SSL on Weblogic Made Simple – PART1
What is SSL?
SSL is short for Secure Sockets Layer. The SSL protocol was developed by Netscape, and its successor TLS (Transport Layer Security) is supported by all popular web browsers such as Internet Explorer, Mozilla Firefox, Google Chrome, and Opera. The name "SSL" lives on in product and property names (WebLogic's SSL listener, Java's javax.net.ssl.* properties) even though the SSL protocol versions themselves are obsolete and every current deployment actually negotiates TLS. For SSL to work, an SSL certificate issued by a Certificate Authority (CA) that the clients trust must be installed on the web server. SSL can then be used to encrypt the data transmitted between a browser and web server (and vice versa) and, just as importantly, lets the browser verify that it is talking to the server named in the URL. Browsers indicate an SSL-secured session by using the https scheme instead of http and displaying a small padlock. Web site visitors can click on the padlock to view the SSL certificate.
Middleware/Weblogic Deals with an Identity Keystore and a Trust Keystore
Many environments keep these two stores in the same file, but they can be separated, and from a security standpoint they should be: the identity keystore holds a private key and must be tightly permissioned, while the trust keystore holds only public CA certificates and can be shared freely.
Custom Identity and Custom Trust is the option we use in weblogic for configuring our own Identity and Trust. The other choices (Demo Identity and Demo Trust, Custom Identity and Java Standard Trust, Custom Identity and Command Line Trust) are covered later; the demo keystores ship with publicly known keys and must never be used outside a sandbox.
Identity Keystore
What happens when a client calls a server that has an SSL listener enabled on it?
At runtime, on receiving the server's digital certificate, the client checks the issuing CA and, if that CA is one the client trusts (or chains up to a CA the client trusts), the identity of the server is established/verified. Thus the "identity" of the server is established by what is stored in the "identity" keystore, and its contents are what is handed out to clients establishing secure connections with the server, who then verify the supplied digital certificate's CA against the client's own list of trusted CAs. The "identity keystore" is also referred to as the "server keystore", because it establishes the server's identity (i.e. I am who I say I am).
This keystore stores the server certificate (private key/digital certificate pairs). When a client contacts the server, the digital certificate held in this keystore is sent, together with the intermediate CA certificates of its chain; the private key never leaves the server and is only used during the handshake to prove possession of the certificate.
Trust Keystore
The trust keystore is typically used for storing CA digital certificates; essentially the CAs that will be used to check any digital certificates presented to the server at runtime (just as the client did above). In standard 1-way SSL between a client and the WLS server, the server's trust keystore does not come into the equation for inbound connections: the client has its own trust keystore (containing the CAs) and the server has nothing to verify. Note, however, that the server's trust keystore is still consulted whenever WebLogic itself acts as an SSL client, for example for outbound calls to an LDAP server, a JDBC data source or a web service over SSL, so a CA missing from it shows up as a failed outbound connection rather than a failed inbound one.
In the case of mutual SSL (aka 2-way SSL) between the client and server, the client and server exchange digital certificates to establish the identity of both parties, and in this case the server must be able to test the identity of the client through the CA of the client's digital certificate.
The trust keystore therefore contains the CA certificates of all trusted partners. When the server connects to a partner, or is connected to by one under 2-way SSL, it uses this keystore to decide whether the partner's certificate is acceptable.
Identity Store has the private Key plus the Server/Intermediate/Root Certificate chain
Trust Store has the Root/Intermediate CAs of trusted servers/hosts/URLs
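The verification walk described above, as an added example in Python (it is not part of the original post and not WebLogic code). Certificates carry only a subject, an issuer and a CA flag, and matching a certificate's issuer to a CA's subject by name stands in for the signature check a real TLS stack performs; all certificate names are constructed. What it shows is which store must hold which certificate: a server that sends only its leaf fails against a client that trusts only the root, and under 2-way SSL the server's own trust store decides whether the partner's client certificate is accepted.

```python
"""Model of the identity/trust split: which store must hold which certificate
for one-way and two-way SSL. Added example, not WebLogic code. Name matching
stands in for signature verification; every name below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False  # models the X.509 basicConstraints CA flag


def verify_chain(presented, trust_store, max_depth=6):
    """Verify a chain sent by a peer. Returns (ok, path_of_subjects).

    presented:   leaf first, then the intermediates the peer sends (what the
                 peer's identity store contains besides the private key).
    trust_store: CA certificates the verifier trusts (its trust store).
    The walk succeeds as soon as the current certificate is a trust anchor
    itself, or was issued by one; it fails when the next issuer is neither
    trusted nor among the presented intermediates.
    """
    if not presented:
        return False, []
    leaf, *sent_cas = presented
    anchors = {c.subject for c in trust_store}
    # Only CA certificates may appear above another certificate in the path;
    # an end-entity certificate that "issued" something is ignored as an issuer.
    intermediates = {c.subject: c for c in sent_cas if c.is_ca}
    path = [leaf.subject]
    current = leaf
    for _ in range(max_depth):
        if current.subject in anchors:
            return True, path
        if current.issuer in anchors:
            return True, path + [current.issuer]
        nxt = intermediates.get(current.issuer)
        if nxt is None or nxt.subject in path:
            return False, path  # incomplete chain, or a loop
        path.append(nxt.subject)
        current = nxt
    return False, path  # chain longer than we are willing to follow


# Constructed sample PKI (names are invented; no real certificates involved).
CORP_ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA", is_ca=True)
CORP_ISSUING = Cert("CN=Corp Issuing CA", "CN=Corp Root CA", is_ca=True)
WLS_SERVER = Cert("CN=wls01.example.com", "CN=Corp Issuing CA")
PARTNER_ROOT = Cert("CN=Partner Root CA", "CN=Partner Root CA", is_ca=True)
PARTNER_CLIENT = Cert("CN=partner-app", "CN=Partner Root CA")
ROGUE = Cert("CN=evil.example.com", "CN=wls01.example.com")  # "issued" by a leaf


def one_way_full_chain():
    # Identity store: key + server cert + intermediate. Client trusts the root.
    return verify_chain([WLS_SERVER, CORP_ISSUING], [CORP_ROOT])


def one_way_missing_intermediate():
    # Identity store holds only the server cert: the client cannot reach the root.
    return verify_chain([WLS_SERVER], [CORP_ROOT])


def one_way_client_trusts_intermediate():
    # Same incomplete chain, but the client's trust store has the issuing CA.
    return verify_chain([WLS_SERVER], [CORP_ISSUING])


def two_way_ssl(server_trust_store):
    # Mutual SSL: the client checks the server as before, and the server now
    # checks the client against its own trust store.
    client_ok, _ = verify_chain([WLS_SERVER, CORP_ISSUING], [CORP_ROOT])
    server_ok, _ = verify_chain([PARTNER_CLIENT], server_trust_store)
    return client_ok and server_ok


def rogue_chain():
    # A cert signed with the server's key must not verify: the server cert is not a CA.
    return verify_chain([ROGUE, WLS_SERVER, CORP_ISSUING], [CORP_ROOT])


if __name__ == "__main__":
    print("1-way, full chain sent:         ", one_way_full_chain())
    print("1-way, intermediate missing:    ", one_way_missing_intermediate())
    print("1-way, client trusts issuing CA:", one_way_client_trusts_intermediate())
    print("2-way, server trusts Corp only: ", two_way_ssl([CORP_ROOT]))
    print("2-way, server trusts Partner:   ", two_way_ssl([CORP_ROOT, PARTNER_ROOT]))
    print("leaf used as issuer:            ", rogue_chain())
```

The missing-intermediate case is the one that bites most often in practice: the handshake works from a browser that happens to have the issuing CA cached, and fails from a Java client that trusts only the root. Putting the full chain into the identity keystore, as the list above prescribes, removes that dependency on the client.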
JAVA COMMAND LINE OPTIONS for SSL
CLIENT_KEYSTORE="full path to your server's identity keystore"
TRUST_STORE=$JAVA_HOME/jre/lib/security/cacerts
(On JDK 9 and later the bundled trust store is $JAVA_HOME/lib/security/cacerts; the jre/ directory no longer exists. Note also that cacerts trusts every public CA shipped with the JDK, which is more than a partner-facing trust store should.)
TRUST STORE OPTIONS
SSL_OPTIONS="-Djavax.net.ssl.trustStore=$TRUST_STORE "
SSL_OPTIONS="$SSL_OPTIONS -Djavax.net.ssl.trustStorePassword=$trustpass "
KEYSTORE OPTIONS
SSL_OPTIONS="$SSL_OPTIONS -Djavax.net.ssl.keyStore=$CLIENT_KEYSTORE "
SSL_OPTIONS="$SSL_OPTIONS -Djavax.net.ssl.keyStorePassword=$keypass "
Passwords given as -D system properties are visible to every local user through ps or /proc/<pid>/cmdline; prefer configuring the keystores and their passwords in the WebLogic console (where they are stored encrypted in config.xml) over passing them on the command line.
SSL DEBUG OPTIONS
SSL_OPTIONS="$SSL_OPTIONS -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true "
SSL_OPTIONS="$SSL_OPTIONS -Djavax.net.debug=ssl,handshake,verbose "
Weblogic:
-Dweblogic.security.SSL.trustedCAKeyStore=<your keystore>
(Trusted CA store in weblogic)
Disable hostname verification:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
(OR)
-Dweblogic.security.SSL.hostnameVerifier=examples.security.sslclient.NulledHostnameVerifier
Either setting makes WebLogic accept a certificate for any host name, so a valid certificate from any CA in the trust store can be used to impersonate the peer. Use it only to get a test environment working and remove it before going to production; the real fix is a certificate whose subject CN or subjectAltName matches the host name the server is called by.
To diagnose an SSL issue, add the following to the java command line:
-Dweblogic.security.SSL.verbose=true
-Dssl.debug=true
-Dweblogic.StdoutDebugEnabled=true
These flags write handshake details and certificate contents to the server's stdout/log; turn them off again once the issue is resolved, since they are noisy and expose more about the configuration than a production log should.
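Because the options above are typically pasted into setDomainEnv.sh during troubleshooting and then forgotten, it pays to audit the running JVM's command line for them. The following is an added example in Python, not part of the original post and not an Oracle tool: it parses the -D properties from a java command line (as printed by ps -o args= -p <pid>) and reports the settings this section warns about. The property names are the real ones; the severities and the two sample command lines are constructed for the example.

```python
"""Audit the -D system properties of a WebLogic JVM command line for the risky
SSL settings discussed above. Added example; not part of the post and not an
Oracle tool. The property names are real, the severities are a judgement call."""
import shlex

DEBUG_PROPERTIES = (
    "ssl.debug",
    "weblogic.StdoutDebugEnabled",
    "weblogic.security.SSL.verbose",
    "javax.net.debug",
)
PASSWORD_PROPERTIES = (
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStorePassword",
)


def parse_system_properties(cmdline):
    """Return {name: value} for every -Dname=value token; bare -Dname maps to ''."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def audit_ssl_properties(props):
    """Return a list of (severity, message) findings for the given properties."""
    findings = []
    if props.get("weblogic.security.SSL.ignoreHostnameVerification", "").lower() == "true":
        findings.append(("HIGH", "hostname verification disabled: any certificate from a "
                                 "trusted CA is accepted for any host"))
    verifier = props.get("weblogic.security.SSL.hostnameVerifier", "")
    if verifier.endswith("NulledHostnameVerifier"):
        findings.append(("HIGH", f"hostname verifier {verifier} accepts every host name"))
    for name in PASSWORD_PROPERTIES:
        if name in props:
            findings.append(("MEDIUM", f"{name} passed on the command line; readable via ps"))
    for name in DEBUG_PROPERTIES:
        value = props.get(name)
        if value is not None and value.lower() not in ("", "false"):
            findings.append(("LOW", f"SSL debug output enabled: -D{name}={value}"))
    trust = props.get("javax.net.ssl.trustStore", "")
    if trust.endswith("cacerts"):
        findings.append(("LOW", "trust store is the JDK cacerts bundle: every public CA in it "
                                "is trusted for outbound and mutual SSL; use a dedicated store "
                                "holding only partner CAs"))
    return findings


def audit_cmdline(cmdline):
    return audit_ssl_properties(parse_system_properties(cmdline))


# Constructed sample: a troubleshooting-era command line that was never cleaned up.
SAMPLE_CMDLINE = (
    "java -Dweblogic.Name=AdminServer "
    "-Djavax.net.ssl.trustStore=/u01/jdk/jre/lib/security/cacerts "
    "-Djavax.net.ssl.trustStorePassword=changeit "
    "-Djavax.net.ssl.keyStore=/u01/keystores/identity.jks "
    "-Djavax.net.ssl.keyStorePassword=secret "
    "-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true "
    "-Dweblogic.security.SSL.ignoreHostnameVerification=true "
    "weblogic.Server"
)
# Constructed sample: dedicated trust store, no passwords or debug flags on the line.
CLEAN_CMDLINE = (
    "java -Dweblogic.Name=AdminServer "
    "-Dweblogic.security.SSL.trustedCAKeyStore=/u01/keystores/trust.jks "
    "weblogic.Server"
)

if __name__ == "__main__":
    for severity, message in audit_cmdline(SAMPLE_CMDLINE):
        print(f"[{severity}] {message}")
```

Run it against every managed server's process, not just the admin server: the hostname-verification flag is most often left behind on a managed server that once had trouble talking to a partner.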
Certificate Formats
The primary certificate encodings are:
PEM
DER
PKCS#12
PEM
Can contain all of private keys (RSA and DSA), public keys (RSA and DSA) and (X.509) certificates. It stores the data as Base64-encoded DER, surrounded by ASCII "-----BEGIN ...-----" and "-----END ...-----" header and footer lines, so it is suitable for text mode transfers between systems, and one PEM file can hold several objects (for example a private key followed by the whole certificate chain).
DER
Distinguished Encoding Rules (DER) can contain all of private keys, public keys and certificates. It is the binary form defined by ASN.1, and the form in which certificates are actually carried in the TLS handshake; it is headerless, and PEM is just text-header-wrapped DER. Being binary, a DER file must be transferred in binary mode.
PKCS#12
Public Key Cryptography Standards #12 (PKCS#12) can contain private keys, public keys, and certificates together. It is a binary, password-protected container, also known as PFX files, and is the form in which a key and its certificate chain are usually exported from Windows or from a browser. Since JDK 9, PKCS#12 is also keytool's default keystore type, replacing the Java-specific JKS format WebLogic has traditionally used; WebLogic can read both, and keytool -importkeystore converts between them.
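To make the PEM/DER relationship concrete, here is an added example in Python (standard library only; it is not from the original post). It splits a PEM file into its blocks, Base64-decodes each back to DER, and walks the top-level ASN.1 tag-length-value records of the DER, including the long-form lengths that anything larger than 127 bytes uses. The sample PEM is built from a tiny hand-made DER structure rather than a real certificate, so the parser output is small enough to check by eye; the "TOY CERTIFICATE" label and the byte values are constructed.

```python
"""PEM and DER parsing for the formats described above. Added example, not
from the post. PEM = Base64(DER) between -----BEGIN/END x----- lines;
DER = ASN.1 tag-length-value records with minimal-length encoding."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text; one file may
    hold a key and a whole certificate chain. Base64 is validated strictly."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        out.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return out


def der_to_pem(label, der):
    """Wrap DER bytes as a PEM block with the customary 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def der_records(buf):
    """Decode the top-level ASN.1 TLV records in buf as [(tag, value_bytes), ...].
    Handles short-form and long-form lengths and rejects the indefinite and
    non-minimal length encodings that DER forbids (BER allows them, and lax
    parsers that accept them have been a recurring source of bugs)."""
    records = []
    i = 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("high tag number form not supported")
        if i >= len(buf):
            raise ValueError("truncated length")
        first = buf[i]
        i += 1
        if first < 0x80:
            length = first  # short form: one byte
        else:
            n = first & 0x7F  # long form: n following bytes hold the length
            if n == 0 or n > 4:
                raise ValueError("indefinite or oversized length is not DER")
            if i + n > len(buf):
                raise ValueError("truncated length")
            length = int.from_bytes(buf[i:i + n], "big")
            if length < 0x80 or buf[i] == 0:
                raise ValueError("non-minimal length encoding is not DER")
            i += n
        if i + length > len(buf):
            raise ValueError("truncated value")
        records.append((tag, bytes(buf[i:i + length])))
        i += length
    return records


def inspect_pem(text):
    """For each PEM block, list its top-level DER records as (tag, length)."""
    return [(label, [(tag, len(val)) for tag, val in der_records(der)])
            for label, der in pem_blocks(text)]


# Constructed sample DER: SEQUENCE { INTEGER 5, UTF8String "x" }
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 0c 01 78")
# Constructed sample with a long-form length: OCTET STRING of 200 bytes (0x81 0xC8)
LONG_DER = b"\x04\x81\xc8" + b"A" * 200
# Constructed two-block PEM "file" built from the DER above (not real certificates)
SAMPLE_PEM = der_to_pem("TOY CERTIFICATE", SAMPLE_DER) + der_to_pem("TOY CERTIFICATE", LONG_DER)

if __name__ == "__main__":
    print(SAMPLE_PEM)
    for label, records in inspect_pem(SAMPLE_PEM):
        print(label, ["tag 0x%02x, %d bytes" % r for r in records])
```

A real certificate decodes the same way: the outer record is a SEQUENCE (tag 0x30) whose value holds the tbsCertificate, the signature algorithm and the signature, which is why the outer length of a DER certificate is always the file size minus four.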