WebLogic in Practice: SSL Configuration
•
12 likes•12,590 views
The document provides an overview of SSL configuration in Oracle WebLogic Server. It discusses key SSL concepts like key pairs, certificates, and certificate authorities. It describes how WebLogic uses Java keystores for identity and trust, and the tools like keytool and orapki that can be used to manage keys and certificates. The document also covers best practices for SSL configuration in WebLogic like always enabling hostname verification and not using demo certificates in production.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to WebLogic in Practice: SSL Configuration
Similar to WebLogic in Practice: SSL Configuration (20)
More from Simon Haslam
More from Simon Haslam (20)
Recently uploaded
Recently uploaded (20)
WebLogic in Practice: SSL Configuration
- 1. Oracle WebLogic Server in Practice: SSL Configuration Jacco Landlust, Oracle Simon Haslam, Veriton
- 2. Jacco & Simon Jacco: ◦ Domain Architect Director at Oracle Consulting ◦ Oracle ACE Simon: ◦ Founder of Veriton and now ◦ Oracle ACE Director (Middleware & SOA) ◦ UKOUG App Server & Middleware SIG Chair
- 3. Agenda Concepts you need WebLogic & SSL Tools & Commands to manage keys
- 4. Essential Concepts key-pair (asymmetric) certificate certificate authority (CA) ◦ one key to encrypt, a different key to decrypt ◦ you make one your private key, the other your public key ◦ unique to you ◦ public key ◦ signed ◦ signs certificates ◦ is independently trusted
- 5. Old school Identity Management
- 6. Identity certificate authority 1. person sends me their cert 2. I look at who it is signed by 3. If I trust the person it is signed by I accept their identity signed by certificate person I want to communicate with me
- 8. Trust certificate authority B 1. Person sends me their cert 2. I look at who it is signed by 3. If I don't trust the person it is signed by I look at who they are signed by and so on certificate authority A certificate person I want to communicate with me
- 9. Certificate Chain root certificate authority . . certificate authority B certificate authority A certificate me
- 11. Certificate Chain root CA root CA . . certificate authority B root CA Trust Keystore certificate authority A certificate me
- 13. Establishing my Identity root CA . . certificate authority B certificate authority A Identity Keystore me certificate
- 14. What's in the Certificate The public key Registered name/details of owner Validity Identity of CA Location of CA Revocation List Hash function summary (encrypted by CA key)
- 15. How do I know certificate is valid? Client recreates summary "as they should be" (from ~hostname/validity) So by now we have the Client hash function on summary and which we server's public key encrypts using can secure traffic with CA public key Client compares result to public key offered by server If same client now has the public key for the certificate owner and can check validity, (optionally) CRL, etc
- 16. Agenda Concepts you need WebLogic & SSL Tools & Commands to manage keys
- 17. Common tools to manage certificates keytool openssl orapki / Oracle Wallet Manager
- 18. Overall process for creating certificate 1. create key pair ◦ could be self signed - not much use unless every recipient is going to add you to their trust keystore create CSR 3. give CSR to CA 4. receive certificate back from CA 2.
- 19. Key Stores For Fusion Middleware we're interested in: ◦ Java Keystores (JKS) ◦ Oracle Wallet (PKCS12 format) Either: ◦ contains one or more certificates ◦ each certificate has a CN, and usually has an alias ◦ can contain both public and private keys
- 20. Type of keystore per component Type of Keystore Tasks Tool Oracle WebLogic Server JKS-based Keystore All Keystore operations JDK Keytool Oracle WebLogic Server JKS-based Keystore Enable SSL Oracle WebLogic Server Administration Console All Java EE applications (for example Oracle Directory Integration Platform, Oracle Directory Services Manager) JKS-based Keystore All Keystore operations JDK Keyt
- 21. Type of keystore per component 2 Type of Keystore Tasks Tool Oracle HTTP Server Oracle Web Cache Oracle Internet Directory Oracle Wallet Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL Fusion Middleware Control, WLST Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Modules (HSM)-based wallets. Also for environments where Fusion Middleware Control and WLST are not available (such as a stand-alone upgrade of these components without a domain). Oracle Virtual Directory JKS-based Keystore Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL Fusion Middleware Control, WLST Oracle SOA Suite JKS-based Keystore All Keystore operations JDK Keytool Oracle WebCenter JKS-based Keystore All Keystore operations JDK Keytool
- 22. How WebLogic states its Identity Identity comes from a Java Keystore "identity keystore" ◦ must contain a certificate & key-pair matching alias Each WebLogic server instance (Admin Server and Managed Servers) has to have an identity keystore to do SSL
- 23. How WebLogic Establishes Trust Trust comes from another JKS "trust keystore" Choice of standalone JKS or to use the one in the JDK trust (stored with JRE) Note: ◦ DemoIdentity ◦ DemoTrust
- 25. WebLogic Identity/Trust Combinations Demo Identity and Demo Trust (default - not for prod) ◦ CN=hostname, signed by BEA CA that anyone can sign with Custom Identity and Java Standard Trust ◦ determine trust from java/… Custom Identity and Custom Trust ◦ our own identity and trust keystores Custom Identity and Command Line Trust ◦ our own identity but trust keystore specified in start-up param
- 26. Certificates Required Server sends out its cert when someone tries to connect over SSL (i.e. one way) but can optionally request cert from client (two way) - console options: ◦ Client Certs Not Requested ◦ Client Certs Not Requested but Not Enforced ◦ Client Certs Requested and Enforced
- 27. Hostname Verification ◦ None ◦ BEA Hostname Verifier ◦ Custom Hostname Verifier e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier What does none mean? ◦ Cert is requested but does not have a CN for the host WebLogic is trying to connect to. It could be any old certificate.
- 28. Set ignoreHostnameVerification = true?!? We strongly recommend enabling hostname verification in all test and production environments. Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle recommends leaving host name verification on in production environments"
- 29. Agenda Concepts you need WebLogic & SSL Tools & Commands to manage keys
- 30. Keystore Naming Conventions Do not use a name longer than 256 characters Do not use any of the following characters in a keystore name: | ; , ! @ # $ ( ) < > / " ' ` ~ { } [ ] = + & ^ space tab Do not use non-ASCII characters in a keystore name Additionally, follow the operating system-specific rules for directory and file names
- 31. Copying Keystores to File System Not Supported Creating, renaming, or copying keystores directly to any directory on the file system is not supported. Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility. http://docs.oracle.com/cd/E21764_01/core.1111/e10105/w allets.htm
- 32. Generate self signed certificate keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD} What is your first and last name? [Unknown]: somehost.localdomain What is the name of your organizational unit? [Unknown]: Example Department What is the name of your organization? [Unknown]: Example Company What is the name of your City or Locality? [Unknown]: Manchester What is the name of your State or Province? [Unknown]: West Midlands What is the two-letter country code for this unit? [Unknown]: GB Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB correct? [no]: yes Enter key password for <selfsigned> (RETURN if same as keystore password):
- 33. Generate self signed certificate 2 keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB" -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 This must be the -keypass ${KEY_PASSWORD} hostname that clients use to connect to you. E.g. may be a CNAME or a VIP
- 34. Create key pair keytool -genkey -alias `hostname` -keyalg RSA -keystore ${JKS} -keysize 2048
- 35. Create certificate signing request keytool -certreq -alias `hostname` -keystore ${JKS} -file ${REQUEST_FILE}
- 36. Import a signed certificate from CA keytool -import -trustcacerts -alias `hostname` -file ${SIGNED_CERT} -keystore ${JKS}
- 37. List contents of keystore keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD} Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: selfsigned Creation date: Feb 9, 2013 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB Serial number: 51165df7 Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014 Certificate fingerprints: MD5: DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD Signature algorithm name: SHA1withRSA Version: 3
- 38. keytool commands for checking Check a stand-alone certificate keytool -printcert -v -file ${CERTIFICATE} Check which certificates are in a Java keystore keytool -list -v -keystore ${JKS} Check a particular keystore entry using an alias keytool -list -v -keystore ${JKS} -alias ${ALIAS}
- 39. Other useful keystore commands Delete a certificate from a Java Keytool keystore keytool -delete -alias ${ALIAS} -keystore ${JKS} Change a Java keystore password keytool -storepasswd -new ${NEW_PASSWORD} -keystore ${JKS} Export a certificate from a keystore keytool -export -alias ${ALIAS} -file ${CERTIFICATE} -keystore ${JKS}
- 40. Copy key to other keystore SRC_ALIAS=cn=`hostname` keytool -importkeystore -srckeystore ${JKS} -srcstorepass ${JKS_PASSWORD} -destkeystore ${IDENTITY_KS} -deststorepass ${ID_KS_PASSWORD} -srcalias ${SRC_ALIAS} -destalias `hostname` -destkeypass ${ID_KS_PASSWORD} <<EOF yes EOF
- 41. Convert wallet to keystore orapki wallet pkcs12_to_jks -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -jksKeyStoreLoc ${JKS} -jksKeyStorepwd ${JKS_PASSWORD} -jksTrustStoreLoc ${TRUSTSTORE} -jksTrustStorepwd ${TRUSTSTORE_PASSWORD}
- 42. Convert keystore to wallet orapki wallet create -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -auto_login orapki wallet jks_to_pkcs12 -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -keystore ${JKS} -jkspwd ${JKS_PASSWORD}
- 43. About Importing DER-encoded Certificates You cannot use Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Use these tools instead: To import DER-encoded certificates or trusted certificates into an Oracle wallet, use: ◦ Oracle Wallet Manager or ◦ orapki command-line tool To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility
- 44. Summary We discussed how WebLogic uses Identity, Trust & CAs • Always enable Hostname Verification! • Never use Demo Certs - do SSL properly or not at all •
- 45. Questions? Contact us! (e.g. DM on Twitter) Jacco: @oraclemva Simon: @simon_haslam