Sunday, 30 August 2020

SSL (HTTPS) Implementation in WebLogic and Managed servers.

 All the commands below reference $MIDDLEWARE_HOME for FMW 11g. If using FMW 12c, replace $MIDDLEWARE_HOME with $ORACLE_HOME.

1. Create a directory, for example: $MIDDLEWARE_HOME/keystores

cd /oracle/ofm/Oracle/Middleware ---> (MW_HOME)

$mkdir keystores

2. Run the following to set the environment on UNIX:

ofm11g@host:/ofm/Oracle/Middleware$ cd /ofm/Oracle/Middleware/user_projects/domains/PWCUAT/bin

$./setDomainEnv.sh

3. Create a keystore and private key, by executing the following command:

Syntax: CN=host.DOMAIN.com (Common Name), OU=organization  (Organization Unit), O=Organization (Organization), L=organization  Street (Locality Unit), ST=Doha, (State Province) C=QA (Country)"

ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -genkey -alias server_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=host.DOMAIN.com, OU=organization , O=Organization, L=organization  Street, ST=Doha, C=QA" -keypass password -keystore keystore.jks -storepass password

ofm11g@host:/ofm/Oracle/Middleware/keystores$ ls

keystore.jks

4. At this point take a backup of the keystore e.g: keystore.jks

ofm11g@host:/ofm/Oracle/Middleware/keystores$ cp -pr keystore.jks keystore.jks-org

5. To view the contents of the keystore created, execute the following command:

ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -list -v -keystore keystore.jks -storepass password

6. Create a Certificate Signing Request (CSR) using the following command:

keytool -certreq -v -alias server_cert -file hpsuaterver.csr -sigalg SHA256withRSA -keypass password -storepass password -keystore keystore.jks

ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -certreq -v -alias server_cert -file hpsuaterver.csr -sigalg SHA256withRSA -keypass password -storepass password -keystore keystore.jks

Certification request stored in file <hpsuaterver.csr>

Submit this to your CA

ofm11g@host:/ofm/Oracle/Middleware/keystores$ ls

hpsuaterver.csr   keystore.jks      keystore.jks-org

Make sure you use the same -alias, -storepass and -keypass passwords from Step 3.

The CSR (server.csr) created looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END NEW CERTIFICATE REQUEST-----

7. Send this CSR to a Certificate Authority (CA) of your choice. They will provide two certificate server certificate and root certificate.

8. Once you have received the Certificate back you will need to import this along with the Trusted Root CA certificate(s) that signed it, into your keystore.

Take the server certificate and save it a file called server.cer. Take the Certificate Authority's root certificate and save to a file called rootCA.cer in your keystore directory e.g $MIDDLEWARE_HOME/keystores. Repeat this step for any more Root CA certificates in the chain e.g rootCA2.cer etc..

ofm11g@host:/ofm/Oracle/Middleware/keystores$ mv certnew.cer server.cer

ofm11g@host:/ofm/Oracle/Middleware/keystores$ mv UATroot.cer rootCA.cer

ofm11g@host:/ofm/Oracle/Middleware/keystores$ ls -lrt

total 26

-rw-r--r--   1 ofm11g   hps         2240 Jul 26 14:28 keystore.jks-org

-rw-r--r--   1 ofm11g   hps         2240 Jul 26 14:28 keystore.jks

-rw-r--r--   1 ofm11g   hps         1035 Jul 26 14:39 hpsuaterver.csr

-rw-r--r--   1 ofm11g   hps         2090 Jul 27 13:40 server.cer

-rw-r--r--   1 ofm11g   hps         1328 Jul 27 13:40 rootCA.cer

ofm11g@host:/ofm/Oracle/Middleware/keystores$

9. Import the CA's root certificate into your keystore using the following command:

Syntax: keytool -import -v -noprompt -trustcacerts -alias <alias> -file <rootca_file> -keystore <keystore> -storepass <password>

ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass password

Certificate was added to keystore

[Storing keystore.jks]

If there are other intermediate trust certificates, repeat this for each trust certificate using a different alias each time.

10. Import the Server Certificate into your keystore using the following command:

Syntax: keytool -import -v -noprompt -trustcacerts -alias <alias> -file <rootca_file> -keystore <keystore> -storepass <password>

ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -import -v -alias server_cert -file server.cer -keystore keystore.jks -keypass password -storepass password

Certificate reply was installed in keystore

[Storing keystore.jks]

Make sure you use the same -alias from Step 3.

11. To view the contents of the keystore, execute the following command:

Syntax: keytool -list -v -keystore keystore.jks -storepass <PASSWORD>

ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -list -v -keystore keystore.jks -storepass password

12. At this point the keystore is now ready for use. To use this Keystore with WLS please refer back to the Master Note for your version:

Configuring Oracle WebLogic Server (10.3.x - 12.1.x) to Use SSL in Fusion Middleware 11g/12c (Doc ID 1235653.1)

Step II: Configure WebLogic Server for SSL

The steps below take you through configuring SSL for a Managed Server.

The steps assumes the reader understands how to start the Admin Server and Managed Server.

1. Start the Admin Server in the Domain

2. Login to the WLS console e.g: http://10.0.00.11:7001/console

3. Select 'Environment' -> 'Servers' and click on the server you want to configure

4. Select the 'Keystores' tab

5. Select 'Keystore -> 'Change'

6.Select 'Custom Identity and Custome Trust'from the drop down list and click 'Save'

7. Enter the relevant information in the Keystores page:

'Custom Identity Keystore' : /ofm/Oracle/Middleware/keystores/keystore.jks

'Custom Identity Keystore' : JKS

'Custom Identity Keystore Passphrase' : password

'Confirm Custom Identity Keystore Passphrase' : password

'Custom Trust Keystore' : /ofm/Oracle/Middleware/keystores/keystore.jks

'Custom Trust Keystore Type' : JKS 

'Custom Trust Keystore Passphrase' : password

'Confirm Custom Trust Keystore Passphrase' : password

Click 'Save'

13. Select the 'SSL' tab and enter the relevant information:

'Private Key Alias' : server_cert

'Private Key Password' : password

'Confirm Private Key Password': password

Click 'Save'

14. Select 'Environment' -> 'Servers' and click on the Managed Server configured

 In the 'General' tab:

Check 'SSL Listen Port Enabled'

'SSL Listen Port' : <port> e.g 7012 (make sure this is not used by another process)

Click Save

And Click on adnvace and check the Use JSSE SSL and save the changes.

15. Implement the SSL for managed servers. Follow the steps from 12 to 15 for remaining servers.

16 . Click on Environment->Servers-> AdminServer or Managed Server-> Click on SSL -> Click on Advance --> HostnameVerification "Node" --> Click on save -> Activate the changes.

17. Add SSL parameter in nodemanager.

# Added following parameters in nodemanager.properties

KeyStores=CustomIdentityAndCustomTrust

CustomIdentityKeyStoreFileName=/ofm/Oracle/Middleware/keystores/keystore.jks

CustomIdentityKeyStorePassPhrase=password

CustomIdentityAlias=server_cert

CustomIdentityPrivateKeyPassPhrase=password


# added this parameter in startNodeManager.sh

JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"

export JAVA_OPTIONS

# Validate your certificate.

cd $DOMAIN_HOME/bin

-bash-3.2$ . ./setDomainEnv.sh

-bash-3.2$ java  utils.ValidateCertChain -jks server_cert /ofm/Oracle/Middleware/keystores/keystore.jks

Cert[0]: CN=host.DOMAIN.com,OU=organization ,O=Organization,L=organization  Street,ST=Doha,C=QA

Cert[1]: CN=Organization-BBSFADS001-CA,dc=Organization,dc=local

Certificate chain appears valid

17. Ask your network/security team to allow new SSL ports (7012/9011/9012) between your machine and server.

18. Restart all the weblogic server services.

19. Test the below new SSL URL should be open.

https://10.0.00.11:7012/console

20. Disable http port and restart the services.

1. In WebLogic Administration Console:

2. Click Lock and Edit.

3. Select Environment, Clusters, and select cluster_forms.

4. Select Configuration, and the Replication tab.

5. Select secure replication enabled.

6. Click Save.

7. Click Activate Changes.

Please do the above steps for cluster_reports also.

Note: Please take config.xml back-up before doing any changes in weblogic console.

++++++++++++++Start the Application  services. +++++++++++++====

echo "Starting up the AdminServer ..."

nohup $DOMAIN_HOME/bin/startWebLogic.sh  &

sleep 60

echo "Starting Node Manager ..."

nohup $WL_HOME/server/bin/startNodeManager.sh &

sleep 5

echo "Starting Forms Server 11G................."

nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh WLS_FORMS https://10.0.00.12:7012 &

sleep 60

echo "Starting Reports Server 11G................."

nohup sh $DOMAIN_HOME/bin/startManagedWebLogic.sh WLS_REPORTS https://10.0.00.12:7012 &

sleep 90

echo "Starting OPMN ALL ............................"

opmnctl startall

=====================

Oracle Reference Documents:

=====================

Configuring Oracle WebLogic Server (10.3.x - 12.1.x) to Use SSL in Fusion Middleware 11g/12c (Doc ID 1235653.1)

How To Create a Java Keystore via Keytool in FMW 11g/12c (Doc ID 1230333.1)

No comments:

Post a Comment

OS Watcher Installation in RAC

 Step:1 Download and untar the oswbb812.tar under the grid user in RAC on the both nodes. Follow the OS Watcher User's Guide (Doc ID 153...