
Securing WebLogic Servers Part 1 - Configuring Keystores

Posted by Theodore Williams on Aug 22, 2017 3:00:00 PM

Configuring Keystores for WebLogic Servers


This article is the first in a three-part series that details how to secure a WebLogic server.  Keystores are how a certificate is added to a WebLogic server.  There are two types of keystores: trust and identity.  A trust keystore holds the certificates of the Certificate Authorities (CAs) the server trusts; its contents are not secret, but its integrity matters, because whoever can write to it decides which CAs the server accepts.  An identity keystore holds the server's own certificate together with the private key that proves the server's identity; that private key is the sensitive part and must be protected.

Relevant Topics: Oracle DBA,  Oracle WebLogic, Keystores, WebLogic Security,  NIST SP 800-53

Oracle WebLogic ships with demo keystores (DemoIdentity.jks and DemoTrust.jks) that are adequate for exercising SSL in a test environment, but not for production: the demo CA behind them is shared by every WebLogic installation, so anyone with a copy of WebLogic can mint a certificate the demo trust store accepts.  This article details the steps for configuring keystores that can be used in a production environment to enhance Oracle WebLogic security.

Following are the variables used in this article.

Environment Variables

MW_HOME: the directory where Oracle Fusion Middleware is installed.  For this example, MW_HOME is:

/u01/app/weblogic/wls12130

WL_HOME: the directory containing the installed files needed to host a WebLogic Server.  For this example, WL_HOME is:

/u01/app/weblogic/wls/wlserver

DOMAIN_HOME: the home of the current WebLogic domain.  For this example, DOMAIN_HOME is:

/u01/app/weblogic/wls12130/user_projects/domains/base_domain

Create and Configure the Keystores

 

  1. Create keystores

 First, generate a public/private key pair and a self-signed certificate.  Set the environment by sourcing the setDomainEnv script (note the leading dot: running it as a plain command sets JAVA_HOME and PATH in a child shell that exits immediately, and keytool may then come from a different JDK than WebLogic uses).

 For example:

 [oracle@Forge wls12130]$ . $DOMAIN_HOME/bin/setDomainEnv.sh

 Decide on a directory to store the keystores and change to that directory.  For example:

 $MW_HOME/keystores

 Execute the keytool genkeypair command to generate the key pair and create a keystore.

 keytool -genkeypair -alias <private_key_alias> -keyalg RSA -keysize 2048 -dname "CN=<server_name>,OU=<Department>,O=<Organization>" -keystore identity_keystore.jks

 For example:

 [oracle@Forge wls12130]$ mkdir keystores

 [oracle@Forge wls12130]$ cd $MW_HOME/keystores

[oracle@Forge keystores]$ pwd

/u01/app/weblogic/wls12130/keystores

[oracle@Forge keystores]$ keytool -genkeypair -alias forge_private_key -keyalg RSA -keysize 2048 -dname "CN=forge.database.local,OU=Servers,O=Tech DBA Providers" -keystore identity_keystore.jks

Enter keystore password:

Re-enter new password:

Enter key password for <forge_private_key>

        (RETURN if same as keystore password):

[oracle@Forge keystores]$

 This command creates the keystore if it does not already exist.  The key pair and the self-signed certificate are placed in the keystore.

 Display the contents of the identity_keystore.jks keystore with the following command.

 [oracle@Forge keystores]$ keytool -list -v -keystore identity_keystore.jks

Enter keystore password:

 Keystore type: JKS

 Keystore provider: SUN

 Your keystore contains 1 entry

 

Alias name: forge_private_key

.

.

.

 

 

2. Obtain the Root CA certificate. There are various options here depending on organization policy.

  3. Create a Certificate Signing Request (CSR) with the following command.  (A -keysize option is sometimes seen here; keytool ignores it on -certreq, because the key size was fixed in Step 1.)  If the certificate will be presented to browsers or other current TLS clients, add -ext san=dns:<server_name> so the request carries a subjectAltName; most CAs expect the host name there rather than only in the CN.

 keytool -certreq -v -alias <private_key_alias> -file <CSR File Name> -keystore identity_keystore.jks

 For example:

 [oracle@Forge keystores]$ keytool -certreq -v -alias forge_private_key -file forge_csr -ext san=dns:forge.database.local -keystore identity_keystore.jks

Enter keystore password:

Certification request stored in file <forge_csr>

Submit this to your CA

 

  4. As directed, submit the resulting file to your Certificate Authority. The CA should return a signed certificate, usually together with its root and any intermediate CA certificates.

 

  5. Import the Root CA certificate into a trust keystore. This is the Root CA certificate obtained in Step 2.  Because -noprompt suppresses the fingerprint confirmation, verify the certificate's fingerprint against the value published by your CA (keytool -printcert -file <CA Root Cert file name>) before importing it: whatever lands in this keystore is trusted unconditionally.

 

keytool -importcert -v -noprompt -trustcacerts -alias <CA Root Cert alias> -file <CA Root Cert file name> -keystore trust_keystore.jks

 For example:

[oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias cacert -file ca.cert.pem -keystore trust_keystore.jks

 This will create the trusted keystore if it does not exist and place the CA Root certificate in the trusted keystore.

 When configuring keystores, it is important that the certificate chain from the CA Root certificate down to the signed server certificate is complete.  When an intermediate CA signed the server certificate, the intermediate's certificate must also be present in the trust keystore.  Each trusted-certificate entry holds one certificate, so give each intermediate its own alias rather than expecting a single multi-certificate file to fill the chain.  Check with your CA or organization policy to determine what is needed.  The following command imports an additional CA certificate when necessary.

 

keytool -importcert -v -noprompt -trustcacerts -alias <Chain file alias> -file <Chain file> -keystore trust_keystore.jks

 For example:

 [oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias chain -file chain.cert.pem -keystore trust_keystore.jks

 

  6. Import the Root CA certificate into the identity keystore created in Step 1. This is the Root CA certificate obtained in Step 2.  keytool needs the issuer certificates in this keystore to build the chain when the signed reply is installed in Step 7.

keytool -importcert -v -noprompt -trustcacerts -alias <CA Root Cert alias> -file <CA Root Cert file name> -keystore identity_keystore.jks

 For example:

 [oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias cacert -file ca.cert.pem -keystore identity_keystore.jks

 If necessary, import the intermediate CA certificate(s) into the identity keystore as well.  See Step 5 above for an explanation.  Execute the following command if necessary (note that it targets identity_keystore.jks, not the trust keystore).

 keytool -importcert -v -noprompt -trustcacerts -alias <Chain file alias> -file <Chain file> -keystore identity_keystore.jks

 For example:

 [oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias cachain -file ca-chain.cert.pem -keystore identity_keystore.jks

 

  7. Import the signed certificate into the identity keystore using the following command.  Because the alias already holds a private key, keytool treats the file as a certificate reply: it checks that the reply's public key matches that key, replaces the self-signed certificate, and builds the chain from the CA certificates imported in Step 6.

 keytool -importcert -v -alias <Private key alias> -file <Signed Cert file> -keystore identity_keystore.jks

 Note: The private key alias should be the same as the private key alias from Step 1.

 For example:

 [oracle@Forge keystores]$ keytool -importcert -v -alias forge_private_key -file forge.cert.pem -keystore identity_keystore.jks

 

  8. Examine the contents of the keystores.  In the identity keystore the private-key entry should now show "Certificate chain length: 2" (or more with intermediates) and the issuer of Certificate[1] should be your CA, not the server itself.

 [oracle@Forge keystores]$ keytool -list -v -keystore identity_keystore.jks

Enter keystore password:

.

.

.

 

[oracle@Forge keystores]$ keytool -list -v -keystore trust_keystore.jks

Enter keystore password:

.

.

.

 

  9. At this point the keystores are complete.  Restrict them on the file system before going further: both files should be owned by the account WebLogic runs as, and the identity keystore, which holds the private key, should be readable by that account only (for example chmod 600).  The remaining work is to configure WebLogic to use the keystores.
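 The whole procedure as one runnable script, added here as an example and not part of the original post or of Oracle's tooling.  It assumes a JDK keytool on the PATH, stands in for the CA with a locally generated CA key and keytool -gencert so that it runs offline (a production CSR goes to your real CA instead), passes -storetype JKS explicitly because JDK 9 and later default to PKCS12, requests a subjectAltName, and finishes with the Step 8 checks as functions rather than as output to be read by eye.  The server name, aliases, directory and password are demo values, overridable through the environment.

```shell
#!/bin/sh
# Added example (not from the original post): builds the identity and trust
# keystores from the walkthrough end to end with keytool, then verifies them.
# ASSUMPTION: the CA is a stand-in created locally with `keytool -gencert`
# so the script runs offline; in production the CSR goes to your real CA.
set -eu

SERVER_NAME="${SERVER_NAME:-forge.database.local}"
KEY_ALIAS="${KEY_ALIAS:-forge_private_key}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
IDENTITY="$WORKDIR/identity_keystore.jks"
TRUST="$WORKDIR/trust_keystore.jks"
CA_STORE="$WORKDIR/ca.jks"
# Demo-only password. For a real run use -storepass:env VAR or
# -storepass:file PATH so the secret never appears in `ps` output.
STOREPASS="${STOREPASS:-changeit-demo}"

# keytool with the store type pinned to JKS (JDK 9+ defaults to PKCS12).
kt() { keytool "$@" -storetype JKS -storepass "$STOREPASS"; }

build_keystores() {
  rm -f "$IDENTITY" "$TRUST" "$CA_STORE"

  # Step 1: key pair and self-signed certificate in the identity keystore.
  kt -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
     -dname "CN=$SERVER_NAME,OU=Servers,O=Tech DBA Providers" \
     -keypass "$STOREPASS" -keystore "$IDENTITY"

  # Step 3: CSR. The SAN is what TLS clients match the host name against;
  # a CN-only certificate is rejected by current browsers.
  kt -certreq -alias "$KEY_ALIAS" -file "$WORKDIR/$SERVER_NAME.csr" \
     -ext "san=dns:$SERVER_NAME" -keystore "$IDENTITY"

  # Steps 2 and 4, stand-in: a local CA key signs the CSR (demo only).
  kt -genkeypair -alias demo_ca -keyalg RSA -keysize 2048 -validity 3650 \
     -dname "CN=Demo Issuing CA,O=Tech DBA Providers" -ext bc:c \
     -keypass "$STOREPASS" -keystore "$CA_STORE"
  kt -exportcert -rfc -alias demo_ca -file "$WORKDIR/ca.cert.pem" \
     -keystore "$CA_STORE"
  kt -gencert -alias demo_ca -rfc -validity 365 -ext "san=dns:$SERVER_NAME" \
     -infile "$WORKDIR/$SERVER_NAME.csr" \
     -outfile "$WORKDIR/$SERVER_NAME.cert.pem" -keystore "$CA_STORE"

  # Step 5: CA certificate into the trust keystore (one cert per alias).
  kt -importcert -noprompt -alias cacert -file "$WORKDIR/ca.cert.pem" \
     -keystore "$TRUST"
  # Step 6: the same CA certificate into the identity keystore, so keytool
  # can complete the chain when the signed reply is installed.
  kt -importcert -noprompt -alias cacert -file "$WORKDIR/ca.cert.pem" \
     -keystore "$IDENTITY"
  # Step 7: the signed certificate goes under the private-key alias; keytool
  # refuses it if the reply's public key does not match that key.
  kt -importcert -noprompt -alias "$KEY_ALIAS" \
     -file "$WORKDIR/$SERVER_NAME.cert.pem" -keystore "$IDENTITY"
}

# Step 8 checks, as functions so they can be scripted rather than eyeballed.
entry_count() {            # entry_count <keystore>  -> number of entries
  kt -list -keystore "$1" \
    | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}
chain_length() {           # chain_length <keystore> <alias> -> certs in chain
  kt -list -v -alias "$2" -keystore "$1" \
    | sed -n 's/^Certificate chain length: \([0-9][0-9]*\).*/\1/p'
}
cert_has_san() {           # cert_has_san <pem file> <dns name>
  keytool -printcert -file "$1" | grep -q "DNSName: $2"
}

main() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found: install a JDK and put it on PATH" >&2
    return 0
  fi
  build_keystores
  echo "identity entries: $(entry_count "$IDENTITY") (expect 2: key + CA)"
  echo "trust entries:    $(entry_count "$TRUST") (expect 1: CA)"
  echo "chain length for $KEY_ALIAS: $(chain_length "$IDENTITY" "$KEY_ALIAS") (expect 2)"
  cert_has_san "$WORKDIR/$SERVER_NAME.cert.pem" "$SERVER_NAME" \
    && echo "SAN present for $SERVER_NAME"
  echo "keystores written to $WORKDIR"
}

main
```

 Run it as sh weblogic_keystores.sh; set WORKDIR to $MW_HOME/keystores to produce the files where the walkthrough expects them.  The only line that differs from a real deployment is the -gencert call: replace the stand-in CA with your CA's signed reply and root certificate, keep everything else, and the three checks at the end remain the acceptance test for the result.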

 


 

Topics: Oracle DBA, Oracle Database Administration, WebLogic, NIST SP 800-53, WebLogic Security, Keystores
