![]() ![]() ![]() ![]() ![]() ![]() ![]() |
AquaLogic Enterprise Security uses an implementation of the Transport Layer Security (TLS) 1.0 specification, also referred to as SSL. The server (WebLogic Server or Tomcat) hosting ALES supports TLS on a dedicated listening port that defaults to 7010. To establish a secure connection, a client (Web browser or Java application) connects to the Administration Server by supplying the port and the secure address (HTTPS) in the connection URL, e.g., https://myserver:7010
. The Administration Server returns a certificate to identify itself to the client.
When you install ALES, demonstration certificates are provided and configured automatically for working in a development environment. However, it is very important that these certificates not be used in a production environment.
Secure Sockets Layer (SSL) is described in the following sections.
Basic information about SSL and ALES is contained in the following sections.
For more information about SSL and WebLogic Server, see Configuring SSL in Securing WebLogic Server in the WebLogic Server documentation set.
Private keys, digital certificates, and trusted certificate authorities establish and verify server identity. SSL uses public key encryption for authentication. With public key encryption, a public key and a private key are generated for a server. Data encrypted with the public key can only be decrypted using the corresponding private key and vice versa. The private key is carefully protected so that only the owner can decrypt messages that were encrypted using the public key.
The public key is embedded within digital certificate along with additional information describing the owner of the public key, such as name, street address, and e-mail address. A private key and digital certificate provide identity for the server.
The data embedded in a digital certificate is verified by a certificate authority (CA) and is digitally signed with the digital certificate of the certificate authority. Well-known certificate authorities include Verisign and Entrust. The trusted CA certificate establishes trust for a certificate.
Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalid because it has expired, or the digital certificate of the CA used to sign it expired, or because the host name in the digital certificate of the server does not match the URL specified by the client.
You can configure SSL to use either one-way or two-way authentication:
To establish an SSL connection, the server must present a certificate to the client, but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server, but the server accepts any client into the connection. One-way SSL is common on the Internet where customers want to create secure connections before sharing personal data. Often, clients use SSL to log on so that the server can authenticate them. By default, the Administration Server is configured for one-way SSL using demo certificates.
To establish the SSL connection, the server must present a certificate to the client and the client must also present a certificate to the server. ALES can be configured to require clients to submit valid and trusted certificates before completing the SSL connection.
A keystore is a mechanism designed to create and manage private key/digital certificate pairs and trusted CA certificates.
All private key entries in a keystore are accessed through unique aliases and a password that is specified when creating the private key in the keystore. The default alias for the ALES Administration Server certificates is ales-webserver
. Note: Aliases are case-insensitive; the aliases Hugo
and hugo
would refer to the same keystore entry.
ALES explicitly trusts all certificate authorities whose entries are found in the keystore configured as trusted. Although ALES does not use the alias to access trusted CA certificates, the keystore does require an alias when loading a trusted CA certificate into the keystore.
Upon installation, two keystores are used to establish trust between the Administration Server and clients:
Webserver.jks
— The keystore is located in the Administration Servers ssl
directory. It contains:DemoTrust.jks
— This keystore is located in the ssl
directory of the SSM or SCM instance. It used by enrollment clients when connecting from an SSM or SCM instance. It contains the public certificate of the same trusted ALES Demo certificate authority that is in webserver.jks
. This keystore is used when running enroll.bat/sh
(for SSM) or enrolltool.bat/sh
(for SCM) with the demo
argument. When using the secure
argument, the SSM enroller uses $JAVA_HOME/lib/security/cacerts
, while the SCM uses its own trust.jks keystore.For descriptions of common keytool commands, see Keytool Utility on page 5-8.
The client types connecting to the Administration Server are: (1) Internet Explorer browsers accessing the administration console, and (2) SSM enrollment clients. The method used to establish trust depends on the client type.
DemoTrust.jks
keystore to establish trust. When the client tries to enroll, the Administration Server presents its public certificate for verification to the enrollment client. The client will trust the certificate, because the DemoTrust.jks
keystore that it is using in demo mode has the same ALES Demo CA certificate.The important thing to remember when updating certificates is that the server and client both trust a common CA.
To configure SSL for a production environment you must create a keystore to replace Webserver.jks
and configure the Administration Server to use it. Then you may configure ALES to use one-way or two-way SSL.
Procedures described in this section make use of Sun's keytool utility. For information about this tool, see Keytool Utility.
secureWebserver.jks
keystore and generate the private key using keytool utility as follows:keytool -genkey -alias ales-webserver -keyalg RSA -keystore secureWebserver.jks
keytool -import -alias cacerts -keystore secureWebserver.jks -trustcacerts -file <filename_of_the_chain_certificate
>
keytool -import -alias ales-webserver -keystore secureWebserver.jks -trustcacerts -file <your_certificate_filename
>
trust.jks
in the ssl
directory. keytool -import -alias cacerts -keystore trust.jks -trustcacerts -file <filename_of_the_chain_certificate
>
The procedure for configuring the new keystore (secureWebserver.jks
) for production use on depends on the type of server hosting ALES. This section provides instructions for WebLogic Server and Tomcat.
Perform the following steps to use the secure the keystore when using WebLogic Server.
Note: | For information about using the WebLogic Server Administration Console to configure SSL, see Set up SSL in the WLS Administration Console online help. |
secureWebserver.jks
to the ssl
directory where the Administration Server is installed (the default is BEA_HOME/ales25-admin/ssl)
.BEA_HOME/asiDomain/config.xml
) as follows.webserver.jks
with secureWebserver.jks
.ServerPrivateKeyAlias
attribute to match the alias that is assigned to the certificate in the secureWebserver.jks
keystore. In the example above it was ales-webserver
.ServerPrivateKeyPassPhrase
attribute to match the password for the secureWebserver.jks
keystore.
After performing these steps, running enroll.bat/sh
(for a SSM) or enrolltool.bat/sh
(for a SCM) will pass in secure
instead of demo
as an argument.
Perform the following steps to use the secure keystore when using WebLogic Server.
Note: | For more information about SSL under Apache Tomcat, see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html . |
After performing these steps, running enroll.bat/sh
(for a SSM) or enrolltool.bat/sh
(for a SCM) will pass in secure
instead of demo
as an argument.
The procedure for configuring the new keystore (secureWebserver.jks
) for two-way SSL (SSL with client authentication) depends on the type of server hosting ALES. This section provides instructions for WebLogic Server and Tomcat.
To configure the Administration Server for two-way SSL on WebLogic server:
adminserver
.
After performing these steps, running enroll.bat/sh
(for a SSM) or enrolltool.bat/sh
(for a SCM) will pass in secure
instead of demo
as an argument.
To configure the Administration Server for two-way SSL on WebLogic server:
TOMCAT_HOME/config/server.xml
in a text editor and set the value of clientAuth
as follows.
After performing these steps, running enroll.bat/sh
(for a SSM) or enrolltool.bat/sh
(for a SCM) will pass in secure
instead of demo
as an argument.
Sun Microsystem's keytool utility is included in JDK installations. For complete information about this tool, consult the Sun Microsystems web site. See also detailed command usage options for Windows ( http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html) and Solaris/Linux ( http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html).
When using the keytool utility, observe the following:
Table 5-2 shows the keytool commands to use when creating and using JKS keystores.
![]() ![]() ![]() |