Showing posts with label SSL. Show all posts

How to extract the root CA from a server certificate?


Your vendor should send you the root CA along with the certificate (public key), or have their root CAs posted on their website. In any case, it's very simple to extract it from the certificate file yourself. Just follow these steps.

1. Rename the public key file from .pem to .cer
2. On Windows, double click on the file with .cer extension. If your OS is Unix, you will have to transfer the file to a Windows workstation in ASCII mode.
3. You will see 3 tabs: General, Details and Certification Path. Go to Certification Path.
4. In this tab, you will see a list in the form of a tree. The first file in the tree is the root CA, the last one is the server certificate or public key. Click on the root CA (first one). Then click on the "View Certificate" button.
5. The root CA will open up on a separate Window. Go to the "Details" tab.
6. Click on "Copy to File" button.
7. Click on "Next", then select "Base 64" from the list of format options and click "Next" again.
8. Enter a name for your root CA file, anything meaningful to you, e.g. VerisignRootCA. The file will be saved with the .cer extension.
9. Now you can import this file into your keystore. The .cer format works just as well as .pem.

Apache Cannot Connect to WebLogic Server with SSL Communication


Trying to configure Apache web servers in front of a WLS cluster, but can't get Apache working with SSL communication. The wl_proxy log shows:

Fri Nov 19 18:10:29 2010 <3058212901614292> *******Exception type [READ_ERROR_FROM_SERVER] (socket read failure) raised at line 251 of ../nsapi/Reader.cpp
Fri Nov 19 18:10:29 2010 <3058212901614292> caught exception in readStatus: READ_ERROR_FROM_SERVER [os error=104, line 251 of ../nsapi/Reader.cpp]: socket read failure at line 963
Fri Nov 19 18:10:29 2010 <3058212901614292> PROTOCOL_ERROR: Backend Server not responding - isRecycled:0
Fri Nov 19 18:10:29 2010 <3058212901614292> Marking aaa.bb.cc.ddd:7102 as bad
Fri Nov 19 18:10:29 2010 <3058212901614292> got exception in sendRequest phase: Backend Server not responding at line 3702
Fri Nov 19 18:10:29 2010 <3058212901614292> Failing over after sendRequest() exception: PROTOCOL_ERROR as Idempotent is set to ON
Fri Nov 19 18:10:29 2010 <3058212901614292> attempt #2 out of a max of 5
Fri Nov 19 18:10:29 2010 <3058212901614292> general list: trying connect to 'aaa.bb.cc.ddd'/7102/7102 at line 3188 for '/GiftCard_106_UAT/'
Fri Nov 19 18:10:29 2010 <3058212901614292> SSL is not configured for this connection
Fri Nov 19 18:10:29 2010 <3058212901614292> Local Port of the socket is 35895
Fri Nov 19 18:10:29 2010 <3058212901614292> Remote Host aaa.bb.cc.ddd Remote Port 7102
Fri Nov 19 18:10:29 2010 <3058212901614292> URL::connect SSLConn for reader is not set as it is NULL

Cause

The SSL configuration is wrong. You need to add the directory containing the SSL libraries to LD_LIBRARY_PATH in the file /etc/profile. For example, add the following lines at the bottom. If the LD_LIBRARY_PATH variable is already defined there, simply append this path to it.

For instance:
LD_LIBRARY_PATH=/usr/lib/httpd/modules/
export LD_LIBRARY_PATH

Solution

The SSL libraries are missing from LD_LIBRARY_PATH. LD_LIBRARY_PATH MUST be set and MUST include the directory where the SSL .so modules are.



Oracle Weblogic Server: Configure Apache With SSL Certificates To Forward Requests To WebLogic Server Environment


This article provides detailed steps to configure Apache with SSL in a WLS environment.
This process sets up SSL communication between the client (browser) and the Apache web server as well as SSL (https) communication between the Apache web server and the WebLogic Server.
At a high level, the following steps are implemented:
  1. Create a valid certificate from Verisign.
  2. Configure Apache plugin to use SSL using the new certificate.
  3. Configure WLS to use the new certificate.
  4. Test SSL proxy request to WLS.

Solution

Apache configuration

  1. Install Apache 2.2.
  2. Include the following in httpd.conf file:
    LoadModule weblogic_module modules/mod_wl_22.so
    Note that this filename is different in different versions of the WebLogic plug-in: change the filename as needed for your version.
  3. Copy the mod_wl_22.so from the folder <WebLogic_Home>\server\plugin\win\32 to <Apache_Home>\modules.
  4. Uncomment LoadModule ssl_module modules/mod_ssl.so in httpd.conf
  5. Uncomment include conf/extra/httpd-ssl.conf in httpd.conf.
  6. Now run the following commands in Apache:
    set OPENSSL_CONF=F:\apache2.2\conf\openssl.cnf
    openssl genrsa -des3 -out localhost.key 1024
    Enter pass phrase:
    openssl req -new -key localhost.key -out localhost.csr
    This generates the CSR file (localhost.csr). Place the CSR file in a particular folder.

Oracle WebLogic Server Plug-Ins and SSL

Introduction

This document was created to help users understand their needs when using the WebLogic plugin and SSL. It describes in detail questions to ask when setting up the architecture of the environment. The three web servers that will be used as examples are: Apache, iPlanet (SunOne), and Microsoft IIS.

Prerequisites

Before you start, it is important to understand the handshake process. Refer to Understanding and Investigating SSL Issues for information.
Before you start, ask yourself the following questions:
  1. Will I have SSL set up between the client and the web server hosting the proxy (Apache, Sun One, IIS)?

    If the answer is yes, will it need to be 2-way SSL? This design has the advantage of offering the possibility to propagate client certificates to the back-end WebLogic Server (e.g., for authentication).
     
  2. Will I have SSL set up between the plugin and the WebLogic Server?

    If the answer is yes, will I need to "intercept" a client certificate from the first front-end handshake?
     
  3. Is it only 1-way SSL that I need? Is it only to encrypt the data between the plugin and the WebLogic Server?

Oracle Weblogic Server: Understanding and Investigating SSL Issues

What is SSL and how does it work?

SSL is short for Secure Sockets Layer. The SSL protocol was developed by Netscape and is supported by all popular web browsers such as Internet Explorer, Mozilla Firefox, Google Chrome, and Opera. For SSL to work, a SSL certificate issued by a Certificate Authority must be installed on the web server. SSL can then be used to encrypt the data transmitted (secure SSL transactions) between a browser and web server (and vice versa). Browsers indicate a SSL-secured session by changing the HTTP to HTTPS and displaying a small padlock. Web site visitors can click on the padlock to view the SSL certificate.


What is PKC and how does it work?

Public Key Cryptography (PKC) is a method for securely exchanging messages, based on assigning two complementary keys (one public, one private) to the individuals involved in a transaction. Public Key Cryptography is based on the science of encryption, the mathematical scrambling and unscrambling of messages.
Public key cryptography addresses several of the shortcomings of symmetric key cryptography. In public key cryptography, an individual or organization has two complementary keys, one called a public key, and one called a private key. Any information encrypted using the private key can only be decrypted using the public key. Conversely, any information encrypted using the public key can only be decrypted using the private key. For example:
  1. Bob has two complementary keys.
  2. What one key encrypts, only the other key can decrypt.
  3. Bob keeps one key private (Private Key).
  4. Bob makes one key available to the public (Public Key).
  5. Alice needs to send Bob a message.
  6. Bob sends Alice a copy of his public key.
  7. Alice encrypts the message with Bob's public key.
  8. Bob decrypts the message with his private key.
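Here is the Bob/Alice exchange above carried out in code. This is an added example, not from the original post: textbook RSA with the classroom primes 61 and 53 and no padding, which is enough to show that what one key encrypts only the other key decrypts (in both directions), but nothing you would use for real traffic.

```python
# Toy RSA illustrating the two-key property from the Bob/Alice list above.
# Added example, not from the original post: tiny primes and no padding, so it
# shows the idea only and is not a usable cipher.
from math import gcd


def keygen(p, q, e=17):
    """Build a (public, private) pair from two primes p and q (constructed, tiny)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)          # public key, private key


def apply_key(key, value):
    """Raise value to the key's exponent mod n: the same operation serves both keys."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt(public, message: bytes):
    """Alice encrypts each byte with Bob's public key (byte-at-a-time is a toy choice)."""
    return [apply_key(public, b) for b in message]


def decrypt(private, blocks):
    """Bob recovers the bytes with his private key."""
    return bytes(apply_key(private, c) for c in blocks)


def sign(private, value):
    """The reverse direction: what the private key 'encrypts', the public key decrypts."""
    return apply_key(private, value)


def verify(public, value, signature):
    """True only if the signature was produced by the private key matching `public`."""
    return apply_key(public, signature) == value


if __name__ == "__main__":
    bob_public, bob_private = keygen(61, 53)     # n = 3233, a classroom-sized modulus
    ciphertext = encrypt(bob_public, b"hello bob")
    print(decrypt(bob_private, ciphertext))      # b'hello bob'
    print(verify(bob_public, 42, sign(bob_private, 42)))   # True
```

The private exponent d is the modular inverse of e, so encrypting with one exponent and decrypting with the other undoes the operation whichever key went first; that symmetry is exactly what lets the same key pair serve both confidentiality (step 7 and 8 above) and signatures.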

Oracle WebLogic Server: How to Configure SSL on Oracle WebLogic Server with Custom Identity and Java Standard Trust

Create the Identity and Trust Keystores

To create the Identity and Trust Keystores, please follow these steps:
  1. Create a keystore and a private key using the genkeypair (or genkey) command. It will generate a private and public key pair:
    keytool -genkeypair -alias server_cert -keyalg RSA -keysize 1024 -dname "CN=Prakash, OU=GTI, O=JPMC, L=Bangalore, ST=Karnataka,C=IN " -keypass weblogic1234 -keystore server_keystore.jks -storepass weblogic1234
    In the above command CN (COMMON NAME) we can provide a domain name/DNS Name/machine name or any other name. Usually in the real production systems where we implement our own keystores, CN should match with your Domain name.
    NOTE: -genkeypair is the new name for this command in Java SE 6 and higher. In previous Java releases, the name was -genkey. The -genkey command is still supported in Java SE 6, but -genkeypair is preferred. See here for more details.
  2. Create the CSR using the following command:
    keytool -certreq -v -alias server_cert -file csr-for-myserver.pem -keypass weblogic1234 -storepass weblogic1234 -keystore server_keystore.jks
    This creates a file called csr-for-myserver.pem . This gets sent to a Certificate Authority (CA) to have a public certificate created.
  3. Import the intermediate and root certificates into your keystore:
    keytool -import -v -noprompt -trustcacerts -alias ca-root-cert -file rootcacert.cer -keystore server_keystore.jks -storepass weblogic1234
  4. Import the public certificate into the keystore using the private key alias.
    NOTE: In the email that your CA sends you, there should be 2 links to their website, one to download the root CA and another one for the intermediate CA, if any. You will have to go to their website and download them. Another way to obtain them is to double-click on the certificate file and then go to the Certification Path tab. The first cert in the list is the root CA and the second one is the intermediate CA, if any. If you highlight the root CA and then click on View Certificate, it will open up the root CA certificate. Then you can go to the Details tab and click on "Copy to File". Select Base 64 as the format and save the file. Repeat the same steps to copy the intermediate CA to a file.

How to Create and Configure Self Signed Certificates for WebLogic Server Environments in Oracle WebLogic Server


Self-Signed Certificates are meant to secure the communication between servers and WebLogic Server components, such as Node Manager, inside an already secure network.
Below are steps for creating and using Self-Signed Certificates in WebLogic Server.
In this sample, the following locations and passwords are used.


Certificates will be located at: /home/Desktop/csr
Keypass=privatepassword
Storepass=password
Generate the certificate for the machine where the remote Node Manager is.
I. GENERATING THE CERTIFICATE
  1. Create a Directory. For example:
    mkdir /home/Desktop/csr
  2. Get into the directory. For example:
    cd /home/Desktop/csr
  3. Run the following keytool command:
    $ keytool -genkey -alias selfsignedcert -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365
    Expected output:
    What is your first and last name?
    [Unknown]: denny.cl.oracle.com => Machine name
    What is the name of your organizational unit?
    [Unknown]: Support => Organizational Unit
    What is the name of your organization?
    [Unknown]: Oracle => Organization
    What is the name of your City or Locality?
    [Unknown]: Santiago => City
    What is the name of your State or Province?
    [Unknown]: Huechuraba => State
    What is the two-letter country code for this unit?
    [Unknown]: CL => Country code
    Is CN=denny.cl.oracle.com, OU=Support, O=Oracle, L=Santiago, ST=Huechuraba, C=CL correct?
    [no]: yes
  4. Export the certificate from the identity keystore into a file, for example root.cer:
    $ keytool -export -alias selfsignedcert -file root.cer -keystore identity.jks
    Expected Output:
    Enter keystore password: <password>
    Certificate stored in file <root.cer>
  5. Import the certificate you exported into trust.jks.
    keytool -import -alias selfsignedcert -trustcacerts -file root.cer -keystore trust.jks
    Expected Output:
    Enter keystore password:
    Re-enter new password:
    Owner: CN=denny.cl.oracle.com, OU=Support, O=Oracle, L=Santiago, ST=Huechuraba, C=CL
    Issuer: CN=denny.cl.oracle.com, OU=Support, O=Oracle, L=Santiago, ST=Huechuraba, C=CL
    Serial number: 4e1b67e3
    Valid from: Mon Jul 11 17:15:15 CLT 2011 until: Tue Jul 10 17:15:15 CLT 2012
    Certificate fingerprints:
    MD5: 74:EC:1E:90:05:EC:E6:49:62:52:B9:72:20:BF:30:3F
    SHA1: 5C:6E:80:94:9C:72:15:DC:F7:5F:49:DD:2F:2B:D2:49:7C:4C:0C:A0
    Signature algorithm name: SHA1withRSA
    Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore

Configuring Mod_wl_ohs to use SSL between Oracle HTTP Server and Weblogic Server in ORACLE FUSION MIDDLEWARE 11g

Following this note will result in the following architecture:

Browser --> https --> OHS --> https --> WebLogic Server

There are three steps needed to configure mod_wl_ohs in this setup:
Step I:  Configure OHS for SSL
Step II: Configure Weblogic for SSL
Step III: Configure mod_wl_ohs

Step I: Configure OHS for SSL
1. Configure Oracle HTTP Server so your browser can connect to OHS via SSL. See the following article to accomplish this: Configuring Oracle HTTP Server to use SSL in Fusion Middleware 11g (11.1.1.X)

Step II: Configure Weblogic for SSL

1. Configure Weblogic so your browser can connect via SSL. See the following article to accomplish this: Configuring Oracle WebLogic Server (10.3.X) to use SSL in Fusion Middleware 11g (11.1.1.X)

Step III: Configure mod_wl_ohs

This step assumes you have deployed an application to the WebLogic managed server where SSL is configured. In this example an application is deployed whose root context is /helloWorld. See How To Configure mod_wl_ohs with Oracle HTTP Server and Oracle WebLogic Server to make sure this works via HTTP before attempting the SSL setup.

How to Start Node Manager from WLST with JSSE Enabled


Enabling JSSE for Node Manager when starting it through WLST requires -Dweblogic.security.SSL.enableJSSE=true to be passed as an argument.
See http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#BABIJEJD for more information about how to enable JSSE in different contexts.


To enable this option in WLS 12.1.1 and earlier, please apply the patch for unpublished defect 14174803. This patch is not required in WLS 12.1.2 and higher where this functionality is already included.

This patch adds a functionality to pass JVM arguments when starting Node Manager. After applying the patch you can execute the below command:

startNodeManager(NodeManagerHome="/home/oracle/keshav/wls12/wlserver_12.1/common/nodemanager",jvmArgs="-Dweblogic.security.SSL.enableJSSE=true")

Executing the above should enable JSSE on Node Manager when it is started through WLST.

Node Manager Fails with JSSE SSL Configured at the Admin Server


After enabling JSSE on the admin server, Node Manager was throwing the following error and was unable to start managed servers.
javax.net.ssl.SSLHandshakeException: [Security:090476]Invalid/unknown SSL header was received from peer aubdc00-ofm03s - aa.bb.cc.dd during SSL handshake.


       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
       at com.certicom.tls.record.ReadHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
       at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at com.certicom.tls.record.ReadHandler.read(Unknown Source)
       at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
       at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:452)
       at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:494)
       at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:222)
       at java.io.InputStreamReader.read(InputStreamReader.java:177)
       at java.io.BufferedReader.fill(BufferedReader.java:136)
       at java.io.BufferedReader.readLine(BufferedReader.java:299)
       at java.io.BufferedReader.readLine(BufferedReader.java:362)
       at weblogic.nodemanager.server.Handler.run(Handler.java:71)
       at java.lang.Thread.run(Thread.java:736)

Node Manager: Common Problems and Resolutions

Following are some of the exceptions/errors and resolutions.

Host name verification (Node Manager log)

The following problem is due to the Node Manager setup and is seen in the Node Manager log:

<May 3, 2005 1:00:45 PM EDT> <Error> <NodeManager@xxxx11:5559> <NodeManager is not configured to receive commands from host : /10.62.3.215. Please update the trusted hosts file : /home/rbabu/nodemanager.hosts of the node manager by adding the hostname or ip address of /10.62.3.215>

Resolution: Add the host name or IP address to nodemanager.hosts and restart the Node Manager.
If, after adding the entry to the nodemanager.hosts file, you still see the error, add the following to the Node Manager start script and the admin server:


Node Manager:

-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
Admin Server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true
Or you can do the same using the console as shown below:
Under the Keystores & SSL tab, click on "Advanced Options" and change Hostname Verification to None.
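A small checker for the Node Manager error above, added here and not part of the original post. It scans a log for the "not configured to receive commands from host" message, compares each rejected peer against the entries in nodemanager.hosts, and reports what is missing. The log line and hosts file are constructed samples modelled on the message quoted above; the regex assumes the peer appears in Java's "/ip" form as it does there (a "hostname/ip" form would capture the hostname, which is also a valid nodemanager.hosts entry). Fixing the trusted hosts file this way keeps the peer check in place, whereas the -D flags above switch host name verification off entirely.

```python
# Report peers that Node Manager rejected and that are absent from nodemanager.hosts.
# Added example, not from the original post. SAMPLE_LOG and SAMPLE_HOSTS are
# constructed; the log entry follows the error quoted above.
import re

# Java prints an InetAddress as "hostname/ip" or "/ip"; the quoted error shows "/ip".
HOST_REJECT_RE = re.compile(
    r"NodeManager is not configured to receive commands from host : /?"
    r"(?P<peer>[\w\-]+(?:\.[\w\-]+)*)"
)


def parse_trusted_hosts(text):
    """nodemanager.hosts lists one hostname or IP address per line; '#' starts a comment."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.add(line)
    return hosts


def rejected_peers(log_text):
    """Distinct peers the Node Manager refused, in first-seen order."""
    seen = []
    for match in HOST_REJECT_RE.finditer(log_text):
        peer = match.group("peer")
        if peer not in seen:
            seen.append(peer)
    return seen


def hosts_to_add(log_text, hosts_text):
    """Rejected peers that are not yet listed in the trusted hosts file."""
    trusted = parse_trusted_hosts(hosts_text)
    return [peer for peer in rejected_peers(log_text) if peer not in trusted]


# Constructed samples: one rejection entry modelled on the error quoted above, one
# unrelated entry, and a trusted-hosts file that lists a different machine.
SAMPLE_LOG = (
    "<May 3, 2005 1:00:45 PM EDT> <Error> <NodeManager@xxxx11:5559> "
    "<NodeManager is not configured to receive commands from host : /10.62.3.215. "
    "Please update the trusted hosts file : /home/rbabu/nodemanager.hosts of the node "
    "manager by adding the hostname or ip address of /10.62.3.215>\n"
    "<May 3, 2005 1:01:10 PM EDT> <Info> <NodeManager@xxxx11:5559> <Server started>\n"
)
SAMPLE_HOSTS = "# admin servers allowed to send commands\n10.62.3.200\nadmin01.example.test\n"

if __name__ == "__main__":
    for peer in hosts_to_add(SAMPLE_LOG, SAMPLE_HOSTS):
        print(f"add to nodemanager.hosts: {peer}")    # 10.62.3.215
```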

Checklist for Troubleshooting Node Manager SSL Problems

  1. Check what certificates are being used. Demo, Commercial, self-signed?
  2. In the case of demo certificates, make sure none of the settings are changed. You don't need any entries in the nodemanager.properties file, nor do you need to make any changes to the settings of the admin or managed server.
  3. In the case of commercial certificates (Verisign, Thawte, Comodo, etc.) make sure that the certificate chain is complete and the root and intermediate certificates are configured properly.
  4. If the certificates are self-signed, make sure you have followed the sequence mentioned earlier in this document.
  5. Make sure that the validation dates are correct.
  6. Turn on the debug flags on both the admin server and the managed server to get all possible information:
    -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
  7. Turn on the Node Manager debug flags. These need to be added to the Node Manager start script (the log file is located under <NodeManagerHome>/nodemanager.log):
    -Dweblogic.StdoutDebugEnabled=true -Dweblogic.nodemanager.debugEnabled=true -Dweblogic.nodemanager.debugLevel=90
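The following script serves two passages on this page: the "How to extract the root CA from a server certificate?" post at the top, and items 3 and 5 of this checklist (complete chain with root and intermediate, valid dates). It is an added example, not code from the original posts. It uses only the Python standard library: a small DER walker reads issuer, subject and validity out of each certificate in a PEM bundle, the root is identified as the self-issued certificate (issuer equals subject, which is what the Windows Certification Path tab shows at the top of its tree), the chain is ordered root to leaf, the root is written back out as a Base64 .cer, and every member is checked against a reference time. The three certificates in SAMPLE_BUNDLE are constructed here with a tiny DER encoder and carry placeholder keys and signatures, so the script exercises chain logic only and performs no signature verification.

```python
# Find the root CA in a certificate bundle, order the chain, and check the validity
# dates. Added example for the "extract the root CA" post and checklist items 3 and 5;
# not code from the original posts. Standard library only. SAMPLE_BUNDLE is constructed
# with a tiny DER encoder and has placeholder keys and signatures.
import base64
import re
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"   # id-at-commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der(tag, body):
    """DER TLV; short or one-byte long length suffices because sample data is < 256 bytes."""
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

def fake_cert(subject, issuer, not_before, not_after, serial):
    """Constructed X.509 v3 skeleton: real field layout, placeholder key and signature."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, PrintableString }
        return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode()))))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    bits = der(0x03, b"\x00" * 9)                      # BIT STRING placeholder (key / signature)
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))  # UTCTime
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + name(issuer) + validity + name(subject) + der(0x30, alg + bits))
    return to_pem(der(0x30, tbs + alg + bits))

def read_tlv(buf, pos=0):
    """Return (tag, body, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next (length & 0x7F) bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_time(raw):
    """UTCTime YYMMDDHHMMSSZ; RFC 5280 maps YY < 50 to 20YY (GeneralizedTime is not handled)."""
    s = raw.decode()
    year = int(s[:2]) + (2000 if int(s[:2]) < 50 else 1900)
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]),
                    tzinfo=timezone.utc)

def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == CN_OID:
                return value.decode()
    return "?"

def parse_cert(cert_der):
    _, cert_body, _ = read_tlv(cert_der)
    fields = children(children(cert_body)[0][1])        # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]   # after serial, sigAlg
    not_before, not_after = (parse_time(t) for _, t in children(validity))
    return {"der": cert_der, "cn": common_name(subject), "issuer": issuer,
            "subject": subject, "not_before": not_before, "not_after": not_after}

def order_chain(bundle_pem):
    """Parse a PEM bundle in any order and return [root, intermediate..., leaf]."""
    certs = [parse_cert(base64.b64decode("".join(m.split()))) for m in PEM_RE.findall(bundle_pem)]
    chain = [c for c in certs if c["issuer"] == c["subject"]]   # the self-issued root
    if len(chain) != 1:
        raise ValueError(f"expected exactly one self-issued root, found {len(chain)}")
    while len(chain) < len(certs):
        child = [c for c in certs if c not in chain and c["issuer"] == chain[-1]["subject"]]
        if not child:
            raise ValueError("chain incomplete: a certificate's issuer is not in the bundle")
        chain.append(child[0])
    return chain

def root_as_cer(bundle_pem):
    """The root alone, Base64-encoded as the 'Copy to File' Base 64 option would save it."""
    return to_pem(order_chain(bundle_pem)[0]["der"])

def invalid_at(chain, when):
    """CNs of chain members whose validity period does not include `when` (a UTCTime string)."""
    now = parse_time(when.encode())
    return [c["cn"] for c in chain if not c["not_before"] <= now <= c["not_after"]]

# Constructed three-level bundle in the usual server order: leaf first, root last.
SAMPLE_BUNDLE = (fake_cert("www.example.test", "Example Intermediate CA", "240101000000Z", "250101000000Z", 3)
                 + fake_cert("Example Intermediate CA", "Example Root CA", "220101000000Z", "270101000000Z", 2)
                 + fake_cert("Example Root CA", "Example Root CA", "200101000000Z", "300101000000Z", 1))

if __name__ == "__main__":
    chain = order_chain(SAMPLE_BUNDLE)
    print(" -> ".join(c["cn"] for c in chain))       # Example Root CA -> Example Intermediate CA -> www.example.test
    print(root_as_cer(SAMPLE_BUNDLE), end="")
    print("invalid in mid-2026:", invalid_at(chain, "260601000000Z"))   # ['www.example.test']
```

Two design points. An intermediate missing from the bundle surfaces as the "chain incomplete" error rather than a silently short chain, which is the condition checklist item 3 is about. The walker only decodes what it needs, so on real certificates, which may use GeneralizedTime or extra name attributes, confirm the result with keytool -printcert -file root.cer or openssl x509 -in root.cer -noout -subject -issuer -dates before importing the file into a trust store.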

WebLogic Server: Procedure for configuring Node Manager with SSL

Steps for configuring Node Manager with SSL for WebLogic Server.

First create custom certificates using the keytool command utility:

keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=Tariq, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass password -keystore identity.jks -storepass password
keytool -selfcert -v -alias mykey -keypass password -keystore identity.jks -storepass password -storetype jks
keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass password


Now configure "Custom Identity and Custom Trust" for the admin and managed servers from the console.
Then enter the Key Alias and Private Key Passphrase under the SSL tab for both servers from the console.