This chapter describes SSL configuration WLST commands.
WLST commands are available to configure and manage SSL for Oracle Fusion Middleware components.
Use the commands listed in Table 3-1 for this task.
See Also: Administering Oracle Fusion Middleware for important instructions on how to launch the WLST shell to run SSL-related commands. Do not launch the WLST interface from any other location.
Note: All WLST commands for SSL configuration must be run in online mode.
You can obtain help for each command by issuing:
help('command_name')
Certain commands require parameters like instance name, ias-component and process type. You can obtain this information with the command:
state('serverName') [in WebLogic domain]
nmServerStatus(serverName='name', serverType='type') [in Standalone domain]
SSL configuration employs certain properties files for use with the WLST configureSSL command. The files contain parameters to specify the desired SSL configuration, such as authentication type, cipher values, and SSL version.
You can use descriptive names if you need to manage multiple properties files for different components. For example, you could have properties files named ohs-ssl-properties.prop or ovd-ssl-properties.prop.
All the SSL properties files have a consistent structure.
Table 3-2 provides details about the key-value structure and usage of these files.
Table 3-2 Parameters in Properties File
| Key | Mandatory? | Allowed Values for Oracle HTTP Server | Usage |
|---|---|---|---|
| SSLEnabled | No | true, false | Either value |
| Ciphers | No | See "SSLCipherSuite" in Administering Oracle HTTP Server. | One or more comma separated values |
| SSLVersions | No | See "SSLProtocol" in Administering Oracle HTTP Server. | |
| CertValidation | No | none, crl | Either value |
| CertValidationPath | No | file://, dir:// | Path of the CRL file, or directory containing CRL files |
| KeyStore | No | Valid wallet name | |
| TrustStore | No | N/A | |
| AuthenticationType | No | None, Server, Optional, Mutual | Any one value |
Table 3-3 shows the default values:
Table 3-3 Default Values of Parameters
| Key | Default Value for Oracle HTTP Server |
|---|---|
| SSLEnabled | true |
| Ciphers | null |
| SSLVersions | null |
| CertValidation | none |
| CertValidationPath | null |
| KeyStore | default |
| TrustStore | - |
| AuthenticationType | Server |
Note:
At least one DH_anon cipher must be used in SSL no-auth mode. For all other modes, at least one RSA cipher must be used.
The value of the KeyStore parameter must be specified when configuring SSL in server-auth, mutual-auth, or optional client auth.
If only AES ciphers have been specified, the SSLVersions parameter must contain TLSv1 or nzos_Version_1_0.
If you are doing CRL-based validation, the value of the CertValidation parameter should be crl and the value of the CertValidationPath parameter should point to the CRL file/directory.
Some examples demonstrating the use of the properties files follow.
Example 1: Basic Properties File
SSLEnabled=true
AuthenticationType=None
CertValidation=none
This properties file specifies no authentication mode, and default values will be used during SSL configuration for ciphers and SSL version. Keystore and truststore properties are not specified since the authentication type is None. For other authentication types, keystore must be specified.
Example 2: Basic Properties File
SSLEnabled=
AuthenticationType=None
CertValidation=none
This properties file is exactly the same as above, except that SSLEnabled is explicitly specified without any value. This is the same as not specifying the key at all. In both cases, the default value will be used.
Therefore, all of the following three settings have the same meaning:
- The setting SSLEnabled=true: here the value true is explicitly specified.
- The setting SSLEnabled= : since no value is given, the default value of SSLEnabled (true) is used.
- The key SSLEnabled is not present in the properties file: since the key is absent, its default value (true) is used.
Example 3: Properties File with Version for Oracle HTTP Server
SSLEnabled=true
AuthenticationType=Mutual
SSLVersions=nzos_Version_1_0
CertValidation=crl
CertValidationPath=file:///tmp/file.crl
KeyStore=ohs1
This properties file has:
- Default values for ciphers
- Keystore ohs1
- SSL version nzos_Version_1_0 (SSL v1)
- CRL validation turned on, using the CRL file /tmp/file.crl
- Mutual authentication mode
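The rules in the Note above (DH_anon versus RSA ciphers, the KeyStore requirement for server/optional/mutual authentication, the AES-only version constraint, and the CRL path) are easy to get wrong in a hand-written properties file, and configureSSL will apply whatever it is given. The following script is an added example, not part of the Oracle documentation or the WLST tool: it parses a properties file using the Oracle HTTP Server defaults from Table 3-3 (treating an empty value exactly like an absent key, as Example 2 describes) and reports every rule violation before the file is handed to configureSSL. The sample files and the substring checks for cipher-suite names ("DH_anon", "RSA", "AES") are this example's own assumptions.

```python
"""Pre-flight check of an SSL properties file for WLST configureSSL.

Added example, not part of the Oracle documentation. It applies the Oracle
HTTP Server defaults (Table 3-3) and the rules from the Note (DH_anon/RSA
cipher, KeyStore, AES-only versions, CRL path) to a properties file before
it is passed to configureSSL. The sample files below are constructed.
"""

# Default values for Oracle HTTP Server (Table 3-3). An absent key, or a key
# present with an empty value, resolves to its default.
DEFAULTS = {
    "SSLEnabled": "true",
    "Ciphers": None,
    "SSLVersions": None,
    "CertValidation": "none",
    "CertValidationPath": None,
    "KeyStore": "default",
    "TrustStore": None,
    "AuthenticationType": "Server",
}

AUTH_TYPES = ("None", "Server", "Optional", "Mutual")
AES_ONLY_VERSIONS = ("TLSv1", "nzos_Version_1_0")


def parse_properties(text):
    """Parse name=value lines into (effective values, explicitly set keys).

    Blank lines and '#' comments are skipped. 'SSLEnabled=' with no value is
    treated exactly like an absent key, as the documentation describes."""
    props = dict(DEFAULTS)
    explicit = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line, expected key=value: %r" % line)
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in DEFAULTS:
            raise ValueError("unknown key: %s" % key)
        if value:
            props[key] = value
            explicit.add(key)
    return props, explicit


def _split(value):
    """Split a comma separated value; None or empty gives an empty list."""
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def validate(props, explicit):
    """Return the list of rule violations; an empty list means the file passes."""
    problems = []
    auth = props["AuthenticationType"]
    if auth not in AUTH_TYPES:
        problems.append("AuthenticationType must be one of %s" % ", ".join(AUTH_TYPES))
    if props["SSLEnabled"] not in ("true", "false"):
        problems.append("SSLEnabled must be true or false")

    ciphers = _split(props["Ciphers"])
    versions = _split(props["SSLVersions"])
    if ciphers:
        # No-auth mode needs an anonymous DH suite; every other mode needs an RSA suite.
        if auth == "None" and not any("DH_anon" in c for c in ciphers):
            problems.append("AuthenticationType=None requires at least one DH_anon cipher")
        if auth != "None" and not any("RSA" in c for c in ciphers):
            problems.append("AuthenticationType=%s requires at least one RSA cipher" % auth)
        # An AES-only cipher list is valid only with TLSv1 / nzos_Version_1_0.
        if all("AES" in c for c in ciphers) and not any(v in AES_ONLY_VERSIONS for v in versions):
            problems.append("only AES ciphers listed: SSLVersions must contain TLSv1 or nzos_Version_1_0")

    # Server, Optional and Mutual authentication all present a server certificate,
    # so the wallet must be named explicitly rather than left to the default.
    if auth != "None" and "KeyStore" not in explicit:
        problems.append("KeyStore must be specified for AuthenticationType=%s" % auth)

    validation = props["CertValidation"]
    path = props["CertValidationPath"]
    if validation not in ("none", "crl"):
        problems.append("CertValidation must be none or crl")
    elif validation == "crl":
        if not path or not (path.startswith("file://") or path.startswith("dir://")):
            problems.append("CertValidation=crl requires CertValidationPath=file://... or dir://...")
    elif path:
        problems.append("CertValidationPath is set but CertValidation is none, so it is ignored")
    return problems


def check(text):
    """Parse and validate in one step; returns (effective properties, problems)."""
    props, explicit = parse_properties(text)
    return props, validate(props, explicit)


# Constructed sample files: the Example 3 file from the text, and a file that
# breaks three of the rules at once (no KeyStore, AES-only without a version,
# CRL validation without a path).
GOOD_FILE = """\
SSLEnabled=true
AuthenticationType=Mutual
SSLVersions=nzos_Version_1_0
CertValidation=crl
CertValidationPath=file:///tmp/file.crl
KeyStore=ohs1
"""

BAD_FILE = """\
AuthenticationType=Mutual
Ciphers=SSL_RSA_WITH_AES_128_CBC_SHA
CertValidation=crl
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        props, problems = check(text)
        print(name, props["AuthenticationType"], problems or "OK")
```

Run it against the file you intend to pass as filePath; only when the problem list is empty is the file worth applying with configureSSL, since a file that passes these checks still has to name a wallet and cipher suites that actually exist on the target instance.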
configureSSL: online command that sets SSL attributes.
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, then default attribute values are used.
For details about the format of properties files, see Section 3.2, "Properties Files for SSL."
configureSSL('instName', 'compName', 'compType', 'listener', 'filePath')
| Argument | Definition |
|---|---|
| instName | Specifies the name of the application server instance. |
| compName | Specifies the name of the component instance. |
| compType | Specifies the type of component. Valid value is 'ohs'. |
| listener | Specifies the name of the component listener to be configured for SSL. |
| filePath | Specifies the absolute path of the properties file containing the SSL attributes to set. |
The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
getSSL: online command that lists the configured SSL attributes.
This command lists the configured SSL attributes for the specified component listener.
getSSL('instName', 'compName', 'compType', 'listener')
| Argument | Definition |
|---|---|
| instName | Specifies the name of the application server instance. |
| compName | Specifies the name of the component instance. |
| compType | Specifies the type of component. Valid value is 'ohs'. |
| listener | Specifies the name of the component listener. |