25 Replies Latest reply: Oct 27, 2014 6:14 AM by 2722975

    ssl in weblogic

    2722975


      Hi,

        We are planning to implement SSL in our environments. Planning to use the keytool utility to generate the certificate. We have 3 HP-UX machines and 6 managed servers, 2 managed servers in each machine. All are in one domain and the same application is deployed to all managed servers.

        I want to know whether we need to create the SSL certificate for each machine? When I tried to create the CSR, it is asking for Common Name (CN); what exactly should I give? Please provide the detailed steps to implement SSL in my architecture.

      Br,

      sreejith

        • 1. Re: ssl in weblogic
          Sharmela-Oracle

          Hi Sreejith,


          Since you are configuring SSL for managed servers that are on different machines, I assume that the listen address also is different for these servers.

          So you need to create an SSL certificate for each machine (each listen address).

          CN is nothing but the actual listen address being used by that particular managed server.

          Thanks,

          Sharmela

          • 2. Re: ssl in weblogic
            2722975


            Thanks Sharmela

            • 3. Re: ssl in weblogic
              Maran Viswarayar

              Your server name may be server.company.com, but the common name is a fully qualified domain name (FQDN).

              server.company.com can be server.company.com and you need to generate a certificate for this name - this is the actual hostname of the SERVER.

              server.company.com = <anyname>.domain.com ... e.g. erp.company.com, and generate a certificate for this new name, but erp.company.com should be registered in the DNS so that it will resolve to reach server.company.com.

              If your system is an external-facing system you should register this erp.company.com with service providers so that they will route to your server. If it's intranet, you need to register it in the company DNS.

              • 4. Re: ssl in weblogic
                Igoroshka

                1. Define what hash algorithm and ciphers you will use. Define where you want to have encrypted data exchange, which servers you want to have encryption on.

                2. Update Java policies to be able to use high-bit keys on all hosts.

                3. Create a CA if you do not have your root certificate. Create the root certificate and self-sign it. Generate the public certificate.

                4. On each host create an identity keystore and (depending on your needs) a trust keystore.

                5. Issue on each host a certificate signing request (CSR).

                6. Sign each host's CSR with your root certificate. Copy the signed certificate with the root public certificate to each corresponding host.

                7. For each app server define keystores model. Configure location, type, passphrase for identity and (possibly) trust stores.

                8. Configure SSL.

                9. Configure ports to be used for SSL.

                10. Define ciphers to be used.

                11. Configure nodemanager to possibly use SSL.

                12. Configure wlst to use SSL.

                13. Configure AdminServer to use SSL.

                14. Test app servers, AdminServer, nodemanager, wlst.

                • 5. Re: ssl in weblogic
                  2722975

                  We do not have a node manager. In that case can we run the Admin server alone in HTTP and all other managed servers in HTTPS? Also when I submitted the CSR to the authority I got two certificates.

                  1. domainname.cer

                  2. one certificate chain with trusted certificate.

                  So advise me which certificate should be imported to the identity and trust keystore.

                  • 6. Re: ssl in weblogic
                    Igoroshka

                    1. You may specify which servers will use SSL and which will not. But keep in mind that setting SSL Listen Port Enabled without disabling Listen Port Enabled will result in listening on both the secure and the insecure port.

                    2. As for the names, domainname.cer is expected to contain your domain certificate (root for your organization) signed by the CA. The other one probably has a list of the public trust certificates.

                    You may list the contents with openssl or keytool:

                    openssl x509 -in domainname.cer -noout -text

                    keytool -printcert -v -file domainname.cer
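Added example to go with the two commands above (not from any post in this thread): before importing anything, tell a single certificate from a chain bundle, split a bundle into its individual certificates, and cope with the common case where a CA's .cer file is DER (binary) rather than PEM. The file names passed as arguments and the output prefix for split files are assumptions; openssl is only needed for the subject/issuer readout.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Helps answer "what is in
# domainname.cer vs. the chain file" before anything is imported anywhere.
# Assumed: file names are passed as arguments; split files get an assumed prefix.

# A CA often hands out ".cer" files in DER (binary) rather than PEM; openssl
# needs to be told which one it is getting.
cert_inform() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# Number of PEM certificates in a file: 1 = single certificate, >1 = chain/bundle,
# 0 = DER (or not a certificate at all).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into <prefix>-1.pem, <prefix>-2.pem, ... in file order,
# so that each certificate can be inspected and imported separately.
split_pem_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$1"
}

# Subject and issuer of one certificate, PEM or DER (the openssl call from reply 6).
describe_cert() {
    openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -subject -issuer
}

# Subject/issuer of every certificate in a file. Reading the output:
#  - subject == issuer           : self-signed, i.e. the root          -> trust store
#  - subject is another's issuer : the intermediate                    -> trust store
#  - subject carries your CN     : the server/domain certificate       -> identity store
describe_bundle() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    if [ "$(count_pem_certs "$1")" -le 1 ]; then
        describe_cert "$1"
        return
    fi
    tmp=$(mktemp -d) || return 1
    split_pem_bundle "$1" "$tmp/cert"
    for f in "$tmp"/cert-*.pem; do
        echo "== $f"
        describe_cert "$f"
    done
    rm -rf "$tmp"
}

# Usage:  sh inspect_certs.sh domainname.cer chain.cer
for f in "$@"; do
    [ -f "$f" ] && { echo "### $f ($(count_pem_certs "$f") PEM cert(s), $(cert_inform "$f"))"; describe_bundle "$f"; }
done
```

A bundle that keytool or openssl refuses to import as one file usually just needs splitting this way; each piece is then imported under its own alias, and the readout above tells you which piece belongs in which store.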


                    • 7. Re: ssl in weblogic
                      Nicholas Mans-Oracle

                      Another option would be to use wild card certificates.

                      How To Configure WebLogic Server To Support Wildcard Certificates (Doc ID 1474989.1)

                      Instead of having a certificate for each host you have one for the whole domain.

                      • 8. Re: ssl in weblogic
                        2722975

                        Hi,

                        I have two certificates I got from the authority.

                        1. my domain's certificate

                        2. root and intermediate certificate.

                        Which one should I pass to the clients which are accessing my application? Client applications are facing an SSL handshake issue.

                        • 9. Re: ssl in weblogic
                          Igoroshka

                          Normally no certificates are sent to clients.

                          You should:

                          1. Strictly protect your mydomains certificate. This is your domain identity key.

                          2. On your servers you should create keystores (java) or wallets (db, ohs) for storing server identity.

                          3. Issue on each server a certificate signing request (CSR).

                          4. Copy this CSR to your company certificate authority (CA) server.

                          5. Sign the CSR with your mydomain certificate. You will get a CRS -- signed certificate for a server. Because your mydomain certificate is verified by an external authority and you are signing the server's certificate with such a verified certificate, your server's certificates will also be verified.

                          6. Copy each signed CRS together with the root and intermediate certificate(s) to the corresponding server.

                          7. Import the CRS into your identity store and place it in a directory with restricted access. It is the host's (and apps') digital identity that is verified by your mydomain, by intermediate, by root. If everything is OK you may delete the CRS.

                          8. Import your root and intermediate certificates into your trust store -- the store that holds public certificates of well known CAs.

                          9. Customize your weblogic servers to use your identity and trust and created certificates.

                          10. Check with external tools that your ssl connections are using strong encryption.

                          11. Configure Admin console, wlst, scripts to use ssl connection. Check it.

                          12. If necessary configure weblogic-db encryption.

                          Keep in mind that encryption consumes more system resources in comparison with non-encrypted connections.
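Added example, not from any poster in this thread, putting the per-host steps of replies 4 and 9 into one keytool script: one identity keystore and one trust keystore per machine, a CSR whose CN is that machine's listen address, and the import of the signed certificate plus the CA chain afterwards. The host names, OU/O/C values, store directory, passphrases and the file names the CA hands back are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from any post in this thread: per-host identity and trust
# keystores with keytool, following the steps in replies 4 and 9.
# Everything below this comment is assumed/constructed for illustration:
# the host names, the OU/O/C values, the store directory, the passphrases and
# the file names the CA hands back (<host>-signed.cer, root.cer, intermediate.cer).

HOSTS="host1.company.com host2.company.com host3.company.com"  # one listen address per machine
STORE_DIR="${STORE_DIR:-/opt/weblogic/keystores}"              # assumed path, readable only by the WLS user
IDENTITY_PASS="${IDENTITY_PASS:-change-me-identity}"           # placeholder; take from a secret store in practice
TRUST_PASS="${TRUST_PASS:-change-me-trust}"                    # placeholder

# The CN is the listen address clients connect to (replies 1 and 3); OU/O/C are assumed.
dname_for_host() {
    printf 'CN=%s,OU=Middleware,O=Example Corp,C=US' "$1"
}

identity_store() { printf '%s/%s-identity.jks' "$STORE_DIR" "$1"; }
trust_store()    { printf '%s/%s-trust.jks' "$STORE_DIR" "$1"; }

require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Steps 4-5: private key (with a self-signed placeholder) in the identity store, then a CSR.
# -ext SAN needs the Java 7+ keytool; drop that option on older JDKs.
create_keypair_and_csr() {
    h=$1
    require_tool keytool || return 1
    mkdir -p "$STORE_DIR" && chmod 700 "$STORE_DIR"
    keytool -genkeypair -alias "$h" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "$(dname_for_host "$h")" -ext "SAN=dns:$h" -validity 365 \
        -keystore "$(identity_store "$h")" -storepass "$IDENTITY_PASS" -keypass "$IDENTITY_PASS"
    keytool -certreq -alias "$h" -keystore "$(identity_store "$h")" \
        -storepass "$IDENTITY_PASS" -file "$STORE_DIR/$h.csr"
}

# Steps 6-8: once the CA returns the signed certificate plus root and intermediate.
import_signed_chain() {
    h=$1; signed=$2; root=$3; inter=$4
    require_tool keytool || return 1
    ks=$(identity_store "$h"); ts=$(trust_store "$h")
    # The CA certificates go into the identity store first, as trusted entries, so
    # keytool can validate the reply against them when it is imported.
    keytool -importcert -noprompt -alias ca-root -file "$root" \
        -keystore "$ks" -storepass "$IDENTITY_PASS"
    keytool -importcert -noprompt -alias ca-intermediate -file "$inter" \
        -keystore "$ks" -storepass "$IDENTITY_PASS"
    # The reply MUST use the same alias as the key pair; under a new alias it would
    # become just another trusted certificate and the server would keep presenting
    # the self-signed placeholder.
    keytool -importcert -alias "$h" -file "$signed" \
        -keystore "$ks" -storepass "$IDENTITY_PASS" -keypass "$IDENTITY_PASS"
    # The trust store holds only the public CA certificates; clients need these same two.
    keytool -importcert -noprompt -alias ca-root -file "$root" \
        -keystore "$ts" -storepass "$TRUST_PASS"
    keytool -importcert -noprompt -alias ca-intermediate -file "$inter" \
        -keystore "$ts" -storepass "$TRUST_PASS"
    chmod 600 "$ks" "$ts"
}

# Check after the import: the key entry should show a chain of length 3
# (server, intermediate, root); "1" means the reply did not replace the placeholder.
chain_length() {
    h=$1
    keytool -list -v -keystore "$(identity_store "$h")" -storepass "$IDENTITY_PASS" -alias "$h" \
        | sed -n 's/^Certificate chain length: *//p'
}

# Phase 1 on every host:  sh make_keystores.sh csr
if [ "${1:-}" = "csr" ]; then
    for h in $HOSTS; do create_keypair_and_csr "$h"; done
fi
```

The WebLogic side then points each managed server at its own pair: Configuration > Keystores, Keystores = "Custom Identity and Custom Trust", with the identity/trust paths and passphrases from the script, and Configuration > SSL, Private Key Alias = the host name used above with the identity passphrase. The same root and intermediate certificates are what the Java clients from replies 10 to 12 need in their own trust store (or in $JAVA_HOME/jre/lib/security/cacerts); the host's private key never leaves the identity store.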

                          • 10. Re: ssl in weblogic
                            2722975

                            But there are some other Java processes (clients) connecting to the application servers. They were getting the SSL connection exception. Once I configured the root and intermediate certificates which I got into their trusted keystore, the issue got resolved.

                            • 11. Re: ssl in weblogic
                              Igoroshka

                              To verify server identity clients should have access to the chain of signing public certificates. The trust store is used for this. Or you may directly import the intermediate and root certificates into the clients' stores.

                              • 12. Re: ssl in weblogic
                                Igoroshka

                                Even if Java clients do not explicitly use stores, Java uses its own store in $JAVA_HOME/jre/lib/security/cacerts

                                • 13. Re: ssl in weblogic
                                  2722975

                                  Thanks! Finally I have enabled SSL on my managed servers. But I am getting the below warning message in the managed servers' logs.

                                  <Invalid/unknown SSL header was received from peer strapp20.apis.dhl.com -  during SSL handshake.>. I have noticed that this is coming from the Admin server, because when I stopped the admin server this warning message no longer appears in the logs.

                                  Please help to resolve this issue.

                                  • 14. Re: ssl in weblogic
                                    Igoroshka

                                    Hi.

                                    If you are using Linux please issue:

                                    lsof -Pi:5556,7001,7002

                                    5556 is the default nodemanager port, 7001/2 -- the default ports of the admin server.
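Added example, not from any poster in this thread, for the warning quoted in reply 13: pull the peer names out of the managed server log so the noisy peer can be matched against the admin server's listen address, then run the port check from reply 14 (with a netstat fallback for HP-UX boxes without lsof). The log lines are constructed in WebLogic's angle-bracket layout; only the warning text is the thread's, while the host names, IPs, timestamps and the BEA-XXXXXX message id are placeholders.

```shell
#!/bin/sh
# Added example, not from any post in this thread: pin down which peer is
# sending non-SSL bytes to the SSL port, from the managed server log, before
# touching the admin server. The log lines are constructed in WebLogic's
# <field> <field> layout; the warning text is the one quoted in reply 13, the
# host names, IPs, timestamps and the BEA-XXXXXX message id are placeholders.

sample_log() {
cat <<'EOF'
####<Oct 27, 2014 9:00:01 AM GMT> <Info> <WebLogicServer> <host1.company.com> <ms1> <main> <<WLS Kernel>> <> <> <1414400401000> <BEA-XXXXXX> <Server started in RUNNING mode.>
####<Oct 27, 2014 9:01:12 AM GMT> <Warning> <Security> <host1.company.com> <ms1> <ExecuteThread: '3'> <<WLS Kernel>> <> <> <1414400472000> <BEA-XXXXXX> <Invalid/unknown SSL header was received from peer adminhost.company.com - 10.0.0.5 during SSL handshake.>
####<Oct 27, 2014 9:02:30 AM GMT> <Warning> <Security> <host1.company.com> <ms1> <ExecuteThread: '5'> <<WLS Kernel>> <> <> <1414400550000> <BEA-XXXXXX> <Invalid/unknown SSL header was received from peer adminhost.company.com - 10.0.0.5 during SSL handshake.>
EOF
}

# Peer named in each "Invalid/unknown SSL header" warning on stdin, one per line.
# The pattern also matches the thread's form with an empty IP ("peer host -  during").
ssl_header_peers() {
    sed -n 's/.*Invalid\/unknown SSL header was received from peer \([^ ]*\) .*/\1/p'
}

# "<count> <peer>" lines, busiest peer first.
ssl_header_peer_counts() {
    ssl_header_peers | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# True when the named host (e.g. the admin server's listen address) is among the peers.
peer_is_present() {
    ssl_header_peers | grep -qxF -e "$1"
}

# Live check from reply 14: who is listening on the node manager / admin ports.
# HP-UX boxes often have no lsof; netstat shows the same sockets.
show_listeners() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -Pi:5556,7001,7002
    else
        netstat -an | grep -E '[.:](5556|7001|7002) '
    fi
}

# Typical use on a real log:  ssl_header_peer_counts < ms1.log
```

This warning is what the SSL listener logs when a plaintext (non-SSL) connection arrives on the SSL port, so if the peer the script reports is the admin server's listen address, the next thing to compare is the admin server's own Listen Port / SSL Listen Port settings from reply 6 against the port the managed servers are now exposing.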
