Wednesday, June 01, 2011

Working with SSL certificates on Oracle Enterprise Gateway or OWSM

Working with SSL certificates is not straightforward. Applying a new certificate on a server for outgoing connections is not a walk in the park, and installing a client certificate on top of an SSL configuration is not easy either.

In this article I want to share some useful commands for creating SSL connections on the Oracle Application Server, which is the WebLogic Server. They can also be applied on other application servers.

To create an outgoing SSL connection, you need the public certificate of the external party you want to connect to. You can obtain it via your browser: enter https://servername:443/query/end/point?WSDL in the address bar.

Click the icon in the location bar to show the certificate. Now you can export this public certificate to a ".cer" file. This is the file you then need to install on your application server.

On the application server, in my example a Java application server such as WebLogic, the public certificate must be loaded into the "keystore". The keystore is a file that contains all the public certificates your application server uses to connect to secure sites. To manage your keystore, use the following commands:

Notes: 
  • By default in java, the default keystore is named 'cacerts' and has the default password 'changeit'
  • The cacerts file is located in your $JAVA_HOME/jre/lib/security directory.
  • Make a copy of your cacerts file before making any changes.

List all the public certificates:

keytool -list -v -keystore ./cacerts -storepass changeit
keytool -list -v -alias www.thawte.com -keystore ./cacerts -storepass changeit

Delete a public certificate based on an alias:

keytool -delete -alias www.thawte.com -keystore ./cacerts -storepass changeit

Add a public certificate with an alias:

keytool -import -alias www.thawte.com -keystore ./cacerts -file public_thawte_com.cer -storepass changeit

Add a public certificate with an alias and let keytool verify its chain against the CA certificates already in the keystore (-trustcacerts):

keytool -import -v -trustcacerts -alias staatdernederlandenrootca -file staatdernederlandenrootca.crt -keystore ./cacerts -storepass changeit

Export a public certificate from the keystore:

keytool -export -alias www.thawte.com -keystore ./cacerts -file public_thawte_com.cer -storepass changeit

Certificates come in different formats: p7b, p12, pem and cer. Each format has its own purpose. In general, a p7b file contains only public certificates. A p12 file contains the public certificate together with the private key, and is used for exchanging client certificates.

To convert between these formats for your keystore, use OpenSSL. It is the best tool for this and is available on any platform. It is command-line based, but various GUI tools are available as well.

Converting a p7b file to p12 format. First extract the certificates from the p7b file as PEM text:
openssl pkcs7 -print_certs -in vijfhuizen.com.p7b > vijfhuizen.com.cer

Edit the vijfhuizen.com.cer file and remove any chain certificates, so that only the server certificate block remains:
-----BEGIN CERTIFICATE-----
d2bmW4werweNSIdV7qXEntvJILc519AHJJDePHrT9SjavljmK0lTRfM1awv5n4355
HUsvvi3c0AEsjypd3bIcm4fXY6IF34cuRVpb++fzASVO8Bwl3LOE9PqnHr9zIRtlv
....
MIIsE2zCCA8OgAwIBAgIEATFjtjANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGwwJO
Rmh3IrH60ylbuqmeGRnJM8qYBHzVyOWAT2ruVhNKMcXD+TnUEU2QZDfmcnNKOIM
-----END CERTIFICATE-----

Then combine the certificate with its private key into a p12 file:
openssl pkcs12 -export -in vijfhuizen.com.cer -inkey vijfhuizen.com.private.key -out vijfhuizen.com.p12 -name vijfhuizen.com.name

Convert PEM format into DER format:
openssl x509 -in vijfhuizen.com.pem -inform PEM -out vijfhuizen.com.crt -outform DER
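The "remove any chain certificates" step above can be automated instead of done by hand in an editor. The following shell script is an added example and is not part of the original post: it splits a PEM bundle, such as the output of openssl pkcs7 -print_certs, into its certificate blocks so that only the first (leaf) certificate is written to the file that goes into openssl pkcs12 -export. The subject=/issuer= lines that openssl prints between blocks are dropped as well. The bundle contents are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): split a PEM bundle into its
# certificate blocks so only the leaf certificate goes into the p12 file.
# Text outside BEGIN/END (the subject=/issuer= lines that
# "openssl pkcs7 -print_certs" emits) is dropped as well.

# Print the Nth certificate block of a PEM file.  $1 = file, $2 = 1-based index.
pem_cert_n() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ { if (n == want) exit }
    ' "$1"
}

# Number of certificate blocks in a PEM file (prints 0 if there are none).
pem_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Keep only the first certificate. "openssl pkcs7 -print_certs" usually
# emits the server (leaf) certificate first; check the subject= lines if unsure.
pem_leaf_only() {
    pem_cert_n "$1" 1
}

# Constructed sample bundle: three placeholder blocks, leaf first.
DEMO_BUNDLE="${TMPDIR:-/tmp}/demo_bundle.$$.pem"
cat > "$DEMO_BUNDLE" <<'EOF'
subject=CN=vijfhuizen.com
issuer=CN=Demo Intermediate CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
subject=CN=Demo Intermediate CA
issuer=CN=Demo Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
subject=CN=Demo Root CA
issuer=CN=Demo Root CA
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF

# Write the leaf alone to a .cer file, the form the post feeds to "openssl pkcs12 -export".
pem_leaf_only "$DEMO_BUNDLE" > "${DEMO_BUNDLE%.pem}.leaf.cer"
echo "bundle has $(pem_count "$DEMO_BUNDLE") certificates; leaf written to ${DEMO_BUNDLE%.pem}.leaf.cer"
```

The resulting .leaf.cer file is what you pass as the -in argument of the openssl pkcs12 -export command above; pem_cert_n with index 2 or 3 gives you the intermediate and root blocks if you need them separately.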

After you have created your SSL certificates, keys and keystores, you want to test whether the SSL configuration is valid. Here is a small script to do so:

#!/bin/bash
export ORACLE_HOME=/opt/weblogic/Middleware
export PATH=.:$PATH:$ORACLE_HOME/jdk/bin

EXEC_DIR=`dirname $0`
STOR_DIR=$ORACLE_HOME/jdk/jre/lib/security

# Trust store: the cacerts file holding the public certificates of the remote parties.
# Key store: the p12 file holding our own client certificate and private key.
# javax.net.debug=ssl,handshake prints the whole handshake, so you can see which certificate is rejected.
java -cp $EXEC_DIR -Djavax.net.ssl.trustStore=$STOR_DIR/cacerts \
   -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl,handshake \
   -Djavax.net.ssl.keyStore=$STOR_DIR/vijfhuizen.com.p12 -Djavax.net.ssl.keyStoreType=pkcs12 \
   -Djavax.net.ssl.keyStorePassword=changeit Client https://www.thawte.com/roots

The Client class can be downloaded here.

If the test does not work, you may get an error such as:

"unable to find valid certification path to requested target"

This is due to the fact that the certificate chain in your keystore is incomplete, or the certificate is not there at all. A very nice solution is described here. This tool automatically downloads the public certificate from the website and loads it into a copy of your existing keystore (cacerts), saved as a file named jssecacerts. The Java code for this tool is here.

The only thing you have to do is use this jssecacerts file to replace the existing keystore, or export the public certificate from it based on the alias and import it into the cacerts keystore.
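The export-and-import route described here, and the keytool commands and "make a copy of your cacerts file first" note from the keystore section earlier, fit together into one small script. This is an added example and not code from the original post or from the linked tool: it copies one certificate, by alias, from the jssecacerts file into cacerts, after backing cacerts up, and skips the import when the alias is already present. The keystore paths, the alias and the changeit password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: copy one trusted certificate
# (by alias) from the jssecacerts file that the linked tool produces into the
# JDK's cacerts, backing cacerts up first as the post's notes recommend.
# Keystore paths, aliases and the "changeit" password are assumptions.

# Copy a keystore next to itself with a timestamp suffix and print the backup path.
# Refuses to overwrite an existing backup.
backup_keystore() {
    ks="$1"
    if [ ! -f "$ks" ]; then
        echo "no such keystore: $ks" >&2
        return 1
    fi
    bak="$ks.$(date +%Y%m%d%H%M%S).bak"
    if [ -e "$bak" ]; then
        echo "backup already exists: $bak" >&2
        return 1
    fi
    cp "$ks" "$bak" && echo "$bak"
}

# True if the keystore already holds the alias (keytool -list exits non-zero otherwise).
# Arguments: KEYSTORE STOREPASS ALIAS
keystore_has_alias() {
    keytool -list -alias "$3" -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Export an alias from the source keystore and import it into the destination.
# Usage: copy_alias SRC_KEYSTORE DST_KEYSTORE ALIAS [STOREPASS]
copy_alias() {
    src="$1"; dst="$2"; al="$3"; pass="${4:-changeit}"
    if keystore_has_alias "$dst" "$pass" "$al"; then
        echo "alias '$al' is already in $dst, nothing to do"
        return 0
    fi
    backup_keystore "$dst" >/dev/null || return 1
    cer="${TMPDIR:-/tmp}/$al.$$.cer"
    keytool -export -alias "$al" -keystore "$src" -file "$cer" -storepass "$pass" || return 1
    # -noprompt skips the interactive "Trust this certificate?" question.
    if keytool -import -noprompt -alias "$al" -keystore "$dst" -file "$cer" -storepass "$pass"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cer"
    return $rc
}

# Example invocation, only when called as: ./copy_alias.sh --run ./jssecacerts $JAVA_HOME/jre/lib/security/cacerts www.thawte.com
if [ "${1:-}" = "--run" ]; then
    copy_alias "$2" "$3" "$4"
fi
```

Run it with --run and the three arguments shown in the last comment; keytool itself is only invoked from inside the functions, so sourcing the file without arguments just defines them.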