5 SSL Configuration WLST Commands

This chapter describes SSL configuration WLST commands.

This chapter contains the following sections:

About SSL Configuration Commands

WLST commands are available to configure and manage SSL for Oracle Fusion Middleware components.

Use the commands listed in Table 5-1 for this task.

See Also:

Administering Oracle Fusion Middleware for important instructions on how to launch the WLST shell to run SSL-related commands. Do not launch the WLST interface from any other location.

Note:

All WLST commands for SSL configuration must be run in online mode.

You can obtain help for each command by issuing:

help('command_name')

Certain commands require parameters like instance name, ias-component and process type. You can obtain this information with the command:

state('serverName') [in WebLogic domain]

nmServerStatus(serverName='name', serverType='type') [in Standalone domain]

Table 5-1 WLST Commands for SSL Configuration

Use this command...   To...                                                  Use with WLST...
configureSSL          Set the SSL attributes for a component listener.       Online
getSSL                Display the SSL attributes for a component listener.   Online

Properties Files for SSL

SSL configuration employs certain properties files for use with the WLST configureSSL command.

The files contain parameters to specify the desired SSL configuration, such as authentication type, cipher values, and SSL version.

You can use descriptive names if you need to manage multiple properties files for different components. For example, you could have properties files named ohs-ssl-properties.prop or ovd-ssl-properties.prop.

Structure of Properties Files

All the SSL properties files have a consistent structure.

Table 5-2 provides details about the key-value structure and usage of these files.

Table 5-2 Parameters in Properties File

Key: SSLEnabled
  Mandatory: No
  Allowed values for Oracle HTTP Server: true, false
  Usage: Either value

Key: Ciphers
  Mandatory: No
  Allowed values for Oracle HTTP Server:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DH_anon_WITH_RC4_128_MD5
    SSL_DH_anon_WITH_DES_CBC_SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
  Usage: One or more comma-separated values

Key: SSLVersions
  Mandatory: No
  Allowed values for Oracle HTTP Server: nzos_Version_3_0, nzos_Version_3_0_With_2_0_Hello, nzos_Version_1_0
  Usage: One or more comma-separated values

Key: CertValidation
  Mandatory: No
  Allowed values for Oracle HTTP Server: none, crl
  Usage: Either value

Key: CertValidationPath
  Mandatory: No
  Allowed values for Oracle HTTP Server: file://crl_file_path, dir://crl_dir_path
  Usage: Path of the CRL file, or directory containing CRL files

Key: KeyStore
  Mandatory: No
  Allowed values for Oracle HTTP Server: Valid wallet name

Key: TrustStore
  Mandatory: No
  Allowed values for Oracle HTTP Server: N/A

Key: AuthenticationType
  Mandatory: No
  Allowed values for Oracle HTTP Server: None, Server, Optional, Mutual
  Usage: Any one value

Table 5-3 shows the default values that apply when a key is absent or has no value:

Table 5-3 Default Values of Parameters

Key                  Default Value for Oracle HTTP Server
SSLEnabled           true
Ciphers              null
SSLVersions          null
CertValidation       none
CertValidationPath   null
KeyStore             default
TrustStore           -
AuthenticationType   Server

Note:

  • At least one DH_anon cipher must be used in SSL no-auth mode. For all other modes, at least one RSA cipher must be used.

  • The value of the KeyStore parameter must be specified when configuring SSL in server-auth, mutual-auth, or optional client-auth mode.

  • If only AES ciphers have been specified, the SSLVersions parameter must contain TLSv1 or nzos_Version_1_0.

  • If you are doing CRL-based validation, the value of the CertValidation parameter must be crl and the value of the CertValidationPath parameter must point to the CRL file or directory.

  • The DH_anon suites provide no server authentication, so a no-auth listener is open to active interception, and the RC4, DES, 3DES and MD5-based suites, like SSL 3.0 itself (nzos_Version_3_0), are obsolete. Unless an older client genuinely requires them, restrict a production listener to the TLS_RSA_WITH_AES_* suites with nzos_Version_1_0.

Examples of Properties Files

Some examples demonstrating the use of the properties files follow.

Example 1: Basic Properties File

SSLEnabled=true
AuthenticationType=None
CertValidation=none

This properties file specifies no authentication mode, and default values will be used during SSL configuration for ciphers and SSL version. Keystore and truststore properties are not specified since the authentication type is None. For other authentication types, keystore must be specified.

Example 2: Properties File with an Empty Value

SSLEnabled=
AuthenticationType=None
CertValidation=none

This properties file is exactly the same as above, except that SSLEnabled is explicitly specified without any value. This is the same as not specifying the key at all. In both cases, the default value will be used.

Therefore, all the following three settings have the same meaning:

  • The setting:

    SSLEnabled=true
    

    Here the value true is explicitly specified.

  • The setting:

    SSLEnabled=
    

    Since no value is mentioned here, the default value of SSLEnabled (true) is used.

  • The key SSLEnabled is not present in the properties file.

    Since the key is not present, its default value (true) is used.

Example 3: Properties File with Version for Oracle HTTP Server

SSLEnabled=true
AuthenticationType=Mutual
SSLVersions=nzos_Version_3_0
CertValidation=crl
CertValidationPath=file:///tmp/file.crl
KeyStore=ohs1

This properties file has:

  • Default values for ciphers

  • Keystore (wallet) ohs1

  • SSL version 3.0 (nzos_Version_3_0)

  • CRL validation turned on, reading /tmp/file.crl

  • Mutual authentication mode

configureSSL

Online command that sets SSL attributes.

Description

This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, then default attribute values are used.

For details about the format of properties files, see Properties Files for SSL.

Syntax

configureSSL('instName', 'compName', 'compType', 'listener', 'filePath')

Argument    Definition
instName    Specifies the name of the application server instance.
compName    Specifies the name of the component instance.
compType    Specifies the type of component. Valid value is 'ohs'.
listener    Specifies the name of the component listener to be configured for SSL.
filePath    Optional. Specifies the absolute path of the properties file containing the SSL attributes to set. If omitted, the default attribute values from Table 5-3 are used.

Example

Here are some examples of configureSSL command usage.

The following command configures the SSL attributes specified in the properties file /tmp/ssl.properties for Oracle HTTP Server instance ohs1 in application server instance inst1, for listener listener1:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ohs1', 'ohs', 'listener1', '/tmp/ssl.properties')

The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values from Table 5-3 are used (server authentication with the default wallet):

wls:/mydomain/serverConfig> configureSSL('inst1', 'ohs1', 'ohs', 'listener2')
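The rules in the note under Table 5-3 and the example properties files above are only useful if something enforces them before configureSSL is called. The following is an added example, not Oracle code: a Python/Jython script that parses a properties file with the Table 5-3 defaults (an empty value counts as unset, as Example 2 describes), checks the constraints from the note, warns about the obsolete cipher suites, and only then calls configureSSL. The apply_ssl() function takes the configureSSL callable as a parameter so it can be exercised outside WLST with a stand-in; the function and constant names are assumptions, EXAMPLE_3 is Example 3 from this chapter with the key spelled SSLVersions as in Table 5-2, and BAD_FILE is a constructed input.

```python
"""Pre-flight check for a configureSSL properties file (added example, not
Oracle code): encodes Table 5-2/5-3 and the note, then hands off to WLST."""
import re

# Defaults from Table 5-3 (Oracle HTTP Server). None means "not set".
DEFAULTS = {"SSLEnabled": "true", "Ciphers": None, "SSLVersions": None,
            "CertValidation": "none", "CertValidationPath": None,
            "KeyStore": "default", "TrustStore": None, "AuthenticationType": "Server"}
# Allowed values from Table 5-2; TLSv1 is accepted because the note allows it.
ALLOWED = {
    "SSLEnabled": {"true", "false"},
    "CertValidation": {"none", "crl"},
    "AuthenticationType": {"None", "Server", "Optional", "Mutual"},
    "SSLVersions": {"nzos_Version_3_0", "nzos_Version_3_0_With_2_0_Hello",
                    "nzos_Version_1_0", "TLSv1"},
    "Ciphers": {"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
                "SSL_DH_anon_WITH_RC4_128_MD5", "SSL_DH_anon_WITH_DES_CBC_SHA",
                "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"},
}

def split_list(value):
    """'a, b' -> ['a', 'b']; an unset (None) value -> []."""
    return [v.strip() for v in value.split(",")] if value else []

def parse(text):
    """Return (explicit, resolved): keys the file really sets, and the full dict
    after defaults. 'Key=' with no value counts as unset. Unknown keys are rejected."""
    explicit, resolved = {}, dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value" % lineno)
        key, value = [s.strip() for s in line.split("=", 1)]
        if key not in DEFAULTS:
            raise ValueError("line %d: unknown key %r" % (lineno, key))
        if value:
            explicit[key] = value
            resolved[key] = value
    return explicit, resolved

def validate(explicit, props):
    """Apply the constraints from the note; returns (errors, warnings)."""
    errors, warnings = [], []
    for key, allowed in ALLOWED.items():  # value checks from Table 5-2
        values = split_list(props[key]) if key in ("Ciphers", "SSLVersions") else [props[key]]
        for v in values:
            if v is not None and v not in allowed:
                errors.append("%s: value %r is not allowed" % (key, v))
    auth = props["AuthenticationType"]
    ciphers, versions = split_list(props["Ciphers"]), split_list(props["SSLVersions"])
    if ciphers:
        if auth == "None" and not any("DH_anon" in c for c in ciphers):
            errors.append("no-auth mode needs at least one DH_anon cipher")
        if auth != "None" and not any("_RSA_" in c for c in ciphers):
            errors.append("%s mode needs at least one RSA cipher" % auth)
        if all("_AES_" in c for c in ciphers) and not (
                {"nzos_Version_1_0", "TLSv1"} & set(versions)):
            errors.append("AES-only cipher list needs TLSv1 or nzos_Version_1_0 in SSLVersions")
        for c in ciphers:  # obsolete or unauthenticated suites: warn, do not block
            if re.search(r"RC4|DES|MD5|DH_anon", c):
                warnings.append("%s is obsolete or unauthenticated" % c)
    if auth != "None" and "KeyStore" not in explicit:
        errors.append("KeyStore must be specified for %s authentication" % auth)
    if props["CertValidation"] == "crl":
        path = props["CertValidationPath"]
        if not path or not re.match(r"(file|dir)://", path):
            errors.append("CertValidation=crl needs CertValidationPath=file://... or dir://...")
    elif props["CertValidationPath"]:
        warnings.append("CertValidationPath is ignored because CertValidation=none")
    return errors, warnings

def check(text):
    """Parse and validate one properties-file body."""
    return validate(*parse(text))

def apply_ssl(configure_fn, inst, comp, ctype, listener, path, text=None):
    """Validate the file at `path` (or `text`, if given) and only then call
    configure_fn(inst, comp, ctype, listener, path). In WLST pass configureSSL."""
    if text is None:
        with open(path) as f:
            text = f.read()
    errors, warnings = check(text)
    if errors:
        raise ValueError("refusing to configure %s: %s" % (listener, "; ".join(errors)))
    for w in warnings:
        print("WARNING: " + w)
    return configure_fn(inst, comp, ctype, listener, path)

# Example 3 from this chapter, and a constructed file that breaks three rules at once.
EXAMPLE_3 = ("SSLEnabled=true\nAuthenticationType=Mutual\nSSLVersions=nzos_Version_3_0\n"
             "CertValidation=crl\nCertValidationPath=file:///tmp/file.crl\nKeyStore=ohs1\n")
BAD_FILE = ("AuthenticationType=Mutual\nCiphers=TLS_RSA_WITH_AES_128_CBC_SHA\n"
            "SSLVersions=nzos_Version_3_0\nCertValidation=crl\n")

if __name__ == "__main__":
    for name, body in (("example 3", EXAMPLE_3), ("bad file", BAD_FILE)):
        print(name, check(body))
```

Inside a WLST session the call would be apply_ssl(configureSSL, 'inst1', 'ohs1', 'ohs', 'sslport1', '/tmp/ssl.properties'), followed by getSSL('inst1', 'ohs1', 'ohs', 'sslport1') to confirm the listener picked up the values. The parser deliberately rejects unknown keys rather than ignoring them: a misspelt key such as SSLVersion (for SSLVersions) is not one of the attributes in Table 5-2, and the note's rules cannot catch a setting that was never read.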

getSSL

Online command that lists the configured SSL attributes.

Description

This command lists the configured SSL attributes for the specified component listener.

Syntax

getSSL('instName', 'compName', 'compType', 'listener')

Argument    Definition
instName    Specifies the name of the application server instance.
compName    Specifies the name of the component instance.
compType    Specifies the type of component. Valid value is 'ohs'.
listener    Specifies the name of the component listener.

Example

The following command shows the SSL attributes configured for Oracle HTTP Server instance ohs1, in application server instance inst1, for listener sslport1:

wls:/mydomain/serverConfig> getSSL('inst1', 'ohs1', 'ohs', 'sslport1')