WebLogic in Practice: SSL Configuration

Oracle WebLogic Server in Practice:
SSL Configuration
Jacco Landlust, Oracle

Simon Haslam, Veriton

Jacco & Simon
Jacco:

◦ Domain Architect Director at Oracle Consulting
◦ Oracle ACE

Simon:

◦ Founder of Veriton and now
◦ Oracle ACE Director (Middleware & SOA)
◦ UKOUG App Server & Middleware SIG Chair

Agenda
Concepts you need
 WebLogic & SSL
 Tools & Commands to manage keys


Essential Concepts


key-pair (asymmetric)



certificate



certificate authority (CA)

◦ one key to encrypt, a different key to decrypt
◦ you make one your private key, the other your public key
◦ unique to you
◦ public key
◦ signed
◦ signs certificates
◦ is independently trusted

Old school Identity Management

Identity
certificate authority

1. person sends me their cert
2. I look at who it is signed by
3. If I trust the person it is
signed by I accept their identity

signed
by
certificate

person I want to
communicate with

me

Trust
certificate authority B

1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the person it
is signed by I look at who
they are signed by and so on

certificate authority A

certificate
person I want to
communicate with

me

Certificate Chain
root certificate authority

.
.


certificate

me

Certificate Chain
root CA

root CA

.
.

root CA

Trust
Keystore


certificate

me

Establishing my Identity
root CA

.
.


Identity
Keystore

me
certificate

What's in the Certificate









The public key
Registered name/details of owner
Validity
Identity of CA
Location of CA Revocation List
Hash function summary (encrypted by CA key)

How do I know certificate is valid?
Client recreates summary "as they should be" (from
~hostname/validity)
So by now we have the
 Client hash function on summary and which we
server's public key encrypts using
can secure traffic with
CA public key
 Client compares result to public key offered by server
 If same client now has the public key for the certificate
owner and can check validity, (optionally) CRL, etc


Common tools to manage certificates
keytool
 openssl
 orapki / Oracle Wallet Manager


Overall process for creating certificate
1.

create key pair
◦ could be self signed - not much use unless every recipient is
going to add you to their trust keystore

create CSR
3. give CSR to CA
4. receive certificate back from CA
2.

Key Stores


For Fusion Middleware we're interested in:
◦ Java Keystores (JKS)
◦ Oracle Wallet (PKCS12 format)



Either:

◦ contains one or more certificates
◦ each certificate has a CN, and usually has an alias
◦ can contain both public and private keys

Type of keystore per component
Type of Keystore

Tasks

Tool

Oracle WebLogic Server

JKS-based Keystore

All Keystore operations

JDK Keytool


JKS-based Keystore

Enable SSL

Administration Console

All Java EE applications (for
example Oracle Directory
Integration Platform, Oracle
Directory Services Manager)

JKS-based Keystore


JDK Keyt

Type of keystore per component 2
Type of Keystore

Tasks

Tool

Oracle HTTP Server
Oracle Web Cache
Oracle Internet Directory

Oracle Wallet

Create Wallet, Create Certificate
Request, Delete Wallet, Import
Certificate, Export Certificate,
Enable SSL

Fusion Middleware Control,
WLST
Oracle Wallet Manager and
orapki for PKCS#11 or
Hardware Security Modules
(HSM)-based wallets. Also for
environments where Fusion
Middleware Control and WLST
are not available (such as a
stand-alone upgrade of these
components without a domain).

Oracle Virtual Directory

JKS-based Keystore

Create KeyStore, Create
Certificate Request, Delete
KeyStore, Import Certificate,
Export Certificate, Enable SSL

Fusion Middleware Control,
WLST

Oracle SOA Suite

JKS-based Keystore


JDK Keytool

Oracle WebCenter

JKS-based Keystore


JDK Keytool

How WebLogic states its Identity


Identity comes from a Java Keystore "identity
keystore"
◦ must contain a certificate & key-pair matching alias



Each WebLogic server instance (Admin Server and
Managed Servers) has to have an identity keystore to
do SSL

How WebLogic Establishes Trust



Trust comes from another JKS "trust keystore"
Choice of standalone JKS or to use the one in the JDK
trust (stored with JRE)



Note:

◦ DemoIdentity
◦ DemoTrust

WebLogic Identity/Trust Combinations


Demo Identity and Demo Trust (default - not for prod)
◦ CN=hostname, signed by BEA CA that anyone can sign with



Custom Identity and Java Standard Trust
◦ determine trust from java/…



Custom Identity and Custom Trust
◦ our own identity and trust keystores



Custom Identity and Command Line Trust

◦ our own identity but trust keystore specified in start-up param

Certificates Required


Server sends out its cert when someone tries to
connect over SSL (i.e. one way) but can optionally
request cert from client (two way) - console options:
◦ Client Certs Not Requested
◦ Client Certs Not Requested but Not Enforced
◦ Client Certs Requested and Enforced

Hostname Verification
◦ None
◦ BEA Hostname Verifier
◦ Custom Hostname Verifier
 e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier



What does none mean?

◦ Cert is requested but does not have a CN for the host WebLogic is
trying to connect to. It could be any old certificate.

Set ignoreHostnameVerification = true?!?


We strongly recommend enabling hostname
verification in all test and production environments.



Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle
recommends leaving host name verification on in production environments"

Keystore Naming Conventions



Do not use a name longer than 256 characters
Do not use any of the following characters in a
keystore name:
| ; , ! @ # $ ( ) < > / " ' ` ~ { } [ ] = + & ^ space tab
 Do not use non-ASCII characters in a keystore name
 Additionally, follow the operating system-specific rules
for directory and file names

Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any
directory on the file system is not supported.
Any existing pre-11g keystore or wallet that you wish to use
must be imported using either Fusion Middleware Control or
the WLST utility.
http://docs.oracle.com/cd/E21764_01/core.1111/e10105/w
allets.htm

Generate self signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS}
-storepass ${JKS_PASSWORD} -validity 360 -keysize 2048
-keypass ${KEY_PASSWORD}
What is your first and last name?
[Unknown]: somehost.localdomain
What is the name of your organizational unit?
[Unknown]: Example Department
What is the name of your organization?
[Unknown]: Example Company
What is the name of your City or Locality?
[Unknown]: Manchester
What is the name of your State or Province?
[Unknown]: West Midlands
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands,
C=GB correct?
[no]: yes

Enter key password for <selfsigned>
(RETURN if same as keystore password):

Generate self signed certificate 2
keytool -genkey -keyalg RSA -alias selfsigned
-keystore ${JKS}
-dname "CN=`hostname`, OU=Example Department, O=Example
Company, L=Manchester, ST=West Midlands, C=GB"
-storepass ${JKS_PASSWORD}
-validity 360 -keysize 2048
This must be the
-keypass ${KEY_PASSWORD}
hostname that clients
use to connect to you.
E.g. may be a CNAME
or a VIP

Create key pair
keytool -genkey
-alias `hostname`
-keyalg RSA
-keystore ${JKS}
-keysize 2048

Create certificate signing request
keytool -certreq
-alias `hostname`
-keystore ${JKS}
-file ${REQUEST_FILE}

Import a signed certificate from CA
keytool -import
-trustcacerts
-alias `hostname`
-file ${SIGNED_CERT}
-keystore ${JKS}

List contents of keystore
keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West
Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West
Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
MD5: DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3

keytool commands for checking


Check a stand-alone certificate
keytool -printcert -v -file ${CERTIFICATE}



Check which certificates are in a Java keystore
keytool -list -v -keystore ${JKS}



Check a particular keystore entry using an alias
keytool -list -v -keystore ${JKS} -alias ${ALIAS}

Other useful keystore commands


Delete a certificate from a Java Keytool keystore
keytool -delete -alias ${ALIAS} -keystore ${JKS}



Change a Java keystore password
keytool -storepasswd -new ${NEW_PASSWORD}
-keystore ${JKS}



Export a certificate from a keystore
keytool -export -alias ${ALIAS} -file ${CERTIFICATE}
-keystore ${JKS}

Copy key to other keystore
SRC_ALIAS=cn=`hostname`
keytool -importkeystore
-srckeystore ${JKS}
-srcstorepass ${JKS_PASSWORD}
-destkeystore ${IDENTITY_KS}
-deststorepass ${ID_KS_PASSWORD}
-srcalias ${SRC_ALIAS}
-destalias `hostname`
-destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF

Convert wallet to keystore
orapki wallet pkcs12_to_jks
-wallet ${WALLET}
-pwd ${WALLET_PASSWORD}
-jksKeyStoreLoc ${JKS}
-jksKeyStorepwd ${JKS_PASSWORD}
-jksTrustStoreLoc ${TRUSTSTORE}
-jksTrustStorepwd ${TRUSTSTORE_PASSWORD}

Convert keystore to wallet
orapki wallet create -wallet ${WALLET}
-pwd ${WALLET_PASSWORD} -auto_login

orapki wallet jks_to_pkcs12 -wallet ${WALLET}
-pwd ${WALLET_PASSWORD} -keystore ${JKS}
-jkspwd ${JKS_PASSWORD}

About Importing DER-encoded
Certificates




You cannot use Fusion Middleware Control or
the WLST command-line tool to import DER-encoded certificates
or trusted certificates into an Oracle wallet or a JKS keystore.
Use these tools instead:
To import DER-encoded certificates or trusted certificates into
an Oracle wallet, use:
◦ Oracle Wallet Manager or
◦ orapki command-line tool



To import DER-encoded certificates or trusted certificates into a
JKS keystore, use the keytool utility

Summary
We discussed how WebLogic uses Identity, Trust & CAs
• Always enable Hostname Verification!
• Never use Demo Certs - do SSL properly or not at all 
•

Questions?
Contact us! (e.g. DM on Twitter)
Jacco: @oraclemva
Simon: @simon_haslam

WebLogic in Practice: SSL Configuration

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to WebLogic in Practice: SSL Configuration

Similar to WebLogic in Practice: SSL Configuration (20)

More from Simon Haslam

More from Simon Haslam (20)

Recently uploaded

Recently uploaded (20)

WebLogic in Practice: SSL Configuration