CHAPTER 7 SSL CONFIGURATION AND TESTING
7.1 Configuration and Testing of SSL

Enterprise applications are complex, and the data they exchange over a network or the internet is often sensitive; once that data leaves the host it is not clear how well it is protected in transit. SSL is the technology that protects data on the network. With SSL, two applications communicating over a network connection can authenticate each other's identity and encrypt the data they exchange. Authentication lets a server, and optionally a client, verify the identity of the application at the other end of the connection. Encryption makes the data transmitted over the network intelligible only to the intended recipient. SSL certificates are issued by vendors such as Verisign and GeoTrust, and the certificate is what provides the transport-level security. WebLogic Server supports SSL on a dedicated SSL listen port, 7002 by default. A web browser makes an SSL connection to WebLogic Server by using the SSL listen port and the HTTPS protocol in the connection URL. The step-by-step procedure for generating a certificate and installing and configuring it in WebLogic Server follows.

1] Creating and importing the certificate

A] First run the setDomainEnv script under the bin directory of the domain to set the environment. Figure 128
B] Generate the private and public key pair; I used the keytool utility for this. Before running keytool, make sure the Java bin directory is on the path, as shown below. Figure 129

C] Generate a Certificate Signing Request (CSR) with keytool and send it to the Certificate Authority. The Certificate Authority returns three certificates: (I) the SSL (server) certificate, (II) the root certificate and (III) the intermediate certificate. Figure 130

D] These certificates must be imported into our keystore. This can be done in one of two ways: either import the certificates one by one, in the order root CA, intermediate CA and then the certificate reply, or create a single .pem file containing all the certificates and import that file.
For example, create a certificate chain file <myfile>.pem and import it into the identity keystore, overwriting the entry under the private key alias, which is client in this example. Figure 131

E] Now create a trust keystore (a trust file) by importing the root CA certificate. Figure 132

The following command can be used to verify the content of the keystore. Figure 133

2] Configuring WebLogic Server for the keystore

A] Log in to the admin console and select the server for which the SSL certificate is to be configured: click Servers in the left pane, select the server, and open the Keystores tab on the right. By default it points to Demo Certificates, the default certificates. Select Custom Identity and Custom Trust from the drop-down box and enter the details of the identity and trust keystores, as shown in the screens on the following pages.
Figure 134 Figure 135
Figure 136

B] Configure the server identity: open the SSL tab on the right and enter the alias of the private key. Figure 137
NOTE: When SSL is enabled for a WebLogic Server it is one-way SSL by default. For two-way SSL, open the Advanced options and select the two-way SSL behavior.

C] Configure the SSL port; 7002 is the default. Select the server in the left pane, click the General tab, tick SSL Listen Port Enabled and enter the SSL listen port value. Figure 138

After that, check the server logs; the following lines show the certificates being loaded:

<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\identityVerisign.jks.>
<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\trustVerisign.jks.>
7.2 Test SSL Setup

Now any application deployed to the managed server on which SSL was configured can be checked by accessing it through https rather than http, for example https://localhost:7002/console, as in the figure below. Figure 139

Next, check that the certificate we configured is the correct one. Clicking on the certificate in the browser shows the details of the identity certificate and the root CA along with the certificate itself.
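The browser check described above can also be scripted. The following Python program is an added example and is not part of this chapter: it fetches the certificate a WebLogic SSL listen port presents (trusting the root.cer exported with keytool, so a self-signed setup verifies too) and applies the same name match the browser applies to the certificate's common name or subject alternative names, which is why https://localhost:7002/console warns when the certificate was issued to the server's FQDN. The host names and the sample certificate dict are constructed for the example.

```python
import socket
import ssl
from pathlib import Path

# Constructed certificate in the dict form ssl.SSLSocket.getpeercert() returns; names are made up.
SAMPLE_CERT = {
    "subject": ((("countryName", "IN"),), (("organizationName", "Example Bank"),),
                (("commonName", "wls1.example.internal"),)),
    "issuer": ((("commonName", "wls1.example.internal"),),),   # self-signed: issuer == subject
    "subjectAltName": (("DNS", "wls1.example.internal"), ("DNS", "*.bank.example")),
    "notAfter": "Oct 10 20:30:24 2013 GMT",
}


def _label_match(pattern, host):
    """Compare one certificate name with the host name label by label, case-insensitively.
    Only a single leading '*' label acts as a wildcard, and it matches exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Host names the certificate is valid for: every SAN dNSName, or the CN only when the
    certificate carries no SAN (browsers ignore the CN once a SAN is present)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """True when the name typed in the browser matches a name in the certificate."""
    return any(_label_match(name, hostname) for name in cert_names(cert))


def fetch_peer_cert(host, port=7002, ca_file=None):
    """Connect to a WebLogic SSL listen port and return (peer certificate dict, TLS version).
    ca_file is the root exported with 'keytool -export' (DER, or PEM when -rfc was used) and
    the chain is verified against it; the name check is done separately so a mismatch is
    reported explicitly. Without ca_file the handshake is unverified and the dict is empty."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if ca_file:
        data = Path(ca_file).read_bytes()
        ctx.load_verify_locations(cadata=data.decode() if data.startswith(b"-----") else data)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    cert, version = fetch_peer_cert(target, 7002, sys.argv[2] if len(sys.argv) > 2 else None)
    print(version, "names:", cert_names(cert), "match:", hostname_matches(cert, target))
```

Run it as `python check_wls_ssl.py <fqdn> root.cer`; a run against `localhost` reports `match: False` for a certificate issued to the FQDN, which is the browser's "name does not match" warning in another form.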
Figure 140

Always keep in mind that, for a production environment, the common name of the certificate must match the server's host name.

WebLogic managed server with a self-signed certificate

A WebLogic managed server can use a self-signed certificate, which is signed by you and not by any external authority. These certificates can be used in non-production environments.

NOTE: Keystores must be created on each physical machine on which servers run.

A] Generating self-signed certificates:

1] Create a certs directory under the WebLogic domain directory.
2] Run the setDomainEnv.cmd file, found under the domain directory, to set the environment variables.
3] Change to the certs directory and execute the command below to create identity.jks: Figure 141

We have now created a private key in identity.jks. As we are configuring a self-signed certificate we will not create a CSR to order certificates from an external authority.

4] Because the certificate is self-signed, we export that same certificate, which also serves as the root in this case, from identity.jks:

D:\Oracle\Middleware\user_projects\domains\BankingDomain\certs>keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass weblogic1
Certificate stored in file <root.cer>

5] Now import the same certificate into trust.jks, which generally contains only root certificates.

NOTE: We could use the same identity.jks file in place of trust.jks, since both hold the same certificate, but as good practice the two should be kept separate. In production, where there is a chain of certificates, creating two JKS stores is recommended.

D:\Oracle\Middleware\user_projects\domains\BankingDomain\certs>keytool -import -alias mycert -trustcacerts -file root.cer -keystore trust.jks -storepass weblogic1
Owner: CN=GAPANDEY-IN.in.oracle.com, OU=Middleware, O=Oracle, L=noida, ST=U.P.,C=IN
Issuer: CN=GAPANDEY-IN.in.oracle.com, OU=Middleware, O=Oracle, L=noida, ST=U.P.,C=IN
Serial number: 50758d88
Valid from: Wed Oct 10 20:30:24 IST 2012 until: Thu Oct 10 20:30:24 IST 2013
Certificate fingerprints:
MD5: AE:50:7C:58:21:B0:45:5F:51:FC:6E:AF:BB:08:D5:62
SHA1: 51:F7:15:A7:F3:0A:D4:B2:95:A5:9E:CB:4B:05:0D:B0:A7:5C:FA:61
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: Yes
Certificate was added to keystore

Both keystores are now ready for configuration. Repeat this process on all physical machines on which WebLogic servers are hosted.

2] Configuring the JKS keystores in WebLogic

A] Log in to the admin console.
B] Navigate to Servers -> [server name] -> Configuration -> Keystores.
C] Select Custom Identity and Custom Trust and provide the following details:
Custom Identity Keystore: the path to identity.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: weblogic1, and the same value in the Confirm field
Custom Trust Keystore: the path to trust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: weblogic1, and the same value in the Confirm field
D] Then click the SSL tab next to Keystores and provide values for the following parameters:
Private Key Alias: mycert
Private Key Passphrase: weblogic1, and the same value in the Confirm field

NOTE: Because I gave the identity keystore the same password as the private key, I enter the same password here. If you used different passwords, make sure to enter the private key's own password.

E] Then enable the SSL port for that WebLogic server by navigating to Servers -> [server name] -> Configuration -> General. Also provide the Fully Qualified Domain Name (FQDN) in the Listen Address field.

F] Save and activate the changes. Repeat this second part of the procedure for every WebLogic server that is to use SSL.

3] CONFIGURING NODE MANAGER

Modify the nodemanager.properties file in the $WL_HOME/common/nodemanager folder and insert the following lines at the end: Figure 142

NOTE: Make sure SecureListener, which is already present in this file, is set to true. Also enter the Fully Qualified Domain Name (FQDN) in the ListenAddress field, which is blank by default.

4] DISABLING HOSTNAME VERIFICATION

NOTE: As we are using self-signed certificates we need to disable host name verification. In a production environment it should be kept enabled, using certificates issued by an internal or external certificate authority.
A] Disable host name verification at server level: navigate to Servers -> [server name] -> Configuration -> SSL, click Advanced and set Hostname Verification to None. Click Save and then Activate Changes. Repeat these steps for every server in the domain for which self-signed certificates are configured.

B] Disable host name verification for Node Manager: in the Node Manager start script, add the parameter weblogic.nodemanager.sslHostNameVerificationEnabled with the value false (-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false) to every java command line. The script contains four such command lines, chosen by if/else branches on the listen address and listen port, and the parameter is added to each of them. With both a listen address and a listen port:

D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy=${WEBLOGIC_HOME}/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=${D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java} -DListenAddress=${listenaddress} -DListenPort=${Listenport} weblogic.nodemanager -v

Otherwise (else branch), with the listen port only:

D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy=${WEBLOGIC_HOME}/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=${D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java} -DListenPort=${Listenport} weblogic.nodemanager -v

The following pair passes the -DListenAddress parameter only when the listen address is not null. With the listen address only:

D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy=${WEBLOGIC_HOME}/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=${D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java} -DListenAddress=${listenaddress} weblogic.nodemanager -v

Otherwise (else branch), with neither:

D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java ${VM_JAVA} ${MEMORY_ARGUMENTS} ${OPTION_JAVA} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy=${WEBLOGIC_HOME}/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=${D:\Programfiles\Java\jrockit-jdk1.6.0_29-R28.2.2-4.1.0/bin/java} weblogic.nodemanager -v
Now restart Node Manager; the servers need not be restarted if they are already running. This completes the SSL configuration with self-signed certificates.

NOTE: Sometimes Node Manager reports SSL problems; in that case import CertGenCA.der into the custom trust store trust.jks so that the Admin Server can trust Node Manager. Use an alias that is not already present in trust.jks, since mycert is already taken by the root certificate imported in step 5 and keytool refuses to import under an existing alias:

> keytool -import -alias certgenca -trustcacerts -file <location of CertGenCA.der> -keystore trust.jks

Creating a new CSR

The CSR generator can be reached at the URL https://<hostname>:port/certificate; 443 is the default port for this URL. The CSR requires our company information, and the following points need care when creating it.

Country/State/City: give the locality from which we operate our business, not the locality of the server, and give the complete name of the locality. For example, if we operate from NOIDA, enter the state as "NOIDA" rather than "ND". If we operate as an international customer and there is no state or province, the State field should hold the country name.

Organization: as with State, the full name, including any suffix, is required for the organization name; if the company is registered, use the registered name.

Common Name: this is the most important field, because it is what the browser compares against the web address typed in, so it must be correct. For example, if both www.banking.co.in and banking.co.in are acceptable names, the common name is still a bare host name; never include http or https in it.

Keep the following in mind: if no password is specified for the private key, our RSA private key is stored on the server in unencrypted form. If a password is specified, the private key is stored in encrypted form; in that case select Use Encrypted Keys on the SSL tab of the admin console, otherwise the server is not able to use the private key. The web interface now creates three different files:
the private key, ourdomain-key.der; the CSR file, ourdomain-request.dem; and the same CSR in ASCII format, ourdomain-request.pem.
Submitting the CSR to Trustwave

Open the ASCII form of the CSR file (ourdomain-request.pem) and copy the entire file to the clipboard. The CSR file begins and ends with dashed lines; copy the complete content including those lines, then paste it into the Trustwave Control Center to continue.

HARDWARE LOAD BALANCER SSL Certificate Installation: F5 BIG-IP

F5 BIG-IP is a hardware load balancer; the procedure to install an SSL certificate on F5 BIG-IP follows. Open the F5 BIG-IP web interface. Under Local Traffic, select SSL Certificates. Click the name that was assigned to the certificate under General Properties when the CSR was created. Browse to the your_domain_name.crt file received from DigiCert, open it and import it. Installation of the SSL certificate is now complete.

Enabling the intermediate certificate: the intermediate certificate is imported through the same web interface (graphical user interface). Select SSL Certificates under Local Traffic, choose Create New and, when asked to choose the import type, select Certificate and enter the name DigiCertCA. Browse to the DigiCertCA.crt file received from DigiCert, open it and import it. The import of the intermediate certificate should now be complete.

Configuring SSL for the server: the certificate is used through an SSL profile, which we either open or create. In the configuration utility select Local Traffic, then Profiles, then Client, and open the Advanced options from the menu. Select the SSL certificate installed in the first section and, under the Chain section, browse to the DigiCertCA file imported in the last step.
Now save the configuration and exit.
Our server is now ready to use with the installed SSL certificate.

F5 BIG-IP (earlier versions)

The certificate files can be downloaded from our DigiCert account. Two .crt files are required: your_domain_name.crt (the primary certificate) and DigiCertCA.crt (the intermediate certificate). Both files are needed for a proper installation on the BIG-IP, so both the primary and the intermediate certificate must be moved onto the BIG-IP device. The .crt files can be moved to the BIG-IP box through ftp or sftp; they must then be renamed and moved into place. Copy the primary certificate into the folder /config/bigconfig/ssl.crt/, renaming it from your_domain_name.crt to your.domain.name.crt. The intermediate certificate file, intermediate-ca.crt, also goes into the /config/bigconfig/ssl.crt/ folder. Restart the proxy. Figure 143 Installation of the certificate is complete.

7.3 Procedure to configure WebLogic to use SSL with Apache

Here is the simple configuration I used for my testing. I created a certificate and a keystore and performed the different steps needed to get started, then configured WebLogic to use that keystore. Once the browser was able to access WebLogic over SSL, I configured the Apache web server to use SSL with WebLogic.

1] Creating a CSR and a keystore
Once WebLogic is installed we can use Sun's keytool to create these components; for me it is %BEA_HOME%\jdk160_05\bin\keytool.exe. Here I use Keytool UI, a graphical version of keytool. First, create an empty sample JKS (JKS stands for Java KeyStore). Figure 144 The password used here is "weblogic". Then create a CSR (Certificate Signing Request), specifying the previously created JKS and the algorithm to use:
Figure 145 Figure 146 Fill in all the fields, as you would with keytool; a small popup confirms the creation.
Figure 147 Here we can see the content of the keystore. Figure 148 I used the following for the private key: alias: privatekey, password: weblogic
2] Configuring WebLogic to use the previously created keystore

This is the simplest part. First the WebLogic server must be started and its SSL port enabled. Figure 149 Click the Keystores tab and change the identity of the server to point to our keystore. Figure 150 The drop-down box offers several options; for my testing I selected "Custom Identity and Java Standard Trust". "Custom Identity" means we use our own keystore, and "Java Standard Trust" means we use the trust store from the JDK
(%BEA_HOME%\jdk160_05\jre\lib\security\cacerts). All the trusted certificates are in that trust store, which is itself a keystore. We can also print the trust store, just to see what is inside: Figure 151 You can see that Verisign, Thawte and many other CAs (Certificate Authorities) are listed. Figure 152
Figure 153 We only have to specify the keystore we created, the type, which is JKS, and the password. For the trust store, just type the default password, which is "changeit". A quick look in the WLS console shows:

<10 nov. 2012 23 h 47 CET> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.configurationexception: Cannot retrieve identity certificate and private key on server Adminserver, because the keystore entry alias is not specified.>
<10 nov. 2012 23 h 47 CET> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for un configured protocol "Cannot retrieve identity certificate and private key on server Adminserver, because the keystore entry alias is not specified.".>

This happened because we did not supply the private key alias.
Figure 154 Just type the alias (privatekey) and the password (weblogic) and save. This time WLS seems happier:

<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias privatekey from the JKS keystore file D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\mbutton.jks.>
<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\BEA_ROOT\WLS_10.3\JDK160~1\jre\lib\security\cacerts.>
<10 nov. 2012 23 h 52 CET> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.1.4:7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<10 nov. 2012 23 h 52 CET> <Notice> <Server> <BEA-002613>
<Channel "DefaultSecure[1]" is now listening on 127.0.0.1:7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>

Let's try to access the console using the secure port (7002). The popup below appears. Figure 155 A warning message says that the certificate was issued by someone the browser does not trust and that the certificate name does not match the site name. It works. Figure 156
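The log lines quoted in sections 7.1 and 7.3 can be checked automatically after each configuration change instead of by eye. The following Python script is an added example, not part of this chapter: it parses WebLogic's <timestamp> <severity> <subsystem> <BEA-id> <message> records, notes which identity alias and keystores were loaded (BEA-090171, BEA-090169) and which secure channels came up (BEA-002613), and lists Error records such as BEA-000297 (private key alias not specified); the sample lines it runs on are constructed.

```python
import re

# Constructed sample WebLogic server log lines, in the format the server log uses. The BEA-*
# message ids are the real ones quoted in this chapter; timestamps, alias, paths and the
# address are made up for the example.
SAMPLE_LOG_LINES = [
    r'<10 nov. 2012 23 h 47 CET> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security '
    r'configuration: Cannot retrieve identity certificate and private key on server AdminServer, '
    r'because the keystore entry alias is not specified.>',
    r'<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate '
    r'and private key stored under the alias privatekey from the JKS keystore file D:\ssl\identity.jks.>',
    r'<10 nov. 2012 23 h 52 CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates '
    r'from the jks keystore file D:\ssl\trust.jks.>',
    r'<10 nov. 2012 23 h 52 CET> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now '
    r'listening on 192.168.1.4:7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>',
]

# <timestamp> <severity> <subsystem> <BEA-id> <message>
LINE_RE = re.compile(r'^<(?P<ts>[^>]*)> <(?P<sev>[^>]*)> <(?P<sub>[^>]*)> <(?P<id>BEA-\d+)> <(?P<msg>.*)>$')
IDENTITY_RE = re.compile(r'under the alias (\S+) from the \w+ keystore file (.+?)\.?$')
TRUST_RE = re.compile(r'from the \w+ keystore file (.+?)\.?$')
CHANNEL_RE = re.compile(r'Channel "([^"]+)" is now listening on ([^:]+):(\d+) for protocols (.+?)\.?$')


def parse_line(line):
    """Split one log line into its bracketed fields; None when the line is not a log record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ssl_status(lines):
    """Summarise what the log says about SSL: the identity alias and keystores loaded,
    the secure (https) channels that came up, and the ids of any Error records."""
    st = {"identity_alias": None, "identity_keystore": None, "trust_keystore": None,
          "secure_channels": [], "errors": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        mid, msg = rec["id"], rec["msg"]
        if mid == "BEA-090171":            # identity certificate and private key loaded
            m = IDENTITY_RE.search(msg)
            if m:
                st["identity_alias"], st["identity_keystore"] = m.group(1), m.group(2)
        elif mid == "BEA-090169":          # trusted certificates loaded
            m = TRUST_RE.search(msg)
            if m:
                st["trust_keystore"] = m.group(1)
        elif mid == "BEA-002613":          # a channel started listening; keep the https ones
            m = CHANNEL_RE.search(msg)
            protos = [p.strip() for p in m.group(4).split(",")] if m else []
            if "https" in protos:
                st["secure_channels"].append({"name": m.group(1), "host": m.group(2),
                                              "port": int(m.group(3)), "protocols": protos})
        elif rec["sev"] == "Error":        # e.g. BEA-000297: private key alias not specified
            st["errors"].append(mid)
    # Complete only when identity and trust were loaded and at least one https channel listens.
    st["ok"] = bool(st["identity_alias"] and st["trust_keystore"] and st["secure_channels"])
    return st
```

Run `ssl_status` over the lines of the server log (or of a `tail` of it) after activating changes; an earlier BEA-000297 is still reported in `errors` even when the later lines show the fix worked.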
3 - Display the certificate presented by WebLogic

To display the certificate we have two possibilities; one is to click the lock in the browser window and use the browser's built-in functionality to display the certificates. Figure 157

When a client connects to a secure server its data is safe, because the server has proven it is who it claims to be and the transaction that follows is encrypted. Apache 2 is the leading Linux web server software, and Secure Sockets Layer is a secure communication protocol. Transport Layer Security (TLS) is the successor to SSL, but they work in basically the same way.