Mohan WebSite

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (40)
Ansibile (19)
Apache (135)
Asterisk (2)
cassandra (2)
Centos (230)
- ftp (5)
- IPTABLES (15)
- SFTP (1)
- swap (3)
Centos RHEL 7 (270)
centos8 (3)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (31)
Eassy (11)
ELKS (1)
EXCHANGE (3)
Fedora (6)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
health (2)
horoscope (23)
Hyper-V (10)
IIS (15)
JAVA (7)
JBOSS (32)
jenkins (1)
Kubernetes (9)
Ldap (5)
Linux (189)
Linux Commands (166)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (24)
MYSQL (84)
Nagios (5)
NaturalOil (13)
Nginx (36)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (35)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
TIPS on Linux (28)
tomcat (62)
Ubuntu (1)
Uncategorized (30)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

Install Rootkit Hunter Centos 7 / 6 / 5

Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Rootkits are self-hiding toolkits secretly installed by a malicious intruder to allow that user to gain access to the server. Rootkit Hunter offers protection by comparing SHA-1 hashes of important files with known good ones in a online database as well as:

MD5 hash compare
Look for default files used by rootkits
Wrong file permissions for binaries
Look for suspected strings in LKM and KLD modules
Look for hidden files
Optional scan within plaintext and binary files
If this is the first installation of RHEL and CentOS RPMForge Repository:
RHEL/CentOS 7:

# yum install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm

RHEL/CentOS 6 64 bit:

# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

RHEL/CentOS 6 32 bit:

# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
# rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.i686.rpm

yum install rkhunter

# /usr/local/bin/rkhunter –update
# /usr/local/bin/rkhunter –propupd
# rkhunter -c

grep Warning /var/log/rkhunter/rkhunter.log

Check the version

# rkhunter –versioncheck

Rootkit Hunter version 1.4.2

Checking rkhunter version…
This version : 1.4.2
Latest version: 1.4.2
Manual Scan

# rkhunter -c
rkhunter -c -l /var/log/rkhunter.log
Create the run-file in the following location (RHEL based distributions only):

#nano -w /etc/cron.daily/rkhunter.sh
Install into shell script

#!/bin/sh
(
/usr/bin/rkhunter –versioncheck
/usr/bin/rkhunter –update
/usr/bin/rkhunter –cronjob –report-warnings-only
) | /bin/mail -s ‘rkhunter Daily Scan Report (ServerNameHere)’ your@email.here

Set Execute Permissions

Set execute permission on the file you have just created:

# chmod 755 /etc/cron.daily/rkhunter.sh
he cron utility will run once daily, and if a threat is detected, the rkhunter command itself will email our user to alert them. If no problems were found, no email will be received.

Rootkit Hunter configuration

The configuration file for rkhunter can be found at:

# /etc/rkhunter.conf
SSHD Root Logon

The parameter ALLOW_SSH_ROOT_USER tells rkhunter whether or not the root user is allowed to ssh into the system. This is unset by default in the rkhunter.conf file. Rkhunter will complain about this on every run. If you have disabled root login, you should set this parameter to “no”.

ALLOW_SSH_ROOT_USER=no
If you need root login over SSH, you should change this parameter to “yes” so that rkhunter can check this and will mark this setting as valid:

ALLOW_SSH_ROOT_USER=yes
Security practices recommend disabling root login.

Update rkhunter

To check the currently installed version enter the following:

# rkhunter –versioncheck
Run the updater by issuing the following command:

# rkhunter –update
With our database files refreshed, we need to tell rkhunter to check the current values and store them as known-good values:

# rkhunter –propupd

FSCK on an LVM

Running FSCK on an LVM (Logical Volume Manager) using Linux Rescue Disk

i am not a linux expert and so when I have problems from time to time I usually have to go searching for the answer. It usually takes me looking at several articles to get my answer and when I am finished I always try and put together a article that has everything I need to know in once spot. Please feel free to correct or suggest a better alternative if you come across this article and would like to provide feedback.

Yesterday I had a server crash and when I logged into the console it was showing a kernal panic!!

I rebooted and the same thing happened over on every reboot. This machine had some problems in the past with the disk going into read only mode so I assumed the issue was related to something wrong with the disk. So I grabbed a CentOS disk and booted up with it and booted into resuce mode and skipped the step that would mount the disks.

Once in I attempted to run fsck /dev/sda1 but I got an error back indicating it did not recognize the volume as EXT2. Searching around I found the following solution if you are using a LVM.

Perform all of the following commands in the following order. I provided a link for each command if you are interested in knowing more about what each of the commands do.

Scan all disks for partiitions:

lvm pvscan

Scan all disks for volume groups and build /etc/lvmtab and /etc/lvmtab.d/* which are the database for all other lvm commands:

lvm vgscan

Change attributes of a logical volume

lvm lvchange -ay VolGroup00

Scan all disks for logical volumes

lvm lvscan

Then I was able to run fsck as follows

fsck -f /dev/VolGroup00/LogVol00

Which of course reported TONS of errors and fixed them up.

I do not claim to be an expert but this worked for me. Hopefully this information will help someone else out in the future.

Debian give root password for maintenance lost password

In the event your Linux box experiences disk or file system issues you may receive a “Give root password for maintenance” prompt upon reboot. If you have your root password you can login but in the event your using ‘slide’ or ‘sudo’ for wheel access or you’ve just mis-placed your root password – you’ll need to reset it.

To reset your root password:

1. When the GRUB loader shows during boot press the spare bar to pause boot.

2. Select your boot kernel.

3. Type ‘e’ to edit the default kernel line.

4. Type ‘e’ again on the line that starts with ‘kernel’.

5. Add ‘init=/bin/bash’ to the end of the ‘kernel’ line then press enter.

6. Type ‘b’ to boot the modified kernel parameters.

7. Once you’re at the /bin/bash prompt you will need to remount the root file system as read/write in order to edit the passwd file:

# mount -o remount,rw /

8. Change your root password:

# passwd root

9. Remount the filesystem back to read only:

# mount -o remount,ro /

10. Reboot your server using CTR-ALT-DELETE.

11. You will now be able to login with your new root password and carry out the maintenance.

Single User Mode

…even if “root password for maintenance” is set.

Root password recovery in Single User Mode

If you need to reset the root password then you must have access to the console. This is easy with VMWare or a Remote Access Controller. If not then you will have to make a physical trip to your server room.

Note that with Ubuntu you usually don’t want to set a root password. Just use “sudo su -” to get a root shell. If you do set a root password and then forget it then you will have to use the second method described under #Single User Mode when asked for root password for maintenance.

Boot into Single User Mode

Assuming you are booting under GRUB2 then boot your Linux box and hold shift while booting. This should bring up the GRUB boot menu. If that doesn’t work try booting again while hitting Esc until you get the GRUB boot menu. The GRUB boot menu check passes by quickly. This can be tricky under a virtual machine scenario (VirtualBox, Xen, VMWare, KVM, etc.), so you might have to reboot a few times before you catch it. If you are using the ancient LILO without a pause configured for the boot prompt then the process is similar, except that you press and hold any of the following keys while booting: Shift, Alt, Ctrl, ScrollLock, or CapsLock.
Select a boot image from the menu then press ‘e’ to edit.
Select the Kernel line and press ‘e’ to edit. It should look something like this:
```
kernel /vmlinuz-2.6.15-27-386 root=/dev/mapper/Ubuntu-root ro quiet splash
```
Edit that line to get rid of quiet and splash and add ‘single’:
```
kernel /vmlinuz-2.6.15-27-386 root=/dev/mapper/Ubuntu-root ro single
```
Then press enter. You will be returned to the menu.
Press ‘b’ to boot with these new settings.
If the OS appears to boot normally, but you see a message that says, Give root password for maintenance (or type Control-D to continue): then you will have to try a different trick described below.

Single User Mode when asked for root password for maintenance

This method will get you past the “Give root password for maintenance” message, but the environment will be much more primitive, but this should be enough for you to issue a ‘passwd’ command to change the password for root. If you want to do more than that then you may have to mount filesystems and manually start the network.

Reboot your machine; press ‘Esc’ to get to the GRUB menu; select your image; press ‘e’ to edit; select the Kernel line.
Press ‘e’ to edit the kernel line. Edit the line to get rid of quiet and splash; change ‘ro’ to ‘rw’; and add ‘init=/bin/bash’. The line should look something like this:
```
kernel /vmlinuz-2.6.15-27-386 root=/dev/mapper/Ubuntu-root rw init=/bin/bash
```
Press ‘enter’ then ‘b’ to boot with these new settings.
When you get to the shell try editing /etc/passwd and /etc/shadow. Usually I just blank out password field for the root user then reboot. This may not work if the PAM was setup to disallow root login. In that case you may need to boot back into single user mode and then update the PAM to allow root login or allow root login without a password. Alternatively, the passwd command may be available so you can just run this to actually set a real password.

linux – How do I completely remove root password – Stack Overflow

Did you try passwd -d root? Most likely, this will do what you want.

You can also manually edit /etc/shadow: (Create a backup copy. Be sure that you can log even if you mess up, for example from a rescue system.) Search for “root”. Typically, the root entry looks similar to

root:$X$SK5xfLB1ZW:0:0...

There, delete the second field (everything between the first and second colon):

root::0:0...

OpenStack

PaaS, OpenStack, & cloud adoption

IT Challenges

Major issues with traditional infrastructure

Our data is too large
• Volumes of data are being generated at unprecedented levels
• Most of this data is unstructured
• Service requests are too large
• More and more devices are coming online
• Tablets, phones, laptops, BYOD generation…
• Crucially, applications weren’t written to cope with the demand!
• Traditional infrastructure capabilities are being exhausted
• Service uptime, QoS, KPI’s and SLA’s are slipping

What is a cloud workload ?

There are many types of workloads in the datacenter, solution must serve all of them
Pets or cattle? Lots of pets, lots of cattle too
Portability – environment has to be portable
Solution needs to be highly available and reduce/eliminate single points of failure
Create an efficient system to allow repeatable and auditable processes
Needs to meet corporate security and compliance requirements
Ability to charge back the LOBs
Support for IPv6

openstack 008

Which emerging technologies and standards are most important to watch

• Inefficient utilization of resources.
• Resource saturation.
• Lack of elasticity and scalability.
• Lack of security and governance.
• Frequent outages.
• Bad or no tenant management.
• Other very bad things.

Why Openstack and its Overview

Provides a complete end-to-end infrastructure management solution for OpenStack business planning, system deployment and ongoing operations.
Core features:

API, CLI and Dashboard driven deployments
Cloud deployment modeling
Deployment and provisioning
Instrumentation framework

What is OpenStack?

OpenStack is an open source, Python based, cloud operating system. It is designed to control large scale, multi tenant cloud deployments
OpenStack is built through a set of distributed services which control compute, storage, network, identity management, orchestration, and much more

• Comprised of several open source sub-projects
• Provides all of the building blocks to create an Infrastructure-as-a-Service cloud

• Designed and architected to replicate public cloud infrastructure, e.g. Amazon AWS
• Governed by the vendor agnostic OpenStack Foundation
• Enormous market momentum with significant investment from major player

Features of Openstack

Deploying OpenStack to bare metal
OpenStack community adopted
Providing visual status of core services and cloud infrastructure
Offering platform extensibility
Providing integration via well known APIs
Is cloud operator focused!
Naturally resilient and scalable

OPENSTACK COMMUNITY : In 4 years The second largest after Linux

OpenStack Taxonomy

openstack 009

Keystone

Nova

GLANCE

SWIFT

NEUTRON

CINDER

HEAT

CELIOMETER

HORIZON

OpenStack Management Console

CERN’s infrastructure
1300 compute nodes
Run ~1000 VMs simultaneously
Deployed ~250VMs in ~5min

Sample Network Architecture of Openstack

Use Cases for OpenStack Today
Main use cases:

DevOps – important to move content from dev to ops quickly
Software development – test environment, ability to bring up and tear down sophisticated topologies and configuration
Elasticity/scalability – users who need to burst and gain large scale quickly
Batch processing/HPC
Web companies –
NFV
Early Adopters:
Small groups
Strong IT skills set can “figure stuff out”
Fairly simple regulatory environment

REDHAT 7 and CENTOS 7 Features

[gview file=”http://rmohan.com/wp-content/uploads/2015/08/7-linux-roadmap.pdf”]

[gview file=”http://rmohan.com/wp-content/uploads/2015/08/Red-Hat-7-PPT.pdf”]

Wildcard SSL Certificates with WebLogic

Wildcard SSL Certificates with WebLogic
keytool -list -v -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
keytool -import -trustcacerts -alias rootcacert -keystore DemoTrust.jks -file D:\keystores\GeoTrust_Global_CA.pem -storepass DemoTrustKeyStorePassPhrase
keytool -import -trustcacerts -alias intercacert -keystore DemoTrust.jks -file D:\keystores\Geotrustintermediate.crt -storepass DemoTrustKeyStorePassPhrase
keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase

-keypass

keytool -import -file D:\keystores\rmohan.com-2018.pem -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keypass DemoIdentityKeyStorePassPhrase
keytool -import -file D:\keystores\rmohan.com-2018.crt -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keypass DemoIdentityKeyStorePassPhrase
keytool -delete -file D:\keystores\rmohan.com-2018.pem -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
keytool -delete -noprompt -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

keytool -list -v -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

keytool -importkeystore -srckeystore host.p12 -destkeystore DemoIdentity.jks -srcstoretype pkcs12

keytool -importkeystore -srckeystore rmohan.com-2018.p12 -destkeystore DemoIdentity.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass PA$$word12 -deststorepass PA$$word12 -srcalias 1
Change the Hostname Verification entry from “Hostname” to “Custom Hostname Verifier”
In the Custom Hostname Verifier form enter: “weblogic.security.utils.SSLWLSWildcardHostnameVerifier”

1) Convert it into pkcs12 format
openssl pkcs12 -export -out Tomcat.p12 -inkey server.key -in server.crt -certfile g2chain.cer -name “Server-Cert”

2) Now convert it into JKS format
keytool -importkeystore -srckeystore Tomcat.p12 -destkeystore KEYSTORE.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass ********* -deststorepass ********* -srcalias Server-Cert -destalias tomcat -srckeypass ********* -destkeypass ********* -noprompt
Checking the logs, the same error.

Checking “Use JSSE SSL” does fix the problem easily.

Configure the servers to use wildcard verifier:

Login to WLS console
Click on “Environment” à Servers will be displayed on your left
Select the server (You’ll have to do this for all servers.)
Go to the SSL tab
Scroll down and expand the “Advanced” section
Change the Hostname Verification entry from “Hostname” to “Custom Hostname Verifier”
In the Custom Hostname Verifier form enter: “weblogic.security.utils.SSLWLSWildcardHostnameVerifier”

Restart the servers.

Node Manager, by default, uses the Demo Identity keystore. You can observe this in $WL_HOME/common/nodemanager/nodemanager.log.

To configure Node Manager to use the custom keystores, add the following lines to the end of the nodemanager.properties file located in the WL_HOME/common/nodemanager directory:

Note: Do this on all nodes.

cp $WL_HOME/common/nodemanager/nodemanager.properties $WL_HOME/common/nodemanager/nodemanager.properties.`date +%Y%m%d`

vi $WL_HOME/common/nodemanager/nodemanager.properties

— Add this at the bottom of the file. Use the correct values for the items highlighted in bold. The path changes in each environment. The password should remain same as we copy over the keystores to other environments.

##SSL Config changes

KeyStores=CustomIdentityAndCustomTrust

CustomIdentityKeyStoreFileName=[LOCATION TO KEYSTORE]/my_key_identity.jks

CustomIdentityKeyStorePassPhrase=[PASSWORD]

CustomIdentityAlias=server_identity

CustomIdentityPrivateKeyPassPhrase=[PASSWORD]

The passphrase entries in the nodemanager.properties file are encrypted when you start Node Manager.

Restart Node Manager.

— Kill the nodemanager

ps -ef | grep nodemanager

cd $WL_HOME/server/bin

rm -f nohup.out

nohup ./startNodeManager.sh &

Import private key and certificate into java keystore

From time to time you have to update your SSL keys and certificates. In some cases you may have a mixed infrastructure e.g. “normal” http servers and tomcat or other java based servers. In the latter case you’ll have to import your shiny new certificate and key into your java keystore.

There are several methods that you can use but I found the following the most simple:

Export your key, certificate and ca-certificate into a PKCS12 bundle viaopenssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
Be sure to set an export password! (see further below for an explanation)
If you get the following error message “Error unable to get issuer certificate getting chain.” then you should concatenate the openssl ca-certs with your own ca-cert into one file and use that as parameter for -CAfile. Example:cat /etc/ssl/cert.pem my-ca-file.crt > ca-certs.pem
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile ca-certs.pem -name "my-domain.com" -out my.p12
Import the PKCS12 file into a new java keystore viakeytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12

1. Suppose you have a certificate and key in PEM format. The key is named host.key and the certificate host.crt.

2. The first step is to convert them into a single PKCS12 file using the command: openssl pkcs12 -export -in host.crt -inkey host.key > host.p12. You will be asked for various passwords (the password to access the key (if set) and then the password for the PKCS12 file being created).

3. Then import the PKCS12 file into a keystore using the command: keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12. You now have a keystore named host.jkscontaining the certificate/key you need.

For the sake of completeness here’s the output of a full session I performed:

$ openssl pkcs12 -export -in host.crt -inkey host.key > host.p12
Enter pass phrase for host.key:
Enter Export Password:
Verifying - Enter Export Password:
$ keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks
-srcstoretype pkcs12
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed

ssl on weblogic

One-way SSL

One-way SSL simply means that only the server certificate passes from the server to the client but not the other way around. Thus, only the server is authenticated. If we trust the server certificate’s issuer, we can establish an SSL link between our browser and the server [3].

Two-way SSL

When both client and server pass certificates to each other to establish an SSL link, we have mutual authentication via two-way SSL. Both sides now know the identity of the other from their respective certificates. The important thing to realize here is that, while the conditions for one-way SSL remain, the mirrored conditions also apply. In other words, the server also has to trust the issuer of the client certificate. Mutual authentication just means that both sides must trust each other. This forms the basis of Public Key Infrastructure [3].

Fundamentals of PKI

Public Key Infrastructure is a computerized form of message encryption using two keys; one is public and used by the sender to encrypt the message, the other is private and used by the recipient to decrypt the message [1]. It is essentially an arrangement surrounding the issuance of digital certificates and assignment of public keys. The issuance of a digital certificate is ultimately done by a certification authority as the result of the PKI process, which includes the binding of public keys to subscribing user identities after such identities have been validated.

The actual verification of user identities can be done by the certification authority itself, or by a separate registration authority. Once issued, however, the certification authority stamps and seals the PKI certificate with its unique digital signature. As a result the certificate holder is able to secure network communications and online transactions, as well as provide trusted third party, PKI -based, authentication of its business identity [2].

Configuration

Steps to configure CLIENT-CERT authentication-

Step 1: Configure two-way SSL in WebLogic Server
Step 2: Configure Default Identity Asserter
Step 3: Configure Web Application
Step 4: Test the configuration

Configure Two-Way SSL in WebLogic Server

First, we will test with Demo Identity and Demo Trust Store provided with WebLogic server. Later, we will discuss about configuring Custom Identity and Custom Trust Store.

Note: Demo Identity and Demo Trust Store should not be used in production environment.

Load BEA Test CA Certificate into Browser

Out of the box, WebLogic will present a certificate signed by the BEA test CA. You’ll need to add that CA certificate to your browser so that the server certificate will be trusted. Note that what you want to add to your browser is the certificate of the CA that issued the server certificate- not the server certificate itself. If you don’t add the CA certificate, SSL will still work but you will be prompted by your browser about an untrusted certificate [3].

To load the test CA certificate into your browser (Firefox 3.0 in this case) follow these steps-
Step 1: Go to Tools -> Options
Step 2: Select Advanced -> Encryption
Step 3: Click View Certificates
Step 4: Select Authorities
Step 5: Click Import
Step 6: Select $BEA_HOME/wlserver_10.3/server/lib/CertGenCA.der
Step 7: Select “Trust this CA to identify web sites”
Step 8: Click OK to save the settings.

Your browser will now trust certificates issued from the BEA test CA.

Note: Later, when you are done experimenting with the test certificate, be sure to remove the test CA certificate from your browser.

Create a Client Certificate

We will use a utility provided by BEA called CertGen to create a client certificate. This certificate will be issued by the BEA demo CA just like the demo server was. We will configure WLS to trust this client certificate when it is presented. To reiterate, the server trusts the client certificate issuer, not the client certificate directly [3].

To generate client certificate and keystore, follow the steps given below-

Step 1: Run $BEA_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
Step 2: Use CertGen to create a client certificate as follows:

java utils.CertGen -certfile user.cer -keyfile userkey.key -keyfilepass weblogic -cn user

The CertGen command creates both the private key and certificate for the user specified as the CN (Common Name). The files are created in DER and PEM formats. Most browsers don’t recognize PEM/DER files, so we need to convert the key and certificate into a PKCS #12 file.

Step 3: Import key and certificate into a keystore of type PKCS#12 as follows:

java utils.ImportPrivateKey -keystore keystore.p12 -storepass weblogic -storetype pkcs12
-keypass weblogic -alias newalias -certfile user.cer.pem
-keyfile userkey.key.pem -keyfilepass weblogic

Load Client Certificate into Browser

The procedure for loading client certificates is almost the same as loading the CA certificate:
Step 1: Go to Tools -> Options
Step 2: Select Advanced -> Encryption
Step 3: Click View Certificates
Step 4: Select Your Certificates
Step 5: Click Import
Step 6: Select keystore.p12 (keystore generated in the previous step)
Step 7: Enter the store password (weblogic in the example)
Step 8: Click OK to save the settings.

Enforce Client Certificates over Two-Way SSL

To configure two-way SSL, demo identity store, trust store and enforce client certificates, follow the steps given below-
Step 1: Login to WebLogic Server Admin Console
Step 2: Select domain -> Environment -> Servers
Step 3: Select the server (For example: AdminServer)
Step 4: Ensure that SSL Listen Port is enabled (take a note of SSL port)
Step 5: Save the settings
Step 6: Select Keystores tab
Step 7: Select Keystores as Demo Identity and Demo Trust
Step 8: Save the settings
Step 9: Select SSL tab
Step 10: Select Identity and Trust Locations as Keystores
Step 11: Save the settings
Step 12: Click on Advanced in SSL tab
Step 13: Select Two Way Client Cert Behavior as Client Certs Requested and Enforced
Step 14: Restart WebLogic Server for the changes to take effect.

At this point, the server certificate is trusted by the browser since the browser trusts the test CA. The server is configured to trust the test CA, too, since it’s using the DemoTrust keystore. If the browser has a client certificate issued from the test CA, all should be well and SSL should work.

To test it, navigate to the WebLogic Console over SSL (https://localhost:7002/console). You should get prompted to supply a client certificate. Select the certificate and click OK to use it. You should then see the Console login page.

Next, we need to configure Default Identity Asserter to allow authentication using the client certificate.

Configure Default Identity Asserter

To configure Default Identity Store to analyze X.509 client certificate and map it to a valid user, follow the steps given below-
Step 1: Login to WebLogic Server Admin Console
Step 2: Select domain -> Security Realms -> realm
Step 3: Select Providers tab
Step 4: Select Authentication tab
Step 5: Select Default Identity Asserter
Step 6: Select X.509 as one of the Active types by moving it to Chosen box
Step 7: Save the settings
Step 8: Select Provider Specific tab
Step 9: Select Use Default User Name Mapper
Step 10: Select the Username Mapper Attribute Type as CN
Step 11: Remove any delimiter for Default Username Mapper Attribute
Step 12: Save the settings
Step 13: Restart WebLogic Server for the changes to take effect

Note: Default User Name Mapper will map the user name to a valid user in WebLogic user store
Configure Web Application

Web application must specify the authentication method as CLIENT-CERT in web.xml.

Test the Configuration

You are all set to test the configuration. Deploy the application to WebLogic server and request the protected resource. Server will authenticate you using the certificate and grant access to the protected resource.

Custom Identity and Custom Trust

The configuration that we just tested was with the demo identity and trust store provided by WebLogic. Instead of using the demo stores, we can use our custom identity and trust store. For development environment, we can generate a Self-Signed CA certificate using Java and WebLogic tools [See Reference 4].

We will follow these steps to get it done-
Step 1: Set the Environment
Step 2: Generate Server Private Key and Certificate
Step 3: Create the Identity Store
Step 4: Import the Certificate into a new Trust Keystore
Step 5: Install Server Certificate on Client
Step 6: Create a Client Certificate using Self-Signed CA Certificate
Step 7: Bundle Certificate and Key into a Keystore
Step 8: Import Trusted CA Certificate and Client Certificate into Browser
Step 9: Configure WebLogic Server with Identity and Trust Stores

Set the Environment

Run $BEA_HOME/wlserver_10.3/server/bin/setWLSEnv.sh script to set the environment.

Generate Server Private Key and Certificate

Use CertGen to create server private key and certificate as given below:

java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer
-keyfile MyOwnSelfKey.key -keyfilepass mykeypass
-cn “My Own Self CA”

Create the Identity Store

CertGen created a unique and secret Private Key for the server we are using and the Self-signed Root Certificate for us. But Java wants them packaged up neatly into a keystore. Fortunately BEA are a smart bunch and created a utility to help. Just to make sure there was no confusion about what it does, they called it ImportPrivateKey. Now run this-

java utils.ImportPrivateKey -keystore MyOwnIdentityStore.jks -storepass identitypass
-keypass keypassword -alias trustself
-certfile MyOwnSelfCA.cer.pem
-keyfile MyOwnSelfKey.key.pem -keyfilepass mykeypass

Import the Certificate into a new Trust Keystore

When the client asks the server for a connection, the server will only allow access if it trusts the signer of the client’s certificate. This is going to be the “My Own Self CA” and to make it happen we need our trusty MyOwnSelf certificate packed up into a separate keystore called the Trust Keystore. When the client presents it’s certificate, this is where the server will look to see if it trusts the signature of the CA. Now run this-

keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA

Install Server Certificate on Client

To have the client trust the server permanently, we need to install the certificate. You can follow the steps mentioned under Load BEA Test CA Certificate into Browser and import the certificate MyOwnSelfCA.cer.der into your browser. Alternatively, you can double click the certificate file and choose Install.

Create a Client Certificate using Self-Signed CA Certificate

It’s time to generate the certificate for the client. This time we want the Certificate to identify the client machine (usually the user of the machine – you can set up one client certificate per user and have more than one on a machine if you need to), and we want to ensure that the Client is linked to the Trusted CA Root Certificate we fabricated earlier. (This is why the ou (operating unit) of the client certificate must match the identity of the Trusted CA Certificate – in this case “My Own Self CA”.)

java utils.CertGen -certfile MyClientCert.cer -keyfile MyClientKey.key -keyfilepass clientkeypass
-cacert MyOwnSelfCA.cer.der -cakey MyOwnSelfKey.key.der -cakeypass mykeypass
-cn “My Client” -e “my.own@self.com” -ou “My Own Self CA”

Bundle Certificate and Key into a Keystore

Run the command as shown below-

java utils.ImportPrivateKey -keystore MyClientCert.p12 -storepass clientpass -storetype pkcs12
-keypass clientkeypass -alias clientcert -certfile MyClientCert.cer.pem
-keyfile MyClientKey.key.pem -keyfilepass clientkeypass

Import Client Certificate into Browser

Follow the steps mentioned under Load Client Certificate into Browser. Here, the keystore will be MyClientCert.p12 and store password will be clientpass.
Configure WebLogic Server with Identity and Trust Stores

In sections Create the Identity Store and Import the Certificate into a new Trust Keystore, we generated an Identity Keystore for Server to Client communication (to supply certificates to the client) and a Trust Keystore for Client to Server communication (to accept certificates supplied by the client). We now need to tell WebLogic to use them.

In the WebLogic Admin Console, jump to the Keystores tab (See Enforce Client Certificates over Two-Way SSL) and choose “Custom Identity and Custom Trust”. Enter the locations of your Identity and Trust keystores, the passphrases identitypass and trustpass respectively.

Now switch to SSL tab and enter the alias and the Private Key password (i.e ‘trustself’ and ‘keypassword’, respectively, in the example). When you have saved and activated your changes in the admin console, check the WebLogic command output window to verify that your Identity and Trust keystores were loaded with no problems.

You have now successfully configured the two-way SSL with Custom Identity and Custom Trust store. Rest of the configuration is same in both the cases. You need to configure Default Identity Asserter and make required changes to applications web.xml as mentioned earlier.

Troubleshooting

First step should be to enable the security log for your server. To enable the logs, follow the steps given below-
Step 1: Login to WebLogic Admin Console
Step 2: Select domain -> Environment -> Servers
Step 3: Select the Server (For example: AdminServer)
Step 4: Select Debug tab
Step 5: Expand the weblogic debug scope and enable security log
Step 6: Save the settings and restart server (if required)

After logging is enabled, you can check the server logs and look for a possible cause.

Note: You might see a lot of NoSuchAlgorithm exception that are being eaten by WebLogic server. WebLogic server looks for the best algorithm and in the process it generates those exceptions. Just ignore them.

Installation procedure for SSL Certificate in WebLogic

Installation procedure for SSL Certificate in WebLogic

BEA System’s WebLogic is one of the best e-commerce online transaction processing (OLTP) platforms. It’s a server software application which is efficiently developed to connect users in a distributed computing environment to assist the integration of mainframe applications, distributed corporate data and applications.

WebLogic server’s main features are the connectors which helps enable an inter-operation of legacy application on any client along with server applications, Enterprise JavaBean (EJB) components, resource pooling and connection sharing. This makes the applications capable enough to expand and cope with the increased use. An administration console with a user interface eases management tasks like common security features; such as, Secure Socket Layers (SSL) which make applications and transactions very secure by encrypting data transmissions with mechanisms for proper authentication and authorization.

Installing an SSL certificate properly is the best way to maintain authorization secure environment for data transmission. Here’s a step-by-step guide on how to successfully install an SSL on WebLogic.

Installation procedure for SSL Digital Certificate in WebLogic

1. First of all, download from your account the your_domain_com.p7b certificate file. It can be downloaded from the tab of “My Orders” by clicking on the order number and then the blue download link.

2. To install the certificate file to your keystore, run the following command:

keytool -import -trustcacerts -alias server -file your_domain_com.p7b -keystore your_domain.jks

A confirmation message pops up after this which reads “Certificate reply was installed in keystore” after which it asks if you want to trust the certificate, choose ‘y’ or ‘yes’.

The procedure of installing this file loads all the necessary certificates to your keystore. To use it, all you need to do is configure your server.

How to Configuring the Keystore in WebLogic

1. Expand the “Servers” node on your WebLogic server and choose the server you wish to configure.

2. After that, go to Configuration >> Key-stores and SSL
Several default key-stores or previously installed key-stores shall be displayed under ‘Keystore Configuration’.

3. Click the ‘Change…..’ link located under ‘Keystore Configuration’ to enable your new keystore.

4. Select ‘Custom Identity and Java Standard Trust’ as your keystore configuration type. Click on Continue.

5. Enter the full path to the your_domain.jks file on your server under ‘Custom Identity Keystore File Name’.

6. Choose jks for ‘Custom Identity Keystore Type’

7. The ‘Custom Identity Keystore Passphrase’ should be the password that you specified while creating the keystore.
In case you forgot the password, you will have to start the procedure of creating your keystore right from the start.

8. You will, once again be asked to enter the keystore password and confirm it.

9. Click ‘Continue’ and then Finish.

10. Now you got to go back to ‘Servers’ node and select the server you are configuring.

11. After that, go to Configuration >> Key-stores and SSL>> Click ‘Change…..’ link that lay under ‘Keystore Configuration’

12. On the page of ‘Configure SSL’ choose ‘Key Stores’ as the procedure in which identity and trust is stored for the WebLogic server.

13. Specify the ‘Private Key Alias’ and the ‘Passphrase’ which were used while creating your keystore.
‘Server’ is your alias if you are following the set of instructions mentioned here and the Keystore password is your passphrase.

14. Click Continue, then Finish
You will now have to reboot the WebLogic server.

15. Your keystore should now be installed and enabled.

Your browsers’ padlock icon should be displaying the locked position if you have successfully installed the SSL certificate.

Configure SSL on Weblogic

WebLogic Server 11g and 12c : Configure SSL for a Managed Server

By default WebLogic managed servers are configured with demo identity and trust information. This should be reconfigured to use real, or self-signed certificates. This article describes how this is done.

Create Keystores and Certificates

In order to configure SSL for a managed server, you are going to need identity and trust keystores and a certificate. If you don’t have a real certificate, you can create a self-signed certificate, as described here and in this article.

For this article we will use a self-signed certificate, created using the keytool utility. Perform the following steps as the “oracle” user.

Make a directory to hold the keystores.

$ mkdir ~/keystore
$ cd ~/keystore

Create the identity and trust keystores using the following commands. Notice the result of the hostname command is used in the “CN=” entry.

$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore identity.jks \
   -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 3600 -keysize 2048 -keypass password1

$JAVA_HOME/jre/bin/keytool -selfcert -v -alias selfsigned -keypass password1 -keystore identity.jks \
   -storepass password1 -storetype jks -validity 3600

$JAVA_HOME/jre/bin/keytool -export -v -alias selfsigned -file "`hostname`-rootCA.der" -keystore identity.jks \
   -storepass password1

# Trust? yes
$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned -file "`hostname`-rootCA.der" \
   -keystore trust.jks -storepass password1

We now have a self-signed certificate in a keystore will the following details, which will be referred back to later.

Identity Keystore: “/home/oracle/keystore/identity.jks”
Trust Keystore: “/home/oracle/keystore/trust.jks”
Alias: selfsigned
Store Password: password1
Key Password: password1
Valid for: 3600 Days (Approx 10 Years)

Clustered Environments

If you are working with WebLogic clusters spanning multiple machines, you have to make sure all certificates in the cluster are marked as trusted, otherwise the AdminServer will not be able to communicate with all the node managers.

Assuming you have a two node cluster, as described in this article, you would have to do the following.

Make sure you have followed the process described in the previous section on each of the machines making up the cluster before continuing.

Make sall certificates are available on all nodes by copying them into the keystore folders on each server.

cd ~/keystore
scp wls11g-1.localdomain-rootCA.der oracle@wls11g-2.localdomain:/home/oracle/keystore
scp oracle@wls11g-2.localdomain:/home/oracle/keystore/wls11g-2.localdomain-rootCA.der .

On the first node, load the certificate generated on the second node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-2.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1

On the second node, load the certificate generated on the first node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-1.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1

You can now continue with the rest of the configuration.

Configure SSL for Managed Server

This process should be followed for the AdminServer and all managed servers.

In the WebLogic Server Administration Console, click on “Servers” in the “Domain Structure” tree.
Click on the managed server you wish to configure.
Click on the “Configuration > Keystores” tab and sub-tab.
If you are running on production mode, click the “Lock & Edit” Button.
Click the “Change” button next to the “Keystores” setting.
Select the “Custom Identity and Custom Trust” option and click the “Save” button.
Enter the identity details. For example.
- Custom Identity Keystore: /home/oracle/keystore/identity.jks
- Custom Identity Keystore Type: JKS
- Custom Identity Keystore Passphrase: password1
- Confirm Custom Identity Keystore Passphrase: password1
Enter the trust information. For example.
- Custom Identity Keystore: /home/oracle/keystore/trust.jks
- Custom Identity Keystore Type: JKS
- Custom Identity Keystore Passphrase: password1
- Confirm Custom Identity Keystore Passphrase: password1
Click the “Save” button.
Click the “SSL” tab.
Enter the identity details. For example.
- Private Key Alias: selfsigned
- Private Key Passphrase: password1
- Confirm Private Key Passphrase: password1
Click the “Save” button.
If you are running in production mode, click the “Activate Changes” button.
Restart the managed server.

The managed server will now be using the new identity and trust keystores.

Configure Node Manager

Edit the “$WL_HOME/common/nodemanager/nodemanager.properties” file, adding the following entries. The values used reflect the information used to create the keystores above.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/home/oracle/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=password1
CustomIdentityPrivateKeyPassPhrase=password1
CustomIdentityAlias=selfsigned
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/oracle/keystore/trust.jks
CustomTrustKeyStorePassPhrase=password1

Restart the node manager.

Basic Constraints Extension Error

If you are using an older JRE, like Java 1.6, you may get the following type of error in the AdminServer logs.

<BEA-090548> <The certificate chain received from ??? contained a V3 CA certificate
which was missing the basic constraints extension>

To fix this we need to replace the old certificates used by the JRE, and therefore keytool, when generating our self-signed certificates.

Perform the following operations as the “oracle” user.

Test you know the password for the JREs keystore. The default is “changeit”.

cd $JAVA_HOME/jre/lib/security
$JAVA_HOME/bin/keytool -keystore cacerts -list -storepass changeit

If that works, you are good to proceed.

cd $JAVA_HOME/jre/lib/security
chmod 755 cacerts
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrust2048ca -storepass changeit

Download the following updated certificates and place them in the security directory on the server.

entrust_l1c.cer (L1C chain certificate)
entrust_2048_ssl.cer (2048 chain certificate)
entrust_ssl_ca.cer (1024 root certificate)

Perform the following commands to load the certificates. The comment above certain commands gives you an idea of answers to prompts, or possible outcomes.

# Trust? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer -storepass changeit
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer -storepass changeit
# Overwrite? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer -storepass changeit
# May fail. That's OK.
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrustsslca -storepass changeit

You will have to recreate the keystores you built previously, so they will use the new certificates.

Once this is done, restart the node manager and any domains using the identity and trust keystores.

Recent Posts

Pages

Categories

Archives

Recent Comments