This chapter includes the following topics:
Securing the Browser Connection to WebCenter Portal using SSL
Securing the Connection from Oracle HTTP Server to WebCenter Portal with SSL
Securing the WebCenter Portal Connection to Portlet Producers with SSL
Securing the WebCenter Portal Connection to the LDAP Identity Store
Securing the WebCenter Portal Connection to Content Server with SSL
Securing the WebCenter Portal Connection to IMAP and SMTP with SSL
Securing the WebCenter Portal Connection to an External BPEL Server with SSL
Note:
The following can use WS-Security with message protection, and consequently have no hard requirement for SSL:
BPEL servers - Oracle BPM Worklist
WSRP Producers
Discussions and announcements
Permissions
To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.
See also Understanding Administrative Operations, Roles, and Tools.
This section presents an overview of how to configure the Oracle Platform Security Services (OPSS) Keystore Service for use with WebCenter Portal. It is possible to use Fusion Middleware Control as well for this, but the scope of this document is restricted to usage of WLST.
Note:
The default Java Keystore Service (JKS) has been replaced with the Oracle Platform Security Services (OPSS) Keystore Service. Use WC_Portal as the server and OPSS as the keystore service.
For detailed information and step-by-step instructions to configure SSL in the WebLogic Server environment, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.
The OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. The OPSS Keystore Service makes using certificates and keys easier by providing central management and storage of keys and certificates for all servers in a domain. You use the OPSS Keystore Service to create and maintain keystores of type KSS.
Securing the browser connection to WebCenter Portal with SSL consists of the following steps:
Note:
An overview of the configuration process is described in this section. For detailed information and step-by-step instructions, see Configuring SSL with Keystore Service in Securing Applications with Oracle Platform Security Services.
The first step is to generate a custom keystore for WebCenter Portal.
To configure the Keystore Service:
For an overview of how to configure the Identity and Trust keystores, see Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps in Administering Security for Oracle WebLogic Server 12c (12.2.1).
The next step is to configure the Custom Identity and Custom Trust keystores on the WebCenter Portal server.
To configure the identity and trust keystores:
For an overview to configure the SSL connection, see Specifying a Client Certificate for an Outbound Two-Way SSL Connection in Administering Security for Oracle WebLogic Server 12c (12.2.1).
To configure the SSL Connection:
Securing the connection between the Oracle HTTP Server (OHS) and WebCenter Portal is described in the following sections:
To wire the WebCenter Portal ports to the HTTP server:
Securing the browser connection to discussions with SSL is described in the following sections:
The first step in securing the connection to Discussions is to generate a custom keystore as shown below:
Connect to WebLogic Server using the WLST console:
connect('weblogic','password','host:port')
Get OPSS service reference:
svc = getOpssService(name='KeyStoreService')
Create a new keystore:
Note:
Create the keystore in the system stripe; the permission argument must be set to false.
svc.createKeyStore(appStripe='system', name='collab_wls', password='password', permission=false)
where:
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe in which the keystore is created
name = the name of the keystore
password = password of the keystore
permission = true if the keystore is protected by permission only; false if protected by both permission and password
Generate a key pair (this uses the Keystore Service command, not keytool):
svc.generateKeyPair(appStripe='system', name='collab_wls', password='password', dn='cn=collabidentity,dc=example,dc=com', keysize='2048', alias='collab_wls', keypassword='welcome1')
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe containing the keystore
name = the name of the keystore where the key pair is generated
password = password of the keystore
dn = the distinguished name of the certificate wrapping the key pair
keysize = the key size
alias = the alias of the key pair entry
keypassword = the key password
Optionally, list the keystores and aliases inside the keystore:
svc.listKeyStores(appStripe='*')
This will list system/collab_wls.
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe whose keystores are listed
svc.listKeyStoreAliases(appStripe="system",name="collab_wls", password="password", type="*")
This will list the alias collab_wls.
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe containing the keystore
name = the name of the keystore
password = password of the keystore
type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'.
Run syncKeyStores:
syncKeyStores(appStripe='system', keystoreFormat='KSS')
The next step is to configure the Custom Identity and Custom Trust keystores on the WebCenter Collaboration server.
To configure the identity and trust keystores for discussions:
Securing the connection to WSRP with SSL is described in the following sections:
The following steps are required to configure WebCenter Portlet with SSL using the KSS keystore.
Connect to WebLogic Server using the WLST console:
connect('weblogic','password','host:port')
Get the OPSS service reference:
svc = getOpssService(name='KeyStoreService')
Create a new keystore:
Note:
Create the keystore in the system stripe; the permission argument must be false.
svc.createKeyStore(appStripe='system', name='portlet_wls', password='password', permission=false)
where:
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe in which the keystore is created
name = the name of the keystore
password = password of the keystore
permission = false if the keystore is protected by both permission and password (true if protected by permission only)
Generate a key pair:
svc.generateKeyPair(appStripe='system', name='portlet_wls', password='password', dn='cn=customidentity,dc=example,dc=com', keysize='2048', alias='portlet_wls', keypassword='password')
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe containing the keystore
name = the name of the keystore where the key pair is generated
password = password of the keystore
dn = the distinguished name of the certificate wrapping the key pair
keysize = the key size
alias = the alias of the key pair entry
keypassword = the key password
Optionally, list the keystores and aliases inside the keystore.
This will list system/portlet_wls:
svc.listKeyStores(appStripe='*')
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe whose keystores are listed
This will list the alias portlet_wls:
svc.listKeyStoreAliases(appStripe="system",name="portlet_wls", password="password", type="*")
svc = the service command object obtained through a call to getOpssService()
appStripe = the name of the stripe containing the keystore
name = the name of the keystore
password = password of the keystore
type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'.
Run syncKeyStores:
syncKeyStores(appStripe='system', keystoreFormat='KSS')
The next step is to configure the Custom Identity and Trust Keystores for the WebCenter Portlet server (for example, WC_Portlet).
For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL.
To configure the identity and trust keystores for the Portlet server:
Log in to the WebLogic Server Administration Console.
For information on logging into the WebLogic Server Administration Console, see Oracle WebLogic Server Administration Console.
In the Domain Structure pane, expand Environment and click Servers.
The Summary of Servers pane displays.
Click the WebCenter Portlet server (for example, WC_Portlet) to configure the identity and trust keystores.
The Settings pane for the Portlet server displays.
Open the Configuration tab, and then the Keystores subtab.
The Keystores pane displays.
Click Change.
For Keystores, select Custom Identity and Custom Trust, and click Save.
Under Identity, enter the path and filename of the Custom Identity Keystore you created in Creating the Custom Keystores for Portlet Producers: kss://system/portlet_wls.
Enter KSS as the Custom Identity Keystore Type.
Enter and confirm your custom identity keystore password (for example, welcome1).
Under Trust, set the Custom Trust Keystore to kss://system/trust and click Save.
Enter KSS as the Custom Trust Keystore Type, and enter and confirm your custom trust keystore password, then click Save.
Open the SSL tab.
Enter the private key alias (for example, portlet_wls), and set the private key password (for example, welcome1).
Click Save to save your entries.
Note:
For the Pagelet Producer, Custom Identity and Java Standard Trust keystore type should be used for SSL configuration. For more info on how to configure Java standard keystore (JKS), see Configuring Keystores in Administering Security for Oracle WebLogic Server 12c (12.2.1).
To configure SSL, see Overview of Configuring SSL in WebLogic server in Administering Security for Oracle WebLogic Server 12c (12.2.1) guide.
To configure the SSL connection for Portlet Server:
Configure the WC_Portal managed server to register portlets with WebCenter Portal. This also uses the certificates in the JAVA_HOME trust store (/jdk/jre/lib/security/cacerts).
To register the SSL-enabled WSRP producer and run the portlets:
To configure the LDAP server port for SSL, refer to the appropriate administration documentation for the LDAP server. For Oracle Internet Directory (OID), an SSL port is installed by default. To use this port for LDAP communication from WebCenter Portal, the identity store should be configured for authentication with the appropriate authenticator. See Configuring the Identity Store for the steps to do this for the identity store.
If the CA is unknown to the Oracle WebLogic server, complete the additional step described in the following subsection:
Secure the WebCenter Portal connection to OID in the following way:
Enable SSL in OID (note that OID needs to be configured in server auth mode).
Create an Oracle wallet:
<OID_INSTALL_LOC>/oracle_common/bin/orapki wallet create -wallet wal -auto_login
<OID_INSTALL_LOC>/oracle_common/bin/orapki wallet add-wallet wal -dn cn=any_alias -keysize 2048 -self_signed -validity 1000
Configure the SSL parameters by running ldapmodify with the following LDIF:
ldapmodify -h OID_host -p OID_port -D cn=OID_admin -w password
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclsslauthentication
orclsslauthentication: 32
-
replace: orclsslwalleturl
orclsslwalleturl: file://OID_install_LOC/wal
where
OID_install_LOC/wal = location where the wallet is created in step 1 (create a new directory or use the existing one)
cn = DN of the OID user having ldapmodify permissions
password = OID password
Restart the OID server.
Export the OID certificate:
<OID_INSTALL_LOC>/oracle_common/bin/orapki wallet export -wallet /OID_install_LOC/wal -dn "cn=any_alias" -cert oid_trust.cer
OID_install_LOC/wal = location where the wallet is created in step 1 (create a new directory or use the existing one)
Import the OID certificate into the WebLogic Server Trust Store:
keytool -importcert -v -trustcacerts -alias oid_server_trust -file oid_trust.cer -keystore cacerts -storepass changeit
The cacerts path can be retrieved as follows:
Log in to the WebCenter WebLogic console, navigate to Servers and click the WC_Portal server.
Click Configurations, then click the Keystores subtab.
Select Keystore Types as Demo Identity and Demo Trust.
Check the path mentioned in the Java Standard Trust Keystore; this is your cacerts path.
Note:
If you have configured your instance to use Custom Identity and Custom Trust, revert the changes made above, as they were done only for retrieving the cacerts path.
Restart all servers.
Configure OID with WLS: use the OID SSL host and port and select the option SSL Enabled.
Note:
When entering the Provider Specific information, be sure to specify an SSL port and to check the SSL Enabled checkbox.
Restart the WLS server and the managed servers.
Access WebCenter and log in using the OID user name. You should be able to log in.
If Content Server and the WebCenter Portal application in which you intend to create a repository connection are not on the same system or the same trusted private network, then identity propagation is not secure. To ensure secure identity propagation you must also configure SSL on Content Server.
Securing Content Server with SSL involves the following tasks:
In a production environment, Oracle recommends that you use only real certificates. For information about how to configure keystores when using real certificates, see Understanding Content Server Security Providers in Administering Oracle WebCenter Content.
For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL. For detailed information and step-by-step instructions, see Securing the Connection to WebCenter Portal using SSL in the Administering Security for Oracle WebLogic Server 12c (12.2.1) guide.
To configure a keystore on the (client) side:
For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL. For detailed information and step-by-step instructions, see Securing the Connection to WebCenter Portal using SSL in the Administering Security for Oracle WebLogic Server 12c (12.2.1) guide.
To configure a keystore on the Content Server side:
Before reconfiguring the mail server connection, you must first import the certificate into the trust store. Follow the steps below to put the certificate in the trust store and configure WebCenter Portal to use the trust store.
To secure the WebCenter Portal connection to IMAP and SMTP with SSL:
There are two scenarios in which you may want to configure SSL for SES: The first scenario is where WebCenter Portal has already been protected with SSL but SES has not; the second scenario is where SES has been protected with SSL, but WebCenter Portal has not. These two scenarios are described in the following subsections:
Note:
In this scenario, WebCenter Portal is already protected with SSL, but SES is not protected. Follow the steps below to secure SES with SSL.
Before registering the SES connection, you must first import the certificate into the trust store. Follow the steps below to put the certificate in the trust store and register the Oracle Secure Enterprise Search (SES) connection.
To download the certificate of the HTTPS URL and save it:
Configure SSL on the WebCenter side using the following certificate name:
cn=<myhost>
where <myhost> is the fully qualified name of the host where WebCenter is installed.
For more information about configuring SSL on WebCenter Portal, see Securing the Browser Connection to WebCenter Portal using SSL.
Export the WebCenter certificate in PEM format (i.e., <myhost>.crt).
You can use Firefox 3.0 or later to download the certificate directly in .PEM format. For other browsers, follow the steps below and then use the WebLogic Server der2pem tool to convert to PEM format.
Click Certificate.
In the popup window, open the Details tab, and click Copy to File...
Use DER encoded binary(X.509) format and copy the certificate to a file.
Convert the .DER format certificate to .PEM format.
For more information about using the der2pem tool, see der2pem in Command Reference for Oracle WebLogic Server. Note that WebLogic does not recognize any format other than .PEM.
In SES, import the certificate into the following keystores:
<SES Installation Directory>/jdk6/jre/lib/security/cacerts
<SES Installation Directory>/seshome/jdk/jre/lib/security/cacerts
using the following command:
keytool -importcert -trustcacerts -alias webcenter_wls -file <myhost>.crt -keystore cacerts -storepass changeit
For the handshake to be successful, the following steps are required:
Restart WebCenter Portal with the following JVM option: -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1
Apply the 10.3.6 patch to your SES server: http://aru.us.oracle.com:8080/ARU/ViewPatchRequest/process_form?aru=17092883
Note:
The WebLogic Server version of SES is 10.3.6 and the WebLogic Server version of WebCenter is 12.2.1.
By default only TLSv1.1 and TLSv1.2 are supported in 12.2.1. In 10.3.6 and JDK 1.6_29 (the SES environment), only SSLv3 and TLSv1 are supported.
In SES, create a source for Oracle WebCenter in which the crawl and authorization endpoints point to the WebCenter Portal application's HTTPS ports.
Create a schedule and source group for the crawl (see Configuring Search Parameters and Crawlers Using Fusion Middleware Control).
Finish the WebCenter-side configuration for SES and restart SES and WebCenter Portal.
Create some objects in WebCenter Portal and start the crawl.
After the crawl has been completed, search for a keyword and the results should appear in WebCenter Portal.
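As an added check, not part of the Oracle documentation: the Python script below models the protocol mismatch described in the note above (the negotiated version is the highest one both sides offer, and minimumProtocolVersion widens the WebCenter side downwards), and connects to an SSL-enabled port to report the negotiated protocol and whether the certificate's CN is the fully qualified host name the SES steps require. The version labels, and the host, port and PEM trust file you pass in, are assumptions.

```python
import socket
import ssl

# Version sets as quoted in the note above (labels constructed for this check).
WEBCENTER_12_2_1 = {"TLSv1.1", "TLSv1.2"}
SES_10_3_6 = {"SSLv3", "TLSv1"}
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def negotiated_version(client_versions, server_versions):
    """Highest version both sides offer, or None when the handshake cannot succeed."""
    common = set(client_versions) & set(server_versions)
    if not common:
        return None
    return max(common, key=TLS_ORDER.index)


def with_minimum_version(versions, minimum):
    """Extend a version set downwards to `minimum`, which is the effect of
    -Dweblogic.security.SSL.minimumProtocolVersion on the WebCenter side."""
    start = TLS_ORDER.index(minimum)
    top = max(TLS_ORDER.index(v) for v in versions)
    return set(TLS_ORDER[start:top + 1])


def subject_cn(cert):
    """commonName of the subject, from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cn_matches_host(cert, host):
    """The SES steps require cn=<myhost> (the FQDN); compare the CN to it literally."""
    cn = subject_cn(cert)
    return cn is not None and cn.lower() == host.lower()


def check_https_endpoint(host, port, cafile, timeout=10):
    """Handshake with an SSL-enabled WebCenter, OHS or Portlet port and report what the
    server presents. `cafile` is the PEM trust certificate exported for that server."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject_cn": subject_cn(cert),
                "cn_matches_host": cn_matches_host(cert, host),
                "not_after": cert.get("notAfter"),
            }
```

Run check_https_endpoint against the WC_Portal HTTPS port after each of the sections above; a failed handshake with the SES versions reproduces the mismatch the note describes.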
This section describes how to secure the WebCenter Portal connection to a BPEL server when the BPEL server resides in an external SOA domain.
Note:
When SOA is installed in an external domain, the Identity Asserter and Authenticator should be configured exactly as for WebCenter Portal. For more information on configuring the Identity Asserter and Authenticator for an external LDAP identity store, see Reassociating the Identity Store with an External LDAP Server.
To secure the WebCenter Portal connection to an external BPEL server with SSL: