Wednesday, 8 July 2020

SOACS - SSL Configuration



Creating KSS keystores and generating Certificate Signing Request (CSR)

  • Login to em console and open Weblogic domain -> Security -> Keystores page.
  • Create a new stripe, or use an existing one (eg. "system")
  • Under selected stripe, create a new keystore myKSSIdentity, password based, for custom identity
  • Under selected stripe, create a new keystore myKSSTrust, password based, for custom trust.
  • Open manage section of myKSSIdentity, create a new key pair inside myKSSIdentity with alias as myKSSIdentity and password as required.
  • Use the below values while creating keypair:
    • Alias Name: myIdentity
    • Common Name: mysoacsdomain.com (domain name registered with public DNS)
    • The rest of information from keypair generation form is optional.
  • Select the new keypair created and click generate CSR.
  • Export the created CSR, share it with CA, and get root, intermediate and signed certificates.

Importing CA Certificates

  • Login to em console and open weblogic domain -> security -> keystores page.
  • Select the identity keystore (myKSSIdentity) and click manage
  • Import root certificate from CA as trusted certificate (alias myRootCA).
  • Import intermediate certificate from CA as trusted certificate (alias myInterCA).
  • Import signed certificate as certificate and select alias as myIdentity from drop down. This should be same alias that used to create keypair for generating CSR.
  • Select the trust keystore (myKSSTrust) keystore and click manage.
  • Import root certificate from CA as trusted certificate (alias myRootCA).
  • Import intermediate certificate from CA as trusted certificate (alias myInterCA).
  • Import signed certificate as trusted certificate (alias mySignedCert).
  •  Using putty, login to soa CS VM and open /u01/jdk/jre/lib/security
  •  Import the intermediate certificate into cacerts using below command:  
    • keytool -import -keystore cacerts -storepass changeit -file inter.crt
  •  Take a backup from cacerts file, for future use (eg. in case of JDK upgrade).

Sync Key Stores


  • Login to SOA CS VM using putty.
  • Open /u01/oracle/middleware/oracle_common/common/bin
  • Run ./wlst.sh and execute below commands to sync custom identity and custom trust keystores.

connect('weblogic',’****,'t3://x.x.x.93:7001')
svc = getOpssService(name='KeyStoreService')
svc. listKeyStoreAliases (appStripe="system”, name="myKSSIdentity”, password=” ****”, type="*")
syncKeyStores(appStripe='system',keystoreFormat='KSS')
svc. listKeyStoreAliases (appStripe="system”, name="myKSSTrust”, password='****’, type="*")
syncKeyStores(appStripe='system',keystoreFormat='KSS')
 
  • Restart both admin and managed servers.
Note: This step is needed only if using "system" stripe.

Change weblogic keystores to Custom Identity and Custom Trust

  • On weblogic server admin console open Servers -> Admin Server -> Keystores tab:
  • Change the keystore to Custom Identity and Custom Trust
  • Save
  • Provide the values for Custom Identity
    • Custom Identity Keystore: kss://system/myKSSIdentity and Press ENTER.
    • Custom Identity KeyStore Type:  KSS and ENTER
    • Custom Identity PassPhrase: enter password given while creating myKSSIdentity keystore
    • Confirm Custom Identity PassPhrase:
    • enter password given while creating myKSSIdentity   keystore
  • Provide the values for Custom Trust
    • Custom Trust Keystore: kss://system/myKSSTrust and Press ENTER.
    •  Custom Trust KeyStore Type: KSS and ENTER
    •  Custom Trust PassPhrase: enter password given while creating myKSSTrust keystore
    •  Confirm Custom Trust PassPhrase: 
    • enter password given while creating myKSSTrust  keystore
  • Click Save
  • Open SSL tab
    •  Provide Private Key Alias: myIdentity and Press ENTER.
    •  > This is the alias given while create keypair in myIdentitykeystore
    •   Private Key PassPhrase: Password given while creating key pair under idenity keystore
    •  Confirm Private Key PassPhrase:
    •  Password given while creating key pair under idenity keystore
  • Change HostNameVerfication = None. Not sure if its required.
  • Click Save.
  • Repeat steps 1 to 8 for Managed Server also.
  • Stop Admin, Managed Server and Node Manager.

Node Manager Changes

1. Open /domain_home/nodemanager
2. Edit nodemanager.properties and add the below properties.

# added for custom identity and custom trust
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=myKSSIdentity
CustomIdentityKeyStoreFileName=kss://system/myKSSIdentity
CustomIdentityKeyStorePassPhrase=*********
CustomIdentityKeyStoreType=KSS
CustomIdentityPrivateKeyPassPhrase=*********
CustomTrustKeyStoreFileName=kss://system/myKSSTrust

3. Edit startNodeManager.sh file under /domain_home/bin to add the below properties during startup: 

JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=/u01/data/domains/SOA_domain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/middleware/oracle_common -Dopss.version=12.2.1.2 -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.egd=file:/dev/./urandom.egd=file:/dev/./urandom"

Note: -Dopss.version=12.2.1.2 property is specific to version 12.2.1.2.

Changes in boot.properties

Note: This step is not needed if the environment is using OTD.

1. Login the SOA CS VM through putty and open /domain_home/servers/AdminServer/data/nodemanager
2. Take a backup copy of boot.properties.
3. Open boot.properties and comment the below line and save.

#TrustKeyStore=DemoTrust

4. Open /domain_home/servers/soa_server1/data/nodemanager/
5. Take a backup copy of boot.properties.
6. Edit boot.properties file, comment the below line.

#TrustKeyStore=DemoTrust

7. Add the below lines at the end.

CustomTrustKeyStoreFileName=kss://system/myKSSTrust
TrustKeyStore=CustomTrust
CustomTrustKeyStorePassPhrase=****
CustomTrustKeyStoreType=KSS

8. save boot.properties.


In setDomainEnv.sh remove this property:

-Djavax.net.ssl.trustStore=%WL_HOME%\server\lib\DemoTrust.jks

No comments:

Post a Comment