Oracle WebLogic Server in Practice: SSL Configuration
Simon Haslam, Veriton
Jacco Landlust, Oracle
Oct 19, 2014
Jacco & Simon

Jacco:
◦ Domain Architect Director at Oracle Consulting
◦ Oracle ACE

Simon:
◦ Founder of Veriton and now Oracle ACE Director (Middleware & SOA)
◦ UKOUG App Server & Middleware SIG Chair
Agenda
• Concepts you need
• WebLogic & SSL
• Tools & Commands to manage keys
Essential Concepts
• key-pair (asymmetric)
  ◦ one key to encrypt, a different key to decrypt
  ◦ you make one your private key, the other your public key
• certificate
  ◦ unique to you
  ◦ contains your public key
  ◦ signed
• certificate authority (CA)
  ◦ signs certificates
  ◦ is independently trusted
Old school Identity Management
(diagram: me, the person I want to communicate with, their certificate, and the certificate authority it is signed by)
1. Person sends me their cert
2. I look at who it is signed by
3. If I trust the person it is signed by I accept their identity

Trust
(diagram: the certificate is signed by certificate authority A, which is in turn signed by certificate authority B)
1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the person it is signed by I look at who they are signed by, and so on

Certificate Chain
(diagram: certificate -> certificate authority A -> certificate authority B -> ... -> root certificate authority)

Certificate Chain: Trust Keystore
(diagram: the same chain, with the root CA held in my Trust Keystore)

Establishing my Identity
(diagram: my own certificate and the chain of CAs up to the root CA, held in my Identity Keystore)
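The chain walk described in the Trust and Certificate Chain slides, written out as an added example (it is not part of the original deck). Certificates are reduced to a (subject, issuer) name pair, so only the "who is signed by whom" walk and the stop at the trust keystore are shown; checking the signatures themselves is covered by the next slides and is assumed to happen elsewhere. The Cert class, build_chain function and the CA names are constructed for this example.

```python
"""Chain walking from the Trust / Certificate Chain slides (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to the two names the walk needs (constructed model)."""
    subject: str   # Owner / CN of the certificate
    issuer: str    # who signed it

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert,
                intermediates: Iterable[Cert],
                trust_keystore: Iterable[Cert],
                max_depth: int = 10) -> Optional[List[Cert]]:
    """Return [leaf, CA A, CA B, ..., trusted root], or None if no trusted
    root is reachable.

    1. person sends me their cert           -> `leaf`
    2. I look at who it is signed by         -> `current.issuer`
    3. if I trust the signer, accept; otherwise look at who *they* are
       signed by, and so on, until a certificate held in the trust
       keystore is reached.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in intermediates}
    trusted: Dict[str, Cert] = {c.subject: c for c in trust_keystore}
    chain: List[Cert] = [leaf]
    current = leaf
    for _ in range(max_depth):
        anchor = trusted.get(current.issuer)
        if anchor is not None:
            # The signer is in my trust keystore: the walk stops here.
            # (A self-signed cert that is itself trusted is its own anchor.)
            if anchor != current:
                chain.append(anchor)
            return chain
        if current.self_signed:
            # Self-signed but not trusted: "not much use unless every
            # recipient adds you to their trust keystore".
            return None
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            return None  # the issuer's certificate was never sent to me
        chain.append(nxt)
        current = nxt
    return None  # too deep, or a cycle among the intermediates


def demo() -> Optional[List[str]]:
    """Constructed names laid out like the slide's diagram."""
    leaf = Cert("CN=somehost.localdomain", "CN=certificate authority A")
    ca_a = Cert("CN=certificate authority A", "CN=certificate authority B")
    ca_b = Cert("CN=certificate authority B", "CN=root CA")
    root = Cert("CN=root CA", "CN=root CA")
    chain = build_chain(leaf, [ca_a, ca_b], trust_keystore=[root])
    return None if chain is None else [c.subject for c in chain]


if __name__ == "__main__":
    print(demo())
```

Removing the root from the trust keystore, or leaving out one intermediate, makes build_chain return None: the server has to send every intermediate, and the client has to hold the root, for the walk to complete.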
What's in the Certificate
• The public key
• Registered name/details of owner
• Validity
• Identity of CA
• Location of CA Revocation List
• Hash function summary (encrypted by CA key)
How do I know the certificate is valid?
• Client recreates the summary "as it should be" (from ~hostname/validity)
• Client runs the hash function on the summary and encrypts using the CA public key
• Client compares the result to the public key offered by the server
• If the same, the client now has the public key for the certificate owner and can check validity, (optionally) CRL, etc.
• So by now we have the server's public key, which we can secure traffic with
WebLogic & SSL
Common tools to manage certificates
• keytool
• openssl
• orapki / Oracle Wallet Manager
Overall process for creating a certificate
1. create key pair
   ◦ could be self signed - not much use unless every recipient is going to add you to their trust keystore
2. create CSR
3. give CSR to CA
4. receive certificate back from CA
Key Stores
• For Fusion Middleware we're interested in:
  ◦ Java Keystores (JKS)
  ◦ Oracle Wallet (PKCS12 format)
• Either:
  ◦ contains one or more certificates
  ◦ each certificate has a CN, and usually has an alias
  ◦ can contain both public and private keys
Type of keystore per component

Component | Type of Keystore | Tasks | Tool
Oracle WebLogic Server | JKS-based Keystore | All Keystore operations | JDK Keytool
Oracle WebLogic Server | JKS-based Keystore | Enable SSL | Oracle WebLogic Server Administration Console
All Java EE applications (for example Oracle Directory Integration Platform, Oracle Directory Services Manager) | JKS-based Keystore | All Keystore operations | JDK Keytool
Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory | Oracle Wallet | Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST. Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Module (HSM)-based wallets, and for environments where Fusion Middleware Control and WLST are not available (such as a stand-alone upgrade of these components without a domain).
Oracle Virtual Directory | JKS-based Keystore | Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST
Oracle SOA Suite | JKS-based Keystore | All Keystore operations | JDK Keytool
Oracle WebCenter | JKS-based Keystore | All Keystore operations | JDK Keytool
How WebLogic states its Identity
• Identity comes from a Java Keystore, the "identity keystore"
  ◦ must contain a certificate & key-pair under a matching alias
• Each WebLogic server instance (Admin Server and Managed Servers) has to have an identity keystore to do SSL
How WebLogic Establishes Trust
• Trust comes from another JKS, the "trust keystore"
• Choice of a standalone JKS or the one in the JDK (stored with the JRE)
• Note:
  ◦ DemoIdentity
  ◦ DemoTrust
WebLogic Identity/Trust Combinations
• Demo Identity and Demo Trust (default - not for prod)
  ◦ CN=hostname, signed by BEA CA that anyone can sign with
• Custom Identity and Java Standard Trust
  ◦ determine trust from java/…
• Custom Identity and Custom Trust
  ◦ our own identity and trust keystores
• Custom Identity and Command Line Trust
  ◦ our own identity but trust keystore specified in start-up param
Certificates Required
Server sends out its cert when someone tries to connect over SSL (i.e. one way) but can optionally request a cert from the client (two way) - console options:
◦ Client Certs Not Requested
◦ Client Certs Requested but Not Enforced
◦ Client Certs Requested and Enforced
Hostname Verification
• Options:
  ◦ None
  ◦ BEA Hostname Verifier
  ◦ Custom Hostname Verifier, e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier
• What does None mean?
  ◦ The cert is requested but does not have a CN for the host WebLogic is trying to connect to. It could be any old certificate.
  ◦ Set ignoreHostnameVerification = true?!?
• We strongly recommend enabling hostname verification in all test and production environments.
• Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle recommends leaving host name verification on in production environments"
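What the three console choices accept, as an added example that is not part of the deck and not WebLogic's code. The matching rules are this example's assumptions: "None" performs no check at all (the effect of ignoreHostnameVerification = true), the BEA verifier is modelled as an exact, case-insensitive CN match, and the wildcard verifier additionally allows a single `*` as the left-most label standing for exactly one label. extract_cn, verify and compare_modes are constructed helpers; the DN strings come from the deck's keytool example.

```python
"""Hostname verification choices from the Hostname Verification slide (added example)."""
from typing import Dict

# The console's three choices; the matching rules below are this example's
# assumption about each, not a reading of WebLogic's source.
NONE = "None"
BEA = "BEA Hostname Verifier"
WILDCARD = "Custom Hostname Verifier (wildcard)"


def extract_cn(dn: str) -> str:
    """Pull the CN out of a keytool-style DN such as
    "CN=somehost.localdomain, OU=Example Department, O=Example Company".
    Simplified: assumes no escaped commas inside attribute values."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def _hostname_matches(cn: str, host: str, allow_wildcard: bool) -> bool:
    cn = cn.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cn == host:
        return True
    if not allow_wildcard or not cn.startswith("*."):
        return False
    cn_labels = cn.split(".")
    host_labels = host.split(".")
    # A single '*' as the left-most label, standing for exactly one label,
    # and never a bare registrable domain such as '*.com'.
    if "*" in cn_labels[1:] or len(cn_labels) < 3:
        return False
    return len(cn_labels) == len(host_labels) and cn_labels[1:] == host_labels[1:]


def verify(cert_dn: str, host: str, mode: str) -> bool:
    """Would a certificate with this DN be accepted for a connection to `host`?"""
    if mode == NONE:
        # No check at all: the CN may be for a different host entirely, so
        # "any old certificate" from a trusted CA is accepted.
        return True
    cn = extract_cn(cert_dn)
    if mode == BEA:
        return _hostname_matches(cn, host, allow_wildcard=False)
    if mode == WILDCARD:
        return _hostname_matches(cn, host, allow_wildcard=True)
    raise ValueError("unknown mode: " + mode)


def compare_modes(cert_dn: str, host: str) -> Dict[str, bool]:
    """Side-by-side result for the three console choices."""
    return {m: verify(cert_dn, host, m) for m in (NONE, BEA, WILDCARD)}


if __name__ == "__main__":
    dn = "CN=other.localdomain, OU=Example Department, O=Example Company, C=GB"
    print(compare_modes(dn, "somehost.localdomain"))
```

The last call is the case the slide warns about: a certificate for a different host, signed by a CA in the trust keystore, is rejected by both verifiers and accepted only by None.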
Tools & Commands to manage keys
Keystore Naming Conventions
• Do not use a name longer than 256 characters
• Do not use any of the following characters in a keystore name: | ; , ! @ # $ ( ) < > / \ " ' ` ~ { } [ ] = + & ^ space tab
• Do not use non-ASCII characters in a keystore name
• Additionally, follow the operating system-specific rules for directory and file names
Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any directory on the file system is not supported. Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility. http://docs.oracle.com/cd/E21764_01/core.1111/e10105/wallets.htm
Generate self signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD}

What is your first and last name?
  [Unknown]:  somehost.localdomain
What is the name of your organizational unit?
  [Unknown]:  Example Department
What is the name of your organization?
  [Unknown]:  Example Company
What is the name of your City or Locality?
  [Unknown]:  Manchester
What is the name of your State or Province?
  [Unknown]:  West Midlands
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB correct?
  [no]:  yes
Enter key password for <selfsigned>
  (RETURN if same as keystore password):
Generate self signed certificate 2

keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB" \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD}

Note: the CN must be the hostname that clients use to connect to you, e.g. it may be a CNAME or a VIP.
Create key pair

keytool -genkey -alias `hostname` -keyalg RSA \
  -keystore ${JKS} \
  -keysize 2048

Create certificate signing request

keytool -certreq -alias `hostname` \
  -keystore ${JKS} \
  -file ${REQUEST_FILE}

Import a signed certificate from CA

keytool -import -trustcacerts -alias `hostname` -file ${SIGNED_CERT} -keystore ${JKS}
List contents of keystore

keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
     MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
     SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
     Signature algorithm name: SHA1withRSA
     Version: 3
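A parser and pre-flight audit for the `keytool -list -v` output shown above, as an added example that is not part of the deck. The sample listing embedded in the block is the deck's own output reproduced line by line so the code runs offline; parse_listing, audit and audit_on are constructed helpers, and the list of weak signature algorithms and the 30-day expiry warning are this example's choices.

```python
"""Parse and audit `keytool -list -v` output (added example, not from the deck)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# The deck's listing of the self-signed example keystore, reproduced verbatim.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
     MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
     SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
     Signature algorithm name: SHA1withRSA
     Version: 3
"""

_DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"   # keytool's Date.toString() layout
WEAK_SIG_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA"}  # this example's list


@dataclass
class Entry:
    alias: str
    entry_type: str
    owner: str
    issuer: str
    valid_from: datetime
    valid_until: datetime
    sig_alg: str
    fingerprints: Dict[str, str]


def _parse_date(text: str) -> datetime:
    # keytool prints the JVM's local zone; the sample is GMT, so mark it UTC.
    return datetime.strptime(text.strip(), _DATE_FMT).replace(tzinfo=timezone.utc)


def parse_listing(text: str) -> List[Entry]:
    """One Entry per 'Alias name:' block. For a chained entry the Owner/Issuer
    fields come from Certificate[1], i.e. the server's own certificate."""
    entries: List[Entry] = []
    for block in re.split(r"^Alias name:\s*", text, flags=re.M)[1:]:
        def field(label: str) -> str:
            m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", block, re.M)
            return m.group(1) if m else ""
        validity = re.search(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$", block, re.M)
        if validity is None:
            continue  # e.g. a SecretKeyEntry carries no certificate
        fps = dict(re.findall(r"^\s*(MD5|SHA1|SHA256):\s*([0-9A-F:]+)", block, re.M))
        entries.append(Entry(
            alias=block.splitlines()[0].strip(),
            entry_type=field("Entry type"),
            owner=field("Owner"),
            issuer=field("Issuer"),
            valid_from=_parse_date(validity.group(1)),
            valid_until=_parse_date(validity.group(2)),
            sig_alg=field("Signature algorithm name"),
            fingerprints=fps,
        ))
    return entries


def audit(entry: Entry, now: datetime, warn_days: int = 30) -> List[str]:
    """Findings to clear before pointing a WebLogic server at this keystore."""
    findings: List[str] = []
    if entry.valid_until <= now:
        findings.append("expired on %s" % entry.valid_until.date())
    elif entry.valid_until - now <= timedelta(days=warn_days):
        findings.append("expires within %d days" % warn_days)
    if entry.valid_from > now:
        findings.append("not yet valid")
    if entry.sig_alg in WEAK_SIG_ALGS:
        findings.append("weak signature algorithm " + entry.sig_alg)
    if entry.owner == entry.issuer:
        findings.append("self-signed: only clients that import it into their trust keystore will accept it")
    return findings


def audit_on(entry: Entry, date_iso: str, warn_days: int = 30) -> List[str]:
    """Audit as of midnight UTC on an ISO date such as '2013-06-01'."""
    now = datetime.strptime(date_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return audit(entry, now, warn_days)


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(e.alias, audit(e, datetime.now(timezone.utc)))
```

Run against the deck's listing, the audit flags the self-signed issuer and the SHA1withRSA signature even while the certificate is still within its validity window, which is the kind of check worth wiring into a build pipeline before the keystore is deployed.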
keytool commands for checking

Check a stand-alone certificate:
keytool -printcert -v -file ${CERTIFICATE}

Check which certificates are in a Java keystore:
keytool -list -v -keystore ${JKS}

Check a particular keystore entry using an alias:
keytool -list -v -keystore ${JKS} -alias ${ALIAS}
Other useful keystore commands

Delete a certificate from a Java Keytool keystore:
keytool -delete -alias ${ALIAS} -keystore ${JKS}

Change a Java keystore password:
keytool -storepasswd -new ${NEW_PASSWORD} -keystore ${JKS}

Export a certificate from a keystore:
keytool -export -alias ${ALIAS} -file ${CERTIFICATE} -keystore ${JKS}
Copy key to other keystore

SRC_ALIAS=cn=`hostname`
keytool -importkeystore \
  -srckeystore ${JKS} \
  -srcstorepass ${JKS_PASSWORD} \
  -destkeystore ${IDENTITY_KS} \
  -deststorepass ${ID_KS_PASSWORD} \
  -srcalias ${SRC_ALIAS} \
  -destalias `hostname` \
  -destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF
Convert wallet to keystore
orapki wallet pkcs12_to_jks -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -jksKeyStoreLoc ${JKS} -jksKeyStorepwd ${JKS_PASSWORD} -jksTrustStoreLoc ${TRUSTSTORE} -jksTrustStorepwd ${TRUSTSTORE_PASSWORD}
Convert keystore to wallet
orapki wallet create -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -auto_login
orapki wallet jks_to_pkcs12 -wallet ${WALLET} -pwd ${WALLET_PASSWORD} -keystore ${JKS} -jkspwd ${JKS_PASSWORD}
About Importing DER-encoded Certificates
You cannot use Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Use these tools instead:
• To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:
  ◦ Oracle Wallet Manager, or
  ◦ the orapki command-line tool
• To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility
Summary
• We discussed how WebLogic uses Identity, Trust & CAs
• Always enable Hostname Verification!
• Never use Demo Certs - do SSL properly or not at all
Questions?
Contact us! (e.g. DM on Twitter)
• Jacco: @oraclemva
• Simon: @simon_haslam