SSL Archive

How to configure SSL on Nodemanager for 12c

In WebLogic Server 12.1.2, the Java version of Node Manager is domain-scoped: one Node Manager instance controls the WLS instances belonging to a single domain. This makes it possible to have a different Node Manager configuration for each domain.

You can follow the steps below to run one Node Manager per domain over SSL with a custom identity and custom trust.

1) Start Node Manager from the following location (just to create a default nodemanager.properties file).

D:\Oracle\Middleware\wlserver_12.1\server\bin\startNodeManager.cmd

Stop the nodemanager.

2) Copy the nodemanager folder from this location to your domain folder. The nodemanager.properties file written in step 1 records NodeManagerHome, LogFile and DomainsFile as absolute paths under the original folder; edit or delete those three lines after copying. Otherwise, as the startup output in step 7 shows, Node Manager keeps its log and domains file in the common folder even though it loads its properties from the domain folder.

D:\Oracle\Middleware\wlserver_12.1\common\nodemanager

3) Copy startNodeManager.cmd from the location below to your domain home folder.

D:\Oracle\Middleware\wlserver_12.1\server\bin\startNodeManager.cmd

4) Open the copied script and set the Node Manager home to the domain's nodemanager folder:

set NODEMGR_HOME=D:/Oracle/Middleware/user_projects/domains/base_domain/nodemanager

5) Create the identity keystore for the Node Manager in the nodemanager folder. Use a 2048-bit (or larger) RSA key; 1024-bit RSA keys are below current minimum recommendations.

keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname "CN=www.welogic-wonders.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass

-genkey already stores a self-signed certificate for the new key, so the -selfcert step below only regenerates that certificate and can be skipped.

keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks

You can create the keystore anywhere, but then you must give its complete path in the nodemanager.properties file. Whatever connects to this Node Manager (the Admin Server, or WLST via nmConnect) is the SSL client and must trust this self-signed certificate, so import it into that client's trust store; the default DemoTrust store does not contain it.

6) Add the following to nodemanager.properties. The passphrases must be the ones used with keytool above. The start script changes into the nodemanager folder before launching, so a bare file name resolves there.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=mykey
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=mystorepass
CustomIdentityKeyStoreType=JKS
CustomIdentityPrivateKeyPassPhrase=mykeypass

SecureListener=true (the default) must stay set; with it off, the identity is never used and the listener speaks plaintext. Node Manager rewrites the two passphrases in encrypted form after it has started once, so restrict read access to the file until then.

7) Start your Node Manager from the domain folder on any free port. In the output, look for the SSLConfig line confirming that identity.jks was loaded and the final SSLListener line confirming the secure listener is up.

D:\Oracle\Middleware\user_projects\domains\base_domain>startNodeManager.cmd localhost 6666

D:\Oracle\Middleware\user_projects\domains\base_domain>set CLASSPATH=.;D:\Oracle\Middleware\patch_wls1211\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\lib\tools.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic_sp.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic.jar;D:\Oracle\Middleware\modules\features\weblogic.server.modules_12.1.1.0.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\webservices.jar;D:\Oracle\Middleware\modules\org.apache.ant_1.7.1/lib/ant-all.jar;D:\Oracle\Middleware\modules\net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar;

D:\Oracle\Middleware\user_projects\domains\base_domain>if not "" == "" set CLASSPATH=;.;D:\Oracle\Middleware\patch_wls1211\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\lib\tools.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic_sp.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic.jar;D:\Oracle\Middleware\modules\features\weblogic.server.modules_12.1.1.0.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\webservices.jar;D:\Oracle\Middleware\modules\org.apache.ant_1.7.1/lib/ant-all.jar;D:\Oracle\Middleware\modules\net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar;

D:\Oracle\Middleware\user_projects\domains\base_domain>if not "" == "" set CLASSPATH=.;D:\Oracle\Middleware\patch_wls1211\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\lib\tools.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic_sp.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic.jar;D:\Oracle\Middleware\modules\features\weblogic.server.modules_12.1.1.0.jar;D:\Oracle\Middleware\wlserver_12.1\server\lib\webservices.jar;D:\Oracle\Middleware\modules\org.apache.ant_1.7.1/lib/ant-all.jar;D:\Oracle\Middleware\modules\net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar;;

D:\Oracle\Middleware\user_projects\domains\base_domain>cd D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager

D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager>if not "6666" == "" if not "localhost" == "" goto runNMWithListenAddressAndPort

D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager>"D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\bin\java.exe" -jrockit -Xms128m -Xmx256m -Dbea.home=D:\Oracle\Middleware -Xverify:none -Djava.endorsed.dirs=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10/jre/lib/endorsed;D:\Oracle\Middleware\wlserver_12.1/endorsed "-Djava.security.policy=D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic.policy" "-Dweblogic.nodemanager.javaHome=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10" -DListenAddress="localhost" -DListenPort="6666" weblogic.NodeManager -v

Apr 23, 2015 8:30:50 PM weblogic.nodemanager.server.NMServerConfig initDomainsMap
INFO: Loading domains file: D:\Oracle\Middleware\wlserver_12.1\common\nodemanager\nodemanager.domains

Apr 23, 2015 8:30:50 PM weblogic.nodemanager.server.SSLConfig loadKeyStoreConfig
INFO: Loading identity key store: FileName=D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager\identity.jks, Type=JKS, PassPhraseUsed=true

Apr 23, 2015 8:30:50 PM weblogic.nodemanager.server.NMServer
INFO: Loaded node manager configuration properties from 'D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager\nodemanager.properties'
Node manager v10.3

Configuration settings:

NodeManagerHome=D:\Oracle\Middleware\wlserver_12.1\common\nodemanager
ListenAddress=localhost
ListenPort=6666
ListenBacklog=50
SecureListener=true
AuthenticationEnabled=true
NativeVersionEnabled=true
CrashRecoveryEnabled=false
JavaHome=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\jre
StartScriptEnabled=true
StopScriptEnabled=false
StartScriptName=startWebLogic.cmd
StopScriptName=
LogFile=D:\Oracle\Middleware\wlserver_12.1\common\nodemanager\nodemanager.log
LogLevel=INFO
LogLimit=0
LogCount=1
LogAppend=true
LogToStderr=true
LogFormatter=weblogic.nodemanager.server.LogFormatter
DomainsFile=D:\Oracle\Middleware\wlserver_12.1\common\nodemanager\nodemanager.domains
DomainsFileEnabled=true
StateCheckInterval=500
UseMACBroadcast=false
DomainRegistrationEnabled=false
DomainsDirRemoteSharingEnabled=false

Domain name mappings:


wl_server -> D:\Oracle\Middleware\wlserver_12.1\samples\domains\wl_server
base_domain -> D:\Oracle\Middleware\user_projects\domains\base_domain
medrec -> D:\Oracle\Middleware\wlserver_12.1\samples\domains\medrec

Apr 23, 2015 8:30:51 PM weblogic.nodemanager.server.SSLListener run
INFO: Secure socket listener started on port 6666, host localhost/127.0.0.1
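A pre-flight check for the configuration produced by the steps above, as an added example (not code from the original post or from Oracle). It parses a nodemanager.properties file and reports the problems the procedure can leave behind: NodeManagerHome, LogFile or DomainsFile still pointing at the original common\nodemanager folder (the startup output above shows exactly that), custom-identity settings missing for KeyStores=CustomIdentityAndCustomTrust, a listener that is not secure, and passphrases still stored in the clear. The property names are the real nodemanager.properties keys; the sample file content and the domain path are constructed for the example.

```python
"""Pre-flight check for a per-domain Node Manager SSL configuration (added example)."""
from pathlib import PureWindowsPath

# Constructed sample: the file as it looks right after step 2 (copied from
# wlserver_12.1\common\nodemanager) with the SSL lines from step 6 added.
# Java .properties files escape ':' and '\' as shown.
SAMPLE_PROPERTIES = r"""#Node manager properties
DomainsFile=D\:\\Oracle\\Middleware\\wlserver_12.1\\common\\nodemanager\\nodemanager.domains
LogFile=D\:\\Oracle\\Middleware\\wlserver_12.1\\common\\nodemanager\\nodemanager.log
NodeManagerHome=D\:\\Oracle\\Middleware\\wlserver_12.1\\common\\nodemanager
SecureListener=true
ListenPort=6666
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=mykey
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=mystorepass
CustomIdentityKeyStoreType=JKS
CustomIdentityPrivateKeyPassPhrase=mykeypass
"""

# Assumed per-domain Node Manager home (the folder created in step 2).
DOMAIN_NM_HOME = r"D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager"

REQUIRED_IDENTITY_KEYS = (
    "CustomIdentityAlias",
    "CustomIdentityKeyStoreFileName",
    "CustomIdentityKeyStorePassPhrase",
    "CustomIdentityPrivateKeyPassPhrase",
)


def _unescape(value):
    """Undo Java .properties backslash escapes (colon, equals, backslash, n, t)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_key(line):
    """Split a line at the first unescaped '=' or ':' (both are .properties separators)."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=:":
            return line[:i].strip(), line[i + 1:].strip()
        i += 1
    return line.strip(), ""


def parse_properties(text):
    """Minimal .properties reader: skips blanks and comments, unescapes keys and values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split_key(line)
        props[_unescape(key)] = _unescape(value)
    return props


def check_nm_ssl(props, expected_home):
    """Return findings as 'error: ...', 'warn: ...' or 'info: ...' strings."""
    findings = []
    home = PureWindowsPath(expected_home)

    if props.get("SecureListener", "true").lower() != "true":
        findings.append("error: SecureListener is not true; the Admin Server would talk to this Node Manager in plaintext")

    keystores = props.get("KeyStores", "DemoIdentityAndDemoTrust")
    if keystores == "CustomIdentityAndCustomTrust":
        for key in REQUIRED_IDENTITY_KEYS:
            if not props.get(key):
                findings.append(f"error: {key} is missing but KeyStores=CustomIdentityAndCustomTrust")
    else:
        findings.append(f"warn: KeyStores={keystores}; the demo identity is for development only")

    # Step 2 pitfall: absolute paths written by the first start still point at the old folder.
    for key in ("NodeManagerHome", "LogFile", "DomainsFile"):
        value = props.get(key)
        if value:
            path = PureWindowsPath(value)
            if path != home and home not in path.parents:
                findings.append(f"warn: {key}={value} is outside {expected_home}; fix or delete this line")

    for key in ("CustomIdentityKeyStorePassPhrase", "CustomIdentityPrivateKeyPassPhrase"):
        value = props.get(key, "")
        if value and not value.startswith("{AES}"):
            findings.append(f"info: {key} is in clear text; expect it to be rewritten as {{AES}}... once Node Manager has started, and restrict read access to the file until then")
    return findings


def check_file(path, expected_home):
    """Run the checks against a real nodemanager.properties file (ISO-8859-1 by specification)."""
    with open(path, encoding="latin-1") as fh:
        return check_nm_ssl(parse_properties(fh.read()), expected_home)


if __name__ == "__main__":
    for finding in check_nm_ssl(parse_properties(SAMPLE_PROPERTIES), DOMAIN_NM_HOME):
        print(finding)
```

Run it against the real file with check_file(r"...\base_domain\nodemanager\nodemanager.properties", DOMAIN_NM_HOME) before starting Node Manager; once it reports nothing but "info" lines, `openssl s_client -connect localhost:6666` should show the certificate created in step 5.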

How to configure SSL Between Weblogic and Apache

SSL between Apache and Weblogic

 

 

1) Set WLS Environment

C:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

2) Go to the lib directory and convert the WLS demo CA certificate (CertGenCA.der) to PEM format

C:\Oracle\Middleware\wlserver_10.3\server\lib>java utils.der2pem CertGenCA.der

C:\Oracle\Middleware\wlserver_10.3\server\lib>dir CertGen*
Volume in drive C is Windows8_OS
Volume Serial Number is 8C04-A406

Directory of C:\Oracle\Middleware\wlserver_10.3\server\lib

01/03/2015 09:29 PM 540 CertGenCA.der
01/19/2015 07:47 PM 786 CertGenCA.pem
01/03/2015 09:29 PM 388 CertGenCAKey.der

3) Edit D:\Apache2.2\conf\httpd.conf and add the following entries

LoadModule weblogic_module modules/mod_wl128_22.so

<Location /console>
   SetHandler weblogic-handler
   SecureProxy ON
   TrustedCAFile C:/Oracle/Middleware/wlserver_10.3/server/lib/CertGenCA.pem
   RequireSSLHostMatch false
   WebLogicHost localhost
   WebLogicPort 7002
   WLLogFile D:/temp/wlproxy.log
   WLTempDir D:/temp
   Debug ALL

</Location>

Note: The Admin or Managed Server must be up and listening for SSL on the host and port given in the Location block. SecureProxy ON makes the plug-in connect to WebLogic's SSL listen port (7002 here), not the plain one, and TrustedCAFile must contain the CA that issued that server's certificate. CertGenCA is WebLogic's demo CA; its private key (CertGenCAKey.der, in the listing above) ships with every installation, so anyone can issue certificates it trusts. Use it for development only. RequireSSLHostMatch false switches off the check that the WebLogic certificate matches WebLogicHost, and Debug ALL produces very verbose logs; both are convenient for a first test and should be reverted before production use.

If there are any issues, check the proxy log (WLLogFile). If you are still not able to resolve them, please feel free to post here.
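What step 2 actually does, as an added example (not the post's or Oracle's code): `java utils.der2pem` base64-encodes the DER file between PEM markers. The script below performs the same conversion with the Python standard library, but first checks that the input really is one complete DER SEQUENCE, which catches the usual mistakes when preparing a TrustedCAFile: feeding the plug-in a file that is already PEM, the key file (CertGenCAKey.der) instead of the certificate, or a truncated download. It also reads a PEM bundle back, since a TrustedCAFile may hold several CA certificates. The sample DER blobs are constructed minimal ASN.1 SEQUENCEs, not real certificates.

```python
"""DER <-> PEM handling for a plug-in TrustedCAFile (added example)."""
import base64
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed samples (ASN.1 SEQUENCEs, not certificates).
SAMPLE_DER_SHORT = bytes.fromhex("3006020105020107")               # SEQUENCE { INTEGER 5, INTEGER 7 }
SAMPLE_DER_LONG = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197   # long-form length: 200 content bytes


def der_length(der):
    """Total encoded size of the outermost DER element; raises if it is not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (certificates start with 0x30); already PEM, or a key file?")
    first = der[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def is_valid_der(der):
    """True when `der` is exactly one complete DER SEQUENCE (no truncation, no trailing data)."""
    try:
        return der_length(der) == len(der)
    except ValueError:
        return False


def der_to_pem(der):
    """Wrap one DER certificate as PEM: 64-column base64 between the standard markers."""
    if not is_valid_der(der):
        raise ValueError("input is not one complete DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *body, PEM_FOOTER]) + "\n"


def matches_stdlib(der):
    """Cross-check against ssl.DER_cert_to_PEM_cert, which performs the same wrapping."""
    return der_to_pem(der) == ssl.DER_cert_to_PEM_cert(der)


def pem_bundle_to_der(text):
    """Return every certificate in a PEM bundle as DER, validating each block."""
    blobs = []
    for b64 in _PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(b64.split()), validate=True)
        if not is_valid_der(der):
            raise ValueError("PEM block does not decode to one complete DER element")
        blobs.append(der)
    if not blobs:
        raise ValueError("no CERTIFICATE blocks found; TrustedCAFile must be PEM")
    return blobs


def der2pem_file(src, dst):
    """File-based equivalent of `java utils.der2pem CertGenCA.der`."""
    with open(src, "rb") as fh:
        pem = der_to_pem(fh.read())
    with open(dst, "w", encoding="ascii") as fh:
        fh.write(pem)
    return dst


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_DER_SHORT))
```

To check an existing TrustedCAFile, read it and call pem_bundle_to_der on the text; a ValueError tells you the file is not what the plug-in expects before you spend time in the proxy log.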

 

 

Two way SSL Webservice on Weblogic Server

This article provides a sample web service and web service client for two-way SSL. It also demonstrates the use of the WlsSSLAdapter class to present a client certificate to the server.

1. Create a JWS with the following policy  : Wssp1.2-2007-Https-ClientCertReq.xml

 

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
		 portName="SecureHelloWorldServicePort")

@Policy(uri = "policy:Wssp1.2-2007-Https-ClientCertReq.xml")

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

2. Build and Deploy the service on WebLogic Server

3. Deploy a WAR file containing the following JSP on another WebLogic server.

<html>
<head>
<title>WS Client App</title>
</head>
<body bgcolor="#cccccc">
<blockquote>
<h2>Protected Page</h2>
</blockquote>

<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService_Impl"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldPortType"%>

<%@ page import="javax.xml.rpc.Stub"%>
<%@ page import="weblogic.wsee.connection.transport.https.WlsSSLAdapter"%>
<%@ page import="weblogic.security.SSL.TrustManager"%>
<%@ page import="java.security.cert.X509Certificate"%>

<%
 try
 {
    // Endpoint of the secured service; its WSDL is the same URL with ?WSDL appended.
    String endpoint = "https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService";
    String wsdl = endpoint + "?WSDL";
    //SecureHelloWorldService service = new SecureHelloWorldService_Impl(wsdl);
    SecureHelloWorldService service = new SecureHelloWorldService_Impl();
    SecureHelloWorldPortType port = service.getSecureHelloWorldServicePort();

    // Client identity: the keystore holding the certificate presented to the service.
    WlsSSLAdapter adapter = new WlsSSLAdapter();
    adapter.setKeystore("C://WSSecurity//LABS//twoway_jws//identity.jks","mystorepass".toCharArray(), "JKS" );
    adapter.setClientCert("mykey","mykeypass".toCharArray());
    // WARNING: this callback accepts any server certificate, so the client never
    // authenticates the service. Acceptable in a lab only; in production remove it
    // and import the service's certificate (or its CA) into the client's trust store.
    adapter.setTrustManager( new TrustManager(){
                 public boolean certificateCallback(X509Certificate[] chain, int validateErr){
                   return true;
                 }
           }); 

   Stub stub = (Stub)port;
   stub._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY, endpoint);
   stub._setProperty("weblogic.wsee.client.ssladapter", adapter);

   out.println(port.sayHello("World"));
 } 
catch (Exception e)
{
out.println("Web service call failed: " + e);
}           

%>

</body>
</html>

4. Configure SSL on the server that hosts the client application (its own identity and trust stores; the JSP supplies the client certificate separately from identity.jks).

5. On the server on which the service is deployed, do the two-way SSL configuration.

a) Go to Home > Summary of Servers > YourServer > SSL > Advanced and set
Two Way Client Cert Behavior: Client Certs Requested and Enforced
Hostname Verification: None

"Hostname Verification: None" disables the check that the peer certificate's CN matches the host being connected to. It is acceptable here only because everything runs on localhost with self-signed certificates; with real certificates keep the default verifier.

b) Go to Home > Summary of Security Realms > myrealm > Providers > DefaultIdentityAsserter

Under Common, move X.509 to the Chosen list of active types.

Under Provider Specific, set

Trusted Client Principals: <CN of the client's certificate>
Default User Name Mapper Attribute Type: CN
Use Default User Name Mapper: Checked

c) Create a user in the security realm whose name is the CN value of the client certificate. Identity assertion only maps the certificate to a user name; the user itself must exist in the realm or the call is rejected.

6) Import the client's certificate into the trust store of the server. The client side must also trust the service's certificate; the JSP above bypasses that with a trust-all callback, so for anything beyond a lab import the service's certificate (or its CA) into the client server's trust store and remove the callback.
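A model of the identity assertion configured in step 5, as an added example (not WebLogic code): once two-way SSL has verified the client certificate, the Default User Name Mapper takes one attribute (CN here) from its subject DN, the result has to be an allowed principal, and it has to name a user that exists in the realm (step 5c). The DN parser handles backslash escapes and multi-valued RDNs so that a CN containing a comma cannot split into extra attributes. The trusted-principal list is modelled as a plain allowlist where "*" means any principal; the subject DNs, the user list and the principal list are constructed for the example.

```python
"""Model of X.509 identity assertion with a CN user-name mapper (added example)."""

# Constructed data.
CLIENT_SUBJECT = "CN=wsclient,OU=Customer Support,O=BEA Systems Inc,L=Denver,ST=Colorado,C=US"
REALM_USERS = {"wsclient", "weblogic"}     # users that exist in the realm (step 5c)
TRUSTED_PRINCIPALS = {"wsclient"}          # allowlist of mapped names; "*" allows any


def parse_dn(dn):
    """Split an RFC 2253 style DN into (ATTRIBUTE, value) pairs.
    Backslash escapes are honoured, ',' ends an RDN and '+' separates the
    attributes of a multi-valued RDN, so 'CN=Doe\\, John' stays one value."""
    pairs, key, buf, in_value, i = [], "", [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value and c == "=":
            key, buf, in_value = "".join(buf).strip(), [], True
        elif in_value and c in ",+":
            pairs.append((key.upper(), "".join(buf).strip()))
            buf, in_value = [], False
        else:
            buf.append(c)
        i += 1
    if in_value:
        pairs.append((key.upper(), "".join(buf).strip()))
    return pairs


def map_user_name(dn, attribute="CN"):
    """Default User Name Mapper behaviour: the single value of `attribute`.
    Zero or several values are rejected rather than guessed."""
    values = [v for k, v in parse_dn(dn) if k == attribute.upper()]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {attribute} in subject, found {len(values)}")
    return values[0]


def assert_identity(subject_dn, trusted_principals, realm_users, attribute="CN"):
    """Return the asserted user name, or None when the assertion must fail."""
    try:
        user = map_user_name(subject_dn, attribute)
    except ValueError:
        return None
    if "*" not in trusted_principals and user not in trusted_principals:
        return None   # certificate verified, but its subject may not assert an identity
    if user not in realm_users:
        return None   # step 5c: the mapped name must exist as a realm user
    return user


if __name__ == "__main__":
    print(assert_identity(CLIENT_SUBJECT, TRUSTED_PRINCIPALS, REALM_USERS))
```

The two None branches are the ones worth testing on the real server: a certificate the server trusts but whose CN is not a realm user is still refused, and a CN that matches a realm user only works because the certificate chain was accepted first.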