WebLogic Server 12c (12.2.1): Configuring SSL

Before You Begin

Purpose

This tutorial shows you how to create SSL certificates and keystores with keytool, and how to configure WebLogic Server to use those certificates to establish secure SSL connections.

Time to Complete

Approximately 20 Minutes.

Background

SSL: An Introduction

SSL stands for Secure Sockets Layer, which is used primarily for two purposes:

  • To verify the identity of a website and, optionally, client identities
  • To establish a secure encrypted connection between programs

The SSL protocol offers security to applications that are connected through a network.

Specifically, the SSL protocol provides the following:

  • Encryption of the data that is exchanged by applications
  • A mechanism that the applications can use to authenticate each other’s identity
  • Data integrity, whereby the data that flows between a client and a server is protected from tampering by a third party

When the SSL protocol is used, the target always authenticates itself to the initiator. Optionally, if the target requests it, the initiator can authenticate itself to the target. Encryption makes the data that is transmitted over the network intelligible only to the intended recipient. An SSL connection begins with a handshake during which time the applications exchange digital certificates, agree on the encryption algorithms to be used, and generate the encryption keys to be used for the remainder of the session.

Note: The only SSL stack supported by Oracle WebLogic Server 12c is the Java Secure Socket Extension (JSSE) stack. The Certicom-based SSL implementation is removed and no longer supported.

SSL Communications

There are two SSL approaches between a client and a server:

  • One-way SSL - The server identifies itself to the client
  • Two-way SSL - The client also identifies itself to the server

WebLogic and SSL

WebLogic uses SSL artifacts stored in keystores:

  • Identity - Private key and digital certificate
  • Trust - Digital certificates of trusted certificate authorities

Demo Certificates

Demonstration certificates are provided out-of-the-box for development:

  • DemoIdentity.jks for identity - Separate demo certificates per domain
  • DemoTrust.jks for trust

In this tutorial you will perform the following:

  1. Deploy an application SimpleAuctionWebApp to a cluster
  2. Use keytool to generate an identity keystore that contains a private key and a self-signed public certificate
  3. Configure keystore in the administration console
  4. Configure SSL for a managed server
  5. Use a web browser to access the application

Note:

  • The web browser uses the HTTPS protocol to access the server
  • The server returns its SSL certificate to the web browser and the user adds an SSL exception, thus allowing the connection

What Do You Need?

Operating System and Software Requirements

  • A Linux machine with version 6 or greater of Oracle Linux or Red Hat Linux
  • JDK 1.8 update 51 or later
  • Oracle WebLogic Server 12c (12.2.1) software

Prerequisites

You should have completed the following tutorials:

Deploying and Starting SimpleAuctionWebApp Application

To deploy a Java web application and start it by using the administration console, perform the following steps:

  1. Download the SimpleAuctionWebApp.war file to the machine where your domain's administration server is located. This is a sample Java web application archive to deploy.
  2. If the administration server of the domain is not already running, start it.

    1. Open a Terminal window and navigate to the domain directory. In this tutorial, the directory is /u01/domains/mydomain.
    2. In the domain directory, enter the following command:

      $ ./startWebLogic.sh

    3. At the prompt, enter the administrator username and password that you entered when you created the domain. In this tutorial, the username is weblogic and the password is Welcome1.
  3. If the server1 managed server is not already running, start it.
    1. Open a Terminal window and navigate to the bin directory under your domain directory. In this tutorial, the domain directory is /u01/domains/mydomain.

      $ cd /u01/domains/mydomain/bin

    2. In the bin directory, enter the following command to start the managed server server1:

      $ ./startManagedWebLogic.sh server1

    3. At the prompt, enter the administrator username and password.
      Note: The password is not displayed.
  4. After both servers are up and running, access the WebLogic Server administration console.
    1. Open a web browser and enter the URL: http://hostname:port/console.
      In this tutorial, that is http://host01.example.com:7001/console.
    2. On the Welcome screen, log in by using the username and password that you entered to start the administration server.
  5. Under Domain Structure, click Deployments.

  6. Deploying an application is a change to the domain's configuration, so you must first lock it. In the Change Center, click Lock & Edit.

  7. On the right, above the Deployments table, click Install.

  8. Locate the downloaded archive file.

    1. To the right of Current Location, click the links to browse to the location where you placed the downloaded SimpleAuctionWebApp.war file. In this tutorial, the file is in the /home/oracle/Downloads directory.
    2. Select the SimpleAuctionWebApp.war option that appears once you have browsed to the file. The console fills in the Path field for you.
      Alternatively, you can enter the path and the file name in the Path field manually.
    3. Click Next.
  9. On the next screen, ensure that Install this deployment as an application is selected, and then click Next.

  10. On the targets screen, select server1, and then click Next.

  11. On the next screen, keep all the default values and click Next.

  12. On the review screen, select No, I will review the configuration later, and then click Finish.

    Messages indicate that the deployment was installed, but changes must be activated. The SimpleAuctionWebApp application is listed in the Deployments table.

  13. To activate the changes, click Activate Changes in the Change Center.

  14. Under Summary of Deployments, select the Control tab.

  15. In the Deployments table, select the check box to the left of the SimpleAuctionWebApp application, and then select Servicing all requests in the Start list.

  16. Click Yes to continue.

    A message indicates that a start request was sent. Momentarily, the state of the SimpleAuctionWebApp application becomes "Active." This means that the application is available to those who have access to the server.

Using keytool to generate an Identity Keystore

What is a Keystore?

A keystore is a repository of security certificates, either authorization certificates or public key certificates, which are used mainly in SSL encryption.

The Java Development Kit (JDK) maintains a default CA keystore stored in <JAVA_HOME>/jre/lib/security/cacerts.

  • The well-known password is “changeit”.
  • Best practice:

    • Copy the default keystore to a new location.
    • Reset the password.
    • Configure WebLogic to use the new location.

keytool Utility

keytool is a standard Java SE SDK utility for managing:

  • The generation of private keys and the corresponding digital certificates
  • Keystores (databases) of private keys and the associated certificates

The keytool utility can display certificate and keystore contents.

When generating keys with keytool, you can specify an algorithm other than the default Digital Signature Algorithm (DSA).

Perform the following steps to create a new key pair using the Java keytool utility and configure server1 to use your custom keystore:

  1. Run the following keytool command (all on one line) to create a keystore and a key pair within it. You can use the genkey.sh script for convenience.

    Note: You can run this command from any directory; the keystore file is written to the current working directory. In this tutorial, the command is run under /scratch/scripts, so the wls_identity.jks file is created there.

    $ keytool -genkey -v -alias wlskey -keyalg RSA -keysize 2048 -sigalg MD5withRSA -dname "CN=wls-sysadm" -keypass wlskeypass -validity 365 -keystore wls_identity.jks -storepass wlsstorepass

    Note: MD5withRSA is a weak signature algorithm that current JDKs list in jdk.certpath.disabledAlgorithms; it is kept here to match the tutorial, but SHA256withRSA is the appropriate choice for any certificate that clients validate.
  2. In the Administration Console, click Environment > Servers under Domain Structure.
  3. Click server1 in the Servers table on the Summary of Servers page.

  4. On the Settings for server1 page, select the Keystores tab.

  5. In the Change Center, click Lock & Edit.

  6. On the Keystores page, specify the following properties and click Save.

     Description                               Choices or Values
     Keystores                                 Custom Identity and Java Standard Trust
     Custom Identity Keystore                  /scratch/scripts/wls_identity.jks
     Custom Identity Keystore Type             JKS
     Custom Identity Keystore Passphrase       wlsstorepass
     Java Standard Trust Keystore Passphrase   changeit
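As an added example (not part of the Oracle tutorial), the shell script below wraps the keytool step above so that the certificate's SHA-256 fingerprint is recorded when the keystore is created, and it supplies the check for the test section later on: compare the fingerprint that the SSL listener on port 8011 actually presents against the recorded one before confirming the browser exception. It deliberately uses SHA256withRSA instead of the tutorial's MD5withRSA and adds a SAN entry; the hostname, file names and the presence of keytool and openssl on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial. Creates the WebLogic identity keystore
# and records the certificate fingerprint for out-of-band comparison.
# Assumes keytool (JDK) and openssl are on PATH. Deviations from the tutorial:
# SHA256withRSA instead of MD5withRSA (MD5 is in jdk.certpath.disabledAlgorithms
# of current JDKs) and a SAN extension, which browsers require for hostname matching.
set -eu

make_identity_keystore() {   # $1 keystore path, $2 hostname used as CN and SAN
    keytool -genkeypair -alias wlskey -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$2" -ext "SAN=dns:$2" \
        -storetype JKS -keystore "$1" \
        -storepass wlsstorepass -keypass wlskeypass >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate stored under alias wlskey, in the
# colon-separated form keytool prints (e.g. "AB:CD:...").
keystore_fingerprint() {     # $1 keystore path
    keytool -list -v -alias wlskey -keystore "$1" -storepass wlsstorepass 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Fingerprint of the certificate a running SSL listener actually presents:
# this is the value to compare before confirming the browser exception.
presented_fingerprint() {    # $1 host, $2 port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//'
}

# Compare two fingerprints ignoring case and colon separators; returns 0 on match.
# An empty fingerprint (e.g. the listener was unreachable) never matches.
fingerprints_match() {       # $1 expected, $2 observed
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: ./identity_keystore.sh run [host] [port]   (file name is an assumption)
if [ "${1:-}" = "run" ]; then
    host="${2:-host01.example.com}"; port="${3:-8011}"
    make_identity_keystore wls_identity.jks "$host"
    expected=$(keystore_fingerprint wls_identity.jks)
    echo "keystore fingerprint: $expected"
    if fingerprints_match "$expected" "$(presented_fingerprint "$host" "$port")"; then
        echo "server at $host:$port presents the keystore certificate"
    else
        echo "server at $host:$port is not presenting this certificate (not restarted, or wrong keystore)"
    fi
fi
```

Run the keystore step before configuring the console, and the comparison only after server1 has been restarted with SSL enabled.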

Configuring SSL for a managed server

Perform the following steps to configure server1 to enable and support SSL using your custom identity keystore:

  1. On the Settings for server1 page, select the SSL tab.

  2. On the SSL page, specify the following properties and click Save.

     Description                    Choices or Values
     Identity and Trust Locations   Keystores
     Private Key Alias              wlskey
     Private Key Passphrase         wlskeypass

  3. On the Settings for server1 page, select the General tab.

  4. Select the check box next to SSL Listen Port Enabled and set the SSL Listen Port to 8011. Then click Save.

  5. To activate the changes, click Activate Changes in the Change Center.

    The resulting message indicates that one item must be restarted for the changes to take effect.

  6. Restart both the WebLogic Admin Server and Managed Server server1.

Test your SSL configuration

Perform the following steps to test your SSL configuration:

  1. In another browser window or tab, access the URL:

    https://host01.example.com:8011/SimpleAuctionWebApp/index.jsp

    (do not forget: httpS).

  2. You may receive an error or warning.

  3. Click the Technical Details link to see why the warning is displayed. It explains that the certificate is not trusted because it is self-signed rather than signed by a known certificate authority.

  4. Click the I Understand the Risks link to add an exception and click Add Exception (different web browsers may display this dialog differently):

  5. Then click Get Certificate to add the server certificate to your browser. You can also click View to see details about the certificate.

  6. Deselect Permanently store this exception so that the browser continues to perform this security check for this certificate in the future. Click Confirm Security Exception. If you make this exception permanent by selecting the Permanently store this exception check box, then the browser will no longer validate the certificate for subsequent requests to this server.

  7. Now, you can access the application on server1.

    If you see the main application landing page, congratulations! You have successfully created a custom security certificate and configured WebLogic SSL to use it.

Want to Learn More?

Credits

  • Lead Curriculum Developers: Tom Eliason, Veerabhadra Rao Putrevu

Version

  • 01-38-001-Configuring_SSL