Tuesday, 16 November 2021

Weblogic - Enable Two Way SSL

Weblogic SSL Implementation:


Basic Terminologies :

SSL Termination: You can terminate SSL at Load Balancer and communication from Load Balancer to WebLogic Server as non SSL (In this case Load Balancer is configured to listen on SSL but WebLogic Server is configured to listen on NON SSL)

Identity/Keystore: A server which hosts traffic on a port which has SSL/TLS enabled, has an identity keystore. This identity keystore contains a private key and a public key/certificate. The public key/certificate can safely be given to other parties. With websites when visiting an HTTPS website (HTTP with SSL enabled), the public key is send to you. The other party / client can use the public key to encrypt messages meant for the server. The only one who can decrypt the messages is the one having the private key of the server. This is usually only the server.

Trust : Can you trust a server? You can use a certificate authority - CA to create a signed public key. If someone trust the certificate authority, that someone also automatically trusts the signed key. With websites you often see a green lock when a certain website uses HTTPS with a public certificate signed by a (by your we browser) trusted certificate authority.

Usually a trust store is used to store trusted certificate authorities -CA or specific trusted certificates. If you have many servers in your application landscape, it is recommended to use a certificate authority since it is cumbersome to load every public key of every server in every trust store. Trusting a single certificate authority makes things a lot easier.

If you are accessing Public Servers (Example Microsoft , Google etc.) then server will verify these certificates with Public CA and trust the connections automatically.  In case if you are accessing non Public Servers (Internal Servers) then we need to add the public certificates of these Servers into Trust store to Trust the Server and Connection. 

Default JRE cacerts (%JAVA_HOME%\jre\lib\security\cacertswill contain collection of trusted CA certificates and trust the connection. We don't need to add CA certificates explicitly 

We can also create a separate Keystore to store Identity and Trust Keys.

-javax.net.ssl.keyStore 

 -javax.net.ssl.trustStore 

SSL Connection - One Way:  Anytime when a client makes a SSL connection request to Server/Origin, Server will present the Key stored in Keystore/Identity Store.  Client will verify the presented Key by comparing it with the keys stored in Trust Store. 






SSL Connection - Two WayAnytime when a client makes a SSL connection request to Server/Origin, Server will present the Key stored in Keystore/Identity Store.  Client will verify the presented Key by comparing it with the keys stored in Trust Store. In two way SSL client also has to authenticate itself and it has to present the Key stored in Keystore and Server will validate the Key with the keys stored in Server Trust Store. 




Keystore Setup: 

Create Identity Key

keytool -genkey -keystore <keystore_name>.jks -alias <privatekey_alias_name> -keyalg RSA -validity <validity in days> -keysize 2048

Note down the password. 

Create CSR Request:

keytool -certreq -alias <privatekey_alias_name> -keystore <keystore_name>.jks -file <csr_file_name>.csr

Send the CSR request file to signing authority.  Get the signed certificate and import the certificates into identity key. 

Import Signed Certificate and Root Certificate. 

keytool -import -alias signedCer -keystore <keystore_name>.jks -file <signed_certificate>.crt

keytool -import -trustcacerts -alias root -file <root_certificate>.cer -keystore <keystore_name>.jks


Export Public Certificate From Keystore. 

keytool -export -alias <privatekey_alias_name> -keystore <keystore_name>.jks  -file <pub_cert_name>.cer


Create Trust Store Key and Import Client Cert:

keytool -import -alias <alias_name> -trustcacerts -file  <client_certificate> -keystore <trust_store_file_name>.jks

Note down the password. 


Weblogic Server Configurations:

Servers --> Managed Server   --> Kestore --> (Change Keystore Type to Custom Identity and Custom Trust)

Go to SSL Tab --> Provide Private Key Alias and Pass Phrase. 

Select Advanced --> Two Way Client Cert Behavior: ---> Client Certs Requested And Enforced


NoteSelecting Client Certs Requested But Not Enforced enables two-way SSL. With this option, the server requests a certificate from the client, but the connection continues if the client does not present a certificate. 

Selecting Client Certs Requested And Enforced also enables two-way SSL and requires a client to present a certificate. However, if a certificate is not presented, the SSL connection is terminated.

Reference : https://docs.oracle.com/cd/E24329_01/web.1211/e24422/identity_trust.htm#SECMG536


How WebLogic Server Locates Trust

  • If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
  • Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
  • Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
  • Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.

1 comment: