Friday, January 16, 2015

WebLogic/OSB one way and two way SSL - outbound calls

I found Portecle quite useful for importing and exporting keys, and it provides a neat user interface. In a standalone JVM, the keystore and truststore can be specified with the following command-line parameters:

 -Djavax.net.ssl.keyStore  
 -Djavax.net.ssl.trustStore  
 -Djavax.net.ssl.trustStorePassword  
 -Djavax.net.ssl.keyStorePassword  
 -Djavax.net.ssl.keyStoreProvider  

In WebLogic, this is done via the Admin Console.

One Way SSL
It is quite straightforward to configure one-way SSL. I believe the preferred way is to use a Custom Identity and Custom Trust store, which is much easier to manage than the Demo trust and identity stores.

Using DemoTrust and DemoIdentity
The location of DemoTrust and DemoIdentity can be found in the Admin Console:

The default passwords are:
 DemoIdentity.jks -> DemoIdentityKeyStorePassPhrase  
 DemoTrust.jks -> DemoTrustKeyStorePassPhrase  

We can open them in Portecle and import the SSL certificate.

Using Custom Identity and Custom Trust
I prefer this option to the Demo stores. I usually use jre/lib/cacerts as the starting point and import all the necessary certs into cacerts. Once all certs are imported into cacerts, the WebLogic configuration is as below.

Under KeyStores tab:

Under SSL tab:
This needs to be done on every affected server, and a server restart is necessary afterwards.

Two Way SSL
Using Custom Identity and Custom Trust
I imported both the private key and the root cert into the cacerts file. The password of the cacerts file was the same as the password of the private key; I was not sure if it was absolutely necessary, but that is how it worked in a standalone JVM. Once the private key is imported, below is the WebLogic configuration.
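As an added illustration (not code from this post), the following standalone Java client loads a custom trust store and a custom identity store explicitly and builds an SSLContext from them, which is what the -Djavax.net.ssl.* properties above and the WebLogic Custom Identity / Custom Trust settings do for you; set twoWay to false for one-way SSL. The store paths, passwords and the URL are placeholders, not values from the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Outbound TLS client with explicit identity (key) and trust stores. */
public class OutboundTlsClient {

    /** Loads a JKS/PKCS12 keystore from disk (path and password are placeholders). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** twoWay == false: only the server is authenticated (trust store); true: client cert is also sent. */
    static SSLContext buildContext(String trustStore, char[] trustPass,
                                   String keyStore, char[] keyPass, boolean twoWay) throws Exception {
        // Trust store: which CAs/certs we accept for the remote server (-Djavax.net.ssl.trustStore).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPass));

        // Identity store: our private key and cert chain for two-way SSL (-Djavax.net.ssl.keyStore).
        KeyManagerFactory kmf = null;
        if (twoWay) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Second argument is the private-key password; the post's store password matched it.
            kmf.init(load(keyStore, keyPass), keyPass);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("/path/to/custom-trust.jks", "trustpass".toCharArray(),
                                      "/path/to/custom-identity.jks", "keypass".toCharArray(), true);
        URL url = new URL("https://backend.example.invalid/service"); // placeholder endpoint
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept; certificate and host checks stay strict.
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
    }
}
```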
Enable SSL Debug
 -Dssl.debug=true  
 -Dweblogic.security.SSL.verbose=true  
 -Djavax.net.debug=all  
Loosen Up Security Constraints
 -Dweblogic.webservice.client.ssl.strictcertchecking=false  
 -Dweblogic.security.SSL.allowSmallRSAExponent=true  
 -Dweblogic.security.SSL.enforceConstraints=off  
 -Dweblogic.security.SSL.enable.renegotiation=true  
 -Dsun.security.ssl.allowUnsafeRenegotiation=true  
