The document provides an overview of SSL configuration in Oracle WebLogic Server. It discusses key SSL concepts like key pairs, certificates, and certificate authorities. It describes how WebLogic uses Java keystores for identity and trust, and the tools like keytool and orapki that can be used to manage keys and certificates. The document also covers best practices for SSL configuration in WebLogic like always enabling hostname verification and not using demo certificates in production.

1. Oracle WebLogic Server in Practice:
SSL Configuration
Jacco Landlust, Oracle
Simon Haslam, Veriton

2. Jacco & Simon
Jacco:
◦ Domain Architect Director at Oracle Consulting
◦ Oracle ACE
Simon:
◦ Founder of Veriton and now
◦ Oracle ACE Director (Middleware & SOA)
◦ UKOUG App Server & Middleware SIG Chair

3. Agenda
Concepts you need
 WebLogic & SSL
 Tools & Commands to manage keys


4. Essential Concepts

key-pair (asymmetric)

certificate

certificate authority (CA)
◦ one key to encrypt, a different key to decrypt
◦ you make one your private key, the other your public key
◦ unique to you
◦ public key
◦ signed
◦ signs certificates
◦ is independently trusted

5. Old school Identity Management

6. Identity
certificate authority
1. person sends me their cert
2. I look at who it is signed by
3. If I trust the person it is
signed by I accept their identity
signed
by
certificate
person I want to
communicate with
me

8. Trust
certificate authority B
1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the person it
is signed by I look at who
they are signed by and so on
certificate authority A
certificate
person I want to
communicate with
me

9. Certificate Chain
root certificate authority
.
.
certificate authority B
certificate authority A
certificate
me

11. Certificate Chain
root CA
root CA
.
.
certificate authority B
root CA
Trust
Keystore
certificate authority A
certificate
me

13. Establishing my Identity
root CA
.
.
certificate authority B
certificate authority A
Identity
Keystore
me
certificate

14. What's in the Certificate






The public key
Registered name/details of owner
Validity
Identity of CA
Location of CA Revocation List
Hash function summary (encrypted by CA key)

15. How do I know certificate is valid?
Client recreates summary "as they should be" (from
~hostname/validity)
So by now we have the
 Client hash function on summary and which we
server's public key encrypts using
can secure traffic with
CA public key
 Client compares result to public key offered by server
 If same client now has the public key for the certificate
owner and can check validity, (optionally) CRL, etc


16. Agenda
Concepts you need
 WebLogic & SSL
 Tools & Commands to manage keys


17. Common tools to manage certificates
keytool
 openssl
 orapki / Oracle Wallet Manager


18. Overall process for creating certificate
1.
create key pair
◦ could be self signed - not much use unless every recipient is
going to add you to their trust keystore
create CSR
3. give CSR to CA
4. receive certificate back from CA
2.

19. Key Stores

For Fusion Middleware we're interested in:
◦ Java Keystores (JKS)
◦ Oracle Wallet (PKCS12 format)

Either:
◦ contains one or more certificates
◦ each certificate has a CN, and usually has an alias
◦ can contain both public and private keys

20. Type of keystore per component
Type of Keystore
Tasks
Tool
Oracle WebLogic Server
JKS-based Keystore
All Keystore operations
JDK Keytool
Oracle WebLogic Server
JKS-based Keystore
Enable SSL
Oracle WebLogic Server
Administration Console
All Java EE applications (for
example Oracle Directory
Integration Platform, Oracle
Directory Services Manager)
JKS-based Keystore
All Keystore operations
JDK Keyt

21. Type of keystore per component 2
Type of Keystore
Tasks
Tool
Oracle HTTP Server
Oracle Web Cache
Oracle Internet Directory
Oracle Wallet
Create Wallet, Create Certificate
Request, Delete Wallet, Import
Certificate, Export Certificate,
Enable SSL
Fusion Middleware Control,
WLST
Oracle Wallet Manager and
orapki for PKCS#11 or
Hardware Security Modules
(HSM)-based wallets. Also for
environments where Fusion
Middleware Control and WLST
are not available (such as a
stand-alone upgrade of these
components without a domain).
Oracle Virtual Directory
JKS-based Keystore
Create KeyStore, Create
Certificate Request, Delete
KeyStore, Import Certificate,
Export Certificate, Enable SSL
Fusion Middleware Control,
WLST
Oracle SOA Suite
JKS-based Keystore
All Keystore operations
JDK Keytool
Oracle WebCenter
JKS-based Keystore
All Keystore operations
JDK Keytool

22. How WebLogic states its Identity

Identity comes from a Java Keystore "identity
keystore"
◦ must contain a certificate & key-pair matching alias

Each WebLogic server instance (Admin Server and
Managed Servers) has to have an identity keystore to
do SSL

23. How WebLogic Establishes Trust


Trust comes from another JKS "trust keystore"
Choice of standalone JKS or to use the one in the JDK
trust (stored with JRE)

Note:
◦ DemoIdentity
◦ DemoTrust

25. WebLogic Identity/Trust Combinations

Demo Identity and Demo Trust (default - not for prod)
◦ CN=hostname, signed by BEA CA that anyone can sign with

Custom Identity and Java Standard Trust
◦ determine trust from java/…

Custom Identity and Custom Trust
◦ our own identity and trust keystores

Custom Identity and Command Line Trust
◦ our own identity but trust keystore specified in start-up param

26. Certificates Required

Server sends out its cert when someone tries to
connect over SSL (i.e. one way) but can optionally
request cert from client (two way) - console options:
◦ Client Certs Not Requested
◦ Client Certs Not Requested but Not Enforced
◦ Client Certs Requested and Enforced

27. Hostname Verification
◦ None
◦ BEA Hostname Verifier
◦ Custom Hostname Verifier
 e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier

What does none mean?
◦ Cert is requested but does not have a CN for the host WebLogic is
trying to connect to. It could be any old certificate.

28. Set ignoreHostnameVerification = true?!?

We strongly recommend enabling hostname
verification in all test and production environments.

Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle
recommends leaving host name verification on in production environments"

29. Agenda
Concepts you need
 WebLogic & SSL
 Tools & Commands to manage keys


30. Keystore Naming Conventions


Do not use a name longer than 256 characters
Do not use any of the following characters in a
keystore name:
| ; , ! @ # $ ( ) < > / " ' ` ~ { } [ ] = + & ^ space tab
 Do not use non-ASCII characters in a keystore name
 Additionally, follow the operating system-specific rules
for directory and file names

31. Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any
directory on the file system is not supported.
Any existing pre-11g keystore or wallet that you wish to use
must be imported using either Fusion Middleware Control or
the WLST utility.
http://docs.oracle.com/cd/E21764_01/core.1111/e10105/w
allets.htm

32. Generate self signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS}
-storepass ${JKS_PASSWORD} -validity 360 -keysize 2048
-keypass ${KEY_PASSWORD}
What is your first and last name?
[Unknown]: somehost.localdomain
What is the name of your organizational unit?
[Unknown]: Example Department
What is the name of your organization?
[Unknown]: Example Company
What is the name of your City or Locality?
[Unknown]: Manchester
What is the name of your State or Province?
[Unknown]: West Midlands
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands,
C=GB correct?
[no]: yes
Enter key password for <selfsigned>
(RETURN if same as keystore password):

33. Generate self signed certificate 2
keytool -genkey -keyalg RSA -alias selfsigned
-keystore ${JKS}
-dname "CN=`hostname`, OU=Example Department, O=Example
Company, L=Manchester, ST=West Midlands, C=GB"
-storepass ${JKS_PASSWORD}
-validity 360 -keysize 2048
This must be the
-keypass ${KEY_PASSWORD}
hostname that clients
use to connect to you.
E.g. may be a CNAME
or a VIP

34. Create key pair
keytool -genkey
-alias `hostname`
-keyalg RSA
-keystore ${JKS}
-keysize 2048

35. Create certificate signing request
keytool -certreq
-alias `hostname`
-keystore ${JKS}
-file ${REQUEST_FILE}

36. Import a signed certificate from CA
keytool -import
-trustcacerts
-alias `hostname`
-file ${SIGNED_CERT}
-keystore ${JKS}

37. List contents of keystore
keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West
Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West
Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
MD5: DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3

38. keytool commands for checking

Check a stand-alone certificate
keytool -printcert -v -file ${CERTIFICATE}

Check which certificates are in a Java keystore
keytool -list -v -keystore ${JKS}

Check a particular keystore entry using an alias
keytool -list -v -keystore ${JKS} -alias ${ALIAS}

39. Other useful keystore commands

Delete a certificate from a Java Keytool keystore
keytool -delete -alias ${ALIAS} -keystore ${JKS}

Change a Java keystore password
keytool -storepasswd -new ${NEW_PASSWORD}
-keystore ${JKS}

Export a certificate from a keystore
keytool -export -alias ${ALIAS} -file ${CERTIFICATE}
-keystore ${JKS}

40. Copy key to other keystore
SRC_ALIAS=cn=`hostname`
keytool -importkeystore
-srckeystore ${JKS}
-srcstorepass ${JKS_PASSWORD}
-destkeystore ${IDENTITY_KS}
-deststorepass ${ID_KS_PASSWORD}
-srcalias ${SRC_ALIAS}
-destalias `hostname`
-destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF

41. Convert wallet to keystore
orapki wallet pkcs12_to_jks
-wallet ${WALLET}
-pwd ${WALLET_PASSWORD}
-jksKeyStoreLoc ${JKS}
-jksKeyStorepwd ${JKS_PASSWORD}
-jksTrustStoreLoc ${TRUSTSTORE}
-jksTrustStorepwd ${TRUSTSTORE_PASSWORD}

42. Convert keystore to wallet
orapki wallet create -wallet ${WALLET}
-pwd ${WALLET_PASSWORD} -auto_login
orapki wallet jks_to_pkcs12 -wallet ${WALLET}
-pwd ${WALLET_PASSWORD} -keystore ${JKS}
-jkspwd ${JKS_PASSWORD}

43. About Importing DER-encoded
Certificates


You cannot use Fusion Middleware Control or
the WLST command-line tool to import DER-encoded certificates
or trusted certificates into an Oracle wallet or a JKS keystore.
Use these tools instead:
To import DER-encoded certificates or trusted certificates into
an Oracle wallet, use:
◦ Oracle Wallet Manager or
◦ orapki command-line tool

To import DER-encoded certificates or trusted certificates into a
JKS keystore, use the keytool utility

44. Summary
We discussed how WebLogic uses Identity, Trust & CAs
• Always enable Hostname Verification!
• Never use Demo Certs - do SSL properly or not at all 
•

45. Questions?
Contact us! (e.g. DM on Twitter)
Jacco: @oraclemva
Simon: @simon_haslam