Chapter - 12 : OIDG GnuPG Encryption and Decryption


OIDG supports GPG encrypted batch request processing .To support this you need to configure the GnuPG keys in your Linux machine. Following section describes the gpg-key creation.

Verifying GnuPG-Agent

  1. Log in to PuTTY.
  2. Run the GnuPG agent from application Linux user using below command.
    gpg-agent

    Output: gpg-agent: gpg-agent running and available
  3. If the output is ‘No gpg-agent running in this session’, follow the steps to run the gpg agent.
    • Enter the following command to run the gpg-agent
      eval 'gpg-agent --daemon'
    • It shows the location of the GPG Agent file
      Now copy that file by following command
      cp -fs /tmp/gpg-CENE8e/S.gpg-agent ~/.gnupg/
    • Verify the status of GPG- agent
      gpg-agent

Generating GnuPG Key

  1. Log in to PuTTY as root.
  2. Give the permission to the gpg-agent by using the following command.
    chmod o+rw $(tty)
  3. Switch to the WebLogic installed user.
  4. Enter the following command to create GPG Key.
    gpg --gen-key
  5. Enter 1 as your section option (RSA and RSA).
  6. Enter the Key size as 2048 and enter 0 for never expire.
  7. Enter y, Real name, Email Address and Comment.
  8. Enter 0.
  9. Enter the GPG Password.
  10. Re-enter GPG Password.
  11. Now, you can check the key and secret keys using the following command:
    gpg --list-secret-keys
  12. Enter the below command to check List keys.
    gpg --list-keys

Exporting and Importing Secret Sub Keys

Exporting a Secret Key

gpg --export-secret-keys -a ‘<secret key id>’ > Full path/gpgchefsecret.asc

Note: <secret key id> should be highlighted value of step 11 screenshot.

Exporting a Public Key

gpg --armor --export ‘<Email id>’> Full path /gpgchefpublic.asc

Note: <Email id> should be same as the one entered in the step 7.

Backing up the Secret and Public Key and Deleting Secrete Key

gpg --export-secret-subkeys ‘<sub id>’ > Full path /gpgchefsecretsubkey.asc

Note: <sub id > should be highlighted value of step 12 screenshot.

gpg --delete-secret-key ‘<secret key id>’

gpg --import Full path /gpgchefsecretsubkey.asc

Trusting the Keys

Trust the secret key using the below command:

gpg --edit-key <secret key id>

Command> trust

Your decision? 5

Do you really want to set this key to ultimate trust? (y/n) y

Command> save

Steps to Find oidx.gpg.backup.key.id:

Enter gpg –list-keys command as shown below.

In the above screen, oidg1 is the backup key id.

Testing the gpg:

Encrypt File:

gpg -e -r " <GPG KeyID> " <InputFilePath>/<InputFileName>

Example: gpg –e –r “oidg1” /scratch/oraBase/FileMove/POLMIG_1.xml

Decrypt File:

gpg --output <OutputFilePath>/<OutputFileName>--batch –passphrase <Password> --decrypt<InputFilePath>/<InputFileName>

Example: gpg --output /scratch/oraBase/FileMove/POLMIG_TEST.xml --batch --passphrase Welcome123 --decrypt "/scratch/oraBase/FileMove/POLMIG_1.xml.gpg”

Audit Log Configuration:

Below is the configuration required for audit logging.

  1. Log in to WebLogic as the admin user.
  2. Go to Security Realms, 'myrealm', Providers and select the Auditing tab.
  3. Click New and provide a name.
    Image represents Creating New Auditing Provider.
    Figure 12.1 - Creating New Auditing Provider
  4. Click the created provider and select the ‘Provider Specific’ tab.
  5. Select the Severity and check boxes based on requirements.
    Image represents Settings for IDXDefalutAuditor.
    Figure 12.2 - Settings for IDXDefalutAuditor

    Note: It is recommended to reduce the value of Rotation Minutes to 6 hours or less, based on requirements.

  6. Click ‘Advanced’ and change the marker fields if necessary.
    Image represents Advanced Options.
    Figure 12.3 - Advanced Options
  7. In WebLogic, click on the domain name under ‘Domain Structure’.
  8. On the General tab of Configuration, click on the ‘Advanced’ link at bottom of the page.
  9. On the ‘Configuration Audit Type’ drop down, select ‘Change Audit’ or ‘Change Log and Audit’, based on requirements.
    Image represents Audit Type Configuration.
    Figure 12.4 - Audit Type Configuration
  10. In setDomainEnv.sh file add the location where the audit log files need to be generated.

    AUDIT_LOG_DIR="<path>"

    EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.audit.auditLogDir=${AUDIT_LOG_DIR}"

    export EXTRA_JAVA_PROPERTIES

  11. Log in to the EM console and navigate to domain → Security → Audit Policy.
  12. Select MFT from the Audit Component Name drop down.
  13. Change the Audit Level to 'Medium' and then Apply.
  14. Navigate to domain → Security → Security Provider Configuration. Expand Security Store Provider and then Identity Store Provider.
  15. Click on configure and Add a new property with the name 'virtualize' and a value of 'true'. Then click on OK and OK again.
  16. Restart the all the servers and the audit log files should be generated at the given path.

Find the following audit log entry for a user login.

#### Audit Record Begin <Jan 24, 2018 3:38:38 AM> <Severity =SUCCESS> <<<Event Type = Authorization Audit Event V2 ><Subject: 8

Principal = class weblogic.security.principal.WLSUserImpl("OIDXAdminUser1")

Principal = class weblogic.security.principal.WLSGroupImpl("OIDXAdmin_Group")

Principal = class weblogic.security.principal.WLSGroupImpl("Administrators")

Principal = class weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")

Principal = class weblogic.security.principal.WLSGroupImpl("AdminChannelUsers")

Principal = class weblogic.security.principal.WLSGroupImpl("Monitors")

Principal = class weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")

Principal = class weblogic.security.principal.WLSGroupImpl("OracleSystemGroup")

><ONCE><<url>><type=<url>, application=consoleapp, contextPath=/console, uri=/console.portal, httpMethod=GET>>> Audit Record End ####