Infosys’ blog on industry solutions, trends, business process transformation and global implementation in Oracle.


Enabling CA Signed Certificate in Oracle JCS and On-Premises WebLogic (How To Series)

Tools: keytool (ships with the JDK), OpenSSL (optional, for inspecting the CSR and testing the result)

Introduction

By default an Oracle JCS WebLogic server terminates SSL/TLS with a self-signed (demo) certificate. No client can verify a self-signed certificate against a trusted authority, so users either click through browser warnings or switch certificate validation off in their clients, and an attacker who intercepts the connection can present a self-signed certificate of his own and sit in the middle unnoticed. A certificate signed by a CA that the client already trusts removes that weakness: the client can check that the certificate chains to a trusted root and that the host name matches, which is what actually prevents a man-in-the-middle attack. This document applies to both on-premises WebLogic servers and Oracle JCS based WebLogic servers. With CA signed certificates in place, internal and external communication between services, as well as access to the admin console and node manager, is protected by verifiable TLS.

Key Features covered in Document

1) A brief description of CA signed certificates and how a chain of certificates is maintained.

2) How to install a chain of CA signed certificates on WebLogic admin and managed servers.

Brief about CA signed certificates:

There are two types of CA signed certificates.

1) Internal CA Signed Certificate:

This kind of certificate is used when the services are consumed only within the intranet. The certificate is issued by the organization's own (internal) CA, and every client that has to trust it must carry the internal root certificate in its trust store.

Advantage: Full control over the certificate (validity period, whom it is issued to, and so on). Use it when the application is reached only from the customer's own network.

2) External CA Signed Certificate

This type of certificate is issued by a publicly trusted CA such as Verisign or Entrust, whose root certificates ship with browsers and operating systems.

Advantage: Needed when parties or services outside the customer's network must be able to trust the endpoint without any trust-store changes on their side.

SSL Certificate Chain:

There are two types of certificate authorities: root CAs and intermediate CAs. A root CA certificate is self-signed and is what ends up in client trust stores. An intermediate CA certificate is itself issued by a root CA (or by another intermediate) and is the one used to sign end-entity (server) certificates, so that the root's private key can stay offline. A public CA practically never signs a server certificate directly with its root: the certificate you receive is signed by an intermediate, and the intermediates chain up to a single root.

For a client to trust a server certificate, every signature in the chain must verify and the chain must end at a root certificate that is present in the client's trust store. The section below explains the certificate chain.

Example of Certificate chain.

In the example used in this post, ABC Customer obtains its server certificate from "UserTrust RSA Certification Authority", an intermediate CA. That intermediate's own certificate was issued by another intermediate, "Network Solution OV", whose certificate was in turn issued by the root CA, "Geo Trust RSA". (The names only illustrate a three-level chain; check the real issuer of every certificate you receive with keytool -printcert -file <cert> or openssl x509 -in <cert> -noout -subject -issuer.)

Hence the chain is represented as follows.

1) End-entity (server) certificate, issued by UserTrust RSA Certification Authority

2) Intermediate certificate of UserTrust RSA Certification Authority, issued by Network Solution OV

3) Intermediate certificate of Network Solution OV, issued by Geo Trust RSA

4) Root certificate of Geo Trust RSA (self-signed)

When installing the certificates with keytool, import them from the top of the chain downwards: the root certificate first, then each intermediate, and the server certificate last. keytool tries to build a trust path for every certificate it imports from the certificates already in the keystore, so this order lets it validate each link, and the final import of the server certificate then attaches the whole chain to the private key. The intermediate and root certificates are also what goes into the trust store.

NOTE:

1) If any link in the chain is missing or does not verify (for example the server sends its own certificate but not the intermediate that signed it), clients cannot build a path to a trusted root and will reject the certificate.

2) Clients only need the root: root certificates are packaged with browsers and operating systems. The server therefore has to send the end-entity certificate together with all intermediate certificates; a browser usually does not have the intermediates and cannot be relied on to fetch them.

Validation Sequence (figure: Validation Sequence.png)

Implementation on WebLogic On-Premises and PaaS:

Step 10) is specific to WebLogic on Oracle PaaS; the remaining steps apply equally to on-premises WebLogic.

1) Create a custom identity keystore for the WebLogic server.

→ cd $DOMAIN_HOME/bin

→ source setDomainEnv.sh (this puts the JDK's keytool on the PATH)

→ Create a separate directory called keystores under $FMW_HOME and generate the key pair in it:

$FMW_HOME/keystores> keytool -genkeypair -alias newsrv_crt -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=server.cn.ou.com,OU=Support,O=Organization,L=City,ST=State,C=US" -keypass keypwd -keystore identitykeystore.jks -storepass storepwd

server.cn.ou.com is the fully qualified host name (host.domain) that clients will use to reach the server; it must match what they type in the URL. (CN = Common Name, OU = Organizational Unit, O = Organization, L = Locality, ST = State or Province, C = two-letter country code.) -genkeypair is the current name of the older -genkey option, and the signature algorithm must be spelled SHA256withRSA (keytool does not recognize SHA256RSA). Passing -storepass and -keypass on the command line leaves the passwords in the shell history and in the process list while keytool runs; on a shared host omit both options and keytool will prompt for them. keytool on Java 9 and later also warns that JKS is a proprietary format and recommends PKCS12; WebLogic accepts either type, and the rest of this post keeps JKS.

2) Create a certificate signing request (CSR)

$FMW_HOME/keystores> keytool -certreq -v -alias newsrv_crt -file server.csr -sigalg SHA256withRSA -ext san=dns:server.cn.ou.com -keypass keypwd -storepass storepwd -keystore identitykeystore.jks

NOTE: Use the same alias, store password and key password as in the previous step. The -ext san=dns:... option (available in keytool since Java 7) puts the host name into the Subject Alternative Name extension of the request; current browsers ignore the CN and match the host name against the SAN only, so make sure the CA keeps it (most public CAs add it in any case). Before sending the request you can inspect it with OpenSSL: openssl req -in server.csr -noout -text

Send the resulting .csr file to the authorized CA. The CSR looks like the (abbreviated) example below.

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC7zCCAdcCAQAwejELMAkGA1UEBhMCVVMxDzANBgNVBAgTBkhhd2FpaTERMA8G
A1UEBxMISG9ub2x1bHUxGzAZBgNVBAoTElNlcnZjbyBQYWNpZmljIEluYzETMBEG
A1UECxMKU2VydmNvIFRJUzEVMBMGA1UEAwwMKi5zZXJ2Y28uY29tMIIBIjANBgkq
DQYJKoZIhvcNAQELBQADggEBAG+Wfb9F9cxnLCHkZgFFFrE/nGqs8bvCfbRvCA5j
Ab1sauEN9VbzBteP7nDl03XgKDSO/qk5vjLl730hw2uvpz+lTvXc/BuhKMeXYGSM
8zCmPZJITYD1Tatd7FQ2gH0vUXflUP62+IPA+fMp0Mrk4YzUTxsPtod1cOprS9WG
oRwXp/H2o6JxUcYtrUiZee/YmUT6GOwIGTzVLZDUOe+CzS4+sx+W2ALIRnjNuWRu
iiNSAmrd3WHk3Lz5xfBsQOo16kl1b9JcHGo7t57pCyIbGmjX14p4S5DanVd+PEcj
hZDg+qCP5NlaFEeEgjLRFWYSM2BKhhEuL+ioULzuh3mDfjQ=
-----END NEW CERTIFICATE REQUEST-----

3) Once you receive the CA signed certificate, import the CA certificates into the identity keystore.

Import the root certificate first, then each intermediate certificate, working down the chain towards the server certificate, and use a different alias for every certificate. keytool checks each imported certificate against those already in the keystore (and, with -trustcacerts, against the JDK's cacerts file), so this order lets it verify every link. -noprompt suppresses the prompt that shows the certificate fingerprint and asks whether to trust it; before relying on it, compare the fingerprint of each CA certificate (keytool -printcert -file rootsignCA.cer) with the value the CA publishes.

E.g.

Root Certificate

$FMW_HOME/keystores> keytool -importcert -v -noprompt -trustcacerts -alias rootcasigncert -file rootsignCA.cer -keystore identitykeystore.jks -storepass storepwd

Intermediate Certificate

$FMW_HOME/keystores> keytool -importcert -v -noprompt -trustcacerts -alias intercacert -file intermediate.cer -keystore identitykeystore.jks -storepass storepwd

Issuing CA Certificate (the intermediate that signed the server certificate; "User.cer" in this post)

$FMW_HOME/keystores> keytool -importcert -v -noprompt -trustcacerts -alias usercacert -file User.cer -keystore identitykeystore.jks -storepass storepwd

Repeat the intermediate import for each intermediate certificate in the chain, with a different alias each time. A chain has exactly one root certificate.

4) Import the server certificate into the identity keystore with the command below.

$FMW_HOME/keystores> keytool -importcert -v -alias newsrv_crt -file server.cer -keystore identitykeystore.jks -keypass keypwd -storepass storepwd

NOTE: 1) The server certificate is the last link of the chain the CA provides: the end-entity certificate issued to your host.

2) Use the same alias as in steps 1 and 2, so that keytool attaches the certificate, together with the chain it builds from the CA certificates imported in step 3, to the existing private key instead of creating a new trusted-certificate entry. On success keytool prints "Certificate reply was installed in keystore"; if it reports "Failed to establish chain from reply", one of the CA certificates from step 3 is missing.

5) Import the certificate chain into the trust store of the server.

Import the root and all intermediate certificates into the trust store. Do not import the server certificate: a trust store holds the CAs the server accepts when it verifies certificates presented to it (outbound TLS calls, client certificates, the node manager's certificate), not the server's own identity. Once "Custom Trust" is selected in step 7 the server trusts only the CAs in this file, so if WebLogic has to call other HTTPS services whose certificates come from a different CA, import that CA's certificates here as well. The same import order and fingerprint check as in step 3 apply.

E.g.

Root Certificate

$FMW_HOME/keystores> keytool -importcert -v -noprompt -trustcacerts -alias rootcasigncert -file rootsignCA.cer -keystore trustkeystore.jks -storepass storepwd

Intermediate Certificate

$FMW_HOME/keystores> keytool -importcert -v -noprompt -trustcacerts -alias intercacert -file intermediate.cer -keystore trustkeystore.jks -storepass storepwd

Issuing CA Certificate

$FMW_HOME/keystores> keytool -importcert -v -noprompt -trustcacerts -alias usercacert -file User.cer -keystore trustkeystore.jks -storepass storepwd

6) View and confirm the certificates.

$FMW_HOME/keystores> keytool -list -v -keystore identitykeystore.jks -storepass storepwd

The identity store should list the server certificate under alias newsrv_crt with entry type PrivateKeyEntry, and the "Certificate chain length" reported for it should equal the number of certificates in the chain (4 in the example above: server certificate, two intermediates, root). A chain length of 1 means the CA certificates were not found at import time, and the server would send its certificate without the intermediates. The CA certificates themselves appear as separate trustedCertEntry entries.

E.g. Output of above command.

Alias name: newsrv_crt

Creation date: April 15, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 4
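The keystore phase of the procedure (steps 3 to 6) as one script, added here as an example and not part of the original post. It assumes two hypothetical input files from the CA: server.cer (the end-entity certificate) and ca-bundle.pem (the intermediates and root as a PEM bundle, intermediates first and root last, the order most CAs ship). Alias and passwords follow the post and can be overridden through the environment. The bundle is split and imported root-first so that keytool can verify each certificate against the one above it, and the final chain length is checked instead of assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: steps 3 to 6 as a script.
# Hypothetical inputs: server.cer (end-entity certificate) and ca-bundle.pem
# (CA's PEM bundle, intermediates then root). Alias/passwords follow the post.
set -eu

KEYSTORE_DIR=${KEYSTORE_DIR:-./keystores}
IDENTITY_JKS=$KEYSTORE_DIR/identitykeystore.jks
TRUST_JKS=$KEYSTORE_DIR/trustkeystore.jks
ALIAS=${ALIAS:-newsrv_crt}
STOREPASS=${STOREPASS:-storepwd}
KEYPASS=${KEYPASS:-keypwd}

# split_pem_bundle BUNDLE OUTDIR: write every certificate block of BUNDLE to
# OUTDIR/cert-N.pem (N = 1.. in file order) and print how many were found.
# Text outside BEGIN/END markers (the "Subject:" lines some CAs add) is dropped.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# import_ca_certs DIR COUNT KEYSTORE: import cert-COUNT .. cert-1 as trusted
# entries. The bundle is leaf-nearest first, so walking it backwards imports
# the root first and lets keytool verify each following certificate against it.
# Owner/Issuer/SHA256 are printed so the operator can compare the fingerprint
# with what the CA publishes; -noprompt on its own trusts blindly.
import_ca_certs() {
    dir=$1; i=$2; keystore=$3
    while [ "$i" -ge 1 ]; do
        keytool -printcert -file "$dir/cert-$i.pem" | grep -E '^(Owner|Issuer):|SHA256:'
        keytool -importcert -noprompt -trustcacerts -alias "chain-$i" \
            -file "$dir/cert-$i.pem" -keystore "$keystore" -storepass "$STOREPASS"
        i=$((i - 1))
    done
}

# parse_chain_length: read "keytool -list -v" output on stdin and print the
# "Certificate chain length" of the entry, or 0 when the line is absent
# (a trustedCertEntry, or an alias that does not exist).
parse_chain_length() {
    awk -F': *' '/^Certificate chain length:/ { print $2; found = 1 }
                 END { if (!found) print 0 }'
}

chain_length() {    # chain_length KEYSTORE ALIAS
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null |
        parse_chain_length
}

main() {
    server_cert=$1; bundle=$2
    work=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$work")
    [ "$count" -ge 1 ] || { echo "no certificates found in $bundle" >&2; exit 1; }
    mkdir -p "$KEYSTORE_DIR"
    import_ca_certs "$work" "$count" "$IDENTITY_JKS"    # step 3
    import_ca_certs "$work" "$count" "$TRUST_JKS"       # step 5
    # step 4: the reply goes under the private-key alias; keytool refuses it
    # ("Failed to establish chain from reply") if a CA certificate is missing.
    keytool -importcert -alias "$ALIAS" -file "$server_cert" -trustcacerts \
        -keystore "$IDENTITY_JKS" -keypass "$KEYPASS" -storepass "$STOREPASS"
    # step 6: the private-key entry must now carry the server certificate plus
    # every CA certificate; a length of 1 means the chain was not attached.
    got=$(chain_length "$IDENTITY_JKS" "$ALIAS")
    rm -rf "$work"
    [ "$got" -eq $((count + 1)) ] ||
        { echo "chain length $got, expected $((count + 1))" >&2; exit 1; }
    echo "identity and trust keystores ready in $KEYSTORE_DIR"
}

# usage: ./build-keystores.sh server.cer ca-bundle.pem
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```

Because the passwords are taken from the environment rather than typed on the command line, they do not land in the shell history; they are still visible to anyone who can read the process environment, so run this as the WebLogic owner only.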

7) Configure SSL on the WebLogic Server

→ Log in to the WebLogic console.

→ Click Environment, then Servers, and select the server on which SSL needs to be configured.

→ Open the Keystores tab and click Change.

→ From the drop-down box select "Custom Identity and Custom Trust".

→ Click SAVE.

→ Enter the required information in the Keystores tab as given below:

             Custom Identity Keystore: e.g. $FMW_HOME/keystores/identitykeystore.jks

             Custom Identity Keystore Type: JKS (must be in uppercase)

             Custom Identity Keystore Passphrase: storepwd

             Confirm Custom Identity Keystore Passphrase: storepwd

             Custom Trust Keystore: $FMW_HOME/keystores/trustkeystore.jks

             Custom Trust Keystore Type: JKS (must be in uppercase)

             Custom Trust Keystore Passphrase: storepwd

             Confirm Custom Trust Keystore Passphrase: storepwd

             Click SAVE

    Note: The keystore passphrase is the -storepass value used with keytool (storepwd in this post), not the key password. Enter the absolute path of the keystore file, e.g. /u01/app/oracle/middleware/keystore/keystore.jks; $FMW_HOME above is shorthand for that resolved path.

→ Navigate to the SSL tab and provide the values below.

              Private Key Alias: newsrv_crt

              Private Key Password: keypwd

              Confirm Private Key Password: keypwd

              Click SAVE.

8) Click Environment, then Servers, then the General tab of the server configuration.

    Make sure 'SSL Listen Port Enabled' is checked.

                SSL Listen Port: 9072 (an example; pick a free port and use the same one in step 10)

                Click SAVE.

    Leaving 'Listen Port Enabled' checked keeps the unencrypted HTTP listener open next to the SSL one. Once SSL is verified, consider disabling it (or blocking it at the network level) if clients should not be able to reach the server over plain HTTP; check first that the admin server and node manager communication still works without it.

9) Change nodemanager.properties to use the new identity.

   Add the entries below to nodemanager.properties and restart the node manager.

              KeyStores=CustomIdentityAndCustomTrust

              CustomIdentityAlias=newsrv_crt

              CustomIdentityKeyStoreFileName=path/identitykeystore.jks

              CustomIdentityKeyStorePassPhrase=storepwd

              CustomIdentityKeyStoreType=JKS

              CustomIdentityPrivateKeyPassPhrase=keypwd

   (path is the absolute keystore directory from step 1; the two passphrases are the keytool -storepass and -keypass values respectively. As written here they sit in the file in clear text, so restrict its permissions to the WebLogic owner.)

   NOTE: Without this the node manager keeps presenting its demo certificate; the admin server, which after step 7 trusts only the CAs in the custom trust store, rejects that certificate, and you may not be able to start managed servers from the console.

10) Make the changes below in the Cloud console to reach the SSL URLs of the admin and managed servers.

     (Specific to Oracle JCS WebLogic)

    This is required because, by default, not all ports are opened in Oracle Public Cloud.

   The example below is for the admin server.

 → Log in to the Cloud console and navigate to Compute Classic.

 → Select Network, then IP Network or Shared Network depending on your configuration.

 → Navigate to Security Applications and create a new security application.

   E.g. to reach the admin console over SSL on port 9072, the security application looks like the screenshot below. Open only the SSL port, and only to the source networks that need it; the admin console rarely needs to be reachable from the public internet, and the plain listen port should stay closed.

(figure: Security port for PaaS.png)

  → Go to Security Rules and create a new security rule using the security application created above.

(figure: Security role for PaaS.png)

 11) Restart the server concerned.

 12) Test the certificate by accessing the WebLogic console (admin server) or the web application (managed server) over SSL:

https://WebLogichost.com:9072/<uri>

The browser should show the padlock without any warning, and the certificate details should list the CA issued certificate together with its chain. Do not judge success from the page loading alone: a self-signed or badly chained certificate still serves pages once a warning has been clicked away.
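The following is an added example, not part of the original post, that puts the chain rules from the "SSL Certificate Chain" section and the final test of step 12 into OpenSSL commands (the optional tool listed at the top). make_test_pki builds a throwaway root, intermediate and server certificate (constructed test data, not a real CA, with the post's host name server.cn.ou.com in the SAN); verify_chain shows that the server certificate is rejected when the intermediate is missing even though the root is trusted, and that the host name must match; check_endpoint runs the same verification against a live WebLogic SSL listener, with the root certificate file and port being assumptions you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: chain validation with OpenSSL.
# make_test_pki writes constructed test certificates (not a real CA).
set -eu

make_test_pki() {   # make_test_pki DIR: writes root.pem, inter.pem, leaf.pem
    dir=$1; mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.cn.ou.com\n' > "$dir/leaf.ext"
    # self-signed root: the only thing a client trust store needs
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$dir/req.cnf" \
        -extensions v3_ca -subj "/CN=Example Root" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # intermediate CA certificate, issued by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/CN=Example Intermediate" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # server (end-entity) certificate, issued by the intermediate: what the CA returns
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -subj "/CN=server.cn.ou.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain ROOT LEAF HOSTNAME [INTERMEDIATE]: succeeds only if LEAF chains to
# ROOT through the supplied intermediate and is valid for HOSTNAME. ROOT is the
# sole trust anchor; the intermediate is "untrusted" input, exactly how a browser
# treats the extra certificates a server sends in the handshake.
verify_chain() {
    root=$1; leaf=$2; host=$3; inter=${4:-}
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" -verify_hostname "$host" "$leaf"
    else
        openssl verify -CAfile "$root" -verify_hostname "$host" "$leaf"
    fi
}

# check_endpoint HOST PORT ROOT: the same verification against a running SSL
# listener. -servername sends SNI, -CAfile pins the expected root instead of the
# system store, -verify_return_error makes a bad chain or host name fail the
# handshake instead of only printing a warning, -showcerts lists what the server
# actually sent (the intermediates must be there, the root need not be).
check_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
        -CAfile "$3" -verify_return_error -showcerts </dev/null
}

# usage: ROOT_CERT=rootsignCA.pem ./check-tls.sh WebLogichost.com 9072
if [ "$#" -eq 2 ]; then
    check_endpoint "$1" "$2" "${ROOT_CERT:-root.pem}"
fi
```

If check_endpoint fails with "unable to get local issuer certificate", the server is sending its certificate without the intermediates, which is the step 6 chain-length problem seen from the client side; a host-name error means the SAN from step 2 does not cover the name in the URL.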
