Friday, June 25, 2010

Configuring Certificate Based Authentication in WebLogic 10.3.3

In my previous post, I discussed the steps needed to configure 2-way SSL in WebLogic. As a step further, in this article I will discuss the steps needed to create an environment for certificate-based authentication.

Following are my assumptions -
  • Weblogic Server has been setup for 2-way SSL for a principal with the name robert.brown
  • Client certificate/key for robert.brown has been imported into the browser's Personal identity store
  • User robert.brown has been created in the Weblogic Server and assigned to group AuthorizedGroup
  • AuthorizedRole is mapped to AuthorizedGroup
  • Web application (war) with CLIENT-CERT based authentication method is deployed in the Weblogic Server. The application allows access to all users in the AuthorizedRole role. This configuration is setup in the web.xml of the web application.
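The web.xml and weblogic.xml configuration described in the last assumption, as an added example that is not from the original post: it protects every URL of the application (the /* pattern is an assumption), requires SSL for those URLs, selects the CLIENT-CERT authentication method, and maps AuthorizedRole to AuthorizedGroup in weblogic.xml.

```xml
<!-- WEB-INF/web.xml (added example; /* is an assumed URL pattern) -->
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Only principals in AuthorizedRole may reach the protected URLs -->
    <auth-constraint>
      <role-name>AuthorizedRole</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL forces the request onto the SSL port, where the
         client certificate is presented during the handshake -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- CLIENT-CERT: the container takes the identity from the X.509
       certificate (via the identity asserter) instead of a login form -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>AuthorizedRole</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/weblogic.xml: map the role to the WebLogic group -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>AuthorizedRole</role-name>
    <!-- every member of AuthorizedGroup (e.g. robert.brown) gets the role -->
    <principal-name>AuthorizedGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

Without the CONFIDENTIAL transport guarantee a request on the clear port would reach the constraint with no certificate and be rejected rather than redirected to SSL.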
Now, to set up certificate-based authentication for this application, perform the following steps in the Weblogic Server

Logon to Weblogic Admin Console
Click Security Realm
Click myrealm
Click Providers
Click New button
Select DefaultIdentityAsserter
Enter an appropriate name
Click the newly created IdentityAsserter
Add X.509 to Chosen
Click ProviderSpecific tab
Select CN in Default User Name Mapper Attribute Type. This assumes that the user name is the CN of the subject name in the certificate
Check Use Default User Name Mapper
Click Save
Restart Server

To test, enter the URL of the web application. If the browser has multiple personal keys installed, it should ask which key is to be used for SSL; after a key is chosen, the user should automatically be logged in as robert.brown in the web application.

Configuring Two way SSL in Weblogic 10.3.3

This involves the following steps -
  • Creation of Identity for Weblogic Server
  • Creation of Personal Identity for the user
  • Creating trust for the Personal Identity for the user in WebLogic Server
  • Configuring SSL
Creation of Identity for Weblogic Server

This involves the following steps
  • Creation of Identity Keystore, Key and Certificate
  • Configuration of Keystore in WebLogic Server
Creation of Identity Keystore, Key and Certificate

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\identity>keytool -genkey -alias server.identity -dname "CN=,OU=ORG,O=Company" -keypass server.identity.password -keystore identity.jks -storepass identity.password

Configuration of Keystore in WebLogic Server

Go to Weblogic Admin Console
Click Environments
Click Servers
Click the Server (for example AdminServer)
Click KeyStores tab
Click Change button for Keystores and select Custom Identity and Java Standard Trust
Click Save
Enter the location for identity.jks in Custom Identity Keystore
Enter JKS for Custom Identity Keystore Type
Enter identity.password for Custom Identity Keystore Passphrase and its confirmation

Creation of Personal Identity for the user

This involves the following steps
  • Creation of Client Personal Identity Key pair
  • Getting the Key pair signed by a CA
  • Generate a PKCS12 Keystore to import into Internet Explorer
  • Installing the Key in a browser for 2-way SSL
Creation of Client Personal Identity Key pair

Go to the WebLogic domain directory and run setDomainEnv.cmd from its bin directory

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>java utils.CertGen -certfile robert.brown.identity.cert -keyfile robert.brown.identity.key -keyfilepass robert.brown.identity.key.password -cn robert.brown

Generating a certificate with common name robert.brown and key strength 1024 issued by CA with certificate from D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\CertGenCA.der file and key from D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\CertGenCAKey.der file

The following files are created -

robert.brown.identity.cert.der
robert.brown.identity.cert.pem
robert.brown.identity.key.der
robert.brown.identity.key.pem

Please note that this step signs the certificate with the WebLogic test CA (CertGenCA, marked "FOR TESTING ONLY"). The CA's private key, CertGenCAKey.der, is read from server\lib as shown above and ships with every WebLogic installation, so any holder of a WebLogic distribution can issue a certificate for any CN that this CA will vouch for. Use it only for testing and replace it with your own CA before relying on certificate-based authentication.

Generate a PKCS12 Keystore to import into Internet Explorer

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>java utils.ImportPrivateKey -keystore robert.brown.identity.p12 -storepass robert.brown.identity.password -storetype pkcs12 -keypass robert.brown.identity.password -alias robert.brown.identity -certfile robert.brown.identity.cert.pem -keyfile robert.brown.identity.key.pem -keyfilepass robert.brown.identity.key.password

Imported private key robert.brown.identity.key.pem and certificate robert.brown.identity.cert.pem into a new keystore robert.brown.identity.p12 of type pkcs12 under alias robert.brown.identity

The following file is created

robert.brown.identity.p12

Installing the Key in a browser for 2-way SSL

Open Internet Explorer
Open Tools
Click Content Tab
Click Certificates button in Certificates section
Click Trusted Root Certification Authorities tab
Click Import and in the Certificate Import Wizard import D:\Oracle\Middleware\wlserver_10.3\server\lib\CertGenCA.der
You should now see a self-signed certificate issued to CertGenCAB in the Trusted Root Certification Authorities tab
Click Personal tab
Click Import and in the Certificate Import Wizard import robert.brown.identity.p12 and enter password robert.brown.identity.password
You should now see an entry in the Personal tab issued to robert.brown and issued by CertGenCAB

Creating trust for the Personal Identity for the user in WebLogic Server

This involves the following steps
  • Installing the WebLogic test CA in the truststore
  • Installing the Client certificate in the truststore
  • Configuration of Truststore in WebLogic Server
Installing the WebLogic test CA in the truststore

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>keytool -importcert -trustcacerts -alias ca -file D:\Oracle\Middleware\wlserver_10.3\server\lib\CertGenCA.der -keystore trust.jks -storepass trust.password

Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 234b5559d1fa0f3ff5c82bdfed032a87
Valid from: Thu Oct 24 23:54:45 CST 2002 until: Tue Oct 25 23:54:45 CST 2022
Certificate fingerprints:
MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
Signature algorithm name: MD5withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:1
]

Trust this certificate? [no]: yes
Certificate was added to keystore

Installing the Client certificate in the truststore

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>keytool -importcert -trustcacerts -alias robert.brown -file robert.brown.identity.cert.der -keystore trust.jks -storepass trust.password

Certificate was added to keystore

Configuration of Truststore in WebLogic Server

Go to Weblogic Admin Console
Click Environments
Click Servers
Click the Server (for example AdminServer)
Click KeyStores tab
Click Change button for Keystores and select Custom Identity and Custom Trust
Click Save
Enter the location for trust.jks in Custom Trust Keystore
Enter JKS for Custom Trust Keystore Type
Enter trust.password in Custom Trust Keystore Passphrase and its confirmation
Click Save

Configuring 2-way SSL

Click SSL tab
Enter server.identity in Private Key Alias
Enter server.identity.password in Private Key Passphrase and its confirmation
Click Save
Click Advanced
Select Client Certs Requested and Enforced in Two Way Client Cert Behavior
[Note: ensure that Listen Port Enabled remains checked, so the clear (non-SSL) port stays available and you can still log in over it if the SSL configuration does not work]

To test, open Internet Explorer and open the URL https://localhost:7002/console. If you have multiple client certificates in the browser, it will prompt which certificate to use. Also, since the server certificate is not in the browser's trusted list, there will be a warning.