Wednesday, April 17, 2013

Setting Up Two Way SSL for WebLogic Server - Self Signed Certificates

Hello There, 

In this blog post we will see step-by-step instructions to set up 2-Way SSL in WebLogic. We have already seen the 1-Way SSL setup here. But first, what are One Way SSL and Two Way SSL?

One Way SSL
-----------------

Here the server presents its certificate to the client. Certificates from clients are not verified as part of the authentication process, but the client needs to know whether it has reached the valid server or not, which it does by verifying the server certificate.

Example: a bank's website. Whenever we visit the net banking site, it presents its certificate to the browser to trust.



Two Way SSL
------------------
Here the client needs to authenticate to server resources by presenting its certificate; how strictly the client's certificate is verified depends on the server's requirement. The client verifies the server certificate and the server verifies the client certificate.

Example: a web server connecting to WebLogic Server, with both exchanging certificates to establish their communication.

The following figure shows how the client and server go through the initial handshake when they are set up in 2 Way SSL.


As the picture above is self explanatory, I will not explain the whole process here; we will proceed directly to the practical steps.

Step 1. Create the Identity and Trust Keystores for the WebLogic Server.

The Identity Keystore is required to define the identity of the WebLogic Server, so that clients can use it to trust the server.

And the Trust Keystore is required to store the root certificates of the clients, so that the server can trust or identify the incoming requests from the clients.

Create a Server Identity Keystore with your public key and private key:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -genkey -alias server_cert -keyalg RSA -keysize 2048 -keystore server_identity.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  ShaileshDyade
What is the name of your organizational unit?
  [Unknown]:  Personal
What is the name of your organization?
  [Unknown]:  Technology
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  yes

Enter key password for <server_cert>
        (RETURN if same as keystore password):
Re-enter new password:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>


Note: here I have used different passwords for the keystore and the key.

I am done with creating the server identity keystore file (the .JKS extension stands for Java KeyStore). Multiple keystore formats are available for use with WebLogic Server.

Generate a Certificate Signing Request:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -certreq -v -alias server_cert -file csr_for_mysite.csr -keystore server_identity.jks
Enter keystore password:
Enter key password for <server_cert>
Certification request stored in file <csr_for_mysite.pem>
Submit this to your CA


Open your CSR file and go to this link to get it signed by an authorized CA (Certificate Authority).

-----BEGIN NEW CERTIFICATE REQUEST-----
(CSR body omitted)
-----END NEW CERTIFICATE REQUEST-----


Here I am using GeoTrust as my CA for signing my certificate request.

Go to the link and provide the necessary details.

  1. Click on Order Now for the Free Rapid SSL Certificates.
  2. Provide the necessary details on the next page; for server type select WebLogic - All Versions.
  3. On the next page provide your contact information in case you would like GeoTrust to contact you for any further business, but remember that some fields are mandatory, without which the form will not be accepted.
  4. On the next page select "I Already have my own CSR".
  5. Paste the contents of your CSR file into the text box shown on that page (DO NOT COPY AND PASTE THE CERT REQUEST ABOVE) and click Continue.
  6. On the next page you will see the summary of your certificate; just verify it:
  7. Common Name: www.shaileshdyade.com
    Organization : Technology
    Organizational Unit : Personal
    Locality : Bangalore
    State : Karnataka
    Country : IN

  8. Continue.
  9. Well, this is embarrassing: it went on to check my domain and wants to get the approval of my site's administrator, admin@shaileshdyade.com.
  10. You need to click a couple of Continues; then you will arrive at the Complete Order Summary.
  11. At the end you will get a message like:

    Your Free Trial SSL Certificate Has Been Processed

Once you approve it, you will get the signed certificate by mail at the email id you specified during the certificate request; then you can follow the process of installing the certificate given in this link.

But we are here to explain the process of installing the certificate and setting up Two Way SSL with self-signed certificates.

Note: here I have used a slightly modified keystore, in which the Common Name is ShaileshDyade, whereas in the old file it was www.shaileshdyade.com; please notice this in the commands below.

Export the Self Signed Certificate (keytool -genkey already created a self-signed certificate inside server_identity.jks; this step writes it out to a file):

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -export -alias server_cert -file MyRoot.cer -keystore server_identity.jks -storepass keystorepass
Certificate stored in file <MyRoot.cer>


Create a Trust Store for Trusting Incoming Connections:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -import -alias server_cert -trustcacerts -file MyRoot.cer -keystore server_trust.jks
Enter keystore password:
Re-enter new password:
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Serial number: 516e3df0
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         MD5:  F3:E4:DE:8C:D8:66:7D:56:FD:B9:22:52:BF:D5:17:3F
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain> 


The files we have right now are: server_identity.jks, server_trust.jks and MyRoot.cer.

You can list their contents using the following commands:

D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -list -v -keystore server_identity.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_cert
Creation date: Apr 17, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Serial number: 516e3df0
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         MD5:  F3:E4:DE:8C:D8:66:7D:56:FD:B9:22:52:BF:D5:17:3F
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
         Version: 3

*******************************************
*******************************************



D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain>keytool -list -v -keystore server_trust.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server_cert
Creation date: Apr 17, 2013
Entry type: trustedCertEntry

Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Serial number: 516e3df0
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         MD5:  F3:E4:DE:8C:D8:66:7D:56:FD:B9:22:52:BF:D5:17:3F
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************

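Before pointing WebLogic at the two files it is worth checking the listings above programmatically rather than by eye. The following Python script is an added example, not code from the original post: it parses the text that `keytool -list -v` prints for the identity and trust keystores and reports whether the identity store holds exactly one private key entry, whether the certificate is self-signed, its validity window and days to expiry (computed from the dates keytool printed), whether it is signed with a weak algorithm, and whether the trust store holds anything beyond the server's own certificate. That last check matters for two-way SSL, because client certificates are validated against this trust store, so it must contain the clients' issuer certificates. The sample listings are constructed from the output shown above; `parse_listing`, `review` and `describe` are names chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample: what `keytool -list -v -keystore server_identity.jks`
# printed in the post (keystore header lines omitted here).
IDENTITY_LISTING = """\
Alias name: server_cert
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
"""

# Constructed sample: the `keytool -list -v -keystore server_trust.jks` output.
TRUST_LISTING = """\
Alias name: server_cert
Entry type: trustedCertEntry
Owner: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=ShaileshDyade, OU=Personal, O=Technology, L=Bangalore, ST=Karnataka, C=IN
Valid from: Wed Apr 17 11:45:12 IST 2013 until: Tue Jul 16 11:45:12 IST 2013
Certificate fingerprints:
         SHA1: 7A:D3:50:DE:A7:9C:FA:B7:B4:C6:20:87:DB:12:51:9E:64:78:C7:C0
         Signature algorithm name: SHA1withRSA
"""

FIELD_PATTERNS = {
    "entry_type": r"^Entry type: (.+)$",
    "owner": r"^Owner: (.+)$",
    "issuer": r"^Issuer: (.+)$",
    "sha1": r"^\s*SHA1: (\S+)$",
    "sig_alg": r"^\s*Signature algorithm name: (\S+)$",
}
VALIDITY_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)


def parse_keytool_date(text):
    """keytool prints e.g. 'Wed Apr 17 11:45:12 IST 2013'; strptime cannot
    parse arbitrary zone names, so drop the zone token before parsing."""
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_listing(text):
    """Split a keytool -list -v dump into one dict per alias."""
    entries = []
    for chunk in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, _, body = chunk.partition("\n")
        entry = {"alias": alias.strip()}
        for key, pattern in FIELD_PATTERNS.items():
            match = re.search(pattern, body, re.M)
            entry[key] = match.group(1).strip() if match else None
        match = VALIDITY_RE.search(body)
        entry["not_before"] = parse_keytool_date(match.group(1)) if match else None
        entry["not_after"] = parse_keytool_date(match.group(2)) if match else None
        entries.append(entry)
    return entries


def review(identity_text, trust_text, today="2013-05-01"):
    """Checks worth running before WebLogic is pointed at the two keystores.
    `today` is an ISO date so the expiry check is reproducible."""
    now = datetime.fromisoformat(today)
    keys = [e for e in parse_listing(identity_text) if e["entry_type"] == "PrivateKeyEntry"]
    if len(keys) != 1:
        raise ValueError("identity store must hold exactly one private key entry")
    server = keys[0]
    trusted = {e["sha1"] for e in parse_listing(trust_text)}
    return {
        "alias": server["alias"],
        "self_signed": server["owner"] == server["issuer"],
        "validity_days": (server["not_after"] - server["not_before"]).days,
        "days_until_expiry": (server["not_after"] - now).days,
        "expired": now > server["not_after"],
        "weak_signature": server["sig_alg"].upper().startswith(("SHA1", "MD5", "MD2")),
        "server_cert_in_trust_store": server["sha1"] in trusted,
        # Two-way SSL validates *client* certificates against the trust store,
        # so it must contain the clients' issuer certificates, not only our own.
        "client_anchors_present": bool(trusted - {server["sha1"]}),
    }


def describe(report):
    """Turn a review() result into the warnings a reviewer would raise."""
    notes = []
    if report["expired"]:
        notes.append("server certificate has expired")
    elif report["days_until_expiry"] < 30:
        notes.append("server certificate expires in %d days" % report["days_until_expiry"])
    if report["weak_signature"]:
        notes.append("certificate is signed with a weak algorithm")
    if not report["client_anchors_present"]:
        notes.append("trust store holds only the server's own certificate; no client certificate can validate against it")
    return notes


if __name__ == "__main__":
    for note in describe(review(IDENTITY_LISTING, TRUST_LISTING)):
        print("WARNING:", note)
```

To use it on a real setup, replace the two constructed listings with the output of `keytool -list -v` for your identity and trust keystores and pass today's date to `review`.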
 


70% of the job is done with this...

Now the next step is to configure the files in WebLogic Server.

Login to WebLogic Server console.

Navigate to  Home >Summary of Servers >AdminServer>Keystores

 
In Keystores, click Change and select Custom Identity and Custom Trust, as we have both identity and trust files.

Then fill in the required values in the fields as below.




Custom Identity Keystore: D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain\server_identity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: keystorepass
Confirm Custom Identity Keystore Passphrase: keystorepass

Custom Trust Keystore:D:\Oracle\Middleware\user_projects\domains\TwoWaySSLDomain\server_trust.jks
Custom Trust Keystore Type:JKS
Custom Trust Keystore Passphrase:keystorepass (Note: I have given same password while creating both of the jks files)
Confirm Custom Trust Keystore Passphrase:keystorepass

Navigate to  Home >Summary of Servers >AdminServer>SSL


Here you need to provide the details that let the server open and access its private key.

Private Key Alias : server_cert

Private Key Passphrase: keypass
Confirm Private Key Passphrase : keypass




On this page Click on Advanced Options.


If you would like to authenticate the client on the basis of its hostname, you can write your own hostname verifier or use the default BEA Hostname Verifier in the Hostname Verification field. I will change it to None, as I do not have a valid hostname for lab purposes.

In Two Way Client Cert Behavior we need to select the behavior of the Two Way SSL. Select Client Certs Requested But Not Enforced: this negotiates with the client. If you select the other one, Client Certs Requested And Enforced, the server will not allow connections from a client that does not present its certificate.

And the third one, "Client Certs Not Requested", is as good as One Way SSL.

Save the changes and navigate to Home > Summary of Servers > AdminServer > General.

Enable the SSL Listen Port, save it and restart the server. Then access the console over the SSL port (7002 in my example).


You should be able to see a lock icon before the address in the address bar; if you click on it and then on More Information, you will see the information below.


As you navigate you will see the complete certificate information here: Issued To, Validity, Fingerprints, etc.

If you do not specify any validity period during certificate creation, this certificate will be valid for 30 days.




Work on the WebLogic Server side is almost done, but this post is still not finished: I need to show how 2 Way SSL works when a web server is involved. I will configure Apache Web Server, configure the certificate on the Apache side, and show you how 2 Way SSL works.

Thanks
Shailesh Dyade

1 comment:

Luís Dias said...

Hi,

After configuring two way SSL, how can you get the certificate DN from the client request?

I'm trying

@Resource WebServiceContext wsContext;
wsContext.getUserPrincipal().getName()

but getting

Thank you!