bea.com | products | dev2dev | support | askBEA |
|
e-docs > WebLogic Server > Managing WebLogic Security > Configuring the SSL Protocol |
Managing WebLogic Security |
This following sections describe how to configure the SSL protocol for WebLogic Server:
Note: This chapter applies to WebLogic Server deployments using the security features in WebLogic Server 7.0 as well as deployments using Compatibility Security.
Configuring the SSL protocol is an optional step, however, BEA recommends using the SSL protocol in production.
The Secure Sockets Layer (SSL) protocol provides secure connections by allowing two applications connecting over a network connection to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.
The SSL protocol in WebLogic Server 7.0 implements the SSL 3.0 and TLS 1.0 specifications.
Note: The proxy plug-ins in WebLogic Server 7.0 only support SSL 3.0.
WebLogic Server supports the SSL protocol on a dedicated listen port which defaults to 7002. To establish an SSL connection, a Web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPs schema in the connection URL, for example, https://myserver:7002.
Using the SSL protocol is computationally intensive and adds overhead to a connection. You should avoid using the SSL protocol when it is not necessary. However, you should always use the SSL protocol in a production environment.
Private Keys, Digital Certificates and Trusted Certificate Authorities
Private keys, digital certificates, and trusted certificate authorities (CAs) establish and verify server identity.
The SSL protocol uses public key encryption technology for authentication. With public key encryption, a public key and a private key are generated for a server. The keys are related such that data encrypted with the public key can only be decrypted using the corresponding private key. The private key is carefully protected so that only the owner can decrypt messages.
The public key is embedded into a digital certificate with additional information describing the owner of the public key, such as name, street address, and e-mail address.
The data embedded in a digital certificate is verified by a certificate authority (also referred to as trusted CA) and digitally signed with the certificate authority's digital certificate. Well-know certificate authorities include Verisign and Entrust.net.
An application participating in an SSL connection is authenticated when the other party evaluates and accepts their digital certificate. Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted CA and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the digital certificate of the CA used to sign it expired. A server certificate can be invalidated in the URL of the server that presented the certificate does not match the URL embedded in the certificate.
The SSL protocol can be configured one-way or two-way:
Setting Up the SSL Protocol: Main Steps
For more information on these steps, see:
Obtaining Private Keys, Digital Certificates and Trusted CAs
Storing Private Keys, Digital Certificates, and Trusted CAs
Setting Attributes for One-Way SSL
Setting Attributes for Two-Way SSL
Obtaining Private Keys, Digital Certificates and Trusted CAs
To use the SSL protocol, you need a private key, a digital certificate containing the matching public key, and at least one trusted CA that can verify the data embedded in the digital certificate. WebLogic Server supports private keys, digital certificates, and trusted CAs from the following sources:
When you create a domain through the Configuration Wizard, the demonstration certificates and private keys are copied into the domain directory. The digital certificate file contains the name of the local host and the private key file is time-stamped by the build. The demonstration digital certificates, private keys, and trusted CAs should only be used for demonstration or testing purposes and not in a production environment
WebLogic Server can use digital certificates in either .pem or .der format. The file extension determines the format of the digital certificate file.
A .pem (privacy-enhanced mail) format file begins with this line:
A .der format file contains binary data. WebLogic Server requires that the file extension match the contents of the digital certificate, so be sure to save the file you receive from the trusted CA with the correct file extension.
Private keys must be in PKCS#5/PKCS#8 PEM format.
Note: The CertGen utility generates digital certificates and private keys that should only be used for demonstration or testing purposes and not in a production environment.
The CertGen utility creates a private key and digital certificate signed by the demonstration certificate authority (CertGenCA). The digital certificates generate by the Cert Gen utility have the hostname of the machine on which they were generated as the common name, so you must generate a digital certificate for every machine on which you wish to use the SSL protocol.
The CertGen utility generates two .pem files and two .der files. View the .der files in a Web browser to view the details of the generated digital certificate. Use the .pem files when you boot WebLogic Server or use the digital certificates with a client.
The CertGen tool uses the JDK version 1.3 InetAddress.getLocalHost().getHostname() method to get the hostname it puts in the common name field of a certificate. The getHostName() method works differently on different platforms. It returns a fully qualified domain name (FQDN) on some platforms (for example, Solaris) and a short host name on other platforms (for example, Windows NT). If WebLogic Server is acting as a client (and by default hostname verification is enabled), you need to ensure the hostname specified in the URL matches the common name field in the certificate. Otherwise, your connection fails because the hostnames do not match.
On Solaris, when you type hostname on the command line the server looks at the /etc/hosts file and gets a short hostname. When you invoke java.net.InetAddress.getHostName(), the host goes to the /etc/nsswitch.conf file and depending on how the host is configured returns a FQDN or a short hostname.
If the host entry is configured as:
hosts: dns nis [NOTFOUND=return]
The host performs a name service look up first and uses the information /etc/hosts file only if DNS is not available. In this case, a FQDN is returned.
If the host entry is configured as:
hosts: files dns nis [NOTFOUND=return]
The host goes to the /etc/hosts file first and then goes to DNS. In this case, a short hostname is returned.
Using the Certificate Request Generator Servlet
Before using a WebLogic Server deployment in a production environment, you need to obtain a private key and certificate from a trusted certificate authority such as VeriSign or Entrust.net. To acquire a digital certificate from a certificate authority, you must submit your request in a particular format called a CSR. The Certificate Request Generator servlet collects information from you and generates a private key file and a CSR. You then submit the CSR to a certificate authority.
To generate a CSR, perform the following steps:
The Certificate Request Generator servlet displays messages informing you if any required attributes are empty or if any attributes contain invalid values. Click Back in your Web browser and correct any errors.
When all attributes have been accepted, the Certificate Request Generator servlet generates the following files in the startup directory of your WebLogic Server:
Converting a Microsoft p7b Format to PEM Format
Microsoft can also be used as a certificate authority. The digital certificates issued by Microsoft are in a format (p7b) that cannot be used by WebLogic Server. To convert a digital certificate in p7b format to PEM format:
Note: For p7b certificate files that contain certificate chains, you need to concatenate the issuer PEM digital certificates to the certificate file. The resulting certificate file can be used by WebLogic Server.
Storing Private Keys, Digital Certificates, and Trusted CAs
Once you have obtained private keys, digital certificates, and trusted CAs, you need to store them so that WebLogic Server can use them to verify identity. Digital certificates can only be stored in a file in the domain directory. Private keys and trusted CAs can either be stored in a file in the domain directory or in a keystore.
Creating a Keystore and Loading Private Keys and Trusted CAs into the Keystore
A keystore is a mechanism designed to create and manage files that store private keys and trusted CAs. The WebLogic Keystore provider locates instances of keystores. Use the following utilities to create a keystore and load private keys and trusted CAs into the keystore:
Note: The keytool utility requires a digital certificate to be presented when importing a private key into the keystore. This digital certificate is not used by WebLogic Server.
While you can use the keytool utility to load new private keys and trusted CAs into a keystore, the utility does not allow you to take an existing private key from a file and import it into the keystore.
Either create one keystore for both private keys and trusted CAs or two keystores: one for private keys and one for trusted CAs. BEA recommends creating two keystores.
By default, WebLogic Server looks for a private key keystore named wlDefaultKeyStore.jks in the domain directory. The keystore for trusted CAs can use either the demonstration trusted CA (weblogic700/server/lib/cacerts) or a trusted CA available from the JDK (.../jre/lib/security/cacerts).
Note: The weblogic700/server/lib/cacerts file should be used for demonstration or testing purposes and not in a production environment.
All keystore entries (private key and trusted CAs) are accessed via unique aliases. You specify the alias when loading the private key or trusted CA into the keystore. Aliases are case-insensitive; the aliases Hugo and hugo would refer to the same keystore entry. Aliases for private keys are specified in the Server Private Key Alias attribute when configuring the SSL protocol.
Configuring the WebLogic Server Keystore Provider to Locate a Keystore
Note: The WebLogic Keystore provider is deprecated in WebLogic Server 7.0 SP01.
The WebLogic Keystore provider has been enhanced in the following ways:
Configuring a WebLogic Keystore provider is an optional step. If private keys and digital certificates are stored in files, you do not need to configure the WebLogic Keystore provider.
To configure the WebLogic Keystore provider, you need to create a keystore and set attributes in the Administration Console that point to the keystore.
Note: Weblogic Keystore providers are configured on a domain basis. However, keystores are configured on a per machine basis. If you have multiple security realms or multiple servers running on the same machine, they can all use the same keystore.
To configure the WebLogic Keystore provider:
Note: If you don't want to use the WebLogic Keystore provider to store trusted CAs, you have the option of specifying another keystore location as a command line argument when starting WebLogic Server.
Use the -Dweblogic.security.SSL.trustedCAKeyStore command line argument to specify the location of a keystore that contains certificate authorities that the server or client trusts. The path value must be a relative or qualified name to a Sun JKS keystore file. If you do not specify this argument, WebLogic Server trusts all of CA stored in JAVA_HOME\jre\lib\security\cacerts.
For more information, see the weblogic.Admin Command-Line Reference.
Weblogic Server looks for trusted CAs in the following sequence:
To enable the SSL protocol, perform the following steps:
Setting Attributes for One-Way SSL
To define attributes for one-way SSL:
Setting Attributes for Two-Way SSL
Two-way SSL requires clients to present a digital certificate to WebLogic Server in order to establish an SSL connection. The client first authenticates the server's digital certificate and then the server authenticates the client's digital certificate.
To define attributes for two-way SSL:
Command-Line Arguments for the SSL Protocol
To use a private key stored in a file with WebLogic Server, use the following command-line argument:
-Dweblogic.management.pkpassword=pkpassword
where password is the password for the private key.
To specify a trusted CA keystore other than the keystore specified in the Root CA Key Store Location attribute in the WebLogic Keystore provider, use the following command line argument:
-Dweblogic.security.SSL.trustedCAkeystore=path
The path value must be a relative or qualified name to a Sun JKS keystore file. If you do not specify this argument, the server or client trusts all of the CA certificates that are in shipped in the JDK (JAVA_HOME\jre\lib\security\cacerts).
Note: The weblogic.security.SSL.sessionCache.size and weblogic.security.SSL.sessionCache.ttl command-line arguments are not supported in WebLogic Server 7.0. For more information, see SSL Session Behavior.
WebLogic Server allows SSL sessions to be cached. Those sessions live for the life of the server.
not change this behavior in WebLogic Server 7.0. The weblogic.security.SSL.sessionCache.size and weblogic.security.SSL.sessionCache.ttl command-line arguments are ignored.
Clients that use HTTPS URLs get a new SSL session for each URL because each URL uses a different SSL context and therefore SSL sessions can not be shared or reused. The SSL session can be retrieved using the weblogic.net.http.HttpsClient class or the weblogic.net.http.HttpsURLConnection class.
Clients that use SSL sockets directly can control the SSL session cache behavior. The SSL session cache is specific to each SSL context. All SSL sockets created by SSL socket factory instances returned by a particular SSL context can share the SSL sessions.
Clients default to resuming sessions at the same IP address and port. Multiple SSL sockets use the same host and port share SSL sessions by default assuming the SSL sockets are using the same underlying SSL context.
Clients that don't want SSL sessions to be used at all need to explicitly call setEnableSessionCreation(false) on the SSL socket to ensure that no SSL sessions are cached. This setting only controls whether an SSL session is added to the cache, it does not stop an SSL socket from finding an SSL session that was already cached (for example, SSL socket 1 caches the session, SSL socket 2 sets setEnableSessionCreation to false but it can still reuse the SSL session but can still reuse the SSL session from SSL socket 1 since that session was put in the cache.)
SSL sessions exist for the lifetime of the SSL context, they are not controlled by the lifetime of the SSL socket. Therefore, creating a new SSL socket and connecting to the same host and port can resume a previous session as long as the SSL socket is created using an SSL socket factory from the SSL context that has the SSL session in its cache.
In WebLogic Server 6.x, there is one SSL session cached in the thread of execution. In WebLogic Server 7.0, session caching is maintained by the SSL context which can be shared by threads. A single thread has access to the entire session cache not just one SSL session so multiple SSL sessions can be used and shared in a single (or multiple) thread.
Using the SSL Protocol in a Cluster
When using the SSL protocol in a cluster, perform the following steps:
Note: If you choose to store the private keys in a keystore, you must use the same directory location and filenames for the keystore and the private key on each machine in the cluster.
A Hostname Verifier ensures the host to which an SSL connection is made is the intended or authorized party. A Hostname Verifier is useful when WebLogic Server or a WebLogic client is acting as an SSL client to another application server. It prevents man-in-the-middle attacks.
By default, WebLogic Server, as a function of the SSL handshake, compares the common name in the SubjectDN in the SSL server's digital certificate with the host name of the SSL server used to initiate the SSL connection. If these names do not match, the SSL connection is dropped. The SSL client actually drops the SSL connection if the names do not match.
If anything other than the default behavior is desired, either turn off host name verification or register a custom host name verifier. Turning off host name verification leaves WebLogic Server vulnerable to man-in-the-middle attacks.
Turn off host name verification in the following ways:
You can also write a custom Hostname Verifier. For more information, see Programming WebLogic Security. If you write a custom Hostname Verifier, the name of the class that implements the Hostname Verifier must be specified in the CLASSPATH of WebLogic Server.
To use a custom Hostname Verifier:
Configuring RMI over IIOP with SSL
Use the SSL protocol to protect IIOP connections to RMI remote objects. The SSL protocol secures connections through authentication and encrypts the data exchanged between objects.
To use the SSL protocol to protect RMI over IIOP connections, do the following:
For more information about using RMI over IIOP, see Programming WebLogic RMI and Programming WebLogic RMI over IIOP.