
How to extract the root CA from a server certificate?


Your vendor should send you the root CA along with the public key (the server certificate), or post their root CAs on their website. In any case, it is simple to extract it from the certificate itself. Just follow these steps.

1. Rename the public key file from .pem to .cer
2. On Windows, double click on the file with .cer extension. If your OS is Unix, you will have to transfer the file to a Windows workstation in ASCII mode.
3. You will see 3 tabs: General, Details and Certification Path. Go to Certification Path.
4. In this tab, you will see a list in the form of a tree. The first file in the tree is the root CA, the last one is the server certificate or public key. Click on the root CA (first one). Then click on the "View Certificate" button.
5. The root CA will open up on a separate Window. Go to the "Details" tab.
6. Click on "Copy to File" button.
7. Click on "Next", then select "Base 64" from the list of format options and click "Next" again.
8. Enter a name for your root CA file, anything meaningful to you, for example VerisignRootCA. The file will be saved with the .cer extension.
9. Now you can import this file into your keystore. The .cer format works as well as .pem.

Oracle Weblogic : Enabling the Administration Port by using WLST

  1. Log in to the shell as the user wls and start WLST:
    [wls@prod01]$ $WL_HOME/common/bin/wlst.sh 
  2. Connect to the Administration Server using wlsadmin as the user, <pwd> as the password, and t3://adminhost.domain.local:7001 as the server URL:
    wls:/offline> connect("wlsadmin","<pwd>","t3://adminhost.domain.local:7001")
  3. Run the following WLST commands:
    edit()
    startEdit()

    cmo.setAdministrationPortEnabled(true)
    cmo.setAdministrationPort(17002)
    activate()
    exit()

Oracle Weblogic : Enabling the Administration Port

The Administration Port is a domain-wide configuration that segregates all administrative traffic from the application traffic. The Administration Port requires all WebLogic Server instances, including the Administration Server and the Managed Servers, to already be configured to use SSL.

To enable the Administration Port, access the Administration Console:
  1. Access the Administration Console by pointing your web browser to http://adminhost.domain.local:7001/console.
  2. Click on the Lock & Edit button to start a new edit session.
  3. Click on the PROD_DOMAIN link on the left-hand side navigation tree.
  4. Check the Enable Administration Port checkbox and enter 17002 in the Administrative Port text field (as shown in the following screenshot). Click on the Save button.
  5. Click on Activate Changes to finish.
  6. The Administration Console is now accessible only from the URL https://adminhost.domain.local:17002/console.
With the Administration Port enabled, the WebLogic Server creates a new internal network administrative channel that is now used to transfer administrative data between the Administration Server and the Managed Servers.
The Administration Port also allows the segregation of application and administrative traffic through different channels.

Oracle Weblogic Server : Securing a web application with basic authentication

Apply security to an application, for example myAuthApp.war, by following these steps:
  1. Click on the myAuthApp link from the Deployments page.
  2. Open the Security tab and then click on the Policies tab from the Application Scope. Click on the Add Condition button, as shown in the following screenshot:
  3. Choose the Group option from the Predicate List drop-down menu and click on the Next button.
  4. Enter myAuthGroup in the Group Argument Name text field and click on the Add button (see the following screenshot) to add it to the list below. Click on the Finish button.
  5. Click on the Save button on the Policies page to finish.
The myAuthApp.war application can now be accessed only by users that match the security policy. In this case, the security policy checks whether the user belongs to the group myAuthGroup.


Oracle Weblogic : Assigning a user to a group

Here a new group called myAuthGroup will be created, and a new user, authUser, will be created and assigned to this group. Both will be stored in PRODSQLProvider.

Create a new group, myAuthGroup, and a new user, authUser, for PRODSQLProvider:
  1. Access the Administration Console again by pointing your web browser to http://adminhost.domain.local:7001/console.
  2. Click on the Security Realms option in the left-hand navigation box, and then click on the myrealm link.
  3. Click on the Users and Groups tab.
  4. Click on the Groups tab and click on the New button.
  5. Enter myAuthGroup in the Name text field and choose PRODSQLProvider from the Provider drop-down menu. Click on the OK button.
  6. Click on the Users tab and then on the New button.
  7. Enter authUser in the Name text field, choose PRODSQLProvider from the Provider drop-down menu, and enter authpwd123 in the Password and Confirm Password text fields. Click on the OK button.
  8. Click on the authUser user for PRODSQLProvider and click on the Groups tab.
  9. Associate the myAuthGroup group with the user by checking the myAuthGroup checkbox in the Available table and then clicking on the > button. Click on the Save button.

Oracle Weblogic server : Creating a new SQL authentication provider

DefaultAuthenticator (which is created by default) authenticates the users and groups stored in the internal LDAP mechanism of the WebLogic Server. The Administration Server runs the master LDAP and the Managed Servers run the LDAP as replicas.


In this recipe, a new SQL authentication provider named PRODSQLProvider will be configured and added to the PROD_DOMAIN domain to store and handle the users and groups in an Oracle database.
A new data source, ds-Provider, will be created. The database runs at the dbhost hostname and listens to the port 1521. The listener accepts requests to the service name dbservice. The database username is dbuser, and the password is dbpwd.

Create the tables needed in your database:
  1. Run the following script to create the tables in your Oracle database:
    CREATE TABLE USERS
    (
    U_NAME VARCHAR(200) NOT NULL,
    U_PASSWORD VARCHAR(50) NOT NULL,
    U_DESCRIPTION VARCHAR(1000)
    );
    ALTER TABLE USERS
    ADD CONSTRAINT PK_USERS PRIMARY KEY (U_NAME);
    CREATE TABLE GROUPS
    (
    G_NAME VARCHAR(200) NOT NULL,
    G_DESCRIPTION VARCHAR(1000) NULL
    );
    ALTER TABLE GROUPS
    ADD CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME);
    CREATE TABLE GROUPMEMBERS
    (
    G_NAME VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL
    );
    ALTER TABLE GROUPMEMBERS
    ADD CONSTRAINT PK_GROUPMEMS PRIMARY KEY ( G_NAME, G_MEMBER );
    ALTER TABLE GROUPMEMBERS
    ADD CONSTRAINT FK1_GROUPMEMBERS FOREIGN KEY ( G_NAME ) REFERENCES GROUPS (
    G_NAME) ON DELETE CASCADE;
  2. Populate the tables with the default WebLogic groups:
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('AdminChannelUsers','AdminChannelUsers can access the admin channel.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('Administrators','Administrators can view and modify all resource attributes and start and stop servers.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('AppTesters','AppTesters group.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('CrossDomainConnectors','CrossDomainConnectors can make inter-domain calls from foreign domains.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('Deployers','Deployers can view all resource attributes and deploy applications.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('Monitors','Monitors can view and modify all resource attributes and perform operations not restricted by roles.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('Operators','Operators can view and modify all resource attributes and perform server lifecycle operations.');
    INSERT INTO GROUPS (G_NAME,G_DESCRIPTION)
    VALUES ('OracleSystemGroup','Oracle application software system group.');
    COMMIT;

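The tables above are where the SQL authentication provider looks users up, which makes U_PASSWORD a sensitive column: a value written there in plaintext is a credential at rest for anyone who can read the table. The following added example (not code from the recipe or from WebLogic) rebuilds the same three tables in an in-memory sqlite3 database, stores a user with a salted SHA-1 hash in the LDAP-style {SSHA} form, and performs the lookup and group resolution the provider does on login. It assumes that the provider is configured for a salted SHA-1 password style that accepts {SSHA} values and that a 4-byte salt is used; check the provider's Provider Specific settings rather than relying on these assumptions.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Schema mirroring the recipe's USERS / GROUPS / GROUPMEMBERS tables (column sizes kept;
# sqlite3 is used only so the example runs offline, the real provider targets Oracle).
SCHEMA = """
CREATE TABLE USERS (U_NAME VARCHAR(200) NOT NULL PRIMARY KEY,
                    U_PASSWORD VARCHAR(50) NOT NULL, U_DESCRIPTION VARCHAR(1000));
CREATE TABLE GROUPS (G_NAME VARCHAR(200) NOT NULL PRIMARY KEY, G_DESCRIPTION VARCHAR(1000));
CREATE TABLE GROUPMEMBERS (G_NAME VARCHAR(200) NOT NULL REFERENCES GROUPS (G_NAME) ON DELETE CASCADE,
                           G_MEMBER VARCHAR(200) NOT NULL, PRIMARY KEY (G_NAME, G_MEMBER));
"""

SALT_LEN = 4  # assumption: 4-byte salt; 20-byte SHA-1 digest + salt base64-encodes to 32 chars


def ssha_hash(password, salt=None):
    """LDAP-style salted SHA-1 value: '{SSHA}' + base64(sha1(password + salt) + salt).
    The result is 38 characters, so it fits the U_PASSWORD VARCHAR(50) column."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the hash with the salt carried at the end of the stored blob."""
    if not stored.startswith("{SSHA}"):
        return False  # plaintext or another style: do not accept it here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def new_provider_db():
    """In-memory copy of the provider tables, seeded with two of the default groups."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # needed for the ON DELETE CASCADE to apply
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO GROUPS (G_NAME, G_DESCRIPTION) VALUES (?, ?)",
                   [("Administrators", "Administrators can view and modify all resource attributes."),
                    ("Deployers", "Deployers can view all resource attributes and deploy applications.")])
    return db


def add_user(db, name, password, groups=()):
    """Store the user with a salted hash, never the plaintext, then link the groups."""
    db.execute("INSERT INTO USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) VALUES (?, ?, ?)",
               (name, ssha_hash(password), None))
    db.executemany("INSERT INTO GROUPMEMBERS (G_NAME, G_MEMBER) VALUES (?, ?)",
                   [(g, name) for g in groups])
    db.commit()


def authenticate(db, name, password):
    """What the provider does on login: look the user up, verify against the stored hash."""
    row = db.execute("SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?", (name,)).fetchone()
    return row is not None and ssha_verify(password, row[0])


def groups_of(db, name):
    """Group membership as the provider reports it to the realm."""
    rows = db.execute("SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?", (name,))
    return sorted(g for (g,) in rows)
```

Deleting a row from GROUPS removes its GROUPMEMBERS rows through the FK1_GROUPMEMBERS cascade, so a user's effective groups shrink as soon as the group is dropped.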

Access the Administration Console to create the new data source ds-Provider:
  1. Access the Administration Console by pointing your web browser to http://adminhost.domain.local:7001/console.
  2. Click on the Lock & Edit button to start a new edit session.
  3. Expand the Services tree to the left, and then click on Data Sources.
  4. Click on the New button and then click on Generic Data Source.
  5. Enter ds-Provider in the Name field and jdbc/ds-Provider in the JNDI Name field. Leave the Database Type drop-down menu with the Oracle option selected. Click on the Next button.
  6. Choose *Oracle's Driver (Thin) for Service connections; Versions:9.0.1 and later from the Database Driver drop-down menu. Click on the Next button.
  7. Leave Transaction Options with the default values and click on the Next button.
  8. On the Connection Properties page, enter dbservice in the Database Name field, dbhost in the Host Name field, and 1521 in the Port field. Fill the Database User Name, Password, and Confirm Password fields with dbuser and dbpwd. Click on the Next button.
  9. Click on the Next button on the Test Database Connection page.
  10. Select the PROD_AdminServer checkbox and the All servers in the cluster radio button from the PROD_Cluster cluster. Click on the Finish button.
  11. Click on the Activate Changes button.
Create a new security provider, PRODSQLProvider:
  1. Click on the Lock & Edit button to start a new edit session.
  2. Click on the Security Realms option (shown in the following screenshot) in the left-hand navigation box and then click on the myrealm link.
  3. On the Settings for myrealm page, click on the Providers tab.
  4. Click on the New button on the Authentication Providers page.
  5. Enter PRODSQLProvider in the Name text field and choose SQLAuthenticator in the Type drop-down menu. Click on the OK button.
  6. Click on PRODSQLProvider and then click on the Provider Specific tab.
  7. Enter ds-Provider in the Data Source Name text field (as shown in the following screenshot) and click on the Save button. Leave all other options at their default values.
  8. Click on the Activate Changes button.
  9. Restart all instances of PROD_DOMAIN.
Create a new user, wlsadmin, for your new provider:
  1. Access the Administration Console again by pointing your web browser to http://adminhost.domain.local:7001/console.
  2. Click on the Security Realms option in the left-hand navigation box, and then click on the myrealm link.
  3. Click on the Users and Groups tab.
  4. On the Users page, click on the New button.
  5. Enter wlsadmin in the Name text field, choose the PRODSQLProvider from the Provider drop-down menu, and enter wlspwd123 in the Password and Confirm Password text fields. Click on the OK button, as shown in the following screenshot:
  6. Click on the previously created wlsadmin user for PRODSQLProvider and click on the Groups tab.
  7. Associate the Administrators group with the user by selecting the Administrators checkbox in the Available: table and then clicking on the > button (as shown in the following screenshot). Click on the Save button.
Assign PRODSQLProvider as the first provider and leave DefaultAuthenticator as the second provider. To do this, follow the steps mentioned below:
  1. Click on the Lock & Edit button to start a new edit session.
  2. Click on the Security Realms option in the left-hand navigation box and then click on the myrealm link.
  3. On the Settings for myrealm page, click on the Providers tab.
  4. Click on the Reorder button.
  5. Select the PRODSQLProvider checkbox in the Available table and click on the upper arrow on the right to move PRODSQLProvider to the top of the list (as shown in the following screenshot). Click on the OK button.
  6. Click on PRODSQLProvider again. Change the Control Flag drop-down menu selection to SUFFICIENT. Click on the Save button.
  7. Go back to the Providers page and click on DefaultAuthenticator. Change the Control Flag drop-down menu selection to SUFFICIENT. Click on the Save button.
  8. Click on the Activate Changes button.
  9. Shut down the Administration Server and all instances of the PROD_DOMAIN.
Change the boot.properties file of the Administration Server so that it uses the wlsadmin user of PRODSQLProvider by following these steps:
  1. Go to the security folder of the Administration Server:
    [wls@prod01]$ cd $DOMAIN_HOME/servers/PROD_AdminServer/security
  2. Recreate the boot.properties file to match the wlsadmin user created:
    [wls@prod01]$ echo -ne "username=wlsadmin\npassword=wlspwd123" > boot.properties
    [wls@prod01]$ cat boot.properties
    username=wlsadmin
    password=wlspwd123
  3. Start the Administration Server.

Ignoring the trusted CA certificate warnings when connecting to Node Manager using WLST nmConnect()

    Symptoms

    When using the WebLogic Scripting Tool (WLST) nmConnect() to connect to the Node Manager (after running setWLSEnv.cmd or .sh), warnings like the following are seen for unsupported certificates:


    Connecting to Node Manager ...
    CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    Successfully Connected to Node Manager.

    Steps

    Oracle Weblogic Server: How to Change Oracle Weblogic Server User Password Using WLST

    Setup used in this example:
    1. Set the environment variables:
        a. Go to the directory $WLS_HOME/wlserver_10.3/server/bin
        b. Source the file setWLSEnv.sh with the command: . setWLSEnv.sh
    2. Create a domain named test1032.
    3. The WebLogic admin user name is weblogic and the password is weblogic1.
    4. Create a test user named test with the password weblogic1.



    Instructions

    $java weblogic.WLST changepw.py <Domain Name> <Admin URI> <Admin user> <Admin password> <user name> <user password>

    <Domain Name>     : the domain in which the user password needs to be changed, e.g. test1032
    <Admin URI>       : the WebLogic Server administration URL, e.g. t3://localhost:7001
    <Admin user>      : the WebLogic admin user, e.g. weblogic
    <Admin password>  : the admin user password, e.g. weblogic1
    <user name>       : the user whose password needs to be changed, e.g. test
    <user password>   : the new user password, e.g. welcome1
     

     1. Create a file named changepw.py with the following contents (WLST runs Jython 2, hence the print statements):

    import sys

    if len(sys.argv) != 7:
        print 'Usage: java weblogic.WLST changepw.py <Domain Name> <Admin URI> <Admin user> <Admin password> <user name> <user password> '
        sys.exit(1)

    DomainName = sys.argv[1]
    ADMINUrl = sys.argv[2]
    ADMINuser = sys.argv[3]
    ADMINPwd = sys.argv[4]
    UserToChange = sys.argv[5]
    NewUserPassword = sys.argv[6]

    # Note: these echo both passwords to stdout, so they end up in any captured log.
    print "DomainName: %s" % (DomainName)
    print "ADMINUrl: %s" % (ADMINUrl)
    print "ADMINuser: %s" % (ADMINuser)
    print "AdminPassword: %s" % (ADMINPwd)
    print "UserToChange: %s" % (UserToChange)
    print "NewUserPassword: %s" % (NewUserPassword)

    print ' ---- Connecting to domain with user: '+ADMINuser+' ------- '
    print ' '
    connect(ADMINuser,ADMINPwd,ADMINUrl)
    # The user lives in the realm's DefaultAuthenticator (embedded LDAP)
    cd('/SecurityConfiguration/'+DomainName+'/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')
    print 'Changing password for user: '+UserToChange
    cmo.resetUserPassword(UserToChange,NewUserPassword)

    print ' ---- Password for User: '+UserToChange+' changed Successfully --- '
    print ' '
    disconnect()
    print ' '

    2. The command to run the above script, for example to change the password of the test user:
    java weblogic.WLST changepw.py test1032 t3://localhost:7001 weblogic weblogic1 test welcome1

    Sample Output

    [zsy@ofmpc1 bin]$ java weblogic.WLST changepw.py test1032 t3://localhost:7001 weblogic weblogic1 test welcome1

    Welcome to WebLogic Server Administration Scripting Shell

    Type help() for help on available commands

    DomainName: test1032
    ADMINUrl: t3://localhost:7001
    ADMINuser: weblogic
    AdminPassword: weblogic1
    UserToChange: test
    NewUserPassword: welcome1
    ---- Connecting to domain with user: weblogic -------

    Connecting to t3://localhost:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'test1032'.

    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.

    Changing password for user: test
    ---- Password for User: test changed Successfully ---

    Disconnected from weblogic server: AdminServer


    You will need to be connected to a running server to execute this command

    How to Start Node Manager from WLST with JSSE Enabled


    To enable JSSE for Node Manager when starting it through WLST, -Dweblogic.security.SSL.enableJSSE=true has to be passed as a JVM argument.
    See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#BABIJEJD for more information about how to enable JSSE in different contexts.


    To enable this option in WLS 12.1.1 and earlier, please apply the patch for unpublished defect 14174803. This patch is not required in WLS 12.1.2 and higher where this functionality is already included.

    This patch adds the ability to pass JVM arguments when starting Node Manager. After applying the patch, you can execute the following command:

    startNodeManager(NodeManagerHome="/home/oracle/keshav/wls12/wlserver_12.1/common/nodemanager",jvmArgs="-Dweblogic.security.SSL.enableJSSE=true")

    Executing the above should enable JSSE on Node Manager when it is started through WLST.

    Node Manager Fails with JSSE SSL Configured at the Admin Server


    After enabling JSSE on the Admin Server, Node Manager threw the following error and was unable to start Managed Servers:
    javax.net.ssl.SSLHandshakeException: [Security:090476]Invalid/unknown SSL header was received from peer aubdc00-ofm03s - aa.bb.cc.dd during SSL handshake.


           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
           at com.certicom.tls.record.ReadHandler.fireAlert(Unknown Source)
           at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
           at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
           at com.certicom.tls.record.ReadHandler.read(Unknown Source)
           at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
           at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:452)
           at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:494)
           at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:222)
           at java.io.InputStreamReader.read(InputStreamReader.java:177)
           at java.io.BufferedReader.fill(BufferedReader.java:136)
           at java.io.BufferedReader.readLine(BufferedReader.java:299)
           at java.io.BufferedReader.readLine(BufferedReader.java:362)
           at weblogic.nodemanager.server.Handler.run(Handler.java:71)
           at java.lang.Thread.run(Thread.java:736)