SSL' as the product in question.
Lastly, Oracle B2C Service Technical Support recommends that you purchase your cert from DigiCert. DigiCert is the authority that has been the most thoroughly tested with our services, and your end-users and agent devices should already have native support, with all required roots installed with no additional input needed.
It is also critical to note any integrations you have that may be dependent on a vhost name and its associated IP address. It is important that all integrations be examined for hard-coded values, and the Oracle B2C Service department should be alerted to these dependencies as part of the vhost change request process.
Note: Oracle charges per IP for custom SSL. If you purchase either a wildcard or a SAN certificate, then all interfaces can use the same certificate and the same IP address. If for some reason you choose separate certificates for each interface, then each interface would require us to assign an IP address and we would need to charge for each IP used. In general, it is in the customer's best interest to cover as many domains as possible, on as few certificates as possible.
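The coverage rules behind the 'www.' note and the wildcard/SAN note above can be checked before a certificate is ordered. The following is an added example, not Oracle or CA tooling: it lists which interface hostnames a given set of Subject Alternative Names would leave uncovered, using the standard rule that a wildcard stands for exactly one leftmost label. The function names and the example.com hostnames are constructed for illustration.

```python
# Added example: which hostnames would a certificate's SAN list leave uncovered?

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")

def san_covers(san, hostname):
    """True if one SAN dNSName entry covers the hostname."""
    s, h = _labels(san), _labels(hostname)
    if s[0] == "*":
        # A wildcard replaces exactly one leftmost label: *.example.com
        # covers www.example.com, but not example.com or a.b.example.com.
        return len(h) == len(s) and h[1:] == s[1:]
    # Otherwise the match is exact; a leading 'www.' is never implied.
    return s == h

def uncovered(hostnames, san_dns_names):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_covers(s, h) for s in san_dns_names)]

# Constructed interface hostnames for a hypothetical customer.
SITES = ["example.com", "www.example.com", "help.example.com"]

def plan_report():
    """Compare three candidate certificates against the same set of sites."""
    return {
        "single name": uncovered(SITES, ["example.com"]),
        "wildcard": uncovered(SITES, ["*.example.com"]),
        "SAN list": uncovered(SITES, ["example.com", "www.example.com",
                                      "help.example.com"]),
    }

if __name__ == "__main__":
    for plan, missing in plan_report().items():
        print(f"{plan}: uncovered = {missing}")
```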
Additional Actions
Changing the vhost of an interface will result in the change of multiple application components and deployment files for the Oracle B2C Service admin console.
Please be aware that any instances of your site/interface that were installed prior to a vhost change will require a reinstall using the new launch URL.