Posts

Showing posts from February 4, 2018

Configuring SSL on Weblogic Server – Custom Identity and Custom Trust

I have been getting a lot of requests for a very simple document on configuring SSL on WebLogic Server. It is a pretty straightforward configuration, but most people are not aware of it. WLS is by default configured with DemoIdentity and DemoTrust; we just need to enable the SSL port under the General tab of the server and WLS will start listening over SSL on that port. However, using demo certificates is not recommended in a production environment, so we can either get our certificates signed by a third-party certifying authority or use our own root CA to sign our own certificates. To keep things simple I have developed a simple build script to generate SELF SIGNED CERTIFICATES. You just need to set the environment by running setWLSEnv.cmd present under WL_HOME\server\bin. Run the build script and the keystores will be generated in that directory. I have used keytool to generate the keystores; you can get more details here http://download.oracle.com/javase/1.4.2/do...

SSL Exceptions in Admin Server and Node Manager.

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from oracle.test.com – xx.xxx.xx.xx. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.

<WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake>
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:849)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)

The above exceptions are the most common exceptions encountered during the setup of WebLogic Server in an environment. The stack does suggest what the reasons could be, but the diagnostics are not mentioned. To debug this issue, first we need...

Restrict Key Size Larger than 128 bit on Weblogic Server.

WebLogic Server uses SSL/TLS certificates with varying key sizes for encryption. Some security policies require enforcing a minimum key size (e.g., 128-bit or larger). Below are methods to configure this restriction.

Restricting Key Size in WebLogic (SSL Configuration):

Via Admin Console
Navigate to SSL Settings: Go to Environment → Servers → [Your_Server] → SSL → Advanced.
Set Minimum Key Size (bits) to 128 (or higher, e.g., 256).
Apply & Restart: To restrict key size larger than 128 bit we need to select only those cipher suites in the configuration which use a 128-bit key.

Using WLST (WebLogic Scripting Tool)
    connect('weblogic', 'password', 't3://localhost:7001')
    edit()
    startEdit()
    cd('/Servers/AdminServer/SSL/AdminServer')
    cmo.setMinimumKeySize(128)  # Enforce 128-bit minimum
    save()
    activate()
    disconnect()

Enforcing at JVM Level (Java Security): WebLogic's SSL settings are insuffi...

Converting certificate formats PEM, DER, PKCS#12 (.pfx/.p12), and JKS

Converting certificate formats is a common task when working with SSL/TLS, web servers, keystores, and certificate authorities. Here's a guide to help you convert between formats like PEM, DER, PKCS#12 (.pfx/.p12), and JKS.

Converting Certificate from JKS to P12 Format
    keytool -importkeystore -srckeystore Fabrizio.jks -destkeystore Fabrizio.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass weblogic1 -deststorepass weblogic1 -srcalias {4d390f81-7f7a-4a0a-ae76-9a5ea5ba567f} -destalias {4d390f81-7f7a-4a0a-ae76-9a5ea5ba567f} -srckeypass weblogic1 -destkeypass weblogic1

Converting certificate from PFX to JKS Format
    java -classpath ./jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import Fabrizio.pfx Fabrizio.jks

Converting certificate from P12 to PFX Format
Import the certificate in the browser using the certificate import wizard by double clicking on the p12 certificate. Go to Internet Options > Content > Certificates > Personal. Choose you...

Configuring two way SSL between Client and Weblogic server with Apache proxying the request.

Configure Apache for SSL
Create the certificates using openssl (present in apache_home\bin) using the below steps:
    openssl genrsa -des3 -out server.key 1024
    openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost
    openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt

Add the following in the httpd.conf file
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
    Listen 443
    <VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
    SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
    SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
    #SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
    #SSLLogLevel debug
    </VirtualHost>

Configure SSL between Apache and Weblogic Server
Add the following in the Location Directive
    SecureProxy ON
    TrustedCAFile...

Configuring SSL on Weblogic Server – Custom Identity and Custom Trust

Secure Sockets Layer has a very important role in how sensitive data can be protected and accessed over a network. WebLogic Server has a dedicated SSL listen port which defaults to 7002. To establish an SSL connection, a Web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPS protocol in the connection URL, e.g. https://<servername>:7002. This post covers the certificate: generating it, installing it and configuring it on WebLogic Server.

1: Generating and procuring the certificate:
Open a command prompt and set the environment by running the setDomainEnv script.
Generate the private – public key pair.
    keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass <password> -keypass <password>
Generate a Certificate Signing Request (CSR) and send it to the Certifying Authority
    keytool -certreq -keyalg RSA -keysize 2048 -alias ...

SSL JNDI Client 2 way SSL with Weblogic

This is a simple demonstration of doing a JNDI lookup using a 2-way SSL client.

Step-1). Create a self-signed certificate using OpenSSL
    openssl genrsa 1024 > host.key
    openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.der
Set the WLS environment and convert the der file to pem using the following command line
    java utils.der2pem host.der

Step-2). Configure WLS for two-way SSL.
Enable SSL on the server. Then go to AdminServer > Configuration > SSL, click Advanced and set
    Hostname Verification: NONE
    Two Way Client Cert Behavior: Client Certs Requested But Not Enforced
Import the certificate into the truststore of WLS
    C:\bea\bea1032\wlserver_10.3\server\lib>keytool -v -import -file host.crt -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
    Owner: CN=myhost, C=IN, ST=MH, L=Pune, EMAILADDRESS=test@MyOrganization, OU=Oracle, O=MyOrganization
    Issuer: CN=myhost, C=IN, ST=MH, L=Pune, EMAILADDRESS=test@MyOrganization, OU=Oracle, O=...

SSL (Secure Sockets Layer) and configure by using Keytool

Configure SSL in WebLogic:
1. Generating the certificate: The steps are:
Step1: Open a command prompt and set the environment by running the setDomainEnv script (C:\bea9\user_projects\domains\ram_domain\bin\setDomainEnv.cmd).
Step2: Generate the private – public key pair; use the keytool java utility to do so.
    keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -keystore identity.jks
Step3: Generate a Certificate Signing Request (CSR) and send it to the Certifying Authority.
    keytool -selfcert -alias mykey -keystore identity.jks
Step 4: Create an identity keystore, this can be done...