Thursday, July 16, 2020

Configure SSL on WebLogic 12c with CA Issued Certificate

WebLogic 12c ships with a demo identity keystore, which makes it very easy to set up SSL communication for WebLogic managed servers in a non-production environment. If you are deploying your application in production, however, especially one that is publicly accessible, a certificate issued by a Certificate Authority (CA) is absolutely necessary. To request and install a CA-issued certificate on WebLogic 12c, follow these steps.

1. Generate Private Key

The private key can be generated with the OpenSSL utility or the Java keytool utility; if the server is used only for WebLogic applications, keytool is recommended. Run one of the following commands to generate the private key:

    openssl genpkey -algorithm RSA -out <key-file-name> -pkeyopt rsa_keygen_bits:2048
    keytool -genkeypair -alias <alias name> -keyalg RSA -keystore <keystore filename> -keysize 2048
Sample output of openssl,
$ openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048
..........................................................................................+++
.........................+++
$
$ ls -l
-rw-r--r--. 1 oracle oinstall  1704 Jul 14 15:59 privatekey.pem

A 2048-bit RSA key is generated and saved in the file privatekey.pem.

Sample output of keytool,
$ keytool -genkeypair -alias dbaplus -keyalg RSA -keystore Identity.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  host01
What is the name of your organizational unit?
  [Unknown]:  lab
What is the name of your organization?
  [Unknown]:  dbaplus
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  ca
Is CN=host01, OU=lab, O=dbaplus, L=Unknown, ST=Unknown, C=ca correct?
  [no]:  yes

Enter key password for <dbaplus>
        (RETURN if same as keystore password):
$ ls -l
-rw-r--r--. 1 oracle oinstall 2221 Jul 14 17:11 Identity.jks

The private key is created inside the keystore file Identity.jks under the alias dbaplus given on the command line. Take note of the alias: the same alias is required when generating the Certificate Signing Request (CSR) and when installing the certificate.

2. Generate Certificate Signing Request

Execute one of the following commands to create the Certificate Signing Request (CSR):

   openssl req -new -key <key-file-name> -out <csr-file-name>
   
   keytool -certreq -keyalg RSA -alias <alias-name> -file <csr-file-name> -keystore <keystore-file-name>

Example of running openssl,
$ openssl req -new -key privatekey.pem -out dbaplus.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ca
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:dbaplus
Organizational Unit Name (eg, section) []:lab
Common Name (eg, your name or your server's hostname) []:host01
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
$ ls -l
-rw-r--r--. 1 oracle oinstall 1041 Jul 14 18:17 dbaplus.csr
-rw-r--r--. 1 oracle oinstall 1704 Jul 14 15:59 privatekey.pem

Example of running keytool,
$ keytool -certreq -keyalg RSA -alias dbaplus -file dbaplus.csr -keystore Identity.jks
Enter keystore password:
$ ls -l
-rw-r--r--. 1 oracle oinstall 1081 Jul 14 18:42 dbaplus.csr
-rw-r--r--. 1 oracle oinstall 2221 Jul 14 17:11 Identity.jks

Follow the instructions of the Certificate Authority to submit the CSR file dbaplus.csr and request a signed certificate. Once the certificate is issued, download it and save it as the file certificate.cert.

3. Import certificate into Java keystore on WebLogic 12c

3.1 Create an interim PKCS12 keystore

This step is required only when openssl was used to generate the private key in step 1.

WebLogic 12c uses a Java keystore to store identity data (private key / digital certificate pairs), and with keytool the private key is generated inside the keystore at the time the keystore is created. A certificate issued by a CA does not include the private key; it has to be paired with the private key that was used to create the CSR. If the CSR was created with an openssl-generated private key, the certificate pairs with that openssl key and not with any keytool-generated key in the keystore.

Therefore, if the private key was generated by openssl, an interim PKCS12 keystore that bundles the certificate with the proper private key needs to be created with the following command:

   openssl pkcs12 -export -in <certificate-file> -inkey <private-key-file> -name <pair-name> -out <keystore-file>

Sample output of creating an interim PKCS12 keystore
$ openssl pkcs12 -export -in certificate.cert -inkey privatekey.pem -name dbaplus -out interim_keystore.p12
Enter Export Password:
Verifying - Enter Export Password:
[oracle@host01]$ ls -l
total 20
-rw-r--r--. 1 oracle oinstall 2296 Jul 15 17:06 certificate.cert
-rw-r--r--. 1 oracle oinstall 1704 Jul 15 17:06 privatekey.pem
-rw-r--r--. 1 oracle oinstall 3292 Jul 15 17:07 interim_keystore.p12

Here, dbaplus, given by the -name option, is the friendly name of the private key / certificate pair (it becomes the entry's alias when the pair is imported into the Java keystore in step 3.2). The Export Password is the password of the interim keystore interim_keystore.p12 and will be required to access it.
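Before building the interim keystore (or, on the keytool path, importing the reply in step 3.2), it pays to confirm which private key the issued certificate actually pairs with, and that it chains to the CA bundle the issuer supplied; a mismatch found here is much easier to diagnose than a refusal from openssl pkcs12 or keytool later. The following POSIX shell functions are an added example and not part of the original post; they assume openssl is on PATH, and ca_bundle.pem is an assumed file name for the CA's root and intermediate certificates.

```shell
#!/bin/sh
# Added example (not from the original post): check that a CA-issued
# certificate belongs to the private key behind the CSR, and that it
# chains to the issuer's CA bundle, before touching the Java keystore.
# Assumes openssl on PATH; ca_bundle.pem is an assumed file name.

# Print the PEM public key held in a private key, CSR or certificate file.
# CA portals hand out PEM or DER certificates, so both encodings are tried.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -pubkey -noout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ||
              openssl x509 -in "$2" -inform DER -pubkey -noout 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Return 0 when both files carry the same public key, 1 otherwise
# (an unreadable or missing file never counts as a match).
same_pubkey() {
    a=$(pubkey_of "$1" "$2")
    b=$(pubkey_of "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 when the certificate verifies against the CA bundle (root plus
# any intermediates). The exit code of "openssl verify" is unreliable on
# old releases, so the "<file>: OK" line is checked instead.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Usage on the post's files:
#   same_pubkey key privatekey.pem csr  dbaplus.csr      && echo "CSR matches key"
#   same_pubkey key privatekey.pem cert certificate.cert && echo "cert matches key"
#   cert_chains_to certificate.cert ca_bundle.pem        && echo "chain verifies"
```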

3.2 Import the certificate

If the private key was generated by keytool, import the certificate with the following command:

   keytool -import -alias <alias-name> -keystore <keystore-file> -file <certificate-file>

Here, <alias-name> is the alias that was used when the private key was generated.

Sample output,
$ keytool -import -alias dbaplus -keystore Identity.jks -file certificate.cert
Enter keystore password:
Certificate reply was installed in keystore
   
If the private key was generated by openssl, import the certificate from the interim keystore created in the previous step with the following command:

   keytool -importkeystore  -destkeystore <Java-keystore> -srckeystore <interim-keystore> -srcstoretype PKCS12

Sample output of the command,
$ keytool -importkeystore  -destkeystore Identity.jks -srckeystore interim_keystore.p12 -srcstoretype PKCS12
Importing keystore interim_keystore.p12 to Identity.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
$
$ ls -l
-rw-r--r--. 1 oracle oinstall 2296 Jul 15 17:06 certificate.cert
-rw-r--r--. 1 oracle oinstall 1704 Jul 15 17:06 privatekey.pem
-rw-r--r--. 1 oracle oinstall 2980 Jul 15 17:46 Identity.jks
-rw-r--r--. 1 oracle oinstall 3292 Jul 15 17:07 interim_keystore.p12

4. Configure the Identity and Trust keystores for WebLogic Server

* In the left pane of the Console, click Lock & Edit button.

* In the left pane of the Console, expand Environment and select Servers.

* Click the name of the server for which you want to configure the identity and trust keystores.

* Select Configuration > Keystores.

* By default, WebLogic ships with demo certificates for testing purposes.

* Click the 'Change' link in the upper-right portion of the configuration items. This displays a drop-down list of keystore configuration options.

* Choose 'Custom Identity and Java Standard Trust' from the list.

* Click Save button.

* Specify the identity keystore information:

  Custom Identity key store file Name: /u01/Middleware/Oracle_Home/user_projects/domains/base_domain/security/Identity.jks (Identity.jks is the file created/updated in step 3)

  Custom Identity key Store Type: jks (Generally, this attribute is jks)

  Custom Identity key Store Pass Phrase: keystore_password (The password defined when creating the keystore with keytool -genkeypair in step 1, or with keytool -importkeystore in step 3.2)

  Confirm Custom Identity key Store Pass Phrase: keystore_password (Same as previous)

* Specify the trust keystore information:
  
  Java Standard Trust Key Store Pass Phrase: changeit (unless your system admin changed it, the password for the cacerts keystore is "changeit")

  Confirm Java Standard Trust Key Store Pass Phrase: changeit (Same as previous)
  
* Click Save button.

* In the left pane of the Console, click Activate Changes button.

* In the left pane of the Console, expand Environment and select Servers.

* In the right pane of the Console, click the Control tab.

* Select the server for which you just configured the identity and trust keystores.

* Click Restart SSL button.

* Click Yes.

5. Configure Node Manager

If you configured the WebLogic Admin Server in step 4, you have to configure Node Manager too.

Add the following lines to the Node Manager property file ${DOMAIN_HOME}/nodemanager/nodemanager.properties:
   KeyStores=CustomIdentityAndJavaStandardTrust
   CustomIdentityKeyStoreFileName=/u01/Middleware/Oracle_Home/user_projects/domains/base_domain/security/Identity.jks
   CustomIdentityKeyStorePassPhrase=oracle
   CustomIdentityAlias=dbaplus
   CustomIdentityPrivateKeyPassPhrase=oracle

Here,
   DOMAIN_HOME: environment variable for the domain home of the WebLogic installation; in my installation it is /u01/Middleware/Oracle_Home/user_projects/domains/base_domain .

   KeyStores: the type of Identity & Trust keystores; it should be the same as the WebLogic Admin Server keystore configuration.
   CustomIdentityKeyStoreFileName: Identity keystore file name (same as the Admin Server configuration)
   CustomIdentityKeyStorePassPhrase: password of the Identity keystore
   CustomIdentityAlias: alias of the private key / certificate pair in the Identity keystore
   CustomIdentityPrivateKeyPassPhrase: pass phrase of the private key

Restart Node Manager.
