An Odyssey of discovery

Thursday, January 17, 2008

Implementing SSL on Weblogic Web Servers

Secure Sockets Layer (SSL) and web server certificates are two of the most important components of secured web communication. While these two components are pivotal to a secured PeopleSoft implementation, a complete understanding of them remains nebulous to many PeopleSoft Administrators. In today's entry, I'll try to shed some light on the basic concepts of SSL and certificates on Weblogic web servers.

What is SSL?
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers (Wikipedia).
SSL was created by Netscape to secure transactions between web servers and browsers. The protocol uses a third party, usually called a Certificate Authority (CA), to identify one or both ends of the transaction. The following summarizes the flow of communication between the browser and the web server.

1. A browser requests a secure page, usually with a URL beginning with https://

2. The web server sends its public key with its certificate.

3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid, and that the certificate matches the site contacted.

4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, along with the encrypted URL it requires and other encrypted HTTP data.

5. The web server decrypts the symmetric key using its private key and uses that key to decrypt the URL and HTTP data.

6. The web server sends back the requested HTML document and HTTP data, encrypted with the symmetric key.

7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.


Basic SSL Terminology

Private Key/Public Key - These are encryption key pairs which ensure that data encrypted by one key can be decrypted by the other key. The key pairs reside on both the browser and the web server.

Certificates - A certificate contains all the elements needed to send an encrypted message to its owner (using the public key) or to verify a message signed by the owner of the certificate. These elements include:
• reference to the issuer
• information about the owner
• certificate usage
• duration of validity
• resource location or Distinguished Name (DN), which includes the Common Name (CN) (web site address or e-mail address depending on the usage)
• the certificate ID of the party that certifies (signs) this information
• public key
• a hash (signature) to ensure that the certificate has not been tampered with
There are two types of certificates: the Root Certificate, which is usually signed by your Certificate Authority (CA), and the Intermediate Certificate. Depending on your CA, an Intermediate Certificate might not be provided. The Intermediate Certificate provides an additional layer of security to secured communication. Usually your browser and your web server already have the Root Certificates of well-known CAs preloaded. The CA maintains a list of signed certificates as well as revoked certificates. A certificate is not secure until it is signed by a CA.

Now that we've been exposed to the key concepts of SSL and certificates, let's walk through updating an expired SSL certificate on Weblogic web servers. Updating a certificate in Weblogic is almost the same as requesting a new certificate, except that an update first requires you to delete the expired cert. The following steps describe how to update an expired certificate in Weblogic.

I. Delete expired certificate from your keystore

Use the following command to delete the expired certificate from your keystore:
pskeymanager.sh -delete -v -alias test
(where test is the alias of the cert you want deleted)

II. Generate a CSR on the web server and use it to generate the corresponding public key on the Certificate Authority's web site.

To decrypt SSL requests, your web server needs the corresponding private key. You generate a private key and a CSR, and send the CSR to the certificate authority (Verisign), which generates a corresponding public key/Trusted Certificate based on your private key information. To generate the private key, enter the following command on the web server command line and follow the prompts:
pskeymanager.sh -create -alias myprivatekey

III. Import the intermediate (Root CA) certificate into your keystore via the pskeymanager utility.

Go to the following link to obtain the intermediate/Root CA from Verisign: http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html. In this case, we are using Verisign as our CA.
Download the Intermediate certificate (Verisign requires that we obtain the Intermediate Certificate as well). When prompted, save it as Intermediate.cer and FTP it in ASCII mode to your Weblogic domain directory. Execute the following command at the prompt to import the Intermediate certificate into your keystore:
pskeymanager.sh -import -trustcacerts

When prompted for an alias, specify VerisignTestCA as the name to store this CA under. This is simply an alias for the certificate; you can use any alias you want. When prompted for the certificate file to import, specify the Intermediate.cer file.

IV. Import the public key (certificate) you receive from the certificate authority (Verisign) into your keystore via the pskeymanager utility

When you receive your certificate via email from the certificate authority (Verisign), you will see your actual certificate in the following format:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

A. Copy the certificate text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and save it as a text file called -cert.pem. Do not use MS Word to save the file; use Notepad, and FTP it in ASCII mode to the Weblogic domain directory. Make sure you remove the '.txt' that Notepad appends to the file name by renaming the file.
B. Import your certificate into your keystore:
To import your public certificate, execute the following at the prompt: pskeymanager.sh -import -trustcacerts
When prompted for a password, enter 'password'. When prompted for an alias, specify the same alias you entered when you generated the CSR. It is very important that the alias matches, otherwise the import will fail.
When prompted for the certificate file to import, specify the certificate file you saved in step A.
C. Bounce the web server.

D. Verify that the certificate is in the keystore by entering this command at the prompt: pskeymanager.sh -list -alias myprivatekey

To preview and verify the expiration date of your certificate, use the -previewfilecert -file option of pskeymanager.sh. You should see the certificate's validity, the certificate authority and the certificate's fingerprint.
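Step A is where most failed imports originate: a certificate saved from Word or mailed through a client picks up a byte-order mark, CRLF line endings or mangled dashes, and the keystore then rejects it as "not an X.509 certificate". The checker below is an added example (not part of the original post or of pskeymanager) that inspects the saved file for those defects and confirms the base64 body decodes to one complete ASN.1 SEQUENCE; the PEM sample it ships with is constructed and is not a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_total_length(der: bytes) -> int:
    """Length the outer DER header claims for the whole TLV, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:        # an X.509 Certificate is a SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:                           # short form: one length byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str) -> list:
    """Return the problems found in a saved PEM file; an empty list means it looks importable."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("starts with a UTF-8 BOM; save as plain ASCII text")
        text = text[1:]
    if "\r\n" in text:
        problems.append("CRLF line endings; transfer in ASCII mode or convert")
    if re.search(r"[\u2010-\u2015\u2018-\u201d]", text):
        problems.append("smart quotes/dashes present; file was edited in a word processor")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if BEGIN not in lines or END not in lines or lines.index(BEGIN) > lines.index(END):
        problems.append("BEGIN/END CERTIFICATE lines missing or out of order")
        return problems
    body = "".join(lines[lines.index(BEGIN) + 1:lines.index(END)])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64 (truncated or mangled paste)")
        return problems
    if der_total_length(der) != len(der):
        problems.append("decoded bytes are not one complete ASN.1 SEQUENCE; keystore will reject it")
    return problems


# Constructed sample: a minimal DER SEQUENCE wrapped as PEM, not a real certificate.
SAMPLE_PEM = BEGIN + "\nMAMCAQU=\n" + END + "\n"

if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM))                                          # []
    print(check_pem("\ufeff" + SAMPLE_PEM.replace("\n", "\r\n")))        # BOM and CRLF findings
```

Run it as `check_pem(open(path, encoding="utf-8").read())` against the file you are about to hand to pskeymanager.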

V. Reconfigure Keystore/SSL on the Weblogic console.

Log into the Weblogic administration console (http://machinename:port/console) and navigate to Servers > PIA > Keystores & SSL

· Scroll down to the SSL Configuration section and verify that the 'Private Key Alias' is the same as the alias you specified when you created the CSR in step II; otherwise change it to match. The 'Passphrase' field should be the same as the keystore password used when SSL was initially created (the default password is 'password'). Re-enter the password to be sure you're reconfiguring with the same password that is in the keystore. If the password doesn't match the keystore password, you will get a 'Cannot read private key' error message and the SSL port will not be listening when you reboot the server.

· Click on the 'Change' hyperlink to specify where to find the private key you created in step II. Remember that you need the private key, the public key and the Intermediate certificate (a.k.a. Trusted CA, Root CA, Chain Certificate) obtained from the certificate authority (Verisign) to complete an SSL handshake. You can either manage these keys (private and intermediate) on file or let the keystore manage them automatically. When you manage these keys on file, the identity and trust locations field on the SSL section of the web console should be changed to 'Files or Key Stores Providers'. This type of key management puts explicit names and locations for the keys in the config.xml file, so make sure the files exist at the locations specified there. These are the entries in the SSL section of the config.xml file: ServerCertificateFileName (public key), ServerKeyFileName (private key), TrustedCAFileName (intermediate). Click Continue, log off the web console and bounce the web server.

When you let the keystore manage these key files automatically, the identity and trust location field on the SSL section of the web console should be changed to 'Key Stores'. This type of key management instructs Weblogic to find the private and intermediate key files in the keystore, so you don't have to explicitly define their locations. Click Continue, log off the web console and bounce the web server.

Log on to the secured site to verify that SSL has been updated. Double-click the padlock icon at the bottom of the browser and verify "Issued to" and "Issued by" on the General tab. Also verify the certificate chain by clicking on the Certification Path tab. The chain should follow this pattern: Verisign Class 3 Public Primary CA (Root CA) -> www.verisign.com/CPS Incorp. by Ref. LIABILITY LTD.(c)verisign (Intermediate CA) -> (public key)
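The padlock check above can be scripted so the same verification runs after every bounce and warns before the next expiry instead of after it. This is an added example, not part of the original post: it connects the way a browser does (chain verified against the system trust store, hostname checked), reports the "Issued to" / "Issued by" names and days of validity left, and surfaces a missing intermediate or a mismatched alias as a verification error. The host name and the sample certificate dictionary are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def not_after_utc(not_after: str) -> datetime:
    """Convert the 'Jan 17 23:59:59 2009 GMT' form used by ssl.getpeercert() to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def summarize(cert: dict, now: datetime = None) -> dict:
    """Pull 'Issued to', 'Issued by' and remaining validity out of a getpeercert() dictionary."""
    now = now or datetime.now(timezone.utc)
    subject = {k: v for rdn in cert["subject"] for (k, v) in rdn}
    issuer = {k: v for rdn in cert["issuer"] for (k, v) in rdn}
    days_left = (not_after_utc(cert["notAfter"]) - now).total_seconds() / 86400
    return {
        "issued_to": subject.get("commonName"),
        "issued_by": issuer.get("commonName"),
        "days_left": days_left,
        "expired": days_left < 0,
    }


def check_site(host: str, port: int = 443, warn_days: int = 30) -> dict:
    """Handshake like a browser: verify the chain and hostname, then report expiry.
    A server that does not send its intermediate, or serves the wrong alias, fails here."""
    ctx = ssl.create_default_context()          # system CA bundle, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result = summarize(tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "error": "chain/hostname verification failed: " + e.verify_message}
    result["ok"] = not result["expired"] and result["days_left"] >= warn_days
    return result


# Constructed sample in the shape ssl.getpeercert() returns; the names are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "hrms.example.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "VeriSign Class 3 Secure Server CA"),)),
    "notAfter": "Jan 17 23:59:59 2009 GMT",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT))
    # print(check_site("hrms.example.com"))   # hypothetical PIA host; needs network access
```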

7 comments:

Unknown said...

I just chanced upon your blog.
A really good one. Appreciate the effort that you put into sequencing each step.
Looking forward to reading more posts

PSADMIN said...

Thanks. I'm encouraged.

Jack said...

Very well-written article. I am getting many problems while implementing SSL on weblogic servers. I tried a lot but keep getting the same error again and again. Let me read your tutorial and I will try it again...
digital signatures

Unknown said...

I followed the steps you have written, but in step IV the cert.pem file you have written about is not getting inserted in the keystore as it gives an error that it's not an X.508 certificate. Also I couldn't understand the last two steps. Please help

Ganesh said...

Hi PSADMIN,

We are creating an add-on product on PeopleSoft.

We are creating web services, and these web services should be secure. On Ptools 8.50, we need to configure the secure target location field in
PeopleTools > Integration Broker > Configuration > System Configuration

This is the secure URL that will be used when a CI-based web service is created.

How do we configure this field with an https link, so that the web service uses the secure target location?

Ganesh said...

How will it differ if the client has an https URL for the application or not?

Please let me know

shyam said...

Hi
I have a small doubt.
We will get the web server certificate, right? It is a public one, right? So can I make use of the same certificate to add to the digital store of the PeopleSoft client PIA in order to transfer files securely from PeopleSoft?

About Me

This blog will cover my day to day experience working as PeopleSoft Admin/DBA consultant. I will discuss pertinent technical issues, tips and architecture of PeopleSoft Infrastructure. It will also cover various PeopleTool sets, Enterprise Application modules, upgrades and industry best practice as it relates to the configuration and administration of PeopleSoft instance.
