
AIMSTAR Blog

Securing WebLogic Servers Part 1 - Configuring Keystores

Posted by Theodore Williams on Aug 22, 2017 3:00:00 PM

Configuring Keystores for WebLogic Servers


This article is the first in a three-part series on securing a WebLogic server.  Keystores are how a certificate and its private key are supplied to a WebLogic server, and WebLogic uses two kinds.  The trust keystore holds the certificates of the Certificate Authorities (CAs) that the server will accept when it validates a peer; it contains no secrets.  The identity keystore holds the server's own certificate, the CA chain leading to it, and the server's private key.  The private key is the sensitive part: anyone who obtains it can impersonate the server.

Relevant Topics: Oracle DBA, Oracle WebLogic, Keystores, WebLogic Security, NIST SP 800-53

Oracle WebLogic ships with demonstration keystores (DemoIdentity.jks and DemoTrust.jks under $WL_HOME/server/lib) that let you exercise SSL in a test environment.  Their passphrases are published in Oracle's documentation, so the demo private key is effectively public, and a server using it proves nothing about its identity.  This article details the steps for creating and populating identity and trust keystores that can be used in a production environment to enhance Oracle WebLogic security.

Following are the variables used in the article.

Environment Variables

MW_HOME: the location where Oracle Fusion Middleware is installed.  For this example, MW_HOME is:

/u01/app/weblogic/wls12130

WL_HOME: the location of the installed files needed to host a WebLogic Server.  For this example, WL_HOME is:

/u01/app/weblogic/wls/wlserver

DOMAIN_HOME: the home of the current WebLogic domain.  For this example, DOMAIN_HOME is:

/u01/app/weblogic/wls12130/user_projects/domains/base_domain

Create and Configure the Keystores

 

  1. Create keystores

 First, generate a public/private key pair and a self-signed certificate.  Set the environment by sourcing the setDomainEnv script; it puts the JDK that WebLogic runs on (and therefore its keytool) on the PATH.  Run it with a leading dot so the variables remain in the current shell.

 For example:

 $ . $DOMAIN_HOME/bin/setDomainEnv.sh

 Decide on a directory to store the keystores and change to that directory.  For example:

 $MW_HOME/keystores

 Execute the keytool genkeypair command to generate the key pair and create a keystore.  When prompted, the key password may be the same as the keystore password; WebLogic needs both values later, when the keystore is configured, so record whichever choice you make.

 keytool -genkeypair -alias <private_key_alias> -keyalg RSA -keysize 2048 -dname "CN=<server_name>,OU=<Department>,O=<Organization>" -keystore identity_keystore.jks

 For example:

 $ cd $MW_HOME
 $ mkdir keystores
 $ cd keystores
 $ pwd
 /u01/app/weblogic/wls12130/keystores
 $ keytool -genkeypair -alias forge_private_key -keyalg RSA -keysize 2048 -dname "CN=forge.database.local,OU=Servers,O=Tech DBA Providers" -keystore identity_keystore.jks
 Enter keystore password:
 Re-enter new password:
 Enter key password for <forge_private_key>
         (RETURN if same as keystore password):
 $

 This command creates the keystore if it does not already exist.  The key pair and the self-signed certificate are placed in the keystore.

 Display the contents of the identity_keystore.jks keystore with the following command.

 $ keytool -list -v -keystore identity_keystore.jks
 Enter keystore password:

 Keystore type: JKS
 Keystore provider: SUN

 Your keystore contains 1 entry

 Alias name: forge_private_key
 ...


 

  2. Obtain the Root CA certificate.  There are various options here depending on organization policy: an internal PKI team will normally hand over the root (and any intermediate) certificates together with the signed server certificate, while a public CA publishes them on its web site.  Whichever route you take, record the root certificate's SHA-256 fingerprint from a source independent of the file you received; it is compared in step 5.

  3. Create a Certificate Signing Request (CSR) with the following command.  The key size was fixed when the pair was generated in step 1; -certreq signs the request with that existing key.

 keytool -certreq -v -alias <private_key_alias> -file <CSR File Name> -keystore identity_keystore.jks

 If clients must match the certificate on the host name (browsers and most modern TLS clients ignore the CN and look only at the Subject Alternative Name), add -ext "SAN=dns:<server_name>" so the request carries the SAN.  Whether the CA honours extensions in a CSR is up to the CA; confirm with your CA.

 For example:

 $ keytool -certreq -v -alias forge_private_key -file forge_csr -keystore identity_keystore.jks
 Enter keystore password:
 Certification request stored in file <forge_csr>
 Submit this to your CA

 

  4. Submit the resulting file to your Certificate Authority as directed.  The CA returns a signed certificate, usually together with its root and any intermediate certificates.

 

  5. Import the Root CA certificate into the trust keystore.  This is the Root CA certificate obtained in step 2.

keytool -importcert -v -trustcacerts -alias <CA Root Cert alias> -file <CA Root Cert file name> -keystore trust_keystore.jks

 For example:

 $ keytool -importcert -v -trustcacerts -alias cacert -file ca.cert.pem -keystore trust_keystore.jks

 This creates the trust keystore if it does not exist and places the CA Root certificate in it.  Without -noprompt, keytool prints the certificate's owner, issuer and fingerprints and asks whether to trust it; compare the SHA-256 fingerprint with the value recorded in step 2 before answering yes.  Add -noprompt only when that comparison has already been made (for example by a script); otherwise whatever file happens to be called ca.cert.pem becomes a trust anchor for the server.

 When configuring keystores, the certificate chain from the CA Root certificate to the signed certificate must be complete.  When an intermediate CA signed the server certificate, the intermediate certificate must be in the trust keystore as well.  A JKS trusted-certificate entry holds exactly one certificate, and importing a multi-certificate chain file under a single alias stores only the first certificate in the file, so import each intermediate separately under its own alias.  Once the root is present, an intermediate signed by it chains to an existing entry and keytool imports it without prompting.  Check with your CA or organization policy to determine what is necessary.

keytool -importcert -v -trustcacerts -alias <Intermediate CA alias> -file <Intermediate CA cert file> -keystore trust_keystore.jks

 For example:

 $ keytool -importcert -v -trustcacerts -alias intermediate -file intermediate.cert.pem -keystore trust_keystore.jks

 

  6. Import the Root CA certificate into the identity keystore created in step 1, again using the certificate obtained in step 2.  keytool uses the trusted entries in this keystore (and, with -trustcacerts, the JDK's cacerts file) to validate the CA's reply in step 7, so the chain must be present here too.

keytool -importcert -v -trustcacerts -alias <CA Root Cert alias> -file <CA Root Cert file name> -keystore identity_keystore.jks

 For example:

 $ keytool -importcert -v -trustcacerts -alias cacert -file ca.cert.pem -keystore identity_keystore.jks

 If there is an intermediate CA, import its certificate into the identity keystore as well, one alias per certificate as explained in step 5.  Note the keystore name: this command targets identity_keystore.jks, not trust_keystore.jks.

 keytool -importcert -v -trustcacerts -alias <Intermediate CA alias> -file <Intermediate CA cert file> -keystore identity_keystore.jks

 For example:

 $ keytool -importcert -v -trustcacerts -alias intermediate -file intermediate.cert.pem -keystore identity_keystore.jks

 

  7. Import the signed certificate into the identity keystore using the following command.

 keytool -importcert -v -alias <Private key alias> -file <Signed Cert file> -keystore identity_keystore.jks

 Note: The alias must be the private key alias from step 1.  Because that alias is a key entry, keytool treats the file as a CA reply, builds the chain from it to a trusted entry imported in step 6, and stores the full chain under the alias in place of the self-signed certificate.  If keytool reports that it failed to establish a chain from the reply, a root or intermediate certificate is missing from the identity keystore; import it and repeat this step.

 For example:

 $ keytool -importcert -v -alias forge_private_key -file forge.cert.pem -keystore identity_keystore.jks

 

  8. Examine the contents of the keystores.

 $ keytool -list -v -keystore identity_keystore.jks
 Enter keystore password:
 ...

 $ keytool -list -v -keystore trust_keystore.jks
 Enter keystore password:
 ...

 In the identity keystore, the server's alias should now show Entry type: PrivateKeyEntry with a Certificate chain length greater than one, and the first certificate in the chain should name the CA as issuer rather than being self-signed.  The trust keystore should contain only trustedCertEntry entries; a private key does not belong in it.

 

  9. At this point the keystores are configured, and the next step is to configure WebLogic to use them.  Before doing so, restrict access to the identity keystore file (for example, chmod 600, owned by the account that runs WebLogic): the keystore password only provides an integrity check, and the proprietary JKS key-protection scheme is not a strong cipher, so the file itself must be treated as the secret.  The trust keystore contains nothing sensitive and can be readable by other accounts.
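The following script is an added example and is not code from the original post.  It carries steps 1 to 8 above through in one place, using the article's host name, aliases and file names, and adds the checks the steps call for: the root certificate is imported with -noprompt only after its SHA-256 fingerprint matches a value obtained out of band, a chain bundle is split so that each CA certificate gets its own alias, and the finished identity entry is verified to be a private-key entry with a complete chain.  It assumes keytool from JDK 8 on the PATH (after sourcing $DOMAIN_HOME/bin/setDomainEnv.sh), the CA reply in forge.cert.pem, the CA chain in ca-chain.cert.pem with the root certificate last, the environment variable ROOT_CA_SHA256 holding the root's fingerprint, and KS_PASS holding the keystore and key password (read with -storepass:env so it never appears on a command line).  The aliases ca-root and ca-int-N, the ca-part-N.pem working files, and the request/install entry points are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes JDK 8 keytool on
# PATH, the CA reply in forge.cert.pem, the chain in ca-chain.cert.pem (root
# LAST), ROOT_CA_SHA256 = root fingerprint obtained out of band, and KS_PASS =
# keystore/key password. Usage: sh build_keystores.sh request   (steps 1, 3)
#                               sh build_keystores.sh install   (steps 5 to 8)
set -e
HOST=forge.database.local
KEY_ALIAS=forge_private_key
IDENTITY=identity_keystore.jks
TRUST=trust_keystore.jks

# keytool -ext argument naming every host name given as a DNS SAN.
san_ext() {
    list=""
    for name in "$@"; do list="${list:+$list,}dns:$name"; done
    printf 'SAN=%s\n' "$list"
}

# Normalise a fingerprint for comparison: no colons, upper case.
norm_fp() { printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'; }

# Split a PEM bundle into <prefix>-1.pem, <prefix>-2.pem ... and print the
# count. A JKS trusted-certificate entry holds one certificate, so each member
# of a chain must be imported under its own alias.
split_pem_bundle() {   # bundle prefix
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }' "$1"
}

# Constructed two-certificate bundle (placeholder bodies, not real
# certificates) so split_pem_bundle can be exercised offline.
write_demo_bundle() {  # path
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdemoIntermediate' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'MIIBdemoRoot' '-----END CERTIFICATE-----' > "$1"
}

# Read "keytool -list -v" output on stdin; succeed only for a private-key
# entry whose chain holds at least two certificates (server plus CA).
check_identity_listing() {
    awk '/Entry type:/ { t = $3 }
         /Certificate chain length:/ { n = $4 + 0 }
         END { if (t == "PrivateKeyEntry" && n >= 2) exit 0; exit 1 }'
}

# Import a root only after its fingerprint matches the out-of-band value;
# that is the one case in which -noprompt is justified.
import_root_checked() {  # file keystore alias expected_sha256
    got=$(keytool -printcert -file "$1" | awk '/SHA256:/ { print $2 }')
    if [ "$(norm_fp "$got")" != "$(norm_fp "$4")" ]; then
        echo "fingerprint mismatch for $1: $got" >&2; return 1
    fi
    keytool -importcert -v -noprompt -alias "$3" -file "$1" \
        -keystore "$2" -storepass:env KS_PASS
}

# Root first (checked), then intermediates nearest the root first; each one
# chains to an entry already present, so keytool imports it without asking.
install_chain() {        # keystore
    n=$(split_pem_bundle ca-chain.cert.pem ca-part)
    import_root_checked "ca-part-$n.pem" "$1" ca-root "$ROOT_CA_SHA256"
    i=$((n - 1))
    while [ "$i" -ge 1 ]; do
        keytool -importcert -v -alias "ca-int-$i" -file "ca-part-$i.pem" \
            -keystore "$1" -storepass:env KS_PASS
        i=$((i - 1))
    done
}

do_request() {
    # Step 1: key pair; the placeholder self-signed certificate gets the SAN too.
    keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "CN=$HOST,OU=Servers,O=Tech DBA Providers" \
        -ext "$(san_ext "$HOST")" -storetype JKS -keystore "$IDENTITY" \
        -storepass:env KS_PASS -keypass:env KS_PASS
    # Step 3: CSR carrying the SAN (whether the CA honours it is its decision).
    keytool -certreq -v -alias "$KEY_ALIAS" -file forge_csr \
        -ext "$(san_ext "$HOST")" -keystore "$IDENTITY" -storepass:env KS_PASS
}

do_install() {
    # Steps 5 and 6: CA chain into both keystores, one alias per certificate.
    install_chain "$TRUST"
    install_chain "$IDENTITY"
    # Step 7: the reply replaces the self-signed certificate under the key
    # alias; keytool rejects it unless it chains to an entry imported above.
    keytool -importcert -v -alias "$KEY_ALIAS" -file forge.cert.pem \
        -keystore "$IDENTITY" -storepass:env KS_PASS -keypass:env KS_PASS
    # Step 8: verify, then lock down the one file that holds a secret.
    keytool -list -v -alias "$KEY_ALIAS" -keystore "$IDENTITY" \
        -storepass:env KS_PASS | check_identity_listing \
        || { echo "identity keystore chain incomplete" >&2; return 1; }
    chmod 600 "$IDENTITY"
}

case "${1:-}" in
    request) do_request ;;
    install) do_install ;;
esac
```

The two entry points mirror the pause in the procedure: request runs before the CSR goes to the CA, install runs once the reply and chain files are in the working directory.  Because ca-chain.cert.pem is split and imported one certificate per alias, the "only the first certificate is stored" trap of importing a bundle under one alias cannot occur, and because the root is checked against ROOT_CA_SHA256 before -noprompt is used, the trust anchor is never taken on faith from the file system.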

 
