What
is SSL?
SSL (Secure Sockets Layer)
is the standard security technology for establishing an encrypted link between
a web server and a browser. This link ensures that all data passed between the
web server and browsers remain private and integral. SSL is an industry
standard and is used by millions of websites in the protection of their online
transactions with their customers.
To be able to create an SSL
connection a web server requires an SSL Certificate. When you choose to
activate SSL on your web server you will be prompted to complete a number of
questions about the identity of your website and your company. Your web server
then creates two cryptographic keys - a Private Key and a Public Key.
The Public Key does not need
to be secret and is placed into a Certificate Signing Request (CSR) - a data
file also containing your details. You should then submit the CSR. During the
SSL Certificate application process, the Certification Authority will validate
your details and issue an SSL Certificate containing your details and allowing
you to use SSL. Your web server will match your issued SSL Certificate to your
Private Key. Your web server will then be able to establish an encrypted link
between the website and your customer's web browser.
The complexities of the SSL
protocol remain invisible to your customers. Instead their browsers provide
them with a key indicator to let them know they are currently protected by an
SSL encrypted session - the lock icon in the lower right-hand corner, clicking
on the lock icon displays your SSL Certificate and the details about it. All
SSL Certificates are issued to either companies or legally accountable
individuals.
Typically an SSL Certificate
will contain your domain name, your company name, your address, your city, your
state and your country. It will also contain the expiration date of the Certificate
and details of the Certification Authority responsible for the issuance of the
Certificate. When a browser connects to a secure site it will retrieve the
site's SSL Certificate and check that it has not expired, it has been issued by
a Certification Authority the browser trusts, and that it is being used by the
website for which it has been issued. If it fails on any one of these checks
the browser will display a warning to the end user letting them know that the
site is not secured by SSL.
What is SSL/TLS Certificate?
SSL or TLS (Transport
Layer Security) certificates are data files that bind a cryptographic key
to the details of an organization. When SSL/TLS certificate is installed on a
web server, it enables a secure connection between the web server and the
browser that connects to it. The website's URL is prefixed with
"https" instead of "http" and a padlock is shown on the
address bar. If the website uses an extended validation (EV) certificate, then
the browser may also show a green address bar.
What is SSL used for?
The SSL
protocol is used by millions of online business to protect their
customers, ensuring their online transactions remain confidential. A web page
should use encryption when it expects users to submit confidential
data, including personal information, passwords, or credit card details. All
web browsers have the ability to interact with secured sites so long as the
site's certificate is issued by a trusted CA.
Why do I need SSL certificate?
The internet has spawned new
global business opportunities for enterprises conducting online commerce.
However, that growth has also attracted fraudsters and cyber criminals who are
ready to exploit any opportunity to steal consumer bank account numbers and
card details. Any moderately skilled hacker can easily intercept and read the
traffic unless the connection between a client (e.g. internet browser) and a
web server is encrypted.
How Does SSL Certificate Work?
The following graphic
explains how SSL Certificate works on a website. The process of how
an 'SSL handshake' takes place is explained below:
·
An end-user asks their browser to make a secure
connection to a website (e.g.https://www.example.com)
·
The browser obtains the IP address of the site from
a DNS server then requests a secure connection to the website.
·
To initiate this secure connection, the browser
requests that the server identifies itself by sending a copy of its SSL
certificate to the browser.
·
The browser checks the certificate to ensure:
·
That it is signed by a trusted CA
·
That it is valid - that it has not expired or been
revoked
·
That it confirms to required security standards on
key lengths and other items.
·
That the domain listed on the certificate matches
the domain that was requested by the user.
·
When the browser confirms that the website can be
trusted, it creates a symmetric session key which it encrypts with the public
key in the website's certificate. The session key is then sent to the web
server.
·
The web server uses its private key to decrypt the
symmetric session key.
·
The server sends back an acknowledgement that is
encrypted with the session key.
·
From now on, all data transmitted between the server
and the browser is encrypted and secure.
Keystore
& SSL Configuration
Workaround to java/ ssl bug 1016361
Due to bug
https://bugzilla.redhat.com/show_bug.cgi?id=1016361 that also seems to concern
jrockit, we need to adjust setDomainEnv.sh from
JAVA_OPTIONS="${JAVA_OPTIONS}"
to
JAVA_OPTIONS="-Djava.security.egd=file:/dev/./urandom
${JAVA_OPTIONS}"
and in /oracle/products/java/jdk/jre/lib/security/java.security
from securerandom.source=file:/dev/urandom
to
securerandom.source=file:/dev/./urandom
Custom Keystore with Authorized CA Certificate (Verisign)
Create the Custom Keystore with
SSL Keypairs
$ keytool -genkey -alias online -keyalg RSA
-keystore online2.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: online.tieto.in
What is the name of your organizational unit?
[Unknown]: Sushil
What is the name of your organization?
[Unknown]: XXXXXXXX
What is the name of your City or Locality?
[Unknown]: PUNE
What is the name of your State or Province?
[Unknown]: MAHARASHTRA
What is the two-letter country code for this
unit?
[Unknown]: IN
Is CN= online.tieto.in, OU= Sushil, O= XXXXXXX, L= PUNE, ST= MAHARASHTRA, C=IN correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password):
Create the Certificate Request
$ keytool -certreq -alias online -keystore
online2.jks -file online2.req -validity 1460
Import the certificate and CA
in Keystore and Trustsore
Importing
the CA Certificate in Keystore
$ keytool -import -alias verisignca -keystore
online2.jks -file verisignca.cer
Importing
the Server Certificate in Keystore
$ keytool -import -alias online -keystore
online2.jks -file online2.cer
Importing
the CA Certificate in Truststore
$ keytool -import -alias verisignca -keystore Trust.jks
-file verisignca.cer
Keystore & SSL Configuration for WLS Servers
Configure Weblogic Admin Server and Managed
Servers to use the generated Custom Keystores.
Login to Weblogic Admin console
Click Lock & Edit
Navigate to : Environmentsà Serversà AdminServerà Keystoresà Click Change Button
Select the option: Custom Identity and Custom
Trust
Fill in details in Identity section
Custom Identity Keystore: ../keystore/online2.jks
Custom Identity Keystore Type: JKS
Custom Identity Passphrase: keep it same as
weblogic password (easy to remember)
Fill in details in Trust section
Custom Trust Keystore: ../keystore/truststore.jks
Custom Trust Keystore Type: JKS
Custom Identity Passphrase: keep it same as
weblogic password (easy to remember)
Save the Changes.
Now navigate to SSL Tab
Add the Private Key Alias: online
Private Key Passphrase
Repeat the same steps for all other managed
servers.
Configure IdentityAsserter to Support Client Certificate Authentication
Login to Weblogic Console
Go to Security Realms->
myrealms->Providers->DefaultIdentityAserter->Configuration->Common
Include X.509 Active Type Token
Save and Navigate to Provider Specific Tab
Provide below parameter
Default User Name Mapper Attribute Delimiter =
Trusted Client Principals = *
Default User Name Mapper Attribute Type = CN
Virtual User Allowed = Checked
Use Default User Name Mapper = Checked
Configure 2-way Client Cert Behavior in OSB
Login to Weblogic Console
Go to Environments->servers->osb_server1/2->configuration->SSL
-> Advanced
Update below Properties
Two Way Client Cert Behavior = Client Certs
Requested and Not Enforced
SSLRejection Logging Enabled= Checked
Allow Unencrypted Null Cipher = Unchecked
Configure 2-way SSL Authentication for OSB Domain
Login to Weblogic Console
Go to domains->Web Service Security->SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN->Token
Handlers->default_x509_handler
Click on UseX509ForIdentity and take edit
session
Change the value of UseX509ForIdentity from
false to true
Save the changes, activate and restart
SSL
Fixed Ciphers and SSH Restriction Setup
Add support for AES with 256 bit keys
Due to the import restrictions of some
countries, the jurisdiction policy files distributed with the JDK software have
built-in restrictions on available cryptographic strength. By default , the AES
256 cryptographic algorithm does not work with the JRE/JDK Oracle Service Bus
uses. In order to make it work, JCE Extension jars ( Java Cryptography
Extension (JCE) Unlimited Strength Jurisdiction Policy Files) should be used
for the JDK Security.
Steps:
1. Download JCE Extension jars from
2. Replace the two jars (US_export_policy.jar
& local_policy.jar) in the /jre/lib/security directory.
3. Restart the servers for the changes to take
effect.
Restricted with fixed Cipher-Suite algorithms. ID 807974.1
To restrict and specify the list of ciphers
that WLS should use, follow these steps:
Login to Linux machine sudo su – osbjava
Navigate to config.xml: located under
/oracle/products/middleware/user_projects/domains
Edit config.xml with the list of ciphers under
of a server as below. The syntax to use them is:
Add the following tag also under the
tab:
Example:
…….
......
Save the file editor and restart the all the
servers to take effect.
List of Ciphers extracted using command:
https://www.openssl.org/docs/apps/ciphers.html#COMMAND_OPTIONS
openssl ciphers –v
'ALL:!ADH:!EXP:!aNULL:!MD5:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2'
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Allowed cipher suites are set using wlst
commands
url="t3s://online.nets.eu:8400"
adminUsername="abc"
adminPassword="cde"
connect(adminUsername, adminPassword, url)
edit()
startEdit()
server = cmo.lookupServer('AdminServer')
cd('Servers')
cd('AdminServer')
cd('SSL')
cd('AdminServer')
ssl = server.getSSL()
ciphers = [‘TLS_RSA_WITH_AES_256_CBC_SHA’, ‘TLS_DHE_DSS_WITH_AES_128_CBC_SHA']
ssl.setCiphersuites(ciphers)
cd('/')
server = cmo.lookupServer('osb_server1')
cd('Servers/osb_server1/SSL/osb_server1')
ssl = server.getSSL()
ssl.setCiphersuites(ciphers)
cd('/')
server = cmo.lookupServer('osb_server2')
cd('Servers/osb_server2/SSL/osb_server2')
ssl = server.getSSL()
ssl.setCiphersuites(ciphers)
save()
activate()
disconnect()
exit()
0 Comments