Advertisements



Service Bus 12c– One way SSL

In this post, we will see how to configure Service Bus to use One way SSL.

Here, we are not discussing about the SSL concepts and people who want to go through quick introduction of SSL can go through this.

In Summary, following are the steps to be followed:

  • Generate Custom Identity and Trust stores.
  • Enable SSL port.
  • Setting up the keystores.
  • Configure private keys for SSL

Please note that, JSSE (Java Secure Socket Extension)  is the only supported SSL implementation. The Certicom-based SSL implementation is removed and is no longer supported in WebLogic Server.

Create a folder keystores %FMW_HOME% to store all of your keystores used and issue the following command to generate a keystore for Admin server use as shown below.

keytool -genkeypair -keyalg RSA -alias localadmin -keystore adminkeystore.jks -storepass adjks123 -validity 360 -keysize 2048

createks

This creates keystore adminkeystore.jks having both public and the private keys with alias localadmin. You can observe the contents of keystore using the following command.

keytool -list -v -keystore adminkeystore.jks

jkscontents

Similarly, create other keystores to use for OSB and SOA managed servers and also a keystore to use for the client as shown below.

keystores

Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.

sslenable

By Default, WLS uses the Demo Identity and Trust keystores and you can find them in %DOMAIN_HOME/security and %WLS_HOME%/server/lib. Oracle strictly recommends to use the Custom keystores at least for the Production environments. Hence we will use the custom keystores in this post.

Go to Keystores tab and click Change.

demoks

Select Custom Identity and Custom  Trust as shown below and click Save.

customks

Modify Custom Identity and Trust stores as shown below and here you also need to give keystore password. Click Save.

customks1

Go to SSL tab and give the Private key alias as shown below.

sslsetup

Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.

sslsetup1

Modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to use following parameters and restart the admin server. This is required as to instruct WLS server to load trusted certificates.

-Dweblogic.security.SSL.trustedCAkeystore=C:\Oracle\Middleware\FMW1213New \keystores\adminkeystore.jks -Djavax.net.ssl.trustStorePassword=adjks123

Now you should be able to access WLS admin console using following URL and this confirm the SSL is configured on your admin server.

http://localhost:7002/console

You can refer to WLS documentation here for more information on this.

The following error is observed when we use a keystore as Trust store with zero trust certificates.

<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: No certs to
copy.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: No trusted
CAs available to populate trust anchors.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: Error initi
alizing trust manager factory: the trustAnchors parameter must be non-empty.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at weblogic.security.SSL.jsseadapter.JaTrustManager.<init>(JaTrustManager.java:57)
at weblogic.security.SSL.jsseadapter.JaSSLContextImpl.initializeContext(JaSSLContextImpl.java:654)

To debug SSL, modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to include the following parameters.

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

To enable javax.net debugging include the following parameter.

-Djavax.net.debug=all

To eliminate this error, you can install any trust certificate into localadmin.jks or use cacerts keystore (available in %WLS_HOME%/server/lib) as Trust store. Here i have exported Public Certificate from clientkeystore.jks and got that imported into localadmin.jks.

Use the following command to export:

            keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

Use the following command to import:

             keytool -importcert -alias localclient -keystore adminkeystore.jks -file localclient.cer

Now verify the contents of your keystore as below.

              keytool -list -v -keystore adminkeystore.jks

localcer

Similarly, configure OSB managed server using keystore osbkeystore.jks and use 7005 as the SSL port. Restart the OSB server after your changes.

osbsslport

osbsslks

osbsslks1

To enable your proxy services to be accessed only by SSL, you have to enable HTTPS option as below.

osbsslps

Now if you try to access your Proxy Service WSDL from browser, it will be automatically uses SSL as shown below.

osbwsdl

Most of the people uses SOAP UI to test their webservices. If you try to access this WSDL, you will be able to access from SOAP UI even without adding the required certificates to trust store. This is because SOAP UI trusts all by default as per this forum post.

To confirm the enablement of SSL on the Proxy Service, let us try to create a Webservice Proxy in JDeveloper that prompts to accept/trust the certificate.

jdevcert

Observation:

When you enable SSL debugging, you might observe the following exception in server log though your 1-way SSL works as expected. As per Oracle Support note 1606295.1, this is not a harmful exception.

<1425221899641> <BEA-000000> <Exception processing certificates: peer not authenticated javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at weblogic.servlet.provider.WlsSecurityProvider.getSSLAttributes(WlsSecurityProvider.java:222)
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(VirtualConnection.java:165)
at weblogic.servlet.internal.VirtualConnection.init(VirtualConnection.java:75)
at weblogic.servlet.internal.ServletRequestImpl.initFromRequestParser(ServletRequestImpl.java:312)
at weblogic.servlet.internal.HttpConnectionHandler.dispatch(HttpConnectionHandler.java:577)
at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:131)
at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:216)
at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:186)
at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:216)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:970)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:907)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:495)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:461)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)

Advertisements

3 Responses to “Service Bus 12c– One way SSL”


  1. 1 Rajesh Kanna December 21, 2015 at 6:55 PM

    Hi There,
    Your post is really helpful. I have tried above steps. When i tried to access the proxy service via browser, i am getting an error as “Webpage is not available”. Please could you help me resolve this error?
    Thanks,
    Rajesh


  1. 1 Service Bus 12c – Series of Articles | Siva's Blog Trackback on March 31, 2015 at 6:01 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




Advertisements

Pages

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 341 other followers

Enter your email address to follow this blog and receive notifications of new posts by email.