OES uses SSL for communications between the Administration Server, remote OES components, and external clients. Installation of OES includes demonstration certificates that can be used to get the system up and running in non-production environments.
This document describes how OES uses SSL and provides instructions for replacing the demonstration certificates with those signed by a recognized Certificate Authority. It contains the following topics:
OES uses one-way or two-way SSL as follows:
Once the enrollment process is performed on a remote machine, all OES components on that machine (SCM, SSM) are bound into the internal OES trust structure based on the internal CA, residing on the Administration Server. All communication with the server is performed using two-way SSL. A single set of keys located in BEA_HOME\ales32-shared\keys is used by all OES components on that machine. When enrollment is initiated on a remote machine, communication between the enrollment client and the Administration Server is one-way SSL.
NOTE: For step-by-step enrollment instructions, see the SSM Installation and Configuration Guide.
If enrollment is performed in demo mode, the Administration Server presents its certificate signed by the Demo ALES CA that is supplied with the installation and that enrollment clients are configured to trust. In secure mode, the client verifies the CA certificate against its list of trusted certificate authorities in $JAVA_HOME/lib/security/cacerts.
One-way SSL is used for browser connections with the Administration Console or the Entitlements Management Tool. When a browser client initiates the connection, the Administration Server sends the client its certificate. If the CA that signed the Administration web server's (WebLogic or Tomcat) certificate is in the browser's trust store, the browser proceeds to establish the one-way SSL connection. If not, the browser issues a warning that allows the user to trust the certificate.
NOTE: The OES administration tools themselves use two-way SSL when communicating with other internal OES components.
Instead of using the provided Java wrapper for the BLM SOAP interface, external clients may directly access BLM interfaces.
Upon installation, two keystores containing demo certificates are used to establish trust between the Administration Server and clients:
BEA_HOME\ales32-shared\keys\webserver.jks. This keystore contains a demonstration private key for the Administration Server, the server's identity in a public certificate that is signed by the Demo ALES CA, and a public certificate for the internal CA itself.
A second keystore, used in demo mode. Because this keystore also contains the Demo CA certificate, clients will trust the Administration Server. This keystore is located in the BEA_HOME\ales32-shared\keys directory.
For production environments, the Administration Server must first be configured to use a keystore containing its private key and a corresponding certificate signed by a well-known certificate authority. After this, SSMs can be bound into the internal OES two-way SSL framework by enrolling in secure mode.
Note: Some certificates issued by CA authorities do not strictly comply with Certicom's Internet X.509 Public Key Infrastructure standard. To use these certificates, you must disable constraints extension checking by adding information to the enrollment and unenrollment scripts. For instructions, see "Certificates" on page 3-6 of the SSM Installation and Configuration Guide.
Clients enrolling in secure mode will verify the CA certificate against their list of trusted certificate authorities in $JAVA_HOME/lib/security/cacerts and determine that it was signed by a trusted CA by checking for its presence in the cacerts keystore. If the certificate authority is not in the list of trusted CAs, the CA's certificate must be imported into cacerts.
Rename BEA_HOME\ales32-shared\keys\webserver.jks to demowebserver.jks or a similar name.
Note: This allows you to create the new keystore named webserver.jks. Doing so will minimize modifications that must be made to existing Administration Server config files.
Generate a new RSA key pair for the Administration Server in a new keystore:
keytool -genkey -alias ales-webserver -keyalg RSA -keystore Webserver.jks
Generate a certificate signing request for the new key and have it signed by your certificate authority:
keytool -certreq -alias ales-webserver -file certreq.csr -keystore Webserver.jks
Import the CA's certificate chain, then the signed server certificate, into the new keystore:
keytool -import -alias AlesCA -keystore Webserver.jks -trustcacerts -file <chain_certificate_filename>
keytool -import -alias ales-webserver -keystore Webserver.jks -trustcacerts -file <certificate_filename>
Copy Webserver.jks to the BEA_HOME\ales32-shared\keys directory.
In BEA_HOME/asiDomain/config.xml, replace the existing <server-private-key-pass-phrase-encrypted> value with the encrypted value of the keystore password used when the new webserver.jks keystore was created.
SSL connections between BLM clients and the BLM server are two-way SSL by default. You can change this to one-way SSL using the following steps:
Open BEA_HOME/ales32-admin/config/WLESblm.properties in an editor and add the following parameter to the bottom of the file:
Note: If you are using the default properties file, this is already entered as a commented line at the bottom of the file. Simply remove the comment symbol (#).
Restart the Administration Server:
BEA_HOME/ales32-admin/bin/WLESadmin.sh restart
This is all that is required if the BLM client is on the same machine as the server. You do not need to perform the remaining steps.
Make a copy of trust.jks in the BEA_HOME/ales32-shared/keys directory and move the copy to an appropriate directory on the BLM client machine.
On the BLM client, set the following Java system property:
-Dwles.ssl.trustedCAKeyStore=/<directory_name>/trust.jks
<directory_name> is the name of the directory containing trust.jks.
Note: No keys are distributed with trust.jks. It contains only the CA public certificate.
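The two keystores described on this page differ in what they must hold: webserver.jks carries the Administration Server's private key and certificate chain, while trust.jks must contain only the CA public certificate before it is copied to BLM client machines. The following Python script is an added example, not part of the OES documentation or product: it parses the JKS container format directly (magic, version-2 entries, and the SHA-1 integrity digest Java appends), lists each entry, and flags any private-key entry so a trust.jks can be checked before distribution. The sample stores, the aliases ales-webserver, alesca and alesdemoca, and the password changeit are constructed values; the certificate and key bytes are placeholders, not real DER.

```python
# Read a Java KeyStore (JKS) without keytool: verify its integrity digest, list its
# entries, and flag private-key entries in a store meant to hold only CA certificates.
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional

JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY = 1   # keytool shows these as PrivateKeyEntry
TAG_TRUSTED_CERT = 2  # keytool shows these as trustedCertEntry
_INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its SHA-1 digest

# Constructed placeholders for DER blobs: NOT real certificates or keys, just enough
# for the container format to round-trip offline.
FAKE_CA_CERT = b"CONSTRUCTED-CA-CERT-DER"
FAKE_SERVER_CERT = b"CONSTRUCTED-SERVER-CERT-DER"
FAKE_ENCRYPTED_KEY = b"CONSTRUCTED-ENCRYPTED-PRIVATE-KEY"


@dataclass
class JksEntry:
    alias: str
    tag: int
    certs: List[bytes] = field(default_factory=list)  # leaf first, then issuers
    encrypted_key: Optional[bytes] = None             # only for TAG_PRIVATE_KEY


def _utf(s: str) -> bytes:
    # Java DataOutput.writeUTF: 2-byte big-endian length, then (modified) UTF-8
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read(buf: bytes, pos: int, fmt: str):
    # Read a length-prefixed field: fmt ">H" for Java UTF strings, ">I" for byte blobs
    (n,) = struct.unpack_from(fmt, buf, pos)
    pos += struct.calcsize(fmt)
    return buf[pos:pos + n], pos + n


def integrity_digest(body: bytes, password: str) -> bytes:
    # SHA-1( UTF-16BE(password) || "Mighty Aphrodite" || keystore body ), appended by Java
    return hashlib.sha1(password.encode("utf-16-be") + _INTEGRITY_SALT + body).digest()


def build_jks(entries: List[JksEntry], password: str, timestamp_ms: int = 0) -> bytes:
    # Serialize a JKS version 2 store; used here only to construct the sample files
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for e in entries:
        body += struct.pack(">I", e.tag) + _utf(e.alias) + struct.pack(">Q", timestamp_ms)
        if e.tag == TAG_PRIVATE_KEY:
            body += struct.pack(">I", len(e.encrypted_key)) + e.encrypted_key
            body += struct.pack(">I", len(e.certs))  # certificate chain length
        for cert in e.certs:
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + integrity_digest(body, password)


def read_jks(data: bytes, password: str) -> List[JksEntry]:
    # Parse a JKS v2 store, rejecting it if the password-bound digest does not match
    body, digest = data[:-20], data[-20:]
    if not hmac.compare_digest(digest, integrity_digest(body, password)):
        raise ValueError("integrity check failed: wrong password or tampered keystore")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError(f"not a JKS v2 store (magic={magic:#x}, version={version})")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        raw_alias, pos = _read(body, pos + 4, ">H")
        pos += 8  # creation timestamp (ms); irrelevant to this check
        entry = JksEntry(raw_alias.decode("utf-8"), tag)
        if tag == TAG_PRIVATE_KEY:
            entry.encrypted_key, pos = _read(body, pos, ">I")
            (chain_len,) = struct.unpack_from(">I", body, pos)
            pos += 4
        elif tag == TAG_TRUSTED_CERT:
            chain_len = 1
        else:
            raise ValueError(f"unknown entry tag {tag} for alias {entry.alias!r}")
        for _ in range(chain_len):
            _cert_type, pos = _read(body, pos, ">H")  # always "X.509" in practice
            cert, pos = _read(body, pos, ">I")
            entry.certs.append(cert)
        entries.append(entry)
    if pos != len(body):
        raise ValueError("trailing bytes after the last entry")
    return entries


def private_key_aliases(entries: List[JksEntry]) -> List[str]:
    # Anything listed here disqualifies the file from being shipped as a trust store
    return [e.alias for e in entries if e.tag == TAG_PRIVATE_KEY]


def sample_trust_store(password: str = "changeit") -> bytes:
    # Shaped like trust.jks: one trusted CA certificate and no keys
    return build_jks([JksEntry("alesdemoca", TAG_TRUSTED_CERT, [FAKE_CA_CERT])], password)


def sample_identity_store(password: str = "changeit") -> bytes:
    # Shaped like webserver.jks: the server key with its chain, plus the CA as a trusted entry
    return build_jks([JksEntry("ales-webserver", TAG_PRIVATE_KEY, [FAKE_SERVER_CERT, FAKE_CA_CERT],
                               FAKE_ENCRYPTED_KEY),
                      JksEntry("alesca", TAG_TRUSTED_CERT, [FAKE_CA_CERT])], password)
```

Because the integrity digest is just a password-keyed SHA-1 over the file, a matching digest confirms the password and catches accidental corruption; it is the entry types and aliases returned by read_jks that tell you whether a file is safe to hand out as a trust store. For a real file, cross-check the listing against keytool -list -v.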
The SSL diagnosis tool in an SSM's ales32-shared/bin directory can be used to troubleshoot SSL connectivity problems between the SSM and the Administration Server. The tool checks the SSM's SSL configuration and shows detailed handshake information.
Run the tool from the ales32-shared/bin directory as follows:
ssldiagnosis.bat|sh <demo|secure>
admin and password respectively)
C:\bea_ssms\ales32-shared\bin>ssldiagnosis.bat demo
===============================================================================
AquaLogic Enterprise Security Enrollment/Unenrollment Utility
===============================================================================
checking keystore:C:\bea_ssms\ales32-shared/keys/DemoTrust.jks
Enter Demo Trust CA keystore password :>
Enter Demo Trust CA Alias:>alesdemoca
checking keystore:C:\bea_ssms\ales32-shared/keys\trust.jks
Enter password of C:\bea_ssms\ales32-shared/keys\trust.jks:>
checking keystore:C:\bea_ssms\ales32-shared/keys\identity.jceks
Enter password of C:\bea_ssms\ales32-shared/keys\identity.jceks:>
checking keystore:C:\bea_ssms\ales32-shared/keys\peer.jks
Enter password of C:\bea_ssms\ales32-shared/keys\peer.jks:>
checking Demo Trust CA certificate
the CA certificate with alias name: alesdemoca is compatible with OES requirement
Checking Admin server: blougee-lap and port number is: 7010
Processing ssl diagnosis result
found qualified certificate for certficate with tag:cacert
found qualified certificate for certficate with tag:ssmcert
found qualified certificate for certficate with tag:admincert
found qualified certificate for certficate with tag:trustedcert
check OES component: PD & SCM status
input one of installed SSMs' Location:>C:\bea_ssms\ales32-ssm\java-ssm
PD is working on blougee-lap and port number is 7011
SCM is working on localhost and port number is 7005
C:\bea_ssms\ales32-shared\bin>
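The transcript above has a fixed shape, which makes it practical to turn an ssldiagnosis run into an automated health check across many SSM hosts. The following Python script is an added example, not a tool shipped with OES: it parses the tool's console output (the line formats, including the tool's own spelling "certficate", are taken from the demo-mode run shown above), records which certificate tags were found qualified and which components answered, and reports anything missing. The expected tag set (cacert, ssmcert, admincert, trustedcert) is assumed from this single sample run.

```python
# Turn the console output of ssldiagnosis.bat|sh into a pass/fail verdict.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Certificate tags a healthy run reports as "qualified" (assumed from the sample run)
EXPECTED_TAGS = {"cacert", "ssmcert", "admincert", "trustedcert"}

_KEYSTORE = re.compile(r"^checking keystore:(.+)$")
# The tool prints "certficate"; accept either spelling in case it is ever fixed
_QUALIFIED = re.compile(r"^found qualified certificate for cert(?:i)?ficate with tag:(\w+)$")
_CA_OK = re.compile(r"^the CA certificate with alias name: (\S+) is compatible with OES requirement$")
_ADMIN = re.compile(r"^Checking Admin server: (\S+) and port number is: (\d+)$")
_COMPONENT = re.compile(r"^(PD|SCM) is working on (\S+) and port number is (\d+)$")


@dataclass
class DiagnosisReport:
    keystores: List[str] = field(default_factory=list)
    qualified_tags: Set[str] = field(default_factory=set)
    ca_alias: Optional[str] = None
    admin_server: Optional[Tuple[str, int]] = None
    components: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def missing_tags(self) -> Set[str]:
        return EXPECTED_TAGS - self.qualified_tags

    def problems(self) -> List[str]:
        out: List[str] = []
        if self.ca_alias is None:
            out.append("CA certificate was not reported as compatible")
        out += [f"no qualified certificate for tag {t}" for t in sorted(self.missing_tags())]
        if self.admin_server is None:
            out.append("Administration Server check did not complete")
        out += [f"{c} status not reported" for c in ("PD", "SCM") if c not in self.components]
        return out

    def healthy(self) -> bool:
        return not self.problems()


def parse_diagnosis(text: str) -> DiagnosisReport:
    # Prompt lines (":>") and banners carry no result and are simply skipped
    rep = DiagnosisReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEYSTORE.match(line):
            rep.keystores.append(m.group(1).strip())
        elif m := _QUALIFIED.match(line):
            rep.qualified_tags.add(m.group(1))
        elif m := _CA_OK.match(line):
            rep.ca_alias = m.group(1)
        elif m := _ADMIN.match(line):
            rep.admin_server = (m.group(1), int(m.group(2)))
        elif m := _COMPONENT.match(line):
            rep.components[m.group(1)] = (m.group(2), int(m.group(3)))
    return rep


# The demo-mode run shown on the page, embedded so the example runs offline
SAMPLE_RUN = r"""
checking keystore:C:\bea_ssms\ales32-shared/keys/DemoTrust.jks
Enter Demo Trust CA keystore password :>
Enter Demo Trust CA Alias:>alesdemoca
checking keystore:C:\bea_ssms\ales32-shared/keys\trust.jks
Enter password of C:\bea_ssms\ales32-shared/keys\trust.jks:>
checking keystore:C:\bea_ssms\ales32-shared/keys\identity.jceks
Enter password of C:\bea_ssms\ales32-shared/keys\identity.jceks:>
checking keystore:C:\bea_ssms\ales32-shared/keys\peer.jks
Enter password of C:\bea_ssms\ales32-shared/keys\peer.jks:>
checking Demo Trust CA certificate
the CA certificate with alias name: alesdemoca is compatible with OES requirement
Checking Admin server: blougee-lap and port number is: 7010
Processing ssl diagnosis result
found qualified certificate for certficate with tag:cacert
found qualified certificate for certficate with tag:ssmcert
found qualified certificate for certficate with tag:admincert
found qualified certificate for certficate with tag:trustedcert
check OES component: PD & SCM status
input one of installed SSMs' Location:>C:\bea_ssms\ales32-ssm\java-ssm
PD is working on blougee-lap and port number is 7011
SCM is working on localhost and port number is 7005
"""

if __name__ == "__main__":
    report = parse_diagnosis(SAMPLE_RUN)
    print("healthy" if report.healthy() else "PROBLEMS: " + "; ".join(report.problems()))
```

Feed the captured output of a real run (for example, redirected to a file) to parse_diagnosis and alert on problems(); a secure-mode run against a production CA should still produce the same four qualified tags, so a missing tag points at the keystore the preceding "checking keystore" line named.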