27 Configuring SSL
Note:
Oracle WebCenter Portal has deprecated the support for Jive features (announcements and discussions). If you have upgraded from a prior release to Release 12c (12.2.1.4.0), Jive features remain available in your upgraded instance, but Oracle support is not provided for these features. In the next release, Jive features will not be available even in upgraded instances.
Permissions:
To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.
See also Understanding Administrative Operations, Roles, and Tools.
Note:
The following can use WS-Security with message protection, and consequently have no hard requirement for SSL:
- BPEL servers - Oracle BPM Worklist
- WSRP Producers
- Discussions and announcements
Topics:
- Securing the Browser Connection to WebCenter Portal using SSL
- Securing the Connection from Oracle HTTP Server to WebCenter Portal with SSL
- Securing the WebCenter Portal Connection to Portlet Producers with SSL
- Securing the WebCenter Portal Connection to the LDAP Identity Store
- Securing the WebCenter Portal Connection to IMAP and SMTP with SSL
- Securing the WebCenter Portal Connection to an External BPEL Server with SSL
- Securing the WebCenter Portal Connection to Content Server with SSL
27.1 Securing the Browser Connection to WebCenter Portal using SSL
This section presents an overview of how to configure the Oracle Platform Security Services (OPSS) Keystore Service for use with WebCenter Portal. Fusion Middleware Control can also be used for this, but this document covers only the WLST procedure.
Note:
The default Java Keystore Service (JKS) has been replaced with the Oracle Platform Security Services (OPSS) Keystore Service. Use WC_Portal as the server and OPSS as the keystore service.
For detailed information and step-by-step instructions to configure SSL in the WebLogic Server environment, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.
The OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. The OPSS Keystore Service makes using certificates and keys easier by providing central management and storage of keys and certificates for all servers in a domain. You use the OPSS Keystore Service to create and maintain keystores of type KSS.
Securing the browser connection to WebCenter Portal with SSL consists of the following steps:
27.1.1 Creating the Custom Keystore
The first step is to generate a custom keystore for WebCenter Portal.
To configure the Keystore Service:
27.1.2 Configuring the Custom Identity and Custom Trust Keystores
For an overview of how to configure the Identity and Trust keystores, see Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps in Administering Security for Oracle WebLogic Server.
The next step is to configure the Custom Identity and Custom Trust keystores on the WebCenter Portal server.
To configure the identity and trust keystores:
27.1.3 Configuring the SSL Connection
For an overview of how to configure the SSL connection, see Specifying a Client Certificate for an Outbound Two-Way SSL Connection in Administering Security for Oracle WebLogic Server.
To configure the SSL Connection:
27.2 Securing the Connection from Oracle HTTP Server to WebCenter Portal with SSL
Securing the connection between the Oracle HTTP Server (OHS) and WebCenter Portal is described in the following sections:
27.2.1 Wiring the WebCenter Portal Ports to the HTTP Server
To wire the WebCenter Portal ports to the HTTP server:
27.3 Securing the Browser Connection to Discussions with SSL
Securing the browser connection to discussions with SSL is described in the following sections:
27.3.1 Creating the Custom Keystore for Discussions
The first step in securing the connection to Discussions is to generate a custom keystore as shown below:
- Connect to WebLogic Server using the WLST console:
  connect('weblogic','password','host:port')
- Get the OPSS service reference:
  svc = getOpssService(name='KeyStoreService')
- Create a new keystore:
  Note:
  Create the keystore in the system stripe, and the permission must be set to false.
  svc.createKeyStore(appStripe='system', name='collab_wls', password='password', permission=false)
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe in which the keystore is created
  - name = the name of the keystore
  - password = password of the keystore
  - permission = true if keystore is protected by permission only; false if protected by both permission and password
- Generate a key pair:
  svc.generateKeyPair(appStripe='system', name='collab_wls', password='password', dn='cn=collabidentity,dc=example,dc=com', keysize='2048', alias='collab_wls', keypassword='welcome1')
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe containing the keystore
  - name = the name of the keystore where the key pair is generated
  - password = password of the keystore
  - dn = the distinguished name of the certificate wrapping the key pair
  - keysize = the key size
  - alias = the alias of the key pair entry
  - keypassword = the key password
- Optionally, list the keystores and the aliases inside the keystore:
  svc.listKeyStores(appStripe='*')
  This will list system/collab_wls.
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe whose keystores are listed
  Enter:
  svc.listKeyStoreAliases(appStripe="system",name="collab_wls", password="password", type="*")
  This will list the alias collab_wls.
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe containing the keystore
  - name = the name of the keystore
  - password = password of the keystore
  - type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'
- Run syncKeyStores:
  syncKeyStores(appStripe='system', keystoreFormat='KSS')
27.3.2 Configuring the Identity and Trust Keystore for Discussions
The next step is to configure the Custom Identity and Custom Trust keystores on the WebCenter Collaboration server.
To configure the identity and trust keystores for discussions:
27.4 Securing the WebCenter Portal Connection to Portlet Producers with SSL
Securing the connection to WSRP with SSL is described in the following sections:
27.4.1 Creating the Custom Keystores for Portlet Producers
The following steps are required to configure the WebCenter Portlet server with SSL using the KSS keystore:
- Connect to WebLogic Server using the WLST console:
  connect('weblogic','password','host:port')
- Get the OPSS service reference:
  svc = getOpssService(name='KeyStoreService')
- Create a new keystore:
  Note:
  Create the keystore in the system stripe, and the permission must be false.
  svc.createKeyStore(appStripe='system', name='portlet_wls', password='password', permission=false)
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe in which the keystore is created
  - name = the name of the keystore
  - password = password of the keystore
  - permission = false if protected by both permission and password (true if keystore is protected by permission only)
- Generate a key pair:
  svc.generateKeyPair(appStripe='system', name='portlet_wls', password='password', dn='cn=customidentity,dc=example,dc=com', keysize='2048', alias='portlet_wls', keypassword='password')
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe containing the keystore
  - name = the name of the keystore where the key pair is generated
  - password = password of the keystore
  - dn = the distinguished name of the certificate wrapping the key pair
  - keysize = the key size
  - alias = the alias of the key pair entry
  - keypassword = the key password
- Optionally, list the keystores and the aliases inside the keystore:
  svc.listKeyStores(appStripe='*')
  This will list system/portlet_wls.
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe whose keystores are listed
  svc.listKeyStoreAliases(appStripe="system",name="portlet_wls", password="password", type="*")
  This will list the alias portlet_wls.
  where:
  - svc = the service command object obtained through a call to getOpssService()
  - appStripe = the name of the stripe containing the keystore
  - name = the name of the keystore
  - password = password of the keystore
  - type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'
- Run syncKeyStores:
  syncKeyStores(appStripe='system', keystoreFormat='KSS')
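The keystore procedures for the Discussions server (Creating the Custom Keystore for Discussions) and for the Portlet server (Creating the Custom Keystores for Portlet Producers) are the same sequence of Keystore Service calls with different names. The following WLST script is an added example, not code from this guide or from Oracle: it runs that sequence from a handful of parameters so both servers are set up identically, and wraps the session in try/finally so the WLST connection is always closed. The admin credentials, admin URL, passwords and DN below are constructed placeholders; the Keystore Service calls themselves are the ones documented above.

```wlst
# Added example (not from the Oracle documentation). Runs the keystore steps of
# "Creating the Custom Keystore for Discussions" / "Creating the Custom Keystores
# for Portlet Producers" from parameters. All values below are placeholders.

ADMIN_USER = 'weblogic'
ADMIN_PASS = 'password'                 # placeholder; read from a secure source in practice
ADMIN_URL  = 't3://host:port'           # placeholder admin server URL
STRIPE     = 'system'                   # the guide requires the system stripe
KEYSTORE   = 'portlet_wls'              # use 'collab_wls' for the Discussions server
KS_PASS    = 'password'                 # keystore password (placeholder)
ALIAS      = KEYSTORE                   # private key alias entered later on the server's SSL tab
KEY_PASS   = 'welcome1'                 # private key password (placeholder)
DN         = 'cn=customidentity,dc=example,dc=com'   # constructed DN

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
try:
    svc = getOpssService(name='KeyStoreService')

    # permission=false: the keystore is protected by its password as well as by
    # code-source permission, which is what the guide requires for these keystores.
    svc.createKeyStore(appStripe=STRIPE, name=KEYSTORE, password=KS_PASS, permission=false)

    # 2048-bit key pair wrapped in a self-signed certificate carrying DN.
    svc.generateKeyPair(appStripe=STRIPE, name=KEYSTORE, password=KS_PASS, dn=DN,
                        keysize='2048', alias=ALIAS, keypassword=KEY_PASS)

    # Inventory check: the printed output must show STRIPE/KEYSTORE and the alias
    # before the keystore is referenced as kss://system/<KEYSTORE> on the server.
    svc.listKeyStores(appStripe=STRIPE)
    svc.listKeyStoreAliases(appStripe=STRIPE, name=KEYSTORE, password=KS_PASS, type='Certificate')

    # Synchronize the KSS keystores so the managed servers in the domain see the new entry.
    syncKeyStores(appStripe=STRIPE, keystoreFormat='KSS')
finally:
    disconnect()
```

Run it once per server, changing KEYSTORE (and DN, if the certificate subject should differ) between runs; the alias and key password chosen here are the values entered on the SSL tab in the next section.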
27.4.2 Configuring the Identity and Trust Keystores for Portlet Producers
The next step is to configure the Custom Identity and Trust Keystores for the WebCenter Portlet server (for example, WC_Portlet).
For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL.
To configure the identity and trust keystores for the Portlet server:
- Log in to the WebLogic Server Administration Console.
  For information on logging into the WebLogic Server Administration Console, see Oracle WebLogic Server Administration Console.
- In the Domain Structure pane, expand Environment and click Servers.
  The Summary of Servers pane displays.
- Click the WebCenter Portlet server (for example, WC_Portlet) to configure the identity and trust keystores.
  The Settings pane for the Portlet server displays.
- Open the Configuration tab, and then the Keystores subtab.
  The Keystores pane displays.
- Click Change.
- For Keystores, select Custom Identity and Custom Trust, and click Save.
- Under Identity, enter the path and filename of the Custom Identity Keystore you created in Creating the Custom Keystores for Portlet Producers: kss://system/portlet_wls
- Enter KSS as the Custom Identity Keystore Type.
- Enter and confirm your custom identity keystore password (for example, welcome1).
- Under Trust, set the Custom Trust Keystore to kss://system/trust and click Save.
- Enter KSS as the Custom Trust Keystore Type, and enter and confirm your custom trust keystore password, then click Save.
- Open the SSL tab.
- Enter the private key alias (for example, portlet_wls), and set the private key password (for example, welcome1).
- Click Save to save your entries.
27.4.3 Configuring the SSL Connection for Portlet Producers
To configure SSL, see Overview of Configuring SSL in WebLogic Server in the Administering Security for Oracle WebLogic Server guide.
To configure the SSL connection for Portlet Server:
27.4.4 Registering the SSL-enabled WSRP Producer and Running the Portlets
Configure the WC_Portal managed server to register portlets with WebCenter Portal. This also uses the certificates in the JAVA_HOME trust store (/jdk/jre/lib/security/cacerts).
To register the SSL-enabled WSRP producer and run the portlets:
27.5 Securing the WebCenter Portal Connection to the LDAP Identity Store
To configure the LDAP server port for SSL, refer to the appropriate administration documentation for the LDAP server. For Oracle Internet Directory (OID), an SSL port is installed by default. To use this port for LDAP communication from WebCenter Portal, the identity store should be configured for authentication with the appropriate authenticator. See Configuring the Identity Store for the steps to do this for the identity store.
If the CA is unknown to the Oracle WebLogic server, complete the additional step described in the following subsection:
27.5.1 Exporting the OID Certificate Authority (CA)
The following topics describe how to secure the WebCenter Portal connection to OID:
27.5.1.1 Enabling the SSL in OID
Note:
OID should be configured in the server auth mode.
27.6 Securing the WebCenter Portal Connection to IMAP and SMTP with SSL
Before reconfiguring the mail server connection, you must first import the certificate into the trust store. Follow the steps below to put the certificate in the trust store and configure WebCenter Portal to use the trust store.
To secure the WebCenter Portal connection to IMAP and SMTP with SSL:
27.7 Securing the WebCenter Portal Connection to an External BPEL Server with SSL
This section describes how to secure the WebCenter Portal connection to a BPEL server when the BPEL server resides in an external SOA domain.
Note:
When SOA is installed in an external domain, the Identity Asserter and Authenticator should be configured exactly as for WebCenter Portal. For more information on configuring the Identity Asserter and Authenticator for an external LDAP identity store, see Reassociating the Identity Store with an External LDAP Server.
To secure the WebCenter Portal connection to an external BPEL server with SSL:
27.8 Securing the WebCenter Portal Connection to Content Server with SSL
27.8.1 Configuring Content Server SSL for Socket SSL
To configure Content Server socket SSL, see Configuring SSL in Developing with Oracle WebCenter Content.
Note the following values from that configuration; they are needed when you create the Content Server connection in WebCenter Portal:
- serverPort (the Content Server SSL port)
- keystoreLocation - client_keystore
- keystorePassword - idcidc
- privateKeyAlias - SecureClient
- privateKeyPassword - idcidc
27.8.2 Creating Content Server SSL Connection in WebCenter Portal
Creating Socket SSL Connection
Create Content Server Connection in WebCenter Portal
- To create the Content Server connection, do the following:
  createContentServerConnection(appName='webcenter', name='dev-ucm', socketType='socketssl', serverHost='100.111.149.197', serverPort='3333', isPrimary='true', keystoreLocation='/scratch/patch-jars/ucm_keystore/client_keystore', keystorePassword='idcidc', privateKeyAlias='SecureClient', privateKeyPassword='idcidc')
  setContentServerProperties(appName='webcenter', portalServerIdentifier='/WCP01', securityGroup='WCP01', adminUserName='weblogic')
  Note:
  The serverPort must be the SSL port. For keystore configuration, see Configuring Content Server SSL for Socket SSL. The keystore location, passwords and aliases that you noted in the previous step are the values used when you create the Content Server connection with the WLST command. For createContentServerConnection details, see WebCenter Portal Custom WLST Commands in WebCenter WLST Command Reference and Managing Connections to Oracle WebCenter Content Server.
- Restart the Portal server.
- Now access the WebCenter Content RUI and test the documented use cases.
Creating JAX-WS SSL Connection
- Enter the Content Server URL https://host:port/cs in the Firefox browser. The certificate is presented when you access the URL and is stored in your browser.
- Download and store the certificate in .PEM or .CRT format.
- Import the certificate into cacerts in JDK_HOME, using the following command:
  keytool -importcert -alias collab_cert -file /filepath/sslcertificate/contentcert.crt -keystore ..../oracle_common/jdk/jre/lib/security/cacerts
- Enter the password changeit when asked, then enter YES.
Creating Content Server Connection in WebCenter Portal
- To create the Content Server connection, do the following:
  createContentServerConnection(appName='webcenter', name='dev-ucm', socketType='jaxws', url='https://<ucm_host>:<sslPort>/idcnativews', clientSecurityPolicy='oracle/wss10_saml_token_client_policy', adminUsername='weblogic', isPrimary='true')
  setContentServerProperties(appName='webcenter', portalServerIdentifier='/WCP01', securityGroup='WCP01', adminUserName='weblogic')
  Note:
  The URL must be the https URL of WebCenter Content.
- Restart the Portal server.
- Now access the WebCenter Content RUI and test the documented use cases.
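Both connection types above carry a requirement that WLST does not check for you: the socket SSL connection needs a readable client keystore and the SSL port, and the JAX-WS connection needs the https URL of WebCenter Content. The following WLST script is an added example, not code from this guide or from Oracle: it validates those inputs before calling createContentServerConnection and setContentServerProperties with the parameter names used above. The host, port, paths, passwords and admin URL are constructed placeholders; the keystore-file check assumes WLST runs on the host where the keystore file lives.

```wlst
# Added example (not from the Oracle documentation): pre-flight checks before
# creating the Content Server connection. All concrete values are placeholders.
import os

APP       = 'webcenter'
CONN_NAME = 'dev-ucm'
MODE      = 'socketssl'          # or 'jaxws'

# Values noted in "Configuring Content Server SSL for Socket SSL" (placeholders)
SOCKET = {
    'serverHost': 'ucm.example.com',
    'serverPort': '3333',                   # must be the Content Server SSL port
    'keystoreLocation': '/path/to/client_keystore',
    'keystorePassword': 'idcidc',
    'privateKeyAlias': 'SecureClient',
    'privateKeyPassword': 'idcidc',
}
JAXWS_URL = 'https://ucm.example.com:16201/idcnativews'   # placeholder host and port

def check_socket_inputs(p):
    # A wrong keystore path only surfaces when the first document request fails;
    # fail here instead. Assumes the file is visible from the host running WLST.
    if not os.path.isfile(p['keystoreLocation']):
        raise ValueError('keystore not found: ' + p['keystoreLocation'])
    if not p['serverPort'].isdigit():
        raise ValueError('serverPort must be numeric: ' + p['serverPort'])

def check_jaxws_url(url):
    # The guide requires the https URL; a plain http URL would carry the SAML
    # token and document traffic without transport protection.
    if not url.lower().startswith('https://'):
        raise ValueError('Content Server URL must use https: ' + url)

connect('weblogic', 'password', 't3://host:port')    # placeholder credentials and URL
try:
    if MODE == 'socketssl':
        check_socket_inputs(SOCKET)
        createContentServerConnection(appName=APP, name=CONN_NAME, socketType='socketssl',
            serverHost=SOCKET['serverHost'], serverPort=SOCKET['serverPort'], isPrimary='true',
            keystoreLocation=SOCKET['keystoreLocation'], keystorePassword=SOCKET['keystorePassword'],
            privateKeyAlias=SOCKET['privateKeyAlias'], privateKeyPassword=SOCKET['privateKeyPassword'])
    else:
        check_jaxws_url(JAXWS_URL)
        createContentServerConnection(appName=APP, name=CONN_NAME, socketType='jaxws',
            url=JAXWS_URL, clientSecurityPolicy='oracle/wss10_saml_token_client_policy',
            adminUsername='weblogic', isPrimary='true')
    setContentServerProperties(appName=APP, portalServerIdentifier='/WCP01',
                               securityGroup='WCP01', adminUserName='weblogic')
finally:
    disconnect()
```

After the script completes, restart the Portal server as the steps above require; the checks only cover what can be verified before the connection exists, so the RUI test in the last step is still the confirmation that the SSL connection works end to end.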