(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

Transcription

1 (n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING a Class IIIc SSL Certificate using BEA Weblogic V ERSION 1.0 Page 1 of 8

2 Procedure for downloading a Class IIIc SSL Certificate using BEA Weblogic Configuring the SSL Protocol The Secure Sockets Layer (SSL) protocol provides secure connections by allowing two applications connecting over a network connection to authenticate the other's identity and by encrypting the data exchanged between the applications. The SSL protocol provides server authentication and optionally client authentication, confidentiality, and data integrity. To configure the SSL protocol, perform the following steps: 1. Obtain a private key and digital certificate for WebLogic Server. You need a digital certificate and private key for each WebLogic Server that will use the SSL protocol. 2. Store the private key and digital certificate for WebLogic Server. 3. Through the Administration Console, set fields for the SSL protocol and the private key, digital certificate, and certificate authorities trusted by WebLogic Server. These fields are defined on a per-server basis; you must define them on any WebLogic Server that will use the SSL protocol. The following sections describe these steps in detail. Requesting a Private Key and Digital Certificate To acquire a digital certificate from (n)code Solutions, you must submit your request in a particular format called a Certificate Signature Request (CSR). WebLogic Server includes a Certificate Request Generator servlet that creates a CSR. The Certificate Request Generator servlet collects information from you and generates a private key file and a certificate request file. You must then submit the CSR to (n)code Solutions. Before you can use the Certificate Request Generator servlet, WebLogic Server must be installed and running. To generate a CSR, perform the following steps: 1. Start the Certificate Request Generator servlet. The.war file for the servlet is located in the \wlserver6.0\config\mydomain\applications directory. The.war file is automatically installed when you start WebLogic Server. 2. In a Web browser, enter the URL for the Certificate Request Generator servlet as follows: The components of this URL are defined as follows: o o hostname is the DNS name of the machine running WebLogic Server. port is the number of the port at which WebLogic Server listens for SSL connections. The default is For example, if WebLogic Server is running on a machine named ogre and it is configured to listen for SSL communications at the default port 7002 to run the Certificate Request Generator servlet, you must enter the following URL in your Web browser: Page 2 of 8

3 3. The Certificate Request Generator servlet loads a form in your web browser. Complete the form displayed in your browser, using the information in the following table: Table Fields on the Certificate Request Generator Form Field Country code Organizational unit name Organization name address Full host name Locality name (city) State name Private Key Password Random String Strength Description The two-letter ISO code for your country. The code for the United States is US. The name of your division, department, or other operational unit of your organization. The name of your organization. (n)code Solutions may require any host names entered in this field belong to a domain registered to this organization. The address of the administrator. The digital certificate is mail to this address. The fully-qualified name of the WebLogic Server on which the digital certificate will be installed. This name is the one used for DNS lookups of the WebLogic Server, for example, node.mydomain.com. Web browsers compare the host name in the URL to the name in the digital certificate. If you change the host name later, you must request a new digital certificate. The name of your city or town. If you operate with a license granted by a city, this field is required; you must enter the name of the city that granted your license. The name of the State or Province in which your organization operates if your organization is in India. Do not abbreviate. The password used to encrypt the private key. If you don't not specify a password, you will get an unencyrpted RSA private key. If you specify a password, you will get a PKCS-8 encrypted private key. When using PKCS-8 encrypted private keys, you need to enable the Use Encrytped Keys field on the SSL tab of the Server window in the Administration Console. A string of characters to be used by the encryption algorithm. You do not have to remember this string in the future. It is used to add an external factor to the encryption algorithm, making it more difficult for anyone to break the encryption. For this reason, you should enter a string that is not likely to be guessed. A long string with a good mixture of uppercase and lowercase letters, digits, spaces, and punctuation characters enhances encryption. (This field is optional.) The length (in bits) of the keys to be generated. The longer the key, the more difficult it is for someone to break the encryption. If you have the domestic version of WebLogic Server, you can choose 512-, 768-, or bit keys. We recommend the 1024-bit key. 4. Click the Generate Request button. Page 3 of 8

4 The Certificate Request Generator servlet displays messages informing you if any required fields are empty or if any fields contain invalid values. Click the Back button in your browser and correct any errors. When all fields have been accepted, the Certificate Request Generator servlet generates the following files in the startup directory of your WebLogic Server: o www_mydomain_com-key.der-the private key file. The name of this file should go into the Server Key File Name field on the SSL tab in the Administration Console. o www_mydomain_com-request.dem-the certificate request file, in binary format. o www_mydomain_com-request.pem-the CSR file that you submit to (n)code Solutions. It contains the same data as the.dem file but is encoded in ASCII so that you can copy it into or paste it into a Web form. 5. When you are instructed to select a server type, choose BEA WebLogic Server to ensure that you receive a digital certificate that is compatible with WebLogic Server. 6. When you receive your digital certificate from (n)code Solutions, you need to store it in the \wlserver6.0\config\mydomain directory. Note: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format. 7. Configure WebLogic Server to use the SSL protocol, you need to enter the following information on the SSL tab in the Server Configuration window: o In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for WebLogic Server. o In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for (n)code Solutions who signed the digital certificate of WebLogic Server. o In the Server Key File Name field, enter the full directory location and name of the private key file for WebLogic Server. Defining Fields for the SSL Protocol. 8. Use the following command-line option to start WebLogic Server. - Dweblogic.management.pkpassword=password where password is the password defined when requesting the digital certificate. <>Storing Private Keys and Digital Certificates Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received from (n)code Solutions into the \wlserver6.0\config\mydomain directory. Private key files and digital certificates are generated in either PEM or Definite Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file. A PEM (.pem) format private key file begins and ends with the following lines, respectively: -----BEGIN ENCRYPTED PRIVATE KEY END ENCRYPTED PRIVATE KEY----- Page 4 of 8

5 A PEM(.pem) format digital certificate begins and ends with the following lines, respectively: -----BEGIN CERTIFICATE END CERTIFICATE----- Note: Your digital certificate may be one of several digital certificates in the file, each of which is bounded by the BEGIN CERTIFICATE and END CERTIFICATE lines. Typically, the digital certificate file for a WebLogic Server is in one file, with either a.pem or.der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain. The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain. A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file so be sure to save the file you receive from (n)code Solutions with the correct file extension. Assign protections to the private key file and digital certificates so that only the system User of WebLogic Server has read privileges and all other users have no privileges to access the private key file or digital certificate. If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool to for converting DER-format files to PEM format, and visa versa. Defining Trusted Certificate Authorities When establishing an SSL connection, WebLogic Server checks the identity of the certificate authority against a list of trusted certificate authorities to ensure the certificate authority currently being used is trusted. Copy (n)code Solutions's root certificate into the \wlserver6.0\config\mydomain directory of your WebLogic Server and set the fields described in Defining Fields for the SSL Protocol. If you want to use a certificate chain (Global Certificate for example), append the additional PEM-encoded digital certificate to the digital certificate that (n)code Solutions issued for WebLogic Server. This is the intermediate CA. The last digital certificate in the file chain will be (n)code Solutions's digital certificate that is self-signed (that is, the rootca certificate). If you want to use mutual authentication, take the root certificates for the certificate authorities you want to accept and include them to the trusted CA file. Defining Fields for the SSL Protocol To define fields for the SSL protocol, perform the following steps: 1. Open the Administration Console. 2. Open the Server Configuration window. 3. Select the SSL tab. Define the fields on this tab by entering values and checking the required checkboxes. (For details, see the following table.) 4. Click the Apply button to save your changes. 5. Reboot WebLogic Server. Page 5 of 8

6 The following table describes each field on the SSL tab of the Server Configuration window. Note: Remember if you are using a PKCS-8 protected private key, you need to specify the password for the private key on the command line when you start WebLogic Server. Table SSL Protocol Fields Field Enabled SSL Listen Port Server Key File Name Server Certificate File Name Server Certificate Chain File Name Client Certificate Enforced Trusted CA File Name CertAuthenticator Use Java Use Encrypted Keys Handler Enabled Description Checkbox that enables the use of the SSL protocol. By default, this field is enabled. The number of the dedicated port on which WebLogic Server listens for SSL connections. The default is The full directory location and name of the private key file for WebLogic Server. The file extension (.DER or.pem) indicates the method that should be used by WebLogic Server to read the contents of the file. The full directory location and name of the digital certificate file for WebLogic Server. The file extension (.DER or.pem) indicates the method that should be used by WebLogic Server to read the contents of the file. The full directory location of the rest of the digital certificates for WebLogic Server. The file extension (.DER or.pem) indicates the method that should be used by WebLogic Server to read the contents of the file. Checkbox that enables mutual authentication. The name of the file that contains the digital certificate for the certificate authority(s) trusted by WebLogic Server. This file specified in this field can contain a single digital certificate or multiple digital certificates for certificate authorities. The file extension (.DER or.pem) tells WebLogic Server how to read the contents of the file The name of the Java class that implements the CertAuthenticator interface. Checkbox that enables the use of native Java libraries. WebLogic Server provides a pure-java implementation of the SSL protocol: native Java libraries enhance the performance for SSL operations on the Solaris, Windows NT, and IBM AIX platforms. By default, this field is not enabled. Field that specifies that the private key for the WebLogic Server has been encyrpted with a password. The default is false. Field that specifies whether or not WebLogic Server rejects SSL connections that fail client authentication for one of the following reasons: The requested client digital certificate was not furnished. The client did not submit a digital certificate The digital certificate from the client was not issued by a certificate authority specified by the Trusted CA Filename field. By default, the SSL Handler allows one WebLogic Server to make outgoing SSL connections to another WebLogic Server. For example, an EJB in WebLogic Server may open an HTTPS stream on another Web server. With the HandlerEnabled field enabled, the Page 6 of 8

7 WebLogic Server acts as a client in an SSL connection. By default this field is enabled. Disable this field only if you want to provide your own implementation for outgoing SSL connections. Note: The SSL Handler has no effect on the ability of WebLogic Server to manage incoming SSL connections. Export Key Lifespan Login Timeout Millis Certificate Cache Size The number of times WebLogic Server uses an exportable key between a domestic server and an exportable client before generating a new one. The more secure you want WebLogic Server to be the fewer times the key should be used before a new one is generated. The default is to use it 500 times. The number of milliseconds that WebLogic Server should wait for an SSL connection before timing out. The default value is 25,000 milliseconds. SSL connections take longer to negotiate than regular connections. If clients are connecting over the Internet, raise the default number to accommodate additional network latency. The number of digital certificates that are tokenized and stored by WebLogic Server. The default is 3. Page 7 of 8

8 Page 8 of 8