White Paper: Enabling SSL on Oracle WebLogic Cluster


White Paper

Abstract

This white paper describes the procedure to enable SSL on a WebLogic Cluster using self-signed certificates.

September 2013

Enabling SSL on Oracle® WebLogic Cluster Using Self-Signed Certificates

2 Enabling SSL on Oracle WebLogic Cluster

Copyright © 2013 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided "as is." EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. VMware is a registered trademark of VMware, Inc. All other trademarks used herein are the property of their respective owners. Part Number H12383


Table of Contents

Introduction 4

Audience 4

Related documents 4

Enabling Production Mode 4

Production and Development Modes 4

Generating the Identity KeyStore 5

Generating the Trust KeyStore 6

Configuring the Identity and Trust KeyStores 6

Identity 6

Trust 6

Configure the Identity KeyStore details 8

Configure the SSL port on WebLogic Managed Server 8

Configuring the Second WebLogic Managed Server 9

Restart and Verification of WebLogic Managed Servers 9

Generate Trust CA file for Apache Webserver 10

Apache Webserver Configuration 10

Troubleshooting 11

Sample Keytool Commands 13

References 15


Introduction

This white paper discusses the steps to enable SSL with self-signed certificates on an Oracle WebLogic application server in a clustered environment, and to enable one-way SSL communication between the WebLogic Managed Server and the Apache Webserver. The procedure for generating a self-signed certificate and configuring the certificate on the WebLogic Server involves the following steps:

1 Enabling Production Mode

2 Generating the Identity KeyStore

3 Generating the Trust KeyStore

4 Configuring the Identity and Trust KeyStores

5 Configure the Identity KeyStore details

6 Configure the SSL port on WebLogic Managed Server

7 Configure the second WebLogic Managed Server

8 Restart and Verification of WebLogic Managed Servers

9 Generate Trust CA file for Apache Webserver

10 Apache Webserver Configuration

Audience

This white paper is intended for testers who want to understand the process of generating self-signed certificates and configuring SSL on an Oracle WebLogic application server in a clustered environment.

Related documents

Installing and Configuring an Oracle WebLogic Application Server for EMC Documentum WDK/Webtop

Enabling Production Mode

Production and Development Modes

WebLogic Managed Servers in a domain can be configured to start in one of two modes: development or production.

Development mode is used while developing applications. Development mode uses a relaxed security configuration and enables us to auto-deploy applications. In development mode, the demonstration digital certificates provided by the WebLogic Server security services can be used. The demonstration digital certificates, private keys, and trusted CA certificates should be used in a development environment only.

Production mode is used when the application is running in its final form. A production domain uses full security and may use clusters or other advanced features. The Sun Microsystems keytool utility can be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR). Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server. Use keytool to update the self-signed digital certificate with the new digital certificate. Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment.

In the WebLogic Admin Console, navigate to the Domain node.

On the Configuration > General tab, ensure the Production Mode option is set to true.

Generating the Identity KeyStore

An Identity KeyStore is generated for each WebLogic Managed Server. Using the keytool utility, an Identity KeyStore of JKS type is generated.

Run the below command to generate the Identity KeyStore. Provide the machine's fully qualified domain name for the Common Name:

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore identity1.jks -storepass password -keypass password

Generating the Trust KeyStore

A Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers.

The certificate file is exported from the Identity KeyStore and imported as a trusted CA file into the Trust KeyStore. Provide the machine's fully qualified domain name for the Common Name while generating the Trust KeyStore.

Exporting the certificate file from the Identity KeyStore:

keytool.exe -exportcert -alias node1 -file node1cert.cer -keystore Identity1.jks -storetype JKS

Generating the Trust KeyStore of JKS type and importing the certificate as a trusted CA file:

keytool.exe -importcert -trustcacerts -alias node1 -file node1cert.cer -keystore Truststore1.jks -storetype JKS

Configuring the Identity and Trust KeyStores

In the WebLogic Admin Console (e.g. http://<WebLogicServerIP>:7001/console), under Domain > Servers, select the Managed Server [Managed Node1] to configure SSL.

On the settings for the Managed Server, navigate to the Configuration > Keystores tab.

For the Keystores field, from the dropdown list, select "Custom Identity and Custom Trust".

Provide the Identity KeyStore and Trust KeyStore details:

Identity

Custom Identity KeyStore: provide the path and file name of the Identity KeyStore

Custom Identity KeyStore Type: JKS

Custom Identity KeyStore Passphrase: storepass (the Identity KeyStore's storepass value)

Trust

Custom Trust KeyStore: provide the path and file name of the Trust KeyStore

Custom Trust KeyStore Type: JKS

Custom Trust KeyStore Passphrase: storepass (the Trust KeyStore's storepass value)


Configure the Identity KeyStore details

In the Admin Console, navigate to the Configuration > SSL tab of the Managed Server.

Provide the details for Private Key Alias and Private Key Passphrase. These are the values given while generating the Identity KeyStore:

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore c:\ssl\identity1.jks -storepass password -keypass password

In the above command:

Private Key Alias = node1

Private Key Passphrase = password (the keypass value)

NOTE: By default, SSL enabled on a WebLogic Managed Server is one-way SSL. To change to two-way SSL, select the two-way SSL behavior from the "Advanced" option list.

Configure the SSL port on WebLogic Managed Server

In the WebLogic Admin Console, navigate to the Configuration > General tab of the Managed Server. The SSL port for the WebLogic Managed Server is defined here.

Check "SSL Listen Port Enabled" and provide the SSL Listen Port details.

Configuring the Second WebLogic Managed Server

The Identity and Trust KeyStores are generated for the second WebLogic Managed Server, and the Identity and Trust KeyStores are configured on it by following steps 1 to 6 above.

Restart and Verification of WebLogic Managed Servers

After generating and configuring the Identity and Trust stores for each WebLogic Managed Server in the WebLogic Admin Console, restart the WebLogic Managed Servers.

The below messages in the server logs indicate that the certificates are loaded:

<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\identity\Verisign.jks.>

<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\trust\Verisign.jks.>


Access the application URL from the WebLogic Managed Server: https://<ManagedServerIp>:<SSLport>/application_name

Click on the certificate details and verify the certificate information.

Generate Trust CA file for Apache Webserver

For SSL communication between the Apache webserver plug-in and the WebLogic Server, the below parameters need to be added in "httpd.conf":

SecureProxy: set to On

TrustedCAFile: point to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file, follow the below steps.

Import the Identity Stores of each WebLogic Managed Server into a single temporary keystore using keytool:

keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then to PEM format.

Conversion from JKS to PKCS12 format using keytool:

keytool -importkeystore -srckeystore tempkeystore.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl:

openssl pkcs12 -in trust.pkcs -out trust.pem
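The temporary keystore merged above holds the private keys of both Managed Servers, and `openssl pkcs12` without `-nokeys` writes those keys into trust.pem next to the certificates, so the file that gets copied to the Apache machine carries more than the plug-in needs. The script below is an added example and not part of the white paper: it inspects a PEM file for private-key blocks, prints keytool-style SHA1 fingerprints of the certificate blocks (the same format keytool shows under "Certificate fingerprints" in the Sample Keytool Commands section, for comparison), and emits a certificates-only copy. The sample PEM is constructed with placeholder bytes rather than real DER, because only the block framing and fingerprinting are exercised.

```python
import base64
import hashlib
import re

# One PEM block: label (CERTIFICATE, ENCRYPTED PRIVATE KEY, ...) and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def _block(label, payload):
    """Build a PEM block around constructed payload bytes (not real DER)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed sample of what `openssl pkcs12 -in trust.pkcs -out trust.pem` emits
# when the PKCS12 file was built from identity keystores: the private keys come
# out alongside the certificates, so the file is not safe to copy to the web server.
SAMPLE_PEM = (
    "Bag Attributes\n    friendlyName: node1\n"
    + _block("CERTIFICATE", b"constructed DER for node1 certificate")
    + "Bag Attributes\n    friendlyName: node1\n"
    + _block("ENCRYPTED PRIVATE KEY", b"constructed node1 private key bytes")
    + "Bag Attributes\n    friendlyName: node2\n"
    + _block("CERTIFICATE", b"constructed DER for node2 certificate")
    + "Bag Attributes\n    friendlyName: node2\n"
    + _block("ENCRYPTED PRIVATE KEY", b"constructed node2 private key bytes")
)


def pem_blocks(text):
    """Yield (label, decoded_bytes) for each PEM block; 'Bag Attributes' noise is skipped."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group("label"), base64.b64decode("".join(m.group("body").split()))


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA1, the format keytool prints under 'Certificate fingerprints'."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def audit_trusted_ca_file(text):
    """Report what a trusted CA file contains and whether it is safe to hand to Apache."""
    certs, keys = [], []
    for label, data in pem_blocks(text):
        if label == "CERTIFICATE":
            certs.append(sha1_fingerprint(data))
        elif label.endswith("PRIVATE KEY"):
            keys.append(label)
    return {"certificates": certs, "private_keys": keys,
            "safe_to_copy": bool(certs) and not keys}


def certificates_only(text):
    """Return a PEM file with just the CERTIFICATE blocks, i.e. what TrustedCAFile should hold."""
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)
                   if m.group("label") == "CERTIFICATE")


if __name__ == "__main__":
    print(audit_trusted_ca_file(SAMPLE_PEM))
    print(audit_trusted_ca_file(certificates_only(SAMPLE_PEM)))
```

Run it against the real trust.pem before copying the file off the application server; if `private_keys` is not empty, either use `certificates_only` to strip them or rerun the conversion as `openssl pkcs12 -in trust.pkcs -out trust.pem -nokeys` so the keys never leave the machine.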

Apache Webserver Configuration

On the Apache webserver used for clustering WebLogic, make the following changes.

The PEM file generated in the previous step is used as the trusted CA file. Copy the trusted CA file to the Apache webserver machine, and point the 'TrustedCAFile' parameter in the httpd.conf file at it.

In "httpd.conf", add one of the below lines depending on the Apache Webserver version:

LoadModule weblogic_module modules/mod_wl_22.so   (for Apache webserver 2.2.x)

LoadModule weblogic_module modules/mod_wl_20.so   (for Apache webserver 2.0.x)

Next, add the following lines in "httpd.conf":

<IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster IP:SSLPort1,IP:SSLPort2
    MatchExpression
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:\trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
</IfModule>
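Several of the directives in that block trade security for convenience during setup: RequireSSLHostMatch false stops the plug-in comparing the certificate CN against the WebLogicCluster host, EnforceBasicConstraints false relaxes chain checking, and Debug ALL plus DebugConfigInfo ON are troubleshooting aids. The script below is an added example, not from the white paper or from Oracle: it parses the mod_wl block out of an httpd.conf, reports which settings diverge from a production baseline, and applies the clear-cut fixes. The httpd.conf fragment is constructed (placeholder host names and paths) and mirrors the settings above; the recommended values are the module's documented defaults.

```python
import re

# Constructed httpd.conf fragment carrying the same mod_wl settings as the block
# above; host names and file paths are placeholders, not the paper's values.
SAMPLE_HTTPD_CONF = """
LoadModule weblogic_module modules/mod_wl_22.so
<IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster node1.example.internal:7002,node2.example.internal:7002
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:/trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:/wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
</IfModule>
"""

IFMODULE_RE = re.compile(r"<IfModule\s+mod_weblogic\.c>(.*?)</IfModule>", re.S | re.I)


def parse_plugin_block(conf):
    """Return {directive: value} from the mod_wl <IfModule> block; comments and blanks are skipped."""
    m = IFMODULE_RE.search(conf)
    if not m:
        raise ValueError("no <IfModule mod_weblogic.c> block found")
    directives = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def lint_plugin_config(directives):
    """Return (directive, current, recommended, reason) tuples; an empty list means nothing to change."""
    d = {k.lower(): v for k, v in directives.items()}
    findings = []
    if d.get("secureproxy", "").lower() != "on" or d.get("wlproxyssl", "").lower() != "on":
        findings.append(("SecureProxy/WLProxySSL", f"{d.get('secureproxy')}/{d.get('wlproxyssl')}", "On/ON",
                         "traffic from the plug-in to WebLogic would be plaintext"))
    if not d.get("trustedcafile"):
        findings.append(("TrustedCAFile", "", "<path to PEM holding the node certificates>",
                         "without it the plug-in cannot validate the WebLogic certificate"))
    if d.get("requiresslhostmatch", "true").lower() == "false":
        findings.append(("RequireSSLHostMatch", "false", "true",
                         "certificate CN is not compared to the WebLogicCluster host; list the CN's FQDN in WebLogicCluster instead of disabling the check"))
    if d.get("enforcebasicconstraints", "strong").lower() == "false":
        findings.append(("EnforceBasicConstraints", "false", "Strong",
                         "CA basic-constraints check disabled; review, it is only needed while the trusted file holds the self-signed node certificates themselves"))
    if d.get("debug", "off").upper() != "OFF":
        findings.append(("Debug", d["debug"], "OFF",
                         "verbose plug-in logging to WLLogFile; enable only while troubleshooting"))
    if d.get("debugconfiginfo", "off").upper() == "ON":
        findings.append(("DebugConfigInfo", "ON", "OFF",
                         "exposes the plug-in configuration to HTTP clients; turn off in production"))
    for member in filter(None, d.get("weblogiccluster", "").split(",")):
        host, sep, port = member.partition(":")
        if not sep or not port.isdigit():
            findings.append(("WebLogicCluster", member, "host:sslport", "each member must be host:port"))
        elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            findings.append(("WebLogicCluster", member, "fqdn:sslport",
                             "an IP address will not match a certificate whose CN is the FQDN"))
    return findings


def harden(directives):
    """Apply the clear-cut fixes; EnforceBasicConstraints is left for the operator to decide."""
    fixed = dict(directives)
    fixed.update({"RequireSSLHostMatch": "true", "Debug": "OFF", "DebugConfigInfo": "OFF"})
    return fixed


if __name__ == "__main__":
    parsed = parse_plugin_block(SAMPLE_HTTPD_CONF)
    for directive, current, recommended, reason in lint_plugin_config(parsed):
        print(f"{directive}: {current!r} -> {recommended!r} ({reason})")
    print("after harden():", lint_plugin_config(harden(parsed)))
```

The lint deliberately keys the host-match check to the troubleshooting entry about hostnames: when the CN holds the FQDN, the fix is to put that FQDN in WebLogicCluster, not to turn RequireSSLHostMatch off.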

Troubleshooting

Issue 1 (reported at the client):
SSLException: java.security.cert.CertificateException: No name matching "hostname" found
Possible cause: The URL is accessed with a different hostname/IP that is not the one used in the certificate.
Solution: While accessing the application server or webserver URL, the hostname in the URL should be the full CN name that was set while creating the keystore. An IP address should not be used for creating the keystore or for accessing the URLs.

Issue 2 (WebLogic side):
java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect
Possible cause: A wrong keystore password is provided while configuring the 'keystorePass' attribute.
Solution: Check and provide the correct password for the keystore in the 'keystorePass' attribute on the Identity keystore attribute page, or create a new keystore with a new password and reconfigure it.

Issue 3 (WebLogic side):
<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS.>
<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
Possible cause: The Trust Keystore is not generated properly.
Solution: Recreate the Trust Keystore and configure it.

Issue 4 (Webserver side):
INFO: No CA was trusted, validation failed
WARN: DeleteSessionCallback: No match found
ERROR: SSLWrite failed
SEND failed (ret=-1) at 793 of file nsapiURL.cpp
Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURL.cpp
Marking 10.10.10.10:7002 as bad
got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapiURL.cpp] at line 3160
INFO: Closing SSL context
Possible cause: The correct Trusted CA file is not configured on the Webserver.
Solution: Recreate the Trusted CA file and reconfigure the webserver with it.
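The "Restart and Verification" section and the troubleshooting table between them give a small set of log signatures: two BEA notices that mean the identity and trust stores loaded, two BEA warnings that mean trust did not, and the plug-in and client messages that follow from a missing trusted CA file or a hostname/CN mismatch. The script below is an added example, not from the white paper: it classifies server-log, plug-in-log and client lines against those signatures and decides per Managed Server whether SSL startup succeeded. The sample log lines are constructed from the message formats on this page; the node names, paths and the 10.0.0.5 address are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str     # "weblogic", "plugin" or "client"
    code: str
    severity: str   # "ok" or "error"
    cause: str
    action: str
    detail: str = ""


# Server-log codes from the paper's verification and troubleshooting sections.
WEBLOGIC_CODES = {
    "BEA-090171": ("ok", "identity certificate and private key loaded", ""),
    "BEA-090169": ("ok", "trusted certificates loaded", ""),
    "BEA-090164": ("error", "trusted certificates could not be loaded from the Trust KeyStore",
                   "recreate the Trust KeyStore and reconfigure the Managed Server"),
    "BEA-090172": ("error", "no trusted certificates loaded; the server trusts nothing",
                   "recreate the Trust KeyStore and reconfigure the Managed Server"),
}

# Free-text messages from the troubleshooting table: (source, id, pattern, cause, action).
TEXT_RULES = [
    ("weblogic", "keystore-password", re.compile(r"Keystore was tampered with"),
     "wrong Custom Identity/Trust KeyStore passphrase",
     "enter the keystore's -storepass value, or recreate the keystore with a new password"),
    ("plugin", "plugin-no-ca-trusted", re.compile(r"No CA was trusted"),
     "TrustedCAFile does not hold the Managed Server's certificate",
     "recreate the trusted CA file and point TrustedCAFile at it"),
    ("plugin", "plugin-write-error", re.compile(r"WRITE_ERROR_TO_SERVER|SSLWrite failed"),
     "SSL write to the Managed Server failed, normally a consequence of the trust failure",
     "fix the trusted CA file first, then re-test"),
    ("plugin", "plugin-member-bad", re.compile(r"Marking (\S+) as bad"),
     "plug-in took a cluster member out of rotation",
     "restore trust to that member and restart the web server"),
    ("client", "client-hostname-mismatch", re.compile(r"No name matching (\S+) found"),
     "URL host does not match the certificate CN",
     "use the FQDN that was given as CN when the keystore was generated, not the IP"),
]

CODE_RE = re.compile(r"<(BEA-\d{6})>")


def triage_line(line):
    """Map one log line to a Finding, or None when it is not one of the known messages."""
    m = CODE_RE.search(line)
    if m and m.group(1) in WEBLOGIC_CODES:
        severity, cause, action = WEBLOGIC_CODES[m.group(1)]
        return Finding("weblogic", m.group(1), severity, cause, action)
    for source, rule_id, pattern, cause, action in TEXT_RULES:
        m = pattern.search(line)
        if m:
            return Finding(source, rule_id, "error", cause, action, m.group(1) if m.groups() else "")
    return None


def triage(lines):
    return [f for f in map(triage_line, lines) if f is not None]


def ssl_startup_ok(lines):
    """True when both success notices are present and no trust-failure warning is."""
    codes = {f.code for f in triage(lines) if f.source == "weblogic"}
    return {"BEA-090171", "BEA-090169"} <= codes and not ({"BEA-090164", "BEA-090172"} & codes)


# Constructed sample logs built from the message formats shown in the paper.
NODE1_LOG = [
    r"<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias node1 from the JKS keystore file c:\ssl\identity1.jks.>",
    r"<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file c:\ssl\Truststore1.jks.>",
]
NODE2_LOG = [
    r"<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias node2 from the JKS keystore file c:\ssl\identity2.jks.>",
    r"<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS.>",
    r"<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>",
]
PLUGIN_LOG = [
    "INFO: No CA was trusted, validation failed",
    "ERROR: SSLWrite failed",
    "Marking 10.0.0.5:7002 as bad",   # constructed address
]
CLIENT_LOG = [
    "javax.net.ssl.SSLException: java.security.cert.CertificateException: No name matching 10.0.0.5 found",
]

if __name__ == "__main__":
    for name, log in [("node1", NODE1_LOG), ("node2", NODE2_LOG)]:
        print(name, "SSL startup OK" if ssl_startup_ok(log) else "SSL startup FAILED")
    for f in triage(NODE2_LOG + PLUGIN_LOG + CLIENT_LOG):
        if f.severity == "error":
            print(f"[{f.source}] {f.code} {f.detail}: {f.cause} -> {f.action}")
```

Note that node2 in the sample still reports BEA-090171, so its identity store is fine; only the trust side failed, which is exactly the case the table's third entry describes, and the plug-in symptoms in the fourth entry follow from it.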

Sample Keytool Commands

Generate the key in Appserver1 (Identity1.jks) and Appserver2 (Identity2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  AS1Prathimaemcswatemcccsacom (the DNS name of the host machine)
What is the name of your organizational unit?
  [Unknown]:  IIG
What is the name of your organization?
  [Unknown]:  EMC
What is the name of your City or Locality?
  [Unknown]:  BAng
What is the name of your State or Province?
  [Unknown]:  KAr
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
  [no]:  yes
Enter key password for <newclient1>
        (RETURN if same as keystore password):
Re-enter new password:

Generate the certificate in Appserver1 (cert1.cer from alias newclient1) and Appserver2 (cert2.cer from alias newclient2):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
Enter keystore password:
Certificate stored in file <c:\cert1.cer>

Generate the truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
Enter keystore password:
Re-enter new password:
Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Serial number: 51b171f7
Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
Certificate fingerprints:
         MD5:  33:9A:E6:88:77:16:A1:0E:3C:12:81:96:F9:58:FC:5A
         SHA1: CC:84:3B:67:EC:38:5B:33:7D:8B:90:63:74:25:32:15:AE:38:47:27
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore


References

The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.

Installing and Configuring an Oracle WebLogic Application Server for EMC Documentum WDK/Webtop

The following are third-party references:

http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm

http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html


Related documents Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

Enabling Production Mode

Production and Development Modes

WebLogic Managed Servers in domain can be configured to start in one of two modes development or production

Development mode is used while developing applications Development mode uses a relaxed security configuration and enables us to auto-deploy applications In development mode the demonstration digital certificates provided by the WebLogic Server security services can be used The demonstration digital certificates private keys and trusted CA certificates should be used in a development environment only

Production mode when application is running in its final form A production domain uses full security and may use clusters or other advanced features Sun Microsystems keytool utility can be used to generate a private key a self-signed

5 Enabling SSL on Oracle WebLogic Cluster

digital certificate for WebLogic Server and a Certificate Signing Request (CSR) Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server Use keytool to update the self-signed digital certificate with a new digital certificate Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment

In the WebLogic Admin Console navigate to Domain Node

On the Configurations gt General Tab ensure the Production Mode option is true

Generating the Identity KeyStore Identity KeyStore is generated for each WebLogic Managed Servers

Using Keytool Utility an Identity KeyStore of JKS Type is generated

Run the below command to generate Identity KeyStore Provide the machine fully qualified domain name for Common Name

6 Enabling SSL on Oracle WebLogic Cluster

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore

identity1jks -storepass password -keypass password

Generating the Trust KeyStore

Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers

The Certificate file is exported from Identity KeyStore and imported as Trusted CA file in Trust KeyStore Provide the machine fully qualified domain name for Common Name while generating the Trust KeyStore

Exporting the Certificate file from Identity KeyStore keytoolexe -exportcert -alias node1 -file node1certcer -keystore

Identity1jks -storetype JKS

Generating Trust KeyStore of JKS type and importing the certificate as Trusted CA file keytoolexe -importcert -trustcacerts ndashalias node1 -file node1certcer -

keystore Truststore1jks -storetype JKS

Configuring the Identity and Trust KeyStores In the WebLogic Admin Console (eg httpWebLogicServerIP7001console) Under Domain gt Servers - select the Managed server [Managed Node1] to configure the SSL

On the settings for Managed Server ndash navigate to Configuration gt KeyStores tab

For the KeyStores field from the dropdown list select the ldquoCustom Identity and Custom Trustrdquo

Provide the Identity KeyStore and Trust KeyStore details

Identity Custom Identity KeyStore Provide the path and file name of the Identity KeyStore

Custom Identity KeyStore Type JKS

Custom Identity KeyStore Passphrase storepass (Identity KeyStorersquos storepass value)

Trust Custom Trust KeyStore Provide the path and file name of the Trust KeyStore

Custom Trust KeyStore Type JKS

Custom Trust KeyStore Passphrase storepass (Trust KeyStorersquos storepass value)

7 Enabling SSL on Oracle WebLogic Cluster

8 Enabling SSL on Oracle WebLogic Cluster

Configure the Identity KeyStore details In the Admin Console navigate to Configuration gt SSL tab of the Managed Servers

Provide the details for Private Key Alias and Private Key Passphrase These are the values given while generating the Identity KeyStore keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore

csslidentity1jks -storepass password -keypass password

In the above command

Private Key Alias = node1

Private Key PassPhrase = password (keypass value)

NOTE By default SSL enabled on WebLogic managed server is One Way SSL To change to Two Way SSL select the

two way SSL behavior from the ldquoAdvancedrdquo option list

Configure the SSL port on WebLogic Managed Server In the WebLogic Admin Console navigate to Configuration - gt General Tab of Managed Server The SSL port for the WebLogic Managed Server is defined here

9 Enabling SSL on Oracle WebLogic Cluster

Check ldquoSSL listen Port Enablerdquo Provide the SSL Listen port details

Configuring the Second WebLogic Managed Server The Identity and Trust KeyStores are generated for the second WebLogic Managed Server

Configure the Identity and Trust KeyStores Follow the steps 1 to 6

Restart and Verification of WebLogic Managed Servers After generating and configuring the Identity and Trust Stores for each WebLogic Managed Servers in WebLogic Admin Console restart the WebLogic Managed Servers

The below messages in the server logs indicate that the certificates are loaded

ltNoticegt ltSecuritygt ltBEA-090171gt ltLoading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjksgt

ltNoticegt ltSecuritygt ltBEA-090169gt ltLoading trustedcertificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjksgt

10 Enabling SSL on Oracle WebLogic Cluster

Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name

Click on the certificate details and verify the certificate information

Generate Trust CA file for Apache Webserver SSL Communication between the Apache webserver plug-in and the WebLogic Server the below parameters need to be added in ldquohttpdconfldquo

SecureProxy set to On

TrustedCAFile point to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file follow the below steps

Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool Keytool ndashimportkeystore -srckeystore identity1jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Keytool ndashimportkeystore -srckeystore identity2jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then PEM format

Conversion from JKS to PKCS12 format using keytool keytool -importkeystore -srckeystore keystore3jks -destkeystore

trustpkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl openssl pkcs12 -in trustpkcs -out trustpem

Apache Webserver Configuration On the Apache webserver used for clustering WebLogic do the following changes

The PEM file generated in the previous step is used as trusted CA file

Copy the trusted CA file to the Apache webserver machine

For the parameter lsquoTrustedCAFilersquo in httpdconf file point the trusted CA file

In ldquohttpdconfrdquo file add one of the below lines depending on Apache Webserver Version LoadModule WebLogic_module modulesmod_wl_22so (for apache webserver

22x)

11 Enabling SSL on Oracle WebLogic Cluster

LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver

20xx)

Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt

SetHandler WebLogic-handler

WebLogicCluster IPSSLPort1 IPSSLPort2

MatchExpression

SecureProxy On

WLProxySSL ON

RequireSSLHostMatch false

TrustedCAFile ctrustpem

EnforceBasicConstraints false

DEBUG

WLLogFile Cwlproxylog

Debug ALL

DebugConfigInfo ON

ConnectTimeoutSecs 600

ltIfModulegt

Troubleshooting

Sl No

Issues Possible Cause Solution

1

From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found

Accessing the URL with different hostnameIP which is not used in specific certificate

While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore

IP should not be used for creating the keystore or accessing the URLs

2

From WebLogic Side javaioFileNotFoundException Keystore was tampered with or

Wrong keystore password is provided while configuring for lsquokeystorePassrsquo

Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore

12 Enabling SSL on Oracle WebLogic Cluster

password was incorrect

attribute page

Or

User can create a new keystore with new password and reconfigure the same

3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load

trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo

Trustjks of type JKSgt

ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert

ificates have been loaded Server will not trust to any certificate it receives

gt

Trust Keystore is not generate properly

Recreate the Trust Keystore and configure

4

From Webserver Side

INFO No CA was trusted validation failed

WARN DeleteSessionCallback No match found

ERROR SSLWrite failed

SEND failed (ret=-1) at 793 of file nsapiURLcpp

Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp

Correct Trusted CA file is not configured on Webserver

Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file

13 Enabling SSL on Oracle WebLogic Cluster

Marking 101010107002 as bad

got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160

INFO Closing SSL context

Sample Keytool Commands

Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks

Enter keystore password

Re-enter new password

What is your first and last name

[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)

What is the name of your organizational unit

[Unknown] IIG

What is the name of your organization

[Unknown] EMC

What is the name of your City or Locality

[Unknown] BAng

What is the name of your State or Province

[Unknown] KAr

What is the two-letter country code for this unit

[Unknown] IN

Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre

ct

[no] yes

Enter key password for ltnewclient1gt

14 Enabling SSL on Oracle WebLogic Cluster

(RETURN if same as keystore password)

Re-enter new password

Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)

COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS

Enter keystore password

Certificate stored in file ltccert1cergt

Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias

newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS

Enter keystore password

Re-enter new password

Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Serial number 51b171f7

Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013

Certificate fingerprints

MD5 339AE6887716A10E3C128196F958FC5A

SHA1 CC843B67EC385B337D8B906374253215AE384727

Signature algorithm name SHA1withRSA

Version 3

Trust this certificate [no] yes

Certificate was added to keystore

15 Enabling SSL on Oracle WebLogic Cluster

References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative

Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

The following are third-party references

httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml

httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm

httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml

  • Introduction
    • Audience
    • Related documents
      • Enabling Production Mode
        • Production and Development Modes
          • Generating the Identity KeyStore
          • Generating the Trust KeyStore
          • Configuring the Identity and Trust KeyStores
            • Identity
            • Trust
              • Configure the Identity KeyStore details
              • Configure the SSL port on WebLogic Managed Server
              • Configuring the Second WebLogic Managed Server
              • Restart and Verification of WebLogic Managed Servers
              • Generate Trust CA file for Apache Webserver
              • Apache Webserver Configuration
              • Troubleshooting
              • Sample Keytool Commands
              • References
Page 4: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

4 Enabling SSL on Oracle WebLogic Cluster

Introduction This white paper discusses the steps to enable SSL with self-signed certificates on an Oracle WebLogic application server in a clustered Environment Enable one way SSL communication between the WebLogic Managed Server and Apache Webserver The procedure for generating self-signed certificate and configuring the certificate to the WebLogic Server involves the following steps

1 Enabling Production Mode

2 Generating the Identity KeyStore

3 Generating the Trust KeyStore

4 Configuring the Identity and Trust KeyStores

5 Configure the Identity KeyStore details

6 Configure the SSL port on WebLogic Managed Server

7 Configure the second WebLogic Managed Server

8 Restart and Verification of WebLogic Managed Servers

9 Generate Trust CA file for Apache Webserver

10 Apache Webserver Configuration

Audience

This white paper is intended for testers who want to understand the process of generating self-signed certificates and configuring SSL an Oracle WebLogic application server in a clustered environment

Related documents Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

Enabling Production Mode

Production and Development Modes

WebLogic Managed Servers in domain can be configured to start in one of two modes development or production

Development mode is used while developing applications Development mode uses a relaxed security configuration and enables us to auto-deploy applications In development mode the demonstration digital certificates provided by the WebLogic Server security services can be used The demonstration digital certificates private keys and trusted CA certificates should be used in a development environment only

Production mode when application is running in its final form A production domain uses full security and may use clusters or other advanced features Sun Microsystems keytool utility can be used to generate a private key a self-signed

5 Enabling SSL on Oracle WebLogic Cluster

digital certificate for WebLogic Server and a Certificate Signing Request (CSR) Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server Use keytool to update the self-signed digital certificate with a new digital certificate Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment

In the WebLogic Admin Console navigate to Domain Node

On the Configurations gt General Tab ensure the Production Mode option is true

Generating the Identity KeyStore Identity KeyStore is generated for each WebLogic Managed Servers

Using Keytool Utility an Identity KeyStore of JKS Type is generated

Run the below command to generate Identity KeyStore Provide the machine fully qualified domain name for Common Name

6 Enabling SSL on Oracle WebLogic Cluster

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore

identity1jks -storepass password -keypass password

Generating the Trust KeyStore

Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers

The Certificate file is exported from Identity KeyStore and imported as Trusted CA file in Trust KeyStore Provide the machine fully qualified domain name for Common Name while generating the Trust KeyStore

Exporting the Certificate file from Identity KeyStore keytoolexe -exportcert -alias node1 -file node1certcer -keystore

Identity1jks -storetype JKS

Generating Trust KeyStore of JKS type and importing the certificate as Trusted CA file keytoolexe -importcert -trustcacerts ndashalias node1 -file node1certcer -

keystore Truststore1jks -storetype JKS

Configuring the Identity and Trust KeyStores In the WebLogic Admin Console (eg httpWebLogicServerIP7001console) Under Domain gt Servers - select the Managed server [Managed Node1] to configure the SSL

On the settings for Managed Server ndash navigate to Configuration gt KeyStores tab

For the KeyStores field from the dropdown list select the ldquoCustom Identity and Custom Trustrdquo

Provide the Identity KeyStore and Trust KeyStore details

Identity Custom Identity KeyStore Provide the path and file name of the Identity KeyStore

Custom Identity KeyStore Type JKS

Custom Identity KeyStore Passphrase storepass (Identity KeyStorersquos storepass value)

Trust Custom Trust KeyStore Provide the path and file name of the Trust KeyStore

Custom Trust KeyStore Type JKS

Custom Trust KeyStore Passphrase storepass (Trust KeyStorersquos storepass value)

7 Enabling SSL on Oracle WebLogic Cluster

8 Enabling SSL on Oracle WebLogic Cluster

Configure the Identity KeyStore details In the Admin Console navigate to Configuration gt SSL tab of the Managed Servers

Provide the details for Private Key Alias and Private Key Passphrase These are the values given while generating the Identity KeyStore keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore

csslidentity1jks -storepass password -keypass password

In the above command

Private Key Alias = node1

Private Key PassPhrase = password (keypass value)

NOTE By default SSL enabled on WebLogic managed server is One Way SSL To change to Two Way SSL select the

two way SSL behavior from the ldquoAdvancedrdquo option list

Configure the SSL port on WebLogic Managed Server In the WebLogic Admin Console navigate to Configuration - gt General Tab of Managed Server The SSL port for the WebLogic Managed Server is defined here

9 Enabling SSL on Oracle WebLogic Cluster

Check ldquoSSL listen Port Enablerdquo Provide the SSL Listen port details

Configuring the Second WebLogic Managed Server The Identity and Trust KeyStores are generated for the second WebLogic Managed Server

Configure the Identity and Trust KeyStores Follow the steps 1 to 6

Restart and Verification of WebLogic Managed Servers After generating and configuring the Identity and Trust Stores for each WebLogic Managed Servers in WebLogic Admin Console restart the WebLogic Managed Servers

The below messages in the server logs indicate that the certificates are loaded

ltNoticegt ltSecuritygt ltBEA-090171gt ltLoading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjksgt

ltNoticegt ltSecuritygt ltBEA-090169gt ltLoading trustedcertificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjksgt

10 Enabling SSL on Oracle WebLogic Cluster

Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name

Click on the certificate details and verify the certificate information

Generate Trust CA file for Apache Webserver SSL Communication between the Apache webserver plug-in and the WebLogic Server the below parameters need to be added in ldquohttpdconfldquo

SecureProxy set to On

TrustedCAFile point to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file follow the below steps

Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool Keytool ndashimportkeystore -srckeystore identity1jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Keytool ndashimportkeystore -srckeystore identity2jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then PEM format

Conversion from JKS to PKCS12 format using keytool keytool -importkeystore -srckeystore keystore3jks -destkeystore

trustpkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl openssl pkcs12 -in trustpkcs -out trustpem

Apache Webserver Configuration On the Apache webserver used for clustering WebLogic do the following changes

The PEM file generated in the previous step is used as trusted CA file

Copy the trusted CA file to the Apache webserver machine

For the parameter lsquoTrustedCAFilersquo in httpdconf file point the trusted CA file

In ldquohttpdconfrdquo file add one of the below lines depending on Apache Webserver Version LoadModule WebLogic_module modulesmod_wl_22so (for apache webserver

22x)

11 Enabling SSL on Oracle WebLogic Cluster

LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver

20xx)

Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt

SetHandler WebLogic-handler

WebLogicCluster IPSSLPort1 IPSSLPort2

MatchExpression

SecureProxy On

WLProxySSL ON

RequireSSLHostMatch false

TrustedCAFile ctrustpem

EnforceBasicConstraints false

DEBUG

WLLogFile Cwlproxylog

Debug ALL

DebugConfigInfo ON

ConnectTimeoutSecs 600

ltIfModulegt

Troubleshooting

Sl No

Issues Possible Cause Solution

1

From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found

Accessing the URL with different hostnameIP which is not used in specific certificate

While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore

IP should not be used for creating the keystore or accessing the URLs

2

From WebLogic Side javaioFileNotFoundException Keystore was tampered with or

Wrong keystore password is provided while configuring for lsquokeystorePassrsquo

Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore

12 Enabling SSL on Oracle WebLogic Cluster

password was incorrect

attribute page

Or

User can create a new keystore with new password and reconfigure the same

3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load

trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo

Trustjks of type JKSgt

ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert

ificates have been loaded Server will not trust to any certificate it receives

gt

Trust Keystore is not generate properly

Recreate the Trust Keystore and configure

4

From Webserver Side

INFO No CA was trusted validation failed

WARN DeleteSessionCallback No match found

ERROR SSLWrite failed

SEND failed (ret=-1) at 793 of file nsapiURLcpp

Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp

Correct Trusted CA file is not configured on Webserver

Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file

13 Enabling SSL on Oracle WebLogic Cluster

Marking 101010107002 as bad

got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160

INFO Closing SSL context

Sample Keytool Commands

Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks

Enter keystore password

Re-enter new password

What is your first and last name

[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)

What is the name of your organizational unit

[Unknown] IIG

What is the name of your organization

[Unknown] EMC

What is the name of your City or Locality

[Unknown] BAng

What is the name of your State or Province

[Unknown] KAr

What is the two-letter country code for this unit

[Unknown] IN

Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre

ct

[no] yes

Enter key password for ltnewclient1gt

14 Enabling SSL on Oracle WebLogic Cluster

(RETURN if same as keystore password)

Re-enter new password

Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)

COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS

Enter keystore password

Certificate stored in file ltccert1cergt

Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias

newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS

Enter keystore password

Re-enter new password

Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Serial number 51b171f7

Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013

Certificate fingerprints

MD5 339AE6887716A10E3C128196F958FC5A

SHA1 CC843B67EC385B337D8B906374253215AE384727

Signature algorithm name SHA1withRSA

Version 3

Trust this certificate [no] yes

Certificate was added to keystore

15 Enabling SSL on Oracle WebLogic Cluster

References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative

Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

The following are third-party references

httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml

httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm

httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml

  • Introduction
    • Audience
    • Related documents
      • Enabling Production Mode
        • Production and Development Modes
          • Generating the Identity KeyStore
          • Generating the Trust KeyStore
          • Configuring the Identity and Trust KeyStores
            • Identity
            • Trust
              • Configure the Identity KeyStore details
              • Configure the SSL port on WebLogic Managed Server
              • Configuring the Second WebLogic Managed Server
              • Restart and Verification of WebLogic Managed Servers
              • Generate Trust CA file for Apache Webserver
              • Apache Webserver Configuration
              • Troubleshooting
              • Sample Keytool Commands
              • References
Page 5: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

5 Enabling SSL on Oracle WebLogic Cluster

digital certificate for WebLogic Server and a Certificate Signing Request (CSR) Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server Use keytool to update the self-signed digital certificate with a new digital certificate Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment

In the WebLogic Admin Console navigate to Domain Node

On the Configurations gt General Tab ensure the Production Mode option is true

Generating the Identity KeyStore Identity KeyStore is generated for each WebLogic Managed Servers

Using Keytool Utility an Identity KeyStore of JKS Type is generated

Run the below command to generate Identity KeyStore Provide the machine fully qualified domain name for Common Name

6 Enabling SSL on Oracle WebLogic Cluster

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore

identity1jks -storepass password -keypass password

Generating the Trust KeyStore

Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers

The Certificate file is exported from Identity KeyStore and imported as Trusted CA file in Trust KeyStore Provide the machine fully qualified domain name for Common Name while generating the Trust KeyStore

Exporting the Certificate file from Identity KeyStore keytoolexe -exportcert -alias node1 -file node1certcer -keystore

Identity1jks -storetype JKS

Generating Trust KeyStore of JKS type and importing the certificate as Trusted CA file keytoolexe -importcert -trustcacerts ndashalias node1 -file node1certcer -

keystore Truststore1jks -storetype JKS

Configuring the Identity and Trust KeyStores

In the WebLogic Admin Console (e.g. http://<WebLogicServerIP>:7001/console), under Domain > Servers, select the Managed Server [Managed Node1] to configure SSL.

On the Settings page for the Managed Server, navigate to the Configuration > Keystores tab.

For the Keystores field, select "Custom Identity and Custom Trust" from the drop-down list.

Provide the Identity KeyStore and Trust KeyStore details:

Identity

Custom Identity KeyStore: the path and file name of the Identity KeyStore

Custom Identity KeyStore Type: JKS

Custom Identity KeyStore Passphrase: storepass (the Identity KeyStore's storepass value)

Trust

Custom Trust KeyStore: the path and file name of the Trust KeyStore

Custom Trust KeyStore Type: JKS

Custom Trust KeyStore Passphrase: storepass (the Trust KeyStore's storepass value)

Configure the Identity KeyStore details

In the Admin Console, navigate to the Configuration > SSL tab of the Managed Server.

Provide the Private Key Alias and Private Key Passphrase. These are the values given while generating the Identity KeyStore:

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore c:\ssl\identity1.jks -storepass password -keypass password

In the above command:

Private Key Alias = node1

Private Key Passphrase = password (the keypass value)

NOTE: By default, SSL enabled on a WebLogic Managed Server is one-way SSL. To change to two-way SSL, select the two-way SSL behavior from the "Advanced" option list.

Configure the SSL port on WebLogic Managed Server

In the WebLogic Admin Console, navigate to the Configuration > General tab of the Managed Server. The SSL port for the WebLogic Managed Server is defined here.

Check "SSL Listen Port Enabled" and provide the SSL Listen Port.

Configuring the Second WebLogic Managed Server

The Identity and Trust KeyStores are generated for the second WebLogic Managed Server.

Configure the Identity and Trust KeyStores: follow steps 1 to 6.

Restart and Verification of WebLogic Managed Servers

After generating and configuring the Identity and Trust KeyStores for each WebLogic Managed Server in the WebLogic Admin Console, restart the WebLogic Managed Servers.

The following messages in the server logs indicate that the certificates are loaded:

<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\identity\Verisign.jks.>

<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\trust\Verisign.jks.>

Access the application URL on the WebLogic Managed Server: https://<ManagedServerIp>:<SSLport>/application_name

Click on the certificate details and verify the certificate information.

Generate Trust CA file for Apache Webserver

For SSL communication between the Apache webserver plug-in and the WebLogic Server, the following parameters need to be added in "httpd.conf":

SecureProxy: set to On

TrustedCAFile: points to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file, follow the steps below:

Import the Identity Stores of each WebLogic Managed Server into a single temporary keystore using keytool:

keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then to PEM format.

Conversion from JKS to PKCS12 format using keytool:

keytool -importkeystore -srckeystore tempkeystore.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl:

openssl pkcs12 -in trust.pkcs -out trust.pem
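Because trust.pkcs was built from the identity keystores, the openssl conversion above writes the managed servers' private keys into trust.pem alongside the certificates (plus openssl's "Bag Attributes" headers) unless -nokeys is given. The following Python check is an added example, not part of the white paper: it audits a candidate TrustedCAFile before it is copied to the Apache host and rebuilds a certificates-only copy; the sample bundle and the function names are constructed here, with placeholder blocks rather than real certificates.

```python
import base64
import re
from typing import Dict, List, Tuple

# One PEM block: the label (CERTIFICATE, PRIVATE KEY, ...) and its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Block labels that must never reach the web server inside a TrustedCAFile.
PRIVATE_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY")


def parse_pem_blocks(pem_text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block. Text outside the
    BEGIN/END markers (openssl pkcs12 writes 'Bag Attributes' there) is ignored."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem_text):
        body = "".join(m.group("body").split())
        blocks.append((m.group("label"), base64.b64decode(body, validate=True)))
    return blocks


def audit_trusted_ca_file(pem_text: str) -> Dict[str, object]:
    """Summarise a candidate TrustedCAFile: how many certificates it holds,
    whether any private key leaked into it, and whether every block at least
    starts with an ASN.1 SEQUENCE tag (0x30) as DER certificates and keys do."""
    certificates = private_keys = 0
    malformed: List[str] = []
    for label, der in parse_pem_blocks(pem_text):
        if not der or der[0] != 0x30:
            malformed.append(label)
        if label == "CERTIFICATE":
            certificates += 1
        elif label in PRIVATE_LABELS:
            private_keys += 1
    return {
        "certificates": certificates,
        "private_keys": private_keys,
        "malformed": malformed,
        # A trust file is usable only if it has certs, no keys and nothing garbled.
        "safe": certificates > 0 and private_keys == 0 and not malformed,
    }


def certificates_only(pem_text: str) -> str:
    """Rewrite the bundle keeping only CERTIFICATE blocks (re-wrapped at 64
    columns), dropping keys and Bag Attributes. Same effect as re-running the
    conversion with 'openssl pkcs12 -nokeys'."""
    out = []
    for label, der in parse_pem_blocks(pem_text):
        if label != "CERTIFICATE":
            continue
        b64 = base64.b64encode(der).decode("ascii")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----")
    return "\n".join(out) + ("\n" if out else "")


def _placeholder_block(label: str, fill: int) -> str:
    """Constructed placeholder block: valid base64 of a DER-like SEQUENCE header
    followed by filler bytes. NOT a real certificate or key."""
    der = bytes([0x30, 0x82, 0x00, 0x10]) + bytes([fill]) * 16
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode('ascii')}\n-----END {label}-----\n"


# Constructed sample of what 'openssl pkcs12 -in trust.pkcs -out trust.pem'
# produces for two managed-server identities: certs AND keys, with Bag Attributes.
SAMPLE_TRUST_PEM = (
    "Bag Attributes\n    friendlyName: node1\n    localKeyID: 00 01 02 03\n"
    + _placeholder_block("CERTIFICATE", 0x11)
    + "Bag Attributes\n    friendlyName: node1\n"
    + _placeholder_block("PRIVATE KEY", 0x22)
    + "Bag Attributes\n    friendlyName: node2\n"
    + _placeholder_block("CERTIFICATE", 0x33)
    + _placeholder_block("PRIVATE KEY", 0x44)
)

if __name__ == "__main__":
    report = audit_trusted_ca_file(SAMPLE_TRUST_PEM)
    print("as converted:", report)
    if not report["safe"]:
        cleaned = certificates_only(SAMPLE_TRUST_PEM)
        print("certificates only:", audit_trusted_ca_file(cleaned))
```

The audit checks structure only; it does not validate the certificates themselves, so still confirm the cleaned file holds one certificate per managed server.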

Apache Webserver Configuration

On the Apache webserver used for clustering WebLogic, make the following changes:

The PEM file generated in the previous step is used as the trusted CA file.

Copy the trusted CA file to the Apache webserver machine.

Point the 'TrustedCAFile' parameter in the httpd.conf file at the trusted CA file.

In the "httpd.conf" file, add one of the lines below, depending on the Apache webserver version:

LoadModule weblogic_module modules/mod_wl_22.so (for Apache webserver 2.2.x)

LoadModule weblogic_module modules/mod_wl_20.so (for Apache webserver 2.0.x)

Next, add the following lines in "httpd.conf":

<IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster IP:SSLPort1,IP:SSLPort2
    MatchExpression
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:\trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
</IfModule>

Troubleshooting

Sl No. | Issue | Possible Cause | Solution

1

Issue: From client: SSLException: java.security.cert.CertificateException: No name "hostname" matching found

Possible Cause: Accessing the URL with a different hostname/IP that is not used in the specific certificate.

Solution: While accessing the Application server / Webserver URL, the hostname should be used in the URL as the full CN name; that same CN has been set while creating the keystore. An IP should not be used for creating the keystore or for accessing the URLs.

2

Issue: From WebLogic side: java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect

Possible Cause: A wrong keystore password is provided while configuring 'keystorePass'.

Solution: Check and provide the correct password for the keystore as the 'keystorePass' attribute on the Identity keystore attribute page. Or, the user can create a new keystore with a new password and reconfigure the same.

3

Issue: From WebLogic side:
<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS>
<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>

Possible Cause: The Trust Keystore is not generated properly.

Solution: Recreate the Trust Keystore and configure it.

4

Issue: From Webserver side:
INFO: No CA was trusted, validation failed
WARN: DeleteSessionCallback: No match found
ERROR: SSLWrite failed
SEND failed (ret=-1) at 793 of file nsapiURL.cpp
Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURL.cpp
Marking 10.10.10.10:7002 as bad
got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapiURL.cpp] at line 3160
INFO: Closing SSL context

Possible Cause: The correct Trusted CA file is not configured on the Webserver.

Solution: Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file.

Sample Keytool Commands

Generate Key in Appserver1 (Identity1.jks) and Appserver2 (identity2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  AS1Prathimaemcswatemcccsacom   (the DNS name of the host machine)
What is the name of your organizational unit?
  [Unknown]:  IIG
What is the name of your organization?
  [Unknown]:  EMC
What is the name of your City or Locality?
  [Unknown]:  BAng
What is the name of your State or Province?
  [Unknown]:  KAr
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
  [no]:  yes
Enter key password for <newclient1>
        (RETURN if same as keystore password):
Re-enter new password:

Generate Certificate in Appserver1 (cert1.cer from alias newclient1) and Appserver2 (cert2.cer from alias newclient2):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
Enter keystore password:
Certificate stored in file <c:\cert1.cer>

Generate Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
Enter keystore password:
Re-enter new password:
Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Serial number: 51b171f7
Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
Certificate fingerprints:
         MD5:  33:9A:E6:88:77:16:A1:0E:3C:12:81:96:F9:58:FC:5A
         SHA1: CC:84:3B:67:EC:38:5B:33:7D:8B:90:63:74:25:32:15:AE:38:47:27
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

References

The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.

Installing and Configuring an Oracle WebLogic Application Server for EMC Documentum WDK/Webtop

The following are third-party references:

http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm

http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html

Page 8: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

8 Enabling SSL on Oracle WebLogic Cluster

Configure the Identity KeyStore details

In the Admin Console, navigate to the Configuration > SSL tab of the Managed Server.

Provide the details for Private Key Alias and Private Key Passphrase. These are the values given while generating the Identity KeyStore:

keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore c:\ssl\identity1.jks -storepass password -keypass password

In the above command:

Private Key Alias = node1

Private Key PassPhrase = password (the -keypass value)

NOTE: By default, SSL enabled on a WebLogic managed server is One-Way SSL. To change to Two-Way SSL, select the two-way SSL behavior from the "Advanced" option list.

Configure the SSL port on WebLogic Managed Server

In the WebLogic Admin Console, navigate to the Configuration > General tab of the Managed Server. The SSL port for the WebLogic Managed Server is defined here.

Check "SSL Listen Port Enabled" and provide the SSL Listen Port details.

Configuring the Second WebLogic Managed Server

The Identity and Trust KeyStores are generated for the second WebLogic Managed Server in the same way.

Configure the Identity and Trust KeyStores: follow steps 1 to 6.

Restart and Verification of WebLogic Managed Servers

After generating and configuring the Identity and Trust Stores for each WebLogic Managed Server in the WebLogic Admin Console, restart the WebLogic Managed Servers.

The messages below in the server logs indicate that the certificates are loaded:

<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\identity\Verisign.jks.>

<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\trust\Verisign.jks.>

Access the application URL on the WebLogic Managed Server: https://<ManagedServerIp>:<SSLport>/<application_name>

Click on the certificate details and verify the certificate information.

Generate Trust CA file for Apache Webserver

For SSL communication between the Apache webserver plug-in and the WebLogic Server, the parameters below need to be added in "httpd.conf":

SecureProxy: set to On.

TrustedCAFile: points to the file that contains the digital certificates of the trusted certificate authorities.

To generate the Trusted CA file, follow the steps below.

1. Import the Identity Stores of each WebLogic Managed Server into a single temporary keystore using keytool:

keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

2. Convert the JKS format temporary keystore to PKCS12 and then to PEM format.

Conversion from JKS to PKCS12 format using keytool:

keytool -importkeystore -srckeystore keystore3.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl:

openssl pkcs12 -in trust.pkcs -out trust.pem

NOTE: -importkeystore copies the private keys of the identity stores into the temporary keystore, so the PEM written by openssl pkcs12 also contains those keys unless -nokeys is given. Only the certificates are needed in the trusted CA file, and the file is copied to the Apache host, so export it with -nokeys.

Apache Webserver Configuration

On the Apache webserver used for clustering WebLogic, make the following changes.

The PEM file generated in the previous step is used as the trusted CA file.

Copy the trusted CA file to the Apache webserver machine.

Point the 'TrustedCAFile' parameter in the httpd.conf file at the trusted CA file.

In the "httpd.conf" file, add one of the lines below depending on the Apache Webserver version:

LoadModule weblogic_module modules/mod_wl_22.so (for Apache webserver 2.2.x)

LoadModule weblogic_module modules/mod_wl_20.so (for Apache webserver 2.0.x)

Next, add the following lines in "httpd.conf":

<IfModule mod_weblogic.c>
  SetHandler weblogic-handler
  WebLogicCluster IP:SSLPort1,IP:SSLPort2
  MatchExpression
  SecureProxy On
  WLProxySSL ON
  RequireSSLHostMatch false
  TrustedCAFile c:\trust.pem
  EnforceBasicConstraints false
  # DEBUG
  WLLogFile C:\wlproxy.log
  Debug ALL
  DebugConfigInfo ON
  ConnectTimeoutSecs 600
</IfModule>
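The fragment above mixes the directives SSL to the cluster needs (SecureProxy, TrustedCAFile, WebLogicCluster) with settings that weaken certificate validation or log request data (RequireSSLHostMatch false, EnforceBasicConstraints false, Debug ALL). The checker below is an added example, not part of the paper or of the plug-in; it parses a mod_wl block, reports the missing and weakening directives, and applies troubleshooting item 1 (cluster members by certificate hostname, not IP). Both fragments are constructed, and the wls1/wls2.example.internal hostnames and 10.0.0.x addresses are placeholders.

```python
"""Lint the <IfModule mod_weblogic.c> block for the SSL directives the paper adds.
Added example, not from the paper; the fragments below are constructed."""
import re
from typing import Dict, List, Tuple

IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
BLOCK_OPEN_RE = re.compile(r"^<IfModule\s+mod_weblogic\.c>$", re.IGNORECASE)


def parse_plugin_block(text: str) -> Dict[str, str]:
    """Collect directives inside <IfModule mod_weblogic.c> ... </IfModule>.
    Keys are lower-cased; '#' comments, blank lines and lines outside the block are skipped."""
    directives: Dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if BLOCK_OPEN_RE.match(line):
            inside = True
        elif line.lower() == "</ifmodule>":
            inside = False
        elif inside:
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def lint_plugin_block(d: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directive, finding) pairs: what the paper requires but is missing,
    plus settings that weaken certificate validation or leak request data."""
    findings: List[Tuple[str, str]] = []
    if d.get("secureproxy", "").lower() != "on":
        findings.append(("SecureProxy", "must be On for SSL between the plug-in and WebLogic"))
    if not d.get("trustedcafile"):
        findings.append(("TrustedCAFile", "missing: point it at the PEM built from the identity stores"))
    cluster = d.get("weblogiccluster", "")
    if not cluster:
        findings.append(("WebLogicCluster", "missing: list every managed server as host:SSLport"))
    for member in filter(None, (m.strip() for m in cluster.split(","))):
        if IP_PORT_RE.match(member):
            findings.append(("WebLogicCluster",
                             f"{member}: use the hostname that is the certificate CN, not an IP (item 1)"))
        elif ":" not in member:
            findings.append(("WebLogicCluster", f"{member}: no port given"))
    # Plug-in default is true; false skips matching the server certificate to the host.
    if d.get("requiresslhostmatch", "true").lower() == "false":
        findings.append(("RequireSSLHostMatch",
                         "false skips matching the WebLogic certificate against the cluster hostname"))
    if d.get("enforcebasicconstraints", "").lower() == "false":
        findings.append(("EnforceBasicConstraints",
                         "false disables the CA basic-constraints check; needed only while the "
                         "trust file holds self-signed server certificates"))
    if d.get("debug", "").upper() == "ALL":
        findings.append(("Debug", "ALL logs headers and bodies of every proxied request to WLLogFile; "
                                  "not for production"))
    if "matchexpression" in d and not d["matchexpression"]:
        findings.append(("MatchExpression", "has no pattern, so no request is proxied"))
    return findings


# Constructed fragments: the first mirrors the paper's settings, the second is the same
# block with placeholder hostnames and the host-match and debug weakenings removed.
PAPER_STYLE = r"""
LoadModule weblogic_module modules/mod_wl_22.so
<IfModule mod_weblogic.c>
  SetHandler weblogic-handler
  WebLogicCluster 10.0.0.11:7002,10.0.0.12:7002
  MatchExpression *.jsp
  SecureProxy On
  WLProxySSL ON
  RequireSSLHostMatch false
  TrustedCAFile c:\trust.pem
  EnforceBasicConstraints false
  # DEBUG
  WLLogFile C:\wlproxy.log
  Debug ALL
  DebugConfigInfo ON
  ConnectTimeoutSecs 600
</IfModule>
"""
HARDENED = r"""
<IfModule mod_weblogic.c>
  SetHandler weblogic-handler
  WebLogicCluster wls1.example.internal:7002,wls2.example.internal:7002
  MatchExpression *.jsp
  SecureProxy On
  WLProxySSL ON
  RequireSSLHostMatch true
  TrustedCAFile c:\trust.pem
  EnforceBasicConstraints false
  Debug OFF
  ConnectTimeoutSecs 600
</IfModule>
"""

if __name__ == "__main__":
    for label, text in (("paper-style", PAPER_STYLE), ("hardened", HARDENED)):
        print(label)
        for directive, finding in lint_plugin_block(parse_plugin_block(text)):
            print(f"  {directive}: {finding}")
```

The hardened block still reports EnforceBasicConstraints, because self-signed server certificates produced by keytool carry no CA basic constraints; that finding goes away once the trust file holds CA-issued certificates.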

Troubleshooting

1. Issue (from the client): SSLException: java.security.cert.CertificateException: No name "hostname" matching found
   Possible cause: Accessing the URL with a different hostname/IP that is not used in the certificate.
   Solution: While accessing the application server or webserver URL, the hostname should be used as the full CN name in the URL, the same CN that was set while creating the keystore. An IP should not be used for creating the keystore or for accessing the URLs.

2. Issue (from the WebLogic side): java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect
   Possible cause: The wrong keystore password is provided while configuring 'keystorePass'.
   Solution: Check and provide the correct password for the keystore as the 'keystorePass' attribute in the Identity keystore attribute page. Or: create a new keystore with a new password and reconfigure it.

3. Issue (from the WebLogic side):
   <Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS.>
   <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
   Possible cause: The Trust Keystore is not generated properly.
   Solution: Recreate the Trust Keystore and configure it.

4. Issue (from the webserver side):
   INFO: No CA was trusted, validation failed
   WARN: DeleteSessionCallback: No match found
   ERROR: SSLWrite failed
   SEND failed (ret=-1) at 793 of file nsapiURL.cpp
   Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURL.cpp
   Marking 101010107002 as bad
   got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapiURL.cpp] at line 3160
   INFO: Closing SSL context
   Possible cause: The correct Trusted CA file is not configured on the webserver.
   Solution: Recreate the Trusted CA file and reconfigure the webserver with it.
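The restart check in "Restart and Verification of WebLogic Managed Servers" and items 2 and 3 of the table above both come down to which BEA messages the managed server logs at startup. The checker below is an added example, not code from the paper or from WebLogic: it parses the abbreviated console record format quoted on this page, confirms that BEA-090171 and BEA-090169 name the custom JKS stores, and maps BEA-090164 / BEA-090172 and a fallback to the Demo stores to the fixes in the table. The log lines and keystore paths below are constructed.

```python
"""Check a WebLogic managed server log for the identity/trust keystore messages.
Added example, not from the paper; the sample log records are constructed."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Abbreviated console record as quoted on this page:
#   <Severity> <Subsystem> <BEA-nnnnnn> <message>
# The full server-log form (####<timestamp> <Severity> ... <BEA-nnnnnn> <message>)
# is accepted too, since only the severity, the code and the message are used.
SEVERITY_RE = re.compile(r"^(?:####<[^>]*>\s*)?<(\w+)>")
CODE_RE = re.compile(r"<(BEA-\d{6})>\s*<(.*)>\s*$")
IDENTITY_RE = re.compile(r"under the alias (\S+) from the JKS keystore file (.+?)\.?$")
TRUST_RE = re.compile(r"from the JKS keystore file (.+?)\.?$")
FAILED_RE = re.compile(r"from keystore (.+?) of type")

# Message codes quoted in the verification and troubleshooting sections.
IDENTITY_LOADED = "BEA-090171"
TRUST_LOADED = "BEA-090169"
TRUST_LOAD_FAILED = "BEA-090164"
NO_TRUSTED_CERTS = "BEA-090172"


@dataclass
class KeystoreStatus:
    identity_alias: Optional[str] = None
    identity_file: Optional[str] = None
    trust_files: List[str] = field(default_factory=list)
    problems: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_record(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (severity, code, message) for one WebLogic log record, else None."""
    sev = SEVERITY_RE.match(line)
    code = CODE_RE.search(line)
    if not sev or not code:
        return None
    return sev.group(1), code.group(1), code.group(2)


def check_server_log(lines: Iterable[str]) -> KeystoreStatus:
    """Decide from one managed server's log whether SSL identity and trust were
    loaded from the custom JKS stores, attaching the fix from the table above."""
    st = KeystoreStatus()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        _severity, code, msg = rec
        if code == IDENTITY_LOADED:
            m = IDENTITY_RE.search(msg)
            if m:
                st.identity_alias, st.identity_file = m.group(1), m.group(2)
        elif code == TRUST_LOADED:
            m = TRUST_RE.search(msg)
            if m:
                st.trust_files.append(m.group(1))
        elif code == TRUST_LOAD_FAILED:
            m = FAILED_RE.search(msg)
            which = m.group(1) if m else "<unknown>"
            st.problems.append((code, f"trust keystore {which} could not be loaded: "
                                      "recreate the Trust Keystore and configure it (item 3)"))
        elif code == NO_TRUSTED_CERTS:
            st.problems.append((code, "no trusted certificates loaded: the server rejects "
                                      "every peer certificate until trust is fixed (item 3)"))
    if st.identity_alias is None:
        st.problems.append(("missing-identity", "no BEA-090171 notice: check the Identity "
                            "KeyStore path, Private Key Alias and Passphrase (item 2)"))
    if not st.trust_files:
        st.problems.append(("missing-trust", "no BEA-090169 notice: Trust KeyStore not configured"))
    # Production mode must not fall back to the demo stores shipped with WebLogic.
    for path in [st.identity_file] + st.trust_files:
        if path and "Demo" in path:
            st.problems.append(("demo-store", f"{path} is a WebLogic demo keystore"))
    return st


# Constructed sample records: a clean restart, and one where the custom trust
# store was never picked up and the server fell back to DemoTrust.jks.
GOOD_LOG = [
    "<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key "
    "stored under the alias node1 from the JKS keystore file C:\\ssl\\identity1.jks.>",
    "<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore "
    "file C:\\ssl\\trust1.jks.>",
]
BAD_LOG = [
    GOOD_LOG[0],
    "<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore "
    "C:\\Oracle\\MIDDLE~1\\WLSERV~1.3\\server\\lib\\DemoTrust.jks of type JKS.>",
    "<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. "
    "Server will not trust to any certificate it receives.>",
]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        st = check_server_log(log)
        print(name, "OK" if st.ok else "PROBLEMS", st.identity_alias, st.trust_files)
        for code, hint in st.problems:
            print("  ", code, hint)
```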

Sample Keytool Commands

Generate Key in Appserver1 (Identity1.jks) and Appserver2 (identity2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  AS1Prathimaemcswatemcccsacom    (<- DNS name of the host machine)
What is the name of your organizational unit?
  [Unknown]:  IIG
What is the name of your organization?
  [Unknown]:  EMC
What is the name of your City or Locality?
  [Unknown]:  BAng
What is the name of your State or Province?
  [Unknown]:  KAr
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
  [no]:  yes
Enter key password for <newclient1>
        (RETURN if same as keystore password):
Re-enter new password:

Generate Certificate in Appserver1 (cert1.jks and client newclient1) and Appserver2 (cert2.jks and client newclient2):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
Enter keystore password:
Certificate stored in file <c:\cert1.cer>

Generate Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
Enter keystore password:
Re-enter new password:
Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Serial number: 51b171f7
Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
Certificate fingerprints:
         MD5:  33:9A:E6:88:77:16:A1:0E:3C:12:81:96:F9:58:FC:5A
         SHA1: CC:84:3B:67:EC:38:5B:33:7D:8B:90:63:74:25:32:15:AE:38:47:27
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

References

The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.

Installing and Configuring an Oracle WebLogic Application Server for EMC Documentum WDK/Webtop

The following are third-party references:

http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm

http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html

  • Introduction
    • Audience
    • Related documents
      • Enabling Production Mode
        • Production and Development Modes
          • Generating the Identity KeyStore
          • Generating the Trust KeyStore
          • Configuring the Identity and Trust KeyStores
            • Identity
            • Trust
              • Configure the Identity KeyStore details
              • Configure the SSL port on WebLogic Managed Server
              • Configuring the Second WebLogic Managed Server
              • Restart and Verification of WebLogic Managed Servers
              • Generate Trust CA file for Apache Webserver
              • Apache Webserver Configuration
              • Troubleshooting
              • Sample Keytool Commands
              • References
Page 9: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

9 Enabling SSL on Oracle WebLogic Cluster

Check ldquoSSL listen Port Enablerdquo Provide the SSL Listen port details

Configuring the Second WebLogic Managed Server The Identity and Trust KeyStores are generated for the second WebLogic Managed Server

Configure the Identity and Trust KeyStores Follow the steps 1 to 6

Restart and Verification of WebLogic Managed Servers After generating and configuring the Identity and Trust Stores for each WebLogic Managed Servers in WebLogic Admin Console restart the WebLogic Managed Servers

The below messages in the server logs indicate that the certificates are loaded

ltNoticegt ltSecuritygt ltBEA-090171gt ltLoading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjksgt

ltNoticegt ltSecuritygt ltBEA-090169gt ltLoading trustedcertificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjksgt

10 Enabling SSL on Oracle WebLogic Cluster

Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name

Click on the certificate details and verify the certificate information

Generate Trust CA file for Apache Webserver SSL Communication between the Apache webserver plug-in and the WebLogic Server the below parameters need to be added in ldquohttpdconfldquo

SecureProxy set to On

TrustedCAFile point to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file follow the below steps

Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool Keytool ndashimportkeystore -srckeystore identity1jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Keytool ndashimportkeystore -srckeystore identity2jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then PEM format

Conversion from JKS to PKCS12 format using keytool keytool -importkeystore -srckeystore keystore3jks -destkeystore

trustpkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl openssl pkcs12 -in trustpkcs -out trustpem

Apache Webserver Configuration On the Apache webserver used for clustering WebLogic do the following changes

The PEM file generated in the previous step is used as trusted CA file

Copy the trusted CA file to the Apache webserver machine

For the parameter lsquoTrustedCAFilersquo in httpdconf file point the trusted CA file

In ldquohttpdconfrdquo file add one of the below lines depending on Apache Webserver Version LoadModule WebLogic_module modulesmod_wl_22so (for apache webserver

22x)

11 Enabling SSL on Oracle WebLogic Cluster

LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver

20xx)

Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt

SetHandler WebLogic-handler

WebLogicCluster IPSSLPort1 IPSSLPort2

MatchExpression

SecureProxy On

WLProxySSL ON

RequireSSLHostMatch false

TrustedCAFile ctrustpem

EnforceBasicConstraints false

DEBUG

WLLogFile Cwlproxylog

Debug ALL

DebugConfigInfo ON

ConnectTimeoutSecs 600

ltIfModulegt

Troubleshooting

Sl No

Issues Possible Cause Solution

1

From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found

Accessing the URL with different hostnameIP which is not used in specific certificate

While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore

IP should not be used for creating the keystore or accessing the URLs

2

From WebLogic Side javaioFileNotFoundException Keystore was tampered with or

Wrong keystore password is provided while configuring for lsquokeystorePassrsquo

Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore

12 Enabling SSL on Oracle WebLogic Cluster

password was incorrect

attribute page

Or

User can create a new keystore with new password and reconfigure the same

3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load

trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo

Trustjks of type JKSgt

ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert

ificates have been loaded Server will not trust to any certificate it receives

gt

Trust Keystore is not generate properly

Recreate the Trust Keystore and configure

4

From Webserver Side

INFO No CA was trusted validation failed

WARN DeleteSessionCallback No match found

ERROR SSLWrite failed

SEND failed (ret=-1) at 793 of file nsapiURLcpp

Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp

Correct Trusted CA file is not configured on Webserver

Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file

13 Enabling SSL on Oracle WebLogic Cluster

Marking 101010107002 as bad

got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160

INFO Closing SSL context

Sample Keytool Commands

Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks

Enter keystore password

Re-enter new password

What is your first and last name

[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)

What is the name of your organizational unit

[Unknown] IIG

What is the name of your organization

[Unknown] EMC

What is the name of your City or Locality

[Unknown] BAng

What is the name of your State or Province

[Unknown] KAr

What is the two-letter country code for this unit

[Unknown] IN

Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre

ct

[no] yes

Enter key password for ltnewclient1gt

14 Enabling SSL on Oracle WebLogic Cluster

(RETURN if same as keystore password)

Re-enter new password

Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)

COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS

Enter keystore password

Certificate stored in file ltccert1cergt

Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias

newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS

Enter keystore password

Re-enter new password

Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Serial number 51b171f7

Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013

Certificate fingerprints

MD5 339AE6887716A10E3C128196F958FC5A

SHA1 CC843B67EC385B337D8B906374253215AE384727

Signature algorithm name SHA1withRSA

Version 3

Trust this certificate [no] yes

Certificate was added to keystore

15 Enabling SSL on Oracle WebLogic Cluster

References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative

Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

The following are third-party references

httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml

httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm

httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml

  • Introduction
    • Audience
    • Related documents
      • Enabling Production Mode
        • Production and Development Modes
          • Generating the Identity KeyStore
          • Generating the Trust KeyStore
          • Configuring the Identity and Trust KeyStores
            • Identity
            • Trust
              • Configure the Identity KeyStore details
              • Configure the SSL port on WebLogic Managed Server
              • Configuring the Second WebLogic Managed Server
              • Restart and Verification of WebLogic Managed Servers
              • Generate Trust CA file for Apache Webserver
              • Apache Webserver Configuration
              • Troubleshooting
              • Sample Keytool Commands
              • References
Page 10: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

10 Enabling SSL on Oracle WebLogic Cluster

Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name

Click on the certificate details and verify the certificate information

Generate Trust CA file for Apache Webserver SSL Communication between the Apache webserver plug-in and the WebLogic Server the below parameters need to be added in ldquohttpdconfldquo

SecureProxy set to On

TrustedCAFile point to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file follow the below steps

Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool Keytool ndashimportkeystore -srckeystore identity1jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Keytool ndashimportkeystore -srckeystore identity2jks -destkeystore

tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass

password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then PEM format

Conversion from JKS to PKCS12 format using keytool keytool -importkeystore -srckeystore keystore3jks -destkeystore

trustpkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl openssl pkcs12 -in trustpkcs -out trustpem

Apache Webserver Configuration On the Apache webserver used for clustering WebLogic do the following changes

The PEM file generated in the previous step is used as trusted CA file

Copy the trusted CA file to the Apache webserver machine

For the parameter lsquoTrustedCAFilersquo in httpdconf file point the trusted CA file

In ldquohttpdconfrdquo file add one of the below lines depending on Apache Webserver Version LoadModule WebLogic_module modulesmod_wl_22so (for apache webserver

22x)

11 Enabling SSL on Oracle WebLogic Cluster

LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver

20xx)

Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt

SetHandler WebLogic-handler

WebLogicCluster IPSSLPort1 IPSSLPort2

MatchExpression

SecureProxy On

WLProxySSL ON

RequireSSLHostMatch false

TrustedCAFile ctrustpem

EnforceBasicConstraints false

DEBUG

WLLogFile Cwlproxylog

Debug ALL

DebugConfigInfo ON

ConnectTimeoutSecs 600

ltIfModulegt

Troubleshooting

Sl No

Issues Possible Cause Solution

1

From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found

Accessing the URL with different hostnameIP which is not used in specific certificate

While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore

IP should not be used for creating the keystore or accessing the URLs

2

From WebLogic Side javaioFileNotFoundException Keystore was tampered with or

Wrong keystore password is provided while configuring for lsquokeystorePassrsquo

Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore

12 Enabling SSL on Oracle WebLogic Cluster

password was incorrect

attribute page

Or

User can create a new keystore with new password and reconfigure the same

3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load

trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo

Trustjks of type JKSgt

ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert

ificates have been loaded Server will not trust to any certificate it receives

gt

Trust Keystore is not generate properly

Recreate the Trust Keystore and configure

4

From Webserver Side

INFO No CA was trusted validation failed

WARN DeleteSessionCallback No match found

ERROR SSLWrite failed

SEND failed (ret=-1) at 793 of file nsapiURLcpp

Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp

Correct Trusted CA file is not configured on Webserver

Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file

13 Enabling SSL on Oracle WebLogic Cluster

Marking 101010107002 as bad

got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160

INFO Closing SSL context

Sample Keytool Commands

Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks

Enter keystore password

Re-enter new password

What is your first and last name

[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)

What is the name of your organizational unit

[Unknown] IIG

What is the name of your organization

[Unknown] EMC

What is the name of your City or Locality

[Unknown] BAng

What is the name of your State or Province

[Unknown] KAr

What is the two-letter country code for this unit

[Unknown] IN

Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre

ct

[no] yes

Enter key password for ltnewclient1gt

14 Enabling SSL on Oracle WebLogic Cluster

(RETURN if same as keystore password)

Re-enter new password

Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)

COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS

Enter keystore password

Certificate stored in file ltccert1cergt

Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias

newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS

Enter keystore password

Re-enter new password

Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Serial number 51b171f7

Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013

Certificate fingerprints

MD5 339AE6887716A10E3C128196F958FC5A

SHA1 CC843B67EC385B337D8B906374253215AE384727

Signature algorithm name SHA1withRSA

Version 3

Trust this certificate [no] yes

Certificate was added to keystore

15 Enabling SSL on Oracle WebLogic Cluster

References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative

Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

The following are third-party references

httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml

httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm

httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml

  • Introduction
    • Audience
    • Related documents
      • Enabling Production Mode
        • Production and Development Modes
          • Generating the Identity KeyStore
          • Generating the Trust KeyStore
          • Configuring the Identity and Trust KeyStores
            • Identity
            • Trust
              • Configure the Identity KeyStore details
              • Configure the SSL port on WebLogic Managed Server
              • Configuring the Second WebLogic Managed Server
              • Restart and Verification of WebLogic Managed Servers
              • Generate Trust CA file for Apache Webserver
              • Apache Webserver Configuration
              • Troubleshooting
              • Sample Keytool Commands
              • References
Page 11: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

11 Enabling SSL on Oracle WebLogic Cluster

LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver

20xx)

Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt

SetHandler WebLogic-handler

WebLogicCluster IPSSLPort1 IPSSLPort2

MatchExpression

SecureProxy On

WLProxySSL ON

RequireSSLHostMatch false

TrustedCAFile ctrustpem

EnforceBasicConstraints false

DEBUG

WLLogFile Cwlproxylog

Debug ALL

DebugConfigInfo ON

ConnectTimeoutSecs 600

ltIfModulegt

Troubleshooting

Sl No

Issues Possible Cause Solution

1

From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found

Accessing the URL with different hostnameIP which is not used in specific certificate

While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore

IP should not be used for creating the keystore or accessing the URLs

2

From WebLogic Side javaioFileNotFoundException Keystore was tampered with or

Wrong keystore password is provided while configuring for lsquokeystorePassrsquo

Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore

12 Enabling SSL on Oracle WebLogic Cluster

password was incorrect

attribute page

Or

User can create a new keystore with new password and reconfigure the same

3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load

trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo

Trustjks of type JKSgt

ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert

ificates have been loaded Server will not trust to any certificate it receives

gt

Trust Keystore is not generate properly

Recreate the Trust Keystore and configure

4

From Webserver Side

INFO No CA was trusted validation failed

WARN DeleteSessionCallback No match found

ERROR SSLWrite failed

SEND failed (ret=-1) at 793 of file nsapiURLcpp

Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp

Correct Trusted CA file is not configured on Webserver

Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file

13 Enabling SSL on Oracle WebLogic Cluster

Marking 101010107002 as bad

got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160

INFO Closing SSL context

Sample Keytool Commands

Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks

Enter keystore password

Re-enter new password

What is your first and last name

[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)

What is the name of your organizational unit

[Unknown] IIG

What is the name of your organization

[Unknown] EMC

What is the name of your City or Locality

[Unknown] BAng

What is the name of your State or Province

[Unknown] KAr

What is the two-letter country code for this unit

[Unknown] IN

Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre

ct

[no] yes

Enter key password for ltnewclient1gt

14 Enabling SSL on Oracle WebLogic Cluster

(RETURN if same as keystore password)

Re-enter new password

Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)

COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS

Enter keystore password

Certificate stored in file ltccert1cergt

Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)

COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias

newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS

Enter keystore password

Re-enter new password

Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN

Serial number 51b171f7

Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013

Certificate fingerprints

MD5 339AE6887716A10E3C128196F958FC5A

SHA1 CC843B67EC385B337D8B906374253215AE384727

Signature algorithm name SHA1withRSA

Version 3

Trust this certificate [no] yes

Certificate was added to keystore

15 Enabling SSL on Oracle WebLogic Cluster

References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative

Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

The following are third-party references

httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml

httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm

httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml

  • Introduction
    • Audience
    • Related documents
      • Enabling Production Mode
        • Production and Development Modes
          • Generating the Identity KeyStore
          • Generating the Trust KeyStore
          • Configuring the Identity and Trust KeyStores
            • Identity
            • Trust
              • Configure the Identity KeyStore details
              • Configure the SSL port on WebLogic Managed Server
              • Configuring the Second WebLogic Managed Server
              • Restart and Verification of WebLogic Managed Servers
              • Generate Trust CA file for Apache Webserver
              • Apache Webserver Configuration
              • Troubleshooting
              • Sample Keytool Commands
              • References
Page 12: White Paper: Enabling SSL on Oracle WebLogic Cluster · PDF fileEnabling SSL on Oracle WebLogic Cluster 4 Introduction This white paper discusses the steps to enable SSL with self-signed

12 Enabling SSL on Oracle WebLogic Cluster

password was incorrect

attribute page

Or

User can create a new keystore with new password and reconfigure the same

3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load

trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo

Trustjks of type JKSgt

ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert

ificates have been loaded Server will not trust to any certificate it receives

gt

Trust Keystore is not generate properly

Recreate the Trust Keystore and configure

4. From Webserver side:

INFO: No CA was trusted, validation failed
WARN: DeleteSessionCallback: No match found
ERROR: SSLWrite failed
SEND failed (ret=-1) at 793 of file nsapiURL.cpp
Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURL.cpp
Marking 10.10.10.10:7002 as bad
got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapiURL.cpp] at line 3160
INFO: Closing SSL context

The correct Trusted CA file is not configured on the Webserver.

Recreate the Trusted CA file and reconfigure the Webserver with it.
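
The two failure signatures above (WebLogic falling back to the demo trust store, and the Apache plug-in rejecting the managed server certificate) are easy to miss in a busy log. The following triage script is an added example, not code from the white paper or from Oracle; it parses WebLogic's angle-bracket log record format, keys on the BEA-090164 and BEA-090172 message ids and on the plug-in's "No CA was trusted" and "Marking ... as bad" lines, and maps each to the cause and fix listed above. The sample log excerpts are constructed from the messages quoted in this section.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log excerpts, modelled on the messages quoted in the troubleshooting
# section: one from a WebLogic managed server log, one from the Apache plug-in log.
SAMPLE_WEBLOGIC_LOG = """\
<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\\Oracle\\MIDDLE~1\\WLSERV~1.3\\server\\lib\\DemoTrust.jks of type JKS>
<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
"""

SAMPLE_PLUGIN_LOG = """\
INFO: No CA was trusted, validation failed
WARN: DeleteSessionCallback: No match found
ERROR: SSLWrite failed
Marking 10.10.10.10:7002 as bad
got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapiURL.cpp] at line 3160
INFO: Closing SSL context
"""


@dataclass
class Finding:
    source: str        # "weblogic" or "plugin"
    code: str          # BEA message id, or a short tag for plug-in messages
    detail: str
    remediation: str


# A WebLogic log record is a sequence of <field> groups: <severity> <subsystem> <id> <message>.
_WL_FIELDS = re.compile(r"<([^<>]*)>")
_STORE_PATH = re.compile(r"from keystore (\S+) of type (\w+)")
_BAD_HOST = re.compile(r"Marking (\S+) as bad")

TRUST_FIX = "Recreate the Trust Keystore and configure it on the managed server"
CA_FILE_FIX = "Recreate the Trusted CA file and reconfigure the Webserver with it"


def parse_weblogic_record(line: str) -> Optional[dict]:
    """Split one WebLogic log line into its bracketed fields; None if it is not such a record."""
    fields = _WL_FIELDS.findall(line)
    if len(fields) < 4:
        return None
    return {"severity": fields[0], "subsystem": fields[1], "id": fields[2], "message": fields[3]}


def triage_weblogic(log: str) -> List[Finding]:
    """Map Security-subsystem trust warnings to the cause/fix from the troubleshooting table."""
    findings: List[Finding] = []
    for line in log.splitlines():
        rec = parse_weblogic_record(line)
        if not rec or rec["subsystem"] != "Security":
            continue
        if rec["id"] == "BEA-090164":
            m = _STORE_PATH.search(rec["message"])
            path = m.group(1) if m else "<unknown>"
            hint = ""
            if path.lower().endswith("demotrust.jks"):
                # The server never picked up the custom trust store: it is still on the demo one.
                hint = " (server is still using the demo trust store, not the custom one)"
            findings.append(Finding("weblogic", rec["id"],
                                    f"trust keystore {path} could not be loaded{hint}", TRUST_FIX))
        elif rec["id"] == "BEA-090172":
            findings.append(Finding("weblogic", rec["id"],
                                    "no trusted certificates loaded; every peer certificate will be rejected",
                                    TRUST_FIX))
    return findings


def triage_plugin(log: str) -> List[Finding]:
    """Detect the plug-in side of the same problem: CA validation failure and servers marked bad."""
    findings: List[Finding] = []
    bad_hosts: List[str] = []
    for line in log.splitlines():
        if "No CA was trusted" in line:
            findings.append(Finding("plugin", "NO_CA_TRUSTED",
                                    "plug-in could not validate the managed server certificate", CA_FILE_FIX))
        m = _BAD_HOST.search(line)
        if m:
            bad_hosts.append(m.group(1))
    if bad_hosts:
        findings.append(Finding("plugin", "SERVER_MARKED_BAD",
                                "managed server(s) taken out of rotation by the plug-in: " + ", ".join(bad_hosts),
                                "Fix the Trusted CA file on the Webserver so the plug-in can reconnect"))
    return findings


def triage(weblogic_log: str, plugin_log: str) -> List[Finding]:
    return triage_weblogic(weblogic_log) + triage_plugin(plugin_log)


if __name__ == "__main__":
    for f in triage(SAMPLE_WEBLOGIC_LOG, SAMPLE_PLUGIN_LOG):
        print(f"[{f.source}] {f.code}: {f.detail}\n    fix: {f.remediation}")
```

Run it against the real server and plug-in logs instead of the constructed samples; the DemoTrust.jks hint is the quickest confirmation that the managed server's Custom Trust keystore setting never took effect.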

Sample Keytool Commands

Generate the key in Appserver1 (Identity1.jks) and Appserver2 (Identity2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  AS1Prathimaemcswatemcccsacom   (<- DNS name of the host machine)
What is the name of your organizational unit?
  [Unknown]:  IIG
What is the name of your organization?
  [Unknown]:  EMC
What is the name of your City or Locality?
  [Unknown]:  BAng
What is the name of your State or Province?
  [Unknown]:  KAr
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
  [no]:  yes
Enter key password for <newclient1>
        (RETURN if same as keystore password):
Re-enter new password:

Generate the certificate in Appserver1 (cert1.cer from alias newclient1) and Appserver2 (cert2.cer from alias newclient2):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
Enter keystore password:
Certificate stored in file <c:\cert1.cer>

Generate the Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks):

C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
Enter keystore password:
Re-enter new password:
Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Serial number: 51b171f7
Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
Certificate fingerprints:
         MD5:  33:9A:E6:88:77:16:A1:0E:3C:12:81:96:F9:58:FC:5A
         SHA1: CC:84:3B:67:EC:38:5B:33:7D:8B:90:63:74:25:32:15:AE:38:47:27
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
References

The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.

Installing and Configuring an Oracle WebLogic Application Server for EMC Documentum WDK/Webtop

The following are third-party references:

http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html

http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm

http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html
