5 Configuring Security

This chapter describes how to work with security for plug-ins.

Using SSL with Plug-Ins

You can use the Secure Sockets Layer (SSL) protocol to protect the connection between the plug-in and Oracle WebLogic Server. The SSL protocol provides confidentiality and integrity to the data passed between the plug-in and WebLogic Server.

The plug-in does not use the transport protocol (HTTP or HTTPS) of the incoming HTTP request (usually sent by the browser) to decide whether to protect the connection between the plug-in and WebLogic Server with SSL; whether that request used HTTPS (SSL) has no bearing on the plug-in's choice.

Instead, the plug-in uses SSL parameters that you configure for the plug-in, as described in SSL Parameters for Web Server Plug-Ins, to determine when to use SSL:

  • WebLogicSSLVersion—Specifies the SSL protocol version to use for communication between the plug-in and the WebLogic Server.

  • WLSSLWallet—The version 12c (12.2.1.4.0) plug-ins use Oracle wallets to store SSL configuration information. Use the WLSSLWallet SSL configuration parameter to configure the wallets. The orapki utility is provided in the plug-in distribution for this purpose.

    The orapki utility manages public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, on the command line so the tasks it performs can be incorporated into scripts. This enables you to automate many of the routine tasks of maintaining a PKI. See Using the orapki Utility for Certificate Validation and CRL Management.

  • SecureProxy—The SecureProxy parameter determines whether SSL is enabled.

Note:

For more information on valid security protocols and ciphers for the current release, see SSLCipherSuite and SSLProtocol in Administering Oracle HTTP Server.

In the case of two-way SSL, the plug-in (the SSL client) automatically uses two-way SSL when Oracle WebLogic Server is configured for two-way SSL and requests a client certificate.

If a client certificate is not requested, the plug-ins default to one-way SSL.

Note:

If an Oracle Fusion Middleware 12c (12.2.1.4.0) product is installed on the same system as the Apache (including Oracle HTTP Server) plug-in, the ORACLE_HOME variable must point to a valid installation; otherwise, the plug-in fails to initialize SSL.

For example, if ORACLE_HOME is invalid because the product was not cleanly removed, the plug-in fails to initialize SSL.


Configuring Libraries for SSL

Plug-ins use Oracle libraries (NZ) to provide SSL support. Because the libraries are large, they are loaded only when SSL is needed. You must ensure that the library files, located in lib/*.so*, are available at the proper locations so that they can be dynamically loaded by the plug-in.

To configure the libraries for the plug-ins for Apache HTTP Server, you have a few options:

  • Windows: Add the lib directory that contains the .dll files to the PATH variable, or copy the *.dll files to the bin directory.

  • UNIX: Configure LD_LIBRARY_PATH to point to the folder containing the libraries or copy the libraries to the lib directory.

If you copy the libraries instead of updating the PATH (Windows) or LD_LIBRARY_PATH (UNIX) variables, you must copy the libraries afresh each time you install a new version of the plug-in.

Configuring a Plug-In for One-Way SSL

Perform the following steps to configure one-way SSL.

In these steps, you run the keytool commands on the system on which WebLogic Server is installed, and you run the orapki commands on the system on which the version 12c (12.2.1.4.0) plug-ins are installed.

Note:

The examples in this section use the WebLogic Server demo CA. If you are using the plug-in in a production environment, ensure that trusted CAs are properly configured for the plug-in and for Oracle WebLogic Server.

  1. Configure Oracle WebLogic Server for SSL. See Configuring SSL in Administering Security for Oracle WebLogic Server.

  2. Create an Oracle Wallet, by using the orapki utility.

    orapki wallet create -wallet mywallet -auto_login_only

    See Using the orapki Utility for Certificate Validation and CRL Management in Administering Oracle Fusion Middleware.

    Note:

    Only the user who creates the wallet (or for Windows, the account SYSTEM) has access to the wallet.

    This is typically sufficient for the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server because Apache runs as the account SYSTEM on Windows, and as the user who creates it on UNIX. However, for IIS the wallet will not work because the default user is IUSR_<Machine_Name> (IIS 6.0 and below) or IUSR (IIS 7.0 and above).

    If the user who runs the Oracle WebLogic Server Proxy Plug-In for Apache HTTP Server or Oracle WebLogic Server Proxy Plug-In 12c (12.2.1.4.0) for Microsoft IIS Web Server is different from the user who creates the wallet (or for Windows, the account SYSTEM), you need to grant the user access to the wallet by running the command cacls (Windows) or chmod (UNIX) after you create the wallet. For example:

    cacls <wallet_path>\cwallet.sso /e /g IUSR:R

  3. Import the WLS trust certificate into the Oracle Wallet.

    orapki wallet add -wallet mywallet -trusted_cert -cert <cert_file_name> -auto_login_only

  4. Configure the web server configuration files as follows:

    • For Oracle HTTP Server, edit the mod_wl_ohs.conf file as follows:

      <IfModule mod_weblogic.c>
       WebLogicHost host
       WebLogicPort port
       SecureProxy ON
       WLSSLWallet path_to_wallet
      </IfModule>
      
    • For Microsoft IIS, edit the iisproxy.ini file as follows:

       WebLogicHost=host
       WebLogicPort=port
       SecureProxy=ON
       WLSSLWallet=path_to_wallet
      

    For more information about the parameters in these examples, see Parameters for Web Server Plug-Ins.

  5. Complete these steps if the version of the Oracle WebLogic Server instances in the back end is 10.3.4 (or a later release).

    1. Log in to the Oracle WebLogic Server administration console.

    2. In the Domain Structure pane, expand the Environment node.

      • If the server instances to which you want to proxy requests from Oracle HTTP Server are in a cluster, select Clusters.

      • Otherwise, select Servers.

    3. Select the server or cluster to which you want to proxy requests from Oracle HTTP Server.

    4. In the Configuration: General tab, scroll down to the Advanced section, then expand it.

    5. Do one of the following:

      To...                                                                   Select...
      ----------------------------------------------------------------------  -------------------------
      Enable one-way SSL                                                      WebLogic Plug-In Enabled
      Enable two-way SSL where client certificates are used to authenticate   Client Cert Proxy Enabled
      Enable two-way SSL with client certificates                             Both

    6. If you selected Servers in Step 2, repeat Step 3 and Step 4 for the other servers to which you want to proxy requests from Oracle HTTP Server.

    7. Click Save.

    For the change to take effect, you must restart the server instances.

  6. Send a request to http://host:port/mywebapp/my.jsp from the browser and validate the response.
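The following POSIX shell script is an added example and is not part of the Oracle documentation or the plug-in distribution. It reads the plug-in configuration written in step 4, in either the Apache-style "Key value" form of mod_wl_ohs.conf or the "Key=value" form of iisproxy.ini, and checks that SecureProxy ON is paired with a WLSSLWallet directory that actually contains cwallet.sso, and that the wallet file is readable only by its owner, as the note in step 2 requires. The permission check uses UNIX mode bits, so it applies to the Apache HTTP Server plug-in rather than to IIS. The function names get_param and check_plugin_ssl_conf and the sample host name are the example's own.

```shell
#!/bin/sh
# Added example (not Oracle code): check the SSL parameters of a WebLogic
# proxy plug-in configuration on UNIX. Accepts the Apache/OHS form used in
# mod_wl_ohs.conf ("SecureProxy ON") or the iisproxy.ini form ("SecureProxy=ON").

# get_param FILE KEY: print the value of KEY from FILE, or nothing if unset.
get_param() {
    awk -v key="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        $1 ~ /^#/ { next }                       # skip comment lines
        $1 == key { print $2; exit }             # "Key value" form (mod_wl_ohs.conf)
        index($1, key "=") == 1 {                # "Key=value" form (iisproxy.ini)
            line = $0
            sub(/^[ \t]+/, "", line)
            print substr(line, length(key) + 2); exit
        }' "$1"
}

# check_plugin_ssl_conf FILE: status 0 when SecureProxy ON is backed by a
# wallet directory that holds cwallet.sso readable only by its owner;
# status 1 with a one-line reason otherwise.
check_plugin_ssl_conf() {
    conf=$1
    secure=$(get_param "$conf" SecureProxy | tr '[:lower:]' '[:upper:]')
    wallet=$(get_param "$conf" WLSSLWallet)

    if [ "$secure" != "ON" ]; then
        echo "WARN: SecureProxy is not ON in $conf; plug-in to WebLogic traffic is not protected by SSL"
        return 1
    fi
    if [ -z "$wallet" ]; then
        echo "FAIL: SecureProxy ON but WLSSLWallet is not set in $conf"
        return 1
    fi
    sso=$wallet/cwallet.sso
    if [ ! -f "$sso" ]; then
        echo "FAIL: $sso not found (create it with: orapki wallet create -wallet $wallet -auto_login_only)"
        return 1
    fi
    # Columns 5-10 of 'ls -l' are the group and other permission bits; only the
    # account the web server runs as (the wallet creator) should reach the wallet.
    perms=$(ls -ld "$sso" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $sso is accessible to group/others (ls shows '$perms'); fix with chmod 600"
        return 1
    fi
    echo "OK: SecureProxy ON with owner-only wallet $wallet"
    return 0
}

# Usage: sh check_plugin_ssl.sh /path/to/mod_wl_ohs.conf
if [ $# -eq 1 ]; then
    check_plugin_ssl_conf "$1"
fi
```

Run it against the configuration file after step 4 and again after any change to the wallet or its permissions; a WARN or FAIL line means the plug-in will either proxy in the clear or fail to initialize SSL at startup.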

Configuring Two-Way SSL Between the Plug-In and Oracle WebLogic Server

When Oracle WebLogic Server is configured for two-way SSL, the plug-in forwards the user certificate to WebLogic Server. As long as WebLogic Server can validate the user certificate, two-way SSL can be established.

In addition to the steps described in Configuring a Plug-In for One-Way SSL, perform the following steps:

In these steps, you run the keytool commands on the system on which WebLogic Server is installed. You run the orapki commands on the system on which the version 12c (12.2.1.4.0) plug-ins are installed.

  1. From the Oracle wallet, generate a certificate request.
  2. Use this certificate request to create a certificate by using a CA or some other mechanism.
  3. Import the user certificate as a trusted certificate in the WebLogic trust store. Oracle WebLogic Server needs to trust the certificate.
    keytool -file user.crt -importcert -trustcacerts -keystore DemoTrust.jks -storepass <passphrase>

  4. Set the WebLogic Server SSL configuration options that require the presentation of client certificates (for two-way SSL). See Configure two-way SSL in Oracle WebLogic Server Administration Console Online Help.

Replacing Certificates Signed Using the MD5 Algorithm

When using SSL to connect to WebLogic Server, ensure that any certificate request or certificates signed with MD5 are replaced by SHA-2 signed certificates in the wallet; otherwise, the server will fail to start.

Checking the Certificate Signing Algorithm

To check the certificate signing algorithm:

  1. Display the wallet contents to find the certificate and its distinguished name (DN):

    ${PLUGIN_HOME}/bin/orapki wallet display -wallet <wallet_location>

  2. Export the certificate from the wallet:

    ${PLUGIN_HOME}/bin/orapki wallet export -wallet <wallet_location> -dn 'DN_string' -cert <certificate_file>

  3. Check the signature algorithm used to sign <certificate_file> using keytool:

    $JAVA_HOME/bin/keytool -printcert -file <certificate_file>
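The following POSIX shell functions are an added example and are not part of the Oracle documentation or the plug-in distribution. They automate the three steps above: list every entry orapki reports in the wallet, export each one, read the signature algorithm from the keytool -printcert output, and flag any entry signed with MD5 so it can be replaced as described below. The function names, the default values assumed for PLUGIN_HOME and JAVA_HOME, the assumption that orapki wallet display prints each entry on a line starting with "Subject:", and the embedded sample keytool output (constructed, not real output) are the example's own.

```shell
#!/bin/sh
# Added example (not Oracle code): report the signature algorithm of every
# certificate in an Oracle wallet and flag the MD5-signed ones.
# Assumes an auto-login wallet (cwallet.sso); add -pwd to the orapki calls
# for a password-protected wallet.

PLUGIN_HOME=${PLUGIN_HOME:-/opt/plugin}       # assumed default; override in the environment
JAVA_HOME=${JAVA_HOME:-/usr/lib/jvm/default}   # assumed default; override in the environment

# sigalg_from_printcert: read 'keytool -printcert' output on stdin and print
# the signature algorithm name (for example MD5withRSA or SHA256withRSA).
sigalg_from_printcert() {
    sed -n 's/^[[:space:]]*Signature algorithm name:[[:space:]]*//p' | head -n 1
}

# is_md5_sigalg NAME: status 0 when NAME is an MD5-based signature algorithm.
is_md5_sigalg() {
    case "$1" in
        *MD5*|*md5*) return 0 ;;
        *)           return 1 ;;
    esac
}

# wallet_subjects WALLET: print the DN of every entry in the wallet.
# Assumes 'orapki wallet display' lists each entry on a line starting "Subject:".
wallet_subjects() {
    "$PLUGIN_HOME/bin/orapki" wallet display -wallet "$1" \
        | sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p'
}

# audit_wallet_sigalgs WALLET: export each certificate, print "ok"/"MD5" per DN,
# and return status 1 if any certificate is MD5-signed. Entries that cannot be
# exported (a certificate request with no certificate yet) are reported as skipped.
audit_wallet_sigalgs() {
    wallet=$1
    tmpdir=$(mktemp -d)
    wallet_subjects "$wallet" | while IFS= read -r dn; do
        cert=$tmpdir/cert.pem
        if ! "$PLUGIN_HOME/bin/orapki" wallet export -wallet "$wallet" -dn "$dn" -cert "$cert" >/dev/null 2>&1; then
            echo "skip (not exportable) $dn"
            continue
        fi
        alg=$("$JAVA_HOME/bin/keytool" -printcert -file "$cert" | sigalg_from_printcert)
        if is_md5_sigalg "$alg"; then
            echo "MD5  $alg  $dn" | tee -a "$tmpdir/md5.txt"
        else
            echo "ok   $alg  $dn"
        fi
    done
    status=0
    if [ -s "$tmpdir/md5.txt" ]; then
        status=1
    fi
    rm -rf "$tmpdir"
    return $status
}

# Constructed sample of 'keytool -printcert' output (not real output), used to
# exercise the parsing without a wallet or a Java installation.
SAMPLE_PRINTCERT='Owner: CN=wls.example.internal, O=Example
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization
Serial number: 2f
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Thu Jan 01 00:00:00 UTC 2043
Certificate fingerprints:
         SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3'

# sample_sigalg: signature algorithm parsed from the constructed sample above.
sample_sigalg() {
    printf '%s\n' "$SAMPLE_PRINTCERT" | sigalg_from_printcert
}

# Usage: sh audit_wallet.sh /path/to/wallet
if [ $# -eq 1 ]; then
    audit_wallet_sigalgs "$1"
fi
```

A non-zero exit status from audit_wallet_sigalgs is a convenient gate in a deployment check: it identifies exactly which DNs still need the remove and add commands that follow, before the server refuses to start because of an MD5-signed entry.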

Removing a Certificate Request or Certificate Signed with the MD5 Algorithm

  • To remove a user certificate signed using the MD5 algorithm:

    ${PLUGIN_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -user_cert [-pwd <pwd>] | [-auto_login_only]

  • To remove a self-signed certificate, which appears in both the trusted certificate list and the certificate request list:

    ${PLUGIN_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -trusted_cert [-pwd <pwd>] | [-auto_login_only]
    ${PLUGIN_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -cert_req [-pwd <pwd>] | [-auto_login_only]

  • To remove a trusted certificate signed using the MD5 algorithm:

    ${PLUGIN_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -trusted_cert [-pwd <pwd>] | [-auto_login_only]

  • To remove a certificate request signed using the MD5 algorithm:

    ${PLUGIN_HOME}/bin/orapki wallet remove -wallet <wallet_location> -dn 'DN_string' -cert_req [-pwd <pwd>] | [-auto_login_only]

Adding a Self-Signed User Certificate Signed with a SHA-2 Algorithm

Use the following command to replace a self-signed user certificate signed using the MD5 algorithm with a self-signed certificate signed using a SHA-2 algorithm in the wallet:

${PLUGIN_HOME}/bin/orapki wallet add -wallet <wallet_location> -dn 'DN_string' -keysize 2048 -sign_alg sha256 -self_signed -validity 9125 [-pwd <pwd>] | [-auto_login_only]

Updating an Existing Certificate Authority-Signed User Certificate That Uses the MD5 Algorithm

Contact the certificate authority to obtain a user certificate signed using a SHA-2 signature algorithm, then replace the existing user certificate with it:

${PLUGIN_HOME}/bin/orapki wallet add -wallet <wallet_location> -user_cert -cert <certificate_file> [-pwd <pwd>] | [-auto_login_only]

Updating Existing Trusted Certificates Signed Using the MD5 Algorithm

If any trusted certificate imported in your wallet is signed using the MD5 signature algorithm, update the certificate of the corresponding back-end WebLogic Server to use a SHA-2 signature algorithm. Once updated, replace the MD5 trusted certificate in your wallet with the updated certificate:

${PLUGIN_HOME}/bin/orapki wallet add -wallet <wallet_location> -trusted_cert -cert <certificate_file> [-pwd <pwd>] | [-auto_login_only]

Enabling Support for Certificates Signed with the MD5 Algorithm

Note:

Certificates signed using the MD5 algorithm are not recommended, because MD5 is a compromised algorithm. To continue using certificates signed using the MD5 algorithm, set the ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES=1 environment variable.

Set the environment variable in the plug-in:

  • Oracle HTTP Server plug-in: Add environment.ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES=1 in DOMAIN_HOME/config/fmwconfig/components/OHS/instances/instanceName/ohs.plugin.nodemanager.properties.

  • Apache plug-in: Add export ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES=1 in $APACHE_HOME/bin/envvars.

  • IIS plug-in: Add ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES=1 as a system environment variable.

Configuring Perimeter Authentication

Use perimeter authentication to secure WebLogic Server applications that are accessed by using the plug-in.

A WebLogic Identity Assertion Provider authenticates tokens from outside systems that access your WebLogic Server application, including users who access your WebLogic Server application through the plug-in. Create an Identity Assertion Provider that will safely secure your plug-in as follows:

  1. Create a custom Identity Assertion Provider on your WebLogic Server application. See How to Develop a Custom Identity Assertion Provider in Developing Security Providers for Oracle WebLogic Server.
  2. Configure the custom Identity Assertion Provider to support the Cert token type and make Cert the active token type. See How to Create New Token Types in Developing Security Providers for Oracle WebLogic Server.
  3. Set clientCertProxy to True in the web.xml deployment descriptor file for the Web application (or, if using a cluster, optionally set the Client Cert Proxy Enabled attribute to true for the whole cluster in the Administration Console: Cluster, then Configuration, then General tab).

    The clientCertProxy attribute can be used with a third-party proxy server, such as a load balancer or an SSL accelerator, to enable two-way SSL authentication. For more information about the clientCertProxy attribute, see context-param in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.

  4. Once you have set clientCertProxy, be sure to use a connection filter to ensure that WebLogic Server accepts connections only from the machine on which the plug-in is running. See Using Network Connection Filters in Developing Applications with the WebLogic Security Service.
  5. Web server plug-ins require a trusted Certificate Authority file to use SSL between the plug-in and WebLogic Server. See Using SSL with Plug-Ins for the steps you need to perform to configure SSL.

See Identity Assertion Providers in Developing Security Providers for Oracle WebLogic Server.