SSL(Security Socket Layer) and Keystore
Step1:Generating the certificate:
Step2: Generate the private – public key pair
Step3: Generate a Certificate Signing Request (CSR) and send it to Certifying Authority.
Step 4: Create a identity keystore, this can be done my exporting
Step5: Create a trust keystore, this can be done my importing.
The following steps are:
Step1: Generating the certificate:
Open a command prompt and set the environment by running the setDomainEnv script.
( C:\bea9\user_projects\domains\ram_domain\bin\setDomainEnv.cmd)
Step2: Generate the private – public key pair.
For demonstration we would use keytool java utility to do so.
However we can use other utilities like openssl etc.
keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -keystore identity.jks
Step3: Generate a Certificate Signing Request (CSR) and send it to Certifying Authority.
keytool -selfcert -alias mykey -keystore identity.jks
Step 4: Create a identity keystore, this can be done my exporting
keytool -export -alias mykey -file cert.cer -keystore identity.jks
Step5: Create a trust keystore, this can be done my importing.
keytool -import -alias mykey -file cert.cer -keystore trust.jks -noprompt
To verify the contents of the keystore, you can use the below command,
keytool -list -v -keystore <keystore-name> -storepass <keystore-password>
2) Configuring the keystore on the WebLogic Server:
Step 1: Log into the Admin Console, Click on servers
Step 2: Click on Lock and Edit
Step 3: select the server on which you want to configure the SSL certificate.(Ex:ms1)
Step 4: Click on keystores
Step 5: select Custom identity and Custom trust
Identiy:
CustomIdentitykeystore:C:\bea9\user_projects\domains\sai_domain\identity.jks
Custom Identity keystore type: jks
Custom identity passphrase : Diksha@123
Trust:
Custom trust keystore: C:\bea9\user_projects\domains\sai_domain\trust.jks
Custom trust keystore type: jks
Custom trust passphrase : Diksha@123
save
Activate changes
Step 6: Click on SSL
Step 7: Enter identity
Private key alias: mykey
Privatekey passphrase : Diksha@123
save
Activate changes
To check SSL type browser https://localhost:5003(ms1 ssl portnumber)/messaging(deploying application)
Create CSF key
http://www.soawork.com/2014/02/csf-key.html
Credential Store Framework (CSF) is used in OWSM to manage the secure credentials.
CSF provides a way to store, retrieve, and delete credentials for a Web service and other applications
with a default value of basic.credentials. This credential is stored in the CSF.
SSL and SSL Certificates Explained
Secure Sockets Layer (SSL) and Transport Layer security (TLS ) are protocols that provide secure communications over a computer network or link.
· Public and Private keys
· Why we need certificates and what they do
· How to get a digital certificate and understand the different common certificate types
What is TLS
TLS is based on SSL and was developed as a replacement in response to known vulnerabilities in SSLv3.
SSL is the term commonly used, and today usually refers to TLS.
Security Provided
SSL/TLS provides data encryption, data integrity and authentication.
This means that when using SSL/TLS you can be confident that
· No one has changed your message
· You are communicating with the intended person (server)
The solutions to these problems are to:
· Encrypt it.– This makes the content unreadable so that to anyone viewing the message it is just gibberish.
· Sign it– This allows the recipient to be confident that it was you who sent the message, and that the message hasn’t been changed.
Both of these processes require the use of keys.
These keys are simply numbers (128 bit being common) that are then combined with the message using a particular method, commonly known as an algorithm- e.g. RSA, to either encrypt or sign the message.
Symmetrical Keys and Public and Private Keys
Almost all encryption methods in use today employ public and private keys.
These are considered much more secure than the old symmetrical key arrangement.
With a symmetrical key, a key is used to encrypt or sign the message, and the same key is used to decrypt the message.
This is the same as the keys (door, car keys) we deal with in everyday life.
The problem with this type of key arrangement is if you lose the key anyone who finds it can unlock your door.
Asymmetrical key is public and private key.
With Public and Private keys, two keys are used that are mathematically related (they belong as a key pair), but are different.
This means a message encrypted with a public key cannot be decrypted with the same public key.
To decrypt the message you require the private key.
Keys and SSL Certificates
SSL/TLS use public and private key system for data encryption and data Integrity.
Public keys can be made available to anyone, hence the term public.
Because of this there is a question of trust, specifically:
How do you know that a particular public key belongs to the person/entity that it claims.
For example, you receive a key claiming to belong to your bank.
How do you know that it does belong to your bank?
The answer is to use a digital certificate.
A digital certificate provides a link between a public key and an entity (business,domain name etc) that has been verified (signed) by a trusted third party ( A certificate authority)
A digital certificate provides a convenient way of distributing trusted public encryption keys.
Obtaining a Digital Certificate
You get a digital certificate from a recognized Certificate authority (CA).
Just like you get a passport from a passport office.
In fact the procedure is very similar.
You fill out the appropriate forms add your public keys (they are just numbers) and send it/them to the certificate authority. (this is a certificate Request)
The certificate authority does some checks ( depends on authority), and sends you back the keys enclosed in a certificate.
The certificate is signed by the Issuing Certificate authority, and this it what guarantees the keys.
Now when someone wants your public keys, you send them the certificate, they verify the signature on the certificate, and if it verifies, then they can trust your keys.
Q) How do I know if you have a .der or .pem encoded file?
You can use openssl tools to find the encoding type and convert between encodings. See this tutorial – DER vs. CRT vs. CER vs. PEM Certificates
Common Questions and Answers
Q- What is a trusted store?
It is a list of CA certificates that you trust. All web browsers come with a list of trusted CAs.
Q- Can I add my own CA to my browser trusted store?
Yes on Windows if you right click on the certificate you should see an install option
Q- What is a self signed certificate?
A- A self signed certificate is a certificate signed by the same entity that the certificate verifies. It is like you approving your own passport application.
Differences b/w Development and Production Env
SSL:
Development Mode: You can use the demonstration digital certificates and the demonstration keystores provided by the WebLogic Server security services. With these certificates, you can design your application to work within environments secured by SSL.
Production Mode: You must not use the demonstration digital certificates and the demonstration keystores. If you do so, a warning message is displayed.
Deploying applications:
Development Mode: WebLogic Server instances can deploy and update applications that reside in the domain_name/autodeploy directory automatically. It is recommended that this method be used only in a single-server development environment.
Production Mode: The auto-deployment feature is disabled; so, you must use the WebLogic Server administration console, the weblogic.Deployer tool, or the WebLogic Scripting Tool.
Log file rotation:
Development Mode: By default, when you start the WebLogic Server instance, the server automatically renames (rotates) its local server log file as SERVER-NAME.log.n. For the remainder of the server session, messages accumulate in the log file until the file grows to a size of 500 kilobytes.
Production Mode: The server rotates the local log file after the size of the file reaches 5000 kilobytes. When the server is configured for production mode, by default, all versions of the log files are kept. Administrators may want to customize the number of log files retained.
JDBC system resource:
Development Mode: The default capacity is 15 connections.
Production Mode: The default capacity is 25 connections.
Security:
Development Mode: The configuration of security is relatively relaxed, allowing you to auto-deploy applications.
Production Mode: The configuration of security is stringent, requiring a user name and password to deploy applications. Before putting a domain into production, familiarize yourself with the securing the production environment.
Encryption and Decryption of Sensitive Data
SOA Suite which is 12c, Oracle provided out of box functionality to encrypt specific fields in the message which is flowing through middleware.
In Oracle SOA 12c, encryption policy is used to encrypt and decrypt the message, message encryption happens at component binding that means message get encrypted before it come to component (BPEL or Mediator) and we see only encrypted message in audit trail. Message decryption happens at reference binding level that means message fields get decrypted before it is sent to target service/system.
How to encrypt sensitive field
To do encryption, right click on the source bindings and choose “Encrypt Sensitive Data”. This open another pop-up where you can see out of box policy used for the encryption. Click on the edit button so that we can define the message field which we want to encrypt.
Once you click on the edit button, this opens another window. Click on plus sign to choose the required field which we need to encrypt. For this post, we encrypt quantity field. Once done click on next, now we need to provide CSF-key value, by default it choose “pii-csf-key”. Click on finish.
Make sure pii-csf-key should exist, if it does not exist then you will not be able to encrypt the message and see error message. Click here to see how to create csf-key.
How to decrypt sensitive field
To perform decryption, right click on the reference binding and choose “Decrypt Sensitive Data”. This open another window where you can see the out of box policy used for decryption, click on edit sign and choose the field which you need to decrypt. Also choose the default csf-key.
No comments:
Post a Comment