5 SSL Configuration WLST Commands
About SSL Configuration Commands
WLST commands are available to configure and manage SSL for Oracle Fusion Middleware components.
Use the commands listed in Table 5-1 for this task.
See Also:
Command-Line Interface for Keystores and Wallets in Administering Oracle Fusion Middleware for important instructions on how to launch the WLST shell to run SSL-related commands. Do not launch the WLST interface from any other location.
Note:
All WLST commands for SSL configuration must be run in online mode.
You can obtain help for each command by issuing:
help('command_name')
Certain commands require parameters like instance name, ias-component and process type. You can obtain this information with the command:
state('serverName') [in WebLogic domain]
nmServerStatus(serverName='name', serverType='type') [in Standalone domain]
Table 5-1 WLST Commands for SSL Configuration
Use this command... | To... | Use with WLST... |
---|---|---|
configureSSL | Set the SSL attributes for a component listener. | Online |
getSSL | Display the SSL attributes for a component listener. | Online |
Properties Files for SSL
SSL configuration employs certain properties files for use with the WLST configureSSL command.
The files contain parameters to specify the desired SSL configuration, such as authentication type, cipher values, and SSL version.
You can use descriptive names if you need to manage multiple properties files for different components. For example, you could have properties files named ohs-ssl-properties.prop or ovd-ssl-properties.prop.
Structure of Properties Files
All the SSL properties files have a consistent structure.
Table 5-2 provides details about the key-value structure and usage of these files.
Table 5-2 Parameters in Properties File
Key | Mandatory? | Allowed Values for Oracle HTTP Server | Usage |
---|---|---|---|
SSLEnabled | No | true, false | Either value |
Ciphers | No | SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA | One or more comma separated values |
SSLVersions | No | nzos_Version_3_0, nzos_Version_3_0_With_2_0_Hello, nzos_Version_1_0 | One or more comma separated values |
CertValidation | No | none, crl | Either value |
CertValidationPath | No | file://, dir:// | Path of the CRL file, or directory containing CRL files |
KeyStore | No | Valid wallet name | |
TrustStore | No | N/A | |
AuthenticationType | No | None, Server, Optional, Mutual | Any one value |
Table 5-3 shows the default values:
Table 5-3 Default Values of Parameters
Key | Default Value for Oracle HTTP Server |
---|---|
SSLEnabled | true |
Ciphers | null |
SSLVersions | null |
CertValidation | none |
CertValidationPath | null |
KeyStore | default |
TrustStore | - |
AuthenticationType | Server |
Note:
- At least one DH_anon cipher must be used in SSL no-auth mode. For all other modes, at least one RSA cipher must be used.
- The value of the KeyStore parameter must be specified when configuring SSL in server-auth, mutual-auth, or optional client auth.
- If only AES ciphers have been specified, the SSLVersions parameter must contain TLSv1 or nzos_Version_1_0.
- If you are doing CRL-based validation, the value of the CertValidation parameter should be crl and the value of the CertValidationPath parameter should point to the CRL file/directory.
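The consistency rules in the notes above can be checked before a file is handed to configureSSL. The following Python linter is an added example, not Oracle code: the function names and sample files are constructed for illustration. It assumes that the cipher rules apply only when Ciphers is listed explicitly and that the KeyStore rule applies to the effective authentication type after the Table 5-3 default.

```python
KNOWN_KEYS = {  # keys from Table 5-2; anything else is most likely a typo
    "SSLEnabled", "Ciphers", "SSLVersions", "CertValidation",
    "CertValidationPath", "KeyStore", "TrustStore", "AuthenticationType"}
TLS1_VERSIONS = {"TLSv1", "nzos_Version_1_0"}

def parse_props(text):
    """Parse name=value lines; a key with an empty value counts as absent."""
    props = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and value.strip() and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def split_csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_ssl_props(text):
    """Return rule violations for one properties file (empty list = consistent)."""
    p = parse_props(text)
    problems = ["unknown key: " + k for k in sorted(set(p) - KNOWN_KEYS)]
    auth = p.get("AuthenticationType", "Server").lower()  # Table 5-3 default
    ciphers, versions = split_csv(p.get("Ciphers", "")), set(split_csv(p.get("SSLVersions", "")))
    if ciphers:  # assumption: cipher rules apply only to an explicit list
        wanted = "DH_anon" if auth == "none" else "_RSA_"
        if not any(wanted in c for c in ciphers):
            problems.append("%s mode needs at least one %s cipher" % (auth, wanted.strip("_")))
        if all("_AES_" in c for c in ciphers) and not versions & TLS1_VERSIONS:
            problems.append("AES-only ciphers need TLSv1 or nzos_Version_1_0")
    if p and auth != "none" and "KeyStore" not in p:  # a file with no attributes uses defaults
        problems.append("KeyStore must be specified for " + auth + " auth")
    if p.get("CertValidation", "none") == "crl" and "CertValidationPath" not in p:
        problems.append("CertValidation=crl needs CertValidationPath")
    return problems

# Constructed sample files (not taken from a real deployment).
GOOD = """AuthenticationType=Mutual
SSLVersions=nzos_Version_1_0
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
CertValidation=crl
CertValidationPath=file:///tmp/file.crl
KeyStore=ohs1"""
BAD = """AuthenticationType=Server
SSLVersion=nzos_Version_3_0
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA
CertValidation=crl"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ssl_props(text) or "consistent")
```

The BAD sample trips four checks at once: a misspelled key, an AES-only cipher list without a TLS 1.0 version, a missing KeyStore, and CRL validation without a path.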
Examples of Properties Files
Some examples demonstrating the use of the properties files follow.
Example 1: Basic Properties File
SSLEnabled=true
AuthenticationType=None
CertValidation=none
This properties file specifies no authentication mode, and default values will be used during SSL configuration for ciphers and SSL version. Keystore and truststore properties are not specified since the authentication type is None. For other authentication types, keystore must be specified.
Example 2: Basic Properties File
SSLEnabled=
AuthenticationType=None
CertValidation=none
This properties file is exactly the same as above, except that SSLEnabled is explicitly specified without any value. This is the same as not specifying the key at all. In both cases, the default value will be used.
Therefore, all the following three settings have the same meaning:
- The setting:
  SSLEnabled=true
  Here the value true is explicitly specified.
- The setting:
  SSLEnabled=
  Since no value is mentioned here, the default value of SSLEnabled (true) is used.
- The key SSLEnabled is not present in the properties file. Since the key is not present, its default value (true) is used.
Example 3: Properties File with Version for Oracle HTTP Server
SSLEnabled=true
AuthenticationType=Mutual
SSLVersions=nzos_Version_3_0
CertValidation=crl
CertValidationPath=file:///tmp/file.crl
KeyStore=ohs1
This properties file has:
- Default values for ciphers
- Keystore
- SSL version v3
- CRL validation turned on
- Mutual Authentication mode
configureSSL
Online command that sets SSL attributes.
Description
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, then default attribute values are used.
For details about the format of properties files, see Properties Files for SSL.
Syntax
configureSSL('instName', 'compName', 'compType', 'listener', 'filePath')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
listener | Specifies the name of the component listener to be configured for SSL. |
filePath | Specifies the absolute path of the properties file containing the SSL attributes to set. |
Example
Here are some examples of configureSSL command usage.
The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
getSSL
Online command that lists the configured SSL attributes.
Description
This command lists the configured SSL attributes for the specified component listener.
Syntax
getSSL('instName', 'compName', 'compType', 'listener')
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ohs'. |
listener | Specifies the name of the component listener. |
Example
The following command shows the SSL attributes configured for Oracle HTTP Server instance ohs1, in application server instance inst1, for listener sslport1:
wls:/mydomain/serverConfig> getSSL('inst1', 'ohs1', 'ohs', 'sslport1')