Thursday, May 20, 2010

Two Way SSL on Weblogic Server

This post describes the steps and concepts required to configure and use Two Way SSL with the Weblogic Server.


The Admin Server Console is used as the test application to verify whether the configuration is working or not.




Create a WLS domain: ssl_domain.

Open a command prompt and navigate to the ssl_domain/bin directory.

Run setDomainEnv.cmd to set the environment.

Creating the Server Cert:

1: Create a directory: ServerCert.

2: From the command prompt where the environment was set, move to this ServerCert directory.

3: Use the CertGen utility to create the certificate.

------------------------------------------------------------

Two way SSL with Weblogic Server:

First of all let us understand the process of Two Way SSL.

Here we will assume the following:

Weblogic Server as Server:

Mozilla Firefox as the Client:

1: Weblogic Server is configured for SSL:

2: Certificate used by Weblogic Server is: ServerCert

3: Private Key used by Weblogic Server is: ServerKey

4: Trust Store used by Weblogic Server is: DemoTrust.

Two Way SSL Communications:

1: Client initiates an SSL connection with the Server.

2: Server sends its Identity Certificate to the Client.

3: Client verifies and trusts the Identity Certificate received from the Server.

4: Server asks the Client for its Identity Certificate.

5: Client sends its own Identity Certificate to the Server.

6: Server verifies and trusts the Certificate sent by the Client.

7: Client asks the Server to negotiate a cipher.

8: Server confirms a cipher common to both sides from those presented by the Client.

9: The handshake is successful and encrypted data starts flowing over the network.

So from the above process we have the following requirements for configuring two way SSL on Weblogic Server.

1: Identity Certificate for Weblogic Server.

2: Identity Certificate for Client (Mozilla Firefox).

3: Trust Store of Weblogic Server which should contain the root Certificate of the CA which issued the Client Identity Certificate.

4: Trust Store of Client which should contain the root certificate of the CA which issued the Identity Certificate of the Weblogic Server.

Now we will be creating the Certificates required for Weblogic Server:

From the above, we need an Identity Certificate for Weblogic Server issued by a CA.

Here we will create the certificate using the Weblogic CertGen utility, with the Weblogic CertGenCA.der as the Certificate Authority.

  1. Create a Weblogic Server Domain ssl_domain.

  2. Open a command prompt and move to ssl_domain/bin directory.

  3. Run the setDomainEnv.cmd file to set the environment on the command prompt.

  4. Then create a Directory anywhere on the file system named: ServerCert.

  5. From the already opened command prompt go to the ServerCert directory.

  6. Run the following command:


java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass keypass

The above command creates four files:

ServerCert.der and ServerCert.pem: These are the Identity Certificate in DER and PEM format.

ServerKey.der and ServerKey.pem: These are the Private Key for the above certificate in DER and PEM format.

keypass: This is the Private Key password required to read the Private Key.

  7. The CA used above is CertGenCA.der, which the CertGen utility uses by default when no CA is explicitly mentioned.

  8. We need to concatenate the CertGenCA certificate to the end of the above created certificate ServerCert.pem, so that the file holds the complete chain.

  9. In order to concatenate CertGenCA.der we first have to convert that certificate into PEM format, and for that we will be using the Weblogic der2pem utility.


10.  First copy the CertGenCA.der file from %BEA_HOME%/wlserver_103/server/lib directory to your newly created ServerCert dir.

11.  From the command prompt used above run the following command:

java utils.der2pem CertGenCA.der

 

12.  The above command will convert the CertGenCA.der into CertGenCA.pem format.

13.  Now add the contents of CertGenCA.pem after the contents of ServerCert.pem using the command below (>> appends, so make sure myCert.pem does not already exist):

type ServerCert.pem CertGenCA.pem >> myCert.pem

 

14.  Since Weblogic Server uses a JKS keystore for its SSL configuration, we have to import the above created myCert.pem and the Private Key into a JKS file using the Weblogic ImportPrivateKey utility.

15.  From the same command Prompt run the below command:

java utils.ImportPrivateKey -keystore ServerIdentity.jks -storepass storepass -storetype JKS -keypass keypass -alias mykey -certfile myCert.pem -keyfile ServerKey.pem -keyfilepass keypass

Here:

Keystore: ServerIdentity.jks - This is the JKS file into which the certificate and key will be imported.

Storepass: storepass - This is the password of the keystore file ServerIdentity.jks.

Storetype: JKS - This is the type of keystore to be used. It can be PKCS12, PEM etc.

Keypass: keypass - This is the password required to read the Private Key from the keystore. For simplicity we will be using keypass only.

Alias: mykey - This is the alias used for reading the Private Key from the Keystore.

Certfile: myCert.pem – This is the certificate to be imported into the Keystore.

Keyfile: ServerKey.pem - This is the Private Key to be imported into the Keystore.

Keyfilepass: keypass – This is the Password used in the CertGen utility command required to read the Private Key from the ServerKey.pem file.

16.  The above command creates the file ServerIdentity.jks. This file will be used for configuring SSL on Weblogic.

17.  The Certificate Authority for the above created certificate is the default CertGenCA.der, and this CA is by default present in the DemoTrust.jks file.

18.  So for the Trust Store of Weblogic Server we will be using the default DemoTrust.jks file present in the %BEA_HOME%/wlserver_103/server/lib directory.

19.  Copy the DemoTrust.jks file from the above mentioned directory to our working directory, i.e. ServerCert.
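Before configuring the keystores in the console, the chain just imported can be checked from the same command prompt (where setDomainEnv.cmd put a JDK on the PATH). This is an added example, not code from the original post or from Weblogic; it assumes the file names and passwords used above (ServerIdentity.jks / storepass / mykey, DemoTrust.jks / DemoTrustKeyStorePassPhrase) and that both files sit in the current ServerCert directory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added example: verifies that the identity keystore holds a complete chain
// (ServerCert signed by CertGenCA) and that the trust store knows that CA.
public class CheckIdentityChain {

    static KeyStore load(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Values as used in the ImportPrivateKey command above (assumed paths).
        KeyStore identity = load("JKS", "ServerIdentity.jks", "storepass");
        KeyStore trust = load("JKS", "DemoTrust.jks", "DemoTrustKeyStorePassPhrase");

        Certificate[] chain = identity.getCertificateChain("mykey");
        if (chain == null) {
            throw new IllegalStateException("alias mykey has no private key entry");
        }

        // Walk the chain: each certificate must be signed by the next one and the last
        // one must be self-signed. A myCert.pem built without CertGenCA.pem appended
        // shows up here as a single certificate whose issuer is not itself.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            X509Certificate issuer =
                    (X509Certificate) (i + 1 < chain.length ? chain[i + 1] : chain[i]);
            cert.checkValidity();                // throws if expired or not yet valid
            cert.verify(issuer.getPublicKey());  // throws if the signature does not match
            System.out.println("[" + i + "] " + cert.getSubjectX500Principal()
                    + " issued by " + cert.getIssuerX500Principal());
        }
        X509Certificate root = (X509Certificate) chain[chain.length - 1];
        if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
            throw new IllegalStateException("chain incomplete: last certificate is not self-signed");
        }

        // ClientCert (created later) is issued by the same CertGenCA, so this root is
        // also what the server's trust store needs in order to accept the client (requirement 3).
        boolean trusted = false;
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            Certificate c = trust.getCertificate(e.nextElement());
            if (root.equals(c)) {
                trusted = true;
            }
        }
        System.out.println(trusted ? "root CA found in DemoTrust.jks" : "root CA NOT in trust store");
    }
}
```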

20.  Now Start the Admin Server of the Weblogic Server and log into the Admin Console.

21.  Click on the Admin Server:

22.  Enable the SSL port from the General configuration tab of the Admin Server and save it.

23.  By Default the Admin Server SSL Port is: 7002.

24.  Now click on the keystores tab of the Admin Server.

25.  Fill in the Following entries:

Keystores: Custom Identity and Custom Trust.

Custom Identity Keystore: C:\ServerCert\ServerIdentity.jks

Custom Identity Keystore Type: JKS

Custom Identity Keystore Passphrase: storepass (same as the -storepass value of ImportPrivateKey)

Confirm Custom Identity Keystore Passphrase: storepass

Custom Trust Keystore: C:\ServerCert\DemoTrust.jks

Custom Trust Keystore Type: JKS

Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase

Confirm Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase

26.  Save it.

27.  Click on the SSL tab:

Identity and Trust Locations: Keystores

Private Key Alias: mykey

Private Key Passphrase: keypass (same as the -keypass value of the ImportPrivateKey utility used above)

28.  Click on Advanced options and set the value of Hostname Verification to NONE.

29.  Save it.

30.  Restart the Admin Server.

31.  This completes the SSL configuration of the Weblogic Server.

32.  Now after restarting the Admin Server check whether the Admin Console is accessible over the https port or not by using the following URL in the Mozilla Firefox:

https://localhost:7002/console.

If the above url is accessible then this confirms that the SSL configuration is correct for the Weblogic Admin Server.

Now we will try to configure the Two Way SSL.

On the Admin Server >>>> SSL tab: Advanced options:

Two Way Client Cert Behavior:  Client Cert Requested and Enforced.

Save it.

Now if you try to access the Admin Console over SSL, it will throw an SSL handshake exception. This happens because in two way SSL the client is also requested to submit a certificate, and we have not configured any certificate for our client (the Mozilla Firefox browser).

So, we will be configuring the certificate for the Client.

For that we again need the Certificates for the Client.

We will be using the same CertGen utility of Weblogic Server to create this certificate.

33.  So from the above opened command prompt run the following command:

java utils.CertGen -certfile ClientCert -keyfile ClientKey -keyfilepass keypass

 

34.  This will again create four files for the client: ClientCert.der, ClientCert.pem, ClientKey.der and ClientKey.pem.

35.  Now we need to convert the client certificate into the PKCS12 format, because browsers generally accept the PKCS12 keystore format for storing certificates.

36.  For this conversion we will be using the OpenSSL tool which is freely downloadable for windows from below link:

http://gnuwin32.sourceforge.net/packages/openssl.htm

37.  After having OpenSSL installed go to the OpenSSL bin directory and run the openssl.exe file

38.  This will open up the OpenSSL command window where we can run the OpenSSL command.

39.  On this OpenSSL command prompt run the following command:

pkcs12 -export -in C:\ServerCert\ClientCert.pem -inkey C:\ServerCert\ClientKey.pem -out C:\ServerCert\client-pkcs-12-cert

This will prompt for the ClientKey.pem pass phrase: keypass

Enter the Export Password: keypass

Confirm the Export Password: keypass

40.  This will create the client-pkcs-12-cert.

41.  Now for configuring the above certificate into the Browser:

42.  Open Mozilla Firefox >>> Tools >>> Options >>> Encryption >>> View Certificates:

43.  On the Your Certificates Tab >>> click on import >>>

44.  Select the client-pkcs-12-cert created above.

Enter the Key password: keypass

45.  This will import the Client certificate into the Browser.

46.  Now Restart the Browser.

47.  Try accessing the Admin Console through the Browser.

48.  This time the Browser will be able to access the Admin Console.

If there is any SSL handshake issue then you can follow my post:

How to Debug SSL issues:

If the issue is still there then you can paste your comments here.

34 comments:

Sean said...

Great work!
Does this apply to Windows Internet Explorer as the client? Does Explorer accept the cert in PKCS12 format?

weblogictips said...

Hi Sean,

Yes the same is true for every browser( IE also).
However, I have tried to do the POC( Proof of Concept) of Two Way SSL with IE8 and It always throws - No Such Algorithm Exception.
This is something to do with the IE 8 issue and I was not able to resolve it either with the IE8 or with Google Chrome.
Also If you get any Cipher related exception with mozilla then try using the following flag:
-Dweblogic.security.SSL.nojce=true

Thanks,
Sandeep

Sean said...

Is that because of non-trusted CA -- wls' demo?

weblogictips said...

Yes, a non-trusted CA can be one of the reasons for the scenario not working with IE8.

Sean said...

For IE Can the wls' demo CA be imported as "Trusted Root Certification Authorities"? then the problem may be gone? I am kind of new to the certificate business. I see the import option under "Trusted Root Certification Authorities".

weblogictips said...

I have tried that also and was still receiving the same error trace. really don't know what is the problem with the IE.
May be IE is not allowing the servers with Demo or self-signed certificates configured to be accessed. If you have commercial certificates then you can try with that and let me know the results.

Thanks,
Sandeep

Sean said...

Hi Sandeep,
I have it tried on IE8 and worked. The IE version is 8.0.6001.18702

However, I have tried a test case from a metalink note and without success. My goal is to have the users authenticated by the smart cards. The note is 775726.1 WLS 8.1 - Setting-up Two-way SSL for WLS 8.1. If you have a chance, could you please take a look?
My wls log was showing:
Certificate chain received from .com - 169.254.25.129 was incomplete

I think the problem is due to the CA missmatch, one signed the client's and one signed the server's though they are both the verisign class1 CA. On the client, the root CA is " VeriSign Class 1 Individual Subscriber CA-G2", while on the server, the demo cacerts contains VeriSign's "Class 1 Public Primary Certification Authority". Any comments?
Thanks

SeanS said...

I'm seeing that incompatible cipher problem with IE8 if TLS 1.2 or 1.1 are enabled; it seems like if the initial request fails due to an incompatible protocol it gives up on the 2-way negotiation.

Thomas Topan said...

I didn't know you can do this with an SSL certificate. Is this a special type of certificate or doesn't it matter? I'm asking because I bought mine from a UK registrar and the domain I will be using it on is targeted for the US.

Sathya said...

Hi Sandeep,

I am a beginner,

Please let me know, why are we going this...

1.Since the CA used above is CertGenCA.der which is by default used by the CertGen utility if it is not explicitly mentioned.
2.We need to concatenate the CertGenCA certificate to the end of above created certificate ServerCer.pem.

Why are we concatenating CertGenCA certificate?

Thanks
Sathay

weblogictips said...

hi Sathya,

We are concatenating the CertGenCA to the ServerCert.pem to complete the certificate chain.
As Weblogic Server checks whether the configured certificate is properly chained or not, if we do not concatenate the CertGenCA to ServerCert.pem then WLS will throw an error related to the certificate chain.

Thanks,
Sandeep

srini said...

Sandeep,

This is good for the browser, but I am getting javax.net.ssl.SSLHandshakeException when I try to access it from my client program's main method. Please help me with how I can invoke the https URL without any exception.

weblogictips said...

Hi Srini,

If you are trying to access the URL hosted in WLS server which is configured for the TWO-WAY SSL then you will have to code your client as per the below link:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/security/SSL_client.html

Thanks,
Sandeep
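For the standalone client case raised above, and as a second look at the two way handshake described at the top of the post, here is an added example (not part of the original post, nor Weblogic's own code) of a Java client that completes the handshake. It assumes the PKCS12 file exported for the browser and the DemoTrust.jks copied earlier, at the paths and with the passwords used in the steps above, and that the host name in the URL matches the CN of ServerCert.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Added example: identity = the PKCS12 file exported with openssl (step 39),
// trust = DemoTrust.jks, which holds CertGenCA, the issuer of ServerCert.
public class TwoWaySslClient {

    static SSLContext buildContext(String p12Path, String p12Pass,
                                   String trustPath, String trustPass) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            identity.load(in, p12Pass.toCharArray());
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, p12Pass.toCharArray());   // presents ClientCert when the server asks

        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustPath)) {
            trust.load(in, trustPass.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                               // accepts ServerCert because CertGenCA is trusted

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Paths and passwords as used in the steps above (assumed; adjust to your machine).
        SSLContext ctx = buildContext("C:\\ServerCert\\client-pkcs-12-cert", "keypass",
                                      "C:\\ServerCert\\DemoTrust.jks", "DemoTrustKeyStorePassPhrase");

        // HttpsURLConnection checks that the URL host matches the certificate CN, unlike the
        // server side where Hostname Verification was set to NONE in the console above.
        URL url = new URL("https://localhost:7002/console");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        } catch (SSLHandshakeException e) {
            // Seen when no client identity is configured (the browser error described above)
            // or when either side does not trust the CA that issued the other's certificate.
            System.out.println("Two way SSL handshake failed: " + e.getMessage());
        }
    }
}
```

Without the KeyManagerFactory (pass null as the first argument to ctx.init) the same program reproduces the handshake exception the post describes for a client with no certificate.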

Anshul said...

Very Helpful!!! Thanks

Sriji said...

Hi Sandeep,
This is what I wanted for last so many months to test two-way SSL in weblogic!!
Excellent post. Thanks a lot for posting very very very helpful technical stuff on two way ssl.
Regards,
Sriji

shahul said...

Excellent article,
I was banging my head for this issue for the past two months.
thanks a lot.

maverick said...

Great work ! this article is very helpful for me.

Maria said...

Hi,
Thank you very much for the knowledge.
When I use try serverCert.pem CertGenCA.pem >> myCert.pem, I receive the following error although they are in the current directory:
bash: type: ServerCert.pem: not found
bash: type: CertGenCA.pem: not found

May I know why?

weblogictips said...

When I use try serverCert.pem CertGenCA.pem >> myCert.pem, I receive the following error although they are in the current directory:
bash: type: ServerCert.pem: not found

serverCert.pem ----- > 's' is in small letter
ServerCert.pem ----- > 'S' this is capital letter.

Bash is case sensitive.

Maria said...

Hi,
That's what I don't understand. In the sample CertGen command, it used "utils.CertGen -certfile ServerCert ... " and for concatenating the certs it mentioned "type serverCert.pem ...". May be typo. Actually I tried both small and capital letter ... produced the same error.

Thanks,
Maria

Anonymous said...

Can you check the directory whether both the files are present or not.
After using java utils.CertGen -certfile , you will get one ServerCert.der and ServerCert.pem file.
and you need to copy CertGenCA.der file from %BEA_HOME%/wlserver_103/server/lib directory into the same directory where ServerCert.pem is present and change it to CertGenCA.pem and then try to concatenate it.
You can also use any text editor to copy paste the contents of CertGenCA.pem file to ServerCert.pem.
Make sure that there is no white space present while copying the contents and you should copy the contents below the contents of ServerCert.pem file.

Thanks,
Sandeep

Venkat Maddineni said...

Sandeep,
This is one of the best posts I have seen on 'how to'.

Thanks for the post
-Venkat

Raj said...

Hi Sandeep,

Excellent job!. I am trying to setup SSL between Apache and Weblogic using the WebLogic plug-in. One of the requirements in the virtual host with SSL is asking for a TrustedCA certificate file.

Could you shed some light how a TrustedCA cert can be generated using the CertGen utility ? also will Apache trust that cert...

Thanks in Advance
Raj

weblogictips said...

Hi Raj,

As you are configuring SSL between Apache and WLS server, so the most important thing you should know is only one way SSL is supported between Apache and WLS plugin.
so your scenario : Apache ---> one way ssl ---> wls server.

In one way ssl, your apache has to trust the public certificate presented by wls server.
So, you do not have to create any trusted ca file. All that you have to do is get the Root CA certificate which WLS server is using, store it on the Apache machine and provide the path of this root ca file in the httpd.conf file.

the best way to get the Root CA file of the wls server is to open any application page which is deployed on the WLS server using the https protocol from a browser; you can see one certificate available in the browser. Save that certificate in .der format.
Change the .der format to pem format using der2pem utility of weblogic server and use it as TrustedCA file on Apache machine.

anu said...

hi,
any updates on how to solve the ie8 issue?

thanks

anu said...

any solution to this ie8 and wl10.0 issue?

thanks

chen said...

the two way SSL above is 1) between browser and web server or 2) between web server and weblogic (application server) or 3) browser and weblogic (application server) thank you

weblogictips said...

Hi Chen,

The above two way SSL is between Weblogic Server and the Browser.

Thanks,
Sandeep

Bruno said...

Is there anyway to receive the certificate, sent by the browser, inside the application?

weblogictips said...

Hi Bruno,

Yes ,you can receive the browser certificate inside the application .
Please go through the below link for the sample java servlet code that is reading a browser certificate .

http://www.experts-exchange.com/Software/Server_Software/Application_Servers/Java/Oracle_IAS/Q_22547465.html

Thank,
Weblogictips
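As an added example (not from the original post or the linked page), this is how a servlet deployed on the server can read the certificate the browser presented during the two way handshake, using the servlet-spec request attribute javax.servlet.request.X509Certificate. It assumes the server was configured with Client Cert Requested and Enforced as shown above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: exposes the client certificate chain received in the two way handshake.
public class ClientCertServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        // Null means no client certificate was presented: plain HTTP, one way SSL, or
        // Two Way Client Cert Behavior left at its default instead of Requested and Enforced.
        if (chain == null || chain.length == 0) {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("no client certificate on this connection (secure=" + req.isSecure() + ")");
            return;
        }

        X509Certificate clientCert = chain[0];   // chain[0] is the end-entity certificate
        out.println("subject : " + clientCert.getSubjectX500Principal());
        out.println("issuer  : " + clientCert.getIssuerX500Principal());
        out.println("serial  : " + clientCert.getSerialNumber().toString(16));
        out.println("valid to: " + clientCert.getNotAfter());
        // The server already validated this chain against its trust store (DemoTrust.jks)
        // before the request reached the servlet; what remains is application-level
        // authorization, e.g. mapping the subject DN to a user.
    }
}
```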

Ramesh said...

Hi Sandeep,

I am not able to create certificates using the below command


I gave the above command at ssl_domain/bin.
First I ran setDomainEnv.sh,
then gave the command in the ssl_domain/bin/servercert terminal: java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass keypass.
Even when I created the servercert directory in another location and gave the above genkey command I get the same issue.
I got the below exception:
Exception in thread "main" java.lang.NoClassDefFoundError: utils/CertGen
Caused by: java.lang.ClassNotFoundException: utils.CertGen
at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
Could not find the main class: utils.CertGen. Program will exit.

could you please debug and tell me what i am missing here and why i am getting this error.

weblogictips said...

How did you execute setDomainEnv.sh?

please execute like below :

. ./setDomainEnv.sh

Phil said...

Hi Sean,
Very good tutorial thanks.
One thing that I miss.
You say
"... for configuring two way SSL on Weblogic Server"
...
3: Trust Store of Weblogic Server which should contain the root Certificate of the CA which issued the Client Identity Certificate.

4: Trust Store of Client which should contain the root certificate of the CA which issued the Identity Certificate of the Weblogic Server.
It is not clear to me when this is done.
the root certificate of the CA which issued the identity certificate of the Weblogic server is not in the client Trust Store (firefox) is it?