Sunday, July 1, 2018

Adaptive Access and Fraud Prevention




Adaptive Access delivers risk-aware, context-driven access management. The Adaptive Access service is built on a scalable, fault-tolerant, multi-tier deployment architecture including the following components:
  • Adaptive Access Administration for managing the Adaptive Access Server. 
  • Adaptive Access Server consisting of three layers: Presentation leveraging the strong authenticator functionality using the interfaces provided by the business layer to access its services; Business Logic containing the core application logic that implements the risk-analyzing engine; and Data Access connecting the environment to the supported relational database systems. 


Adaptive Access supports the following functionality:
  •  Real-time and batch risk analytics to address fraud and misuse across multiple channels of access (real-time evaluation of multiple data types helps stop fraud as it occurs). 
  •  Device fingerprinting, real-time behavioral profiling and risk analytics harnessed across both web and mobile channels. 
  • Risk-based authentication methods including knowledge-based authentication (KBA) challenge infrastructure with server-generated one-time passwords (OTP). 
  • Standard integration with Oracle Identity Management (Identity Governance and Access Management). 
  •  Leverages Access Management’s core services and enhances its authentication methods. 
  • Key support for mobile devices using Access Management’s Mobile and Social service.
Adaptive Access includes the following features:
  • Auto learning: A mixture of real-time and predictive auto-learning technology is used to profile behavior and detect anomalies (recognize high risk activity and proactively take actions to prevent fraud and misuse). Auto-learning automates risk evaluations and keeps track of changing behaviors. 
  • Configurable risk engine: Flexible architecture supporting three methods of risk evaluation that work concurrently to evaluate risk in real-time: configurable rules, real-time behavioral profiling, and predictive analysis. 
  • Virtual authentication devices: Server-driven services (i.e., no client-side software or logic that can be compromised by key-loggers and other common malware – personalized images and phrases are known only to the server and the end user). The security of the user credentials during entry is ensured by not capturing or transmitting the actual credential of the end user (strong authentication). Virtual authentication devices include TextPad, a personalized device for entering a password or PIN using a regular keyboard (defends against phishing); PinPad, a lightweight authentication device for entering a numeric PIN; QuestionPad, a personalized device for entering answers to challenge questions using a regular keyboard; and KeyPad, a personalized graphics keyboard used to enter alphanumeric and special characters (passwords and other sensitive data such as credit card numbers). 
  • Device fingerprinting: Designed to support desktops, laptops, mobile devices or other web-enabled devices, providing standard browser-based access and mobile browser-based access without additional client software. Adaptive Access device fingerprinting integrates with the Access Management Mobile and Social SDK and REST interface, and monitors multiple device attributes. 
  • Knowledge-based authentication (KBA): Secondary authentication in the form of KBA questions presented after successful primary authentication. The KBA infrastructure handles registration, answers, and the challenge of questions. Adaptive Access Management's rules engine and organizational policies are responsible for determining if it is appropriate to use challenge questions to authenticate the customer. 
  • Answer Logic: Increases the usability of KBA questions by accepting answers that are fundamentally correct but may contain a small typo, abbreviation, or misspelling. 
  •  OTP Anywhere: Risk-based challenge mechanism consisting of a server-generated one-time password (OTP) delivered to an end user via SMS, email, or instant messaging. The challenge processor framework supports custom risk-based challenge solutions combining third-party authentication products with Adaptive Access real-time risk evaluations. 
  •  Mobile access security: Security policies available with Adaptive Access can dynamically adjust when user access originates from a mobile device. IP geo-location velocity rules behave differently if the access request is via a cellular connection or Wi-Fi. When used with Mobile and Social, Adaptive Access provides device fingerprinting, device registration, risk-based challenge mechanisms, and lost and stolen device handling. 
  • Universal Risk Snapshot: Allows an administrator to instantly save a full copy of all Adaptive Access policies, dependent services, and configurations for backup, disaster recovery, and migration. 
  • Fraud investigation: Forensic interface for security analysts and compliance officers allowing agents to save “case” information in a repository. 
  • Adaptive policy management: Policies and rules are designed to handle patterns or practices, or specific activities. The administrator can define when rules should be executed, the criteria used to detect various scenarios, the group to evaluate, and the appropriate actions to take when suspicious activity is detected. 
Adaptive Authentication with Oracle Mobile Authenticator

Oracle Mobile Authenticator is a token-based authentication mobile app available for download from the Apple Store and Google Play. Oracle Mobile Authenticator enables organizations to cost-effectively provide strong authentication and prevent unauthorized access to vital company and customer data by generating a time-based security code or one-touch notification enabling soft-token authentication. As part of the Oracle Access Management platform, Oracle Mobile Authenticator leverages adaptive, dynamic authentication and strong authentication services.

For technical implementation, please refer to my other blogs.

Identity Federation


Identity Federation :- The Identity Federation service is an integral part of the Oracle Access Management platform, leveraging the authentication core services such as credential collectors and authentication plug-ins.
Identity Federation services can protect both on-premise and cloud resources leveraging several industry standards:


  •  SAML-based federation (authentication, attribute sharing)
  •  OpenID-based federation (delegated authentication) 
  •  OAuth-based federation (delegated authorization) 
  •  Social-identity-based federation (redirected authentication) 
  •  Form-fill-based federation (Access Portal) 


Identity Federation services are enabled from the central access management console.




Identity Federation services are seamlessly weaved into the authentication and authorization process.

Identity Federation leverages the Access Management platform’s shared services.

SAML-Based Federation :- The Security Assertion Markup Language (SAML) is an open framework for sharing security information on the Internet through XML documents.
SAML was originally designed to address the following requirements:


  •  Limitations of web browser cookies to a single domain: SAML provides a standard way to transfer security information across multiple Internet domains (Note: Cross domain SSO can be supported by Oracle Access Management (without federation) if all domains leverage the same Access Management server – in all other cases, Access Management Identity Federation is required).
  •  Proprietary web single sign-on (SSO): SAML provides a standard way to implement SSO within a single domain or across multiple domains. 
  • Federation: SAML facilitates identity management (e.g., account linking when a single user is known to multiple web sites under different identities). 
  • Web Services Security: SAML provides a standard security token (a SAML assertion) that can be used with standard web services security frameworks (e.g., WS-Security, WS-Trust, etc.). 
  • Identity propagation: SAML provides a standard way to represent a security token that can be passed across the multiple steps of a business process or transaction. 

Typically, SAML involves two parties: 
  • Identity Provider (IdP): Asserting party that provides identity information to other services. 
  • Service Provider (SP): Relying party that consumes the identity information sent by the asserting party to grant access to services hosted by the SP. 


Oracle Access Management Identity Federation supports a large set of use-case scenarios: 

  •  Known name or attribute: Email address, X.509 Subject Name, Windows Domain Qualified Name, Kerberos Principal name, Attribute (e.g., employee number). 
  • Opaque identifier: The principal is identified by a persistent randomized string private to the identity provider and service provider pairs. 
  • Anonymous user: The principal is never explicitly identified by a persistent identifier, i.e., there’s no need to maintain a user (principal) entry at the service provider. 
  •  Attribute Sharing: Identity Federation’s attribute-sharing plug-in allows Oracle Access Management to request user attributes from an identity provider. 
  • Identity Provider Proxy: This use case involves three parties: Original Service Provider; Proxying Identity Provider (Oracle Access Management Federation acting as Identity Provider and becoming a Service Provider); and Proxied Identity Provider (Oracle Access Management services that authenticate the user). 


Oracle Access Management Fedlet :- 

Fedlet provides a standalone, light-weight SAML 2.0-compliant component for a Service Provider (SP) interacting with Access Management Identity Federation or a third-party SAML Identity Provider (IdP). 
Fedlet can be embedded and integrated with an application at development time. Fedlet can be deployed on premise or in the cloud supporting multiple environments: 
  • Java version deployable as a Web Archive (WAR) on Oracle WebLogic Server and other market-leading Java EE containers. 
  •  .NET version designed to support asp.net applications, deployable to Microsoft IIS (DLL) . 
Additionally, Fedlet can be deployed in conjunction with an IdP Discovery Service allowing users to select a preferred IdP. 


OpenID-Based Delegated Authentication :-

OpenID is a delegated authentication standard that any web site can leverage without having to develop its own authentication system. The OpenID standard allows a user to log in to multiple OpenID-enabled sites with a single OpenID token. Identity data is communicated through the exchange of an OpenID identifier (a URL or XRI chosen by the end user), and the Identity Provider provides OpenID authentication. Oracle Access Management Identity Federation supports the following functionality: 

  • OpenID 2.0 Authentication and SSO: An OpenID token contains the NameID of the user and (optionally) attributes; outgoing tokens (or “assertions”) are signed.
  •  OpenID 2.0 NameID Format: OpenID defines the NameID as being a random string. Identity Federation uses one of the following as the value for the NameID: a hashed user attribute (such as the DN), or a generated random value stored in the Federation Data Store (which requires the use of a Federation Data Store). 

OAuth Delegated Authorization 

OAuth (Open Authorization) is an industry standard designed to support delegated authorization. Before OAuth, if a third-party (e.g., a money manager) wanted to access your account, you’d have to share your credentials with them, thus compromising your environment. 

OAuth was originally designed to allow a User (Resource Owner) to transparently share his private data stored on one site (Service Provider, or Resource Server) with another site (Consumer, or Client). 
With the advent of OAuth 2.0, the original consumer-centric delegated authorization use case extends to the enterprise and the cloud. OAuth 2.0 enables a third-party application to obtain access on its own behalf (two-legged process) or obtain limited access to an HTTP service on behalf of a Resource Owner by orchestrating an approval interaction between the Resource Owner and the HTTP Service Provider (three-legged process).
Although the focus today is on mobile clients, OAuth was originally intended for web applications that need access to resources owned by private users.

Oracle Access Management’s Support for OAuth 

OAuth is supported by multiple Oracle Access Management services: 

  • Oracle Access Management Identity Federation (licensed for web clients only, i.e., non-mobile). 
  • Oracle Access Management Mobile and Social (licensed for both web clients and mobile clients). 
  • Oracle API Gateway (typically, OAG acts as the resource server while the Oracle Access Management OAuth service acts as the authorization server; an OAG filter validates the Access Management OAuth token before allowing access to the resource). 
  • Web Services Manager (future release): OAuth client-side support and integration with Oracle Access Management OAuth service for obtaining an access token, propagating it to a WSM-protected resource, and verifying the access token on the service side. 

Identity Federation OAuth Service 

The Identity Federation OAuth service extends the Access Management server (both administration and runtime) to provide Token Issuance, Token Validation, Token Revocation and User Flows in accordance with the OAuth 2.0 standard. The OAuth service increases security by eliminating the use of end-user passwords in many service-to-service interactions and reduces administrative costs by centralizing trust policies and associations in a large deployment. 

The standard OAuth service is implicitly enabled if the Oracle Access Management Identity Federation service is enabled. To also enable Mobile OAuth, the Mobile and Social service (described later in this document) must be enabled in addition to the Identity Federation service.

Oracle Access Management Cloud Federation 
  •  Microsoft Office 365 SAML 2.0 federation: Oracle Access Management Identity Federation is the Identity Provider, MS Office 365 is the Service Provider 
  • WS-Federation Passive Requester Profile: Cross-domain Web SSO (HTTP Redirect, HTTP Post), local log out supported (i.e., log out is not broadcast to all WS-Federation endpoints in the circle of trust). 
  • Web Services and APIs Security: Support for federation and delegated authorization with Salesforce, Google, Amazon AWS, SQS.

For technical implementation, please refer to my other blogs.

Oracle Access Management Core Services


Oracle Access Management core services provide the primary perimeter access control services for the whole Oracle Access Management platform, including web authentication, web single sign-on (SSO), and coarse-grained authorization.
Oracle Access Management core services are deployed in a layered architecture across web, application, and data tiers, as shown below:




1) Users access protected web applications by authenticating to Oracle Access Management. 
2) The user request is intercepted by a filter referred to as WebGate acting as a Policy Enforcement Point (PEP) deployed in the DMZ. 
3) The WebGate communicates with Oracle Access Management’s policy server, which acts as the Policy Decision Point (PDP).
4) The administrator sets up security policies and selects authentication schemes from the administration console, which acts as the Policy Administration Point (PAP). 
5) If authentication is successful, a cookie is returned to the user’s browser to enable repeated log-ins to the same application or SSO with other web applications similarly protected by Oracle Access Management. 
6) For authorization, the WebGate prompts the Access Management policy server to look up authorization policies. The Access Management policy server evaluates the user’s identity and determines the user’s level of authorization for the requested resource (coarse-grained authorization). 

A few more features of Oracle Access Management, in short:-

Persistent log-in :- OAM lets users log in without credentials after the first-time log-in, based on configurable cookie technology. This capability, known as “persistent log-in,” is enabled by the application domain’s system administrator.

Basically this means that OAM will have the option to remember a user’s session for some defined period of time so even if they close their browser, they’ll be able to log back in again without providing credentials.

At a high level you need to perform the steps below to set up persistent login :-

  • Check the “Allow Persistent Login” option on your Application Domain.
  • Run a WLST command to enable persistent login globally in OAM
  • Create a new Authentication Scheme with an additional Challenge Parameter: enablePersistentLogin=true
  • Associate your resources with this new Authentication Scheme.
  • For your Authorization Policies, add a new session response called allowPersistentLogin with value true.
All of these steps are fairly straightforward from the product documentation.

WNA/Kerberos:- Oracle Access Management supports Windows Native Authentication (WNA), whereby a client logs in to their Windows desktop, opens a browser, navigates to an Access Management protected HTTP resource, and is let in using the Kerberos service ticket without being challenged. Credentials are sent to the Access Management runtime servers for collection, regardless of where the login pages are (sample log-in pages are provided out-of-the-box). Find more details in my other blogs. 

DCC (detached credential collector) :- Oracle Access Management extends WebGate 11g with a detached credential collector (DCC) capability enabling the decoupling of credential collection from the server, thus providing additional security (end-user HTTP sessions get terminated in the DMZ) and reducing overhead on the server in addition to improving performance. Find more details in my other blogs. 

Session Management :- Oracle Access Management supports the session management life cycle (session life time, idle timeout, maximum number of sessions, database persistence of active sessions). Server-side session management allows for advanced session management across nodes via Oracle Coherence-based caching. Client-side session management stores the session details in the browser cookie with no information saved on the server side (stateless session), providing higher performance and smaller footprint than server-side session management. 

For technical implementation, please refer to my other blogs.











Sunday, June 24, 2018

Overview of OAM(Oracle Access manager)



1) What is OAM (Oracle Access Manager)?
→ Oracle Access Management is a Java, Enterprise Edition (Java EE)-based enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services including identity context, authentication and authorization; policy administration; testing; logging; auditing; and more.

→ It leverages shared platform services including session management, Identity Context, risk analytics, and auditing, and provides restricted access to confidential information.

  

Oracle Access Management is an integrated platform providing the following services:

·         Access Management Core Services: Authentication, web SSO, coarse-grained authorization for enterprise applications deployed on premise or in the cloud.

Oracle Access Management core services provide the primary perimeter access control services for the whole Oracle Access Management platform, including web authentication, web single sign-on (SSO), and coarse-grained authorization.
Oracle Access Management core services are deployed in a layered architecture across web, application, and data tiers.


·         Identity Federation: Cross-Internet-domain authentication and delegated authorization supporting industry standards such as SAML, OAuth, and OpenID. Social log-on using social network identities is supported.

·          Mobile Security: Lightweight mobile, cloud, and social networks interface to access corporate resources via industry standards such as OAuth. The Mobile and Social service allows mobile clients such as smart phones to leverage the backend Access Management infrastructure for adaptive authentication, SSO, fine-grained authorization, risk analysis and fraud detection.

·         Access Portal Service: A web-based central launch pad allowing users to federate all their applications through SAML, OAuth, or Form-Fill. Access Portal provides the foundation to build a private or public cloud SSO service.

·         Adaptive Access and Fraud Detection: Strong, multi-factor authentication and heuristic fraud detection.

·         Fine-grained Authorization: External, centralized, fine-grained, attribute-based authorization compliant with the Extensible Access Control Markup Language (XACML) standard.

·         API Security: First line of defense for REST APIs and web services, typically deployed in the DMZ, supporting protocol transformation, API firewalling, authentication, and authorization.

·         SOA Security: Last-mile security component co-located with the resource endpoint, designed to protect against man-in-the-middle attacks.

·         Security Token Service: Trust brokerage between different, heterogeneous infrastructure tiers by creating,validating and consuming standard security tokens such as SAML assertions or Kerberos tokens.

·         Rich-Client-Based Enterprise SSO: Standalone component suite installed on a Microsoft Windows PC to provide SSO to rich client applications. Browser-based Enterprise SSO is available through Access Portal.

·         OAuth Services: Allows organizations to implement the open OAuth 2.0 web authorization protocol in an Access Manager environment. OAuth Services enables a client to access resources protected by Access Manager that belong to another resource owner. An OAuth client can be an application or service created and controlled by your organization, or it can be an application or service created and controlled by another organization that requires access to resources protected by Access Manager.

2) What are the components in Access Manager?
→ Access Manager sits on an instance of Oracle WebLogic Server and is part of the Oracle Fusion Middleware Access Management architecture.

                              Access Manager Components and Services



Access Manager Component Distribution
 
Oracle Access Management Console resides on the Oracle WebLogic Administration Server (referred to as AdminServer). WebLogic Managed Servers hosting OAM runtime instances are known as OAM Servers. Information shared between the two includes:

·         Agent and server configuration data
·         Access Manager policies
·         Session data (shared among all OAM Servers)



Hope this post is useful for you to understand the basic components and services of OAM. I will cover more on OAM in my next blogs. Please subscribe for more updates, and post your comments, feedback or questions in the comment box below.




Saturday, June 23, 2018

WebGate Installation failed for Windows IIS Web Server During Configuration Stage

In this blog I am going to explain a common issue faced during installation of the 11g WebGate (11.1.2.3) on a Windows 2012 R2 IIS web server.

Issue :-


1) While executing ConfConfigureIISWebGate.bat as part of the WebGate installation on a Windows 2012 R2 IIS web server, it failed with the error 

" 'rm' is not recognized as an internal or external command,operable program or batch file. "

Components used :-

  • Oracle Access Manager 11.1.2.3.0
  • Oracle Access Manager 11.1.2.3.0 Webgate Installer for Windows IIS WebServer
  • OAM webgate 11.1.2.3 for IIS on Windows Server 2012 R2
Cause :-

During installation the script creates a tmp file in the same location where ConfConfigureIISWebGate.bat is present, but due to a code defect in the ConfConfigureIISWebGate.bat file it tries to remove that file using the "rm" command, which is not a valid Windows command (rm is mainly used on Linux to remove files), and as a result it fails with the error message above. 

Workaround:- Edit ConfConfigureIISWebGate.bat, locate the "rm tmp" keyword and replace it with "del /f tmp", save the file and re-execute the command. It will work without any issue :) 

2) Another issue you may commonly encounter during ConfConfigureIISWebGate.bat execution: the command fails with the error mentioned below 

Creating virtual directory for "Default Web Site" ........
Failed to process input: The parameter 'Site' must begin with a / or - (HRESULT=80070057). Failed to process input: The parameter 'to' must begin with a / or - (HRESULT=80070057).


Cause :- 
If there is white space in the IIS site name, the command fails because it cannot recognize the web site name completely due to the white space. 

For example, if you are trying to install the WebGate for the "Default Web Site" in IIS using the command below, it is not able to recognize the default site due to the white space between the words.

ConfigureIISConfConfigureIISWebGate.bat -oh C:\oracle\product\11.1.2.3 -w C:\oracle -site Default Web Site


Workaround :- 

Instead of the above command, put the site name within double quotes (" "), i.e. use a command like 

ConfigureIISConfConfigureIISWebGate.bat -oh C:\oracle\product\11.1.2.3 -w C:\oracle -site "Default Web Site"

or 
ConfigureIISConfConfigureIISWebGate.bat -oh C:\oracle\product\11.1.2.3 -w C:\oracle -site "My Website"

Hope this post is helpful in resolving the issue. Please leave your comments and feedback in the comment section and subscribe to my blog to get more updates on OAM-related issues and simple workarounds. 










Wednesday, June 13, 2018

Update the oam-config.xml file Without Restarting the Server

In this blog I am going to explain how we can update the oam-config.xml file without restarting the servers.


Goal :-
How can we update the oam-config.xml file without having to restart the server?


Workaround :-

Note: Manual edits to the oam-config.xml file are not recommended. Take a backup of this file before editing it.

Generally, in order to modify or update the oam-config.xml file, a server restart needs to be done for the changes to take effect. However, this can be achieved without restarting the server by following the steps below:-

·         Take a proper backup of the oam-config.xml file. Always take a backup before making any manual changes.
·         Edit the file and perform the required modification.
·         Search for "NGAMConfiguration" and make the modification as below.

<Setting Name="NGAMConfiguration" Type="htf:map">
<Setting Name="ProductRelease" Type="xsd:string">11.1.1.5.0</Setting>
<Setting Name="Version" Type="xsd:integer">2</Setting>


Note :- In order to apply the changes without having to restart the server, update the "Version" setting to the next integer value before saving the changes.

That’s ALL !!  Hope you liked the post.


Activation Failed for Custom plugin in OAM



In this blog I am going to cover a common issue faced during the deployment of any custom plugin in OAM(Oracle Access Manager).

Issue:-   When someone tries to deploy any custom or new plugin (having a size > 2 MB) in OAM through the OAM console, the deployment of the plugin fails with the error message <BEA-000000> <Action failed due to inconsistent status of plugin in different managed servers.>

Steps to Reproduce :- 
·         Log in to the OAM Console and navigate to Application security -> Authentication Plugins 
·         Select any out-of-the-box plugin that you want to deploy.
·         Scroll down and click on 'Activation status'. You will see the error message shown in the screenshot.


·         Also in the AdminServer logs you will notice the error message below.
<Aug 15, 2016 7:41:27 PM EDT> <Error> <oracle.oam.extensibility.lifecycle
<BEA-000000> <Action failed due to inconsistent status of plugin in different
managed servers.>

Reason:- This is due to improper loading of the plugin configuration information from oam-config.xml, or to the plugin being oversized, which causes uneven distribution of plugin information in a clustered environment. 

Workaround :- In order to resolve the issue, you can directly update the “activation status” of plugin to true in oam-config.xml. To do so, follow the steps mentioned below:

·         Go to <OAMDomain_Home>/config/fmwconfig/
·         Edit oam-config.xml 
·         Search for the failed plugin name in the oam-config.xml file. In my case it is 'AdaptiveAuthenticationPlugin'. You will find the section below.
·         Now make sure the 'activated' status is 'true'.


·          Now increment the oam-config.xml version number by 1 in the section below. This should be in the beginning sections of oam-config.xml.

·                   Save the file and restart the Admin Server in the OAM domain.
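As an added example (not from this blog and not Oracle's tooling), the script below performs the two manual oam-config.xml edits described in this post and in the "Update the oam-config.xml file Without Restarting the Server" post above: it backs the file up, sets the named plugin's 'activated' flag to true, and increments the NGAMConfiguration "Version" counter so the server notices the change. The XML sample is constructed for the example; the NGAMConfiguration block follows the fragment quoted in the earlier post, while the shape of the plugin block, the file path and the plugin name are assumptions, so check them against your own file before using this on a real domain.

```python
"""Back up oam-config.xml, flip a plugin's 'activated' flag, bump Version.
Example code added to this page; it is not Oracle's tooling."""
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# Constructed sample. NGAMConfiguration follows the fragment quoted in the post;
# the plugin block is an ASSUMED shape, not copied from a real oam-config.xml.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="NGAMConfiguration" Type="htf:map">
    <Setting Name="ProductRelease" Type="xsd:string">11.1.1.5.0</Setting>
    <Setting Name="Version" Type="xsd:integer">2</Setting>
  </Setting>
  <Setting Name="Plugins" Type="htf:map">
    <Setting Name="AdaptiveAuthenticationPlugin" Type="htf:map">
      <Setting Name="activated" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local(tag: str) -> str:
    """Strip any XML namespace prefix ('{uri}Setting' -> 'Setting')."""
    return tag.rsplit("}", 1)[-1]


def _child_setting(elem: ET.Element, name: str) -> Optional[ET.Element]:
    """Return the direct child <Setting Name=...> with the given Name, if any."""
    for child in elem:
        if _local(child.tag) == "Setting" and child.get("Name") == name:
            return child
    return None


def backup_file(path: Path) -> Path:
    """Copy the file aside before editing; returns the backup path."""
    bak = path.with_name(f"{path.name}.{time.strftime('%Y%m%d%H%M%S')}.bak")
    shutil.copy2(path, bak)
    return bak


def bump_version(root: ET.Element) -> int:
    """Increment NGAMConfiguration/Version by one and return the new value."""
    ngam = _child_setting(root, "NGAMConfiguration")
    version = _child_setting(ngam, "Version") if ngam is not None else None
    if version is None:
        raise ValueError("NGAMConfiguration/Version not found")
    new_value = int(version.text.strip()) + 1
    version.text = str(new_value)
    return new_value


def set_plugin_activated(root: ET.Element, plugin_name: str, activated: bool = True) -> bool:
    """Set the 'activated' flag under the named plugin; True if it was found."""
    for setting in root.iter():
        if _local(setting.tag) == "Setting" and setting.get("Name") == plugin_name:
            flag = _child_setting(setting, "activated")
            if flag is not None:
                flag.text = "true" if activated else "false"
                return True
    return False


def update_oam_config(path: Path, plugin_name: Optional[str] = None) -> dict:
    """Back up, optionally activate a plugin, bump Version, and write back."""
    backup = backup_file(path)
    tree = ET.parse(path)
    root = tree.getroot()
    plugin_updated = set_plugin_activated(root, plugin_name) if plugin_name else False
    version = bump_version(root)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return {"backup": backup, "version": version, "plugin_updated": plugin_updated}


def read_state(path: Path) -> dict:
    """Read back Version and every plugin 'activated' flag, for verification."""
    root = ET.parse(path).getroot()
    version = int(_child_setting(_child_setting(root, "NGAMConfiguration"), "Version").text)
    plugins = {}
    for setting in root.iter():
        flag = _child_setting(setting, "activated") if _local(setting.tag) == "Setting" else None
        if flag is not None:
            plugins[setting.get("Name")] = flag.text
    return {"version": version, "plugins": plugins}


def demo_on_temp_copy(plugin_name: str = "AdaptiveAuthenticationPlugin") -> dict:
    """Run the whole edit against a temporary copy of the constructed sample."""
    work = Path(tempfile.mkdtemp()) / "oam-config.xml"  # assumed path for the demo
    work.write_text(SAMPLE_OAM_CONFIG, encoding="utf-8")
    result = update_oam_config(work, plugin_name)
    result["after"] = read_state(work)
    return result


if __name__ == "__main__":
    print(demo_on_temp_copy())
```

The lookups match on the element's local name, so they still work if your oam-config.xml declares a default namespace on the root element. For the "no restart" case in the earlier post, call update_oam_config with no plugin name and only the Version bump is applied; for the plugin activation case, the restart of the Admin Server described in the step above is still required.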

After the restart, check the activation status of the plugin. It should now load properly and show the managed server names as given below. 







Hope this will be helpful for you. Please check my other posts and follow me to get more updates on OAM and WebLogic related issues and simple workarounds.


Monday, June 4, 2018

Configure SSL in Weblogic


Configure SSL for Weblogic Server :-


In this post I’d like to explain the basic steps to configure SSL in WebLogic Server. If you want a basic idea of SSL and how it works, please refer to my previous blog on SSL.

Note :- In this article I am going to cover only third-party CA certificate-based SSL configuration, not self-signed certificate-based SSL implementation.
To set up SSL :-


  • Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) for WebLogic Server. By default WebLogic managed servers are configured with demo identity and trust information. This should be reconfigured to use real, or self-signed, certificates.
  • Store the private keys, digital certificates, and trusted CA certificates. Private keys and trusted CA certificates are stored in a keystore.

Note: - WebLogic Server supports private keys and trusted CA certificates stored in files, or in the WebLogic Keystore provider, for the purpose of backward compatibility only.
  • Configure the identity and trust keystores for WebLogic Server in the WebLogic Server Administration Console.
  • Set SSL attributes for the private key alias and password in the WebLogic Server Administration Console. Optionally, set attributes that require the presentation of client certificates (for two-way SSL).

·         Obtain an identity (private key and digital certificates) and trust
To use SSL, the server needs a private key, a digital certificate containing the matching public key, and a certificate for at least one trusted certificate authority. WebLogic Server supports private keys, digital certificates, and trusted CA certificates from the following sources:-
  • The demonstration digital certificates, private keys, and trusted CA certificates in the WL_HOME\server\lib directory.

  • Sun Microsystems' keytool utility can be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR). Submit the CSR to a certificate authority (CA) to obtain a digital certificate for WebLogic Server.

  • The CertGen utility generates digital certificates and private keys that should be used only for demonstration or testing purposes and not in a production environment (I will cover it in other blogs).

This document covers mainly 2 activities to configure SSL:
1) Keystore/certificate creation
   i) Keystore/certificate creation using Java keytool
      a) Generate a keystore (JKS)
      b) Import the root and intermediate certificates
      c) Generate a CSR based on the JKS created
      d) Submit the request to the CA to get the server certificate (public key)
      e) Create a PEM (certificate chain) from the server certificate and import it into the JKS
      f) Create the identity and trust keystores
   ii) Keystore/certificate creation using EM Console
      a) Generate a keypair
      b) Generate a CSR
      c) Submit the request to the CA to get the server certificate
      d) Create a PEM (certificate chain) from the server certificate and import it into the keystore

2) WebLogic keystore configuration using the Administration Console

I am going to explain some methods to generate certificates and create identity and trust stores for WebLogic SSL configuration:-
1. Keystore/certificate creation using Java keytool
2. Keystore/certificate creation using EM Console

1. Keystore/Certificate Creation Using Java Keytool:-
  • keytool is a key and certificate management utility which comes with the JDK.
  • Make sure the java executable is added to the PATH environment variable.

  • Create a directory to store your keystores:
cd <directory_path_where_you_want_to_store_keystore>
mkdir mykeystore

  • Navigate to DOMAIN_HOME/bin and set the domain environment variables:
cd /<Domain_Path>/bin/
./setDomainEnv.sh

  • Navigate to the keystore directory created earlier and execute the keytool command to create a keystore. Provide the required passwords when prompted:
cd <directory_path_where_you_want_to_store_keystore>/mykeystore/
keytool -genkeypair -alias <alias_name> -keyalg RSA -keysize 2048 -dname "CN=mycompany.com, C=GB" -keystore mytestkeystore.jks

  • Make sure the mytestkeystore.jks file is created. The details of the keystore can be viewed using the command below:
keytool -list -v -keystore mytestkeystore.jks

  • Get the root and intermediate certificates from your certificate authority.
    Install each of the CA certificates as follows, starting with the CA root certificate and then the intermediate certificate, using this command:
keytool -import -noprompt -keystore <location of the jks file> -storepass <password of the jks> -alias "<Alias_name>" -file <location of downloaded root/intermediate certificate>

CSR (Certificate Signing Request) Creation Using Java Keytool
  • Make sure the java executable is added to the PATH environment variable and the domain environment is set as mentioned in the section above.
  • Navigate to the keystore directory and execute the keytool command below to generate the CSR.
Once the private key is generated and the CA certificates are installed, execute the following command to create the CSR:
cd /u01/app/oracle/product/fmw/mykeystore/
keytool -certreq -v -alias <Alias_name> -file mytestcertreq.csr -keystore mytestkeystore.jks

Copy the contents of the CSR file and submit it to the CA service to get the public key (the signed server certificate). This is the generated CSR file.

Once you have the public key from the certificate authority, follow the steps below to create the certificate chain.

Extract the intermediate, root and server certificates from the public key file by following these steps:-

  • Double-click on the certificate on a Windows system, or open it with the "Crypto Shell Extensions" viewer.
  • Go to the Certification Path tab, click on the root certificate and select the "View Certificate" option.
  • Go to the Details tab and click on the "Copy to File" option.
  • Do the same for the intermediate certificate as well.
  • Edit and copy the content of the server, intermediate and root certificates and paste them into a text editor in the sequence server → intermediate → root, and save the file as server_name.pem.

Import Certificate Using Java Keytool:-
Note:- You can either use one keystore as both the trust and identity store, or have separate ones, but it is recommended to keep these as two different keystores.

In order to keep them separate, copy mytestkeystore.jks and save it as mytestkeystore_trusted.jks.

No further command is needed for the trust keystore file: the root CA certificate extracted above was already imported into this JKS. Now we are creating the identity keystore.
In order to create the identity store, follow the steps below:-
  • Make sure the java executable is added to the PATH environment variable and the domain environment is set as mentioned in the section above.
  • Navigate to the keystore directory and execute the keytool command below to import the trust certificates received from the CA.
  • Navigate to the keystore directory and execute the keytool command below to import the signed server certificate chain (.pem file).
Note:- Use the same alias as the keypair used while generating the CSR.
keytool -importcert -v -alias mytestalias -file server_signed.pem -keystore mytestkeystore.jks
The above command turns mytestkeystore.jks into the identity keystore file, which then needs to be placed on the server.

Now we have the identity and trust keystores and need to configure WebLogic.
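The keytool procedure above (create the keystore, import the CA certificates, generate the CSR, build the server → intermediate → root chain and import it under the keypair alias) as one script. This is an added example, not code from the original post; the file names server.cer, intermediate.cer, root.cer and server_signed.pem, the alias mytestalias and the KEYSTORE_PASS variable are assumptions. It adds two things the post's commands do not: the chain builder strips Windows line endings and guarantees that the three PEM blocks do not run together, and every keytool call takes the keystore password from an exported environment variable (keytool's -storepass:env form) instead of the -storepass <password> form, which leaves the password in shell history and in the process list. It also builds the trust store from the CA certificates alone rather than by copying the identity JKS, so the private key never ends up in the trust store.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the keytool steps above:
# keystore creation, CA certificate import, CSR generation, chain assembly and
# chain import. File names, the alias and the KEYSTORE_PASS variable are assumptions.
# Every keytool call reads the password from the exported KEYSTORE_PASS variable
# (keytool's -storepass:env form) so it never appears on the command line.

need_pass() { [ -n "$KEYSTORE_PASS" ] || { echo "export KEYSTORE_PASS first" >&2; return 2; }; }

# init_keystore KEYSTORE ALIAS DNAME ROOT_CER INTERMEDIATE_CER
# Step 1 of the post: generate the RSA keypair, then import the CA certificates.
# Each CA certificate needs its own alias; the keypair alias is reserved for the server.
init_keystore() {
    need_pass || return 2
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -dname "$3" \
        -keystore "$1" -storetype JKS -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS || return 1
    keytool -importcert -noprompt -alias ca-root -file "$4" \
        -keystore "$1" -storepass:env KEYSTORE_PASS || return 1
    keytool -importcert -noprompt -alias ca-intermediate -file "$5" \
        -keystore "$1" -storepass:env KEYSTORE_PASS || return 1
}

# make_csr KEYSTORE ALIAS OUT_CSR: step 2, the request that is sent to the CA.
make_csr() {
    need_pass || return 2
    keytool -certreq -alias "$2" -file "$3" -keystore "$1" -storepass:env KEYSTORE_PASS
}

# pem_block FILE: print only the certificate block, without CR characters and always
# newline-terminated. Handles "Copy to File" exports from Windows and files that
# carry a "Bag Attributes" header or lack a final newline.
pem_block() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock                       { print }
        /-----END CERTIFICATE-----/   { inblock = 0 }'
}

# pem_count FILE: number of certificate blocks in FILE (prints 0 when none).
pem_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# build_chain SERVER_CER INTERMEDIATE_CER ROOT_CER OUT_PEM
# Step 3: the server -> intermediate -> root order the post describes. Refuses any
# input that does not hold exactly one certificate and verifies the result has three.
build_chain() {
    for f in "$1" "$2" "$3"; do
        [ "$(pem_count "$f")" -eq 1 ] || { echo "$f must contain exactly one certificate" >&2; return 1; }
    done
    { pem_block "$1"; pem_block "$2"; pem_block "$3"; } > "$4"
    [ "$(pem_count "$4")" -eq 3 ]
}

# import_chain KEYSTORE ALIAS CHAIN_PEM
# Step 4: import the chain under the SAME alias as the keypair, so keytool attaches it
# to the private key (a different alias would add a trustedCertEntry instead).
import_chain() {
    need_pass || return 2
    keytool -importcert -noprompt -alias "$2" -file "$3" -keystore "$1" -storepass:env KEYSTORE_PASS
}

# create_trust_store TRUST_KEYSTORE CA_CER...
# Builds the trust store from the CA certificates alone, so the private key is never
# inside the store WebLogic is told to trust (copying the identity JKS, as the post
# does, works but carries the private key along).
create_trust_store() {
    need_pass || return 2
    trust=$1; shift; n=0
    for ca in "$@"; do
        n=$((n + 1))
        keytool -importcert -noprompt -alias "ca$n" -file "$ca" \
            -keystore "$trust" -storetype JKS -storepass:env KEYSTORE_PASS || return 1
    done
}

# Usage, run from the keystore directory (assumed file names):
#   KEYSTORE_PASS='...'; export KEYSTORE_PASS
#   init_keystore mytestkeystore.jks mytestalias "CN=mycompany.com, C=GB" root.cer intermediate.cer
#   make_csr mytestkeystore.jks mytestalias mytestcertreq.csr        # send this file to the CA
#   build_chain server.cer intermediate.cer root.cer server_signed.pem
#   import_chain mytestkeystore.jks mytestalias server_signed.pem
#   create_trust_store mytestkeystore_trusted.jks root.cer intermediate.cer
```

The same keystore password is used for the store and the private key (-keypass:env), which is what the WebLogic SSL tab later asks for as the private key passphrase; use a different key password only if you are prepared to enter it separately there.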

2. Keystore/Certificate Creation Using EM Console (this is another way to create a keystore)

  • Log in to the Fusion Middleware EM Console using its URL and the WebLogic administrator credentials.
  • Navigate to WebLogic Domain -> Security -> Keystore.
  • Click the Create Keystore button.
  • Provide the new keystore details and click OK.
  • Verify the new keystore under the System stripe.

Keypair & CSR Creation Using EM Console
  • Select the new keystore and click Manage.
  • Provide the keystore password and click OK.
  • Click Generate Keypair, which creates a public-private keypair.
  • Provide the details for your new keypair and click OK.
  • Verify the new keypair details. Select it and click Generate CSR to generate a Certificate Signing Request.
  • Provide the password when prompted.
  • Copy the CSR content or export it to your local machine to send it to the third-party certificate authority, who will provide a digitally signed certificate and the trust certificates.

Note:- Now create a certificate chain (.pem) as mentioned above in the document, under certificate creation using keytool.

Import Certificates Using EM Console

  • Select the alias and click Import on the EM Console. Provide the keystore password when prompted.
Provide the details of the received certificates and click OK:
  • Select either Trusted Certificate or Certificate depending on the type of certificate you are importing.
  • Select the alias from the drop-down. Select the same alias used while generating the CSR.
  • Provide the password for your keystore.
  • For Certificate Source, you can either paste the certificate content directly or select the file received from the CA.

WebLogic Keystore Configuration Using Administration Console

  • Log in to the WebLogic Administration Console using its URL and the WebLogic admin credentials.
  • Navigate to Environment -> Servers -> ServerName -> Configuration -> Keystores. By default the DemoTrust and DemoIdentity stores will be used.
  • Click on the Change button. Select "Custom Identity and Custom Trust" and click Save.
  • Provide the details of the custom keystore:
For Oracle Keystore Service (KSS), i.e. the keystore created using EM Console:
  • Custom Identity Key Store: kss://system/MyTestKeyStore
  • Custom Identity Key Store Type: kss
  • Custom Identity Key Store Passphrase: keystore password
  • Confirm Custom Identity Key Store Passphrase: confirm keystore password
For Java KeyStore (JKS), i.e. the keystore created using Java keytool:
  • Custom Identity Key Store: /<path>/mytestkeystore.jks
  • Custom Identity Key Store Type: jks
  • Custom Identity Key Store Passphrase: keystore password
  • Confirm Custom Identity Key Store Passphrase: confirm keystore password
  • Custom Trust Key Store: <path>/mytestkeystore_trusted.jks
  • Custom Trust Key Store Type: jks
  • Custom Trust Key Store Passphrase: keystore password
  • Confirm Custom Trust Key Store Passphrase: confirm keystore password

  • If you are using the same keystore for trust and identity, provide the same details in both the Trust and Identity sections. If you are using different keystores (the preferred method in production environments), provide the respective keystore details.
  • Save and activate the changes. Restart the Managed/Admin server wherever keystore changes have been made.
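A pre-flight check to run before entering the keystore paths in the Administration Console, as an added example that is not part of the original post. It reads the output of keytool -list -v for both stores and confirms two things the console will not tell you until the server fails to start or presents the wrong certificate: the identity alias holds a PrivateKeyEntry whose chain is longer than the single self-signed certificate left by -genkeypair (i.e. the CA reply was imported under the right alias), and the trust store contains trusted certificates only. The copied-JKS shortcut from the keytool section fails the second check, because the copy carries the private key; a trust store imported from the CA certificates alone passes. Keystore names, the alias and the KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-flight check of the identity and
# trust keystores before they are entered in the Administration Console. It parses the
# output of "keytool -list -v" (one "Alias name:" record per entry). Keystore names, the
# alias and the KEYSTORE_PASS variable are assumptions.

# entry_type LISTING ALIAS: PrivateKeyEntry, trustedCertEntry, or empty if absent.
# keytool stores aliases in lower case, so pass the alias in lower case.
entry_type() {
    awk -v a="$2" '$0 == "Alias name: " a { f = 1; next }
                   f && /^Entry type: /   { print $3; exit }' "$1"
}

# chain_length LISTING ALIAS: the "Certificate chain length" of a private key entry;
# empty for trusted certificates, which have no chain line.
chain_length() {
    awk -v a="$2" '$0 == "Alias name: " a            { f = 1; next }
                   f && /^Alias name: /               { exit }
                   f && /^Certificate chain length: / { print $4; exit }' "$1"
}

private_key_count()  { grep -c '^Entry type: PrivateKeyEntry' "$1" || true; }
trusted_cert_count() { grep -c '^Entry type: trustedCertEntry' "$1" || true; }

# check_identity LISTING ALIAS
# The alias must hold the private key, and the chain must be longer than 1: a length of
# 1 means only the self-signed certificate from -genkeypair is present, so the CA reply
# was never imported, or was imported under a different alias.
check_identity() {
    t=$(entry_type "$1" "$2")
    n=$(chain_length "$1" "$2")
    [ "$t" = PrivateKeyEntry ] || { echo "identity: alias $2 is '${t:-missing}', not PrivateKeyEntry" >&2; return 1; }
    [ "${n:-0}" -ge 2 ] || { echo "identity: chain length ${n:-0}; signed certificate chain not imported" >&2; return 1; }
}

# check_trust LISTING
# A trust store only needs CA certificates; a PrivateKeyEntry in it means the identity
# keystore was copied wholesale and the server key now lives in two files.
check_trust() {
    [ "$(private_key_count "$1")" -eq 0 ] || { echo "trust: store contains a private key" >&2; return 1; }
    [ "$(trusted_cert_count "$1")" -ge 1 ] || { echo "trust: no trustedCertEntry found" >&2; return 1; }
}

# preflight IDENTITY_JKS ALIAS TRUST_JKS
# Lists both stores with the password taken from the exported KEYSTORE_PASS variable
# (keytool's -storepass:env form) and applies the two checks above.
preflight() {
    [ -n "$KEYSTORE_PASS" ] || { echo "export KEYSTORE_PASS first" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    keytool -list -v -keystore "$1" -storepass:env KEYSTORE_PASS > "$tmp/identity.txt" &&
    keytool -list -v -keystore "$3" -storepass:env KEYSTORE_PASS > "$tmp/trust.txt" &&
    check_identity "$tmp/identity.txt" "$2" &&
    check_trust "$tmp/trust.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (assumed names):
#   KEYSTORE_PASS='...'; export KEYSTORE_PASS
#   preflight mytestkeystore.jks mytestalias mytestkeystore_trusted.jks && echo "keystores OK"
```

Run it on the server that will host the keystores, with the same files and paths that go into the console fields above; a non-zero exit with the printed reason tells you which store to fix before restarting the managed server.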


That's all!! Hope it was helpful. If you have any queries, please post them in the comments section.