|
|
ALES uses SSL for communications between the Administration Server, remote ALES components, and external clients. Installation of ALES includes demonstration certificates that can be used get the system up and running in non-production environments.
This document describes how ALES uses SSL and provides instructions for replacing the demonstration certificates with those signed by a recognized Certificate Authority. It contains the following topics:
ALES uses one-way or two-way SSL as follows:
Once the enrollment process is performed on a remote machine, all ALES components on that machine (SCM, SSM) are bound into the internal ALES trust structure based on the internal CA, residing on the Administration Server. All communication with the server is performed using two-way SSL.
With the exception of Web Services SSMs, a single set of keys located in BEA_HOME\ales30-shared\keys is used by all ALES components on that machine. When enrollment is initiated on a remote machine, communication between the enrollment client and the Administration Server is one-way SSL.
NOTE: For step-by-step enrollment instructions, see the SSM Installation and Configuration Guide.
If enrollment is performed in demo mode, the Administration Server presents its certificate signed by the Demo ALES CA that is supplied with the installation that enrollment clients are configured to trust. In secure mode, the client verifies the CA certificate against its list of trusted certificate authorities in $JAVA_HOME/lib/security/cacerts.
One-way SSL is used for browser connections with the Administration Console or the Entitlements Management Tool. When a browser client initiates the connection, the Administration Server sends the client its certificate. If the CA authority that signed the certificate of Administration web server (WebLogic or Tomcat) is in the browser’s trusted stored, the browser proceeds to establish the one-way SSL connection. If not, the browser issues a warning that allows the user to trust the certificate.
NOTE: The ALES administration tools themselves use two-way SSL when communicating with other internal ALES components.
Instead of using the provided Java wrapper for the BLM SOAP interface, external clients may directly access BLM interfaces. For instructions, see
Upon installation, two keystores containing demo certificates are used to establish trust between the Administration Server and clients:
BEA_HOME\ales30-shared\keys\webserver.jks. This keystore contains a demonstration private key for the Administration Server, the server’s identity in a public certificate that is signed by the Demo ALES CA, and a public certificate for the internal CA itself. demo mode. Because this keystore also contains the Demo CA certificate, clients will trust the Administration Server. This keystore is located in the BEA_HOME\ales30-shared\keys directory.
For production environments, first configure the Administration Server’s keystore to use a keystore containing a valid CA certificate. After this, SSMs can be bound into the SSL framework by enrolling in secure mode.
| Note: | Some certificates issued by CA authorities do not strictly comply with Certicom’s Internet X.509 Public Key Infrastructure standard. To use these certificates, you must disable constraints extension checking by adding information to the the enrollment and unenrollment scripts. For instructions, see Disable Constraints Extension Checking. |
Clients enrolling in secure mode will verify the CA certificate against its list of trusted certificate authorities in $JAVA_HOME/lib/security/cacerts, which already contains most commercial CAs. If the certificate authority you are using is not in the list of trusted CAs, the CA’s certificate must be imported into cacerts.
BEA_HOME\ales30-shared\keys\webserver.jks to demowebserver.jks or a similar name.| Note: | This allows you to create the new keystore named webserver.jks. Doing so will minimize modifications that must be made to existing Administration Server config files. |
keytool -genkey -alias ales-webserver -keyalg RSA -keystore Webserver.jks
keytool -certreq -alias ales-webserver -keyalg RSA -file certreq.csr -keystore Webserver.jks
keytool -import -alias AlesCA -keystore Webserver.jks -trustcacerts -file <chain_certificate_filename> keytool -import -alias ales-webserver -keystore Webserver.jks -trustcacerts -file <certificate_filename> Webserver.jks to the BEA_HOME\ales30-shared\keys directory.
In
BEA_HOME/asiDomain/config.xml, replace the existing <server-private-key-pass-phrase-encrypted> value with the encrypted value of the keystore password used when new webserver.jks keystore was created (see step 3).
|
|
SSL connections between BLM clients and the BLM server are two-way SSL by default. You can change this to one-way SSL using the following steps:
BEA_HOME/ales30-admin/config/WLESblm.properties in an editor and add the following parameter to the bottom of the file:| Note: | If you are using the default properties file, this is already entered as a commented line at the bottom of the file. Simply remove the comment symbol (#). |
BEA_HOME/ales30-admin/bin/WLESadmin.sh restart
This is all that is required if the BLM client is on the same machine and the server. You do not need to perform the remaining steps.
trust.jks in the BEA_HOME/ales30-shared/keys directory and move the copy to an appropriate directory on the BLM client machine.
-Dwles.ssl.trustedCAKeyStore=/<directory_name>/trust.jks
<directory_name>—name of the directory containing trust.jks.
| Note: | No keys are distributed with trust.jks. It contains only the CA public certificate. |
If your CA certificates do not strictly comply with Certicom’s Internet X.509 Public Key Infrastructure standard, you must disable constraints extension checking by the enrollment and unenrollment scripts. To do this, add the following lines to enroll.bat|sh and unenroll.bat|sh located in the BEA_HOME/ales32-shared/bin directory.
if [ -f $JAVA_HOME/lib/security/cacerts ]; then
JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/lib/security/cacerts -Dlog4j.configuration=file:./log4j.properties"
else
JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/jre/lib/security/cacerts -Dlog4j.configuration=file:./log4j.properties"
fileif [ "$1" = "demo" ]; then
JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=no -Dwles.ssl.trustedCAKeyStore=$ALES_SHARED_HOME/keys/DemoTrust.jks -Dlog4j.configuration=file:./log4j.properties"
else
|