Advertisements

Posts Tagged 'SSL'

SSL using KSS

In this post, we will use KSS (Keystore Service) for SSL setup. The screenshots showed in this post are based on SOA 12.2.1 but these steps remain same for 12.1.3 as well.

Creating Application Stripe:

ks1

ks2

stripe

Creating KSS Keystore:

kscreate

kssadmin

Creating Keypair:

kssmng

genkeypair

keypair

Oracle recommends key size to be more than equal to 1024. If we want to get it signed by any CA, we can generate CSR by clicking Generate CSR which is recommended for Production env. But for Development purpose we can use this keystore as it is.

keypair1

Clicking on alias name will bring up the following screen showing the certificate information.

cert

Configuring 1-Way SSL:

Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.

sslport

Go to Keystores tab. Click Change to select Custom Identity and Custom  Trust as shown below and click Save to save the changes.

customkss

Modify Custom Identity and Trust stores as shown below. observe the usage of system trust store kss://system/trust. Oracle recommends this approach to simplify the trusted certificates setup.

customkss2

Go to SSL tab and give the Private key alias as shown below. Here give the password as “password” and click Save. See related note at end of this post.

ssl

Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.

advc

Restart the server and now we should be able to access admin console using HTTPS URL like http://localhost:7002/console.

Similarly, configure OSB managed server using same Keystore or by creating a new one similar to above as shown in the following screenshots.. Restart the server after changes.

osbssl

customkss2

ssl

Enable HTTPS for OSB proxy service as shown below.

proxyhttps

And now we should be able to access the proxy service WSDL using HTTPS URL like https://localhost:7008/entity/CustomerService?wsdl

Refer to this post for 2-way SSL setup and follow below steps to import the certificate into trust store.

trust

trust1

importcert

importcert1

Note that KSS does not support certificate in binary format which is the default encoding used by JKS. We can use –rfc option of keytool command to export the certificate into printable encoding format as shown below.

keytool -export -keystore .\soakeystore.jks -file cert.cer -alias localsoa -rfc

Note:

When no Private Key Passphrase is mentioned in the SSL tab, em console is not accessible and following errors are shown in the log.

em

References:

https://docs.oracle.com/middleware/1212/owsm/OWSMS/configure-owsm-ssl.htm#OWSMS119

https://docs.oracle.com/middleware/1212/idm/JISEC/kssadm.htm#JISEC9596

Advertisements

Service Bus 12c– Outbound SSL

In the last 2 posts, we have seen how to configure Service Bus to use 1-Way SSL and 2-Way SSL. In both of these scenarios, our Service Bus managed server is acting as Server but our server can also become a Client when talking to external services using the Business Services having SSL enabled. So we will discuss about Outbound SSL in this post.

1-Way SSL

Before getting into the required OSB setup, enable our SOAP UI mock service to use SSL. Go to File –> Preferences –> SSL Settings and set properties as shown below.

soapuissl

Access your mock service as shown below to confirm that SSL is enabled.

mockssl

Now update the business service endpoint URI with this URL in the Service Bus Console as shown below.

bsendpoint

Now test your business service and you can observe following error in server logs. This is because you have not yet updated the OSB server trust store with the certificate of SOAP UI mock service.

sslerror

sslbserror

So now export the Public Certificate from the keystore used for mock service and import into OSB trust store using following commands.

keytool –exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

Now test your Business Service to see the response as given below.

bstestsucc

2-Way SSL

In case of 2-way SSL, our Proxy Service acts as client and need to send the corresponding Public Certificate when server requests(in our case, it’s SOAP UI Mock Service).

In Service Bus, the resource Service Key Provider is used to retrieve the required PKI credentials that  includes Private key paired with a certificate. Proxy services use this key-pair to authenticate when acting as a client during an outbound SSL i.e. during routing a message to HTTPS business service or proxy service requiring Client Certificate authentication. You can find more information in Service Bus documentation here.

Service Key Provider makes use of PKI credential mapper  to retrieve the PKI credentials which has to be created first.

PKI Credential Mapper

In WLS admin console, navigate to Security Realms –> myrealm –> Providers –> Credential Mapping. Click New.

pkiprovider1_thumb2_thumb_thumb_thum

Give name and select Type as PKICredentialMapper and Click OK.

pkiprovider2_thumb2_thumb_thumb_thum

Verify that new credential mapping provider is created.

pkiprovider4_thumb3_thumb_thumb_thum

Now click SSLPKIProvider and navigate to Provider Specific tab. Mention the Keystore and Pass Phrase specific to OSB managed server and click Save.

pkiprovider3_thumb3_thumb_thumb_thum

Service Key Provider

We will directly use the sbconsole for creating the Service Key Provider and to make other required changes for Business and Proxy Services.

Create a OSB session and select Service Key Provider from drop down menu as shown below once you select the Service Bus Project.

skp1_thumb[2]

Provide the name and click Create.

skp2_thumb[2]

Now the Service Provider Definition look like as below. Since we are using this for SSL purpose click search icon for SSL Client Authentication Key.

skp4_thumb[3]

Choose the Key Alias as shown below and provide the password.

skp5_thumb[3]

Click OK to bring up following screen and Save your changes done for Service Key Provider. Do activate Service Bus session.

skp6_thumb[3]

Soap UI Settings

Before proceeding with Proxy and Business service changes, you have to enable the SOAP UI mock service to request for Client Certificate.

To do this, navigate to File –> Preferences –> SSL Settings and choose Client Authentication as shown below.

soapuiclient_thumb[2]

Now test your Proxy Service to observe the following errors in response tab, jetty log and Service Bus logs respectively. This happens as we have not yet imported OSB server Public Certificate into clientkeystore.jks and also did not configure our Proxy/Business Service to send the client Certificate.

soapuibadcert_thumb[2]

soapuibadcert1_thumb[2]

osberror_thumb[2]

Export OSB server public certificate and import into clientkeystore.jks using following commands.

keytool -exportcert -alias localosb –keystore osbkeystore.jks –file osbcert.cer

keytool -importcert -alias localosb -keystore clientkeystore.jks –file osbcert.cer

keystoreimport_thumb[2]

With this, we are done with the SOAP UI settings and let us proceed  with the changes required for Proxy and Business Services.

Proxy and Business Service changes

Open business service and navigate to Transport Detail tab. Select Client Certificate as shown below for Authentication and save changes.

bsclientcert_thumb[3]

Open proxy service and navigate to Security –> Security Settings tab. Click search icon for Service Key Provider.

proxyskp_thumb[3]

Click Search and select the one that we have created earlier as shown below and click OK.

psskp1_thumb[3]

Now Security tab should show your selection as below.

psskp2_thumb[2]

Remember that you have to create OSB session before making changes and need to activate it once your changes are done.

You should see successful response as shown below, if you test your proxy service now.

success_thumb[3]

Please note that above logs are generated when following JVM options are set in setDomainEnv.cmd file for EXTRA_JAVA_PROPERTIES.

           -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

Service Bus 12c– Two way SSL

In this post, we will see how to enable two-way SSL in Service Bus 12c. The steps mentioned here have to be performed in addition to steps mentioned in the previous post.

Navigate to Servers –> osb_server1 –> SSL in WLS Admin Console. Expand Advanced section and set Two Way Client Cert Behavior as shown below. This would enforce WLS to request the Client certificate during SSL handshake and will result into an error if the client certificate is not present in trust store.

2ssl

Now create a keystore clientkeystore1.jks using following command and will  be used in SOAP UI.

keytool -genkeypair -keyalg RSA -alias localclient1 -keystore clientkeystore1.jks -storepass cljks123 -validity 360 -keysize 2048

Set global SSL Settings in SOAP UI as shown below by navigating to File –> Preferences. Specify the above created keystore and  password.

soapui

Restart OSB managed server. Now if you test your Proxy Service from SOAP UI, you would see an error like below in the server log as the trust store does not have the client certificate.

sslerror

So export and import corresponding Client Certificate into the OSB trust store using following commands.

keytool -exportcert -alias localclient1 -keystore clientkeystore1.jks -file localclient1.cer

keytool -importcert -alias localclient1 -keystore osbkeystore.jks -file localclient1.cer

clientstore

Now test your Proxy Service from SOAP UI and you would see the response as expected without any error. And now the server log will be shown like below.

sslsuccess

Please note that above logs are generated when following JVM options are set in setDomainEnv.cmd file for EXTRA_JAVA_PROPERTIES.

           -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

Service Bus 12c– One way SSL

In this post, we will see how to configure Service Bus to use One way SSL.

Here, we are not discussing about the SSL concepts and people who want to go through quick introduction of SSL can go through this.

In Summary, following are the steps to be followed:

  • Generate Custom Identity and Trust stores.
  • Enable SSL port.
  • Setting up the keystores.
  • Configure private keys for SSL

Please note that, JSSE (Java Secure Socket Extension)  is the only supported SSL implementation. The Certicom-based SSL implementation is removed and is no longer supported in WebLogic Server.

Create a folder keystores %FMW_HOME% to store all of your keystores used and issue the following command to generate a keystore for Admin server use as shown below.

keytool -genkeypair -keyalg RSA -alias localadmin -keystore adminkeystore.jks -storepass adjks123 -validity 360 -keysize 2048

createks

This creates keystore adminkeystore.jks having both public and the private keys with alias localadmin. You can observe the contents of keystore using the following command.

keytool -list -v -keystore adminkeystore.jks

jkscontents

Similarly, create other keystores to use for OSB and SOA managed servers and also a keystore to use for the client as shown below.

keystores

Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.

sslenable

By Default, WLS uses the Demo Identity and Trust keystores and you can find them in %DOMAIN_HOME/security and %WLS_HOME%/server/lib. Oracle strictly recommends to use the Custom keystores at least for the Production environments. Hence we will use the custom keystores in this post.

Go to Keystores tab and click Change.

demoks

Select Custom Identity and Custom  Trust as shown below and click Save.

customks

Modify Custom Identity and Trust stores as shown below and here you also need to give keystore password. Click Save.

customks1

Go to SSL tab and give the Private key alias as shown below.

sslsetup

Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.

sslsetup1

Modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to use following parameters and restart the admin server. This is required as to instruct WLS server to load trusted certificates.

-Dweblogic.security.SSL.trustedCAkeystore=C:\Oracle\Middleware\FMW1213New \keystores\adminkeystore.jks -Djavax.net.ssl.trustStorePassword=adjks123

Now you should be able to access WLS admin console using following URL and this confirm the SSL is configured on your admin server.

http://localhost:7002/console

You can refer to WLS documentation here for more information on this.

The following error is observed when we use a keystore as Trust store with zero trust certificates.

<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: No certs to
copy.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: No trusted
CAs available to populate trust anchors.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: Error initi
alizing trust manager factory: the trustAnchors parameter must be non-empty.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at weblogic.security.SSL.jsseadapter.JaTrustManager.<init>(JaTrustManager.java:57)
at weblogic.security.SSL.jsseadapter.JaSSLContextImpl.initializeContext(JaSSLContextImpl.java:654)

To debug SSL, modify EXTRA_JAVA_PROPERTIES  in setDomainEnv.cmd to include the following parameters.

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

To enable javax.net debugging include the following parameter.

-Djavax.net.debug=all

To eliminate this error, you can install any trust certificate into localadmin.jks or use cacerts keystore (available in %WLS_HOME%/server/lib) as Trust store. Here i have exported Public Certificate from clientkeystore.jks and got that imported into localadmin.jks.

Use the following command to export:

            keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

Use the following command to import:

             keytool -importcert -alias localclient -keystore adminkeystore.jks -file localclient.cer

Now verify the contents of your keystore as below.

              keytool -list -v -keystore adminkeystore.jks

localcer

Similarly, configure OSB managed server using keystore osbkeystore.jks and use 7005 as the SSL port. Restart the OSB server after your changes.

osbsslport

osbsslks

osbsslks1

To enable your proxy services to be accessed only by SSL, you have to enable HTTPS option as below.

osbsslps

Now if you try to access your Proxy Service WSDL from browser, it will be automatically uses SSL as shown below.

osbwsdl

Most of the people uses SOAP UI to test their webservices. If you try to access this WSDL, you will be able to access from SOAP UI even without adding the required certificates to trust store. This is because SOAP UI trusts all by default as per this forum post.

To confirm the enablement of SSL on the Proxy Service, let us try to create a Webservice Proxy in JDeveloper that prompts to accept/trust the certificate.

jdevcert

Observation:

When you enable SSL debugging, you might observe the following exception in server log though your 1-way SSL works as expected. As per Oracle Support note 1606295.1, this is not a harmful exception.

<1425221899641> <BEA-000000> <Exception processing certificates: peer not authenticated javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at weblogic.servlet.provider.WlsSecurityProvider.getSSLAttributes(WlsSecurityProvider.java:222)
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(VirtualConnection.java:165)
at weblogic.servlet.internal.VirtualConnection.init(VirtualConnection.java:75)
at weblogic.servlet.internal.ServletRequestImpl.initFromRequestParser(ServletRequestImpl.java:312)
at weblogic.servlet.internal.HttpConnectionHandler.dispatch(HttpConnectionHandler.java:577)
at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:131)
at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:216)
at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:186)
at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:216)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:970)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:907)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:495)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:461)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)


Advertisements

Pages

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 349 other followers

Enter your email address to follow this blog and receive notifications of new posts by email.