Search This Blog

Tuesday, 28 April 2015

13.a. WebLogic Security: SSL Configuration by Java keytool for Admin Console HTTPS

You can use SSL Listen port enabled Admin console  could be configured. but the Demo Certificates can be applicable only in the development domains. In the domain directory in the security sub directory you could get DemoTrust.jks, DemoIdentity.jks files once you enabled SSL for a WebLogic server.

What are the tools to generate private and public keys?
If you machine installed with JDK then you can use Java Development Kit have default tool keytool will be used.

Alternative to keytool you can also use the OpenSource tool openSSL.

WebLogic domain SSL configurations 1-way SSL, 2way SSL


What is SSL? Why you need SSL?
Secure Socket Layer protocol. which will be combined with other protocol to provide secure communication. Secure means the data that you sender and receiver should be protected. When outside world try to trap or open that then it is unreadable format.

Can I have different identity alias  names and trust alias?
Yes, you could have different alias names. When you deal with digital certificates you need to provide root alias, intermediate cert also different. But when you import the signed certificate it should be using same alias used when keygen was created.


What is JAAS?
Unlike many other Java Specifications, this is also Java Authorization Authentication Service specification. Know about who are connecting to your application this API gives lot of features. Identifying and what customer doing during his online shopping this would give the some kind of input for feature investments. Which is implemented successfully in many Application Servers. WebLogic allows you to configure SSL communication for web application and for RMI based t3s protocol is supported.

Where Can I buy Digital Certificates?

Certificates can be sold from Certificate Authority CA is the acronym. The digital sign request you can only do when you have created a private key in a keystore and generated a root certificate. And then submit the keystore  Some of the best CA are listed below:
  • VeriSign
  • eTrust
  • entrust
  • geotrust
What is Digital Certificate?
There are multiple ways to get digital certificate for your web[WebLogic] server side certificates. Some of the file extensions used in WebLogic admin consoles are here:
  • JKS - Java Key Store
  • JCEKS - Java Cert Key Store
  • KSS - Oracle Wallet
Root Certificate means --
Intermediate Certificate means --

After receiving the certificate authority mail from CA. They will provide you the three levels of authentication. In the Windows platform using the  Base64 X.509 stores single cert file at a time. The regular Encrypted file formats are:
  • pem
  • crt
  • cer

What is Self-Signed Certificate means?

How do I get Self signed Certificate? or What are the command sequence for Certificate generation?

Step1: Creating identity and Trust key store using JKS
Command 1 :
 keytool -genkey -alias vtkey  -keyalg RSA -keysize 1024 -validity 365 -keypass welcome1 -keystore identity.jks -storepass welcome1 



Note : List of keytool commands which are changed in java 1.6 :
  • -export, renamed to -exportcert
  • -genkey, renamed to -genkeypair
  • -import, renamed to -importcert
All previous commands are still supported in this release ( keytool in java 1.6, 1.7, 1.8 and 9 ) and will continue to be supported in future releases.

Step2: Generating Certificate signing certificate and send it to certificate signing authority

Command 2 :
keytool  -export -alias vtkey  -file root.cer -keystore identity.jks -storepass welcome1



Command 3 : importing certifacte authority issued certificate
keytool -import -alias vtkey  -file root.cer -keystore trust.jks -storepass welcome1


To see the contents of the keystore use the following command :
Command :
keytool -list -v -keystore identity.jks -storepass welcome1


To see the contents of an individual certificate ( like root.cer in our case ).
Command :
keytool -printcert -file root.cer


Copy the keystore files into the WebLogic $DOMAIN_HOME location :

Below are the steps to configure Custom Identity and Custom Trust with Weblogic Server :

Step 1 : Login to Weblogic Admin console --> Environment --> Servers -->
< server_name_where_ssl_has_to_be_configured > --> Configuration -> General --> SSL Listen Port Enabled ( Check )

Note : The default SSL Listen Port would be 7002, change it if required.


Step 2 : Click on Keystores tab under " Configuration " tab :



Step 2a : Click on the drop down menu next to Keystores and sleect " Custom Identity and Custom Trust " Step 2b : Now fill in the following information :
---Identity---
Custom Identity Keystore : < location_of_identity_keystore_that_you_have_created>

NOTE : By default WLS will look for this keystore file in domain_home location.

Custom Identity Keystore Type : jks
Custom Identity Keystore Passphrase: < This_would_be_your_storepass >

---Trust---
Custom Trust Keystore : < location_of_trust_keystore_that_you_have_created>
NOTE : By default WLS will look for this keystore file in domain_home location.
Custom Trust Keystore Type : jks
Custom Trust Keystore Passphrase: < This_would_be_your_storepass >

Step 2c : Now save the changes and click on " SSL " tab :
Private Key Alias: < This_would_be_your_certificate_alias >
Private Key Passphrase: < This_would_be_your_keypass >



Step 3 : Save the changes and click on the " >Advanced " field under the " SSL " tab :
  Set the " Hostname Verification: " to None ( from the drop down menu ).
Note : We need to select the hostname verification as None if the CN of the certificate is not the same as the hostname of the machine where WLS is installed.

Now access your Weblogic Admin console over https URL : " https://localhost:7002/console "



Click on the Advanced link and click on 'Proceed' link. This is due that we have not used the digital signature of a Certification Authority.


How to know that it is self-signed or real certificate?
All self-signed certified urls will be shows "Not Secure" as shown above. When you use the real certificates that is Certifying Authority provided certificate used then the accessing HTTPs URL without prompting loads the webpage.


References:

1 comment:

  1. Whenever SSL certificate expired then we need to request for the New Certificate and after receiving the New/Renewal Certificate then after applied it then we must need to restart the WebLogic Domain then only HTTPS will work in the Environment.
    NOTE: This blog is very help to refer for all the WebLogic Environmental issues resolution.

    ReplyDelete

WebLogic Books

  • Oracle WebLogic Server 12c: Administration Handbook
  • WebLogic Diagnostic Framework
  • Advanced WebLogic Server Automation
  • Oracle SOA Suite 11g Administrator's Handbook

Popular Posts