11.3 Configuring SSL/TLS Between Oracle Traffic Director and Origin Servers

This section describes how to use SSL/TLS to secure connections between Oracle Traffic Director instances and origin servers that are Oracle WebLogic Server and Oracle HTTP Server instances. It contains the following topics:

  • Section 11.3.1, "About One-Way and Two-Way SSL/TLS"

  • Section 11.3.2, "Configuring One-Way SSL/TLS Between Oracle Traffic Director and Origin Servers"

  • Section 11.3.3, "Configuring Two-Way SSL/TLS Between Oracle Traffic Director and Origin Servers"

11.3.1 About One-Way and Two-Way SSL/TLS

The connections between Oracle Traffic Director and origin servers in the back end can be secured using one-way or two-way SSL/TLS.

  • One-way SSL/TLS: The SSL/TLS-enabled origin server presents its certificate to the Oracle Traffic Director instance. The Oracle Traffic Director instance is not configured to present any certificate to the origin server during the SSL/TLS handshake.

  • Two-way SSL/TLS: The SSL/TLS-enabled origin server presents its certificate to the Oracle Traffic Director instance. The Oracle Traffic Director instance too presents its own certificate to the origin server. The origin server verifies the identity of the Oracle Traffic Director instance before establishing the SSL/TLS connection. Additionally, either end of the SSL/TLS connection—Oracle Traffic Director and/or origin servers—can be configured to verify the host name while exchanging certificates.

11.3.2 Configuring One-Way SSL/TLS Between Oracle Traffic Director and Origin Servers

To configure one-way SSL/TLS between Oracle Traffic Director and origin servers, you must export the origin servers' certificates in PKCS#12 format, install them in the certificate database of Oracle Traffic Director, and, optionally, configure Oracle Traffic Director to trust the certificates.

Note:

  • The procedure described in this section is for a scenario where all of the servers in the origin-server pool use certificates issued by the same CA. In such a scenario, you can configure one-way SSL/TLS by importing just the root certificate of the CA that signed the certificates for the origin servers into the certificates database of Oracle Traffic Director.

  • If the origin servers use self-signed certificates or certificates issued by different CAs, you should individually export and import each of the server certificates or the individual root certificates of the CAs that signed the server certificates.

  • If the WebLogic Server Plug-In Enabled attribute, which can be accessed using the WebLogic Server administration console, is set to true and Oracle Traffic Director terminates an SSL connection, Oracle Traffic Director communicates the certificate information to the applications deployed on the WebLogic Server. An application can then validate specific information in the certificate, such as key size or cipher, before allowing the clients to access the application.

  1. Export the root certificate of the CA that issued certificates to the origin servers into the PKCS#12 format.

    • For Oracle WebLogic Server origin servers:

      Use the keytool command available in Java SE 6.

      Syntax:

      > $JAVA_HOME/bin/keytool -exportcert -alias alias -file file -keystore keystore -storepass storepass -rfc
      

      alias is the nickname of the certificate to be exported, file is the name for the exported certificate, keystore is the name of the custom Oracle WebLogic Server identity store file, and storepass is the password for the specified keystore.

      Example:

      > $JAVA_HOME/bin/keytool -exportcert -alias wlsos1 -file wls_os_cert
       -keystore $DOMAIN_HOME/soa_domain/soa_keystore.jks -storepass stpass -rfc
      

      For more information about keytool, see the documentation at:

      http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

    • For Oracle HTTP Server origin servers:

      Use the exportWalletObject WebLogic Scripting Tool (WLST) command.

      Syntax:

      exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
      

      Example:

      > exportWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'Certificate', '/tmp','cn=soa.example.com')
      

      This command exports the certificate with the DN cn=soa.example.com from the wallet wallet1, for Oracle HTTP Server instance ohs1. The trusted certificate is exported to the directory /tmp.

      For more information about the exportWalletObject command, see the documentation at http://docs.oracle.com/cd/E21764_01/web.1111/e13813/custom_infra_security.htm#CDDFDHDH.

  2. Install the root certificate, which you just exported, in the certificates database of Oracle Traffic Director by using the install-cert CLI command.

    Note:

    For information about installing a certificate using the Administration Console, see Section 11.4.3, "Installing a Self-signed or CA-signed Certificate Using the Administration Console."

    Syntax:

    tadm> install-cert --config=config_name --token=name --cert-type=ca --nickname=nickname cert_file
    

    Example:

    tadm> install-cert --config=soa --token=internal --cert-type=ca --nickname=Server-Cert os_cert
    

    Note:

    If the origin servers use self-signed certificates or certificates issued by different CAs, do the following instead of steps 1 and 2:
    1. Export each server certificate, or each root certificate of the CAs that signed the server certificates, individually, by using the same commands used in step 1.

    2. Install each certificate, which you exported in the previous step, in the certificates database of Oracle Traffic Director, by using the install-cert CLI command, as described in step 2 but with --cert-type=server.

    3. Configure Oracle Traffic Director to trust each of the origin servers' certificates, as described in Section 11.4.7, "Configuring Oracle Traffic Director to Trust Certificates."

  3. If required, configure Oracle Traffic Director to verify the host name in the origin server's certificate by using the set-route-prop CLI command.

    Syntax:

    tadm> set-route-prop --config=config_name  --vs=vs_name --route=route_name validate-server-cert=true
    

    Example:

    tadm> set-route-prop --config=soa  --vs=vs1 --route=route1 validate-server-cert=true
    

    To view a list of the virtual servers in a configuration and the routes defined for a virtual server, use the list-virtual-servers and list-routes CLI commands, respectively.

    Note:

    If you choose to configure Oracle Traffic Director to validate the host name in the origin server's certificate during the SSL/TLS handshake, then you must do the following:

    Otherwise, when the origin server presents its certificate, Oracle Traffic Director cannot validate the host name in the certificate, and so the SSL/TLS handshake will fail.

  4. Deploy the updated configuration to the Oracle Traffic Director instances by using the deploy-config CLI command.

    tadm> deploy-config config_name
    

Note:

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.
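A preflight check for step 3, added here as an example and not part of the Oracle documentation: before setting validate-server-cert=true on a route, confirm that the origin server's certificate actually names the host the route connects to, since the handshake fails otherwise. The script assumes the openssl CLI (1.1.1 or later) is available to read the exported PEM certificate; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle Traffic Director documentation: a preflight
# for step 3. Before setting validate-server-cert=true on a route, confirm that the
# host name the route connects to is covered by the origin server's certificate
# (exact match, or a *.example.com wildcard covering exactly one leftmost label).
# Assumes the openssl CLI (1.1.1 or later, for -ext) to read the PEM file.

# name_matches PATTERN HOST: succeed if the certificate name PATTERN covers HOST.
name_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pattern" in
    '*.'*)
      suffix=${pattern#\*}        # e.g. ".example.com"
      label=${host%"$suffix"}     # the part the wildcard would have to cover
      # host must end with the suffix and leave exactly one non-empty label
      [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] ;;
    *) [ "$pattern" = "$host" ] ;;
  esac
}

# host_covered HOST NAME...: succeed if any NAME covers HOST.
host_covered() {
  host=$1; shift
  for name in "$@"; do name_matches "$name" "$host" && return 0; done
  return 1
}

# cert_dns_names CERT.pem: print the subjectAltName DNS entries, then the subject
# CN (older certificates carry only a CN).
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_route_cert ORIGIN_HOST CERT.pem: succeed only when the certificate names
# ORIGIN_HOST, i.e. when validate-server-cert=true will not break the handshake.
check_route_cert() {
  names=$(cert_dns_names "$2")
  # word-splitting of $names is intended: one certificate name per argument
  if host_covered "$1" $names; then
    echo "OK: $2 covers $1; validate-server-cert=true is safe for this route"
  else
    echo "FAIL: $2 does not name $1 (names:$(printf ' %s' $names))" >&2
    return 1
  fi
}
if [ $# -eq 2 ]; then check_route_cert "$1" "$2"; fi   # sh check.sh HOST CERT.pem
```

Run it against the same certificate file you installed in step 2 and the origin server host configured on the route; a FAIL means the route would stop serving requests once validate-server-cert=true is deployed.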

11.3.3 Configuring Two-Way SSL/TLS Between Oracle Traffic Director and Origin Servers

To configure two-way SSL/TLS between Oracle Traffic Director and origin servers, do the following:

Note:

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.

  1. Perform the procedure for configuring one-way SSL/TLS, as described in Section 11.3.2, "Configuring One-Way SSL/TLS Between Oracle Traffic Director and Origin Servers."

  2. Obtain a CA-issued server certificate for Oracle Traffic Director, as described in Section 11.4.2, "Obtaining a CA-Signed Certificate."

  3. Install the CA-issued server certificate in the Oracle Traffic Director configuration, as described in Section 11.4.3, "Installing a Certificate."

  4. Configure the required Oracle Traffic Director route with the certificate that Oracle Traffic Director should present to the origin server, by using the enable-route-auth CLI command.

    Syntax:

    tadm> enable-route-auth --config=config_name --vs=vs_name --route=route_name --client-cert-nickname=cert_nickname
    

    Example:

    tadm> enable-route-auth --config=soa --vs=vs1 --route=route1 --client-cert-nickname=soa_cert
    

    To view a list of the virtual servers in a configuration and the routes defined for a virtual server, use the list-virtual-servers and list-routes CLI commands, respectively.

  5. Deploy the updated configuration to the Oracle Traffic Director instances by using the deploy-config CLI command.

    tadm> deploy-config config_name
    

  6. Export the root certificate of the CA that signed the certificate for the Oracle Traffic Director instance, from the Oracle Traffic Director certificates database to the .pem format.

    Syntax:

    > $ORACLE_HOME/bin/certutil -L -d certdir -n nickname -a -o output_cert_file
    

    certdir is the full path to the config directory of the Oracle Traffic Director instance from which you want to export the root CA certificate, nickname is the nickname of the certificate that you want to export, and output_cert_file is the name of the .pem file to which the certificate should be exported.

    Example:

    > $ORACLE_HOME/bin/certutil -L -d ../net-test/config/ -n rootca -a -o /tmp/rootca1.pem
    

    For more information about the certutil command, run the following command:

    > $ORACLE_HOME/bin/certutil -H
    

  7. Import the root certificate that you exported in the previous step into the trust keystore for the Oracle WebLogic Server origin servers (and the Oracle wallet for Oracle HTTP Server origin servers).

    • For Oracle WebLogic Server origin servers:

      Use the keytool command available in Java SE 6.

      Syntax:

      > $JAVA_HOME/bin/keytool -importcert -v -trustcacerts -alias alias
       -file cert_file -keystore keystore_file -storepass keystore_password
       -noprompt
      

      alias is the nickname under which the root CA certificate exported in the previous step is stored, cert_file is the name of the exported .pem certificate file, keystore_file is the name of the custom Oracle WebLogic Server identity store file, and keystore_password is the password for the specified keystore.

      Example:

      > $JAVA_HOME/bin/keytool -importcert -v -trustcacerts -alias rootca1
       -file /tmp/rootca1.pem -keystore $DOMAIN_HOME/soa_domain/soa_keystore.jks
       -storepass stpass -noprompt
      

      For more information about keytool, see the documentation at:

      http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

    • For Oracle HTTP Server origin servers:

      Use the importWalletObject WLST command.

      Syntax:

      importWalletObject(instName, compName, compType, walletName, password, type, filePath)
      

      Example:

      > importWalletObject('inst1', 'ohs1', 'ohs','wallet1', 'password', 'TrustedCertificate','/tmp/rootca1.pem')
      

      For more information about the importWalletObject command, see the documentation at http://docs.oracle.com/cd/E21764_01/web.1111/e13813/custom_infra_security.htm#CDDGIBEJ.

  8. Configure the origin servers to require Oracle Traffic Director to present its client certificate during the SSL/TLS handshake.