Security Certificates in Oracle Utilities Network Management System
Oracle Utilities Network Management System ships with dummy SSL and signing certificates as part of the OPAL NMS demonstration model. Those demonstration certificates should be replaced before production use: the private keys behind them are installed with every copy of the product, so they offer no real protection. Replace them with certificates issued by a third-party Certificate Authority (CA) or, if one is available, by an internal certificate authority.
SSL Certificate
Oracle NMS uses an SSL certificate to secure network traffic between the Java client and the WebLogic server. To create this certificate (and the private key that goes with it, both stored in nms-ssl.keystore), run the following commands on the NMS server:
cd $NMS_CONFIG/jconfig
keytool -genkeypair -alias nms-key -keyalg RSA -keystore nms-ssl.keystore -validity 365
Choose a keystore password.
Then fill out the information about your server.
For "first and last name", enter the hostname of the server you are deploying. It must match the host in the URL the end user types; for example, if users reach the application at https://nms.company.com:7010/nms, enter "nms.company.com". Current Java clients and browsers check the hostname against the certificate's Subject Alternative Name rather than the CN, so the same hostname should also appear in the SAN (keytool's -ext option can add it, and most CAs copy it into the issued certificate). The other fields are not critical; a field that does not apply (such as organizational unit) may be left blank. State should be the full name, not an abbreviation.
When you are prompted to enter the key password, press Enter so that it is the same as the keystore password; the NMS tooling expects the two to match.
This certificate can be used as-is, as a self-signed certificate. Traffic is still encrypted, but because no trusted CA vouches for the certificate, the end user has to accept it before continuing, and a self-signed certificate generally has to be accepted each time the application is launched.
To avoid having to accept a self-signed certificate each time the application is launched, Oracle recommends using a third-party certificate. To request one, follow these steps:
cd $NMS_CONFIG/jconfig
keytool -certreq -alias nms-key -keyalg RSA -keystore nms-ssl.keystore -file nms-ssl.csr
This creates nms-ssl.csr, which should be sent to the Certificate Authority (CA) you are using; the CA will respond with the signed certificate.
To import the certificate, do the following (replacing nms-ssl.pem with the name of the certificate you received; if the CA also sent an intermediate certificate, import that first, as described under "Signing Certificates" below):
cd $NMS_CONFIG/jconfig
keytool -importcert -keystore nms-ssl.keystore -alias nms-key -file nms-ssl.pem
After importing the certificates into nms-ssl.keystore, you may need to copy the file to your WebLogic server. (See also the "Configure the Identity and Trust Keystore" section of the Oracle Utilities Network Management System Installation Guide.)
Defining Encryption Parameters
NMS (through the JVM's JSSE provider) negotiates the strongest cipher suite that is enabled on both the client and the server. If specific suites or algorithms must be allowed or disabled, configure the JSSE algorithm restrictions (the jdk.tls.disabledAlgorithms security property and related settings) for the JVM that runs the WebLogic managed server. See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms for more information.
Validating Encryption Suite
The cipher suite used to secure the application is negotiated between the server and the client. To see which suite was chosen, start the JVM (either the client or the WebLogic managed server) with the system property -Djavax.net.debug=ssl:handshake; the ServerHello in the resulting debug output names the protocol version and cipher suite the server selected.
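As an added example (not from the Oracle documentation or the NMS product), the following shell script extracts the negotiated protocol and cipher suite from -Djavax.net.debug=ssl:handshake output and checks the suite against the algorithm families that belong in jdk.tls.disabledAlgorithms. The handshake log embedded in it is a constructed sample in the Java 8 JSSE layout, not a capture from a real NMS host; the function names and the deny-list are the example's own choices.

```shell
#!/bin/sh
# Added example; not part of the Oracle NMS documentation. Reads the output
# of a JVM started with -Djavax.net.debug=ssl:handshake, reports the protocol
# and cipher suite the server chose, and flags suites that should be excluded
# via jdk.tls.disabledAlgorithms. Assumes the Java 8 JSSE output layout
# (newer JDKs print a different, JSON-like layout) and the sample below.

# Constructed sample in the Java 8 layout; not a capture from a real NMS host.
SAMPLE_HANDSHAKE='*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1505831868 bytes = { 1, 2, 3 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA]
Compression Methods:  { 0 }
***
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1505831868 bytes = { 4, 5, 6 }
Session ID:  {7, 8, 9}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
***'

# Prints "<protocol> <suite>" taken from the ServerHello, i.e. the server's
# choice. The ClientHello's "Cipher Suites:" (plural) line is not matched.
negotiated_suite() { # handshake log on stdin
  awk '
    /^\*\*\* ServerHello,/       { in_hello = 1; proto = $3; next }
    in_hello && /^Cipher Suite:/ { print proto, $3; exit }
  '
}

# Suite families that should not survive on a production server. Each maps to
# an entry of the jdk.tls.disabledAlgorithms security property, e.g.
#   jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, 3DES_EDE_CBC, MD5withRSA, anon, NULL
# put in a properties file that the managed server loads with
#   -Djava.security.properties=/path/nms-security.properties
# (it is a security property, so it cannot be set directly with -D).
is_weak_suite() {
  case "$1" in
    SSL_*|*_NULL_*|*_anon_*|*_EXPORT*|*_DES_*|*_3DES_*|*_RC4_*|*_MD5) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit status: 0 acceptable, 1 weak suite, 2 no ServerHello in the input.
check_handshake() { # handshake log on stdin
  result=$(negotiated_suite)
  if [ -z "$result" ]; then
    echo "no ServerHello found: the handshake did not complete"
    return 2
  fi
  suite=${result#* }
  if is_weak_suite "$suite"; then
    echo "WEAK: $result"
    return 1
  fi
  echo "OK: $result"
}

# Usage:  java -Djavax.net.debug=ssl:handshake ... 2>&1 | tee handshake.log
#         check_handshake < handshake.log
# Self-check against the constructed sample:
#         printf '%s\n' "$SAMPLE_HANDSHAKE" | check_handshake
```

Run it on the full debug output of one connection; a missing ServerHello means the handshake never completed (for example, because every suite the client offered is disabled on the server), which is a different problem from a weak suite being chosen.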
Trusting Certificates
If you want the application to start automatically, without the validation screen, from the moment it is first installed, you can configure a Deployment Rule Set that marks a particular application or location as trusted so that it runs without further security prompts.
For more details, see:
https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/deployment_rules.html
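An added example of such a rule set, not taken from the Oracle documentation: the script below writes a ruleset.xml that allows the NMS location to run without prompts, packages it as DeploymentRuleSet.jar and signs it with the nms-signing.keystore created under "Signing Certificates" below. The base URL https://nms.company.com:7010, the NMS_KEYSTORE_PASS variable and the output directory are assumptions of the example.

```shell
#!/bin/sh
# Added example; not from the Oracle NMS documentation. Builds and signs a
# Deployment Rule Set that lets Java Web Start run the NMS client from one
# location without the trust prompt and leaves every other location to the
# user's normal security settings. Assumes the signing keystore from the
# "Signing Certificates" section, the NMS_KEYSTORE_PASS variable and the
# example URL; none of these come from the page.

# ruleset.xml: rules are evaluated top to bottom and the first match wins,
# so the NMS location comes first and the catch-all "default" rule last.
write_ruleset() { # nms-base-url
  cat <<EOF
<ruleset version="1.0+">
  <rule>
    <id location="$1" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="default" />
  </rule>
</ruleset>
EOF
}

# Package and sign. Java only honours DeploymentRuleSet.jar when its
# signature chains to a CA the client trusts, which is one more reason the
# signing certificate should come from a third-party CA.
build_ruleset_jar() { # nms-base-url signing-keystore out-dir
  mkdir -p "$3"
  write_ruleset "$1" > "$3/ruleset.xml"
  ( cd "$3" && jar cf DeploymentRuleSet.jar ruleset.xml )
  jarsigner -keystore "$2" -storepass "$NMS_KEYSTORE_PASS" \
    "$3/DeploymentRuleSet.jar" nms-key
  jarsigner -verify "$3/DeploymentRuleSet.jar"
}

# Usage:
#   NMS_KEYSTORE_PASS=... build_ruleset_jar https://nms.company.com:7010 \
#       "$NMS_CONFIG/jconfig/nms-signing.keystore" ./ruleset-out
# Install the resulting jar in the system deployment directory of each client
# (/etc/.java/deployment on Linux, C:\Windows\Sun\Java\Deployment on Windows).
```

Keep the location as narrow as the deployment allows (scheme, host and port); a rule that matches too broadly silently removes the prompt for anything served from that origin.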
Signing Certificates
Signing certificates are used to generate digital signatures, which in turn let the client verify that an application is legitimate and can be trusted for download.
Because of the security restrictions that Oracle places on Java Web Start applications, applications should be signed with a third-party certificate: Java 7u51 and later already refuse, at their default security level, to run applications signed only with a self-signed certificate unless the site is listed on the client's Exception Site List.
The steps to acquire a third-party signing certificate are similar to those for the SSL certificate:
cd $NMS_CONFIG/jconfig
keytool -genkeypair -alias nms-key -keyalg RSA -keystore nms-signing.keystore -validity 365
For the "first and last name", enter the name of the application, for example: Oracle NMS
The remaining fields are filled out the same way as for the SSL certificate (above).
Next, request a 3rd party certificate:
cd $NMS_CONFIG/jconfig
keytool -certreq -alias nms-key -keyalg RSA -keystore nms-signing.keystore -file nms-signing.csr
Send the nms-signing.csr to the desired third party Certificate Authority (CA), and they will respond back with the certificate.
Next, import the certificate (replacing nms-signing.pem with the name of the certificate you received)
cd $NMS_CONFIG/jconfig
keytool -importcert -keystore nms-signing.keystore -alias nms-key -file nms-signing.pem
Your CA might also provide an intermediate certificate along with your SSL (server) or signing certificate. Import the intermediate certificate into the same keystore before you import the certificate issued to you; otherwise keytool cannot build the chain from the CA reply and rejects the import.
To import it, run the following (replacing IntermediateCA.cer with the name of the file you received, and nms-ssl.keystore with nms-signing.keystore when working on the signing keystore):
keytool -importcert -keystore nms-ssl.keystore -alias intermediateCA -file IntermediateCA.cer
For the SSL keystore, remember to copy the updated nms-ssl.keystore to the WebLogic server as described above.
Next run this command to update build.properties with an obfuscated copy of the pass phrase:
nms-keystore-password $NMS_CONFIG/jconfig/build.properties key.server.pass
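The SSL keystore, the signing keystore and the intermediate-certificate import are the same three keytool operations with different inputs. The following script, an added example rather than Oracle's own tooling, runs them non-interactively so the distinguished name, the SAN and the passwords are explicit instead of typed at prompts. The NMS_KEYSTORE_PASS variable, the 2048-bit key size with SHA-256 signatures, and the sample organisation values are assumptions not taken from the page.

```shell
#!/bin/sh
# Added example; not code from the Oracle NMS documentation or product.
# Non-interactive form of the keytool steps for the SSL keystore, the signing
# keystore and the intermediate-certificate import. Assumptions not on the
# page: the NMS_KEYSTORE_PASS variable, the 2048-bit key size, the SHA-256
# signature algorithm and the file names in the usage section at the end.
set -eu

# Host part of the URL users type, which is what the CN and SAN must match.
# "https://nms.company.com:7010/nms" -> "nms.company.com"
host_from_url() {
  printf '%s\n' "$1" | sed -e 's,^[A-Za-z][A-Za-z0-9+.-]*://,,' -e 's,[:/].*$,,'
}

# X.500 name keytool would otherwise prompt for. State is spelled out in
# full; a field that does not apply is simply left out of the string.
dname_for() { # CN O L ST C
  printf 'CN=%s, O=%s, L=%s, ST=%s, C=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Key pair plus self-signed certificate. The key password is set equal to the
# keystore password, which is what pressing Enter at the prompt does and what
# nms-keystore-password relies on. For the SSL keystore a SAN is added, since
# Java clients and browsers check the hostname against the SAN, not the CN.
make_keystore() { # keystore dname [san-host]
  san=""
  [ -n "${3:-}" ] && san="-ext SAN=dns:$3"
  keytool -genkeypair -alias nms-key -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -keystore "$1" -dname "$2" \
    -storepass "$NMS_KEYSTORE_PASS" -keypass "$NMS_KEYSTORE_PASS" $san
}

make_csr() { # keystore csr-file
  keytool -certreq -alias nms-key -keystore "$1" -file "$2" \
    -storepass "$NMS_KEYSTORE_PASS"
}

# Import the CA reply. The intermediate (if any) goes in first under its own
# alias so keytool can build the chain; -trustcacerts additionally lets it use
# the JDK's cacerts for the root. Without either, keytool aborts with
# "Failed to establish chain from reply".
import_chain() { # keystore intermediate-or-empty issued-cert
  if [ -n "$2" ]; then
    keytool -importcert -noprompt -alias intermediateCA -file "$2" \
      -keystore "$1" -storepass "$NMS_KEYSTORE_PASS"
  fi
  keytool -importcert -trustcacerts -alias nms-key -file "$3" \
    -keystore "$1" -storepass "$NMS_KEYSTORE_PASS"
  # A chain length of 1 here means the reply did not replace the self-signed cert.
  keytool -list -v -alias nms-key -keystore "$1" -storepass "$NMS_KEYSTORE_PASS" \
    | grep -E 'Certificate chain length|^Owner:|^Issuer:'
}

# Usage (guarded so the functions can be sourced without side effects):
#   NMS_KEYSTORE_PASS=... sh nms-keystores.sh ssl https://nms.company.com:7010/nms
#   NMS_KEYSTORE_PASS=... sh nms-keystores.sh signing
#   NMS_KEYSTORE_PASS=... sh nms-keystores.sh import nms-ssl.keystore IntermediateCA.cer nms-ssl.pem
case "${1:-}" in
  ssl)
    host=$(host_from_url "$2")
    cd "$NMS_CONFIG/jconfig"
    make_keystore nms-ssl.keystore "$(dname_for "$host" Company City "State Name" US)" "$host"
    make_csr nms-ssl.keystore nms-ssl.csr ;;
  signing)
    cd "$NMS_CONFIG/jconfig"
    make_keystore nms-signing.keystore "$(dname_for "Oracle NMS" Company City "State Name" US)"
    make_csr nms-signing.keystore nms-signing.csr ;;
  import)
    cd "$NMS_CONFIG/jconfig"
    import_chain "$2" "$3" "$4" ;;
esac
```

Passing the password on the command line keeps it out of the interactive prompt but puts it in the process list and shell history for the duration of the run; on a shared server prefer keytool's -storepass:env or -storepass:file forms with the same variable.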
Using a Signing Keystore From Another Source
If you receive a Java keystore to use (instead of using the standard process for requesting and processing a signing keystore), follow these steps:
Rename the keystore to nms-signing.keystore, if necessary.
Change the alias of the signing entry to nms-key. You can list the entries and their aliases with:
keytool -keystore nms-signing.keystore -list
To change an alias name, use:
keytool -changealias <old alias> -destalias nms-key -keystore nms-signing.keystore
The key password of the nms-key entry must match the keystore password. If it does not, change it with:
keytool -keypasswd -keystore nms-signing.keystore -alias nms-key
Creating the Client Keystore
After creating the server certificate, whether third-party or self-signed, the next step is to create the client keystore, which holds only the server's public certificate so that the Java client can trust it. keytool prompts for a password when it creates global/nms-client.keystore; use a different password than for the server keystore, and answer "yes" when asked whether to trust the certificate:
cd $NMS_CONFIG/jconfig
keytool -exportcert -keystore nms-ssl.keystore -alias nms-key -file nms_public.pem
keytool -importcert -keystore global/nms-client.keystore -alias nms-key -file nms_public.pem
 
Creating the Certificate for SwService
SwService needs the server's certificate in PEM format in order to communicate with WebLogic Server securely. keytool -exportcert writes the certificate in DER form to standard output when no -file is given, and openssl converts it to PEM at the path in $NMS_SSL_CERT:
keytool -exportcert -keystore $NMS_CONFIG/jconfig/nms-ssl.keystore -alias nms-key | openssl x509 -inform der -out $NMS_SSL_CERT
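As an added example (not part of the Oracle page), the script below performs the client keystore and SwService steps from one exported copy of the server certificate, and checks whether the exported file is DER or PEM before handing it to openssl, because keytool writes DER by default regardless of the .pem file name. The NMS_KEYSTORE_PASS and NMS_CLIENT_PASS variables and the temporary-file handling are assumptions of the example.

```shell
#!/bin/sh
# Added example; not Oracle's code. Exports the server certificate once and
# feeds it to both consumers: the client keystore and the PEM file that
# SwService reads. Assumptions not on the page: the NMS_KEYSTORE_PASS and
# NMS_CLIENT_PASS variables and the temporary file used for the export.
set -eu

# keytool -exportcert writes DER unless -rfc is given, even when the target is
# called *.pem. Detect the real encoding so openssl gets the right -inform.
cert_format() { # cert-file -> prints DER or PEM
  if head -n 1 "$1" | grep -q -- '^-----BEGIN'; then
    echo PEM
  else
    echo DER
  fi
}

to_pem() { # in-cert out-pem
  openssl x509 -inform "$(cert_format "$1")" -in "$1" -out "$2"
}

export_server_cert() { # server-keystore out-file
  keytool -exportcert -keystore "$1" -alias nms-key -file "$2" \
    -storepass "$NMS_KEYSTORE_PASS"
}

# Client trust store: a different password from the server keystore, and
# -noprompt answers the "Trust this certificate?" question that keytool asks
# when it adds a trusted entry. keytool accepts DER or PEM input here.
make_client_keystore() { # exported-cert client-keystore
  keytool -importcert -noprompt -keystore "$2" -alias nms-key -file "$1" \
    -storepass "$NMS_CLIENT_PASS"
  keytool -list -keystore "$2" -storepass "$NMS_CLIENT_PASS" | grep -i 'nms-key'
}

# SwService wants the same public certificate as PEM at $NMS_SSL_CERT.
make_swservice_cert() { # server-keystore out-pem
  tmp=$(mktemp)
  export_server_cert "$1" "$tmp"
  to_pem "$tmp" "$2"
  rm -f "$tmp"
  # Subject must show the hostname chosen as CN; notAfter shows when to renew.
  openssl x509 -in "$2" -noout -subject -dates
}

# Usage (run from $NMS_CONFIG/jconfig):
#   export NMS_KEYSTORE_PASS=... NMS_CLIENT_PASS=...
#   export_server_cert nms-ssl.keystore nms_public.pem
#   make_client_keystore nms_public.pem global/nms-client.keystore
#   make_swservice_cert nms-ssl.keystore "$NMS_SSL_CERT"
```

Only the public certificate leaves nms-ssl.keystore in this flow; if a step ever asks for the server keystore itself on the client side or in the SwService configuration, something has gone wrong, because the private key must stay on the WebLogic server.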