
Securing forms application (SSL)

juliojgs (Member, Posts: 615, Silver Badge)

Hi, I'm configuring our Forms 12.2.1.4 application to be served through OHS on port 4443 (I believe it is the standard).

I'm expecting the delivery of a CA-issued certificate for the application server, which I understand I have to use to replace the demo cert in the OHS wallet (loading it into a custom identity wallet in WebLogic ... I've seen some good self-signed cert tutorials, but didn't find much info about true CA certs).

Now my question:

Do I have to load it also into the WLS_FORMS and WLS_REPORTS identity.jks? Or do communications between OHS and Forms run their own way? (I mean, users go HTTPS to OHS 4443, but OHS talks to Forms through 9001 HTTP.)

Can I - or should I - use the same wallets for every server I have listed in the weblogic console? (AdminServer, WLS_FORMS, WLS_REPORTS)

All this CA certs thing is quite new to me; until now we were running HTTP inside an intranet, but security requirements have logically increased.

Any hint about port number choices would be welcome

Answers

  • Michael Ferrante-Oracle (Senior Principal Product Manager, US, Member Posts: 7,493, Employee)

    Technically, you could SSL/TLS enable your web server (OHS) and not WebLogic. This would result in encrypted communication between the user and OHS, but not OHS to WLS. Whether or not this is of concern is something that only you and your organization can decide.

    Of course end to end encryption will offer better security but does add extra setup and maintenance effort. Again, the choice is yours, but end to end will be the most secure.

    Regarding how to obtain a cert from a standard CA, each vendor site offers instructions on how to create the CSR (Certificate Signing Request) and how to submit it in order to get a proper certificate. The process is essentially the same regardless of whether you need an SSL/TLS certificate or a code signing cert for JAR files.

    Helpful references:

    https://docs.oracle.com/en/middleware/fusion-middleware/weblogic-server/12.2.1.4/secmg

    https://www.digicert.com/what-is-an-ssl-certificate

    https://www.thawte.com/resources/getting-started

    https://www.godaddy.com/help/ssl-certificates-1000006


    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM
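    The server-side procedure the answer above describes (create a CSR, get it signed by a standard CA, import the reply into the WebLogic identity keystore, keep the CA root in a trust store, then confirm which hop is actually encrypted), as an added shell example using Java's keytool and openssl. This is not code from the thread or from Oracle; the host name forms.example.com, the O/C fields, the file names ca-root.pem and signed.pem, and the demo password are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oracle: build the WebLogic
# identity keystore and CSR for a CA-issued certificate, import the CA's reply,
# build the matching trust store, and check which hop is really encrypted.
# Assumed/constructed values: host name, O/C fields, file names, demo password.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-forms.example.com}"               # assumed server name (CN and SAN)
STOREPASS="${STOREPASS:-demo-password-change}"  # demo value only
ID_KS="$WORKDIR/identity.jks"
TRUST_KS="$WORKDIR/trust.jks"

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Step 1: private key + CSR. Only the CSR leaves the server; the private key
# never does, it stays inside the identity keystore.
make_csr() {
  keytool -genkeypair -alias "$HOST" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST,O=Example Org,C=US" -ext "SAN=dns:$HOST" \
    -keystore "$ID_KS" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
  keytool -certreq -alias "$HOST" -file "$WORKDIR/$HOST.csr" \
    -keystore "$ID_KS" -storepass "$STOREPASS" >/dev/null 2>&1
  echo "$WORKDIR/$HOST.csr"
}

# Step 2: import the CA root (and any intermediate) BEFORE the signed cert, and
# the signed cert under the SAME alias as the key pair, so keytool can validate
# the chain and attach it to the private key.
import_ca_reply() {   # $1 = ca-root.pem  $2 = signed.pem (both delivered by the CA)
  keytool -importcert -noprompt -alias ca-root -file "$1" \
    -keystore "$ID_KS" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias "$HOST" -file "$2" \
    -keystore "$ID_KS" -storepass "$STOREPASS"
}

# Step 3: the trust store holds only the CA root. Anything that connects over
# TLS (end-to-end setup: OHS to WLS, WLS to WLS) trusts the CA, not single certs.
make_truststore() {   # $1 = ca-root.pem
  keytool -importcert -noprompt -alias ca-root -file "$1" \
    -keystore "$TRUST_KS" -storepass "$STOREPASS"
}

# Number of private-key entries in the identity keystore (expect 1 after make_csr).
count_private_keys() {
  keytool -list -keystore "$ID_KS" -storepass "$STOREPASS" 2>/dev/null | grep -c PrivateKeyEntry
}

# Step 4: confirm which hop is encrypted. Against OHS on 4443 this prints the
# CA-issued subject/issuer; against a plain-HTTP WLS port (9001) the handshake
# fails, which is exactly the "OHS only, not OHS to WLS" case from the answer.
check_hop() {   # $1 = host:port
  openssl s_client -connect "$1" -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

if [ "${1:-}" = "demo" ] && have_keytool; then
  make_csr
  count_private_keys
fi
```

    Run `sh tls-setup.sh demo` to generate a keystore and CSR in a temporary directory; once the CA returns the signed certificate, call `import_ca_reply ca-root.pem signed.pem` and `make_truststore ca-root.pem`, then point each WebLogic server's Custom Identity and Custom Trust settings at the two files. The same trust store can be shared by AdminServer, WLS_FORMS and WLS_REPORTS, since it only contains the CA root; whether the identity keystore can be shared depends on whether the certificate's CN/SAN covers the host names each server is reached by.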

  • juliojgs (Member, Posts: 615, Silver Badge)

    Thanks,

    Actually, the security issues are decided by the client organization's security IT dept.

    There are three parties here: developers (we), the users' dept and the security dept.

    Both developers and users dept are subject to security dept requirements, which are being increased in every meeting.

    My question was not about obtaining the cert, which will be done by the client's IT with DigiCert, and delivered to us somehow.

    We will have to load it into the keystores (identity and trust, I believe). I've found several good tutorials about generating and loading self-signed certificates into the WebLogic wallet. I hope that with DigiCert certificates instead of self-signed ones it will be similar or even easier.

  • Michael Ferrante-Oracle (Senior Principal Product Manager, US, Member Posts: 7,493, Employee)

    When creating a self-generated cert, you do all the work. When obtaining one from a third party, all you need to do is make the request. The importing part is the same regardless. That said, if all the user machines are controlled by an admin and all use the same Java version, you could (in theory) perform the import on your own machine, then replace the users' cacerts file with yours. This should only be done IF the users are not likely to have different certs from other applications. Obviously, if you replace their file with yours, any certs they previously may have imported will be lost unless your file contains the same ones.

    Another point to note is that although Java will try to use its own keystore, you can alternatively point to a different one. So I could imagine the desire to not alter the user's file, but instead insert a customized file (e.g. yours) onto the user machine then change the FSAL call to point to the new file. This would result in FSAL using the customized file while leaving the original file unaltered. So something like this:

    java -Djavax.net.ssl.trustStore=C:/somewhere/mycacerts -jar frmsal.jar -url "https://server:port/forms/frmservlet?config=standaloneapp"


    Michael Ferrante

    Senior Principal Product Manager

    Oracle

    Twitter: @OracleFormsPM
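    The client-side alternative described above (leave the JRE's cacerts untouched, give FSAL a customized copy that also trusts the server's CA), as an added shell example that is not code from the thread or from Oracle. The CA root file name, the demo keystore password and the server URL in run_fsal are constructed assumptions; the cacerts password "changeit" is Java's real default. make_demo_root builds a self-signed stand-in for the CA root only so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oracle: give the Forms
# Standalone Launcher (FSAL) its own trust store instead of overwriting the
# JRE's cacerts. The copy inherits every CA the JRE already trusts, gains the
# one CA root the server uses, and the original file stays byte-for-byte intact.
# Assumed/constructed values: CA root file name, demo password, server URL.
set -e

have_keytool() { command -v keytool >/dev/null 2>&1; }

# Locate the JRE's cacerts (JDK 9+ layout first, then the JDK 8 jre/ layout).
find_cacerts() {
  jh="${JAVA_HOME:-$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")}"
  for f in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
    [ -f "$f" ] && { echo "$f"; return 0; }
  done
  return 1
}

# Count trusted CA entries in a keystore (cacerts' default password is changeit).
count_trusted() {   # $1 = keystore  $2 = password (optional)
  keytool -list -keystore "$1" -storepass "${2:-changeit}" 2>/dev/null | grep -c trustedCertEntry
}

# Copy cacerts and add the CA root to the COPY; the source file is never written to,
# so users' previously imported certs and the JRE's own list stay as they were.
build_custom_truststore() {   # $1 = source cacerts  $2 = destination  $3 = ca-root.pem
  cp "$1" "$2"
  keytool -importcert -noprompt -alias forms-ca-root -file "$3" \
    -keystore "$2" -storepass changeit >/dev/null 2>&1
}

# Constructed stand-in for the real CA root (self-signed, CA:true) so the
# example runs offline; in production use the root the CA delivered instead.
make_demo_root() {   # $1 = output PEM
  d=$(mktemp -d)
  keytool -genkeypair -alias demo-root -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=Demo Root CA (constructed)" -ext bc:c \
    -keystore "$d/root.p12" -storetype PKCS12 -storepass demo-password >/dev/null 2>&1
  keytool -exportcert -rfc -alias demo-root -keystore "$d/root.p12" \
    -storepass demo-password -file "$1" >/dev/null 2>&1
}

# Launch FSAL with the custom trust store. The property for the CAs a client
# trusts is javax.net.ssl.trustStore; javax.net.ssl.keyStore would be for the
# client's own key pair, which FSAL does not need here.
run_fsal() {   # $1 = custom trust store
  java -Djavax.net.ssl.trustStore="$1" -Djavax.net.ssl.trustStorePassword=changeit \
    -jar frmsal.jar -url "https://server:port/forms/frmservlet?config=standaloneapp"
}
```

    Typical use: `build_custom_truststore "$(find_cacerts)" C:/somewhere/mycacerts ca-root.pem` on the admin machine, distribute mycacerts to the users, and launch with `run_fsal C:/somewhere/mycacerts`. Because the copy is rebuilt from the JRE's own cacerts, a Java update on the user machine does not silently drop the server's CA, and the original file keeps whatever other certs the user had imported.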