Cloud Account Sign in to Cloud Sign Up for Free Cloud Tier

Oracle Account

X.509 Certificate Revocation Checking Using the OCSP Protocol with Oracle WebLogic Server 12c

by Abhijit Patil

November 2012

Introduction

Oracle WebLogic Server 12c's Java Secure Socket Extension (JSSE) implementation supports X.509 Certificate Revocation (CR) checking using Online Certificate Status Protocol (OCSP) protocol, which checks a certificate's revocation status as part of the Secure Sockets Layer (SSL) certificate path validation process. CR checking improves the security of certificate usage by ensuring that received certificates have not been revoked by the issuing certificate authority.

This article focuses on how to use X.509 Certificate Revocation Checking Functionality with the OCSP protocol to validate in-bound certificates. Although this article focuses on inbound OCSP validation using OCSP, Oracle WebLogic Server 12c also supports outbound OCSP validation.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. Note that although Oracle WebLogic Server supports the Certificate Revocation list (CRL) mechanism, CRL is beyond the scope of this article.

Certificate Creation

We need to first create the X.509 certificates we will be using in our scenario to check the certificate revoke functionality. We will use the OpenSSL command line tool to create these certificates.

You can download all files used in this article (including certificates, openssl conf file, jks, etc.) here (patil-certrevoc-files.zip).

We will be creating three certificates:

Certificate Authority (CA) Certificate (root certificate)
Valid Certificate (signed by CA Certificate)
Revoked Certificate (signed by CA Certificate)

Figure 1 illustrates the certification chain.

Figure 1: Certificate Chain used for Certificate Revocation functionality

1. Download and setup openssl

Download and unzip openSSL tool in an empty directory. Documentation for openSSL tool is available here. The file openssl.cnf that comes with the installation contains configuration information used by the openssl commands. The file provides default values that are used when corresponding options are omitted from the commands; it also provides default prompts and other values that affect the way the commands interact with the user. Make sure you add the following entry in the openssl.cnf file…



authorityInfoAccess = OCSP;URI: http://host:port

…where host and port represent the host and port of OCSP server (which we will set up later in the article). This command will add the OCSP extension, including the OCSP server url, in the certificates we will generate in the next sections. The authority information access extension gives details about how to access certain information relating to the CA. Its syntax is accessOID;location, where location has the same syntax as subject alternative name. In our case, the value of accessOID is OCSP, and the location points to the OCSP server that needs to be used to check revoked certificates. Setting up the OCSP server is covered in step 6. OCSP Server Set-up.

2. Create a Certification Authority Certificate

Execute following command in openSSL installation directory to generate the "certificate authority." certificate (root certificate):



openssl req -nodes -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650

This will create two new files:

private/cakey.pem contains the "certificate authority" private RSA key
cacert.pem contains a self-signed "certificate authority" certificate

The self-signed "certificate authority" certificate will resemble the following:



bash-3.2$ openssl x509 -in cacert.pem -noout -text  
Certificate:   
Data:         
Version: 3 (0x2)  
Serial Number:          
a8:5c:c0:90:db:6f:be:db   
Signature Algorithm: sha1WithRSAEncryption  
Issuer: C=US, ST=California, L=Pleasanton, O=Oracle   
Validity        
Not Before: Aug 26 16:56:32 2011 GMT   
Not After : Aug 23 16:56:32 2021 GMT    
Subject: C=US, ST=California, L=Pleasanton, O=Oracle    
Subject Public Key Info:            
Public Key Algorithm: rsaEncryption     
RSA Public Key: (1024 bit)         
Modulus (1024 bit):              
00:c1:93:54:b1:07:fd:6a:a1:9d:1d:72:71:45:41:
...                
Exponent: 65537 (0x10001)      
X509v3 extensions:          
X509v3 Subject Key Identifier:    
08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B  
X509v3 Authority Key Identifier:      
keyid:08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B           
DirName:/C=US/ST=California/L=Pleasanton/O=Oracle     
serial:A8:5C:C0:90:DB:6F:BE:DB              
X509v3 Basic Constraints:             
CA:TRUE     
Signature Algorithm: sha1WithRSAEncryption       
73:04:85:0d:e2:f0:98:fe:c3:9a:cf:d8:12:33:4b:09:25:c8:  ...

3. Generate Valid Certificate

Next we'll generate a Valid Certificate signed by the CA certificate we created in previous section.

First we make a new certificate request and private RSA key by running following command (make sure you provide following values for subject: C=US, ST=California, L=Dublin, O=Home, OU=Home, CN=Home):



openssl req -nodes -newkey rsa:1024 -out newreq.pem -days 3650

This will create two new files:

private/privkey.pem contains the private RSA key
newreq.pem contains a certificate request

Next we generate a valid certificate with "certificate authority" private RSA key from a "certificate request":



openssl ca -policy policy_anything -out validcert.pem -infiles newreq.pem

This will give you a valid certificate file.

validcert.pem contains a certificate signed with private/cakey.pem



bash-3.2$ openssl x509 -in validcert.pem -noout -text
Certificate: 
Data:        
Version: 3 (0x2)  
Serial Number: 12 (0xc)
Signature Algorithm: sha1WithRSAEncryption  
Issuer: C=US, ST=California, L=Pleasanton, O=Oracle  
Validity         
Not Before: Sep  1 22:24:09 2011 GMT   
Not After : Aug 29 22:24:09 2021 GMT   
Subject: C=US, ST=California, L=Dublin, O=Home, OU=Home, CN=Home  
Subject Public Key Info:      
Public Key Algorithm: rsaEncryption    
RSA Public Key: (1024 bit)         
Modulus (1024 bit):         
00:9f:92:27:d3:fa:45:ec:13:5e:42:95:58:38:13:  ….      
Exponent: 65537 (0x10001)   
X509v3 extensions:         
X509v3 Basic Constraints:         
CA:FALSE      
Netscape Comment:      
OpenSSL Generated Certificate    
X509v3 Subject Key Identifier:     
F0:3E:51:E5:76:E6:3C:BC:3C:D4:4E:E3:2E:57:2B:79:08:64:DA:03   
X509v3 Authority Key Identifier:    
keyid:08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B   
Authority Information Access:     
OCSP - URI:http://host.domain.com:8888    
X509v3 CRL Distribution Points:       
URI:http://host.domain.com:8000/testcrl.crl   
Signature Algorithm: sha1WithRSAEncryption     
af:1e:6b:14:d0:93:37:5d:fc:0f:3c:d1:4f:da:ad:48:b6:34:

4. Generate Revoked Certificate

Next we need to generate another certificate which we will tag as "revoke" (see section 5. Revoke Certificate). Basically, we repeat the same process as in section 3 to generate the certificate.

First we make a new certificate request and private RSA key by running following command (make sure you provide following values for subject: C=DK, ST=Dummy, L=Fraud, O=Careful, OU=Beware, CN=Warning):



openssl req -nodes -newkey rsa:1024 -out newreq.pem -days 3650

This will create two new files:

private/privkey.pem contains the private RSA key
newreq.pem contains a certificate request

Next we generate a valid certificate with the "certificate authority" private RSA key from a "certificate request":



openssl ca -policy policy_anything -out revokecert.pem -infiles newreq.pem

This will give you a revoke certificate file.

revokecert.pem contains a certificate signed with private/cakey.pem



bash-3.2$ openssl x509 -in revokecert.pem -noout -text  
Certificate:    
Data:        
Version: 3 (0x2)   
Serial Number: 11 (0xb)   
Signature Algorithm: sha1WithRSAEncryption 
Issuer: C=US, ST=California, L=Pleasanton, O=Oracle   
Validity        
Not Before: Sep  1 22:09:59 2011 GMT   

Not After : Aug 29 22:09:59 2021 GMT 
Subject: C=DK, ST=Dummy, L=Fraud, O=Careful, OU=Beware, CN=Warning   
Subject Public Key Info:       
Public Key Algorithm: rsaEncryption     
RSA Public Key: (1024 bit)    
Modulus (1024 bit):       
00:c7:f8:3d:d6:a6:59:67:c1:38:4a:d1:6c:95:fd: 
…      
Exponent: 65537 (0x10001)  
X509v3 extensions:        
X509v3 Basic Constraints:  
CA:FALSE         
Netscape Comment:       
OpenSSL Generated Certificate  
X509v3 Subject Key Identifier:   
4A:B2:62:8A:74:D8:28:55:55:3D:C6:1D:99:B5:57:EB:2C:7E:B3:06  
X509v3 Authority Key Identifier:       
keyid:08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B  
Authority Information Access:  
OCSP - URI:http://host.domain.com:8888     
X509v3 CRL Distribution Points:     
URI:http://host.domain.com:8000/testcrl.crl  
Signature Algorithm: sha1WithRSAEncryption

5. Revoke Certificate

Let's assume the need to revoke the revokecert.pem certificate (maybe it has been compromised or has simply expired. Run following command to revoke the certificate:



openssl ca -revoke revokecert.pem

6. OCSP Server Set-Up

Start the OCSP server by specifying the host and port indicated in openssl.cnf (see section 1. Download and Set Up openssl. To make things simple we'll start the ocsp server on the same machine as Oracle WebLogic Server, although you can start on a different host after installing openssl and copying the certificate to that host.



openssl ocsp -index index.txt -CA cacert.pem -rsigner cacert.pem -rkey
private/cakey.pem -port 8888

In above examples the server will start and listen at port 8888. The OCSP server is now up and running and waiting for requests from Oracle WebLogic Server.

Import certificates and private keys into jks

Import all generated certificates (CA, valid and revoke certificates) into a jks file (ClientCerts.jks in our case). You can use Oracle WebLogic utility utils.ImportPrivateKey for this step.



java utils.ImportPrivateKey -keystore mykeystore -storepass mypasswd -keyfile 
mykey -keyfilepass mykeyfilepass -certfile newcerts.pem -keyfile testkey.pem 
-alias passalias

Enable certificate revocation check functionality in Oracle WebLogic Server

CR checking is disabled by default in Oracle WebLogic Server. But using either the Oracle WebLogic Server Administration Console or WLST you can enable CR checking and configure the properties. When you enable CR checking, Oracle WebLogic Server provides, on a domain-wide basis, a comprehensive set of mechanisms to obtain the current revocation status of each certificate it validates.

Figure 2 illustrates the location in which to enable CR checking in the Oracle WebLogic Server console:

Figure 2: Enable Certificate Revocation checking using WLS console

Figure 3 illustrates the OCSP tab where you can customize OCSP settings:

Figure 3: OCSP tab in WLS console

For convenience, in our case, all default values are retained. But you can customize settings based on your requirements

For example, by default, when checking a certificate's revocation status, Oracle WebLogic Server first uses OCSP. If OCSP returns the certificate's status as unknown, Oracle WebLogic Server then uses CRLs (the OCSP Then CRL option). However, you can change the CR checking method used, or the sequence in which the methods are used, to one of the following:

OCSP only
CRL only
OCSP then CRL - If the OCSP status for a certificate is returned as unknown, CRL is checked for certificate status.
CRL then OCSP - If a certificate's revocation status cannot be determined by checking available CRLs, its OCSP status is checked.

For more customization options (e.g. fail on Unknown revocation status, using nonce, setting response timeout interval, response cache), refer to the Oracle documentation.

Note: Please make sure you pass the -Dweblogic.debug.CertRevocCheck=true parameter to Oracle Weblogic Server for the certificate revocation debug log.

Create and run a sample client application

Create a sample java client application to connect to any resource in Oracle Weblogic (for example: servlet / jsp). Here's sample code to be used for the sample client application:



// Open the keystore, retrieve the private key, and certificate chain   
System.out.println("Loading keystore: " + keystore + "     
keystore alias: " + keystoreAlias);  
KeyStore ks = KeyStore.getInstance(keystoreType);   
ks.load(new FileInputStream(keystore), null);    
PrivateKey key = (PrivateKey)ks.getKey(keystoreAlias,  
pkPassword.toCharArray());    
Certificate [] certChain = ks.getCertificateChain(keystoreAlias);   
sconnection.loadLocalIdentity(certChain, key);    
try  
{     
tryConnection(sconnection);    
System.out.println("tryConnection returned normally");  
}     
catch (Exception e)  
{       
System.out.println("tryConnection threw exception");   
System.out.println(e.toString());   
}    
}

In the code above, the client loads the local identity certificate chain and key for the client before connecting to an Oracle WebLogic resource. In our case, we will pass a valid certificate alias (which is the alias of the certificate imported in ClientCerts.jks, as created in the Import certificates and private keys into jks section) to the keystoreAlias variable in above code to get a positive case (the certificate is not revoked in this case). We will pass the revoked certificate alias (which is the alias of the certificate imported in ClientCerts.jks, as created in the Import certificates and private keys into jks section) to the keyStoreAlias variable above to get a negative case (the certificate is revoked as shown in Generate revoked Certificate).

When you execute the client containing the above code with a valid certificate you should be able to see the following debug comments in the Oracle WebLogic Server logs.



<May 7, 2012 4:10:42 PM PDT> <Debug> <CertRevocCheck> <BEA-000000> 
<The revocation status of certificate CN=Home, OU=Home, O=Home, L=Dublin, 
ST=California, C=US is: 
Status=NOT REVOKED  
Source=OCSP  
Subject="CN=Home,OU=Home,O=Home,L=Dublin,ST=California,C=US"  
Issuer="O=Oracle,L=Pleasanton,ST=California,C=US" 
SerialNumber=e  
StatusValid=Mon 7 May 2012 16:10:42.000 -0700 
StatusExpires=null
NonceIgnored=false  
RevocationTime=null 
ReasonCode=null 
Flags=0 
ProducedAt=Mon 7 May 2012 16:10:42.000 -0700 
.>

When you execute the client containing the above code with a revoked certificate you should see the following debug comments in the Oracle WebLogic Server logs:



<May 7, 2012 4:13:35 PM PDT> <Debug> <CertRevocCheck> <BEA-000000>
<The revocation status of certificate CN=Warning, OU=Beware, O=Careful, L=Fraud, 
ST=Dummy, C=DK is:  
Status=REVOKED 
Source=OCSP  
Subject="CN=Warning,OU=Beware,O=Careful,L=Fraud,ST=Dummy,C=DK"  
Issuer="O=Oracle,L=Pleasanton,ST=California,C=US" 
SerialNumber=10 
StatusValid=Mon 7 May 2012 16:13:35.000 -0700 
StatusExpires=null 
NonceIgnored=false  
RevocationTime=Tue 17 Jan 2012 13:27:37.000 -0800
ReasonCode=-1  
Flags=0  
ProducedAt=Mon 7 May 2012 16:13:35.000 -0700 
.>

Oracle WebLogic Server allows a connection only if the incoming certificate is not revoked. It verifies a certificate by connecting to the OCSP server (as we set up earlier) which does the certificate verification and sends back either REVOKED or NOT REVOKED as the status for a valid certificate or a revoked certificate, respectively. (For example, the status of the certificate may be marked unknown if Oracle WebLogic Server is unable to connect to the OCSP server.) If the status of inbound certificate is NOT REVOKED, Oracle WebLogic Server allows a connection from the client application; otherwise it refuses the connection and throws following Exception:



<Jun 13, 2012 1:59:22 PM PDT> <Warning> <Security> <BEA-090917>  
<Revoked certificate causing validation failure, certificate with subject:   
CN=Warning,OU=Beware,O=Careful,L=Fraud,ST=Dummy,C=DK>  
<Jun 13, 2012 1:59:22 PM PDT> <Debug> <SecuritySSL> <BEA-000000> 
<[Thread[ExecuteThread: '1' for queue: 'weblogic.socket.Muxer',5,  
Thread Group for Queue:'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter:   
SSLENGINE: Exception occurred during SSLEngine.wrap(ByteBuffer,ByteBuffer).
javax.net.ssl.SSLHandshakeException: General SSLEngine problem  
  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1364)  
  at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)   
  at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)  
  at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)

Figures 4 and 5 illustrate the message flow:

Figure 5: Message flow for Certificate with status REVOKED

Conclusion

Oracle WebLogic Server's JSSE implementation supports X.509 certificate revocation (CR) checking, which checks a certificate's revocation status as part of the SSL certificate path validation process. Oracle WebLogic Server offers a complete solution for certificate revocation checking using the OCSP mechanism, providing performance, scalability and interoperability with open standards.

References

openSSL documentation
Oracle Weblogic Server documentation for certificate revocation checking

About the Author

Abhijit Patil is a Principal Member of the Technical Staff with the Oracle Weblogic Server Group. He has more than ten years of experience working on various Weblogic Server technologies, including security, web service, server clustering.