SSL Archive

How to configure SSL on Nodemanager for 12c

In Weblogic Server 12.1.2, the Java version of Node Manager controls all WLS instances belonging to the same domain. This makes it possible to keep a separate Node Manager configuration for each domain.

You can follow the steps below to run one Node Manager per domain over SSL (custom identity and custom trust).

1) Start Node Manager from the following location (just to create a default nodemanager.properties file).

D:\Oracle\Middleware\wlserver_12.1\server\bin\startNodeManager.cmd

Then stop Node Manager.

2) Copy the nodemanager folder from this location to your domain folder.

D:\Oracle\Middleware\wlserver_12.1\common\nodemanager

3) Copy startNodeManager.cmd from the location below to your domain home folder.

D:\Oracle\Middleware\wlserver_12.1\server\bin\startNodeManager.cmd

4) Open the script and update the Node Manager home location in it.

set NODEMGR_HOME=D:/Oracle/Middleware/user_projects/domains/base_domain/nodemanager

5) Create the identity store for Node Manager in the nodemanager folder.

keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=www.welogic-wonders.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass

keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks

You can create it anywhere, but then you have to give the complete path in the nodemanager.properties file.

6) Add the following to the nodemanager.properties file. The pass phrases must be the ones used when the keystore was created in step 5 (store password mystorepass, key password mykeypass).

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=mykey
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=mystorepass
CustomIdentityKeyStoreType=JKS
CustomIdentityPrivateKeyPassPhrase=mykeypass

7) Start Node Manager from the domain folder on any free listen address and port.

D:\Oracle\Middleware\user_projects\domains\base_domain>startNodeManager.cmd localhost 6666

D:\Oracle\Middleware\user_projects\domains\base_domain>cd D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager

D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager>if not "6666" == "" if not "localhost" == "" goto runNMWithListenAddressAndPort

D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager>"D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\bin\java.exe" -jrockit -Xms128m -Xmx256m -Dbea.home=D:\Oracle\Middleware -Xverify:none -Djava.endorsed.dirs=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10/jre/lib/endorsed;D:\Oracle\Middleware\wlserver_12.1/endorsed "-Djava.security.policy=D:\Oracle\Middleware\wlserver_12.1\server\lib\weblogic.policy" "-Dweblogic.nodemanager.javaHome=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10" -DListenAddress="localhost" -DListenPort="6666" weblogic.NodeManager -v

Apr 23, 2015 8:30:50 PM weblogic.nodemanager.server.NMServerConfig initDomainsMap
INFO: Loading domains file: D:\Oracle\Middleware\wlserver_12.1\common\nodemanager\nodemanager.domains

Apr 23, 2015 8:30:50 PM weblogic.nodemanager.server.SSLConfig loadKeyStoreConfig
INFO: Loading identity key store: FileName=D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager\identity.jks, Type=JKS, PassPhraseUsed=true

Apr 23, 2015 8:30:50 PM weblogic.nodemanager.server.NMServer
INFO: Loaded node manager configuration properties from 'D:\Oracle\Middleware\user_projects\domains\base_domain\nodemanager\nodemanager.properties'
Node manager v10.3

Configuration settings:

NodeManagerHome=D:\Oracle\Middleware\wlserver_12.1\common\nodemanager
ListenAddress=localhost
ListenPort=6666
ListenBacklog=50
SecureListener=true
AuthenticationEnabled=true
NativeVersionEnabled=true
CrashRecoveryEnabled=false
JavaHome=D:\Oracle\Middleware\jrockit_160_29_D1.2.0-10\jre
StartScriptEnabled=true
StopScriptEnabled=false
StartScriptName=startWebLogic.cmd
StopScriptName=
LogFile=D:\Oracle\Middleware\wlserver_12.1\common\nodemanager\nodemanager.log
LogLevel=INFO
LogLimit=0
LogCount=1
LogAppend=true
LogToStderr=true
LogFormatter=weblogic.nodemanager.server.LogFormatter
DomainsFile=D:\Oracle\Middleware\wlserver_12.1\common\nodemanager\nodemanager.domains
DomainsFileEnabled=true
StateCheckInterval=500
UseMACBroadcast=false
DomainRegistrationEnabled=false
DomainsDirRemoteSharingEnabled=false

Domain name mappings:


wl_server -> D:\Oracle\Middleware\wlserver_12.1\samples\domains\wl_server
base_domain -> D:\Oracle\Middleware\user_projects\domains\base_domain
medrec -> D:\Oracle\Middleware\wlserver_12.1\samples\domains\medrec

Apr 23, 2015 8:30:51 PM weblogic.nodemanager.server.SSLListener run
INFO: Secure socket listener started on port 6666, host localhost/127.0.0.1
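A small check, added here and not part of the post or of Node Manager, that reads the step-6 properties and reports what would stop the secure listener from coming up with the custom identity: a missing custom-identity key, a keystore path that does not resolve, or SecureListener turned off. The sample uses the pass phrases from the step-5 keytool command; that a relative CustomIdentityKeyStoreFileName resolves against the Node Manager home is an assumption of this check (which is why the post tells you to give the full path when the store lives elsewhere).

```python
"""Lint for the SSL settings added to nodemanager.properties in step 6.  Added
example, not Node Manager code.  Assumes a relative keystore path resolves
against the Node Manager home (hence the post's advice to give the full path)."""
import os

CUSTOM_IDENTITY_KEYS = ("CustomIdentityAlias", "CustomIdentityKeyStoreFileName",
                        "CustomIdentityKeyStorePassPhrase", "CustomIdentityKeyStoreType",
                        "CustomIdentityPrivateKeyPassPhrase")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min(i for i in (line.find("="), line.find(":"), len(line)) if i >= 0)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def check_nm_ssl(props, nm_home, exists=os.path.isfile):
    """Return a list of findings; an empty list means the secure listener config is coherent."""
    findings = []
    if props.get("SecureListener", "true").lower() != "true":
        findings.append("SecureListener=false: Node Manager would accept plain-text connections")
    keystores = props.get("KeyStores", "DemoIdentityAndDemoTrust")  # Node Manager's default
    if not keystores.startswith("CustomIdentity"):
        findings.append(f"KeyStores={keystores}: demo identity, not a host-specific certificate")
        return findings
    missing = [k for k in CUSTOM_IDENTITY_KEYS if not props.get(k)]
    if missing:
        findings.append("missing for custom identity: " + ", ".join(missing))
    path = props.get("CustomIdentityKeyStoreFileName", "")
    if path:
        full = path if os.path.isabs(path) else os.path.join(nm_home, path)
        if not exists(full):
            findings.append(f"identity keystore not found: {full}")
    return findings


# Constructed sample: the step-6 properties with the pass phrases used in step 5.
SAMPLE = (
    "KeyStores=CustomIdentityAndCustomTrust\n"
    "CustomIdentityAlias=mykey\n"
    "CustomIdentityKeyStoreFileName=identity.jks\n"
    "CustomIdentityKeyStorePassPhrase=mystorepass\n"
    "CustomIdentityKeyStoreType=JKS\n"
    "CustomIdentityPrivateKeyPassPhrase=mykeypass\n"
)
NM_HOME = "D:/Oracle/Middleware/user_projects/domains/base_domain/nodemanager"
```

Run it against the real file with `check_nm_ssl(parse_properties(open(path).read()), nm_home)` before starting Node Manager; the log line "Loading identity key store: FileName=..., PassPhraseUsed=true" above is what a clean run looks like.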

How to configure SSL Between Weblogic and Apache

SSL between Apache and Weblogic


1) Set WLS Environment

C:\Oracle\Middleware\wlserver_10.3\server\bin>setWLSEnv.cmd

2) Go to the lib directory and convert the WLS root certificate to .pem format

C:\Oracle\Middleware\wlserver_10.3\server\lib>java utils.der2pem CertGenCA.der

C:\Oracle\Middleware\wlserver_10.3\server\lib>dir CertGen*
Volume in drive C is Windows8_OS
Volume Serial Number is 8C04-A406

Directory of C:\Oracle\Middleware\wlserver_10.3\server\lib

01/03/2015 09:29 PM 540 CertGenCA.der
01/19/2015 07:47 PM 786 CertGenCA.pem
01/03/2015 09:29 PM 388 CertGenCAKey.der

3) Edit D:\Apache2.2\conf\httpd.conf and add the following entries

LoadModule weblogic_module modules/mod_wl128_22.so

<Location /console>
   SetHandler weblogic-handler
   # Proxy to WebLogic over SSL instead of plain HTTP
   SecureProxy ON
   # CA certificate (in PEM format, from step 2) that signed the WebLogic server certificate
   TrustedCAFile C:/Oracle/Middleware/wlserver_10.3/server/lib/CertGenCA.pem
   # Do not require the host name in the WebLogic server certificate to match WebLogicHost
   RequireSSLHostMatch false
   WebLogicHost localhost
   # WebLogic SSL listen port
   WebLogicPort 7002
   # Plug-in log; Debug ALL is verbose and meant for troubleshooting the setup
   WLLogFile D:/temp/wlproxy.log
   WLTempDir D:/temp
   Debug ALL
</Location>

Note: The Admin/Managed Server must be up and running on the host and port given in the Location directive.

If there are any issues, check the proxy log (WLLogFile). If you are still not able to resolve them, feel free to post here.


Two way SSL Webservice on Weblogic Server

This article provides a sample web service and web service client for two-way SSL. It also demonstrates the use of the WlsSSLAdapter class to send the client certificate to the server.

1. Create a JWS with the following policy: Wssp1.2-2007-Https-ClientCertReq.xml

package examples.webservices.security_jws;

import weblogic.jws.WLHttpTransport;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;

@WebService(name="SecureHelloWorldPortType", 
            serviceName="SecureHelloWorldService", 
            targetNamespace="http://www.bea.com")

@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, 
             use=SOAPBinding.Use.LITERAL,
             parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)

@WLHttpTransport(contextPath="SecureHelloWorldService", 
                 serviceUri="SecureHelloWorldService",
                 portName="SecureHelloWorldServicePort")

@Policy(uri = "policy:Wssp1.2-2007-Https-ClientCertReq.xml")

public class SecureHelloWorldImpl {

  @WebMethod()
  public String sayHello(String s) {
    return "Hello " + s;  
  }
}

2. Build and deploy the service on WebLogic Server.

3. Deploy a WAR file containing the following JSP on another server.

<html>
<head>
<title>WS Client App</title>
</head>
<body bgcolor="#cccccc">
<blockquote>
<h2>Protected Page</h2>
</blockquote>

<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldService_Impl"%>
<%@ page import="examples.webservices.security_jws.client.SecureHelloWorldPortType"%>

<%@ page import="javax.xml.rpc.Stub"%>
<%@ page import="weblogic.wsee.connection.transport.https.WlsSSLAdapter"%>
<%@ page import="weblogic.security.SSL.TrustManager"%>
<%@ page import="java.security.cert.X509Certificate"%>

<%
 try
 {
    String wsdl = "https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService?WSDL";
    //SecureHelloWorldService service = new SecureHelloWorldService_Impl(wsdl);
    SecureHelloWorldService service = new SecureHelloWorldService_Impl();
    SecureHelloWorldPortType port = service.getSecureHelloWorldServicePort();

    // Client identity: the keystore holding the certificate that is sent to the
    // service when it requests a client certificate (two-way SSL).
    WlsSSLAdapter adapter = new WlsSSLAdapter();
    adapter.setKeystore("C://WSSecurity//LABS//twoway_jws//identity.jks","mystorepass".toCharArray(), "JKS" );
    adapter.setClientCert("mykey","mykeypass".toCharArray());
    // Sample only: this callback accepts whatever certificate the service presents,
    // so the service is not authenticated by this client.
    adapter.setTrustManager( new TrustManager(){
                 public boolean certificateCallback(X509Certificate[] chain, int validateErr){
                   return true;
                 }
           }); 

   weblogic.wsee.connection.transport.https.HttpsTransportInfo info = new weblogic.wsee.connection.transport.https.HttpsTransportInfo(adapter);
   Stub stub = (Stub)port;
   stub._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY,"https://localhost:7002/SecureHelloWorldService/SecureHelloWorldService?WSDL");
   // Hand the adapter (client keystore and trust manager) to the WebLogic client runtime.
   stub._setProperty("weblogic.wsee.client.ssladapter", adapter);

   out.println(port.sayHello("World"));
 } 
catch (Exception e)
{
out.println("Web service call failed: " + e);
}

%>

</body>
</html>

4. Configure SSL on the server on which the client app is deployed.

5. On the server on which the service is deployed, do the two-way SSL configuration.

a) Go to Home >Summary of Servers > YourServer > SSL > Advanced >
Two Way Client Cert Behavior: Client Certs Requested and Enforced
Hostname Verification: None

b) Go to Home >Summary of Security Realms >myrealm >Providers >DefaultIdentityAsserter

Under Common

Active Types (Chosen): X.509

Under Provider Specific

Trusted Client Principals: <CN of the client’s certificate>
Default User Name Mapper Attribute Type: CN
Use Default User Name Mapper: Checked

c) Create a user in the security realm with the CN value of the certificate.

6. Import the client's public certificate into the trust store of the server.

Mutual Authentication with Weblogic Server

Mutual authentication is a process in which the server sends its certificate to the client (thin client or fat client) and the client validates it; the server then requests a certificate from the client and validates that in turn.

In this example we created a .pfx file containing the public and private keys and installed it in the browser.

Then we exported the public key and imported it into the trust store of Weblogic Server.

C:\bea103\wlserver_10.3\server\lib>keytool -v -import -keystore DemoTrust.jks -file Fabrizio.cer -alias fabrizio -storepass DemoTrustKeyStorePassPhrase
Owner: CN=Fabrizio
Issuer: CN=Fabrizio
Serial number: 0
Valid from: Fri May 15 20:02:49 IST 2009 until: Mon May 13 20:02:49 IST 2019
Certificate fingerprints:
MD5: 6B:45:89:C2:F0:4A:35:EB:8C:54:06:9F:5C:F1:D4:DB
SHA1: CE:2F:81:25:73:E0:52:77:C2:48:0E:70:FC:52:AE:3E:66:C6:33:9B
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing DemoTrust.jks]

Created a user Fabrizio in the Default Authenticator

Configured the DefaultIdentityAsserter to process X509 Tokens

Home >Summary of Security Realms >myrealm >Providers >DefaultIdentityAsserter

Common
Active Types: X.509

Provider Specific
Trusted Client Principals: Fabrizio
Default User Name Mapper Attribute Type: CN
Use Default User Name Mapper : Checked

Enabled SSL Port

Configured the Server to request for Client Certificates.

AdminServer > SSL > Advanced

Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested and Enforced

Deployed an application that uses CLIENT-CERT authentication and accessed it. Will cover the details of such an application in another post.

Once we select the appropriate certificate we were able to access the application.
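The mapping that steps 5b and 5c of the two-way SSL post and the DefaultIdentityAsserter settings above configure, as an added Python model that is not WebLogic code: the attribute chosen by Default User Name Mapper Attribute Type is taken from the client certificate's subject DN, and the result is accepted only if it is listed under Trusted Client Principals and exists as a realm user. The DN parsing and the "*" wildcard are assumptions of this model, not documented WebLogic behaviour.

```python
"""Model of the X.509 identity assertion configured on the page: the subject DN
of the client certificate is parsed, the attribute selected by "Default User Name
Mapper Attribute Type" becomes the user name, and the name must be a trusted
client principal and an existing realm user.  Added example, not WebLogic code."""
import re

# One "type=value" RDN; the value may be quoted or contain backslash escapes.
_RDN = re.compile(r'\s*([A-Za-z][A-Za-z0-9.]*)\s*=\s*("(?:[^"\\]|\\.)*"|(?:[^,\\]|\\.)*)\s*(?:,|$)')
_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}   # keytool prints the E attribute as EMAILADDRESS


def parse_dn(dn):
    """Parse an RFC 2253 style DN into {attribute type: value}; the first (leftmost,
    most specific) occurrence of each type wins."""
    attrs, pos = {}, 0
    while pos < len(dn):
        m = _RDN.match(dn, pos)
        if not m:
            raise ValueError("malformed DN near offset %d: %r" % (pos, dn))
        key, value = m.group(1).upper(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.setdefault(_ALIASES.get(key, key), re.sub(r"\\(.)", r"\1", value).strip())
        pos = m.end()
    return attrs


def map_user_name(subject_dn, attribute_type="CN"):
    """Default User Name Mapper: return the chosen attribute (CN or E), or None if absent."""
    wanted = _ALIASES.get(attribute_type.upper(), attribute_type.upper())
    return parse_dn(subject_dn).get(wanted)


def assert_identity(subject_dn, trusted_principals, realm_users, attribute_type="CN"):
    """Return the asserted user name, or None when the certificate must be rejected.
    Assumption of this model: '*' in Trusted Client Principals accepts any mapped name."""
    name = map_user_name(subject_dn, attribute_type)
    if name is None:
        return None                                  # attribute absent from the DN
    if "*" not in trusted_principals and name not in trusted_principals:
        return None                                  # not a trusted client principal
    if name not in realm_users:
        return None                                  # no such user in the realm (step 5c)
    return name


# Constructed sample: the trusted principal and realm users from the posts above.
TRUSTED = ["Fabrizio"]
REALM_USERS = {"weblogic", "Fabrizio"}
```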

Please let us know if you have any queries related to the configuration or require additional details.

Cheers!
Wonders Team

Configuring SSL on Weblogic Server using WLST Script

Create a certs folder in your C Drive and copy the setWLSEnv.cmd from your
WL_HOME\bin to this location. Run the script from the command line to set the environment.

C:\certs>setWLSEnv.cmd

Generate Key Pair

C:\certs>keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass password -keystore identity.jks -storepass password

Self-sign the certificate

C:\certs>keytool -selfcert -v -alias mykey -keypass password -keystore identity.jks -storepass password -storetype jks
New certificate (self-signed):
[
[
Version: V3
Subject: CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 108342965006068643588893180491570939949736584519654598627176377967838269404476978315371325273814594592668298073296040090209388754141813820442924667058981983878037464465069937353706934837973190698383280202988435178573335183441169983101988490742211602827902735858231021288915845653840773351114087084563504850163

public exponent: 65537
Validity: [From: Tue Sep 10 20:15:56 IST 2013,
To: Mon Dec 09 20:15:56 IST 2013]
Issuer: CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US
SerialNumber: [ 522f30a4]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 2F 39 D1 80 63 BC FD 49 D0 EC CC 1B B7 D4 B0 01 /9..c..I........
0010: C4 CE 50 F3 B1 3D 3D 37 F2 3F 08 B5 12 D9 45 D5 ..P..==7.?....E.
0020: FC FA FA AB 07 28 DD 97 86 CE A2 CA C3 8D 78 95 .....(........x.
0030: 6C 34 37 D5 DE BE 53 8E 33 7F 11 85 3F D2 0C A0 l47...S.3...?...
0040: 17 8D 38 E0 FB BD 5E 73 8F CE 2A 5B F2 6E 69 6B ..8...^s..*[.nik
0050: 09 9D 76 AD 55 5F D6 DD 07 97 59 95 A7 D8 7C B5 ..v.U_....Y.....
0060: A1 A2 E8 D2 B5 14 30 45 7B 36 9E 55 E8 7E 2C 48 ......0E.6.U..,H
0070: D6 F2 69 B3 C7 03 B9 8D 3A 22 E1 49 3E 09 B4 21 ..i.....:".I>..!

]
[Storing identity.jks]

Export the public certificate

C:\certs>keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks -storepass password
Certificate stored in file

Create a trust store.

C:\certs>keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass password
Owner: CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US
Issuer: CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US
Serial number: 522f30a4
Valid from: Tue Sep 10 20:15:56 IST 2013 until: Mon Dec 09 20:15:56 IST 2013
Certificate fingerprints:
MD5: 59:49:CD:AD:13:B0:98:A2:16:88:6B:3B:13:1A:C8:58
SHA1: A8:B5:7A:B8:A1:19:40:EB:8F:18:6D:33:EE:8C:1B:62:6E:94:BF:05
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing trust.jks]

Save the following as setupSSL.py and execute it with WLST

C:\certs>java weblogic.WLST setupSSL.py

# Admin credentials are passed in clear text here
connect('weblogic','weblogic123','t3://localhost:7001')
edit()
startEdit()
# Keystores: the custom identity (identity.jks) and custom trust (trust.jks) created above
cd('/Servers/AdminServer')
cmo.setCustomIdentityKeyStoreFileName("C:\\certs\\identity.jks")
set('CustomIdentityKeyStorePassPhrase', 'password')
cmo.setCustomTrustKeyStoreFileName("C:\\certs\\trust.jks")
set('CustomTrustKeyStorePassPhrase', 'password')
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo.setCustomIdentityKeyStoreType('JKS')
cmo.setCustomTrustKeyStoreType('JKS')
# Server certificate: the alias and key pass phrase used with keytool
cd('/Servers/AdminServer/SSL/AdminServer')
cmo.setServerPrivateKeyAlias('mykey')
set('ServerPrivateKeyPassPhrase', 'password')
# Enable the SSL listener on port 7002
cmo.setEnabled(true)
cmo.setListenPort(7002)
save()
activate()
exit()

You should see these messages on stdout once the script has run successfully.

<10 Sep, 2013 8:43:19 PM IST>
<10 Sep, 2013 8:43:20 PM IST>