Configuring SSL
The Secure Sockets Layer (SSL) protocol provides communication security by encrypting traffic across a network in a way designed to prevent eavesdropping and tampering. It uses asymmetric cryptography for privacy and a keyed message authentication code for message reliability. Setting up an SSL-secured connection requires a digital certificate issued by a trusted certificate authority.
The Web Application Utility can be run with SSL enabled. The process of creating an environment in the Rules Palette requires specifying a Web Service URL to the Web Application Utility. This URL can specify whether SSL is used.
SSL in WebLogic 12.2.1.3
The WebLogic application server supports the SSL 3.0 and Transport Layer Security (TLS) 1.0 specifications. WebLogic does not support SSL version 2.0 and below.
For information on how to configure SSL in WebLogic please refer to the following websites or follow the steps below:
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#SECMG384
http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
Steps to Configure SSL/https:
- Log in to the WebLogic web console.
- In the Domain Structure box, expand Environment and click on Servers.
- Click on the server you created. Example: PALETTE_SERVER
- The console will redirect you to the Configuration and General tab.
- Select the SSL Listen Port Enabled checkbox. Example: 7002 is the SSL listen port number.
- Click Save.
- Restart the server.
- Enter https://machinename:7002/PaletteConfig in Internet Explorer to see the Web Application Utility login page.
Steps to Configure Certificates:
Note: The steps below are based on the default JDK certificate.
WEBLOGIC_JAVA_SECLIB = the location of the JDK 1.8.x /jre/lib/security directory
For example: /opt/oracle/jdk1.8.0_261/jre/lib/security
WEBLOGIC_JAVA_HOME = the location of the JDK 1.8.x installation
For example: /opt/oracle/jdk1.8.0_261/
- Install Oracle WebLogic 12.2.1.3 application server.
- Go to WEBLOGIC_JAVA_HOME\bin and run the keytool commands below. The keystore password must match -Djavax.net.ssl.keyStorePassword (jbossws in the arguments below); <truststore_password> is a placeholder for the value you will set as -Djavax.net.ssl.trustStorePassword.
keytool -genkey -keystore WEBLOGIC_JAVA_SECLIB/wsse.keystore -storepass jbossws -keyalg RSA -keysize 1024 -validity 1000 -alias localhost -dname "CN=localhost"
keytool -export -keystore WEBLOGIC_JAVA_SECLIB/wsse.keystore -storepass jbossws -alias localhost -file WEBLOGIC_JAVA_SECLIB/localhost.cer
keytool -import -keystore WEBLOGIC_JAVA_SECLIB/wsse.truststore -storepass <truststore_password> -trustcacerts -alias localhost -file WEBLOGIC_JAVA_SECLIB/localhost.cer
- The above step will create two files within WEBLOGIC_JAVA_SECLIB.
- wsse.keystore
- wsse.truststore
- Move wsse.keystore and wsse.truststore to the conf folder where all properties files reside.
For Example: C:\OIPA\conf
- Log in to the Oracle WebLogic console, go to Environment > Servers > OIRP > Server Start and add the details below to Arguments.
-Duser.language=en
-Duser.region=US
-Djava.net.preferIPv4Stack=true
-Djava.net.preferIPv6Addresses=false
-javaagent:C:\OIPA\lib\spring-instrument-5.2.9.RELEASE.jar
-Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore
-Djavax.net.ssl.trustStorePassword=<truststore_password>
-Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore
-Djavax.net.ssl.keyStorePassword=jbossws
Note: Replace <truststore_password> with the password used when wsse.truststore was created.
- Go to WEBLOGIC_JAVA_SECLIB and create a backup of the cacerts file.
- Create a new certificate store (cacerts) file by following the steps below.
- Copy InstallCert.class and InstallCert$SavingTrustManager.class into WEBLOGIC_JAVA_HOME\bin.
- From WEBLOGIC_JAVA_HOME\bin, run InstallCert from a command prompt, for example java InstallCert localhost:7002. The KeyStore jssecacerts will load, a connection will be opened, and messages about the server's certificates will be displayed.
- When the certificates have been listed, the following prompt appears: Enter certificate to add to trusted keystore or 'q' to quit. Type 1 to continue.
- When the process is complete, the following message appears: Added certificate to keystore 'jssecacerts' using alias 'localhost-1'. Run java InstallCert localhost:7002 one more time, then enter q to exit. This creates a new jssecacerts keystore file; place it in WEBLOGIC_JAVA_SECLIB and rename it to cacerts.
Note: Repeat step 7 to enable SSL for different port numbers.
- Stop the WebLogic application server (JVM, Node Agent, Deployment Manager).
- Restart the machine.
- Start the WebLogic application server (JVM, Node Agent, Deployment Manager).
- Enter https://machinename:7002/PaletteConfig in Internet Explorer to see the Web Application Utility login page.
SSL in WebSphere 9.0.0.9
In version 8 of the WebSphere application server, everything is done from the admin console, which includes a complete overview of the SSL management capabilities.
For more information about managing SSL in WebSphere please refer to the following website or follow the steps listed below.
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp
Note: Search for Overview and new features: Securing under Network Deployment
Steps to Configure SSL/https:
- Log in to the WebSphere console.
- Expand Server Types and click WebSphere Application Servers.
- Click on the server you created. Example: PALETTE_SERVER.
- Expand Ports and copy the WC_defaulthost_secure port number. Example: WC_defaulthost_secure = 9444. This will be pasted in step 7.
- In the Domain Structure box on the left side of the screen, expand Environment and click Virtual Hosts.
- Expand default_host and click Host_Aliases.
- Click New and paste the port number from step 4. Click OK.
- Restart the server/JVM.
- Navigate to https://machinename:9444/PaletteConfig in Internet Explorer to access the Web Application Utility login page.
Steps to Configure Certificates
32-bit WebSphere Application Server
IBM_JAVA_SECLIB = C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\lib\security
IBM_JAVA_HOME = C:\Program Files (x86)\IBM\WebSphere\AppServer\java
64-bit WebSphere Application Server
IBM_JAVA_SECLIB = C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security
IBM_JAVA_HOME = C:\Program Files\IBM\WebSphere\AppServer\java
- If WebSphere is not installed on your machine, download and install the IBM JDK. URL to download: http://www.ibm.com/developerworks/java/jdk/
- Start the WebSphere application server.
- Enable SSL in WebSphere by following the steps below.
- Login to the WebSphere console.
- Expand Server Types and click WebSphere Application Servers.
- Click on the server you created. Example: PALETTE_SERVER.
- Expand Ports and copy the WC_defaulthost_secure port number. Example: WC_defaulthost_secure = 9445. This will be pasted in Host_Aliases below.
- In the Domain Structure box on the left side of the screen, expand Environment and click on Virtual Hosts.
- Expand default_host and click on Host_Aliases.
- Click New and paste the port number you copied in the step above. Click OK.
- Go to IBM_JAVA_SECLIB and edit the java.security file so that the socket factory providers read as shown below.
Note: Make sure the default JSSE socket factories are uncommented and the WebSphere socket factories (in cryptosf.jar) are commented out.
- Default JSSE socket factories
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
- WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
- Stop the server/JVM, Node Agent and Deployment Manager.
- Start the server/JVM, Node Agent and Deployment Manager.
- Navigate to https://localhost:9445/PaletteConfig in Internet Explorer to make sure SSL works as expected.
- Log in to the application. If this action is successful, then SSL is set up correctly from the server side.
- Go to IBM_JAVA_HOME\bin and run the keytool commands below. The keystore password must match -Djavax.net.ssl.keyStorePassword (jbossws in the arguments below); <truststore_password> is a placeholder for the value you will set as -Djavax.net.ssl.trustStorePassword.
keytool -genkey -keystore IBM_JAVA_SECLIB/wsse.keystore -storepass jbossws -keyalg RSA -keysize 1024 -validity 1000 -alias localhost -dname "CN=localhost"
keytool -export -keystore IBM_JAVA_SECLIB/wsse.keystore -storepass jbossws -alias localhost -file IBM_JAVA_SECLIB/localhost.cer
keytool -import -keystore IBM_JAVA_SECLIB/wsse.truststore -storepass <truststore_password> -trustcacerts -alias localhost -file IBM_JAVA_SECLIB/localhost.cer
- The step above will create two files within IBM_JAVA_SECLIB.
- wsse.keystore
- wsse.truststore
- Move wsse.keystore and wsse.truststore to the conf folder where all properties files reside.
Example: C:\OIPA\conf
- Log in to the WebSphere console, go to Application servers > OIRP > Process definition > Java Virtual Machine and add the arguments below to JVM.
-Duser.language=en
-Duser.region=US
-Djava.net.preferIPv4Stack=true
-Djava.net.preferIPv6Addresses=false
-javaagent:C:\OIPA\lib\spring-instrument-5.2.9.RELEASE.jar
-Dtangosol.coherence.override=C:\OIPA\conf\coherence-config.xml
-Dtangosol.coherence.cacheconfig=C:\OIPA\conf\coherence-cache-config.xml
-Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml
-Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore
-Djavax.net.ssl.trustStorePassword=<truststore_password>
-Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore
-Djavax.net.ssl.keyStorePassword=jbossws
Note: Replace <truststore_password> with the password used when wsse.truststore was created.
- Go to IBM_JAVA_SECLIB and create a backup of the cacerts file.
- Create a new certificate store (cacerts) file by following the steps below.
- Copy InstallCert.class and InstallCert$SavingTrustManager.class into IBM_JAVA_HOME\bin.
- From IBM_JAVA_HOME\bin, run InstallCert from a command prompt, for example java InstallCert localhost:9445. The KeyStore jssecacerts will load, a connection will be opened, and messages about the server's certificates will be displayed.
- When the certificates have been listed, the following prompt appears: Enter certificate to add to trusted keystore or 'q' to quit. Type 1 to continue.
- When the process is complete, the following message appears: Added certificate to keystore 'jssecacerts' using alias 'localhost-1'. Run java InstallCert localhost:9445 one more time, then enter q to exit. This creates a new jssecacerts keystore file; place it in IBM_JAVA_SECLIB and rename it to cacerts.
Note: Repeat step 7 to enable SSL for different port numbers.
- Stop the WebSphere application server (JVM, Node Agent, Deployment Manager).
- Restart the machine.
- Start the WebSphere application server (JVM, Node Agent, Deployment Manager).
- Navigate to https://machinename:9445/PaletteConfig in Internet Explorer to access the Web Application Utility login page.
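The JVM argument lists in the WebLogic (Server Start) and WebSphere (Java Virtual Machine) steps above are easy to mistype, and a missing or fused -Djavax.net.ssl.* property means the server starts without the intended key store or trust store and the HTTPS login page never comes up. The Python check below is an added example, not part of this documentation or of OIPA: it parses a pasted argument list, verifies that the four javax.net.ssl store and password properties are each present and non-empty, and flags a line on which two arguments ran together. The sample lists and the <truststore_password> placeholder are constructed for the example.

```python
import re

# The four system properties the page sets; each store path must be paired with its password.
SSL_PROPS = (
    "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
)

# Constructed sample: the SSL-related lines of the argument list, one argument per line.
# The trustStorePassword line carries the keyStore argument fused onto it, a common paste error.
PAGE_ARGS = [
    "-Duser.language=en",
    r"-Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore",
    r"-Djavax.net.ssl.trustStorePassword=Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore",
    "-Djavax.net.ssl.keyStorePassword=jbossws",
]

# Constructed sample: the same list with the fused line split; <truststore_password> is a placeholder.
FIXED_ARGS = [
    r"-Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore",
    "-Djavax.net.ssl.trustStorePassword=<truststore_password>",
    r"-Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore",
    "-Djavax.net.ssl.keyStorePassword=jbossws",
]

def parse_jvm_args(args):
    """Map each -Dname=value argument to {name: value}; arguments that are not -D are ignored."""
    props = {}
    for arg in args:
        arg = arg.strip()
        if arg.startswith("-D"):
            name, _, value = arg[2:].partition("=")
            props[name] = value
    return props

def check_ssl_args(args):
    """Return findings about the javax.net.ssl.* arguments; an empty list means they are consistent."""
    props = parse_jvm_args(args)
    findings = []
    for name in SSL_PROPS:
        if name not in props:
            findings.append(f"missing -D{name}")
        elif not props[name]:
            findings.append(f"-D{name} has an empty value")
        # A value that itself reads like another -D property means two arguments ran together on one line.
        elif re.match(r"^-?D?javax\.net\.ssl\.\w+=", props[name]):
            findings.append(f"-D{name} is fused with another argument: {props[name]}")
    return findings
```

Run check_ssl_args over the list you are about to paste into the console; it reports two findings for PAGE_ARGS (a fused trustStorePassword line and a missing keyStore) and none for FIXED_ARGS.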