weblogic in practice: ssl configuration
Post on 19-Oct-2014
DESCRIPTION
This presentation describes SSL certificate concepts and how to configure them within WebLogic. It was delivered by myself and Jacco Landlust (@oraclemva) at the UKOUG Tech13 conference.
TRANSCRIPT
![Page 1: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/1.jpg)
Oracle WebLogic Server in Practice:
SSL Configuration
Simon Haslam, Veriton Jacco Landlust, Oracle
![Page 2: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/2.jpg)
Jacco & Simon
Jacco:
◦ Domain Architect Director at Oracle Consulting
◦ Oracle ACE
Simon:
◦ Founder of Veriton and now
◦ Oracle ACE Director (Middleware & SOA)
◦ UKOUG App Server & Middleware SIG Chair
![Page 3: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/3.jpg)
Agenda
Concepts you need
WebLogic & SSL
Tools & Commands to manage keys
![Page 4: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/4.jpg)
Essential Concepts
key-pair (asymmetric)
◦ one key to encrypt, a different key to decrypt
◦ you make one your private key, the other your public key
certificate
◦ unique to you
◦ public key
◦ signed
certificate authority (CA)
◦ signs certificates
◦ is independently trusted
![Page 5: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/5.jpg)
Old school Identity Management
![Page 6: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/6.jpg)
Identity
[diagram: the certificate of the person I want to communicate with is signed by a certificate authority]
1. person sends me their cert
2. I look at who it is signed by
3. If I trust the person it is signed by I accept their identity
![Page 7: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/7.jpg)
![Page 8: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/8.jpg)
Trust
[diagram: the person's certificate is signed by certificate authority A, whose own certificate is signed by certificate authority B]
1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the person it is signed by, I look at who they are signed by, and so on
![Page 9: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/9.jpg)
Certificate Chain
[diagram: my certificate is signed by certificate authority A, which is signed by certificate authority B, which is signed by the root certificate authority, and so on up the chain]
![Page 10: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/10.jpg)
![Page 11: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/11.jpg)
Certificate Chain
[diagram: my certificate is signed by certificate authority A, signed by certificate authority B, signed by the root CA; the root CA certificate is what sits in the Trust Keystore]
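The trust decision on the last few slides (accept the peer if some link of its chain is signed by something in my trust keystore, otherwise keep walking up) as an added, runnable model; this is not code from the presentation or from WebLogic. Certificates are plain records and the "signed by" relationship is represented only by the issuer/subject link, so the cryptographic signature check a real X.509 validator performs on each link is outside the model; all names and dates are constructed.

```python
"""Chain walking and trust-keystore lookup, modelled on the 'Trust' and
'Certificate Chain' slides. Added example: the 'signed by' link is only the
issuer/subject relationship here, not a verified RSA signature."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str          # CN of the certificate owner
    issuer: str           # CN of the CA that signed it ("signed by")
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, when):
        return self.not_before <= when <= self.not_after


def build_chain(leaf, available):
    """Walk from the leaf towards the root, following issuer -> subject links.

    'available' is every certificate we can see: what the peer sent plus what
    is in our trust keystore. The walk stops at a self-signed certificate, at an
    issuer we hold no certificate for, or if the links form a loop.
    """
    by_subject = {c.subject: c for c in available}
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while current.issuer != current.subject:
        issuer_cert = by_subject.get(current.issuer)
        if issuer_cert is None or issuer_cert.subject in seen:
            break
        chain.append(issuer_cert)
        seen.add(issuer_cert.subject)
        current = issuer_cert
    return chain


def trust_decision(leaf, sent_by_peer, trust_keystore, when):
    """Accept the peer's identity if some link of its chain is signed by a
    certificate in the trust keystore (or is itself in the trust keystore) and
    every link examined on the way is inside its validity window.
    Returns (accepted, reason)."""
    trusted_subjects = {t.subject for t in trust_keystore}
    chain = build_chain(leaf, list(sent_by_peer) + list(trust_keystore))
    for depth, cert in enumerate(chain):
        if not cert.is_valid_at(when):
            return False, f"{cert.subject} is outside its validity window at {when:%Y-%m-%d}"
        if cert in trust_keystore:
            return True, f"{cert.subject} itself is in the trust keystore (depth {depth})"
        if cert.issuer in trusted_subjects:
            return True, f"{cert.subject} is signed by trusted {cert.issuer} (depth {depth})"
    return False, f"no trusted signer found; walk stopped at issuer {chain[-1].issuer!r}"


# Constructed sample data: a server certificate for the slides' example host,
# an intermediate CA and a self-signed root.
ROOT = Cert("Example Root CA", "Example Root CA", datetime(2010, 1, 1), datetime(2035, 1, 1))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", datetime(2012, 1, 1), datetime(2027, 1, 1))
LEAF = Cert("somehost.localdomain", "Example Intermediate CA", datetime(2013, 2, 9), datetime(2014, 2, 4))
SELF_SIGNED = Cert("somehost.localdomain", "somehost.localdomain", datetime(2013, 2, 9), datetime(2014, 2, 4))
NOW = datetime(2013, 6, 1)

if __name__ == "__main__":
    cases = [
        ("chain to trusted root", (LEAF, [INTERMEDIATE], [ROOT], NOW)),
        ("empty trust keystore", (LEAF, [INTERMEDIATE], [], NOW)),
        ("self-signed, not trusted", (SELF_SIGNED, [], [], NOW)),
        ("self-signed, imported into trust", (SELF_SIGNED, [], [SELF_SIGNED], NOW)),
        ("leaf expired", (LEAF, [INTERMEDIATE], [ROOT], NOW.replace(year=2015))),
    ]
    for label, args in cases:
        accepted, reason = trust_decision(*args)
        print(f"{label:34} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

The two self-signed cases are the point of the "not much use unless every recipient adds you to their trust keystore" remark later in the deck: a self-signed certificate is only accepted by a client that has imported that exact certificate into its own trust keystore.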
![Page 12: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/12.jpg)
![Page 13: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/13.jpg)
Establishing my Identity
[diagram: the same chain, from my certificate up through certificate authority A and certificate authority B to the root CA; this chain is what goes in the Identity Keystore]
![Page 14: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/14.jpg)
What's in the Certificate
The public key
Registered name/details of owner
Validity
Identity of CA
Location of CA Revocation List
Hash function summary (encrypted by CA key)
![Page 15: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/15.jpg)
How do I know a certificate is valid?
Client recreates the summary "as it should be" (from ~hostname/validity)
Client runs the hash function on the summary and encrypts it using the CA public key
Client compares the result to the public key offered by the server. If they are the same, the client now has the public key for the certificate owner and can check validity, (optionally) the CRL, etc.
So by now we have the server's public key, which we can secure traffic with
![Page 16: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/16.jpg)
Agenda
Concepts you need
WebLogic & SSL
Tools & Commands to manage keys
![Page 17: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/17.jpg)
Common tools to manage certificates
keytool
openssl
orapki / Oracle Wallet Manager
![Page 18: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/18.jpg)
Overall process for creating certificate
1. create key pair ◦ could be self-signed - not much use unless every recipient is going to add you to their trust keystore
2. create CSR
3. give CSR to CA
4. receive certificate back from CA
![Page 19: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/19.jpg)
Key Stores
For Fusion Middleware we're interested in:
◦ Java Keystores (JKS)
◦ Oracle Wallet (PKCS12 format)
Either:
◦ contains one or more certificates
◦ each certificate has a CN, and usually has an alias
◦ can contain both public and private keys
![Page 20: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/20.jpg)
Type of keystore per component
| Component | Type of Keystore | Tasks | Tool |
|---|---|---|---|
| Oracle WebLogic Server | JKS-based Keystore | All Keystore operations | JDK Keytool |
| Oracle WebLogic Server | JKS-based Keystore | Enable SSL | Oracle WebLogic Server Administration Console |
| All Java EE applications (for example Oracle Directory Integration Platform, Oracle Directory Services Manager) | JKS-based Keystore | All Keystore operations | JDK Keytool |
![Page 21: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/21.jpg)
Type of keystore per component 2
| Component | Type of Keystore | Tasks | Tool |
|---|---|---|---|
| Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory | Oracle Wallet | Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST. Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Module (HSM)-based wallets, and for environments where Fusion Middleware Control and WLST are not available (such as a stand-alone upgrade of these components without a domain). |
| Oracle Virtual Directory | JKS-based Keystore | Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST |
| Oracle SOA Suite | JKS-based Keystore | All Keystore operations | JDK Keytool |
| Oracle WebCenter | JKS-based Keystore | All Keystore operations | JDK Keytool |
![Page 22: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/22.jpg)
How WebLogic states its Identity
Identity comes from a Java Keystore, the "identity keystore" ◦ it must contain a certificate and its key-pair under the alias WebLogic is configured to use
Each WebLogic server instance (Admin Server and Managed Servers) has to have an identity keystore to do SSL
![Page 23: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/23.jpg)
How WebLogic Establishes Trust
Trust comes from another JKS, the "trust keystore". Choice of a standalone JKS or the one that ships in the JDK (Java Standard Trust, stored with the JRE)
Note:
◦ DemoIdentity
◦ DemoTrust
![Page 24: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/24.jpg)
![Page 25: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/25.jpg)
WebLogic Identity/Trust Combinations
Demo Identity and Demo Trust (default - not for prod) ◦ CN=hostname, signed by BEA CA that anyone can sign with
Custom Identity and Java Standard Trust ◦ determine trust from java/…
Custom Identity and Custom Trust ◦ our own identity and trust keystores
Custom Identity and Command Line Trust ◦ our own identity but trust keystore specified in start-up param
![Page 26: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/26.jpg)
Certificates Required
Server sends out its cert when someone tries to connect over SSL (i.e. one-way) but can optionally request a cert from the client (two-way) - console options:
◦ Client Certs Not Requested
◦ Client Certs Requested But Not Enforced
◦ Client Certs Requested And Enforced
![Page 27: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/27.jpg)
Hostname Verification
◦ None ◦ BEA Hostname Verifier ◦ Custom Hostname Verifier
e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier
What does None mean? ◦ A cert is presented, but it is not required to have a CN for the host WebLogic is trying to connect to. It could be any old certificate.
![Page 28: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/28.jpg)
Set ignoreHostnameVerification = true?!?
We strongly recommend enabling hostname verification in all test and production environments.
Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle recommends leaving host name verification on in production environments"
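What the three hostname verification choices on the previous slide actually decide, as an added example; this is not WebLogic code. "none" accepts whatever certificate is presented, "strict" models a verifier that requires an exact match between the connected hostname and a certificate name (assumed here to be how the BEA hostname verifier behaves), and "wildcard" models a verifier like SSLWLSWildcardHostnameVerifier, using the usual rule that "*" may only be the whole left-most label and matches exactly one label. SAN dNSName entries take precedence over the subject CN when present. All certificate names are constructed.

```python
"""Hostname verification modes: none / strict / wildcard. Added example, not
from the presentation; the strict and wildcard rules are assumptions about the
verifiers named on the slide, implemented with the common RFC 6125 conventions."""


def _normalise(name):
    return name.lower().rstrip(".")


def _wildcard_match(pattern, host):
    """True if host matches pattern, where pattern may begin with '*.'."""
    pattern, host = _normalise(pattern), _normalise(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Only the entire left-most label may be a wildcard, and at least two fixed
    # labels must follow it so that a pattern like '*.com' is never accepted.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label: 'a.b.example.com' does not match '*.example.com'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_names(cert):
    """Names a verifier may match against: SAN dNSNames if any, otherwise the CN."""
    return list(cert.get("san") or [cert["cn"]])


def verify_hostname(host, cert, mode="wildcard"):
    """cert is a dict with 'cn' and an optional 'san' list of dNSNames.
    mode is 'none', 'strict' or 'wildcard'."""
    if mode == "none":
        return True                      # any old certificate is accepted
    names = certificate_names(cert)
    if mode == "strict":
        return any(_normalise(n) == _normalise(host) for n in names)
    if mode == "wildcard":
        return any(_wildcard_match(n, host) for n in names)
    raise ValueError(f"unknown hostname verification mode {mode!r}")


if __name__ == "__main__":
    # Constructed certificates: a wildcard cert and a cert issued for a VIP name.
    wildcard_cert = {"cn": "*.example.com"}
    vip_cert = {"cn": "node1.internal", "san": ["app.example.com", "vip.example.com"]}
    checks = [("www.example.com", wildcard_cert), ("a.b.example.com", wildcard_cert),
              ("vip.example.com", vip_cert), ("node1.internal", vip_cert),
              ("somehost.localdomain", wildcard_cert)]
    for host, cert in checks:
        results = {m: verify_hostname(host, cert, m) for m in ("none", "strict", "wildcard")}
        print(f"{host:22} vs {certificate_names(cert)!s:42} {results}")
```

The last row of the demo output is the one the "None" option hides: a certificate for a completely unrelated name still passes, which is why the deck and the Oracle documentation both say to leave verification on.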
![Page 29: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/29.jpg)
Agenda
Concepts you need
WebLogic & SSL
Tools & Commands to manage keys
![Page 30: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/30.jpg)
Keystore Naming Conventions
Do not use a name longer than 256 characters
Do not use any of the following characters in a keystore name: | ; , ! @ # $ ( ) < > / \ " ' ` ~ { } [ ] = + & ^ space tab
Do not use non-ASCII characters in a keystore name
Additionally, follow the operating system-specific rules for directory and file names
![Page 31: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/31.jpg)
Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any directory on the file system is not supported. Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility. http://docs.oracle.com/cd/E21764_01/core.1111/e10105/wallets.htm
![Page 32: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/32.jpg)
Generate self signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD}
What is your first and last name?
  [Unknown]: somehost.localdomain
What is the name of your organizational unit?
  [Unknown]: Example Department
What is the name of your organization?
  [Unknown]: Example Company
What is the name of your City or Locality?
  [Unknown]: Manchester
What is the name of your State or Province?
  [Unknown]: West Midlands
What is the two-letter country code for this unit?
  [Unknown]: GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB correct?
  [no]: yes
Enter key password for <selfsigned>
  (RETURN if same as keystore password):
![Page 33: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/33.jpg)
Generate self signed certificate 2
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB" \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD}
The CN must be the hostname that clients use to connect to you, e.g. it may be a CNAME or a VIP.
![Page 34: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/34.jpg)
Create key pair
keytool -genkey -alias `hostname` -keyalg RSA \
  -keystore ${JKS} \
  -keysize 2048
![Page 35: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/35.jpg)
Create certificate signing request
keytool -certreq -alias `hostname` \
  -keystore ${JKS} \
  -file ${REQUEST_FILE}
![Page 36: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/36.jpg)
Import a signed certificate from CA
keytool -import -trustcacerts -alias `hostname` -file ${SIGNED_CERT} -keystore ${JKS}
![Page 37: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/37.jpg)
List contents of keystore
keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
         MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
         SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3
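Once you can list a keystore, the next question is what to look for in the output. The following is an added example, not part of the presentation: it parses `keytool -list -v` text and reports the three things that matter for the identity keystores the deck describes, i.e. certificates that have expired or are about to, self-signed entries (Owner equals Issuer, as in the slide's output), and weak signature algorithms. SAMPLE_LISTING is a constructed copy of the slide's own output laid out one field per line as keytool prints it; the field labels are keytool's own. Only the first certificate of each entry (the entry's own certificate, not the rest of its chain) is examined.

```python
"""Review a 'keytool -list -v' listing for expiry, self-signed entries and weak
signature algorithms. Added example; SAMPLE_LISTING is a constructed copy of
the slide's output."""
import re
from datetime import datetime

SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
\t MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
\t SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3
"""

KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"    # e.g. "Sat Feb 09 14:32:23 GMT 2013"
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")
WEAK_SIG_PREFIXES = ("MD5", "SHA1")         # SHA1withRSA, MD5withRSA, ...


def parse_listing(text):
    """Return one dict per keystore entry, keyed by the fields reviewed below."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
            continue
        if current is None:
            continue                          # header lines before the first entry
        if line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_length"] = int(line.split(":", 1)[1])
        # The guards keep the entry's own certificate; later Certificate[n] blocks
        # in a chain would otherwise overwrite these fields.
        elif line.startswith("Owner:") and "owner" not in current:
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and "issuer" not in current:
            current["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and "not_after" not in current:
            m = VALID_RE.match(line)
            current["not_before"] = datetime.strptime(m.group(1), KEYTOOL_DATE)
            current["not_after"] = datetime.strptime(m.group(2), KEYTOOL_DATE)
        elif line.startswith("Signature algorithm name:") and "sig_alg" not in current:
            current["sig_alg"] = line.split(":", 1)[1].strip()
    return entries


def review(entries, today, warn_days=30):
    """Return (alias, finding) pairs for anything worth acting on."""
    findings = []
    for e in entries:
        days_left = (e["not_after"] - today).days
        if days_left < 0:
            findings.append((e["alias"], f"expired {-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append((e["alias"], f"expires in {days_left} days"))
        if e.get("owner") == e.get("issuer"):
            findings.append((e["alias"], "self-signed (Owner equals Issuer)"))
        if e.get("sig_alg", "").upper().startswith(WEAK_SIG_PREFIXES):
            findings.append((e["alias"], f"weak signature algorithm {e['sig_alg']}"))
    return findings


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for alias, finding in review(entries, datetime(2014, 1, 20)):
        print(f"{alias}: {finding}")
```

Run it over `keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD} | python review_keystore.py`-style captured output (the script name is hypothetical) on each identity and trust keystore; the expiry check is the one that bites in practice, since a WebLogic server whose identity certificate lapses keeps running until something tries to connect.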
![Page 38: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/38.jpg)
keytool commands for checking
Check a stand-alone certificate
keytool -printcert -v -file ${CERTIFICATE}
Check which certificates are in a Java keystore
keytool -list -v -keystore ${JKS}
Check a particular keystore entry using an alias
keytool -list -v -keystore ${JKS} -alias ${ALIAS}
![Page 39: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/39.jpg)
Other useful keystore commands
Delete a certificate from a Java Keytool keystore
keytool -delete -alias ${ALIAS} -keystore ${JKS}
Change a Java keystore password
keytool -storepasswd -new ${NEW_PASSWORD} -keystore ${JKS}
Export a certificate from a keystore
keytool -export -alias ${ALIAS} -file ${CERTIFICATE} -keystore ${JKS}
![Page 40: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/40.jpg)
Copy key to other keystore
SRC_ALIAS=cn=`hostname`
# the here-document answers keytool's prompt if the destination alias already exists
keytool -importkeystore \
  -srckeystore ${JKS} \
  -srcstorepass ${JKS_PASSWORD} \
  -destkeystore ${IDENTITY_KS} \
  -deststorepass ${ID_KS_PASSWORD} \
  -srcalias ${SRC_ALIAS} \
  -destalias `hostname` \
  -destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF
![Page 41: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/41.jpg)
Convert wallet to keystore
orapki wallet pkcs12_to_jks -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -jksKeyStoreLoc ${JKS} -jksKeyStorepwd ${JKS_PASSWORD} -jksTrustStoreLoc ${TRUSTSTORE} -jksTrustStorepwd ${TRUSTSTORE_PASSWORD}
![Page 42: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/42.jpg)
Convert keystore to wallet
orapki wallet create -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -auto_login
orapki wallet jks_to_pkcs12 -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -keystore ${JKS} -jkspwd ${JKS_PASSWORD}
![Page 43: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/43.jpg)
About Importing DER-encoded Certificates
You cannot use Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Use these tools instead:
To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:
◦ Oracle Wallet Manager or
◦ orapki command-line tool
To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility
![Page 44: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/44.jpg)
Summary
• We discussed how WebLogic uses Identity, Trust & CAs
• Always enable Hostname Verification!
• Never use Demo Certs - do SSL properly or not at all
![Page 45: WebLogic in Practice: SSL Configuration](https://reader030.vdocuments.mx/reader030/viewer/2022020115/54440788afaf9fa0098b473c/html5/thumbnails/45.jpg)
Questions?
Contact us! (e.g. DM on Twitter)
Jacco: @oraclemva
Simon: @simon_haslam