29 Configuring SSL

This chapter describes how to secure Oracle WebCenter Portal and components with SSL.

Note:

The following can use WS-Security with message protection, and consequently have no hard requirement for SSL:

  • BPEL servers - Oracle BPM Worklist

  • WSRP Producers

  • Discussions and announcements

Permissions:

To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.

See also Understanding Administrative Operations, Roles, and Tools.

29.1 Securing the Browser Connection to WebCenter Portal using SSL

This section presents an overview of how to configure the Oracle Platform Security Services (OPSS) Keystore Service for use with WebCenter Portal. It is possible to use Fusion Middleware Control as well for this, but the scope of this document is restricted to usage of WLST.

Note:

The default Java Keystore Service (JKS) has been replaced with the Oracle Platform Security Services (OPSS) Keystore Service. Use WC_Portal as the server and OPSS as the keystore service.

For detailed information and step-by-step instructions to configure SSL in the WebLogic Server environment, see Managing Keys and Certificates with the Keystore Service in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.

The OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. The OPSS Keystore Service makes using certificates and keys easier by providing central management and storage of keys and certificates for all servers in a domain. You use the OPSS Keystore Service to create and maintain keystores of type KSS.

Securing the browser connection to WebCenter Portal with SSL consists of the steps described in the following subsections.

Note:

An overview of the configuration process is described in this section. For detailed information and step-by-step instructions, see Configuring SSL with Keystore Service in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.

29.1.1 Creating the Custom Keystore

The first step is to generate a custom keystore for WebCenter Portal.

To configure the Keystore Service:

  1. Connect to WebLogic Server using the WLST console:
    connect('username','password','hostname:port')  
    
  2. Get the OPSS Service reference name.
    svc = getOpssService(name='KeyStoreService')
    
  3. Create a new keystore:

    Note:

    Create the keystore in the system stripe, with permission set to false.

    Enter the following command:

    svc.createKeyStore(appStripe='system', name='webcenter_wls', password='password', permission=false)
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe in which the keystore is created

    • name = the name of the keystore

    • password = password of the keystore

    • permission = false if protected by both permission and password (true if keystore is protected by permission only)

  4. Generate key pair.

    Use your actual alias, domain name, and credentials. The following example also uses a default CA signed certificate.

    svc.generateKeyPair(appStripe='system', name='webcenter_wls', password='password', dn='cn=webcenteridentity,dc=example,dc=com', keysize='2048', alias='webcenter_wls', keypassword='password')
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore where the key pair is generated

    • password = password of the keystore

    • dn = the distinguished name of the certificate wrapping the key pair

    • keysize = the key size

    • alias = the alias of the key pair entry

    • keypassword = the key password

  5. (Optional) List the keystores and aliases inside the keystore, using the following command:
    svc.listKeyStores(appStripe='*')
    

    This lists system/webcenter_wls.

    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe whose keystores are listed

    Enter:

    svc.listKeyStoreAliases(appStripe="system",name="webcenter_wls", password="password", type="*")
    

    This lists the alias webcenter_wls.

    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore

    • password = password of the keystore

    • type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'

  6. Run the syncKeyStores command:
    syncKeyStores(appStripe='system', keystoreFormat='KSS')
    
  7. Restart the WC_Portal managed server.

29.1.2 Configuring the Custom Identity and Custom Trust Keystores

For an overview of how to configure the Identity and Trust keystores, see Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

The next step is to configure the Custom Identity and Custom Trust keystores on the WebCenter Portal server.

To configure the identity and trust keystores:

  1. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Oracle WebLogic Server Administration Console.

  2. Click the WebCenter Portal server (WC_Portal) to configure the identity and trust keystores.

    The Settings pane for the WebCenter Portal server opens.

  3. Open the Configuration tab, and then the Keystores subtab.
    The Keystores pane opens.
  4. Click Change.
  5. For Keystores, select Custom Identity and Custom Trust and click Save.
  6. Under Identity, enter the path and filename of the Custom Identity Keystore you created in Securing the Browser Connection to WebCenter Portal using SSL.
    If you use the example in Securing the Browser Connection to WebCenter Portal using SSL, enter kss://system/webcenter_wls

    where:

    • system = the stripe in which the keystore was created (appStripe)

    • webcenter_wls = the name of the keystore (name)

  7. Enter KSS as the Custom Identity Keystore Type.
  8. Enter and confirm the Custom Identity Keystore password.
  9. Under Trust, set the Custom Trust Keystore to kss://system/trust.
  10. For Custom Trust Keystore Type, enter KSS, then click Save to save your entries.
  11. Open the SSL tab.
  12. Enter the Private Key Alias (for example, webcenter_wls) and the Private Key Passphrase (for example, welcome1), then click Save to save your entries.

29.1.3 Configuring the SSL Connection

For an overview of how to configure the SSL connection, see Specifying a Client Certificate for an Outbound Two-Way SSL Connection in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

To configure the SSL Connection:

  1. On the Settings pane for the WebCenter Portal server, open the Configuration tab and then the General subtab.

    The General Configuration pane displays.

  2. Check SSL Listen Port Enabled.
  3. Enter an SSL Listen Port number and click Save.
  4. On the Configuration tab, open the SSL subtab, and then expand the Advanced options at the bottom of the page.

    The SSL advanced options are displayed.

  5. Set the Two Way Client Cert Behavior option to Client Certs Not Requested and click Save.
  6. Open the Control tab on the Settings pane, and select the Start/Stop subtab.
  7. Click Restart SSL.
  8. Restart the WebLogic Server and open the SSL WebCenter Portal URL.
    For a development or test environment only (that is, not for a production environment), if the host name in the certificate does not match the server host name, start the server with the following JVM option, which turns off host name verification:

    -Dweblogic.security.SSL.ignoreHostnameVerification=true

  9. Accept the certificate for the session and log in.

29.2 Securing the Connection from Oracle HTTP Server to WebCenter Portal with SSL

Securing the connection between the Oracle HTTP Server (OHS) and WebCenter Portal is described in the following sections:

29.2.1 Wiring the WebCenter Portal Ports to the HTTP Server

To wire the WebCenter Portal ports to the HTTP server:

  1. Install and configure OHS 12c (see Installing the Oracle HTTP Server Software in Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server).
    By default, it comes configured with an SSL port.
  2. Open the file DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/mod_wl_ohs.conf
  3. Add the WebCenter URL to mod_wl_ohs.conf to make WebCenter Portal work with OHS:
    <Location /webcenter>
    SetHandler weblogic-handler
    WebLogicHost host_id
    WebLogicPort port
    </Location>
    
    Replace host_id and port with the WebLogic Server host ID and port number.

    Note:

    When using mod_wl_ohs, you need to complete the prerequisites mentioned in Preparing for Configuring the Oracle WebLogic Server Proxy Plug-In in Using Oracle WebLogic Server Proxy Plug-Ins 12.2.1.
  4. Start the node manager:
    DOMAIN_HOME/bin/startNodeManager.sh &
    

    See Starting the Node Manager in Oracle Fusion Middleware Installing and Configuring Oracle HTTP Server.

  5. Restart the OHS server:
    DOMAIN_HOME/bin/stopComponent.sh ohs1 && DOMAIN_HOME/bin/startComponent.sh ohs1
    
  6. Verify if the following URLs are working:

    http://OHS_12c_installation_host:port

    http://OHS_12c_installation_host:OHS_12c_installation_port/webcenter

  7. Configure the WebCenter SSL port with the OHS SSL:
    1. Verify that the OHS SSL port is working by checking the following URL.
      https://ohs_ssl_host:ohs_ssl_port
      
    2. To configure the WebCenter SSL port, open the OHS ssl.conf file (DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/ssl.conf).
    3. Add the following entry (WebCenter SSL host and port) to ssl.conf to make WebCenter Portal run on the OHS SSL port:

      Note:

      This snippet must be inserted just before the </VirtualHost> tag, that is, where the virtual host section ends.
      <Location /webcenter>
      SetHandler weblogic-handler
      WebLogicHost host_id
      WebLogicPort port
      SecureProxy ON
      WlSSLWallet /filepath/ohs12c/user_projects/domains/base_domain/config/fmwconfig/components/OHS/instances/ohs1/keystores/default
      </Location>
      
  8. Restart OHS.
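As an added check (example code written for this chapter, not part of the Oracle documentation or of the mod_wl_ohs plug-in), the following Python parses the <Location /webcenter> blocks from mod_wl_ohs.conf or ssl.conf and reports when the block that serves the SSL virtual host lacks SecureProxy ON or WlSSLWallet, which would leave the OHS-to-WC_Portal hop unencrypted or unverified. The host, port and wallet path in the samples are constructed placeholders.

```python
"""Audit the <Location /webcenter> proxy blocks in mod_wl_ohs.conf / ssl.conf."""
import re
from dataclasses import dataclass, field

# Accepts "<Location /webcenter>" and the spacing variant "<Location/webcenter>".
LOC_OPEN = re.compile(r"^<Location\s*([^\s>]+)\s*>$", re.IGNORECASE)
LOC_CLOSE = re.compile(r"^</Location>$", re.IGNORECASE)


@dataclass
class LocationBlock:
    path: str
    directives: dict = field(default_factory=dict)  # lower-cased directive name -> value


def parse_locations(conf_text: str) -> list:
    """Return every <Location> block with its directives (comments stripped)."""
    blocks, current = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = LOC_OPEN.match(line)
        if opened:
            if current is not None:
                raise ValueError(f"line {lineno}: nested <Location> is not allowed")
            current = LocationBlock(opened.group(1))
        elif LOC_CLOSE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: </Location> without an opening tag")
            blocks.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current.directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    if current is not None:
        raise ValueError(f"<Location {current.path}> is never closed")
    return blocks


def audit_webcenter_proxy(conf_text: str, ssl_virtual_host: bool) -> list:
    """Findings for the /webcenter block; ssl_virtual_host=True means the block is in ssl.conf."""
    findings = []
    blocks = [b for b in parse_locations(conf_text) if b.path == "/webcenter"]
    if not blocks:
        return ["no <Location /webcenter> block: OHS will not proxy WebCenter Portal"]
    for block in blocks:
        d = block.directives
        if d.get("sethandler", "").lower() != "weblogic-handler":
            findings.append("SetHandler weblogic-handler is missing")
        for required in ("weblogichost", "weblogicport"):
            if not d.get(required):
                findings.append(f"{required} is not set")
        if ssl_virtual_host:
            if d.get("secureproxy", "").upper() != "ON":
                findings.append("SecureProxy is not ON: the OHS-to-WC_Portal hop would be plain HTTP")
            if not d.get("wlsslwallet"):
                findings.append("WlSSLWallet is not set: the plug-in has no wallet to verify the WC_Portal certificate")
    return findings


# Constructed sample: the ssl.conf block from this chapter with placeholder host, port and wallet.
SSL_CONF_SAMPLE = """\
<Location /webcenter>
    SetHandler weblogic-handler
    WebLogicHost wcp.example.com
    WebLogicPort 8894
    SecureProxy ON
    WlSSLWallet /filepath/ohs12c/keystores/default
</Location>
"""

# Constructed sample: a mod_wl_ohs.conf-style block with no SSL toward the back end.
PLAIN_CONF_SAMPLE = """\
<Location/webcenter>
    SetHandler weblogic-handler
    WebLogicHost wcp.example.com
    WebLogicPort 8888
</Location>
"""

if __name__ == "__main__":
    print(audit_webcenter_proxy(SSL_CONF_SAMPLE, ssl_virtual_host=True))    # []
    print(audit_webcenter_proxy(PLAIN_CONF_SAMPLE, ssl_virtual_host=True))  # two findings
```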

29.2.2 Configuring the SSL Certificates

For OHS to trust WebCenter Portal's certificate, the WC_Portal certificate must be imported into the OHS trust store.

To configure the SSL certificates:

  1. Export the WC_Portal certificate from the WC_Portal identity keystore, using the following WLST:
    svc = getOpssService(name='KeyStoreService')
    svc.exportKeyStoreCertificate(appStripe='system', name='webcenter_wls', password='password', alias='webcenter_wls', type='TrustedCertificate', filepath='/filepath/certificate/webcenter.cer')
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore

    • password = password of the keystore

    • alias = the alias of the key pair entry whose certificate is exported

    • type = the type of entry to export. Valid values are 'Certificate', 'TrustedCertificate', or 'CertificateChain'

    • filepath = absolute path of the file where certificate, trusted certificate or certificate chain is exported

  2. Import this certificate into the wallet on the OHS side.
    Navigate to /domain_home/config/fmwconfig/components/OHS/instances/ohs1/keystores/default and run the following orapki command (typically located in IDM_HOME) :
    setenv JAVA_HOME /Java_install_location/jdk1.8.0_40/
    /OHS_install_location/oracle_common/bin/orapki wallet add -wallet . -trusted_cert -cert <webcenter_wls.cer location> -auto_login_only
    
  3. For WebCenter Portal to trust OHS certificates, export the user certificate from OHS wallet and import it as a trusted certificate in the WebLogic trust store.
    /OHS_install_location/oracle_common/bin/orapki wallet display -wallet .
    /OHS_install_location/oracle_common/bin/orapki wallet export -wallet . -cert cert.txt -dn 'dn_value'
    

    where dn_value is the DN shown in the output of the wallet display -wallet command.

  4. Import the OHS certificate (cert.txt, exported in the previous step) into the WC_Portal managed server trust store:
    keytool -importcert -alias ohs_cert -file cert.txt -keystore wls_java_home/jre/lib/security/cacerts
    

    where wls_java_home is the WebLogic Java home directory; keytool is installed in wls_java_home/jre/bin/keytool. To find the wls_java_home path, run domain_home/bin/setDomainEnv.sh (on UNIX) or domain_home\bin\setDomainEnv.cmd (on Windows).

  5. In WebCenter, log in to the WebLogic Console and check if the WebLogic Plugin checkbox is enabled:
    1. Log in to the WebLogic Console.
    2. Click the domain name on the left hand navigation.
    3. Click the Web Applications tab.
    4. Select the option WebLogic Plugin Enabled, then click Save.
  6. Restart OHS and the WC_Portal server.

    You should now be able to access the SSL OHS URL (https://<ohs ssl host>:<ohs ssl port>/webcenter).

  7. After accessing the URL, accept the certificate.

29.3 Securing the Browser Connection to Discussions with SSL

Securing the browser connection to discussions with SSL is described in the following sections:

29.3.1 Creating the Custom Keystore for Discussions

The first step in securing the connection to Discussions is to generate a custom keystore as shown below:

  1. Connect to WebLogic Server using the WLST console:

    connect('weblogic','password','host:port')
    
  2. Get OPSS service reference:

    svc = getOpssService(name='KeyStoreService')
    
  3. Create a new keystore:

    Note:

    Create the keystore in the system stripe, with permission set to false.

    svc.createKeyStore(appStripe='system', name='collab_wls', password='password', permission=false)
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe in which the keystore is created

    • name = the name of the keystore

    • password = password of the keystore

    • permission = true if keystore is protected by permission only; false if protected by both permission and password

  4. Generate a key pair using WLST:

    svc.generateKeyPair(appStripe='system', name='collab_wls', password='password', dn='cn=collabidentity,dc=example,dc=com', keysize='2048', alias='collab_wls', keypassword='welcome1')
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore where the key pair is generated

    • password = password of the keystore

    • dn = the distinguished name of the certificate wrapping the key pair

    • keysize = the key size

    • alias = the alias of the key pair entry

    • keypassword = the key password

  5. Optionally, list the keystores and aliases inside the keystore:

    svc.listKeyStores(appStripe='*')
    

    This lists system/collab_wls.

    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe whose keystores are listed

    Enter:
    svc.listKeyStoreAliases(appStripe="system",name="collab_wls", password="password", type="*")
    

    This lists the alias collab_wls.

    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore

    • password = password of the keystore

    • type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'

  6. Run syncKeyStores:

    syncKeyStores(appStripe='system', keystoreFormat='KSS')
    

29.3.2 Configuring the Identity and Trust Keystore for Discussions

The next step is to configure the Custom Identity and Custom Trust keystores on the WebCenter Collaboration server.

To configure the identity and trust keystores for discussions:

  1. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Oracle WebLogic Server Administration Console.

  2. In the Domain Structure pane, expand Environment and click Servers.

    The Summary of Servers pane displays.

  3. Click the WebCenter Collaboration server (WC_Collaboration) to configure the identity and trust keystores.

    The Settings pane for the Collaboration server displays.

  4. Open the Configuration tab, and then the Keystores subtab.

    The Keystores pane displays.

  5. Click Change.
  6. For Keystores, select Custom Identity and Custom Trust, then click Save.
  7. Under Identity, enter the path and filename of the Custom Identity Keystore you created in Creating the Custom Keystore for Discussions: kss://system/collab_wls.
  8. Enter KSS as the Custom Identity Keystore Type.
  9. Enter and confirm your custom identity keystore password (for example, welcome1).
  10. Under Trust, set the Custom Trust Keystore to kss://system/trust and click Save.
  11. Enter KSS as the Custom Trust Keystore Type, and enter and confirm your custom trust keystore password, then click Save.
  12. From the WLS Administration console, go to Servers -> WC_Collaboration and open the Configuration tab, and then the SSL subtab.
  13. Enter the private key alias (for example, collab_wls), and set the private key password (for example, welcome1).
  14. Click Save to save your entries.
  15. On the Settings pane for the WebCenter Collaboration server (WC_Collaboration), open the Configuration tab and then the General subtab.

    The General Configuration pane opens.

  16. Check SSL Listen Port Enabled.
  17. Enter an SSL Listen Port number and click Save.
  18. On the Configuration tab, open the SSL subtab, and then expand the Advanced options at the bottom of the page.
  19. Check that the Two Way Client Cert Behavior option is set to Client Certs Not Requested and click Save.
  20. Open the Control tab.

    The Control Settings pane opens.

  21. Click Restart SSL.

29.3.3 Configuring and Securing the SSL Connection for Discussions

To configure the SSL connection for Discussions:

  1. Restart the WebCenter Collaboration server (WC_Collaboration) and open the SSL collaboration URL: https://host:port/owc_discussions.
    The certificate should be generated when you access the URL, and stored in your browser.
  2. Download and store the certificate in .PEM or .CRT format.
  3. Import the certificate into cacerts in JDK_HOME, using the following command:
    keytool -importcert -alias collab_cert -file /filepath/sslcertificate/collabcert.crt -keystore .../oracle_common/jdk/jre/lib/security/cacerts
    
  4. Enter the password changeit when prompted, then enter yes to trust the certificate.
  5. Register the https://jive URL in Oracle Enterprise Manager for Announcements and Discussions.
  6. Restart the WC_Portal managed server.
  7. Test announcements and discussions.

29.4 Securing the WebCenter Portal Connection to Portlet Producers with SSL

Securing the connection to WSRP with SSL is described in the following sections:

29.4.1 Creating the Custom Keystores for Portlet Producers

The following steps are required to configure WebCenter Portlet with SSL using the KSS keystore.

  1. Connect to WebLogic Server using the WLST console:

    connect('weblogic','password','host:port')
    
  2. Get the OPSS service reference:

    svc = getOpssService(name='KeyStoreService')
    
  3. Create a new keystore:

    Note:

    Create the keystore in the system stripe, with permission set to false.

    svc.createKeyStore(appStripe='system', name='portlet_wls', password='password', permission=false)
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe in which the keystore is created

    • name = the name of the keystore

    • password = password of the keystore

    • permission = false if protected by both permission and password (true if keystore is protected by permission only)

  4. Generate keypair:

    svc.generateKeyPair(appStripe='system', name='portlet_wls', password='password', dn='cn=customidentity,dc=example,dc=com', keysize='2048', alias='portlet_wls', keypassword='password')
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore where the key pair is generated

    • password = password of the keystore

    • dn = the distinguished name of the certificate wrapping the key pair

    • keysize = the key size

    • alias = the alias of the key pair entry

    • keypassword = the key password

  5. Optionally, list the keystores and aliases inside the keystore.

    The following command lists system/portlet_wls:

    svc.listKeyStores(appStripe='*')
    
    where:
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe whose keystores are listed

    The following command lists the alias portlet_wls:
    svc.listKeyStoreAliases(appStripe="system",name="portlet_wls", password="password", type="*")
    
    • svc = the service command object obtained through a call to getOpssService()

    • appStripe = the name of the stripe containing the keystore

    • name = the name of the keystore

    • password = password of the keystore

    • type = the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'

  6. Run syncKeyStores:

    syncKeyStores(appStripe='system', keystoreFormat='KSS')
    

29.4.2 Configuring the Identity and Trust Keystores for Portlet Producers

The next step is to configure the Custom Identity and Trust Keystores for the WebCenter Portlet server (for example, WC_Portlet).

For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL.

To configure the identity and trust keystores for the Portlet server:

  1. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Oracle WebLogic Server Administration Console.

  2. In the Domain Structure pane, expand Environment and click Servers.

    The Summary of Servers pane displays.

  3. Click the WebCenter Portlet server (for example, WC_Portlet) to configure the identity and trust keystores.

    The Settings pane for the Portlet server displays.

  4. Open the Configuration tab, and then the Keystores subtab.

    The Keystores pane displays.

  5. Click Change.

  6. For Keystores, select Custom Identity and Custom Trust, and click Save.

  7. Under Identity, enter the path and filename of the Custom Identity Keystore you created in Creating the Custom Keystores for Portlet Producers: kss://system/portlet_wls.

  8. Enter KSS as the Custom Identity Keystore Type.

  9. Enter and confirm your custom identity keystore password (for example, welcome1).

  10. Under Trust, set the Custom Trust Keystore to kss://system/trust and click Save.

  11. Enter KSS as the Custom Trust Keystore Type, and enter and confirm your custom trust keystore password, then click Save.

  12. Open the SSL tab.

  13. Enter the private key alias (for example, portlet_wls), and set the private key password (for example, welcome1).

  14. Click Save to save your entries.

Note:

For the Pagelet Producer, the Custom Identity and Java Standard Trust keystore type should be used for SSL configuration. For more information on how to configure a Java standard keystore (JKS), see Configuring Keystores in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

29.4.3 Configuring the SSL Connection for Portlet Producers

To configure SSL, see Overview of Configuring SSL in WebLogic server in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server guide.

To configure the SSL connection for Portlet Server:

  1. On the Settings pane for the WebCenter Portlet server (WC_Portlet), open the Configuration tab and then the General subtab.
  2. Select SSL Listen Port Enabled.
  3. Enter an SSL listen port number.
  4. Click Save.
  5. Select Configuration > SSL, and then open the Advanced options at the bottom of the page.
  6. Check that the Two Way Client Cert Behavior option is set to Client Certs Not Requested.
  7. Click Save.
  8. Open the Control tab.

    The Control Settings pane opens.

  9. Click Restart SSL.
  10. Restart the Portlet Server (WC_Portlet) and open the SSL WSRP Portlet URL: https://host:port/<context-root>/portlets/wsrp2?WSDL.
  11. Accept the certificate for the session and WSDL will get loaded.

29.4.4 Registering the SSL-enabled WSRP Producer and Running the Portlets

Configure the WC_Portal managed server to register portlets with WebCenter Portal. This uses the certificates in the JAVA_HOME trust store (/jdk/jre/lib/security/cacerts).

To register the SSL-enabled WSRP producer and run the portlets:

  1. When you accessed the SSL WSRP Portlet URL (https://host:port/<context-root>/portlets/wsrp2?WSDL), the certificate was generated and stored in your browser.
  2. Download the certificate and save it in .PEM or .crt format.

    Use Firefox 3.0 or later to download the certificate directly to .PEM format, or for other browsers use the WebLogic Server der2pem tool to convert to PEM format. For more information about using the der2pem tool, see der2pem in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server.

  3. Import the certificate into the cacerts file in /jdk/jre/lib/security using the following keytool command:
    keytool -importcert -alias portlet_cert -file portlet_pem -keystore cacerts
    

    Where:

    • portlet_cert is the portlet certificate alias

    • portlet_pem is the portlet certificate file (for example, portlet_cert.pem)

  4. Restart WC_Portal.
  5. Register the SSL-enabled portlet URL by running the registerWSRPProducer WLST command:
    registerWSRPProducer('webcenter', 'sslwsrpprod','producer_wsdl')
    

    Where:

    • sslwsrpprod is the name of the SSL-enabled WSRP producer

    • producer_wsdl is the WSDL URL of the SSL-enabled WSRP producer

    For example:

    registerWSRPProducer('webcenter', 'sslwsrpprod','https://example.com:7004/richtextportlet/portlets/wsrp2?WSDL')
    
  6. Navigate to the HTTP or HTTPS WebCenter Portal URL.
  7. Create a page and go to the Portlets link.
  8. Go to the registered WSRP producer.
  9. Add the portlet to the page.
  10. Go to the view mode of the page and check that the WSRP portlet renders correctly.

29.5 Securing the WebCenter Portal Connection to the LDAP Identity Store

To configure the LDAP server port for SSL, refer to the appropriate administration documentation for the LDAP server. For Oracle Internet Directory (OID), an SSL port is installed by default. To use this port for LDAP communication from WebCenter Portal, the identity store should be configured for authentication with the appropriate authenticator. See Configuring the Identity Store for the steps to do this for the identity store.

If the CA is unknown to the Oracle WebLogic Server, complete the additional steps described in the following subsection:

29.5.1 Exporting the OID Certificate Authority (CA)

The following topics describe how to secure the WebCenter Portal connection to OID:

  1. Enabling the SSL in OID
  2. Importing the OID Certificate
  3. Establishing the SSL Connections

29.5.1.1 Enabling the SSL in OID

This topic describes how to enable SSL in OID.

Note:

OID should be configured in the server auth mode.

  1. Create an Oracle wallet by running the following commands:
    <OID_INSTALL_LOC>/oracle_common/bin/orapki wallet create -wallet <wallet_location>/OID_Wallet -auto_login
    

    Note:

    Enter the password, when prompted.

    where,

    • <OID_INSTALL_LOC> is the location where OID is installed.

    • <wallet_location> is the location where you want the new wallet named OID_Wallet to be created. If you do not specify the wallet location, the new wallet is created in the current directory, where the command is executed.

  2. Add certificates to an Oracle wallet by running the following commands:
    <OID_INSTALL_LOC>/oracle_common/bin/orapki wallet add -wallet <wallet_location>/OID_Wallet -dn cn=<Domain name> -keysize 2048 -self_signed -sign_alg sha1 -validity 1000
    

    Where,

    • <OID_INSTALL_LOC> is the OID install location.

    • <wallet_location> is the wallet location.

    • cn is the domain name of the host where the OID server is installed. You can find the domain name in the /etc/hosts file, for example: cn=<Domain name>.

    • -sign_alg is the signature algorithm. MD5 is the default signature algorithm.

      Recent JDK versions (JDK 8) do not support MD5, so specify sha1 or sha2 as the signature algorithm, for example sha1.

    • -self_signed creates a self-signed certificate.

      You can also have the certificate signed by a CA and import it accordingly. For more information, see Configuring Secure Sockets Layer (SSL).

  3. Configure the SSL parameters in OID by running the following commands:
    ldapmodify -h OID_host -p OID_port -D cn=OID_admin -w password
    dn:cn=oid1,cn=osdldapd,cn=subconfigsubentry
    changetype: modify
    replace: orclsslauthentication
    orclsslauthentication: 32
    -
    replace: orclsslwalleturl
    orclsslwalleturl: file://<wallet_location>/OID_Wallet
    
  4. Restart the OID server.
  5. Verify that the SSL connections are created successfully by running the following commands:
    ./ldapbind -h OID_host -p OID_port -U 2 -W file://<wallet_location>/OID_Wallet  -P password
    

    where,

    • <wallet_location>/OID_Wallet is wallet location.

  6. Export the certificate by running the following command:
    <OID_INSTALL_LOC>/oracle_common/bin/orapki wallet export -wallet /<wallet_location>/OID_Wallet -dn "cn=<Domain name>" -cert oid_trust.cer
    

    where,

    • <wallet_location>/OID_Wallet is the location of the wallet.

    • oid_trust.cer is the certificate. By default, the wallet certificate is created in the current directory where the command is executed. If you specify the path, wallet certificate is created in the specified location, for example: /OID_Install_LOC/oid_cert_trust.cer.

29.5.1.2 Importing the OID Certificate

This topic describes how to import the OID certificate to the WebLogic Server Trust Store of WebCenter.

Note:

The procedure has to be performed on your WebLogic domain, where the WebCenter Portal server is installed.

  1. Import the certificate to the Oracle WebLogic Server Trust Store of the WebCenter Portal using the following command:
    keytool -importcert -v -trustcacerts -alias oid_server_trust -file oid_trust.cer -keystore cacerts -storepass changeit
    

    Note:

    The cacerts path can be retrieved as follows:

    1. Log in to the WebLogic console, navigate to Servers and click WC_Portal server.

    2. Click Configurations, then click the Keystores subtab.

    3. Verify the path mentioned in the Java Standard Trust Keystore.

      Note:

      The path mentioned in the Java Standard Trust Keystore is your cacerts path.

  2. Configure the OID with Oracle WebLogic Server.

    For more information, see Configuring the Oracle Internet Directory Authenticator.

    Note:

    When entering the Provider Specific information, make sure that you specify an SSL host and port and select the SSL Enabled check box.

29.5.1.3 Establishing the SSL Connections

This topic describes how to establish the SSL connection between the identity store and the LDAP server.

Note:

The procedure has to be performed on your WebLogic domain, where the WebCenter Portal server is installed.

  1. Set up your environment using the following script:
    setenv WL_HOME <WCP_INSTALL_LOCATION>/wlserver  
    setenv ORACLE_HOME <WCP_ORACLE_HOME> 
    cd $WL_HOME/server/bin 
    ./setWLSEnv.sh 
    cd $ORACLE_HOME/oracle_common/bin
    
  2. Create the keystore using the following script:
    libovdconfig.sh -host wls_host -port wls_adminserver_port -userName wls_user_name \
      -domainPath full_path_domain_home -createKeystore
    
    • -host is the Oracle WebLogic Server host

    • -port is the Oracle WebLogic Server Admin Server port

    • -userName is the Oracle WebLogic Server admin user name

    • -domainPath is the complete path to the domain home

    Note:

    The keystore is created at the following location: $DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks
  3. Import the certificate into the keystore using the keytool command. The syntax is as follows, for a keystore named adapters.jks.

    Ensure that you have exported the OID certificate generated previously. For more information, see Enabling the SSL in OID.

    Note:

    The keystore adapters.jks is created in Step 2.

    $JAVA_HOME/bin/keytool -importcert \
      -keystore $DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks \
      -storepass keystore_password_used_in_libovdconfig.sh \
      -alias alias_name \
      -file full_path_to_LDAPCert_file \
      -noprompt
    
  4. Restart the Oracle WebLogic Server and the managed servers.
  5. Access WebCenter Portal and log in as any OID user. You should be able to log in successfully.

    Note:

    If you receive a host name verification exception, set the following JVM parameter:
     -Dweblogic.security.SSL.ignoreHostnameVerification=true
    

29.6 Securing the WebCenter Portal Connection to Content Server with SSL

If Content Server and the WebCenter Portal application in which you intend to create a repository connection are not on the same system or the same trusted private network, then identity propagation is not secure. To ensure secure identity propagation you must also configure SSL on Content Server.

Securing Content Server with SSL involves the following tasks:

In a production environment, Oracle recommends that you use only real certificates. For information about how to configure keystores when using real certificates, see Understanding Content Server Security Providers in Oracle Fusion Middleware Administering Oracle WebCenter Content.

29.6.1 Configuring a Keystore and Key on the WebCenter Portal (Client) Side

For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL. For detailed information and step-by-step instructions, see Securing the Connection to WebCenter Portal using SSL in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

To configure a keystore on the WebCenter Portal (client) side:

  1. Go to the location, for example jdk/bin, where the keytool is located, and open the command prompt.
  2. Generate the client keystore and key pair by running the following WLST Keystore Service command:
    svc.generateKeyPair(appStripe='stripe1', name='keystore1', password='password', dn='cn=client', keysize='2048', alias='Client private key alias', keypassword='keypass1')
    
  3. To verify that the keys have been correctly created, you can optionally run the following WLST command:
    svc.listKeyStoreAliases(appStripe='stripe1', name='keystore1', password='password', type='*')
    

    This should list the alias Client private key alias.

  4. To use the key, sign it by running the following keytool command:
  5. Export the client public key by running the following WLST command:
    svc.exportKeyStore(appStripe='stripe1', name='keystore1', password='password',
      aliases='Client private key alias', keypasswords='keypass1',
      type='TrustedCertificate', filepath='client.pubkey')
    
    

29.6.2 Configuring a Keystore and Key on the Content Server Side

For an overview of how to configure the Identity and Trust keystores, see Securing the Browser Connection to WebCenter Portal using SSL. For detailed information and step-by-step instructions, see Securing the Connection to WebCenter Portal using SSL in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

To configure a keystore on the Content Server side:

  1. Go to the location, for example jdk/bin, where the keytool is located, and open the command prompt.
  2. Generate the server keystore and key pair by running the following WLST Keystore Service command:
    svc.generateKeyPair(appStripe='stripe1', name='keystore1', password='password', dn='cn=server', keysize='2048', alias='Server public key alias', keypassword='keypass1')
    
  3. To verify that the key has been correctly created, run the following WLST command:
    svc.listKeyStoreAliases(appStripe='stripe1', name='keystore1', password='password', type='*')
    

    This should list the alias Server public key alias.

  4. To use the key, sign it by running the following keytool command:
  5. Export the server public key from the server keystore by running the following WLST command:
    svc.exportKeyStore(appStripe='stripe1', name='keystore1', password='password', aliases='Server public key alias', keypasswords='keypass1', type='TrustedCertificate', filepath='server.pubkey')
    

29.6.3 Verifying Signatures of Trusted Clients

To verify signatures of trusted clients, import the client public key into the server keystore:

  1. Go to the location, where the keytool is located, and open the command prompt.
  2. To verify the signature of trusted clients, import the client's public key into the server keystore by running the following WLST command:
    svc.importKeyStore(appStripe='stripe1', name='keystore1', password='password',
      aliases='Client public key alias', keypasswords='keypass1',
      type='TrustedCertificate', filepath='client.pubkey')
    
  3. Import the server public key into the client keystore by running the following WLST command:
    svc.importKeyStore(appStripe='stripe1', name='keystore1', password='password',
      aliases='Server public key alias', keypasswords='keypass1',
      type='TrustedCertificate', filepath='server.pubkey')
    

    When the tool asks whether to trust the self-signed certificate, you must enter yes. The following shows sample output that is generated after this procedure is completed successfully.

    Sample Output Generated by the Keytool

    [user@server]$ keytool -import -alias client -file client.pubkey \
      -keystore server-keystore.jks -keypass Server private key password -storepass Keystore password
    Owner: CN=client
    Issuer: CN=client
    Serial number: serial number, for example, 123a19cb
    Valid from: Date, Year, and Time until: Date, Year, and Time
    Certificate fingerprints:
            ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore.
    

29.6.4 Securing Identity Propagation

To secure identity propagation, you must configure SSL on Content Server.

  1. Log on to Content Server as an administrator.
  2. From Administration, select Providers.
  3. On the Create a New Provider page, click Add for sslincoming.
  4. On the Add Incoming Provider page, in Provider Name, enter a name for the provider, for example, sslincomingprovider.

    When the new provider is set up, a directory with the provider name is created as a subdirectory of the CONTENT_SERVER_HOME/data/providers directory.

  5. In Provider Description, briefly describe the provider, for example, SSL Incoming Provider for securing the Content Server.
  6. In Provider Class, enter the class of the sslincoming provider, for example, idc.provider.ssl.SSLSocketIncomingProvider.

    Note:

    You can add a new SSL keepalive incoming socket provider or a new SSL incoming socket provider. Using a keepalive socket improves the performance of a session and is recommended for most implementations.

  7. In Connection Class, enter the class of the connection, for example, idc.provider.KeepaliveSocketIncomingConnection.
  8. In Server Thread Class, enter the class of the server thread, for example, idc.server.KeepaliveIdcServerThread.
  9. In Server Port, enter an open server port, for example, 5555.
  10. Select the Require Client Authentication checkbox.
  11. In Keystore password, enter the password to access the keystore.
  12. In Alias, enter the alias of the keystore.
  13. In Alias password, enter the password of the alias.
  14. In Truststore password, enter the password of the trust store.
  15. Click Add.

    The new incoming provider is now added.

  16. Go to the new provider directory that was created in step 4.
  17. To specify the trust store and keystore, create a file named sslconfig.hda.
  18. Copy the server keystore to the server.
  19. Configure the sslconfig.hda file. The following shows how the .hda file should look after you include the trust store and keystore information.

    Sample sslconfig.hda File

    @Properties LocalData
    TruststoreFile=/tmp/ssl/server_keystore
    KeystoreFile=/tmp/ssl/server_keystore
    @end
    

29.7 Securing the WebCenter Portal Connection to IMAP and SMTP with SSL

Before reconfiguring the mail server connection, you must first import the certificate into the trust store. Follow the steps below to put the certificate in the trust store and configure WebCenter Portal to use the trust store.

To secure the WebCenter Portal connection to IMAP and SMTP with SSL:

  1. Open a browser and connect to your IMAP server at the following URL:
    https://imapserver:ssl_port
    

    For example:

    https://mailserver.example:993
    
  2. Place your cursor on the page, right-click, and select Properties.
  3. Click Certificate.
  4. In the popup window, click the Details tab and click Copy to File...

    Be sure to use the DER encoded binary (X.509) format and copy the certificate to a file.

  5. Convert the .DER format certificate to .PEM format.

    Use Firefox 3.0 or later to download the certificate directly in .PEM format, or for other browsers use the WebLogic Server der2pem tool to convert it to PEM format. For more information about using the der2pem tool, see der2pem in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic Server does not recognize any format other than .PEM.

  6. Import the certificate into the cacerts keystore in JDK_HOME using the following command:
    keytool -import -alias imap_cer -file cert_file.cer -keystore cacerts -storepass changeit
    

    where cert_file.cer is the name of the certificate file you downloaded.

  7. Register the mail server connection as described in Registering Mail Servers.
  8. Restart WebCenter Portal.
  9. Log into WebCenter Portal and provide your mail credentials.

29.8 Securing the Connection to Oracle SES with SSL

There are two scenarios in which you may want to configure SSL for SES: The first scenario is where WebCenter Portal has already been protected with SSL but SES has not; the second scenario is where SES has been protected with SSL, but WebCenter Portal has not. These two scenarios are described in the following subsections:

29.8.1 Securing Oracle SES with SSL

Note:

In this scenario, WebCenter Portal is already protected with SSL, but SES is not protected.

Follow the steps below to secure SES with SSL.

Before registering the SES connection, you must first import the certificate into the trust store. Follow the steps below to put the certificate in the trust store and register the Oracle Secure Enterprise Search (SES) connection.

To download the certificate of the HTTPS URL and save it:

  1. Configure SSL on the WebCenter side using the following certificate name:

    cn=<myhost>
    

    where <myhost> is the fully qualified name of the host where WebCenter is installed.

    For more information about configuring SSL on WebCenter Portal, see Securing the Browser Connection to WebCenter Portal using SSL.

  2. Export the WebCenter certificate in PEM format (for example, <myhost>.crt).

    You can use Firefox 3.0 or later to download the certificate directly in .PEM format. For other browsers, follow the steps below and then use the WebLogic Server der2pem tool to convert it to PEM format.

    1. Click Certificate.

    2. In the popup window, open the Details tab, and click Copy to File...

      Use the DER encoded binary (X.509) format and copy the certificate to a file.

    3. Convert the .DER format certificate to .PEM format.

      For more information about using the der2pem tool, see der2pem in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic Server does not recognize any format other than .PEM.

  3. In SES, import the certificate into the following keystores:

    • <SES Installation Directory>/jdk6/jre/lib/security/cacerts

    • <SES Installation Directory>/seshome/jdk/jre/lib/security/cacerts

    using the following command:

    keytool -importcert -trustcacerts -alias webcenter_wls -file <myhost>.crt -keystore cacerts -storepass changeit
    
  4. For the handshake to be successful, the following steps are required:

    1. Restart WebCenter Portal with the following JVM option: -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1

    2. Apply the 10.3.6 patch to your SES server: http://aru.us.oracle.com:8080/ARU/ViewPatchRequest/process_form?aru=17092883

    Note:

    • The WebLogic Server version of SES is 10.3.6 and the WebLogic Server version of WebCenter Portal is 12.2.1.

    • By default, only TLSv1.1 and TLSv1.2 are supported in 12.2.1. In 10.3.6 with JDK 1.6_29 (the SES environment), only SSLv3 and TLSv1 are supported, so without the settings above the two sides have no protocol version in common.

  5. In SES, create a source for Oracle WebCenter in which the crawl and authorization endpoints point to the WebCenter Portal application's HTTPS ports.

  6. Create a schedule and source group for the crawl (see Configuring Search Parameters and Crawlers Using Fusion Middleware Control).

  7. Finish the WebCenter-side configuration for SES and restart SES and WebCenter Portal.

  8. Create some objects in WebCenter Portal and start the crawl.

  9. After the crawl has been completed, search for a keyword and the results should appear in WebCenter Portal.

29.8.2 Securing the Connection to Oracle SES with SSL

Note:

In this scenario, WebCenter Portal is not protected with SSL, but SES is protected.

To import the SES certificate to the WebCenter Portal Trust Store:

  1. Enable SSL on SES:
    1. In the Oracle SES Administration Console, keep the default setting of Demo Identity and Demo Trust.
    2. Access the search server, for example search_server1, and enable SSL on SES by setting SSL Listen Port Enabled to True on the General page.
    3. Restart the server.
  2. Register the SSL-enabled SES instance with WebCenter Portal (see Registering Oracle Secure Enterprise Search Servers).
  3. Use your browser to navigate to the Web Services URL that Oracle Secure Enterprise Search exposes to enable search requests at:
    https://host:port/search/query/OracleSearch
    

    For example:

    https://example.com:7777/search/query/OracleSearch
    
  4. Place your cursor on the page, right-click with your mouse, and select Properties.
  5. Click Certificate.
  6. In the popup window, open the Details tab, and click Copy to File...

    Use the DER encoded binary (X.509) format and copy the certificate to a file.

  7. Convert the .DER format certificate to .PEM format.

    Use Firefox 3.0 or later to download the certificate directly in .PEM format, or for other browsers use the WebLogic Server der2pem tool to convert it to PEM format. For more information about using the der2pem tool, see der2pem in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic Server does not recognize any format other than .PEM.

  8. Import the certificate into the WebCenter Portal cacerts keystore in JDK_HOME using the following command:
    keytool -import -alias ses_cer -file cert_file.cer -keystore cacerts -storepass changeit
    

    where cert_file.cer is the name of the certificate file you downloaded.

  9. Register the SES connection as described in Registering Oracle Secure Enterprise Search Servers.
  10. Restart WebCenter Portal.
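The DER-to-PEM conversion that steps 6 to 8 above perform with the browser and der2pem (the same steps appear in sections 29.7 and 29.8.1), as an added example that is not Oracle's code: it checks that the saved DER file is one complete X.509 SEQUENCE, converts it to the PEM form keytool and WebLogic Server expect, round-trips it, and prints the SHA-256 fingerprint so that the value keytool shows at its trust prompt can be compared with the one the server administrator publishes. The host name, port and DER bytes are constructed, and fetch_server_pem is a hypothetical helper around the standard library's ssl.get_server_certificate.

```python
"""Added example (not Oracle's code): a der2pem-style helper for the
certificate export steps in sections 29.7, 29.8.1 and 29.8.2."""
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def check_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the byte count. An X.509 certificate is always such a
    SEQUENCE, so a truncated file or a PEM/text file saved by mistake fails."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length, one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def der_to_pem(der: bytes) -> str:
    """Base64-encode DER into a 64-column PEM block (what der2pem produces)."""
    if not check_der_sequence(der):
        raise ValueError("input is not a complete DER-encoded certificate")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem; run it on the .PEM file before importing it."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("missing PEM certificate header or footer")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint in the format keytool prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fetch_server_pem(host: str, port: int) -> str:
    """Browser-free alternative to 'Copy to File...': the leaf certificate the
    server presents, already in PEM form (needs network). The chain is NOT
    validated here, so always compare the fingerprint out of band."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Constructed stand-in (SEQUENCE { INTEGER 5 }), not a real certificate;
    # in practice read the DER file saved from the browser, or call
    # fetch_server_pem("mailserver.example", 993) for the IMAP server of 29.7.
    sample_der = b"\x30\x03\x02\x01\x05"
    print(der_to_pem(sample_der))
    print("SHA256:", sha256_fingerprint(sample_der))
```

Write the returned PEM text to a file and pass that file to keytool -importcert as in step 8; if pem_to_der raises or the fingerprint differs from the published one, do not answer yes at the trust prompt.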

29.9 Securing the WebCenter Portal Connection to an External BPEL Server with SSL

This section describes how to secure the WebCenter Portal connection to a BPEL server when the BPEL server resides in an external SOA domain.

Note:

When SOA is installed in an external domain, the Identity Asserter and Authenticator should be configured exactly as for WebCenter Portal. For more information on configuring the Identity Asserter and Authenticator for an external LDAP identity store, see Reassociating the Identity Store with an External LDAP Server.

To secure the WebCenter Portal connection to an external BPEL server with SSL:

  1. Install and configure Oracle SOA 12c.
    See Installing Oracle SOA Suite Quick Start for Developers in Oracle Fusion Middleware Installing Oracle SOA Suite and Business Process Management Suite Quick Start for Developers.
  2. From WebCenter Portal, create a connection to SOA by running the following WLST commands:
    createBPELConnection('webcenter', 'WebCenter-Worklist')
    setSpacesWorkflowConnectionName('webcenter', 'WebCenter-Worklist', 'SOA_host:port', 'oracle/wss10_saml_token_client_policy')
    
  3. From WebCenter, enable SSL.
  4. From SOA, enable SSL.
    Follow the steps in Securing the Browser Connection to WebCenter Portal using SSL, but instead of webcenter_wls, you will use soa_wls and instead of webcenteridentity, you will use soaidentity.
  5. Configure the keystores for WebCenter Portal and SOA.
  6. Wire WebCenter WebLogic server and SOA WebLogic server to the same OID.
  7. From WebCenter Portal, import the SOA public and CA certificates into the WebCenter trust store:
    keytool -importcert -trustcacerts -alias soa_cert -file /filepath/certificate/bpel.cer -keystore /filepath/cacerts -storepass changeit
    
    keytool -importcert -trustcacerts -alias soa_trust -file /filepath/certificate/democabpel.cer -keystore /filepath/cacerts -storepass changeit
    
  8. From SOA, import the WebCenter public and CA certificates into the SOA trust store:
    keytool -importcert -trustcacerts -alias webcenter_cert -file /filepath/certificate/webcenter.cer -keystore /filepath/cacerts -storepass changeit
    
    keytool -importcert -trustcacerts -alias webcenter_trust -file /filepath/certificate/democaprod.cer -keystore /filepath/cacerts -storepass changeit
    
  9. From WebCenter, change the SOA connection details to use the SOA HTTPS host and port in Oracle Enterprise Manager.
  10. Add -Dweblogic.security.SSL.ignoreHostnameVerification=true to EXTRA_JAVA_PROPERTIES in setDomainEnv.sh for WebCenter Portal.
  11. Restart the WC_Portal server and the SOA managed server.