What is SSL and How to Configure SSL, Keystores and Certificates in Oracle Weblogic Server

Captions
Hello everyone, Prasad Domala here. Today I will be discussing SSL, keystores and certificates. These SSL keystores and certificates can be quite confusing if you don't get the basics right. In this video I will try to explain some of those basic concepts and will show you a demo on how to create and configure keystores and certificates in the Fusion Middleware context. You can always apply these concepts to any web server or application server with minor differences in the configuration process. Please do have a look at my blog on this topic for step-by-step instructions on the commands I will be using in this video, along with screenshots. I'll leave the link in the description, or you can click on the information icon in the top right corner of this video.

Before starting, let me tell you that you'll be able to answer these questions when you finish watching this video: first, what is SSL? What are the capabilities of SSL? What are public keys and private keys? What is a keystore, and what are the available keystore types? What are certificates and the available certificate types? And finally, how to configure keystores and certificates for Oracle WebLogic Server using keytool and Fusion Middleware Control, or EM console.

Let's start with the SSL and keystores overview. SSL is an acronym for Secure Sockets Layer, and it is an industry standard for securing communications between client and server. In most cases the client will be a web browser and the server will be an application server like WebLogic or a web server like Apache and OHS.

Let's see what SSL is capable of doing. It mainly performs three functions. Number one, it is capable of encrypting the data that's being transferred between client and server. There are many encryption algorithms supported by SSL, like RSA, DES, AES and so on; RSA is the most commonly used algorithm. Number two, it is responsible for maintaining data integrity by making sure that the data is not tampered with during the communication process. This data integrity is maintained by generating a digest using hash functions. In this process the client hashes the message and sends the result, which is called the digest, to the server. On the server side, the server also generates the digest using the same hash function and compares the resulting digest, and obviously the message is untampered if the digests match. SHA-1 is the commonly used hash function in SSL, and it's practically impossible to generate identical digests for different messages. And finally, it is responsible for mutually authenticating client and server, which prevents unintended data transfers. When the client initiates the SSL session, the server sends the digital certificate signed by a third-party certification authority to the client, and the client verifies the trust or root certificate in the certificate chain. The third-party CA, that is, certification authority, guarantees that the certificate is valid. If the root certificate is not in the browser's trust store, or if the certificate is expired, then the SSL communication will not happen and the browser complains that the certificate is not valid. These are the three main capabilities or functionalities of SSL.

Now let me briefly explain public keys and private keys. Private key, as the name suggests, is a secret key. It is also called a symmetric key. In private key cryptography, or symmetric key cryptography, the same key is used to encrypt and decrypt the messages, so the client and server should have the same copy of the private key for encryption and decryption purposes. This type of cryptography is faster and obviously is more common when huge data transfers are involved. Public key, on the other hand, is public and is commonly wrapped into the digital certificate, and each public key will have an associated private key. Messages encrypted using a public key can only be decrypted using the associated private key, and vice versa. In public key cryptography, or asymmetric key cryptography, when the client initiates the SSL session, the server sends the certificate to the client along with the public key. Before encrypting and sending the message, the client verifies the server's authenticity using the CA's digital signature on the certificate. Once authenticated, the message is encrypted using the embedded public key and sent to the server, where it is decrypted using the associated private key, which is kept secret and never revealed to anyone except the server or the owner. You can have either one-way or two-way SSL. In one-way SSL only the server is authenticated by the client, and in two-way SSL both client and server authenticate each other, where the client too should have a certificate installed. One-way SSL is more common in internet-based websites or web applications. That's about private keys and public keys.

Now let's talk about keystores. There are two keystore providers: JKS, that is Java KeyStore, and Oracle Wallet, or KSS, that is Oracle Keystore Service. KSS is used for Oracle WebLogic Server and all applications deployed on WebLogic Server, including SOA Suite, Oracle WebCenter, Oracle Virtual Directory, Oracle Identity and Access Management and so on, and Oracle Wallet is used for Oracle HTTP Server, OID, that is Oracle Internet Directory, and Oracle Web Cache. Coming to the keystore types, we have identity store and trust store. Identity store holds the private key and digital certificates, commonly called server certificates, and trust store holds certification authorities' trust certificates; these can be root or intermediate certificates in the certificate chain. You can store the private key, server certificates and trust certificates in a single store, but it's advisable to use different keystores for identity and trust in production environments because these have different security requirements. Identity store should be more secure as it holds sensitive information like the server's private key, but trust store can be less secure as it holds publicly available trust or root certificates. So generally it is a good idea not to combine these two stores in production environments. Okay, that's a brief overview of SSL and keystores.

Next I will show you how to manage keystores in the Fusion Middleware context. So this is my VMware, where I have my WebLogic Server 12c installed and have my domain created along with the EM template. I have my domain started; let me access the EM console now. It's running on my 7001 port, /em. If you have worked with the 11g versions you will notice that the look and feel is completely changed. I'll let you navigate through different sections on the console to make yourself familiar with the new console. So I'm logging in with my WebLogic ID. This is my EM console's home page. To create a new keystore you need to go to WebLogic Domain, then Security and Keystore. Here you can see some default or demo keystores already created under the system stripe. Stripes are nothing but a unique reference which holds your keystores. You can either create a new application stripe for your new keystore or use an existing application stripe. I am creating my keystore inside the system stripe, so click on Create Keystore. Here, provide a name for your keystore; I'll call it mytestkeystore. For protection you have policy-based or password-based. You can use policy-based if you have integrated your WebLogic domain with Oracle Platform Security Services, which is a central security management service. Here I will use password-based. Keep this password safe, as you cannot reset it if you lose it; it can only be changed using the old password. Provide your keystore password. Here you have an option to grant permissions to this keystore using a code base URL; for demo purposes I am not using it. Click OK here, so our keystore is now created under the system stripe, as you can see. If you are doing this in production environments you can create two separate stores for your identity and trust and name them accordingly.

Next we need to generate a key pair. A key pair is a public key and private key combination signed using a demo certification authority. So select your newly created keystore and click Manage. Here you need to provide your password. As you can see we don't have any key pairs here, so select Generate Keypair. Here you need to provide details specific to your key pair. For alias I'll give it as mytestalias; common name I'll just call mytestkey; OU, you call it test; O, test organization; city, test city; country, United Kingdom. Then you can select the key type here; the default is RSA, so I am selecting the default one. Next you can specify the key size. You have different options for key size; you can go with the default value, that is 2048. Then you need to provide the password of your keystore and click OK. Now your key pair is created, as you can see. These are the details of your keystore.

Next you need to generate a CSR, that is a certificate signing request, which you need to send to a third-party certification authority. So select your key pair, click Generate CSR and provide the password. This is how a CSR looks. You can copy this content into a text file, or you can save the CSR into a text file by clicking on Export CSR, which you need to send to a third-party certification authority. Once the data is verified by the certification authority, it issues two things: a root certificate and a server-specific digital certificate. The root certificate should be imported into your trust store and the server certificate should be imported into your identity store, if you have two separate stores for your trust and identity. So I am closing this here. Once you receive the certificates from the third-party certification authority you can import them by clicking the Import button here. It will ask you what type of certificate you are trying to import, so you can either import a trusted certificate or a server's digital certificate. Then you need to provide the alias; it will list the available aliases, so you need to select the same alias which you used to generate your CSR, otherwise your certificate will not be imported. Then you need to provide the password for your alias. For server digital certificates you have two options: you can either paste the certificate directly into this text box, or select the second option and specify the location of your received trust or digital certificates. Here I am not importing anything as I don't have any third-party certificates, but this is how you import your certificates when you receive them from your third-party certification authority. So that's how you manage your keystores and certificates using Fusion Middleware Control, or EM console.

Now let's see how you can perform the same steps using Java keytool. Before executing keytool, make sure your Java environment is set properly; make sure the Java executable is added to the PATH. Mine is already added. You can check the path of the keytool utility as well. keytool is a utility that comes along with your JDK which can be used to create and manage JKS-based keystores. The first step is to create a keystore and generate a key pair. When we used the EM console previously this was done in two steps, but keytool does it in a single step. So the command is keytool -genkeypair, then you need to provide your alias, so I am giving -alias mytestalias, and then you need to provide the key algorithm, that is -keyalg; I am providing it as RSA. Then you need to provide the key size, that would be -keysize; I am giving it as 2048. Then you need to provide a name for your key pair; this name should follow the X.509 standard or LDAP standards, so I'll give -dname "CN=mycompany.com, C=GB". Then you need to provide a keystore file, so -keystore and then my file name; I will just call it mytestkeystore.jks. jks is the file extension for your Java keystore based keystores. Execute that; it will ask you to provide a password for your keystore. Confirm the password, and then it will ask you whether you want to use the same password for your keystore and the keys. I will use the same password, so just hit Enter. That's it, your keystore should be created. This is the keystore file.

If you want to view this keystore you can always execute the keytool command again with the -list option, and if you want verbose mode you can use -v, and then your keystore name, that is -keystore and then your file name, that is mytestkeystore.jks. It will ask you for the password and list all the entries in your keystore. As you can see the keystore type is JKS and our keystore has one entry, that is the new key pair which we just created; it's nothing but mytestalias, and then all the values for your key pair.

Okay, the next step is to create a certificate signing request, that is a CSR. You can do that using keytool, this time with the -certreq option, and then if you want verbose you can give -v. Then you need to provide the alias, and then you need to provide a file name where you want to store your CSR, so I will just give -file and say mycsr.csr. Then you need to provide the keystore, -keystore, again mytestkeystore.jks. This will generate the CSR and store it inside your file mycsr.csr. It will ask you for the password. Okay, so if you open your newly generated CSR you can see the content; this is how your CSR looks. You can send this to your third-party certification authority, and once you receive the trust certificates and digital certificates from your certification authority you can import them using these commands: keytool, this time -importcert, and then your file name, -file; this is the certificate file name which you received from the third-party CA, say for example mycert.cer or .pem, whatever file you received from your certification authority. Then you need to provide your alias, say mytestalias; you need to provide the same alias which you used while generating your CSR. Then you need to provide your keystore name, -keystore and then mytestkeystore.jks. This command will import your certificates into your keystore. So that's how you can create keystores and import certificates using keytool. Here I am not importing any certificates, so I'm cancelling this command.

Once the keystore is ready and the certificates are imported into the keystore, it's time to configure WebLogic Server to use the new keystores. Let me log into my WebLogic console; it will be running on 7001/console. Log in with your WebLogic ID. This is our WebLogic console home page. To configure the keystores you need to navigate to Environment, Servers, and then your admin server or managed server where you want to configure your new keystores. Here I am selecting the admin server, and then under Configuration you have a tab called Keystores. As you can see, by default WebLogic uses DemoIdentity and DemoTrust stores, which get created during the installation. Now we will change them to use our custom keystores. Before that, if you are running in production mode you need to Lock and Edit, and then click Change here. Here you have four options for keystores. The default one is Demo Identity and Demo Trust. Next you have Custom Identity and Command Line Trust; you can select this if you want to use the keystore you created as identity store and pass the trust store as a command line argument while starting your WebLogic server. Next you have Custom Identity and Custom Trust; select this if you want to use custom keystores for both identity and trust. Then you have Custom Identity and Java Standard Trust; you can select this if you want to use a custom store for identity and the JDK's inbuilt store as your trust store.

If you are not aware, the JDK comes with a default trust store that contains 90-plus trust certificates. Let me quickly show you the JDK's default trust store. It will be under your JRE lib/security directory, so let me navigate to my JRE, that's /jre/lib and then security. Here you can see a file called cacerts; this is your default trust store that comes along with your JDK. If you want to view the contents of this trust store you can always use the keytool command: keytool -list, then if you want verbose, -v, and then -keystore and then your file name, that is cacerts. It will ask you for the password; the default password for the JDK cacerts trust store is changeit, that is c-h-a-n-g-e-i-t. Once you enter it you can see the list of all the trust certificates; you can see the trust certificates from most of the third-party certification authorities. Let me grep on the alias name so that you can see the names of the certificates. I will just pass the password in the command itself, that will be -storepass changeit, then let me grep on the alias name. It will give you the list of names of your trust certificates. As you can see these are all the trust certificates that come by default with your JDK; you can see certs from Comodo and many, many other companies you know and trust, GoDaddy, VeriSign. This is the default JDK trust store.

Let me come back to the console. You can select this third option if you want to use a custom identity and the Java default trust store. Here in this case I will select the second option, Custom Identity and Custom Trust, and then click Save. Now you need to provide the details of your keystore. You have two sections here, the identity section and the trust section. The first one is the identity keystore. If you are using the keystore created using the EM console, that will be of type KSS, that is nothing but Oracle Keystore Service. This will be the syntax: you need to provide kss as the protocol, then colon slash slash, then you need to provide your application stripe name, in our case it is system, then you need to provide your keystore name, mytestkeystore; the type would be KSS, and you need to provide the password for your keystore. If you are using a JKS-based keystore, here you need to provide the absolute path of your .jks file, so in our case say /home/oracle and then mytestkeystore.jks, and the type would be JKS. If you have created a different keystore to store your trust certificates you can provide those details here; if you are using a single keystore for both identity and trust you can provide the same details in both of these sections, and then Save.

Once the keystore changes are done you have two options to activate them. If you go to Servers and then the Control tab, you have something called Restart SSL. Restart SSL activates SSL for all new connections. If you want to enable SSL for all the connections, it is always better to restart your managed server or admin server. And that's it. You now know the basic concepts of SSL and how you can configure keystores and certificates for Oracle WebLogic Server. If you have any questions please post them in the comment section, and please have a look at my blog on this topic for step-by-step instructions and screenshots; I'll leave the link in the description. Hope you liked the video and found it helpful. Please give me a thumbs up if you did, and do subscribe to my YouTube channel for more technical videos like this one. Bye for now and see you in the next one.
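The keytool workflow walked through in the video (create keystore and key pair, list entries, generate CSR, import the CA's certificates, inspect a trust store such as cacerts) as a small POSIX shell script. This is an added example, not the video author's script: it assumes keytool from a JDK is on PATH, and the alias, file names, subject and demo password are constructed placeholders. It goes one step beyond the transcript by checking that the alias exists before the CSR step, since a CSR or import under a different alias cannot be matched to the private key.

```shell
#!/bin/sh
# Added example (not from the video): the keytool workflow from the transcript
# wrapped in functions so each step can be checked before moving on.
# Assumptions: keytool (from a JDK) is on PATH; file names, alias, subject
# and the demo password below are constructed placeholders.

KS_FILE="${KS_FILE:-mytestkeystore.jks}"
KS_ALIAS="${KS_ALIAS:-mytestalias}"
# Demo-only password. In real use omit -storepass/-keypass and let keytool
# prompt, so the password does not land in shell history or `ps` output.
KS_PASS="${KS_PASS:-demo-password-change-me}"

# Step 1 (video: keytool -genkeypair): create the keystore and the key pair
# in one command. -storetype JKS keeps the type the video shows; newer JDKs
# default to PKCS12 and print a migration warning for JKS, which is harmless.
create_keypair() {
  keytool -genkeypair -alias "$KS_ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=mycompany.com, C=GB" -validity 365 \
    -storetype JKS -keystore "$KS_FILE" -storepass "$KS_PASS" -keypass "$KS_PASS"
}

# Returns 0 if the keystore holds an entry under the given alias.
# keytool -list prints one "alias, date, EntryType," line per entry and
# stores aliases in lower case, so compare case-insensitively.
has_alias() {
  keytool -list -keystore "$KS_FILE" -storepass "$KS_PASS" 2>/dev/null \
    | grep -iq "^$1,"
}

# Step 2 (video: keytool -certreq): write a CSR for the alias to a file.
# The alias must be the one used in create_keypair, otherwise the CA-issued
# certificate cannot be matched to its private key later; check first.
generate_csr() {
  csr_file="$1"
  has_alias "$KS_ALIAS" || { echo "alias $KS_ALIAS not in $KS_FILE" >&2; return 1; }
  keytool -certreq -alias "$KS_ALIAS" -file "$csr_file" \
    -keystore "$KS_FILE" -storepass "$KS_PASS" -keypass "$KS_PASS"
}

# Step 3 (video: keytool -importcert): import what the CA sends back.
# A root/intermediate goes in under its own alias (a trustedCertEntry);
# the server certificate goes in under the key pair's alias, replacing the
# self-signed certificate that -genkeypair created.
import_cert() {
  cert_file="$1"; cert_alias="$2"
  keytool -importcert -noprompt -alias "$cert_alias" -file "$cert_file" \
    -keystore "$KS_FILE" -storepass "$KS_PASS"
}

# Count trusted CA entries in a trust store, e.g. the JDK's cacerts file
# (video: keytool -list -keystore cacerts -storepass changeit | grep ...).
# Second argument is the store password; cacerts ships with "changeit".
count_trusted_certs() {
  keytool -list -keystore "$1" -storepass "${2:-changeit}" 2>/dev/null \
    | grep -c "trustedCertEntry"
}

# Stand-alone run: build a fresh keystore in a temp dir and write its CSR.
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d)
  KS_FILE="$work/$KS_FILE"
  create_keypair
  generate_csr "$work/mycsr.csr"
  head -1 "$work/mycsr.csr"   # first line of a keytool CSR: -----BEGIN NEW CERTIFICATE REQUEST-----
  has_alias "$KS_ALIAS" && echo "key pair present under alias $KS_ALIAS in $KS_FILE"
else
  echo "keytool not found on PATH; install a JDK to run this demo" >&2
fi
```

Importing the CA's server certificate with `import_cert "mycert.cer" "$KS_ALIAS"` replaces the self-signed certificate under the key pair alias; importing the root with a different alias adds a trustedCertEntry. For the WebLogic "Custom Identity and Custom Trust" setup from the video, the identity and trust material can be kept in two separate .jks files by running the functions with different KS_FILE values.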
Info
Channel: Prasad Domala
Views: 114,009
Keywords: SSL, secure sockets layer, keystores, java keystore, oracle wallet, keystore service, kss, cacerts, java trust store, java keytool, oracle weblogic server, security, em console
Id: uxWlxhrwRkA
Length: 27min 10sec (1630 seconds)
Published: Sun Apr 17 2016