WebLogic in Practice: SSL Configuration

This presentation describes SSL certificate concepts and how to configure them within WebLogic. It was delivered by myself and Jacco Landlust (@oraclemva) at the UKOUG Tech13 conference.

1. Oracle WebLogic Server in Practice: SSL Configuration
Jacco Landlust, Oracle
Simon Haslam, Veriton

2. Jacco & Simon
Jacco:
◦ Domain Architect Director at Oracle Consulting
◦ Oracle ACE
Simon:
◦ Founder of Veriton and now
◦ Oracle ACE Director (Middleware & SOA)
◦ UKOUG App Server & Middleware SIG Chair

3. Agenda
• Concepts you need
• WebLogic & SSL
• Tools & Commands to manage keys
4. Essential Concepts
• key-pair (asymmetric)
  ◦ one key to encrypt, a different key to decrypt
  ◦ you make one your private key, the other your public key
  ◦ unique to you
• certificate
  ◦ public key
  ◦ signed
• certificate authority (CA)
  ◦ signs certificates
  ◦ is independently trusted
5. Old school Identity Management

6. Identity
1. person sends me their cert
2. I look at who it is signed by
3. If I trust the person it is signed by I accept their identity
(diagram: certificate authority → signs → certificate of the person I want to communicate with → me)

7. Trust
1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the person it is signed by I look at who they are signed by, and so on
(diagram: certificate authority B → certificate authority A → certificate of the person I want to communicate with → me)

8. Certificate Chain
(diagram: root certificate authority ... certificate authority B → certificate authority A → certificate → me)

9. Certificate Chain
(diagram: the same chain, root CA ... certificate authority B → certificate authority A → certificate → me, with the root CA and the intermediate CA certificates held in the Trust Keystore)

10. Establishing my Identity
(diagram: root CA ... certificate authority B → certificate authority A → my certificate, which is held in the Identity Keystore)
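The chain walk that slides 6 to 10 describe (look at who signed the cert; if that signer is not in my trust keystore, look at who signed them, and so on, until a trusted CA is reached), written out as an added Python model. This is example code for this page, not the deck's or WebLogic's own. The Cert record is constructed for the example: its key_id and signed_by_key fields stand in for the public key and the CA signature, so the signature check is a string comparison rather than real RSA verification; trust_store plays the role of the trust keystore and available holds the intermediate CA certificates the peer sends or that are held locally. The sample hierarchy (Root CA, CA B, CA A, app01.example.com) is made up to match the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the chain walk needs."""
    subject: str
    issuer: str
    key_id: str         # stands in for the certificate's public key
    signed_by_key: str  # stands in for the signature: the key that produced it


MAX_DEPTH = 8  # longest chain we are willing to walk; bounds loops and junk input


def _signature_ok(cert: Cert, issuer: Cert) -> bool:
    # Stand-in for verifying the CA signature with the issuer's public key.
    return cert.signed_by_key == issuer.key_id


def build_chain(leaf: Cert, available: Dict[str, Cert], trust_store: Dict[str, Cert]) -> List[Cert]:
    """Walk leaf -> issuer -> issuer's issuer ... until a certificate in trust_store signs the link.

    available:   CA certificates the peer presented or that we hold locally, keyed by subject
    trust_store: CA certificates we trust outright (the trust keystore), keyed by subject
    Raises ValueError with the reason when no trusted chain exists.
    """
    chain = [leaf]
    current = leaf
    while True:
        if len(chain) > MAX_DEPTH:
            raise ValueError(f"chain longer than {MAX_DEPTH}")
        # Slide 6, steps 2 and 3: look at who signed it; a trusted signer means accept.
        anchor = trust_store.get(current.issuer)
        if anchor is not None:
            if not _signature_ok(current, anchor):
                raise ValueError(f"signature on {current.subject} does not verify against trusted {anchor.subject}")
            chain.append(anchor)
            return chain
        # Slide 7: not directly trusted, so look at who *they* are signed by, and so on.
        if current.issuer == current.subject:
            raise ValueError(f"{current.subject} is self-signed and not in the trust keystore")
        issuer = available.get(current.issuer)
        if issuer is None:
            raise ValueError(f"no certificate available for issuer {current.issuer}")
        if not _signature_ok(current, issuer):
            raise ValueError(f"signature on {current.subject} does not verify against {issuer.subject}")
        if any(c.subject == issuer.subject for c in chain):
            raise ValueError(f"issuer loop at {issuer.subject}")
        chain.append(issuer)
        current = issuer


def verify(leaf: Cert, available: Dict[str, Cert], trust_store: Dict[str, Cert]) -> Tuple[bool, str]:
    """Return (accepted, chain-as-text or reason): the decision a trust check would make."""
    try:
        return True, " -> ".join(c.subject for c in build_chain(leaf, available, trust_store))
    except ValueError as err:
        return False, str(err)


# Constructed sample hierarchy matching slides 8 to 10: root CA -> CA B -> CA A -> me.
ROOT = Cert("CN=Root CA", "CN=Root CA", "k-root", "k-root")
CA_B = Cert("CN=CA B", "CN=Root CA", "k-b", "k-root")
CA_A = Cert("CN=CA A", "CN=CA B", "k-a", "k-b")
ME = Cert("CN=app01.example.com", "CN=CA A", "k-me", "k-a")
# Same subject as ME, but not signed with CA A's key: a forged certificate.
FORGED = Cert("CN=app01.example.com", "CN=CA A", "k-x", "k-evil")

INTERMEDIATES = {CA_A.subject: CA_A, CA_B.subject: CA_B}  # what the peer sends alongside its cert
TRUST_KEYSTORE = {ROOT.subject: ROOT}                       # what we hold in the trust keystore

if __name__ == "__main__":
    for label, leaf, avail, trust in [
        ("full chain to root", ME, INTERMEDIATES, TRUST_KEYSTORE),
        ("CA B trusted directly", ME, INTERMEDIATES, {CA_B.subject: CA_B}),
        ("missing intermediate", ME, {CA_A.subject: CA_A}, TRUST_KEYSTORE),
        ("forged leaf", FORGED, INTERMEDIATES, TRUST_KEYSTORE),
        ("empty trust keystore", ME, {**INTERMEDIATES, ROOT.subject: ROOT}, {}),
    ]:
        print(f"{label}: {verify(leaf, avail, trust)}")
```

The "empty trust keystore" case is the one to note: the chain is complete and every link checks out, yet it is rejected, because a root that is only presented by the peer is not a root we trust. Trust has to come from our own trust keystore, never from what the other side sends.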
11. What's in the Certificate
• The public key
• Registered name/details of owner
• Validity
• Identity of CA
• Location of CA Revocation List
• Hash function summary (encrypted by CA key)

12. How do I know certificate is valid?
• Client recreates summary "as they should be" (from ~hostname/validity)
• Client hash function on summary and encrypts using CA public key
• Client compares result to public key offered by server
• If same, client now has the public key for the certificate owner and can check validity, (optionally) CRL, etc
• So by now we have the server's public key, which we can secure traffic with
13. Agenda
• Concepts you need
• WebLogic & SSL
• Tools & Commands to manage keys

14. Common tools to manage certificates
• keytool
• openssl
• orapki / Oracle Wallet Manager

15. Overall process for creating certificate
1. create key pair
   ◦ could be self signed - not much use unless every recipient is going to add you to their trust keystore
2. create CSR
3. give CSR to CA
4. receive certificate back from CA

16. Key Stores
• For Fusion Middleware we're interested in:
  ◦ Java Keystores (JKS)
  ◦ Oracle Wallet (PKCS12 format)
• Either:
  ◦ contains one or more certificates
  ◦ each certificate has a CN, and usually has an alias
  ◦ can contain both public and private keys
17. Type of keystore per component
Component | Type of Keystore | Tasks | Tool
Oracle WebLogic Server | JKS-based Keystore | All Keystore operations | JDK Keytool
Oracle WebLogic Server | JKS-based Keystore | Enable SSL | Oracle WebLogic Server Administration Console
All Java EE applications (for example Oracle Directory Integration Platform, Oracle Directory Services Manager) | JKS-based Keystore | All Keystore operations | JDK Keytool

18. Type of keystore per component 2
Component | Type of Keystore | Tasks | Tool
Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory | Oracle Wallet | Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST. Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Modules (HSM)-based wallets, and for environments where Fusion Middleware Control and WLST are not available (such as a stand-alone upgrade of these components without a domain).
Oracle Virtual Directory | JKS-based Keystore | Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST
Oracle SOA Suite | JKS-based Keystore | All Keystore operations | JDK Keytool
Oracle WebCenter | JKS-based Keystore | All Keystore operations | JDK Keytool
19. How WebLogic states its Identity
• Identity comes from a Java Keystore, the "identity keystore"
  ◦ must contain a certificate & key-pair under a matching alias
• Each WebLogic server instance (Admin Server and Managed Servers) has to have an identity keystore to do SSL

20. How WebLogic Establishes Trust
• Trust comes from another JKS, the "trust keystore"
• Choice of standalone JKS or to use the one in the JDK trust (stored with JRE)
• Note:
  ◦ DemoIdentity
  ◦ DemoTrust

21. WebLogic Identity/Trust Combinations
• Demo Identity and Demo Trust (default - not for prod)
  ◦ CN=hostname, signed by BEA CA that anyone can sign with
• Custom Identity and Java Standard Trust
  ◦ determine trust from java/…
• Custom Identity and Custom Trust
  ◦ our own identity and trust keystores
• Custom Identity and Command Line Trust
  ◦ our own identity but trust keystore specified in start-up param

22. Certificates Required
• Server sends out its cert when someone tries to connect over SSL (i.e. one way) but can optionally request cert from client (two way) - console options:
  ◦ Client Certs Not Requested
  ◦ Client Certs Requested but Not Enforced
  ◦ Client Certs Requested and Enforced

23. Hostname Verification
◦ None
◦ BEA Hostname Verifier
◦ Custom Hostname Verifier
  e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier
• What does none mean?
  ◦ The cert is requested, but it need not have a CN for the host WebLogic is trying to connect to: it could be any old certificate.
24. Set ignoreHostnameVerification = true?!?
• We strongly recommend enabling hostname verification in all test and production environments.
• Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle recommends leaving host name verification on in production environments"
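What the three hostname-verification options on slides 23 and 24 actually decide, as an added Python model (example code for this page, not WebLogic's implementation). The mode names "none", "bea" and "wildcard" mirror None, the BEA Hostname Verifier and a wildcard-capable custom verifier; the certificate is a constructed dict with a cn and optional dns_sans; and the wildcard rule used here (only the whole leftmost label may be a wildcard, it matches exactly one label, and a bare "*.com" is refused) is an assumption of this example, not a statement about what SSLWLSWildcardHostnameVerifier does.

```python
from typing import Any, Dict, List, Tuple

# Mirrors the slide's options: None / BEA Hostname Verifier / wildcard custom verifier.
MODES = ("none", "bea", "wildcard")


def hostname_matches(expected_host: str, name: str, allow_wildcard: bool) -> bool:
    """Does a name from the certificate identify the host we meant to connect to?"""
    expected = expected_host.rstrip(".").lower()
    candidate = name.rstrip(".").lower()
    if not expected or not candidate:
        return False
    if candidate == expected:
        return True
    if not allow_wildcard or not candidate.startswith("*."):
        return False
    suffix = candidate[2:]
    # Wildcard rule assumed by this example: the whole leftmost label is the wildcard,
    # no other label may contain one, the suffix must still contain a dot (no "*.com"),
    # and the wildcard matches exactly one label.
    if "*" in suffix or "." not in suffix:
        return False
    first, dot, rest = expected.partition(".")
    return dot == "." and first != "" and rest == suffix


def verify_peer(expected_host: str, cert: Dict[str, Any], mode: str) -> Tuple[bool, str]:
    """Accept or reject the peer's certificate for expected_host under the given mode.

    cert is a constructed dict: {"cn": str, "dns_sans": [str, ...]} (dns_sans optional).
    Trust-chain checking is assumed to have passed already; this is only the name check.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "none":
        # ignoreHostnameVerification=true: the name is never compared, so any certificate
        # that chains to a trusted CA is accepted for any host ("any old certificate").
        return True, "hostname verification disabled; certificate accepted unchecked"
    names: List[str] = list(cert.get("dns_sans", [])) + [cert["cn"]]
    for name in names:
        if hostname_matches(expected_host, name, allow_wildcard=(mode == "wildcard")):
            return True, f"{name} matches {expected_host}"
    return False, f"none of {names} match {expected_host}"


if __name__ == "__main__":
    host = "app01.example.com"
    certs = {
        "right host": {"cn": "app01.example.com"},
        "other host": {"cn": "other.example.net"},          # valid cert, wrong server
        "wildcard": {"cn": "*.example.com"},
        "san only": {"cn": "lb.example.com", "dns_sans": ["app01.example.com"]},
    }
    for mode in MODES:
        for label, cert in certs.items():
            print(f"{mode:8} {label:11} -> {verify_peer(host, cert, mode)}")
```

Run it and the "none" column is the point of slide 24: a certificate issued to a completely different host is accepted for app01.example.com, so a trusted CA's signature alone tells you nothing about whom you are talking to.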
25. Agenda
• Concepts you need
• WebLogic & SSL
• Tools & Commands to manage keys

26. Keystore Naming Conventions
• Do not use a name longer than 256 characters
• Do not use any of the following characters in a keystore name: | ; , ! @ # $ ( ) < > / " ' ` ~ { } [ ] = + & ^ space tab
• Do not use non-ASCII characters in a keystore name
• Additionally, follow the operating system-specific rules for directory and file names

27. Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any directory on the file system is not supported. Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility.
http://docs.oracle.com/cd/E21764_01/core.1111/e10105/wallets.htm
28. Generate self signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 \
  -keypass ${KEY_PASSWORD}

What is your first and last name?
  [Unknown]:  somehost.localdomain
What is the name of your organizational unit?
  [Unknown]:  Example Department
What is the name of your organization?
  [Unknown]:  Example Company
What is the name of your City or Locality?
  [Unknown]:  Manchester
What is the name of your State or Province?
  [Unknown]:  West Midlands
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB correct?
  [no]:  yes
Enter key password for <selfsigned>
  (RETURN if same as keystore password):

29. Generate self signed certificate 2
keytool -genkey -keyalg RSA -alias selfsigned \
  -keystore ${JKS} \
  -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB" \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 \
  -keypass ${KEY_PASSWORD}
(callout on the CN) This must be the hostname that clients use to connect to you. E.g. may be a CNAME or a VIP.

30. Create key pair
keytool -genkey \
  -alias `hostname` \
  -keyalg RSA \
  -keystore ${JKS} \
  -keysize 2048

31. Create certificate signing request
keytool -certreq \
  -alias `hostname` \
  -keystore ${JKS} \
  -file ${REQUEST_FILE}

32. Import a signed certificate from CA
keytool -import \
  -trustcacerts \
  -alias `hostname` \
  -file ${SIGNED_CERT} \
  -keystore ${JKS}

33. List contents of keystore
keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
  MD5:  DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
  SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
  Signature algorithm name: SHA1withRSA
  Version: 3
34. keytool commands for checking
• Check a stand-alone certificate
  keytool -printcert -v -file ${CERTIFICATE}
• Check which certificates are in a Java keystore
  keytool -list -v -keystore ${JKS}
• Check a particular keystore entry using an alias
  keytool -list -v -keystore ${JKS} -alias ${ALIAS}
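Reading `keytool -list -v` output by eye (slides 33 and 34) does not scale past a handful of keystores, so here is an added Python checker that turns such a listing into findings: identity entries that are self-signed (nobody but the server vouches for the name), chains signed with MD5 or SHA-1, and certificates that are expired or within a warning window of expiry. This is example code written for this page, not part of the deck or of keytool; the SAMPLE_LISTING is constructed to match the shape of the slide 33 output (a trustedCertEntry has no Certificate[n] sections, which the parser handles), and its aliases, serial numbers and the Example Company names are made up. The date format string and the list of weak algorithm prefixes are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"       # keytool's "Sat Feb 09 14:32:23 GMT 2013"
WEAK_SIGNATURE_PREFIXES = ("MD5", "SHA1")  # signature algorithms to flag (assumption of this example)

# Constructed listing in the shape of `keytool -list -v`; aliases, serials and names are made up.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: selfsigned
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Signature algorithm name: SHA1withRSA

*******************************************

Alias name: app01.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=app01.example.com, O=Example Company, C=GB
Issuer: CN=Example Issuing CA, O=Example Company, C=GB
Valid from: Fri Mar 01 09:00:00 GMT 2013 until: Sat Jun 15 09:00:00 GMT 2013
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Company, C=GB
Issuer: CN=Example Root CA, O=Example Company, C=GB
Valid from: Tue Jan 01 00:00:00 GMT 2013 until: Thu Jan 01 00:00:00 GMT 2026
Signature algorithm name: SHA256withRSA

*******************************************

Alias name: examplerootca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Company, C=GB
Issuer: CN=Example Root CA, O=Example Company, C=GB
Valid from: Tue Jan 01 00:00:00 GMT 2013 until: Sat Jan 01 00:00:00 GMT 2033
Signature algorithm name: SHA256withRSA
"""


@dataclass
class CertInfo:
    owner: str
    issuer: str
    not_before: datetime
    not_after: datetime
    sig_alg: str


@dataclass
class KeystoreEntry:
    alias: str
    entry_type: str
    chain: List[CertInfo]  # chain[0] is the entry's own certificate


def _field(block: str, name: str) -> Optional[str]:
    m = re.search(rf"^{re.escape(name)}: (.+)$", block, re.M)
    return m.group(1).strip() if m else None


def _parse_cert(block: str) -> CertInfo:
    m = re.search(r"^Valid from: (.+?) until: (.+)$", block, re.M)
    if m is None:
        raise ValueError("certificate block has no validity line")
    return CertInfo(_field(block, "Owner") or "", _field(block, "Issuer") or "",
                    datetime.strptime(m.group(1).strip(), DATE_FMT),
                    datetime.strptime(m.group(2).strip(), DATE_FMT),
                    _field(block, "Signature algorithm name") or "")


def parse_listing(text: str) -> List[KeystoreEntry]:
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias = chunk.splitlines()[0].strip()
        # PrivateKeyEntry chains are printed as Certificate[n] sections; a trustedCertEntry has none.
        parts = re.split(r"^Certificate\[\d+\]:[ \t]*$", chunk, flags=re.M)
        blocks = parts[1:] if len(parts) > 1 else [chunk]
        entries.append(KeystoreEntry(alias, _field(chunk, "Entry type") or "",
                                     [_parse_cert(b) for b in blocks]))
    return entries


def audit(entries: List[KeystoreEntry], now: datetime, warn_days: int = 30) -> List[Tuple[str, str]]:
    """Return (alias, finding) pairs; validity findings concern the entry's own certificate."""
    findings = []
    for e in entries:
        leaf = e.chain[0]
        if e.entry_type == "PrivateKeyEntry" and leaf.owner == leaf.issuer:
            findings.append((e.alias, "SELF_SIGNED_IDENTITY"))  # only the server itself vouches for it
        for c in e.chain:  # any weak link in the chain counts
            if c.sig_alg.upper().startswith(WEAK_SIGNATURE_PREFIXES):
                findings.append((e.alias, "WEAK_SIGNATURE:" + c.sig_alg))
                break
        if now > leaf.not_after:
            findings.append((e.alias, "EXPIRED"))
        elif leaf.not_after - now <= timedelta(days=warn_days):
            findings.append((e.alias, "EXPIRING_SOON"))
    return findings


if __name__ == "__main__":
    for alias, finding in audit(parse_listing(SAMPLE_LISTING), datetime(2013, 6, 1)):
        print(f"{alias}: {finding}")
```

The self-signed test is deliberately limited to PrivateKeyEntry items: a root CA in a trust keystore is self-signed by nature, while a self-signed certificate under the alias WebLogic serves from is exactly the "not much use" case of slide 15.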
35. Other useful keystore commands
• Delete a certificate from a Java Keytool keystore
  keytool -delete -alias ${ALIAS} -keystore ${JKS}
• Change a Java keystore password
  keytool -storepasswd -new ${NEW_PASSWORD} -keystore ${JKS}
• Export a certificate from a keystore
  keytool -export -alias ${ALIAS} -file ${CERTIFICATE} -keystore ${JKS}

36. Copy key to other keystore
SRC_ALIAS=cn=`hostname`
keytool -importkeystore \
  -srckeystore ${JKS} \
  -srcstorepass ${JKS_PASSWORD} \
  -destkeystore ${IDENTITY_KS} \
  -deststorepass ${ID_KS_PASSWORD} \
  -srcalias ${SRC_ALIAS} \
  -destalias `hostname` \
  -destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF
37. Convert wallet to keystore
orapki wallet pkcs12_to_jks \
  -wallet ${WALLET} \
  -pwd ${WALLET_PASSWORD} \
  -jksKeyStoreLoc ${JKS} \
  -jksKeyStorepwd ${JKS_PASSWORD} \
  -jksTrustStoreLoc ${TRUSTSTORE} \
  -jksTrustStorepwd ${TRUSTSTORE_PASSWORD}

38. Convert keystore to wallet
orapki wallet create -wallet ${WALLET} \
  -pwd ${WALLET_PASSWORD} -auto_login

orapki wallet jks_to_pkcs12 -wallet ${WALLET} \
  -pwd ${WALLET_PASSWORD} \
  -keystore ${JKS} -jkspwd ${JKS_PASSWORD}

39. About Importing DER-encoded Certificates
• You cannot use Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Use these tools instead:
• To import DER-encoded certificates or trusted certificates into an Oracle wallet, use:
  ◦ Oracle Wallet Manager or
  ◦ orapki command-line tool
• To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility
40. Summary
We discussed how WebLogic uses Identity, Trust & CAs
• Always enable Hostname Verification!
• Never use Demo Certs - do SSL properly or not at all

41. Questions?
Contact us! (e.g. DM on Twitter)
Jacco: @oraclemva
Simon: @simon_haslam