SSL Revisit

One-way SSL

In-depth Readings

Internet Security Issues

  • Eavesdropping
  • Tampering
  • Impersonation
  • Encryption / Decryption
  • Digital Signatures
  • Certificates

RSA

Encrypt

Sign

Determining the trust of a public key certificate

In-depth Readings

2-way SSL and certificates

  • keyStore
    • Private key
    • Certificate issued by CA
  • trustStore
    • CA certificate chain

In-depth Readings

How to create WebLogic Keystores

Create Root CA private key

openssl genrsa -out rootCA.key 2048

Create the Root CA certificate (self-signed; it carries the Root CA public key and is what every trust store will hold)

openssl req -x509 -new -days 7300 -key rootCA.key -out rootCA.pem

Create server private key

openssl genrsa -out AdminServer.key 2048

Create server CSR (Certificate Signing Request)

openssl req -new -key AdminServer.key -out AdminServer.csr

Root CA signs the server CSR, producing the server certificate

openssl x509 -req -days 7300 -in AdminServer.csr -out AdminServer.pem \
        -CA rootCA.pem -CAkey rootCA.key -CAcreateserial

Two caveats. x509 -req copies no extensions from the CSR, so a certificate issued this way has no subjectAltName, and modern TLS clients will fail hostname verification against it unless the extensions are supplied with -extfile. And 7300 days (20 years) is a lifetime for a root CA, not for a server certificate, which should be re-issued far more often.

Create ECETrust.jks (Java KeyStore), import CA certificate chain

keytool -import -trustcacerts -file rootCA.pem -keystore ECETrust.jks -alias ECETrust

Create ECEIdentity.jks, import server private key/certificate pairs

First, bundle the server private key and certificate into a PKCS#12 file (openssl asks for an export password; it becomes the private key passphrase in the JKS)

openssl pkcs12 -export -in AdminServer.pem -inkey AdminServer.key -out AdminServer.p12

Then, convert it to a Java KeyStore. The source alias is 1 because that is what openssl assigns when no -name is given; -deststoretype is stated explicitly because JDK 9 and later create PKCS12 stores by default, while the WebLogic configuration below declares JKS

keytool -importkeystore -srckeystore AdminServer.p12 -srcstoretype pkcs12 \
        -destkeystore ECEIdentity.jks -deststoretype JKS -srcalias 1 -destalias ECEIdentity

Point WebLogic at ECETrust.jks and ECEIdentity.jks

Set AdminServer's SSL Identity and Trust

wlst.cd('/Server/AdminServer')
wlst.set('KeyStores', 'CustomIdentityAndCustomTrust')
wlst.set('CustomIdentityKeyStoreFileName', '/usr/lib/occas/security/ECEIdentity.jks')
wlst.set('CustomIdentityKeyStoreType', 'JKS')
wlst.set('CustomIdentityKeyStorePassPhraseEncrypted',
    wlst.encrypt('weblogic30', domainHome))  # The password here is for the KeyStore
wlst.set('CustomTrustKeyStoreFileName', '/usr/lib/occas/security/ECETrust.jks')
wlst.set('CustomTrustKeyStoreType', 'JKS')
wlst.set('CustomTrustKeyStorePassPhraseEncrypted',
    wlst.encrypt('weblogic30', domainHome))  # The password here is for the KeyStore

wlst.cd('/Server/AdminServer/SSL/AdminServer')
wlst.set('Enabled', 'true')
wlst.set('ListenPort', int(serverSecurePort))
wlst.set('ServerPrivateKeyAlias', 'ECEIdentity')
wlst.set('ServerPrivateKeyPassPhraseEncrypted',
    wlst.encrypt('weblogic30', domainHome))  # The private key passphrase: the PKCS#12 export password, the same as the keystore password here

# Lab settings. Ignoring hostname verification accepts a valid certificate for
# any host the trust store vouches for, so a certificate stolen from one server
# works against another. Issue server certificates with a correct subjectAltName
# and leave verification on in production.
wlst.set('HostnameVerificationIgnored', 'true')
wlst.set('HostnameVerifier', 'null')
wlst.set('TwoWaySSLEnabled', 'false')
wlst.set('ClientCertificateEnforced', 'false')

2-way SSL for WebLogic

  • Add the client CA certificate chain to ECETrust.jks
  • wlst.set('TwoWaySSLEnabled', 'true')
  • wlst.set('ClientCertificateEnforced', 'true')
    • With TwoWaySSLEnabled alone the server requests a client certificate but still accepts connections that present none; ClientCertificateEnforced makes a valid client certificate mandatory

Server Out-bound HTTPS

  • Add the remote CA certificate chain to ECETrust.jks
    • Depending on your code, this step may be optional
  • Add our root CA to the remote trust store
    • Depending on the remote side, this step may also be optional
  • If both sides use certificates from a public CA rather than a private one, you may not need the steps above
    • The public CA certificates ship with the OS and the JDK
    • Note that with CustomIdentityAndCustomTrust, WebLogic's own SSL stack trusts only what is in ECETrust.jks; code that uses the plain JSSE defaults trusts the JDK cacerts instead, which is why it depends on your code
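The keystore procedure above, together with the trust-store additions that 2-way SSL and outbound HTTPS call for, as one script. This is an added example, not code from the slides: it runs the same openssl and keytool steps without prompts, gives the server certificate a subjectAltName, adds a separate client CA to ECETrust.jks, and then checks the result the way a TLS client would. The host name admin.example.com, the CA names "ECE Root CA" and "ECE Client CA", the 825-day leaf lifetime, and the KEYSTORE_PASS variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides. Runs the keystore procedure
# end to end without prompts, then checks the result the way a client would.
# Names, lifetimes and the KEYSTORE_PASS variable are assumptions of this
# example, not something the slides specify.
set -eu

# openssl config for "req": a fixed subject (no prompts) and, when used with
# -x509, proper CA extensions so that "openssl verify" accepts it as a root.
req_config() {   # $1 = common name
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n'
  printf '[dn]\nCN = %s\n' "$1"
  printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\n'
  printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
}

# "openssl x509 -req" copies nothing from the CSR, so the server certificate
# only gets a subjectAltName if we pass one via -extfile. Without it, modern
# TLS clients fail hostname verification, which is what tempts people into
# HostnameVerificationIgnored=true.
leaf_ext_config() {   # $1 = DNS name, $2 = optional IP
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n'
  printf 'extendedKeyUsage = serverAuth\n'
  if [ -n "${2:-}" ]; then printf 'subjectAltName = DNS:%s, IP:%s\n' "$1" "$2"
  else printf 'subjectAltName = DNS:%s\n' "$1"; fi
}

# Root CA, server key/CSR/cert, and a second CA for client certs, all in $1.
build_pki() {   # $1 = output dir, $2 = server host name
  d=$1; host=$2; mkdir -p "$d"
  req_config "ECE Root CA" > "$d/rootCA.cnf"
  openssl genrsa -out "$d/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -days 7300 -key "$d/rootCA.key" -out "$d/rootCA.pem" \
      -config "$d/rootCA.cnf" 2>/dev/null
  req_config "$host" > "$d/AdminServer.cnf"
  openssl genrsa -out "$d/AdminServer.key" 2048 2>/dev/null
  openssl req -new -key "$d/AdminServer.key" -out "$d/AdminServer.csr" \
      -config "$d/AdminServer.cnf" 2>/dev/null
  leaf_ext_config "$host" > "$d/AdminServer.ext"
  openssl x509 -req -days 825 -in "$d/AdminServer.csr" -out "$d/AdminServer.pem" \
      -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" -CAcreateserial \
      -extfile "$d/AdminServer.ext" 2>/dev/null
  req_config "ECE Client CA" > "$d/clientCA.cnf"
  openssl genrsa -out "$d/clientCA.key" 2048 2>/dev/null
  openssl req -x509 -new -days 7300 -key "$d/clientCA.key" -out "$d/clientCA.pem" \
      -config "$d/clientCA.cnf" 2>/dev/null
}

# Trust decision: does the chain end in a CA from the trust store, and (if a
# host is given) does the SAN match that host? Prints "ok" or "untrusted".
cert_trusted_by() {   # $1 = trust store (PEM bundle), $2 = cert, $3 = host
  if [ -n "${3:-}" ]; then set -- -CAfile "$1" -verify_hostname "$3" "$2"
  else set -- -CAfile "$1" "$2"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# ECETrust.jks and ECEIdentity.jks as on the slides, plus the client CA that
# 2-way SSL needs. Needs a JDK; the password comes from the environment.
build_keystores() {   # $1 = dir holding the PEM files
  d=$1; pass=${KEYSTORE_PASS:?set KEYSTORE_PASS}
  keytool -importcert -noprompt -trustcacerts -alias ECETrust -file "$d/rootCA.pem" \
      -keystore "$d/ECETrust.jks" -storetype JKS -storepass "$pass" 2>/dev/null
  keytool -importcert -noprompt -trustcacerts -alias ClientCA -file "$d/clientCA.pem" \
      -keystore "$d/ECETrust.jks" -storetype JKS -storepass "$pass" 2>/dev/null
  # -name fixes the PKCS#12 alias, so the import does not have to guess "1"
  openssl pkcs12 -export -name ECEIdentity -in "$d/AdminServer.pem" \
      -inkey "$d/AdminServer.key" -out "$d/AdminServer.p12" -passout "pass:$pass"
  keytool -importkeystore -noprompt -srckeystore "$d/AdminServer.p12" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -srcalias ECEIdentity -destkeystore "$d/ECEIdentity.jks" \
      -deststoretype JKS -deststorepass "$pass" -destalias ECEIdentity 2>/dev/null
}

trusted_entries() {   # $1 = keystore, $2 = password; prints number of trusted CAs
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry
}

main() {
  work=$(mktemp -d)
  build_pki "$work" admin.example.com
  echo "server cert vs rootCA.pem, host admin.example.com: $(cert_trusted_by "$work/rootCA.pem" "$work/AdminServer.pem" admin.example.com)"
  echo "server cert vs rootCA.pem, host other.example.com: $(cert_trusted_by "$work/rootCA.pem" "$work/AdminServer.pem" other.example.com)"
  echo "server cert vs clientCA.pem: $(cert_trusted_by "$work/clientCA.pem" "$work/AdminServer.pem")"
  if command -v keytool >/dev/null 2>&1; then
    KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}   # "changeit" is a demo default only
    build_keystores "$work"
    echo "trusted CAs in ECETrust.jks: $(trusted_entries "$work/ECETrust.jks" "$KEYSTORE_PASS")"
  fi
  echo "artifacts left in $work"
}
if command -v openssl >/dev/null 2>&1; then main; fi
```

Run it with openssl and a JDK on the PATH; without keytool only the PEM side runs. The three verify lines are the trust decision the slides describe: the server certificate passes against rootCA.pem and fails against clientCA.pem, and passes hostname verification for admin.example.com only, so with a correct subjectAltName there is no reason to ignore hostname verification in WebLogic. Older JDKs cannot read the PBES2/AES encryption that OpenSSL 3 uses by default for PKCS#12; add -legacy to the pkcs12 -export command in that case.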

By aclisp