4 Configuring Security

This chapter describes how to work with security for proxy plug-ins.

This chapter includes the following topics:

Using SSL with Proxy Plug-Ins

You can use the Secure Sockets Layer (SSL) protocol to protect the connection between the proxy plug-in and Oracle WebLogic Server. The SSL protocol provides confidentiality and integrity to the data passed between the proxy plug-in and Oracle WebLogic Server.

The proxy plug-in does not use the transport protocol (HTTP or HTTPS) specified in the HTTP request (usually by the browser) to determine whether to use SSL to protect the connection between the proxy plug-in and Oracle WebLogic Server; that is, the proxy plug-in is in no way dependent on whether the HTTP request (again, usually from the browser) uses HTTPS (SSL).

Instead, the proxy plug-in uses SSL parameters that you configure for the proxy plug-in, as described in SSL Parameters for Oracle WebLogic Server Proxy Plug-Ins, to determine when to use SSL:

  • WebLogicSSLVersion - Specifies the SSL protocol version to use for communication between the proxy plug-in and Oracle WebLogic Server.
  • WLSSLWallet - The Oracle WebLogic Server 14.1.1.0 Proxy Plug-ins use Oracle wallets to store SSL configuration information. Use the WLSSLWallet SSL configuration parameter to configure the wallets. The orapki utility is provided in the proxy plug-in distribution for this purpose.

    The orapki utility manages public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. This enables you to automate many of the routine tasks of maintaining a PKI. See Using the orapki Utility for Certificate Validation and CRL Management.

  • SecureProxy - The SecureProxy parameter determines whether SSL is enabled.

Note:

For information about configuring earlier versions of SSL/TLS on the Oracle WebLogic Server side, see Using the weblogic.security.SSL.protocolVersion System Property in Administering Security for Oracle WebLogic Server.

In the case of two-way SSL, the proxy plug-in (the SSL client) automatically uses two-way SSL when Oracle WebLogic Server is configured for two-way SSL and requests a client certificate. For more information about configuring two-way SSL on Oracle WebLogic Server, see Servers: Configuration: SSL in the Oracle WebLogic Server Administration Console Online Help.

If a client certificate is not requested, the proxy plug-ins default to one-way SSL.
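The point made above, that the plug-in ignores the browser's scheme and protects the back-end hop only when its own SSL parameters say so, is easy to check in configuration review. The following Python is an added example, not part of this document or of the Oracle plug-in distribution: it scans an httpd.conf fragment for the SecureProxy, WLSSLWallet and WebLogicSSLVersion parameters described above and reports the weak settings. The `<IfModule mod_weblogic.c>` block and the WebLogicHost/WebLogicPort directives are the plug-in's usual Apache syntax; the sample hostnames, the wallet path and the `TLSv1_2` value format for WebLogicSSLVersion are constructed assumptions for the example.

```python
import re

# Constructed httpd.conf fragments (assumptions for this example, not from the document).
# WEAK_CONF proxies in plaintext no matter what the browser used; HARDENED_CONF sets the
# three SSL parameters described in the text.
WEAK_CONF = """
<IfModule mod_weblogic.c>
    WebLogicHost wls.example.internal
    WebLogicPort 7002
    SecureProxy OFF
</IfModule>
"""

HARDENED_CONF = """
<IfModule mod_weblogic.c>
    WebLogicHost wls.example.internal
    WebLogicPort 7002
    SecureProxy ON
    WLSSLWallet /etc/httpd/wallet
    WebLogicSSLVersion TLSv1_2
</IfModule>
"""

# Directive names the linter recognises (Apache reads them case-insensitively).
PLUGIN_DIRECTIVES = ("WebLogicHost", "WebLogicPort", "WebLogicCluster",
                     "SecureProxy", "WLSSLWallet", "WebLogicSSLVersion")
CANON = {d.lower(): d for d in PLUGIN_DIRECTIVES}
DIRECTIVE_RE = re.compile(r"^\s*(" + "|".join(PLUGIN_DIRECTIVES) + r")\s+(\S+)", re.I | re.M)

# Version tokens treated as legacy; the token format (TLSv1, TLSv1_1, SSLv3 ...) is an assumption.
LEGACY_VERSION_RE = re.compile(r"(?i)(sslv[23]|tlsv1([._][01])?)")


def parse_plugin_directives(conf):
    """Return {directive: value} for recognised directives; a repeated directive keeps the last value."""
    found = {}
    for m in DIRECTIVE_RE.finditer(conf):
        found[CANON[m.group(1).lower()]] = m.group(2)
    return found


def lint_plugin_ssl(conf):
    """Return a list of findings (empty means the back-end hop is configured for SSL)."""
    d = parse_plugin_directives(conf)
    findings = []
    # An absent SecureProxy is treated as OFF here (assumption about the default).
    if d.get("SecureProxy", "OFF").upper() != "ON":
        findings.append("SecureProxy is not ON: traffic to Oracle WebLogic Server is plaintext "
                        "regardless of whether the browser request used HTTPS")
    if "WLSSLWallet" not in d:
        findings.append("WLSSLWallet is not set: no wallet holding the trusted CA certificates "
                        "used to validate the Oracle WebLogic Server certificate")
    ver = d.get("WebLogicSSLVersion")
    if ver is None:
        findings.append("WebLogicSSLVersion is not set: protocol version is left to the default")
    elif LEGACY_VERSION_RE.fullmatch(ver):
        findings.append(f"WebLogicSSLVersion {ver} selects a legacy protocol version")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_plugin_ssl(conf) or ["ok"])
```

Running the block as a script prints the findings for both fragments; pointing `lint_plugin_ssl` at the text of a real httpd.conf gives the same report for a deployment.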

Note:

If an Oracle WebLogic Server 14.1.1.0 product is installed on the same system as the Oracle WebLogic Server Proxy Plug-in, the ORACLE_HOME variable must point to a valid installation; otherwise, the proxy plug-in fails to initialize SSL.

For example, if ORACLE_HOME is invalid because the product was not cleanly removed, the proxy plug-in fails to initialize SSL.

This section includes the following topics:

Configuring Libraries for SSL

The Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins for Apache HTTP Server support the HTTP/2 protocol. HTTP/2 over TLS uses the Application Layer Protocol Negotiation (ALPN) TLS extension to set up encrypted connections faster. Because Oracle's NZ libraries do not support the ALPN extension, the proxy plug-ins have been rewritten to use OpenSSL libraries. Therefore, some minor changes are necessary for existing deployments to use SSL for communication with Oracle WebLogic Server, as described in Configuring Environment Variables.

Note:

The current implementation of the Oracle WebLogic Server Proxy Plug-in for Apache HTTP Server does not support the use of multiple certificate files with Apache SSL.

This section includes the following topics:

Configuring Environment Variables

The Oracle WebLogic Server Proxy Plug-ins use Oracle Wallet to store SSL information such as private key, user certificate chain, and the list of trusted certificates. OpenSSL APIs cannot read the content of such wallets. Therefore, it is necessary to export the content of a user-supplied wallet to a format that OpenSSL APIs can read. The content of the wallet will be exported as PEM formatted files on the file system. For each user-supplied wallet, three files may be created in the same file system path where the auto-login wallet is present:

  • key.pem: A pass-phrase protected file containing the private key in PEM format, if a private key is present in the wallet.
  • user.crt: User certificate in PEM format, if a user certificate is present in the wallet.
  • trusted_certs.crt: Chain of trusted certificates in PEM format.

A new program called export_wallet is supplied in the proxy plug-in zip file to export user wallet(s) as described above. This program requires the environment variables JAVA_HOME and PLUGINS_HOME to be set. See Installation Prerequisites.
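Because export_wallet writes the private key and certificates as plain files next to cwallet.sso, the directory deserves the same access control as the wallet itself (the note on wallet access in the one-way SSL steps below makes the same point for cwallet.sso). The following Python is an added example, not part of this document or of the plug-in distribution: it checks that the four files named above are readable only by their owner, that they belong to the expected user, and that key.pem really is pass-phrase protected. The PEM markers it looks for are the ones OpenSSL writes for encrypted keys (PKCS#8 `ENCRYPTED PRIVATE KEY` and the legacy `Proc-Type: 4,ENCRYPTED` header); the file contents in `demo()` are constructed placeholders, not real keys or certificates.

```python
import os
import stat
import tempfile

# The wallet file plus the three PEM files export_wallet may place beside it.
WALLET_FILES = ("cwallet.sso", "key.pem", "user.crt", "trusted_certs.crt")
# Markers OpenSSL writes for pass-phrase protected keys (PKCS#8 and legacy PEM formats).
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def check_wallet_dir(path, expected_uid=None):
    """Return a list of (file, problem) tuples for the wallet directory at path."""
    findings = []
    for name in WALLET_FILES:
        p = os.path.join(path, name)
        if not os.path.exists(p):
            continue                                   # e.g. no key.pem when the wallet has no key
        st = os.stat(p)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, f"accessible by group/other (mode {mode:04o})"))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((name, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    key = os.path.join(path, "key.pem")
    if os.path.exists(key):
        with open(key, "r", errors="replace") as f:
            head = f.read(256)                         # markers sit in the first lines
        if not any(marker in head for marker in ENCRYPTED_MARKERS):
            findings.append(("key.pem", "private key is not pass-phrase protected"))
    return findings


def _write(p, data, mode):
    with open(p, "wb") as f:
        f.write(data)
    os.chmod(p, mode)


def demo():
    """Build two constructed wallet directories (placeholder contents) and check both."""
    base = tempfile.mkdtemp()
    good, bad = os.path.join(base, "good"), os.path.join(base, "bad")
    os.mkdir(good)
    os.mkdir(bad)
    # Good layout: owner-only modes, encrypted key, trust list present.
    _write(os.path.join(good, "cwallet.sso"), b"\x00constructed-wallet", 0o600)
    _write(os.path.join(good, "key.pem"),
           b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END ENCRYPTED PRIVATE KEY-----\n", 0o600)
    _write(os.path.join(good, "trusted_certs.crt"),
           b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n", 0o600)
    # Bad layout: world-readable wallet and an unencrypted key.
    _write(os.path.join(bad, "cwallet.sso"), b"\x00constructed-wallet", 0o644)
    _write(os.path.join(bad, "key.pem"),
           b"-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n", 0o644)
    uid = os.getuid() if hasattr(os, "getuid") else None
    return check_wallet_dir(good, uid), check_wallet_dir(bad, uid)


if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("good:", good_findings or "no findings")
    print("bad: ", bad_findings)
```

On a real deployment call `check_wallet_dir` with the directory named by WLSSLWallet and the uid of the account Apache HTTP Server runs as; any finding means either the chmod/cacls step was skipped or export_wallet was run as a different user.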

Configuring a Proxy Plug-In for One-Way SSL

Perform the following steps to configure one-way SSL.

In these steps, you run the keytool commands on the system on which Oracle WebLogic Server is installed, and you run the orapki commands on the system on which the Oracle WebLogic Server 14.1.1.0 Proxy Plug-ins are installed.

Note:

The examples in this section use the Oracle WebLogic Server demo CA. If you are using the proxy plug-in in a production environment, ensure that trusted CAs are properly configured for the proxy plug-in and for Oracle WebLogic Server.

  1. Configure Oracle WebLogic Server for SSL. See Configuring SSL in Administering Security for Oracle WebLogic Server.
  2. Create an Oracle Wallet, by using the orapki utility.
    orapki wallet create -wallet mywallet -auto_login_only

    See Using the orapki Utility for Certificate Validation and CRL Management in the Administering Oracle Fusion Middleware.

    Note:

    Only the user who creates the wallet (or for Windows, the account SYSTEM) has access to the wallet.

    This is typically sufficient for the Oracle WebLogic Server Proxy Plug-in for Apache HTTP Server because Apache HTTP Server runs as the account SYSTEM on Windows, and as the user who creates it on UNIX.

    If the user who runs the Oracle WebLogic Server Proxy Plug-in for Apache HTTP Server is different from the user who creates the wallet (or for Windows, the account SYSTEM), you need to grant the user access to the wallet by running the command cacls (Windows) or chmod (UNIX) after you create the wallet. For example:

    cacls <wallet_path>\cwallet.sso /e /g IUSR:R

  3. Import the Oracle WebLogic Server trust certificate into the Oracle Wallet.
    orapki wallet add -wallet mywallet -trusted_cert -cert <cert_file_name> -auto_login_only
  4. Complete these steps if the version of the Oracle WebLogic Server instances in the back end is 10.3.4 (or a later release).
    1. Log in to the Oracle WebLogic Server Administration Console.
    2. In the Domain Structure pane, expand the Environment node.
      • If the server instances to which you want to proxy requests from Apache HTTP Server are in a cluster, select Clusters.
      • Otherwise, select Servers.
    3. Select the server or cluster to which you want to proxy requests from Apache HTTP Server.
    4. In the Configuration: General tab, scroll down to the Advanced section, then expand it.
    5. Do one of the following:
      To...                                                                  Select...
      Enable one-way SSL                                                     WebLogic Plug-In Enabled
      Enable two-way SSL where client certificates are used to authenticate  Client Cert Proxy Enabled
      Enable two-way SSL with client certificates                            Both

    6. If you selected Servers in Step 4b, repeat Step 3 and Step 4 for the other servers to which you want to proxy requests from Apache HTTP Servers.
    7. Click Save.

    For the change to take effect, you must restart the server instances.

  5. Send a request to http://host:port/mywebapp/my.jsp from the browser and validate the response.

Configuring a Two-Way SSL Between the Proxy Plug-In and Oracle WebLogic Server

When Oracle WebLogic Server is configured for two-way SSL, the proxy plug-in forwards the user certificate to Oracle WebLogic Server. Two-way SSL can be established as long as Oracle WebLogic Server can validate the user certificate.

In these steps, you run the keytool commands on the system on which Oracle WebLogic Server is installed. You run the orapki commands on the system on which the 14.1.1.0 proxy plug-ins are installed.

To configure a two-way SSL:
  1. Perform the steps described in Configuring a Proxy Plug-In for One-Way SSL.
  2. Set the Oracle WebLogic Server SSL configuration options that require the presentation of client certificates (for two-way SSL). See Configure two-way SSL in Oracle WebLogic Server Administration Console Online Help.
  3. From the Oracle wallet, generate a certificate request:
    1. Add the certificate request to the Oracle wallet.
      orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048
    2. Export the certificate request from Oracle wallet:
      orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename

      See Exporting Certificates and Certificate Requests from Oracle Wallets with orapki in Administering Oracle Fusion Middleware.

  4. Use the certificate request exported in Step 3 to create a certificate by using a certificate authority (CA) or some other mechanism.
  5. Import all trusted certificates in the certificate chain of a user certificate before adding a user certificate. The certificate chain includes the intermediate certificate authorities and the root certificate authority.
    Import the root CA certificate as a trusted certificate by using the following command:
    orapki wallet add -wallet wallet_location -trusted_cert -cert root_certificate_location
    Import the intermediate CA certificate as a trusted certificate. If there is more than one intermediate CA certificate, run the following command once for each intermediate CA, changing the location given to the -cert option each time.
    orapki wallet add -wallet wallet_location -trusted_cert -cert intermediate_certificate_location

    See Adding Certificates and Certificate Requests to Oracle Wallets with orapki in the Database Security Guide.

  6. Import the certificate signed by CA as a user certificate to Oracle wallet.
    orapki wallet add -wallet wallet_location -user_cert -cert certificate_location
  7. Import the CA certificate as a trusted certificate in the WebLogic trust store. Oracle WebLogic Server needs to trust the certificate.
    keytool -file certificate_location -importcert -trustcacerts -keystore DemoTrust.jks -storepass <passphrase>

Replacing Certificates Signed Using the MD5 Algorithm

When using SSL to connect to Oracle WebLogic Server, ensure that any certificate request or certificates signed with MD5 are replaced by SHA-2 signed certificates in the wallet; otherwise, the server fails to start.

This section includes the following topics:

Checking the Certificate Signing Algorithm
To check the certificate signing algorithm:
  1. Use the orapki command to obtain the Distinguished Name (DN) for an SSL certificate.
    ${PLUGINS_HOME}/bin/orapki wallet display -wallet <wallet_location>

    For example:

    • Content of the wallet with a CA-signed user certificate:
      ${PLUGINS_HOME}/bin/orapki wallet display -wallet /tmp/test_wallet

      Sample output:

      Oracle PKI Tool: Version 12.2.1.4.0
      Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
      
      Requested Certificates: 
      User Certificates:
      Subject: CN=localhost,O=FOR TESTING ONLY
      Trusted Certificates: 
      Subject: CN=im_ca,OU=O,O=FOR TESTING ONLY
      Subject: CN=root_ca,OU=O,O=FOR TESTING ONLY

      In this example, the user certificate is signed by an intermediate CA. Hence, you see the complete trust chain in the trusted certificates list.

      • The Distinguished Name for user certificates is "CN=localhost,O=FOR TESTING ONLY"
      • The Distinguished Name for intermediate certificates is "CN=im_ca,OU=O,O=FOR TESTING ONLY"
      • The Distinguished Name for root certificates is: "CN=root_ca,OU=O,O=FOR TESTING ONLY"
    • Content of the wallet with a self-signed user certificate:
      ${PLUGINS_HOME}/bin/orapki wallet display -wallet /tmp/test_wallet

      Sample output:

      Oracle PKI Tool : Version 12.2.1.4.0
      Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
      
      Requested Certificates: 
      User Certificates:
      Subject: CN=localhost,O=FOR TESTING ONLY
      Trusted Certificates: 
      Subject: CN=localhost,O=FOR TESTING ONLY

      The Distinguished Name for the self-signed user certificate is "CN=localhost,O=FOR TESTING ONLY"

  2. Export the certificates present in the wallet.
    ${PLUGINS_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'DN_string' -cert <certificate_file>
    For example:
    • Export the user certificate.
      ${PLUGINS_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'CN=localhost,O=FOR TESTING ONLY' -cert user.crt

      For more information about this step, see orapki wallet export in the Database Security Guide.

    • Export the intermediate and root CA certificates.
      ${PLUGINS_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'CN=im_ca,OU=O,O=FOR TESTING ONLY' -cert im_ca.crt
      ${PLUGINS_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'CN=root_ca,OU=O,O=FOR TESTING ONLY' -cert root_ca.crt
  3. Check the signature algorithm used to sign <certificate_file> using the keytool:
    $JAVA_HOME/bin/keytool -printcert -file <certificate_file>
    For example, if the certificate is signed with MD5, the Signature algorithm name is set to MD5withRSA, as shown in the following sample command output:
    $JAVA_HOME/bin/keytool -printcert -file user.crt

    Sample output:

    Owner: CN=localhost,OU=O,O=FOR TESTING ONLY
    Issuer: CN=localhost,OU=O,O=FOR TESTING ONLY
    Serial number: –--
    Valid from: –--
    Certificate fingerprints:
      MD5:  –--
      SHA1: –--
      SHA256: –--
      Signature algorithm name: MD5withRSA
      Version: 1

    Note:

    If any of the user and trusted certificates in the chain are signed with the MD5 algorithm, you can either create a new wallet with new certificates signed with the SHA-2 algorithm or replace the existing certificates with certificates signed with the SHA-2 algorithm.
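The keytool -printcert check above reads the signature algorithm from the outer AlgorithmIdentifier of the certificate, which is the same place it sits in a certificate request (the -----BEGIN NEW CERTIFICATE REQUEST----- files exported later in this chapter). The following Python is an added example, not part of this document or of the Oracle tools: it decodes just enough DER to read that field from every PEM block in a file, so exported user, intermediate and root certificates and pending CSRs can be screened for MD5 (or SHA-1) signatures in one pass, including when deciding which certificates to remove in Replacing the Existing Certificates with SHA-2 Signed Certificates. The OID table covers the common RSA and ECDSA signature algorithms; the `SAMPLE_PEM` blocks are constructed DER shells with dummy bodies and signatures, not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); this table is part of the example.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted string for a DER OBJECT IDENTIFIER value (base-128 arcs, first byte = 40*a1 + a2)."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Name of the outer signatureAlgorithm of a DER Certificate or CertificationRequest.
    Both are SEQUENCE { body, AlgorithmIdentifier, BIT STRING }, so the body is skipped unparsed."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _body, pos = _read_tlv(outer, 0)          # tbsCertificate / certificationRequestInfo
    tag, alg, _ = _read_tlv(outer, pos)          # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_raw, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_raw)
    return SIG_ALG_OIDS.get(oid, oid)            # unknown OIDs come back dotted, never silently "ok"


def check_pem(text):
    """Return [(pem_label, algorithm, is_weak)] for every PEM block in text (certs and CSRs alike)."""
    out = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()))
        name = signature_algorithm(der)
        out.append((m.group(1), name, name in WEAK_ALGS))
    return out


# --- constructed test data: DER shells with the right outer shape, not real certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def constructed_pem(label, sig_oid):
    """A PEM block with a placeholder body, the given signature OID, and a dummy signature."""
    body = _der(0x30, _der(0x02, b"\x01"))                   # stands in for the signed body
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))    # AlgorithmIdentifier with NULL params
    sig = _der(0x03, b"\x00" * 17)                           # BIT STRING, 0 unused bits
    b64 = base64.b64encode(_der(0x30, body + alg + sig)).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


SAMPLE_PEM = (constructed_pem("CERTIFICATE", "1.2.840.113549.1.1.4")
              + constructed_pem("NEW CERTIFICATE REQUEST", "1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for label, alg, weak in check_pem(text):
        print(f"{label:25s} {alg:28s} {'REPLACE (weak)' if weak else 'ok'}")
```

Run it over the user.crt, im_ca.crt and root_ca.crt files exported in Step 2 (or over user.csr): every block reported as weak corresponds to a certificate or request that the note above says must be replaced with one signed using SHA-2.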

The list of parameters used in the orapki commands:

Table 4-1 Command Parameters

Parameter   Description
-wallet     Specifies the wallet location.
-dn         Specifies the distinguished name of the certificate.
-cert       Specifies the directory location where the tool places the exported certificate.

Creating a New Wallet to Add Certificates Signed with the SHA-2 Algorithm
To create a new wallet:
  1. Create a wallet.
    ${PLUGINS_HOME}/bin/orapki wallet create -wallet <wallet_location> -auto_login_only

    For example:

    ${PLUGINS_HOME}/bin/orapki wallet create -wallet test_wallet -auto_login_only

    Sample output:

    Oracle PKI Tool : Version 12.2.1.4.0
    Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
    
    Operation is successfully completed.
    Check the content of test_wallet:
    $ls test_wallet
    cwallet.sso

    For more information about creating wallets with orapki, see Creating and Viewing Oracle Wallets with orapki in Administering Oracle Fusion Middleware.

  2. Add the user certificate to the wallet. User certificates can be self-signed or CA-signed. For production, Oracle recommends using a CA-signed certificate.
    1. Add a self-signed user certificate.
      1. Run the following command:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet <wallet_Location> -dn 'DN_string' -keysize 512|1024|2048|4096|8192|16384 -sign_alg sha256 -self_signed -validity 9125 [-pwd <pwd>] | [-auto_login_only]
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -dn 'CN=localhost,O=FOR TESTING ONLY' -keysize 2048  -sign_alg sha256 -self_signed -validity 9125 -auto_login_only

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        
        Operation is successfully completed.
      2. List the content of the wallet after adding self-signed certificate to the wallet:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet <wallet_location>
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        
        Requested Certificates: 
        User Certificates:
        Subject: CN=localhost,O=FOR TESTING ONLY
        Trusted Certificates: 
        Subject: CN=localhost,O=FOR TESTING ONLY

        For more information about adding certificates to a wallet, see Adding a Root Certificate to an Oracle Wallet in Administering Oracle Fusion Middleware.

    2. Add a CA-signed user certificate.
      1. Add the certificate request to the Oracle wallet.
        orapki wallet add -wallet wallet_location -dn user_dn -keySize 512|1024|2048 [-pwd <pwd>] | [-auto_login_only] 
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -dn "CN=localhost,O=testing_only" -keysize 2048 -auto_login_only

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed
         
        Wallet content after adding certificate request
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet /scratch/shichoud/test_wallet 
        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates: 
        Subject:        CN=localhost,O=testing_only
        User Certificates:
        Trusted Certificates:
        ...
      2. Export the certificate request from Oracle wallet:
        orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet export -wallet test_wallet -dn "CN=localhost,O=testing_only" -request user.csr

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed.
        To view the content of the certificate, run the following command:
        cat user.csr

        Sample output:

        -----BEGIN NEW CERTIFICATE REQUEST-----
        MIICcDCCAVgCAQAwKzEVMBMGA1UECgwMdGVzdGluZ19vbmx5MRIwEAYDVQQDEwls
        ...
        ...
        WnDd1cweMAH+1/D1C4Gi7Gvhi2Axw18H60lmZcU3JXv2bhu8QxZI9N6sI1DjU2Mg
        l6EH2w==

        See Exporting Certificates and Certificate Requests from Oracle Wallets with orapki in Administering Oracle Fusion Middleware.

      3. Use the certificate request exported in Step 3 to create a certificate by using a certificate authority (CA) or some other mechanism.
      4. Import all the trusted certificates in the certificate chain of a user certificate before adding a user certificate. The certificate chain includes the intermediate certificate authorities and the root certificate authority.
        • Import the root CA certificate as a trusted certificate by using the following command:
          orapki wallet add -wallet wallet_location -trusted_cert -cert root_certificate_location [-pwd <pwd>] | [-auto_login_only]
          For example:
          ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert Root_CA.crt -auto_login_only

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          Operation is successfully completed.
        • Import the intermediate CA certificate as a trusted certificate. If there is more than one intermediate CA certificate, run the following command once for each intermediate CA, changing the location given to the -cert option each time.
          orapki wallet add -wallet wallet_location -trusted_cert -cert intermediate_certificate_location [-pwd <pwd>] | [-auto_login_only]
          For example:
          ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert IM_CA.crt -auto_login_only

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          Operation is successfully completed.
        Display the wallet after importing the root CA and the intermediate CA:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates: 
        Subject:        CN=localhost,O=testing_only
        User Certificates:
        Trusted Certificates: 
        Subject:        CN=im_ca,OU=O,O=oracle,C=IN
        Subject:        CN=root_ca,OU=O,O=oracle,C=IN
      5. Import the certificate signed by CA as a user certificate to the Oracle wallet.
        orapki wallet add -wallet wallet_location -user_cert -cert certificate_location [-pwd <pwd>] | [-auto_login_only]
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -user_cert -cert user_1.crt -auto_login_only

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed.
        Wallet content after adding the user certificate signed from the intermediate CA:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates: 
        User Certificates:
        Subject:        CN=localhost,O=testing_only
        Trusted Certificates: 
        Subject:        CN=im_ca,OU=O,O=oracle,C=IN
        Subject:        CN=root_ca,OU=O,O=oracle,C=IN
  3. Add the back-end server certificate as a trusted certificate.
    1. If the back-end server certificate is a self-signed certificate, then import it as a trusted certificate.
      1. View the back-end server certificate:
        ${PLUGINS_HOME}/bin/orapki cert display -cert <backend_server_certificate> -complete
        For example:
        ${PLUGINS_HOME}/bin/orapki cert display -cert backend.crt -complete

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
         
        { fingerprint = ... holder = ... CN=Backend_Server,O=testing_only, issuer = CN=Backend_Server,O=testing_only, ...
        ]} } }
      2. Import the back-end server certificate as a trusted certificate to the wallet:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet <wallet_location> -trusted_cert -cert <back_end_server_crt> -auto_login_only
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert backend.crt -auto_login_only

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed.
      3. Display the wallet content after adding the back-end server certificate as a trusted certificate:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet <wallet_path>
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Version 12.2.1.4.0
          
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates:
        User Certificates:
        ...
        Trusted Certificates:
        ...
        Subject: CN=Backend_Server,O=testing_only
    2. If the back-end server certificate is signed by a CA, then import the trust chain:
      1. If the back-end server certificate is signed by the intermediate CA, then import the root CA and the intermediate CA certificates as trusted certificates to the wallet:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet <wallet_Location> -trusted_cert -cert <CA_certificate> -auto_login_only
        • Example 1:
          ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert Root_CA.crt -auto_login_only

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          Operation is successfully completed.
        • Example 2:
          ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert IM_CA.crt -auto_login_only

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          Operation is successfully completed.
      2. Display the wallet content after adding the back-end server trust chain:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet <wallet_location>
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Version 12.2.1.4.0
        
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates:
        User Certificates:
        ...
        Trusted Certificates:
        ...
        Subject: CN=im_ca,OU=O,O=oracle,C=IN
        Subject: CN=root_ca,OU=O,O=oracle,C=IN

The list of parameters used in the orapki commands:

Table 4-2 Command Parameters

Parameter         Description
-wallet           Specifies the wallet location.
-dn               Specifies the distinguished name of the certificate.
-trusted_cert     Specifies that it is a trusted certificate.
-user_cert        Specifies that it is a user certificate.
-pwd              Specifies the wallet password if the wallet is password protected.
-auto_login_only  Specifies whether the wallet is auto_login_only.
-request          Specifies the location of the certificate request for the certificate you are creating.
-cert             Specifies the directory location of the certificate.
-keysize          Specifies the key size for the certificate.
-self_signed      Causes the tool to create a root certificate.
-validity         Specifies the number of days, starting from the current date, that the root certificate will be valid.
-sign_alg         Specifies the signing algorithm to be used.

Replacing the Existing Certificates with SHA-2 Signed Certificates

If the wallet has a mix of certificates which are signed either with the MD5 or the SHA-2 algorithm, you may want to remove only those certificates which are signed with the MD5 algorithm and keep the certificates that are signed with the SHA-2 algorithm.

For example:

${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

Sample output:

Oracle PKI Tool : Version 12.2.1.4.0
Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: CN=localhost,O=FOR TESTING ONLY
Trusted Certificates:
Subject: CN=localhost,O=FOR TESTING ONLY
Subject: CN=im_ca,OU=O,O=oracle,C=IN
Subject: CN=root_ca,OU=O,O=oracle,C=IN
Subject: CN=test_SHA2_signed_cert,OU=O,O=oracle,C=IN

In this example, test_wallet contains the following certificates signed with the MD5 algorithm:

  • Self-signed user certificate: Subject: CN=localhost,O=FOR TESTING ONLY
  • Trusted certificates:
    Subject: CN=im_ca,OU=O,O=oracle,C=IN
    Subject: CN=root_ca,OU=O,O=oracle,C=IN

After you have identified the certificate request, user certificate, and trusted certificates that are signed with MD5, complete the following steps to remove them from the wallet:

  1. Remove the CA-signed or the self-signed user certificate:
    1. Check whether the certificate is self-signed or CA-signed:
      1. Display the wallet content and get the Distinguished Name:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet <wallet_location>
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates:
        User Certificates:
        Subject: CN=localhost,O=FOR TESTING ONLY
        Trusted Certificates:
        Subject: CN=localhost,O=FOR TESTING ONLY
        Subject: CN=im_ca,OU=O,O=oracle,C=IN
        Subject: CN=root_ca,OU=O,O=oracle,C=IN
        Subject: CN=test_SHA2_singed_cert,OU=O,O=oracle,C=IN

        The Distinguished Name for the user certificate is "CN=localhost,O=FOR TESTING ONLY"

        The wallet display command shows the user certificate and the trusted certificates present in the wallet.

      2. Export the user certificate to a file.
        ${PLUGINS_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'DN_string' -cert <certificate_file>
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'CN=localhost,O=FOR TESTING ONLY' -cert user.crt
      3. View the user certificate.
        ${PLUGINS_HOME}/bin/orapki cert display -cert <user_cert>
        For example:
        • For a self-signed certificate, the Subject and Issuer names are the same, as shown below:
          ${PLUGINS_HOME}/bin/orapki cert display -cert user.crt

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          
          Subject:        CN=localhost,O=FOR TESTING ONLY
          Issuer:         CN=localhost,O=FOR TESTING ONLY
          Valid Until:    Thu Oct 07 15:15:55 UTC 2117
        • For a CA-signed certificate, the Subject and Issuer names are different, as shown below:
          ${PLUGINS_HOME}/bin/orapki cert display -cert user.crt

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          
          Subject:  CN=localhost,O=FOR TESTING ONLY
          Issuer:    CN=im_ca,OU=O,O=FOR TESTING ONLY
          Valid Until:    Thu Oct 07 15:15:55 UTC 2117
    2. Remove the self-signed certificate from the trusted and user certificate lists and also remove the certificate request associated with the self-signed certificate:
      ${PLUGINS_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -trusted_cert [-pwd <pwd>] | [-auto_login_only]
      ${PLUGINS_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -user_cert [-pwd <pwd>] | [-auto_login_only]
      ${PLUGINS_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -cert_req [-pwd <pwd>] | [-auto_login_only]
    3. If a user certificate is CA-signed, then remove the user certificate:
      ${PLUGINS_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -user_cert [-pwd <pwd>] | [-auto_login_only]
    4. Remove the trusted certificate signed using the MD5 algorithm:
      ${PLUGINS_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -trusted_cert [-pwd <pwd>] | [-auto_login_only]
    5. Remove the certificate request signed using the MD5 algorithm:
      ${PLUGINS_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -cert_req [-pwd <pwd>] | [-auto_login_only]
  2. Create and import the certificates to the wallet:
    1. Add a self-signed user certificate signed with the SHA-2 algorithm:
      ${PLUGINS_HOME}/bin/orapki wallet add -wallet <wallet_location> -dn 'DN_string' -keysize 2048 -sign_alg sha256 -self_signed -validity 9125 [-pwd <pwd>] | [-auto_login_only]
    2. Add a CA-signed user certificate signed with the SHA-2 algorithm:
      1. Add the certificate request to the Oracle wallet. This generates the key pair and a certificate request for it. Use -keysize 2048 or larger: 512-bit and 1024-bit RSA keys are too weak to protect the connection, whatever hash algorithm the CA later signs the certificate with.
        orapki wallet add -wallet wallet_location -dn user_dn -keysize 512|1024|2048 [-pwd <pwd>] | [-auto_login_only]
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -dn "CN=localhost,O=testing_only" -keysize 2048 -auto_login_only

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed
         
        Wallet content after adding the certificate request:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet
        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates: 
        Subject:        CN=localhost,O=testing_only
        User Certificates:
        Trusted Certificates:
      2. Export the certificate request from Oracle wallet:
        orapki wallet export -wallet wallet_location -dn certificate_request_dn -request certificate_request_filename
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet export -wallet test_wallet -dn "CN=localhost,O=testing_only" -request user.csr

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed.
        To view the content of the certificate, run the following command:
        cat user.csr

        Sample output:

        -----BEGIN NEW CERTIFICATE REQUEST-----
        MIICcDCCAVgCAQAwKzEVMBMGA1UECgwMdGVzdGluZ19vbmx5MRIwEAYDVQQDEwls
        ...
        ...
        WnDd1cweMAH+1/D1C4Gi7Gvhi2Axw18H60lmZcU3JXv2bhu8QxZI9N6sI1DjU2Mg
        l6EH2w==

        See Exporting Certificates and Certificate Requests from Oracle Wallets with orapki in Administering Oracle Fusion Middleware.

      3. Use the certificate request exported in Step 2 to create a certificate by using a certificate authority (CA) or some other mechanism.
      4. Import all trusted certificates in the certificate chain of a user certificate before adding a user certificate. The certificate chain includes the intermediate certificate authorities and the root certificate authority.
        • Import the root CA certificate as a trusted certificate by using the following command:
          orapki wallet add -wallet wallet_location -trusted_cert -cert root_certificate_location [-pwd <pwd>] | [-auto_login_only]
          For example:
          ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert Root_CA.crt -auto_login_only

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
          Operation is successfully completed.
        • Import the intermediate CA certificate as a trusted certificate. If there is more than one intermediate CA certificate, run the following command once for each of them, changing the location given to the -cert option each time.
          orapki wallet add -wallet wallet_location -trusted_cert -cert intermediate_certificate_location [-pwd <pwd>] | [-auto_login_only]
          For example:
          ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -trusted_cert -cert IM_CA.crt -auto_login_only

          Sample output:

          Oracle PKI Tool : Version 12.2.1.4.0
          Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Display the wallet after importing the root CA and the intermediate CA:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates: 
        Subject:        CN=localhost,O=testing_only
        User Certificates:
        Trusted Certificates: 
        Subject:        CN=im_ca,OU=O,O=oracle,C=IN
        Subject:        CN=root_ca,OU=O,O=oracle,C=IN
      5. Import the certificate signed by CA as a user certificate to the Oracle wallet.
        orapki wallet add -wallet wallet_location -user_cert -cert certificate_location [-pwd <pwd>] | [-auto_login_only]
        For example:
        ${PLUGINS_HOME}/bin/orapki wallet add -wallet test_wallet -user_cert -cert user_1.crt -auto_login_only

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Operation is successfully completed.
        Wallet content after adding the user certificate signed from the intermediate CA:
        ${PLUGINS_HOME}/bin/orapki wallet display -wallet test_wallet

        Sample output:

        Oracle PKI Tool : Version 12.2.1.4.0
        Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
        Requested Certificates: 
        User Certificates:
        Subject:        CN=localhost,O=testing_only
        Trusted Certificates: 
        Subject:        CN=im_ca,OU=O,O=oracle,C=IN
        Subject:        CN=root_ca,OU=O,O=oracle,C=IN
Table 4-3 lists the parameters used in the orapki commands above.

Table 4-3 Command Parameters

Parameter         Description
-wallet           Specifies the wallet location.
-dn               Specifies the distinguished name of the certificate.
-trusted_cert     Specifies that the entry is a trusted certificate.
-user_cert        Specifies that the entry is a user certificate.
-cert_req         Specifies that the entry is a certificate request.
-pwd              Specifies the wallet password if the wallet is password protected.
-auto_login_only  Specifies that the wallet is an auto-login-only wallet, which is opened without a password.
-request          Specifies the file to which the certificate request is exported.
-cert             Specifies the path of the certificate file to import.
-keysize          Specifies the size, in bits, of the key pair generated for the certificate.
-self_signed      Causes the tool to create a self-signed (root) certificate.
-validity         Specifies the number of days, starting from the current date, that the self-signed certificate is valid.
-sign_alg         Specifies the signature algorithm, for example sha256.

Certificates Signed with MD5 Algorithm Not Supported

Certificates signed with the MD5 algorithm must not be used: collision attacks against MD5 are practical, so an attacker can produce a forged certificate whose MD5-based signature still verifies as genuine.

These certificates are no longer supported with the Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins. The environment variable ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES, which previously enabled the use of MD5-signed certificates, is no longer supported. The proxy plug-ins refuse to start if MD5-signed certificates are present in the Oracle wallet, so check every user and trusted certificate with orapki cert display, as shown above, and replace any MD5-signed certificate with a SHA-2 signed one before starting the plug-in.
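The clean-up procedure above, and the start-up refusal just described, both depend on knowing for each certificate which signature algorithm it carries and whether it is self-signed or CA-signed. The following is an added example, not code from the Oracle documentation or from orapki: a Python script that uses only the standard library to read a certificate exported from the wallet (orapki wallet export -wallet <wallet> -dn '<DN>' -cert <file>), report its signature algorithm, subject and issuer DN and self-signed status, and print the orapki wallet remove commands the procedure prescribes when the certificate is MD5-signed. The two sample certificates are constructed inside the script with a bogus key and signature; their DNs mirror the page's examples and they are not real certificates.

```python
"""Added example, not from the Oracle documentation or orapki: stdlib-only triage of X.509
certificates exported with `orapki wallet export ... -cert <file>`, mapping MD5-signed ones
onto the orapki removals described in the procedure. Sample certificates are constructed in
code (bogus key and signature; only their structure is real)."""
import base64

SIG_ALG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",      # RFC 3279
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",   # RFC 4055
                 "1.2.840.113549.1.1.10": "RSASSA-PSS"}                # RFC 4055
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the value of a constructed element into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs; the high bit marks continuation bytes
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _decode_dn(name):
    """Render an X.501 Name the way orapki prints it: most specific RDN first."""
    rdns = []
    for _, rdn in _children(name):  # RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
        (_, oid), (_, val) = _children(_children(rdn)[0][1])
        rdns.append(f"{ATTR_NAMES.get(_decode_oid(oid), _decode_oid(oid))}={val.decode()}")
    return ",".join(reversed(rdns))

def pem_to_der(pem):
    """Strip the PEM armour orapki writes and return the DER bytes."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def inspect_certificate(der):
    """Signature algorithm, DNs and self-signed status of one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbs, signatureAlgorithm, signature }
    (_, tbs), (_, sig_alg), _ = _children(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]  # serial, signature, issuer, validity, subject, ...
    oid = _decode_oid(_children(sig_alg)[0][1])
    return {"signature_algorithm": SIG_ALG_NAMES.get(oid, oid), "subject": _decode_dn(subject),
            "issuer": _decode_dn(issuer), "self_signed": issuer == subject}  # DER is canonical

def cleanup_commands(der, wallet):
    """orapki removals the procedure prescribes when the certificate is MD5-signed."""
    info = inspect_certificate(der)
    if info["signature_algorithm"] != "md5WithRSAEncryption":
        return []
    # self-signed: trusted list, user list and the matching request; CA-signed: the user list
    kinds = ["-trusted_cert", "-user_cert", "-cert_req"] if info["self_signed"] else ["-user_cert"]
    return [f"orapki wallet remove -wallet {wallet} -dn '{info['subject']}' {k} -auto_login_only"
            for k in kinds]

# ---- constructed sample certificates (structure only; not real certificates) ----
def _tlv(tag, content):
    n, k = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag, n]) + content if n < 128 else bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a := a >> 7:
            chunks.insert(0, (a & 0x7F) | 0x80)
        body += bytes(chunks)
    return _tlv(0x06, bytes(body))

def _name(*rdns):  # (type, value) pairs given root-first, e.g. ("O", "x"), ("CN", "y")
    oids = {v: k for k, v in ATTR_NAMES.items()}
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _oid(oids[t]) + _tlv(0x0C, v.encode())))
                               for t, v in rdns))

def build_sample_cert(sig_oid, issuer, subject):
    alg = _tlv(0x30, _oid(sig_oid) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + issuer + validity + subject + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(16)))  # bogus signature bytes

ORG, HOST = ("O", "FOR TESTING ONLY"), ("CN", "localhost")
MD5_SELF_SIGNED = build_sample_cert("1.2.840.113549.1.1.4", _name(ORG, HOST), _name(ORG, HOST))
SHA256_CA_SIGNED = build_sample_cert("1.2.840.113549.1.1.11", _name(ORG, ("OU", "O"), ("CN", "im_ca")), _name(ORG, HOST))
```

For a real wallet, export each user and trusted certificate with orapki wallet export, pass pem_to_der(open(path).read()) to inspect_certificate, and run the commands that cleanup_commands returns; a CA-signed MD5 certificate that sits in the trusted list (an old intermediate or root) is removed the same way with -trusted_cert, as in step 4 of the procedure. The script compares issuer and subject as raw DER bytes, which is sufficient because DER encoding is canonical.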

Using Certificates Signed with RSASSA-PSS Signature Algorithm

Certificates signed with the RSASSA-PSS signature algorithm are supported in the Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins. RSASSA-PSS is the probabilistic RSA signature scheme defined in PKCS#1 v2.1 (RFC 8017); unlike the older deterministic PKCS#1 v1.5 padding it has a security proof, and TLS 1.3 requires it for the RSA signatures made during the handshake.

Certificates signed with RSASSA-PSS signature algorithm and private keys generated using the RSASSA-PSS algorithm can be deployed when using TLSv1.3 for communication between the web server and the back-end Oracle WebLogic Server. The minimum JDK version required for this is Oracle JDK 11.0.9 or Oracle JDK 8u261-b12. The SunPKCS11 provider in these versions of JDK has been updated with the support for PKCS#11 v2.40. This version adds support for RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

With Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins, you can configure an RSA certificate with a signature algorithm of RSASSA-PSS as a user certificate for the Apache Web Server. You can then use this certificate to function as a client certificate when the Oracle WebLogic Server requires one for client authentication.

If you have configured Oracle WebLogic Server to use a certificate with RSASSA-PSS signature, the Oracle WebLogic Server 14.1.1.0.0 Proxy Plug-ins support such certificates during an SSL handshake.

Configuring Perimeter Authentication

Use perimeter authentication to secure Oracle WebLogic Server applications that are accessed by using the proxy plug-in.

A WebLogic Identity Assertion Provider authenticates tokens from outside systems that access your Oracle WebLogic Server application, including users who access your Oracle WebLogic Server application through the proxy plug-in. Create an Identity Assertion Provider that will safely secure your proxy plug-in as follows:

  1. Create a custom Identity Assertion Provider on your Oracle WebLogic Server application. See How to Develop a Custom Identity Assertion Provider in Developing Security Providers for Oracle WebLogic Server.
  2. Configure the custom Identity Assertion Provider to support the Cert token type and make Cert the active token type. See How to Create New Token Types in Developing Security Providers for Oracle WebLogic Server.
  3. Set clientCertProxy to True in the web.xml deployment descriptor file for the Web application (or, if using a cluster, optionally set the Client Cert Proxy Enabled attribute to true for the whole cluster on the Administration Console Cluster then Configuration then General tab).

    The clientCertProxy attribute can be used with a third party proxy server, such as a load balancer or an SSL accelerator, to enable 2-way SSL authentication. For more information about the clientCertProxy attribute, see context-param in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.

  4. Once you have set clientCertProxy, be sure to use a connection filter to ensure that Oracle WebLogic Server accepts connections only from the machine on which the proxy plug-in is running. With clientCertProxy enabled, Oracle WebLogic Server trusts the client certificate that the proxy plug-in forwards in the WL-Proxy-Client-Cert HTTP header; any client that can reach the server directly could send a forged header and be asserted as an arbitrary user, so the connection filter is what keeps that header trustworthy. See Using Network Connection Filters in Developing Applications with the WebLogic Security Service.
  5. The Oracle WebLogic Server Proxy Plug-ins require a trusted Certificate Authority file to use SSL between the proxy plug-in and Oracle WebLogic Server. See Using SSL with Proxy Plug-Ins for the steps you need to perform to configure SSL.

See Identity Assertion Providers in Developing Security Providers for Oracle WebLogic Server.
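The connection filter required in step 4 is what stops a client that bypasses the proxy from forging the forwarded certificate header. As an added example that is not part of the Oracle documentation, the following rule set for the default filter class weblogic.security.net.ConnectionFilterImpl admits HTTPS only from the web server that runs the proxy plug-in and T3S/HTTPS from an administration subnet, and denies everything else. The addresses 10.0.0.5 and 10.0.9.0/255.255.255.0 and the SSL listen port 7002 are assumptions for this example. Each rule has the form target localAddress localPort action protocols; rules are evaluated in order and the first match wins.

```text
10.0.0.5                 *   7002   allow   https
10.0.9.0/255.255.255.0   *   *      allow   t3s https
0.0.0.0/0                *   *      deny
```

Enter the class name in the Connection Filter field and these rules in the Connection Filter Rules field on the domain's Security > Filter page of the Administration Console, then restart the servers. A connection that matches no rule is allowed, so the final deny-all rule is required; without it the first two rules only document the intended policy and do not enforce it.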