Sunday 11 February 2018

Weblogic Server as Server (Two Way SSL Communications) - 1

Weblogic Server as Server:
Mozilla Firefox as the Client:
1: Weblogic Server is configured for SSL:
2: Certificate used by Weblogic Server is: ServerCert
3: Private Key used by Weblogic Server is: ServerKey
4: Trust Store used by Weblogic Server is: DemoTrust.
Two Way SSL Communications:
1: Client initiates an SSL connection with the Server.
2: Server sends its Identity Certificate to the Client.
3: Client will trust this Identity Certificate from the Server.
4: Server will ask for the Identity Certificate from the Client.
5: Client will send its own Identity Certificate to the Server.
6: Server will trust the Certificate sent by the Client.
7: Client will ask for a cipher negotiation from the Server.
8: Server will confirm a common cipher from those presented by the Client.
9: Handshake is successful and encrypted data will start flowing over the network.
From the above process we have the following requirements for configuring two way SSL on Weblogic Server.
1: Identity Certificate for Weblogic Server.
2: Identity Certificate for Client (Mozilla Firefox).
3: Trust Store of Weblogic Server which should contain the root Certificate of the CA which issued the Client Identity Certificate.
4: Trust Store of Client which should contain the root certificate of the CA which issued the Identity Certificate of the Weblogic Server.
Now we will be creating the Certificates required for Weblogic Server:
From the above we need an Identity Certificate for Weblogic Server issued by CA.
Here we will be creating a certificate using the Weblogic CertGen utility, with the Weblogic CertGenCA.der as the Certificate Authority.
  1. Create a Weblogic Server Domain ssl_domain.
  2. Open a command prompt and move to ssl_domain/bin directory.
  3. Run the setDomainEnv.cmd file to set the environment on the command prompt.
  4. Then create a Directory anywhere on the file system named: ServerCert.
  5. From the already opened command prompt go to the ServerCert directory.
  6. Run the following command:
java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass keypass
The above Command will be creating four files:
ServerCert.der and ServerCert.pem: These are the Identity Certificate in DER and PEM format.
ServerKey.der and ServerKey.pem: These are the Private Key for the above certificate in DER and PEM format.
Keypass: This is the Private Key password required to read the Private Key.
  7. The CA used above is CertGenCA.der, which the CertGen utility uses by default when no CA is explicitly specified.
  8. We need to concatenate the CertGenCA certificate to the end of the above created certificate ServerCert.pem.
  9. In order to concatenate CertGenCA.der we have to convert the certificate into PEM format, and for that we will be using the Weblogic der2pem utility.
10.  First copy the CertGenCA.der file from the %BEA_HOME%/wlserver_103/server/lib directory to your newly created ServerCert directory.
11.  From the command prompt used above run the following command:
java utils.der2pem CertGenCA.der
12.  The above command will convert CertGenCA.der into CertGenCA.pem format.
13.  Now append the contents of CertGenCA.pem after the contents of ServerCert.pem, writing the combined chain to myCert.pem, using the below command:
type ServerCert.pem CertGenCA.pem >> myCert.pem
14.  Since Weblogic Server uses a JKS file store for SSL configuration, we will have to import the above created myCert.pem and the Private Key into a JKS file using the Weblogic ImportPrivateKey utility.
15.  From the same command Prompt run the below command:
java utils.ImportPrivateKey -keystore ServerIdentity.jks -storepass storepass -storetype JKS -keypass keypass -alias mykey -certfile myCert.pem -keyfile ServerKey.pem -keyfilepass keypass

Keystore: ServerIdentity.jks – This is the JKS file into which the certificate and key will be imported.
Storepass: storepass – This is the password of the keystore file ServerIdentity.jks.
Storetype: JKS – This is the type of keystore to be used. It can be PKCS12, PEM etc.
Keypass: keypass – This is the password required to read the Private Key from the keystore. For simplicity we will be using keypass only.
Alias: mykey – This is the alias used for reading the Private Key from the Keystore.
Certfile: myCert.pem – This is the certificate to be imported into the Keystore.
Keyfile: ServerKey.pem – This is the Private Key to be imported into the Keystore.
Keyfilepass: keypass – This is the Password used in the CertGen utility command required to read the Private Key from the ServerKey.pem file.
16.  The above command creates the file ServerIdentity.jks. This file will be used for configuring SSL on Weblogic.
17.  The Certificate Authority for the above created certificate is the default CertGenCA.der, and this CA is by default present in the DemoTrust.jks file.
18.  So for the Trust Store of Weblogic Server we will be using the default DemoTrust.jks file present in the %BEA_HOME%/wlserver_103/server/lib directory.
19.  So copy the DemoTrust.jks file from the above mentioned directory to our working directory, i.e. ServerCert.
20.  Now Start the Admin Server of the Weblogic Server and log into the Admin Console.
21.  Click on the Admin Server:
22.  Enable the SSL port from the General configuration tab of the Admin Server and save it.
23.  By Default the Admin Server SSL Port is: 7002.
24.  Now click on the keystores tab of the Admin Server.
25.  Fill in the Following entries:
  • Keystores: Custom Identity Custom Trust.
  • Custom Identity Keystore: C:\ServerCert\ServerIdentity.jks
  • Custom Identity Keystore Type: JKS
  • Custom Identity Keystore Passphrase: storepass (same as the –storepass value of ImportPrivateKey)
  • Confirm Custom Identity Keystore Passphrase: storepass
  • Custom Trust Keystore: C:\ServerCert\DemoTrust.jks
  • Custom Trust Keystore Type: JKS
  • Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
  • Confirm Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
26.  Save it.
27.  Click on the SSL tab:
  • Identity and Trust Locations: Keystores
  • Private Key Alias: mykey
  • Private Key Passphrase: keypass (same as –keypass value of ImportPrivateKey utility used above)
28.  Click on Advanced option and select the value of Hostname Verification to NONE.
29.  Save it.
30.  Restart the Admin Server.
31.  This completes the SSL configuration of the Weblogic Server.
32.  Now, after restarting the Admin Server, check whether the Admin Console is accessible over the https port by opening the following URL in Mozilla Firefox:
https://localhost:7002/console
If the above URL is accessible, this confirms that the SSL configuration is correct for the Weblogic Admin Server.
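As an added example (not from the original post, and not Oracle's own tooling), the following Python reader parses the JKS format that ImportPrivateKey and keytool write, so you can confirm before touching the console that the storepass you will enter as the Custom Identity Keystore Passphrase verifies the keystore's integrity digest, and that the alias you will enter as the Private Key Alias is a private-key entry carrying the two-certificate chain (ServerCert followed by CertGenCA) built from myCert.pem; the same check applies to the server_identity.jks created with keytool later on this page. The functions build_jks, read_jks and server_identity_ok and the placeholder DER blobs are constructed for this example; the private key itself is not decrypted, since it is protected separately by keypass.

```python
import hashlib
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY, TRUSTED_CERT = 1, 2  # JKS entry tags

def _utf(s):  # Java writeUTF: 2-byte big-endian length, then the bytes (same as UTF-8 for ASCII)
    return struct.pack(">H", len(s.encode())) + s.encode()

def jks_digest(storepass, body):
    # JKS integrity check: SHA-1(UTF-16BE(storepass) || "Mighty Aphrodite" || body).
    # storepass only guards integrity; the private key itself is encrypted under keypass.
    return hashlib.sha1(storepass.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(storepass, entries):
    """Write a JKS v2 file from (alias, PRIVATE_KEY, (encrypted_key, [cert, ...])) tuples."""
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, tag, (key, certs) in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # tag, alias, timestamp
        out += struct.pack(">I", len(key)) + key + struct.pack(">I", len(certs))
        for cert in certs:  # chain order matters: leaf first, then the CA that issued it
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return out + jks_digest(storepass, out)

def read_jks(data, storepass):
    """Verify the digest with storepass and return {alias: (entry kind, chain length)}."""
    body, digest = data[:-20], data[-20:]
    if jks_digest(storepass, body) != digest: raise ValueError("wrong storepass or keystore tampered")
    magic, version, count = struct.unpack(">III", body[:12])
    if (magic, version) != (JKS_MAGIC, JKS_VERSION): raise ValueError("not a JKS version 2 keystore")
    pos, entries = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack(">IH", body[pos:pos + 6]); pos += 6
        alias = body[pos:pos + alen].decode(); pos += alen + 8  # read alias, skip timestamp
        nchain = 1  # a trustedCertEntry (as in DemoTrust.jks) holds exactly one certificate
        if tag == PRIVATE_KEY:
            klen, = struct.unpack(">I", body[pos:pos + 4]); pos += 4 + klen  # skip encrypted key
            nchain, = struct.unpack(">I", body[pos:pos + 4]); pos += 4
        for _ in range(nchain):  # each cert: type string, then length-prefixed DER
            tlen, = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + tlen
            clen, = struct.unpack(">I", body[pos:pos + 4]); pos += 4 + clen
        entries[alias] = ("PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry", nchain)
    return entries

# Constructed sample of ServerIdentity.jks after ImportPrivateKey with myCert.pem (ServerCert
# followed by CertGenCA). The blobs are placeholders standing in for real DER, not certificates.
SAMPLE_JKS = build_jks("storepass", [("mykey", PRIVATE_KEY,
    (b"<ServerKey under keypass>", [b"<ServerCert DER>", b"<CertGenCA DER>"]))])

def server_identity_ok(data, storepass, alias="mykey"):
    # True when the alias WebLogic is pointed at is a private-key entry carrying leaf + CA.
    kind, nchain = read_jks(data, storepass).get(alias, (None, 0))
    return kind == "PrivateKeyEntry" and nchain >= 2
```

Run it against the real file with open("ServerIdentity.jks", "rb").read(); a digest mismatch means the passphrase entered in the console will be rejected at server start.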

Two Way SSL

Here the client needs to authenticate to server resources by providing its certificate; how strictly the client's certificate is verified depends on the server's requirement. The client verifies the server certificate and the server verifies the client certificate.

Example: a WebServer connecting to a WebLogic Server, where the two exchange certificates to establish their communication.

The following figure shows how the client and server go through the initial communication when they are set up in two-way SSL.

As the above picture is self-explanatory, I do not see space to explain the whole process; we will proceed to the practicals directly.

Step 1. Create the Identity and Trust Key Store for the WebLogic Server.

The Identity Key Store is required to define the identity of the WebLogic Server, so that clients can use it to trust the server.

The Trust Keystore is required to store the Root Certificates of the clients, so that the server can trust or identify the incoming requests from the clients.

Create a Server Identity Keystore with your Public Key and Private Key:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -genkey -alias server_cert -keyalg RSA -keysize 2048 -keystore server_identity.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ShaileshDyade
What is the name of your organizational unit?
  [Unknown]:  Personal
What is the name of your organization?
  [Unknown]:  Technology
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  yes

Enter key password for <server_cert>
        (RETURN if same as keystore password):
Re-enter new password:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>


Note: Here I have used the Keystore and Key passwords as different values.

I am done with creating the server identity key store file (the .JKS extension stands for Java Key Store). You have multiple formats of Keystore available for use with WebLogic Server.

Generate Certificate Signing Request

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -certreq -v -alias server_cert -file csr_for_mysite.csr -keystore server_identity.jks
Enter keystore password:
Enter key password for <server_cert>
Certification request stored in file <csr_for_mysite.pem>
Submit this to your CA