CHAPTER 7
7.1 Configuration and Testing of SSL
Nowadays it is a big challenge to manage enterprise applications: they are complex, and transmitting their data over a network or the internet is sensitive.
When we send sensitive data over a network or the internet, we cannot be sure how well it is protected. SSL is a technology that protects data in transit over a network or the internet.
Through SSL, we can make secure connections by allowing two applications connecting over a network connection to authenticate the other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.
SSL certificates are issued by certificate authorities such as Verisign and GeoTrust, and transport-level security is provided by using these certificates.
WebLogic Server supports SSL on a dedicated listen port, 7002 by default. A web browser makes an SSL connection to WebLogic Server by using the SSL listen port and the HTTPS protocol in the connection URL.
Here is the step-by-step procedure for generating a certificate and installing and configuring it in WebLogic Server.
1] Procedure for creating and importing the certificate
A] First we have to run the script "setDomainEnv" under the bin directory of the domain to set the environment.
B] Generate the private/public key pair; I have used the keytool utility for this. Before running the utility, make sure the Java bin path is set as shown below.
Figure 129
C] Generate a Certificate Signing Request (CSR) with the keytool utility and send it to the Certifying Authority.
Figure 130
The Certifying Authority provides three certificates: (I) the SSL (server) certificate, (II) the root certificate, and (III) the intermediate certificate.
D] We need to import these certificates into our keystore. This can be performed either by importing the
For example, create a certificate chain file <myfile>.pem and import this file into the identity keystore, overriding the private key alias, which is client in this example.
Figure 131
E] Now we need to create a trust keystore, that is, a trust file, by importing the RootCA.
Figure 132
Here is the command that we can use to verify the contents of our keystore:
Figure 133
2] Configuring WebLogic Server for the keystore
A] After logging in to the admin console, we need to select the server for which we want to configure the SSL certificate.
Click on the server in the left pane and then select the Keystores tab on the right. Here we can see that it points to the Demo certificates, which are the default.
Select "Custom Identity and Custom Trust" from the drop-down box and enter the details of the identity and trust keystores.
Figure 134
Figure 136
B] Configure server identity:
Enter the alias of the private key by clicking the SSL tab on the right.
NOTE: By default, enabling SSL for a WebLogic Server gives one-way SSL. For two-way SSL, we need to open the Advanced options and select the two-way SSL behavior.
C] Configure the SSL port.
7002 is the default port.
Select the server in the left pane, click on the General tab, tick SSL Listen Port Enabled and enter the value for the SSL listen port.
Figure 138
After that we can check the server logs; the following line will be there when the certificate is loaded:
<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\identityVerisign.jks.>
7.2 Test SSL Setup
Now we can check any application deployed on the managed server that has SSL configured by accessing it through https rather than http. See the figure below.
https://localhost:7002/console
Figure 139
Figure 140
Always keep in mind that, for a production environment, the Common Name of the certificate must match the server host name.
WebLogic Managed Server self-signed certificate
A WebLogic managed server can use a self-signed certificate, which is signed by you and not by any external authority. You can use these certs in non-production environments:
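The rule above (the certificate name must match the host we connect to) is what WebLogic's Hostname Verification enforces and what the self-signed section later switches off. The following is an added example, not code from the chapter, that performs the same check from the client side: it matches a host name against the certificate dictionary that Python's stdlib `ssl` module returns, and optionally probes a live SSL listen port. The CA file passed to the probe is assumed to be the root certificate exported in PEM form (`keytool -export -rfc`); the two sample certificate dictionaries are constructed from names used in this chapter.

```python
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Added example (not from the chapter): client-side host name check against
# the certificate presented on a WebLogic SSL listen port (7002 by default).

def _glob_match(pattern: str, host: str) -> bool:
    """Match one DNS name; a single leading '*.' wildcard covers one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_names(cert: Dict) -> List[str]:
    """Names a certificate is valid for, in the dict layout of getpeercert()."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # the CN is only consulted when there is no DNS SAN (RFC 6125)
        for rdn in cert.get("subject", ()):
            names += [v for (k, v) in rdn if k == "commonName"]
    return names

def hostname_matches(cert: Dict, host: str) -> bool:
    return any(_glob_match(n, host) for n in cert_names(cert))

def probe_ssl_listener(host: str, port: int = 7002,
                       cafile: Optional[str] = None) -> Tuple[bool, Dict]:
    """Connect to the SSL listen port, validate the chain against cafile
    (assumed: the exported root cert in PEM form) and report whether the
    presented certificate covers `host`, instead of aborting on mismatch."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # we do the name check ourselves below
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()    # parsed only because the chain verified
    return hostname_matches(cert, host), cert

# Constructed sample certificates (shape of ssl.SSLSocket.getpeercert()).
CN_ONLY_CERT = {"subject": ((("countryName", "IN"),),
                            (("commonName", "GAPANDEY-IN.in.oracle.com"),))}
SAN_CERT = {"subject": ((("commonName", "ignored.example"),),),
            "subjectAltName": (("DNS", "*.banking.co.in"), ("DNS", "banking.co.in"))}

if __name__ == "__main__":
    print(hostname_matches(CN_ONLY_CERT, "gapandey-in.in.oracle.com"))  # True
    print(hostname_matches(CN_ONLY_CERT, "localhost"))                  # False
```

A self-signed lab certificate issued to the machine name will therefore fail for https://localhost:7002/console, which is exactly the browser warning the chapter shows later.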
NOTE: You need to create keystores on each physical machine where you have servers running.
A] Generating self-signed certificates:
1] Create a certs directory under the WebLogic domain directory.
3] Change directory to certs and execute the command below to create identity.jks:
Figure 141
Now we have created a private key in the identity.jks file. As we are configuring a self-signed certificate, we will not create a CSR to order certs from an external authority.
4] As it is a self-signed cert, we will export the same cert, which is also called the root cert in this case, from identity.jks:
D:\Oracle\Middleware\user_projects\domains\BankingDomain\certs>keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass weblogic1
Certificate stored in file <root.cer>
5] Now we will import the same cert into trust.jks, which generally contains only the root cert.
NOTE: We can use the same identity.jks file in place of trust.jks, as we will have the same cert in both, but as good practice we should keep them separate. In production, where we have a chain of certs, it is recommended to create two JKS stores.
D:\Oracle\Middleware\user_projects\domains\BankingDomain\certs>keytool -import -alias mycert -trustcacerts -file root.cer -keystore trust.jks -storepass weblogic1
Issuer: CN=GAPANDEY-IN.in.oracle.com, OU=Middleware, O=Oracle, L=noida, ST=U.P., C=IN
Serial number: 50758d88
Valid from: Wed Oct 10 20:30:24 IST 2012 until: Thu Oct 10 20:30:24 IST 2013
Certificate fingerprints:
MD5: AE:50:7C:58:21:B0:45:5F:51:FC:6E:AF:BB:08:D5:62
SHA1: 51:F7:15:A7:F3:0A:D4:B2:95:A5:9E:CB:4B:05:0D:B0:A7:5C:FA:61
SHA1withRSA is the name of the signature algorithm and the version is 3.
Trust this certificate? [no]: Yes
Here the certificate is added to the keystore.
Now both keystores are ready for configuration. Repeat this process on all physical machines where WebLogic servers are hosted.
2] Configuring the JKS with WebLogic
A] Log in to the admin console
B] Navigate to Servers -> [server name] -> Configuration -> Keystores
C] Select Custom Identity and Custom Trust and provide the details below:
Custom Identity Keystore: enter the path of identity.jks
Custom Identity Keystore Type: enter the value jks
Custom Identity Keystore Passphrase: enter weblogic1, and enter the same passphrase weblogic1 in the Confirm field
Custom Trust Keystore: enter the path of trust.jks
Custom Trust Keystore Type: enter the value jks
Custom Trust Keystore Passphrase: enter weblogic1 and confirm it
D] Then click on the SSL tab next to Keystores and provide values for the parameters below:
Enter and confirm the passphrase for the private key as weblogic1
NOTE: As I have given the identity keystore password the same as the private key password, I give the same password here. If you have given a different one, make sure to give that different password here.
E] Then enable the SSL port for that particular WebLogic server by navigating to Servers -> [server name] -> Configuration -> General.
Also provide the Fully Qualified Domain Name (FQDN) in the Listen Address field.
F] Save and activate changes. Repeat this second half of the procedure for all WebLogic servers that are intended to use SSL.
3] CONFIGURING NODE MANAGER
Modify the nodemanager.properties file in the $WL_HOME/common/nodemanager folder. Insert the following lines at the end:
Figure 142
NOTE: Make sure Secure Listener is set to true; it is already present in this file. Also enter the Fully Qualified Domain Name (FQDN) in the Listen Address field, which is blank by default.
4] DISABLING HOSTNAME VERIFICATION
A] Disable host name verification at the server level
Navigate to Servers -> [server name] -> Configuration -> SSL, click Advanced, and set Hostname Verification to None. To save the changes, click Save and then Activate Changes.
Repeat these steps for all servers in the domain for which self-signed certs are configured.
B] Disable host name verification for Node Manager
Add the parameter -Dweblogic.nodemanager.sslHostNameVerificationEnabled and set its value to false on the java command lines in the Node Manager start script:
"D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java" ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WEBLOGIC_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0" -DListenAddress="${listenaddress}" -DListenPort="${Listenport}" weblogic.NodeManager -v
else
"D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java" ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WEBLOGIC_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0" -DListenPort="${Listenport}" weblogic.NodeManager -v
fi
And the command lines below are used when the listen address is not null:
"D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java" ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WEBLOGIC_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0" -DListenAddress="${listenaddress}" weblogic.NodeManager -v
else
"D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java" ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WEBLOGIC_HOME}/server/lib/weblogic.policy" weblogic.NodeManager -v
fi
Now restart Node Manager. The servers need not be restarted if they are already running. This completes the SSL configuration with self-signed certs.
NOTE: Sometimes you might get an SSL issue at Node Manager; in that case import CertGenCA.der into the custom trust store trust.jks so that the Admin Server can trust Node Manager. Use an alias that is not already present in trust.jks, since mycert was used for the root cert above and keytool refuses to import under an existing alias.
> keytool -import -alias mycert -trustcacerts -file "<location of CertGenCA.der>" -keystore trust.jks
Creating a new CSR
By visiting the URL https://<hostname>:port/certificate we can see the CSR generator. 443 is the default port for the URL mentioned above.
For the CSR, our company information is required by the server. The points below need to be taken care of during creation of our CSR:
Country/State/City - Here we need to provide the locality from where we are operating our business rather than the locality of the server, and we need to give the complete name of the locality. For example, if we are operating our business from NOIDA, use "NOIDA" as the state rather than "ND". If we are operating our business as an international customer without a state or province, then the state field should be the country name.
Organization - As with State, the full name with any suffix is needed for the organization name. If the company is registered, use the registered name as the organization name.
Common Name - This is the main piece of information, because it is what we type as the web address in the browser, so it must be correct. For example, both www.banking.co.in and banking.co.in may be acceptable common names; never include http or https in it.
The point below needs to be kept in mind:
Our RSA private key is stored in unencrypted form on the server if no password is specified for the private key; it is stored in encrypted form if we have specified a password. In that case, select Use Encrypted Keys on the SSL tab of the admin console. If we do not select this option, our server is not able to use the private key.
Now three different files are created by the web interface.
Private key: ourdomain-key.der
CSR file: ourdomain-request.pem
Submitting the CSR to Trustwave
Open the CSR file, which is in ASCII format (ourdomain-request.pem), and copy the entire file to the clipboard. There are dashed lines at the beginning and end of the CSR file; copy the complete content including them. To continue, paste it in the Trustwave Control Center.
HARDWARE LOAD BALANCER SSL Certificate Installation: f5 BIG-IP
F5 BIG-IP is a hardware load balancer; below is the procedure to install an SSL certificate on F5 BIG-IP.
Open the web interface (URL) of the F5 BIG-IP. Under Local Traffic, select SSL Certificates.
We assigned a name to the certificate during CSR creation; click that name under General Properties.
From DigiCert we received a file called your_domain_name.crt; browse to that file, open it, and import it.
Now installation of the SSL certificate is complete.
Below is the procedure to enable the intermediate certificate:
Through the web URL, that is, the graphical user interface, we need to import the certificate. Select SSL Certificates under Local Traffic and then import the certificate.
Select Create New and, when asked to choose the import type, choose Certificate and enter the name DigiCertCA.
We received a file called DigiCertCA.crt from DigiCert; open this file and import it.
Now the import of the intermediate certificate is complete. Next, configure SSL for the server.
For this certificate we will use an SSL profile, which we need to open or create.
In the first section we installed an SSL certificate; this certificate needs to be selected in the configuration utility [first select Local Traffic in the configuration utility, then Profiles under Local Traffic, then Client under Profiles, and finally the Advanced option from the menu].
Now our server is ready for use with the installed SSL certificate.
F5 BIG-IP Pre Version
We can download our certificate files from our DigiCert account. We require the crt files below (primary and intermediate):
your_domain_name.crt
DigiCertCA.crt
Both files are required for proper installation on the BIG-IP; both the primary and the intermediate certificate need to be moved onto the BIG-IP device.
Through ftp or sftp we can move the crt files to the BIG-IP box. The certificate files need to be renamed and moved.
Copy your_domain_name.crt into the /config/bigconfig/ssl.crt/ folder, renaming it to your.domain.name.crt.
Move the intermediate-ca.crt file to the /config/bigconfig/ssl.crt/ folder. Then restart the proxy:
Figure 143
Installation of the certificate is complete.
7.3 Procedure to configure WebLogic to use SSL with Apache
Here is the simple configuration that I have used for my testing.
I created a certificate and a keystore and performed all the different steps needed to get us started. Then I configured WebLogic to use that keystore.
Once the browser was able to access WebLogic over SSL, I configured the Apache web server to use SSL with WebLogic.
Once we have installed WebLogic, we can use the keytool from Sun to create these components. For me it is: %BEA_HOME%\jdk160_05\bin\keytool.exe
Here I am using Keytool UI, which is a graphical version of keytool, to create a sample, empty JKS (JKS stands for Java KeyStore).
Figure 144
The password used here is "weblogic".
Then just create a CSR (Certificate Signing Request).
Figure 145
Figure 146
Figure 147
Here we can see the contents of the keystore.
Figure 148
I have used the following alias for the private key: privatekey
2] Configuring WebLogic to use the previously created keystore. This is the simplest part.
First the WebLogic server should be started and the SSL port should be enabled.
Figure 149
After clicking on the Keystores tab, just change the identity of the server to point to our keystore.
Figure 150
Here we see different options in the drop-down box; for my testing I selected "Custom Identity and Java Standard Trust" (%BEA_HOME%\jdk160_05\jre\lib\security\cacerts).
All the trusted certificates are in the trust store, which is itself a keystore. We can also print the trust store, just to see what's inside:
Figure 151
You can see that Verisign, Thawte and many other CAs (Certificate Authorities) are listed.
Figure 153
We only have to specify the keystore we created, the type, which is JKS, and the password. As for the trust, just type the default password, which is "changeit".
A quick look in the WLS console shows:
<10 nov. 2012 23 h 47 CET> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Cannot retrieve identity certificate and private key on server Adminserver, because the keystore entry alias is not specified.>
<10 nov. 2012 23 h 47 CET> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for un configured protocol "Cannot retrieve identity certificate and private key on server Adminserver, because the keystore entry alias is not specified.".>
Figure 154
Just type the alias (privatekey) and the password (weblogic) and save. This time, WLS seems to be happier:
<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias privateKey from the JKS keystore file D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\mbutton.jks.>
<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\BEA_ROOT\WLS_10.3\JDK160~1\jre\lib\security\cacerts.>
<10 nov. 2012 23 h 52 CET> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.1.4:7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<Channel "DefaultSecure[1]" is now listening on 127.0.0.1:7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
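The two log excerpts above (the failed start with BEA-000297/BEA-002618 and the healthy one with BEA-090171, BEA-090169 and BEA-002613) are what an administrator looks for after enabling the SSL port, both here and in the earlier keystore procedure. The following is an added example, not code from the chapter, that parses WebLogic log lines of this shape and reports whether the identity was loaded and which secure channels came up; the sample lines are constructed from the excerpts above.

```python
import re
from typing import Dict, List

# Added example (not from the chapter): summarise SSL startup from WebLogic
# server log lines using the BEA message ids quoted in this chapter.
LOG_RE = re.compile(
    r"^<(?P<ts>[^>]*)> <(?P<sev>\w+)> <(?P<sub>[^>]*)> <(?P<id>BEA-\d+)> <(?P<msg>.*)>\s*$")

SSL_IDS = {                      # meaning of the ids seen in the log excerpts
    "BEA-090171": "identity key loaded",
    "BEA-090169": "trust store loaded",
    "BEA-002613": "secure channel listening",
    "BEA-000297": "inconsistent security configuration",
    "BEA-002618": "secure channel not configured",
}

def parse_line(line: str) -> Dict[str, str]:
    """Split one '<ts> <sev> <subsystem> <BEA-id> <msg>' line into fields."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}

def ssl_status(lines: List[str]) -> Dict[str, object]:
    """Return which SSL ids were seen, the identity alias/keystore that was
    loaded, the secure endpoints, and whether startup must be treated as failed."""
    seen, endpoints, identity = [], [], None
    for rec in map(parse_line, lines):
        mid = rec.get("id")
        if mid not in SSL_IDS:
            continue
        seen.append(mid)
        if mid == "BEA-090171":
            m = re.search(r"alias (\S+) from the (\S+) keystore file (.+?)\.?$", rec["msg"])
            if m:
                identity = {"alias": m.group(1), "type": m.group(2), "file": m.group(3)}
        elif mid == "BEA-002613":
            m = re.search(r'Channel "([^"]+)" is now listening on (\S+) for protocols (.+?)\.$',
                          rec["msg"])
            if m:
                endpoints.append({"channel": m.group(1), "addr": m.group(2),
                                  "protocols": m.group(3).split(", ")})
    failed = any(i in seen for i in ("BEA-000297", "BEA-002618"))
    ok = "BEA-090171" in seen and bool(endpoints) and not failed
    return {"ok": ok, "failed": failed, "seen": seen,
            "identity": identity, "endpoints": endpoints}

# Constructed sample lines, modelled on the chapter's two log excerpts.
SAMPLE_FAIL = [
    '<10 nov. 2012 23 h 47 CET> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Cannot retrieve identity certificate and private key on server Adminserver, because the keystore entry alias is not specified.>',
    '<10 nov. 2012 23 h 47 CET> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for un configured protocol "Cannot retrieve identity certificate and private key on server Adminserver, because the keystore entry alias is not specified.".>',
]
SAMPLE_OK = [
    r'<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias privateKey from the JKS keystore file D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\mbutton.jks.>',
    r'<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\BEA_ROOT\WLS_10.3\JDK160~1\jre\lib\security\cacerts.>',
    '<10 nov. 2012 23 h 52 CET> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.1.4:7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>',
]
```

Run ssl_status over the lines of a server log; an "ok" result means the identity keystore was read under the configured alias and at least one secure channel is listening, while "failed" flags the missing-alias misconfiguration shown above.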
Let's try to access the console using the secure port (7002). The popup below will come up.
Figure 155
A warning message will say that the certificate has been issued by someone I don't trust, and that the certificate name doesn't match the site name.
Figure 156
3 - Display the certificate presented by WebLogic
To display the certificate, we have two possibilities:
Click the lock in the browser window and use the built-in functionality to display the certificates.
Figure 157
When we, or a client, connect to a secure server, the data is safe, because the client can verify what the server claims to be and the transaction it is about to perform is well encrypted.