SSL Revisit
One-way SSL

In-depth Readings
Internet Security Issues
- Eavesdropping
- Tampering
- Impersonation
- Encryption / Decryption
- Digital Signatures
- Certificates
RSA
- Encrypt
- Sign
Determining the trust of a public key certificate
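Added example, not part of the original slides: a toy RSA walk-through of the three building blocks the deck pairs with its three threats (encryption against eavesdropping, signatures against tampering, certificates against impersonation) and of how the trust of a certificate is determined from a CA public key held in a trust store. The primes, names and the "certificate" layout are constructed for the demo; key sizes are tiny and there is no padding, so it illustrates the mechanics only.

```python
# Toy RSA: encrypt/decrypt, sign/verify, and a CA-signed certificate whose trust
# is decided by checking the CA signature against a trust store. Demo only.
import hashlib
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; enough for the million-sized demo primes used below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two constructed primes -> (public, private)."""
    assert is_prime(p) and is_prime(q), "demo primes must be prime"
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, message_int: int) -> int:
    """Against eavesdropping: anyone may encrypt with the public key, only the private key decrypts."""
    e, n = public_key
    assert 0 <= message_int < n, "message must be smaller than the modulus"
    return pow(message_int, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)


def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it below the modulus (toy; real RSA pads a full-size hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Against tampering: the private exponent is applied to the hash of the data."""
    d, n = private_key
    return pow(digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the public key checks that the signature recovers the hash of the data."""
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)


def certificate_bytes(subject: str, subject_public_key) -> bytes:
    """The part of the toy certificate the CA signs: the subject name bound to its public key."""
    e, n = subject_public_key
    return f"{subject}|{e}|{n}".encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """Against impersonation: the CA vouches for the name-to-key binding by signing it."""
    tbs = certificate_bytes(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key, "signature": sign(ca_private_key, tbs)}


def is_trusted(certificate: dict, trusted_ca_public_keys) -> bool:
    """Determining trust: the certificate is trusted only if a CA from our trust store signed this exact binding."""
    tbs = certificate_bytes(certificate["subject"], certificate["public_key"])
    return any(verify(ca_pub, tbs, certificate["signature"]) for ca_pub in trusted_ca_public_keys)


def demo() -> dict:
    """Exercise every step; all values are True when the mechanics behave as the deck describes."""
    ca_pub, ca_priv = make_keypair(1000037, 1000039)      # constructed "root CA" key pair
    srv_pub, srv_priv = make_keypair(1000003, 1000033)    # constructed "AdminServer" key pair
    cert = issue_certificate(ca_priv, "AdminServer", srv_pub)
    forged = dict(cert, subject="Impostor")               # same signature, different name: binding broken
    m = 424242
    return {
        "roundtrip": decrypt(srv_priv, encrypt(srv_pub, m)) == m,
        "signature_ok": verify(srv_pub, b"hello", sign(srv_priv, b"hello")),
        "tampered_rejected": not verify(srv_pub, b"hellp", sign(srv_priv, b"hello")),
        "cert_trusted": is_trusted(cert, [ca_pub]),
        "forged_rejected": not is_trusted(forged, [ca_pub]),
        "untrusted_ca_rejected": not is_trusted(cert, [srv_pub]),   # a key that is not in the trust store
    }


if __name__ == "__main__":
    print(demo())
```

The last three checks in `demo()` are the point of the trust-store slides: a certificate is only as trustworthy as the CA key you chose to put in the trust store, and changing any byte of the signed binding invalidates it.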


In-depth Readings
2-way SSL and certificates

- keyStore
  - Private key
  - Certificate issued by CA
- trustStore
  - CA certificate chain
In-depth Readings
How to create WebLogic Keystores
Create Root CA private key
openssl genrsa -out rootCA.key 2048
Create self-signed Root CA certificate (it carries the Root CA public key)
openssl req -x509 -new -days 7300 -key rootCA.key -out rootCA.pem
Create server private key
openssl genrsa -out AdminServer.key 2048
Create server CSR (Certificate Signing Request)
openssl req -new -key AdminServer.key -out AdminServer.csr
Root CA signs the server CSR, producing the server certificate
openssl x509 -req -days 7300 -in AdminServer.csr -out AdminServer.pem \
-CA rootCA.pem -CAkey rootCA.key -CAcreateserial
Create ECETrust.jks (Java KeyStore), import CA certificate chain
keytool -import -trustcacerts -file rootCA.pem -keystore ECETrust.jks -alias ECETrust
Create ECEIdentity.jks, import the server private key/certificate pair
First, bundle the private key and certificate into a PKCS#12 file
openssl pkcs12 -export -in AdminServer.pem -inkey AdminServer.key -out AdminServer.p12
Then, convert it to Java KeyStore
keytool -importkeystore -srckeystore AdminServer.p12 -srcstoretype pkcs12 \
-destkeystore ECEIdentity.jks -srcalias 1 -destalias ECEIdentity
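Added example, not from the slides: the deck's openssl/keytool steps run non-interactively from Python, with the check the slides leave implicit added in the middle, `openssl verify` of the issued server certificate against the root CA before anything is imported into a keystore. The subject names, the store password and the scratch directory are assumptions for the demo; the keytool steps run only when a JDK is on the PATH.

```python
# Build the deck's PKI (root CA -> signed server cert -> PKCS#12 -> JKS stores)
# and verify the chain before importing. Demo values throughout.
import os
import shutil
import subprocess
import tempfile


def run(argv, cwd):
    """Run one command in cwd, fail loudly on a non-zero exit, return its stdout."""
    result = subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"{' '.join(argv)} failed:\n{result.stderr}")
    return result.stdout


def build_pki(workdir, storepass="changeit"):
    """Return the list of artefacts produced in workdir (constructed subjects and password)."""
    # 1. Root CA private key and self-signed root certificate
    run(["openssl", "genrsa", "-out", "rootCA.key", "2048"], workdir)
    run(["openssl", "req", "-x509", "-new", "-days", "7300", "-key", "rootCA.key",
         "-out", "rootCA.pem", "-subj", "/CN=ECE Root CA (demo)"], workdir)
    # 2. Server private key and CSR
    run(["openssl", "genrsa", "-out", "AdminServer.key", "2048"], workdir)
    run(["openssl", "req", "-new", "-key", "AdminServer.key", "-out", "AdminServer.csr",
         "-subj", "/CN=adminserver.example.invalid"], workdir)
    # 3. Root CA signs the CSR, producing the server certificate
    run(["openssl", "x509", "-req", "-days", "7300", "-in", "AdminServer.csr",
         "-out", "AdminServer.pem", "-CA", "rootCA.pem", "-CAkey", "rootCA.key",
         "-CAcreateserial"], workdir)
    # 4. The check the slides skip: does the issued certificate chain to our root?
    verdict = run(["openssl", "verify", "-CAfile", "rootCA.pem", "AdminServer.pem"], workdir)
    if not verdict.strip().endswith(": OK"):
        raise RuntimeError(f"AdminServer.pem does not verify against rootCA.pem: {verdict}")
    # 5. PKCS#12 bundle of the server key/certificate pair (input for the identity store)
    run(["openssl", "pkcs12", "-export", "-in", "AdminServer.pem", "-inkey", "AdminServer.key",
         "-out", "AdminServer.p12", "-passout", f"pass:{storepass}"], workdir)
    built = {"rootCA.pem", "AdminServer.pem", "AdminServer.p12"}
    # 6. Trust store (root CA) and identity store (server pair); needs the JDK's keytool
    if shutil.which("keytool"):
        run(["keytool", "-import", "-trustcacerts", "-noprompt", "-file", "rootCA.pem",
             "-keystore", "ECETrust.jks", "-storetype", "JKS", "-alias", "ECETrust",
             "-storepass", storepass], workdir)
        run(["keytool", "-importkeystore", "-srckeystore", "AdminServer.p12",
             "-srcstoretype", "pkcs12", "-srcstorepass", storepass,
             "-destkeystore", "ECEIdentity.jks", "-deststoretype", "JKS",
             "-deststorepass", storepass, "-srcalias", "1", "-destalias", "ECEIdentity"], workdir)
        built |= {"ECETrust.jks", "ECEIdentity.jks"}
    return sorted(f for f in built if os.path.exists(os.path.join(workdir, f)))


def demo_in_tempdir():
    """Run the whole pipeline in a scratch directory; None when openssl is not installed."""
    if not shutil.which("openssl"):
        return None
    with tempfile.TemporaryDirectory() as workdir:
        return build_pki(workdir)


if __name__ == "__main__":
    print("built:", demo_in_tempdir())
```

The `-srcalias 1` on the last step matches the deck: a PKCS#12 file exported without `-name` gets no friendly name, so keytool lists its single entry under alias `1`. Step 4 is cheap and catches the usual mistake of signing with the wrong CA key or pointing `-CA` at a stale certificate before the broken pair ends up in ECEIdentity.jks.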
Configure WebLogic to use ECETrust.jks and ECEIdentity.jks
Set AdminServer's SSL Identity and Trust
wlst.cd('/Server/AdminServer')
wlst.set('KeyStores', 'CustomIdentityAndCustomTrust')
wlst.set('CustomIdentityKeyStoreFileName', '/usr/lib/occas/security/ECEIdentity.jks')
wlst.set('CustomIdentityKeyStoreType', 'JKS')
wlst.set('CustomIdentityKeyStorePassPhraseEncrypted',
wlst.encrypt('weblogic30', domainHome)) # The password here is for the KeyStore
wlst.set('CustomTrustKeyStoreFileName', '/usr/lib/occas/security/ECETrust.jks')
wlst.set('CustomTrustKeyStoreType', 'JKS')
wlst.set('CustomTrustKeyStorePassPhraseEncrypted',
wlst.encrypt('weblogic30', domainHome)) # The password here is for the KeyStore
wlst.cd('/Server/AdminServer/SSL/AdminServer')
wlst.set('Enabled', 'true')
wlst.set('ListenPort', int(serverSecurePort))
wlst.set('ServerPrivateKeyAlias', 'ECEIdentity')
wlst.set('ServerPrivateKeyPassPhraseEncrypted',
wlst.encrypt('weblogic30', domainHome)) # The password here is for the private key; after the keytool import above it equals the KeyStore password
wlst.set('HostnameVerificationIgnored', 'true')
wlst.set('HostnameVerifier', 'null')
wlst.set('TwoWaySSLEnabled', 'false')
wlst.set('ClientCertificateEnforced', 'false')
2-way SSL for WebLogic
- Add client CA certificate chain to ECETrust.jks
- wlst.set('TwoWaySSLEnabled', 'true')
- wlst.set('ClientCertificateEnforced', 'true')
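Added example, not from the slides: a small review function for the SSL attributes the WLST script assigns. It takes the attributes as one flat dict (the Server and Server/SSL MBean attributes merged, the way you might collect them with `wlst.get()` in a read-only session) and returns the findings a reviewer would raise. The two settings dicts are constructed from the deck's own values: the one-way configuration above, and the 2-way variant from this slide.

```python
# Audit the WebLogic SSL MBean attributes used on the slides for weak or
# inconsistent combinations. Settings dicts are constructed from the deck.

def _is_true(value) -> bool:
    """WLST accepts the strings 'true'/'false' as well as booleans; normalise both."""
    return str(value).lower() == "true"


def audit_ssl_settings(settings: dict, expect_two_way: bool = False) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if settings.get("KeyStores") != "CustomIdentityAndCustomTrust":
        findings.append("KeyStores is not CustomIdentityAndCustomTrust: the demo identity/trust stores may still be in use")
    for key in ("CustomIdentityKeyStoreFileName", "CustomTrustKeyStoreFileName"):
        if not settings.get(key):
            findings.append(f"{key} is empty")
    if _is_true(settings.get("HostnameVerificationIgnored")):
        findings.append("hostname verification is ignored: an outbound connection accepts any certificate "
                        "that chains to the trust store, whichever host name it carries")
    two_way = _is_true(settings.get("TwoWaySSLEnabled"))
    enforced = _is_true(settings.get("ClientCertificateEnforced"))
    if expect_two_way and not two_way:
        findings.append("TwoWaySSLEnabled is false, but 2-way SSL was expected for this server")
    if two_way and not enforced:
        findings.append("TwoWaySSLEnabled without ClientCertificateEnforced: a client certificate is requested but not required")
    if enforced and not two_way:
        findings.append("ClientCertificateEnforced has no effect while TwoWaySSLEnabled is false")
    return findings


# One-way SSL exactly as the WLST script on the slides sets it (values copied from the deck).
ONE_WAY_SETTINGS = {
    "KeyStores": "CustomIdentityAndCustomTrust",
    "CustomIdentityKeyStoreFileName": "/usr/lib/occas/security/ECEIdentity.jks",
    "CustomTrustKeyStoreFileName": "/usr/lib/occas/security/ECETrust.jks",
    "HostnameVerificationIgnored": "true",
    "TwoWaySSLEnabled": "false",
    "ClientCertificateEnforced": "false",
}

# The 2-way variant from the "2-way SSL for WebLogic" slide. Hostname verification
# is left as the deck set it, so the audit still points at it.
TWO_WAY_SETTINGS = dict(ONE_WAY_SETTINGS, TwoWaySSLEnabled="true", ClientCertificateEnforced="true")

if __name__ == "__main__":
    for name, cfg in (("one-way", ONE_WAY_SETTINGS), ("two-way", TWO_WAY_SETTINGS)):
        print(name, audit_ssl_settings(cfg, expect_two_way=(name == "two-way")) or ["no findings"])
```

The half-configured case (`TwoWaySSLEnabled` true, `ClientCertificateEnforced` still false) is worth a dedicated finding because WebLogic then only requests a client certificate, so a client that presents none is still admitted; both attributes on this slide have to flip together.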
Server Out-bound HTTPS
- Add remote CA certificate chain to ECETrust.jks
  - Depending on your code, this step is optional
- Add our root CA to the remote trust store
  - Depending on the remote side, this step is also optional
- If no self-made (private) CA is involved, you may not need the steps above
  - The well-known trusted CAs are shipped with the OS and the JDK
By aclisp