Thursday, 8 February 2018

Configuring SSL on Weblogic Server – Custom Identity and Custom Trust

I have been getting a lot of requests for a very simple document on configuring SSL on WebLogic Server.
It is a pretty straightforward configuration, but most people are not aware of it. WLS is by default configured with DemoIdentity and DemoTrust; we just need to enable the SSL port under the General tab of the server and WLS will start listening over SSL on that port. However, using the demo certificates is not recommended in a production environment, so we can either get our certificates signed by a third-party certifying authority or use our own root CA to sign our own certificates. To keep things simple I have written a small build script that generates SELF-SIGNED CERTIFICATES. You just need to set the environment by running setWLSEnv.cmd, present under WL_HOME\server\bin, then run the build script, and the keystores will be generated in that directory. I have used keytool to generate the keystores; you can get more details here:
http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
Follow the steps below to configure WLS with your custom certificates. Later you can modify the values in build.xml to suit your requirements, which makes it very easy to generate the keys just by changing the attribute values.
Step1). Create a directory somewhere, for example:
C:\MyCertificates
Step2). Write the following "build.xml" file inside C:\MyCertificates:
———————————————–
<project name="Generate Keystores" default="all" basedir=".">
    <property name="alias" value="alias" />
    <property name="dname" value="CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US"/>
    <property name="keypass" value="keypass" />
    <property name="identity.jks" value="identity.jks" />
    <property name="storepass" value="storepass" />
    <property name="cert.cer" value="cert.cer" />
    <property name="trust.jks" value="trust.jks" />
    <property name="jdk.home" value="C:/bea/jdk150_06" />

    <target name="all" depends="create-keystores"/>

    <target name="create-keystores">
        <echo>Generating Identity of the Server</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-genkey -alias ${alias} -keyalg RSA -keysize 1024 -dname "${dname}" -keypass ${keypass} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Self Signing the Certificate</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-selfcert -alias ${alias} -dname "${dname}" -keypass ${keypass} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Exporting the Server certificate</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-export -alias ${alias} -file ${cert.cer} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Creating Trust Store</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-import -alias ${alias} -file ${cert.cer} -keystore ${trust.jks} -storepass ${storepass} -noprompt' />
        </exec>
    </target>
</project>
———————————————–
Step3). Now open a command/shell prompt and run ". ./setWLSEnv.sh" to set up the environment.
Step4). Now just run the ANT script by typing "ant" at the command prompt. It will create all the required certificates.
Step5). Now log in to the Admin Console to configure these certificates:
Home >Summary of Servers >AdminServer > General
SSL Listen Port: Enabled (Check)
SSL Listen Port: 7002
Home >Summary of Servers >AdminServer > Keystores
Keystores: Custom Identity Custom Trust
Identity
Custom Identity Keystore: <path>/identity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: storepass
Confirm Custom Identity Keystore Passphrase: storepass
Trust
Custom Trust Keystore:<path>/trust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: storepass
Confirm Custom Trust Keystore Passphrase: storepass
Click SAVE
Home >Summary of Servers >AdminServer > SSL
Identity and Trust Locations: Keystores
Private Key Alias: alias
Private Key Passphrase: keypass
Confirm Private Key Passphrase: keypass
Click SAVE
Step6). Now try to access the Admin Console on the HTTPS port:
https://localhost:7002/console

SSL Exceptions in Admin Server and Node Manager.

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from oracle.test.com – xx.xxx.xx.xx. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.

<WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake>javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:849) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
The above exceptions are the most common ones encountered while setting up SSL on WebLogic Server. The stack trace suggests possible reasons but does not give the diagnostics.
To debug this issue, first check the certificates used by the Admin Server and the Node Manager. If the Admin Server and the Node Manager are using demo certificates, the issue can be due to an incorrect DNS mapping; use nslookup to check the DNS entry. For testing purposes you can set the IP address as the listen address of the Admin Server and the Node Manager and see if the issue still occurs.
Also, for diagnosis, turn off hostname verification and the basic validation checks of the certificates by adding the following flags in startWebLogic.sh:
-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off
And the following flag in startNodeManager.sh
-Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Dweblogic.security.SSL.enforceConstraints=off
If the Admin Server is using Custom Identity and Custom Trust, then it is better to configure the Node Manager with Custom Identity and Custom Trust as well.
By default the Node Manager is configured with Demo Identity and Demo Trust. To change it to Custom Identity and Custom Trust, specify the following values in the nodemanager.properties file present in the Node Manager home:
Keystores=CustomIdentityandCustomTrust
CustomIdentityAlias=
CustomIdentityKeyStoreFileName=
CustomIdentityKeyStorePassPhrase = xxxxxx
CustomIdentityKeyStoreType = JKS
CustomIdentityPrivateKeyPassPhrase = xxxxxxx
Apply the same flags as above in the startup scripts of the Admin Server and the Node Manager.
Check from the console whether the Node Manager is reachable.
Another option is to use PLAIN communication between the Admin Server and the Node Manager.
Change the Listen Type to PLAIN for the Node Manager from the console and set secureListener=false in the nodemanager.properties file present in the Node Manager home.
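The flags and properties above are diagnostic settings: each one either disables a certificate check or removes encryption between the Admin Server and the Node Manager, so they need to be removed again once the root cause is found. As an added example (not from the post), the following Python audits a start script's JVM options and a nodemanager.properties file for exactly those settings, and also reports CustomIdentity* entries left empty after Keystores=CustomIdentityAndCustomTrust has been selected. The sample inputs are constructed from the flag lines and property names shown above.

```python
import re

# JVM flags from the post that disable certificate validation, keyed by flag
# name, with the value that disables the check (compared case-insensitively).
VALIDATION_DISABLING_FLAGS = {
    "weblogic.security.SSL.ignoreHostnameVerification": "true",
    "weblogic.security.SSL.enforceConstraints": "off",
    "weblogic.nodemanager.sslHostNameVerificationEnabled": "false",
}

# Entries that must be filled in once Keystores=CustomIdentityAndCustomTrust is set.
REQUIRED_CUSTOM_IDENTITY_KEYS = (
    "CustomIdentityAlias",
    "CustomIdentityKeyStoreFileName",
    "CustomIdentityKeyStorePassPhrase",
    "CustomIdentityPrivateKeyPassPhrase",
)

FLAG_RE = re.compile(r"-D([\w.]+)=(\S+)")


def audit_jvm_options(java_options):
    """Return the -D flags in a start-script option string that disable SSL validation."""
    findings = []
    for name, value in FLAG_RE.findall(java_options):
        if VALIDATION_DISABLING_FLAGS.get(name) == value.lower():
            findings.append(f"{name}={value}")
    return findings


def parse_properties(text):
    """Minimal key=value parser; keys are lower-cased so SecureListener/secureListener match."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def audit_nodemanager_properties(text):
    """Findings for plain-text listeners, demo keystores and unfilled custom identity keys."""
    props = parse_properties(text)
    findings = []
    if props.get("securelistener", "true").lower() == "false":
        findings.append("SecureListener=false: Admin Server to Node Manager traffic is plain text")
    # The post states Node Manager uses demo identity and trust unless told otherwise.
    keystores = props.get("keystores", "DemoIdentityAndDemoTrust").lower()
    if keystores == "demoidentityanddemotrust":
        findings.append("Keystores=DemoIdentityAndDemoTrust: demo certificates in use")
    elif keystores == "customidentityandcustomtrust":
        for key in REQUIRED_CUSTOM_IDENTITY_KEYS:
            if not props.get(key.lower()):
                findings.append(f"{key} is empty although custom identity is selected")
    return findings


# Constructed sample input: the diagnostic flag lines from the post.
ADMIN_SERVER_FLAGS = ("-Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true "
                      "-Dweblogic.security.SSL.enforceConstraints=off")
NODE_MANAGER_FLAGS = ("-Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false "
                      "-Dweblogic.security.SSL.enforceConstraints=off")

# Constructed sample nodemanager.properties with the alias and file name not yet filled in.
NODEMANAGER_PROPERTIES = """\
Keystores=CustomIdentityAndCustomTrust
CustomIdentityAlias=
CustomIdentityKeyStoreFileName=
CustomIdentityKeyStorePassPhrase = xxxxxx
CustomIdentityKeyStoreType = JKS
CustomIdentityPrivateKeyPassPhrase = xxxxxxx
secureListener=false
"""

if __name__ == "__main__":
    for label, flags in (("Admin Server", ADMIN_SERVER_FLAGS), ("Node Manager", NODE_MANAGER_FLAGS)):
        print(label, "validation-disabling flags:", audit_jvm_options(flags))
    print("nodemanager.properties findings:")
    for finding in audit_nodemanager_properties(NODEMANAGER_PROPERTIES):
        print("  -", finding)
```

Run it against the JAVA_OPTIONS line of a real startWebLogic.sh / startNodeManager.sh and the real nodemanager.properties; an empty result from both functions is the state a domain should be in before it goes back into service.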

How to restrict key sizes larger than 128 bit on WebLogic Server.

To restrict key sizes to 128 bit, select only those cipher suites in the configuration that use a 128-bit key.
Sample config:
<ssl>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
    <hostname-verification-ignored>true</hostname-verification-ignored>
    <listen-port>7002</listen-port>
    <server-private-key-alias>xxxxxxx</server-private-key-alias>
    <server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>
Cipher suites supported by WebLogic Server:
Cipher Suite                              Symmetric Key Strength (bits)
TLS_RSA_WITH_RC4_128_SHA                  128
TLS_RSA_WITH_RC4_128_MD5                  128
TLS_RSA_WITH_DES_CBC_SHA                  56
TLS_RSA_EXPORT_WITH_RC4_40_MD5            40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA         40
TLS_RSA_WITH_3DES_EDE_CBC_SHA             112
TLS_RSA_WITH_NULL_SHA                     0
TLS_RSA_WITH_NULL_MD5                     0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA       56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA        56
TLS_RSA_WITH_AES_128_CBC_SHA              128
TLS_RSA_WITH_AES_256_CBC_SHA              256
In the past I have seen that AES_256 does not work until the unlimited strength jurisdiction policy jars are downloaded from Sun:
Download JCE_policy_1.5_0.zip
Place its contents in JRE/lib/security/
replacing local_policy.jar and US_export_policy.jar.
This gets rid of the "Cipher Suite not initialized" errors.
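The key-strength column of the table can be derived from the suite name itself. The following Python, an added example rather than anything from the post, does that derivation, cross-checks it against the table, and renders a config.xml <ssl> fragment restricted to a chosen key size. It also flags suites whose construction is weak independently of the nominal key size (NULL, EXPORT, DES, 3DES, RC4 and MD5-based MACs; RC4 in particular is prohibited by RFC 7465), so with deprecated suites excluded the 128-bit selection reduces to TLS_RSA_WITH_AES_128_CBC_SHA. The table text is the post's list, embedded as constructed sample input.

```python
import re

# The cipher-suite table from the post, embedded as constructed sample input.
WLS_CIPHER_SUITE_TABLE = """\
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_DES_CBC_SHA 56
TLS_RSA_EXPORT_WITH_RC4_40_MD5 40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 40
TLS_RSA_WITH_3DES_EDE_CBC_SHA 112
TLS_RSA_WITH_NULL_SHA 0
TLS_RSA_WITH_NULL_MD5 0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 56
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
"""

# Name fragments identifying constructions that are weak regardless of key size.
DEPRECATED_TOKENS = ("_NULL_", "EXPORT", "RC4", "DES40", "_DES_", "3DES", "_MD5")


def symmetric_key_bits(suite):
    """Symmetric key strength implied by an IANA-style cipher-suite name."""
    if "_NULL_" in suite:
        return 0
    if "3DES_EDE" in suite:
        return 112            # 168-bit key, 112 bits effective (meet-in-the-middle)
    if "DES40" in suite:
        return 40
    m = re.search(r"_(?:RC4|AES)_(\d+)", suite)
    if m:
        return int(m.group(1))
    if "_DES_" in suite:
        return 56
    raise ValueError(f"unrecognised cipher suite: {suite}")


def is_deprecated(suite):
    """True for constructions that are weak regardless of nominal key size."""
    return any(tok in suite for tok in DEPRECATED_TOKENS)


def parse_table(text):
    """Return [(suite, listed_bits)] from the two-column table."""
    rows = []
    for line in text.strip().splitlines():
        suite, bits = line.split()
        rows.append((suite, int(bits)))
    return rows


def table_mismatches(rows):
    """Suites whose listed strength disagrees with the strength derived from the name."""
    return [s for s, listed in rows if symmetric_key_bits(s) != listed]


def select_suites(rows, key_bits=128, allow_deprecated=False):
    """Suites with exactly key_bits of symmetric key, excluding deprecated ones by default."""
    return [s for s, _ in rows
            if symmetric_key_bits(s) == key_bits and (allow_deprecated or not is_deprecated(s))]


def render_ssl_config(suites, listen_port=7002):
    """config.xml <ssl> fragment in the shape shown in the post."""
    lines = ["<ssl>", "  <enabled>true</enabled>"]
    lines += [f"  <ciphersuite>{s}</ciphersuite>" for s in suites]
    lines += [f"  <listen-port>{listen_port}</listen-port>", "</ssl>"]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_table(WLS_CIPHER_SUITE_TABLE)
    print("table mismatches:", table_mismatches(rows))
    print("128-bit suites, deprecated allowed:")
    print(render_ssl_config(select_suites(rows, 128, allow_deprecated=True)))
    print("128-bit suites, deprecated excluded:")
    print(render_ssl_config(select_suites(rows, 128)))
```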

Converting certificate formats

Converting a certificate from JKS to P12 format:
keytool -importkeystore -srckeystore Fabrizio.jks -destkeystore Fabrizio.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass weblogic1 -deststorepass weblogic1 -srcalias {4d390f81-7f7a-4a0a-ae76-9a5ea5ba567f} -destalias {4d390f81-7f7a-4a0a-ae76-9a5ea5ba567f} -srckeypass weblogic1 -destkeypass weblogic1
Converting a certificate from PFX to JKS format:
java -classpath ./jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import Fabrizio.pfx Fabrizio.jks
Converting a certificate from P12 to PFX format:
1. Import the certificate into the browser using the certificate import wizard by double-clicking the .p12 file.
2. Go to Internet Options > Content > Certificates > Personal.
3. Choose your certificate and click Export.
4. Select "Yes, export the private key".
5. Select Personal Information Exchange format and provide the password.
6. Save the file as .pfx.

Configuring two way SSL between Client and Weblogic server with Apache proxying the request.

Configure Apache for SSL
Create the certificates using openssl (present in apache_home\bin) with the following steps:
openssl genrsa -des3 -out server.key 1024
openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost
openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt
Add the following to the httpd.conf file:
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
#SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
#SSLLogLevel debug
</VirtualHost>
Configure SSL between Apache and Weblogic Server
Add the following in the Location Directive
SecureProxy ON
TrustedCAFile C:\bea101\wlserver_10.0\server\lib\CertGenCA.pem
RequireSSLHostMatch false
Configure Apache to Request for Client Certificate
Add the following in the Location Directive
SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData
Configure Weblogic Server for 2-way SSL
mydomain> Servers> myserver>Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced
Apache_SSL> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter
Trusted Client Principals: provide CN of the Client Certificate
Types: X509
Details:
Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked
Go to the security realm and create a user with the CN of the certificate as the username.
Add the following attribute to the Server element in config.xml:
<Server ClientCertProxyEnabled="true"
Configure the Web Application
The Web Application should require client cert authentication.
Add the following in the web.xml
<context-param>
<param-name>weblogic.httpd.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>
Add the following in the weblogic.xml
<principal-name> CN of the certificate</principal-name>

Configuring SSL on Weblogic Server – Custom Identity and Custom Trust

Secure Sockets Layer plays a very important role in how sensitive data is protected when it is accessed over a network.
WebLogic Server has a dedicated SSL listen port, which defaults to 7002.

To establish an SSL connection, a web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPS protocol in the connection URL.

Ex: https://<servername>:7002.

The steps below cover generating the certificate, installing it and configuring WebLogic Server to use it.

1: Generating and procuring the certificate:
Open a command prompt and set the environment by running the setDomainEnv script.
Generate the private/public key pair:

keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass <password> -keypass <password>
Generate a Certificate Signing Request (CSR) and send it to the Certifying Authority:

keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
Import the certificates into the keystore; this can be done in two ways:

  • Import the certificates in the order RootCA, intermediate CA and then the certificate reply.
  • Create a certificate chain by concatenating them in order into a .pem file.
Import it into the identity keystore under the private key alias:

keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
Import your RootCA certificate into another keystore, which constitutes the trust store:
keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
To verify the contents of a keystore, use the following command:
keytool -list -v -keystore <keystore-name> -storepass <keystore-password>
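A chain file that is out of order is a common reason the imported reply does not line up with the private key: the conventional order is leaf first, each certificate followed by the one that issued it, ending with the root. The Python below is an added example, not from the post, that checks that ordering on a PEM bundle by comparing each certificate's issuer Name against the next certificate's subject Name as raw DER bytes (stricter than RFC 5280 name matching, but fine for a chain produced by one CA). Since no real certificates can be embedded here, it also builds a constructed, unsigned, certificate-shaped DER chain purely for the demonstration; on a real bundle only check_chain_order(open(path).read()) is needed.

```python
import base64
import re

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Raw TLV byte strings of the elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        _, _, nxt = der_tlv(value, pos)
        out.append(value[pos:nxt])
        pos = nxt
    return out


def subject_and_issuer(cert_der):
    """Raw DER of (subject, issuer) Names from a certificate, skipping the optional version."""
    _, cert_body, _ = der_tlv(cert_der)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert_body)            # tbsCertificate ::= SEQUENCE { ... }
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                  # [0] EXPLICIT version, present in v2/v3 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4], fields[2]


def pem_to_ders(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_CERT_RE.findall(text)]


def check_chain_order(pem_text):
    """Indexes i where certificate i was not issued by certificate i+1 (empty = leaf-first order)."""
    certs = pem_to_ders(pem_text)
    problems = []
    for i in range(len(certs) - 1):
        _, issuer = subject_and_issuer(certs[i])
        subject, _ = subject_and_issuer(certs[i + 1])
        if issuer != subject:
            problems.append(i)
    return problems


# --- constructed sample chain: unsigned, certificate-shaped DER, for demonstration only ---

def der(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here only commonName (2.5.4.3)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Minimal tbsCertificate layout so subject_and_issuer() can walk it; no real key or signature."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))         # empty signature placeholder


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert("localhost", "Intermediate CA")
INTERMEDIATE = fake_cert("Intermediate CA", "Root CA")
ROOT = fake_cert("Root CA", "Root CA")
GOOD_BUNDLE = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)
REVERSED_BUNDLE = to_pem(ROOT) + to_pem(INTERMEDIATE) + to_pem(LEAF)

if __name__ == "__main__":
    print("leaf-first bundle problems:", check_chain_order(GOOD_BUNDLE))
    print("root-first bundle problems:", check_chain_order(REVERSED_BUNDLE))
```

The check reports positions rather than fixing the file, so a bundle assembled in the wrong order can be re-concatenated before it is imported under the private key alias.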

SSL JNDI Client 2 way SSL with Weblogic

This is a simple demonstration of doing a JNDI lookup using a two-way SSL client.
Step-1). Create a self-signed certificate using OpenSSL:
openssl genrsa 1024 > host.key
openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.der
Set the WLS environment and convert the DER file to PEM with the following command:
java utils.der2pem host.der
Step-2). Configure WLS for two-way SSL.
Enable SSL on the server.
Then go to
AdminServer > Configuration > SSL
Click Advanced and set
Hostname Verification: NONE
Two Way Client Cert Behavior: Client Certs Requested But Not Enforced
Import the certificate into the trust store of WLS:
C:\bea\bea1032\wlserver_10.3\server\lib>keytool -v -import -file host.crt -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
Owner: CN=myhost, C=IN, ST=MH, L=Pune, EMAILADDRESS=test@MyOrganization, OU=Oracle, O=MyOrganization
Issuer: CN=myhost, C=IN, ST=MH, L=Pune, EMAILADDRESS=test@MyOrganization, OU=Oracle, O=MyOrganization
Serial number: c289a1692a6e8890
Valid from: Wed Jun 09 11:47:27 IST 2010 until: Thu Jun 09 11:47:27 IST 2011
Certificate fingerprints:
MD5: E1:A2:90:AA:D4:12:2E:C2:9E:94:15:81:65:40:47:EB
SHA1: 04:CA:6C:90:B9:3F:EE:DF:8A:81:AB:9F:73:C3:10:FE:95:D4:A8:71
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]:
Certificate was not added to keystore
Restart the server.
Step-3). Compile SSLJNDIClient and run it with the following command line:
java -Dweblogic.security.TrustKeyStore=DemoTrust -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dssl.debug=true SSLJNDIClient
"SSLJNDIClient.java"
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import weblogic.jndi.Environment;
import weblogic.security.PEMInputStream;
import java.io.InputStream;
import java.io.FileInputStream;

public class SSLJNDIClient
{
    public static void main(String[] args) throws Exception
    {
        Context context = null;
        try {
            Environment env = new Environment();
            env.setProviderUrl("t3s://localhost:7002");
            env.setSecurityPrincipal("weblogic");
            env.setSecurityCredentials("weblogic123");
            // Client private key and certificate in PEM format, as produced in Step-1
            InputStream key = new FileInputStream("host.key");
            InputStream cert = new FileInputStream("host.pem");
            key = new PEMInputStream(key);
            cert = new PEMInputStream(cert);
            // Present the client certificate during the two-way SSL handshake
            env.setSSLClientCertificate(new InputStream[] { key, cert });
            env.setInitialContextFactory(Environment.DEFAULT_INITIAL_CONTEXT_FACTORY);
            context = env.getInitialContext();
            context.bind("name", new String("hello"));
        }
        finally {
            if (context != null) context.close();
        }
    }
}
Check the JNDI tree for the bound object.

SSL (Secure Sockets Layer):

Configure SSL in WebLogic:
1. Generating the certificate:
The steps are as follows:
Step 1: Open a command prompt and set the environment by running the setDomainEnv script
           (C:\bea9\user_projects\domains\ram_domain\bin\setDomainEnv.cmd).
Step 2: Generate the private/public key pair. For demonstration we use the keytool Java utility; other utilities such as openssl can be used instead.
           keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -keystore identity.jks
Step 3: Self-sign the certificate. (To have it signed by a Certifying Authority instead, generate a Certificate Signing Request (CSR) with keytool -certreq and send it to the CA.)
           keytool -selfcert -alias mykey -keystore identity.jks
Step 4: Export the server certificate from the identity keystore:
           keytool -export -alias mykey -file cert.cer -keystore identity.jks
Step 5: Create the trust keystore by importing that certificate:
           keytool -import -alias mykey -file cert.cer -keystore trust.jks -noprompt
To verify the contents of a keystore, use the following command:
           keytool -list -v -keystore <keystore-name> -storepass <keystore-password>
2) Configuring the keystore on the WebLogic Server:
Step 1: Log in to the Admin Console and click on Servers.
Step 2: Click on Lock & Edit.
Step 3: Select the server on which you want to configure the SSL certificate (e.g. ms1).
Step 4: Click on Keystores.
Step 5: Select Custom Identity and Custom Trust.
Identity:
Custom Identity Keystore: C:\bea9\user_projects\domains\sai_domain\identity.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: lakshmi@123
Trust:
Custom Trust Keystore: C:\bea9\user_projects\domains\sai_domain\trust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: lakshmi@123
-> Save -> Activate Changes
Step 6: Click on SSL.
Step 7: Enter the identity:
           Private Key Alias: mykey
           Private Key Passphrase: lakshmi@123
           -> Save -> Activate Changes

To check SSL, open https://localhost:5003/messaging in a browser (5003 is the SSL port of ms1 and /messaging is the deployed application).