Lets secure our proxy service with 1 way ssl(Inbound)
Note : For dev purposes we can use the self signed certificates but for production purposes we need to get the certificates signed by the trusted certificate authority.
<trustStore type is : jks>
<trustStore provider is :>
<init truststore>
<adding as trusted cert:>
<Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<Algorithm: RSA; Serial number: 0x23456>
<Valid from Tue May 21 06:00:00 CEST 2002 until Sat May 21 06:00:00 CEST 2022>
<adding as trusted cert:>
- Just follow the below steps will explain why we need to do this later section
- Create private public key pair using keytool command
Note : For dev purposes we can use the self signed certificates but for production purposes we need to get the certificates signed by the trusted certificate authority.
- Click on server
- Navigate to the Configuration | Keystores tab.
- Click Change and change the value to Custom Identity and Custom Trust for the Keystores field.
- Enter ./config/fmwconfig/server.jks into the Custom Identity Keystore field.
- Enter JKS into the Custom Identity Keystore Type field.
- Enter welcome into the Custom Identity Keystore Passphrase field.
- Enter welcome into the Confirm Custom Identity Keystore Passphrase field.
- Enter ./config/fmwconfig/server.jks into the Custom Trust Keystore field.
- Enter JKS into the Custom Trust Keystore Type field.
- Enter welcome into the Custom Trust Keystore Passphrase field.
- Enter welcome into the Confirm Custom Trust Keystore Passphrase field.
- Navigate to the Configuration | SSL tab.
- Enter serverKey into the Private Key Alias field.
- Enter welcome into the Private Key Passphrase field.
- Enter welcome into the Confirm Private Key Passphrase field and click Save.
- Click on the Advanced link.
- Select None for Hostname Verification.
- Select "Client Certs Not Requested" (For 1 Way SSL)
- Select "Use JSSE SSL"
- Navigate to the Configuration | General tab.
- Check the option SSL Listen Port Enabled.
- Leave the SSL Listen Port on the default of 7002.
We are all set now , we just have to select "HTTPS Required" in proxy service transport configuration
Check the option SSL Listen Port Enabled.eave the SSL Listen Port on the default of 7002.
We need to share the Public key with the clients so that they can access our proxy service secured over 1 way ssl ,to generate the public key from the keystore
keytool -exportcert –alias serverKey -storepass welcome –keystore
DOMAIN_HOME\config\fmwconfig\server.jks –file serverPublic.cer
To access the proxyService from the browser simply import the serverPublic.cer in browser
To access the proxyService from another weblogic domain, import the serverPublic.cer in the truststore of the client weblogic domain.
keytool -import -file serverPublic.cer -alias serverKey -keystore
client.jks -storepass welcome -keypass welcome
Note : Weblogic has 2 keystores TrustStore and IdentityStore, normally PrivateKeys are stored in IdentityStore and PublicKeys/RootCACerts/IntermediateCACerts are stored in TrustStores, but here in this example, we have used the same keystore for both Trust and Identity
Invoke web service secured with 1 way SSL(Outbound)
Debugging
-Djavax.net.ssl.keyStore=[location of the identityStore]
Check the option SSL Listen Port Enabled.eave the SSL Listen Port on the default of 7002.
We are all set now , we just have to select "HTTPS Required" in proxy service transport configuration
keytool -exportcert –alias serverKey -storepass welcome –keystore
DOMAIN_HOME\config\fmwconfig\server.jks –file serverPublic.cer
To access the proxyService from the browser simply import the serverPublic.cer in browser
To access the proxyService from another weblogic domain, import the serverPublic.cer in the truststore of the client weblogic domain.
keytool -import -file serverPublic.cer -alias serverKey -keystore
client.jks -storepass welcome -keypass welcome
1 Way SSL
- In one way ssl client requests the resource from server over https
- Server sends public certificate
- Client verifies the signature of the received public certificate against the list of public certificates in its trust-store(client.jks)
- If it matches then communication between client and server is encrypted
- Client encrypts data using the server's public key in its truststore
- Server decrypt's the data using private key in its identity store
- As the communication is now encrypted no middleman can snoop and tamper the data
Note : Weblogic has 2 keystores TrustStore and IdentityStore, normally PrivateKeys are stored in IdentityStore and PublicKeys/RootCACerts/IntermediateCACerts are stored in TrustStores, but here in this example, we have used the same keystore for both Trust and Identity
Invoke web service secured with 1 way SSL(Outbound)
- Get the public certificate from the targetSystem, (you can get the Public Certificate of google from Mozilla, follow the steps)
- Goto https://www.google.com in Mozilla
- Click on the green lock and export the public certificate as shown below
- Import the public certificate(google.crt) into the TrustStore(either in DemoTrust or in CustomTrust, if you are using CustomTrust you should configure the same in Server |Configuration | Keystores)
- Navigate to the Configuration | SSL tab.
- Select "Use JSSE SSL"
- Invoke the target system service via Business Service
- Set the Enpoint URI as https://www.google.com/#q=osb
- Select the HTTP Method as "GET"
- Now the communication between OSB and google search query is encrypted
Debugging
- set -Djavax.net.debug=ssl in setDomainEnv to debug and understand SSL Errors
- Weblogic sometimes doesnt recognize CustomtrustStore and IdentityTrustStore configured in weblogic console, in that case set the below in setDomainEnv
-Djavax.net.ssl.keyStore=[location of the identityStore]
-Djavax.net.ssl.keyStorePassword=[identitystore password]
-Djavax.net.ssl.trustStore=[location of the keyStore]
-Djavax.net.ssl.trustStorePassword=[keystore password]
- In server logs you should see similar to the below to confirm weblogic has recognized and loaded the trust certificates
<trustStore type is : jks>
<trustStore provider is :>
<init truststore>
<adding as trusted cert:>
<Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<Algorithm: RSA; Serial number: 0x23456>
<Valid from Tue May 21 06:00:00 CEST 2002 until Sat May 21 06:00:00 CEST 2022>
<adding as trusted cert:>
No comments:
Post a Comment