Oracle® Retail Process Orchestration and Monitoring Security Guide Release 4.0.1 F17860-01
Oracle Retail applications are primarily deployed in Oracle WebLogic server at the Middleware tier. Java and forms-based applications rely upon Middleware infrastructure for complete security. This is separate from application-specific security features.
This chapter describes the pre-installation steps for secured setup of Oracle Retail infrastructure in WebLogic.
The following topics are covered in this chapter:
See the following sections on JDK hardening for use with Retail applications:
You need to install the unlimited-strength Java Cryptography Extension (JCE) policy files if you want to use the strongest cipher suites (256-bit encryption). The files you need depend on the Java Development Kit (JDK) version.
Using the following URL, download and install the JCE Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
For JDK 7, download from the following URL, then replace the files in the JDK/jre/lib/security directory:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
For JDK 8, download the files from the following URL:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Note: This section is applicable only for applications using Java 7.
Edit the following lines in the /jre/lib/security/java.security file for the JDK:
jdk.certpath.disabledAlgorithms=MD2, RC4, RSA keySize < 1024
and
jdk.tls.disabledAlgorithms=SSLv3, SSLV2Hello, MD5withRSA, DH keySize < 768
Note: Restart the entire WebLogic instance using the JDK to enable changes to take effect once the JCE has been installed.
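One way to confirm that a java.security file carries the two settings above, as an added example that is not part of the original guide. The helper name check_disabled and the sample file are constructed for illustration; the required values are the ones listed in this section.

```shell
#!/bin/sh
# Added example, not Oracle tooling: check_disabled is a hypothetical helper.
# check_disabled FILE PROPERTY "entry, entry, ..."
# Exits 0 when PROPERTY in FILE lists every required entry, 1 otherwise.
# Entries are compared literally (ignoring case and extra spaces), so a
# stricter limit such as "RSA keySize < 2048" is reported as a difference.
check_disabled() {
    awk -v p="$2" -v req="$3" '
        function norm(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return tolower(s)
        }
        /^[ \t]*#/ { next }                       # comment line
        { line = buf $0; buf = "" }
        line ~ /\\$/ {                            # value continues on next line
            buf = substr(line, 1, length(line) - 1); next
        }
        index(line, p "=") == 1 { val = substr(line, length(p) + 2); seen = 1 }
        END {
            if (!seen) { print p ": not set"; exit 1 }
            n = split(val, have, ",")
            for (i = 1; i <= n; i++) set[norm(have[i])] = 1
            m = split(req, want, ","); bad = 0
            for (i = 1; i <= m; i++)
                if (!(norm(want[i]) in set)) {
                    print p ": missing entry \"" norm(want[i]) "\""
                    bad = 1
                }
            exit bad
        }' "$1"
}

# Required values, copied from the two lines in this section.
CERTPATH_REQ='MD2, RC4, RSA keySize < 1024'
TLS_REQ='SSLv3, SSLV2Hello, MD5withRSA, DH keySize < 768'

# Constructed sample file: certpath list is complete, TLS list lacks MD5withRSA.
write_sample_java_security() {
    cat > "$1" <<'EOF'
# constructed sample, not a real java.security
jdk.certpath.disabledAlgorithms=MD2, RC4, \
    RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, SSLv2Hello, DH keySize < 768
EOF
}
```

Run it against the java.security file of the JDK that starts WebLogic, once per property.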
Secure Sockets Layer (SSL) protocol allows client-server applications to communicate across a network over a secured channel. Client and server should both decide to use SSL to communicate secured information, such as user credentials.
WebLogic Server supports SSL on a dedicated listen port. Oracle Forms are configured to use SSL as well. To establish an SSL connection, a Web browser connects to a WebLogic Server by supplying the SSL port and the secure Hypertext Transfer Protocol (HTTPS) protocol in the connection URL.
For example: https://myserver:7002
Note: You need to obtain a separate, signed SSL certificate for each host where the application will be deployed.
The Security Guide focuses on securing Oracle Retail Applications in single node setup and not on applications deployed on clusters.
The Certificate Authority or Certification Authority (CA) is an organization that provides digital certificates to entities and acts as a trusted third party. Certificates issued by commercial CAs are automatically trusted by most web browsers, devices, and applications. You should obtain certificates from a trusted CA or commercial CAs to ensure better security.
Note: SSL certificates are used to contain public keys. With each public key there is an associated private key. It is critically important to protect access to the private key. Otherwise, the SSL messages may be decrypted by anyone intercepting the communications.
Perform the following steps to obtain an SSL certificate and set up a keystore:
Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) for WebLogic Server.
Use the digital certificates, private keys, and trusted CA certificates provided by the WebLogic Server kit, the CertGen utility, Sun Microsystems' keytool utility, or a reputed vendor such as Entrust or Verisign to perform the following steps:
Set the appropriate JAVA_HOME and PATH to java.
For example:
export JAVA_HOME=/u00/webadmin/product/jdk
export PATH=$JAVA_HOME/bin:$PATH
Create a new keystore:
keytool -genkey -keyalg RSA -keysize 2048 -keystore <keystore> -alias <alias>
For example:
keytool -genkey -keyalg RSA -keysize 2048 -keystore hostname.keystore -alias hostname
Generate the signing request:
keytool -certreq -keyalg RSA -file <certificate request file> -keystore <keystore> -alias <alias>
For example:
keytool -certreq -keyalg RSA -file hostname.csr -keystore hostname.keystore -alias hostname
Submit the certificate request to the CA.
Store the identity and trust.
Private keys and trusted CA certificates which specify identity and trust are stored in a keystore.
The examples in the following steps use the same keystore to store all certificates:
Import the root certificate into the keystore as shown in the following example:
keytool -import -trustcacerts -alias verisignclass3g3ca -file Primary.pem -keystore hostname.keystore
A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root CA.
Import the intermediary certificate (if required) into the keystore as shown in the following example:
keytool -import -trustcacerts -alias oracleclass3g3ca -file Secondary.pem -keystore hostname.keystore
Import the received signed certificate for this request into the keystore as shown in the following example:
keytool -import -trustcacerts -alias hostname -file cert.cer -keystore hostname.keystore
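A check for the end state of the import steps above, as an added example that is not part of the original guide. It reads `keytool -list -v` output and confirms that the alias holds a private key with the CA chain attached; the helper name check_identity_entry is hypothetical and both sample listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the guide: check_identity_entry is a hypothetical helper.
# Usage: keytool -list -v -keystore hostname.keystore | check_identity_entry hostname
# Exits 0 only when ALIAS is a PrivateKeyEntry whose chain includes the CA
# certificates, which is the state the last import step should leave behind.
check_identity_entry() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13) }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = substr($0, 27) + 0 }
        END {
            if (type == "") { print want ": alias not found"; exit 1 }
            if (type != "PrivateKeyEntry") {
                print want ": " type ", no private key under this alias"; exit 1
            }
            if (len < 2) {
                print want ": chain length " len ", signed certificate not installed"
                exit 1
            }
            print want ": PrivateKeyEntry, chain length " len
        }'
}

# Constructed listing: state after all three imports succeeded.
sample_after_import() {
    cat <<'EOF'
Alias name: hostname
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=hostname
Issuer: CN=Example Intermediate CA

Alias name: verisignclass3g3ca
Entry type: trustedCertEntry
EOF
}

# Constructed listing: key pair generated, CA reply not yet imported.
sample_before_import() {
    cat <<'EOF'
Alias name: hostname
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hostname
Issuer: CN=hostname
EOF
}
```

A trustedCertEntry under the host alias usually means the signed certificate was imported under a different alias than the one used for -genkey.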
A WebLogic domain is created for Oracle Retail Applications as part of the installation. Different domains are created in different hosts for different applications in situations where applications are being managed by different users or deployed on different hosts. Once the domains are created, you need to enable the SSL ports if they are not already enabled.
Perform the following steps to enable the SSL:
Log in to WebLogic console using the Administrator user. For example, weblogic.
Navigate to <Domain> > Environment > Servers > <Servername> > Configuration > General tab.
Click Lock & Edit.
Select SSL Listen Port Enabled.
Assign the port number.
Click Save.
Click Activate Changes.
Restart SSL to enable the changes.
Perform the following steps to configure the Application Server for SSL:
Configure the identity and trust keystores for WebLogic Server in the WebLogic Server Administration Console:
In the Change Center of the Administration Console, click Lock & Edit.
In the left pane of the Console, expand Environment and select Servers.
Click the name of the server for which you want to configure the identity and trust keystores as shown in the following example:
WLS_FORMS is for Forms server
Select Configuration, then select Keystores.
In the Keystores field, select the method for storing and managing private keys/digital certificate pairs and trusted CA certificates.
The following options are available:
Demo Identity and Demo Trust - The demonstration identity and trust keystores, located in the BEA_HOME\server\lib directory and the Java Development Kit (JDK) cacerts keystore, are configured by default. These are for development purposes only.
Custom Identity and Java Standard Trust - A keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.
Custom Identity and Custom Trust [Recommended] - Identity and trust keystores you create.
Custom Identity and Command Line Trust - An identity keystore you create and command-line arguments that specify the location of the trust keystore.
Select Custom Identity and Custom Trust.
In the Identity section, define the following attributes for the identity keystore:
Custom Identity Keystore - The fully qualified path to the identity keystore.
Custom Identity Keystore Type - The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if it is left blank, it defaults to JKS.
Custom Identity Keystore Passphrase - The password you must enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether or not you define this property depends on the requirements of the keystore.
In the Trust section, define properties for the trust keystore.
If you choose Java Standard Trust as your keystore, specify the password defined when creating the keystore.
Confirm the password.
If you choose Custom Trust [Recommended], define the following attributes:
Custom Trust Keystore - The fully qualified path to the trust keystore.
Custom Trust Keystore Type - The type of keystore. Generally, this attribute is JKS; if it is left blank, it defaults to JKS.
Custom Trust Keystore Passphrase - The password that you need to enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether or not you define this property depends on the requirements of the keystore.
Click Save.
In the Change Center of the Administration Console, click Activate Changes to activate these changes.
Note: Not all changes take effect immediately; some require a restart.
Figure 2-2 shows how to configure the Application Server for SSL.
For more information on configuring Keystores, see the Administration Console Online Help.
Set SSL configuration options for the private key alias and password in the WebLogic Server Administration Console:
In the Change Center of the Administration Console, click Lock & Edit.
In the left pane of the Console, expand Environment and select Servers.
Click the name of the server for which you want to configure the identity and trust keystores.
Select Configuration, then select SSL.
In the Identity and Trust Locations, the Keystore is displayed by default.
In the Private Key Alias, type the string alias that is used to store and retrieve the server's private key.
In the Private Key Passphrase, enter the keystore attribute that defines the passphrase used to retrieve the server's private key.
Save the changes.
Click the Advanced section of SSL tab.
In the Hostname Verification, select None.
This setting ignores the installed implementation of the weblogic.security.SSL.HostnameVerifier interface (this interface is generally used when this server is acting as a client to another application server).
For WebLogic Server 10.3.6 and earlier versions, enable Java Secure Socket Extension (JSSE) by selecting Use JSSE SSL to provide high security.
Save the changes.
For more information on configuring SSL, see "Configure SSL" in the Administration Console Online Help.
All the server SSL attributes are dynamic; when modified through the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Old connections will continue to run with the old configuration. You must reboot WebLogic Server to ensure that all the SSL connections exist according to the specified configuration.
Use the Restart SSL button on the Control: Start/Stop page to restart the SSL server when changes are made to the keystore files and need to be applied to subsequent connections without rebooting WebLogic Server.
Upon restart, you will see entries like the following in the log:
<Mar 11, 2019 5:18:27 AM CDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 11, 2019 5:18:27 AM CDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.141.15.214:57002 for protocols iiops, t3s, ldaps, https.>
<Mar 11, 2019 5:18:27 AM CDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 127.0.0.1:57002 for protocols iiops, t3s, ldaps, https.>
<Mar 11, 2019 5:18:27 AM CDT> <Notice> <WebLogicServer> <BEA-000329> <Started WebLogic Admin Server "AdminServer" for domain "APPDomain" running in Production Mode>
<Mar 11, 2019 5:18:27 AM CDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 11, 2019 5:18:27 AM CDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
Note: For complete security of the WebLogic Server, it is recommended to secure both the Administration Server and the Managed Server where the application is deployed. You can choose to disable the non-SSL ports (HTTP). It is recommended to secure the Node Manager.
The steps to secure Node Manager are provided in the following section.
Perform the following steps to configure the WebLogic scripts if Admin Server is secured:
Update the WebLogic startup/shutdown scripts with secured port and protocol to start/stop services.
Back up and update the following files in <DOMAIN_HOME>/bin with correct Admin server URLs:
startManagedWebLogic.sh: echo "$1 managedserver1 http://apphost1:7001"
stopManagedWebLogic.sh: echo "ADMIN_URL defaults to t3://apphost1:7001 if not set as an environment variable or the second command-line parameter."
stopManagedWebLogic.sh: echo "$1 managedserver1 t3://apphost1:7001 WebLogic
stopManagedWebLogic.sh: ADMIN_URL="t3://apphost1:7001"
stopWebLogic.sh: ADMIN_URL="t3://apphost1:7001"
Change the URLs to:
t3s://apphost1:7002
https://apphost1:7002
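The backup and URL change described above can be scripted as follows; this is an added example, not an Oracle-supplied script. The helper names secure_admin_urls and make_sample_bin are hypothetical, and the sample files are constructed from the lines listed in this section.

```shell
#!/bin/sh
# Added example, not an Oracle script: secure_admin_urls is a hypothetical helper.
# Usage: secure_admin_urls "$DOMAIN_HOME/bin" apphost1 7001 7002
# Backs up each script once, rewrites the Admin Server URLs to t3s:// and
# https:// on the SSL port, and returns 1 if a plain-text URL is left behind.
secure_admin_urls() {
    bin_dir=$1 host=$2 old_port=$3 ssl_port=$4
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # dots are literal
    status=0
    for name in startManagedWebLogic.sh stopManagedWebLogic.sh stopWebLogic.sh; do
        f="$bin_dir/$name"
        [ -f "$f" ] || continue
        # Keep the first backup so a second run cannot overwrite the original.
        if [ ! -f "$f.orig" ]; then cp -p "$f" "$f.orig" || return 1; fi
        # The trailing group stops 7001 from matching inside a longer port number.
        sed -E -e "s#t3://$host_re:$old_port([^0-9]|\$)#t3s://$host:$ssl_port\\1#g" \
               -e "s#http://$host_re:$old_port([^0-9]|\$)#https://$host:$ssl_port\\1#g" \
               "$f" > "$f.tmp" || return 1
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat keeps the mode of $f
        # Anything still using t3:// or http:// for this host needs a manual look.
        if grep -n -E "(t3|http)://$host_re:" "$f"; then
            echo "plain-text Admin URL left in $f" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample files holding lines of the kind listed for <DOMAIN_HOME>/bin.
make_sample_bin() {
    mkdir -p "$1"
    cat > "$1/startManagedWebLogic.sh" <<'EOF'
echo "$1 managedserver1 http://apphost1:7001"
EOF
    cat > "$1/stopManagedWebLogic.sh" <<'EOF'
echo "ADMIN_URL defaults to t3://apphost1:7001 if not set as an environment variable or the second command-line parameter."
ADMIN_URL="t3://apphost1:7001"
EOF
    cat > "$1/stopWebLogic.sh" <<'EOF'
ADMIN_URL="t3://apphost1:7001"
EOF
}
```

The original of each file stays next to it with an .orig suffix, so a change can be reviewed with diff before the servers are restarted.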
The Oracle Retail Application installer is run using Java. When the Administration Server is secured using a signed certificate, the keystore of the Java installation that launches the installer must have the certificate installed.
If the installer is run using the JDK deployed in /u00/webadmin/product/jdk, follow the steps shown in Example 2-1.
Example 2-1 Adding Certificate to the JDK Keystore for Installer
apphost1:[10.3.6_apps] /u00/webadmin/ssl> keytool -import -trustcacerts -alias apphost1 -file /u00/webadmin/ssl/apphost1.cer -keystore /u00/webadmin/product/jdk/jre/lib/security/cacerts
Enter keystore password:
Certificate was added to keystore
apphost1:[10.3.6_apps] /u00/webadmin/ssl>
You should use a stronger encryption protocol in your production environment.
See the following sections to enable the latest SSL and cipher suites.
In a production environment, you should use Transport Layer Security (TLS) Version 1.1 or higher for sending and receiving messages in an SSL connection.
To control the minimum versions of SSL Version 3.0 and TLS Version 1 that are enabled for SSL connections, do the following:
Set the weblogic.security.SSL.minimumProtocolVersion=protocol system property as an option in the command line that starts WebLogic Server. This system property accepts one of the following values for protocol:
Set the following property in the startup parameters of the WebLogic Managed server to enable the higher protocol:
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2
Note: In case a protocol is set for Managed servers, the same should be set for the Administration server. Ensure that all the managed servers are down when making changes to the Administration server for setting up the protocol. Set the properties in the Administration server, then the Managed server.
Configure the <ciphersuite> element in the <ssl> element in the <DOMAIN_HOME>\server\config\config.xml file in order to enable the specific cipher suite to use, as follows:
Note: You need to ensure that the <ciphersuite> tag is added immediately after the <enabled> tag.
<ssl>
  <name>examplesServer</name>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
  <listen-port>17002</listen-port>
  ...
</ssl>
Note: The above can be done using a WLST script.
For more information, go to
Perform the following steps for securing the Nodemanager with SSL certificates:
Navigate to <BEA_HOME>/wlserver_10.3/common/nodemanager (if you are using the WebLogic 12c domain, the location is <DOMAIN_HOME>/nodemanager) and take a backup of nodemanager.properties.
Add entries similar to the following to nodemanager.properties:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/u00/webadmin/ssl/hostname.keystore
CustomIdentityKeyStorePassPhrase=[password to keystore, this will get encrypted]
CustomIdentityAlias=hostname
CustomIdentityPrivateKeyPassPhrase=[password to keystore, this will get encrypted]
CustomTrustKeyStoreFileName=/u00/webadmin/ssl/hostname.keystore
SecureListener=true
If you are using WebLogic 10.3.6 or an earlier version and the servers were enabled with JSSE, add the following parameter to the Node Manager startup script (startNodeManager.sh):
-Dweblogic.security.SSL.enableJSSE=true
Log in to the WebLogic console, navigate to Environment, and then Machines.
Select the nodemanager created earlier and navigate to Node Manager tab.
In the Change Center, click Lock & Edit.
In the Type field, select SSL from the list.
Click Save and Activate.
Restart the WebLogic Domain for changes to take effect, after activating the changes.
You need to verify if the nodemanager is reachable in the Monitoring tab after the restart.
The Application can communicate with the LDAP server on a secured port. It is recommended to use the secured LDAP server to protect usernames and passwords from being sent in clear text on the network.
For information on Configuring Secure Sockets Layer (SSL), see the Oracle Fusion Middleware Administration Guide.
It is important to import the certificates used in the LDAP server into the Java Runtime Environment (JRE) of the WebLogic server for SSL handshake, in case the secure LDAP is used for authentication.
For example:
Set JAVA_HOME and PATH to the JDK being used by WebLogic Domain.
Back up the JAVA_HOME/jre/lib/security/cacerts file:
/u00/webadmin/product/jdk/jre/lib/security> cp -rp cacerts cacerts_ORIG
Import the Root and Intermediary (if required) certificates into the java keystore:
/u00/webadmin/product/jdk/jre/lib/security> keytool -import -trustcacerts -alias verisignclass3g3ca -file ~/ssl/Primary.pem -keystore cacerts
/u00/webadmin/product/jdk/jre/lib/security> keytool -import -trustcacerts -alias oracleclass3g3ca -file ~/ssl/Secondary.pem -keystore cacerts
Import the User certificate from LDAP server into the java keystore:
/u00/webadmin/product/jdk/jre/lib/security> keytool -import -trustcacerts -alias hostname -file ~/ssl/cert.cer -keystore cacerts
Note: The default password for the JDK keystore is changeit.
The deployed application should be able to communicate with LDAP on the SSL port after successful SSL Handshake.
You need to configure the user credentials and other security-related information at the service consumer and the app service provider layers. This provides end-to-end security between Web service consumer and provider.
The security policies certified by Oracle Retail are:
Username Token over HTTPS - This security configuration is referred to as Policy A in this document. This policy provides confidentiality due to the use of SSL; however, it does not provide non-repudiation, as nothing is signed.
Wssp1.2-2007-Https-UsernameToken-Plain.xml
Message Protection - This security configuration is referred to as Policy B in this document. This policy encrypts the messages themselves, so SSL is not used. The sender also signs the messages, which provides non-repudiation of the messages. However, this policy is more complex to implement.
Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128
Wssp1.2-2007-EncryptBody
Wssp1.2-2007-SignBody
Depending on the security needs of your production environment, the infrastructure where Oracle Retail applications are deployed can be secured.
To protect the environment completely, ensure the following:
Securing the WebLogic Server Host
Securing Network Connections
Securing your Database
Securing the WebLogic Security Service
Securing Applications
For more information on Ensuring the Security of Your Production Environment, see Securing a Production Environment for Oracle WebLogic Server 12 C Release 1 (10.3.6) Guide.