ING Orange
RGB= 255, 98, 0
ING Light Grey
RGB= 168, 168, 168
ING Indigo
RGB= 82, 81, 153
ING Sky
RGB= 96, 166, 218
Colour Guidelines
ING Fuchsia
RGB= 171, 0, 102
ING Lime
RGB= 208, 217, 60
ING Leaf
RGB= 52, 150, 81
ING Mid Grey
RGB= 118, 118, 118
Text Colour
RGB= 51, 51, 51
No content below the grey line
Max. width
Max. height
SSL Everywhere!
OGh – Fusion Middleware Experience 2016
Zeist • February 2016
Jacco & Simon
Jacco H. Landlust:
• Sr. Managing Consultant at ING Group Services
• Oracle ACE (Database Management & Performance)
Simon Haslam:
• Founder of Veriton, and now Technical Director at eProseed UK
• Oracle ACE Director (Middleware & SOA)
• UKOUG App Server & Middleware SIG Chair
Why encrypt traffic?
To prevent eavesdropping – e.g.
• capturing your user ID & password for later reuse
• stealing your (post-authentication) session credentials to allow session hijacking: the attacker gets the same access to the application, and the same control, as you have
To prevent tampering with data in transit – e.g.
• changing the recipient bank account or the amount in a bank transfer
• altering the page to trick you into entering more information
Agenda • Concepts you need • Fusion Middleware & SSL • Tools
Essential Concepts
• key-pair (asymmetric)
  • one key to encrypt, a different key to decrypt (and likewise one key to sign, the other to verify the signature)
  • you keep one as your private key and publish the other as your public key
• certificate
  • binds a public key to a name: it is unique to you
  • contains the public key, never the private key
  • signed by a certificate authority, so the binding between name and key can be checked
• certificate authority (CA)
  • signs certificates
  • is trusted independently of the certificate being checked: its own certificate already sits in the verifier's trust store
Old school Identity Management
https://commons.wikimedia.org/wiki/File:Ashdod-port-border-control-stamp-2010.jpg
How does this work?
• Border guard doesn’t know who I am – I present passport
• Passport is signed by UK Identity & Passport Service (IPS)
• UK IPS is an agency of British Govt.
• Border guard trusts British Govt.
Identity
[Diagram: "me" and the "person I want to communicate with"; their certificate is "signed by" a certificate authority]
1. person sends me their cert
2. I look at who it is signed by
3. If I trust the party it is signed by, I accept their identity
Passport vs Certificate attributes
• Who it represents {issued to name}
• Who has issued it {issued by name}
• Start/end date {issued on, expires on}
• Signature/biometric details {public key}
• Picture, place of birth, etc {organisation details}
Trust
[Diagram: the certificate of the person I want to communicate with is signed by certificate authority A, whose own certificate is in turn signed by certificate authority B]
1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the party it is signed by, I look at who their certificate is signed by, and so on up the chain until I reach a CA I trust (or run out of certificates, in which case the handshake fails)
What's in the Certificate
• The public key
• Registered name/details of the owner (the subject; for a server the hostname, in the CN and, in current practice, in the Subject Alternative Name)
• Validity period (not before / not after)
• Identity of the issuing CA
• Location of the CA's Certificate Revocation List (and/or OCSP responder)
• The CA's signature: a hash of all of the above, signed with the CA's private key
How do I know the certificate is valid?
• Client computes its own hash of the certificate contents (name, public key, validity, extensions)
• Client uses the CA's public key, taken from its own trust store, to verify the CA's signature over that hash
• If the signature checks out, the client knows the CA really vouched for this public key belonging to this name
• Client then checks the validity dates, that the name matches the host it connected to, and (optionally) the CRL/OCSP status
So by now we have the server's public key, which we can use to set up the session keys that secure the traffic
SSL 1.0 <1995 (never released)
SSL 2.0 1995
SSL 3.0 1996 – broken by the POODLE bug (2014): disable it
TLS 1.0 1999
TLS 1.1 2006
TLS 1.2 2008
TLS 1.3 2014 draft (at the time of this talk; it was published as RFC 8446 in 2018)
TLS & SSL = same thing!
• Secure Sockets Layer is the very old name, but it is still widely used
• Transport Layer Security is the correct term
Encryption
Cipher Suite
• Symmetric vs asymmetric cryptography: the asymmetric (certificate) keys are used in the handshake, symmetric session keys protect the bulk traffic
• Negotiation protocol: client and server agree on the strongest suite both support
• Message digest (integrity check on every record)
• Mostly don't need to worry about the details
• Need to choose the certificate key length: 2048 bits is the minimum for RSA today (1024 bits is no longer considered safe)
• Longer keys need more processing
• Length affects resistance to attack (brute-force or otherwise)
• Often mandated by your security or network team
Agenda • Concepts you need • Fusion Middleware & SSL • tools
What kind of traffic should we consider encrypting?
Consider everything!
Application Traffic
• External to perimeter and DMZ
• DMZ web servers to WebLogic servers
• WebLogic servers to databases
Administration Traffic
• Admin operations (human or machine)
Intra-component traffic
• WebLogic servers to other infrastructure, e.g. LDAP or SMTP
• Monitoring traffic (JMX but also OEM Agents)
• Cluster communications between peers (WebLogic and/or Coherence)
Image is taken from Oracle® Fusion Middleware: Administering Oracle Fusion Middleware
Common tools to manage certificates
• keytool
• openssl
• orapki / Oracle Wallet Manager
• Oracle Enterprise Manager Fusion Middleware Control
Overall process for creating a certificate
1. Create key pair (a self-signed certificate is generated at the same time; on its own it is not much use unless every recipient is going to add you to their trust keystore!)
2. Create Certificate Signing Request (CSR)
3. Give CSR to CA to sign
4. Receive signed Certificate back from CA
5. Insert the Certificate (together with the CA chain) into the (identity) keystore, under the same alias as the key pair
Secure website (+ sometimes email)
Many sites offer free class 1 certificates. These certificates are intended for web sites which require protection of privacy and prevention of eavesdropping. However, the information presented within these certificates, except the domain name and email address, is not verified.
Key Stores
For Fusion Middleware we're interested in:
• Java Keystores (JKS)
• Oracle Wallet (PKCS12 format)
• Oracle Key Store Services (KSS)
Each of these:
• contains one or more certificates
• each entry has a subject DN (CN) and usually an alias
• can contain both trusted certificates (public keys) and private-key entries, so keep identity and trust keystores separate and protect the identity keystore accordingly
Type of keystore per component
Component | Type of Keystore | Tasks | Tool
Oracle WebLogic Server | JKS-based Keystore or Oracle Key Store Service | All keystore operations | JDK keytool
Oracle WebLogic Server | JKS-based Keystore or Oracle Key Store Service | Enable SSL | Oracle WebLogic Server Administration Console
All Java EE applications | JKS-based Keystore or Oracle Key Store Service | All keystore operations | JDK keytool
Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory | Oracle Wallet | Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST; Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Module (HSM)-based wallets
Oracle Virtual Directory, Oracle Unified Directory | JKS-based Keystore | Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST
Oracle SOA Suite | JKS-based Keystore or Oracle Key Store Service | All keystore operations | JDK keytool
Oracle WebCenter | JKS-based Keystore or Oracle Key Store Service | All keystore operations | JDK keytool
Best Practice for Application Developers
Externalize SSL configuration parameters like keystore path, truststore path, and authentication type in a configuration file, rather than embedding these values in the application code. This gives you the flexibility to change the SSL configuration without having to change the application itself. Even better, use the OPSS Keystore Service (KSS), so the application never handles keystore files or keystore passwords at all.
How WebLogic states its Identity
• Identity comes from a Java Keystore, the "identity keystore"
• it must contain a private key entry with its certificate (chain) under the alias configured on the server
• Each WebLogic server instance (Admin Server and Managed Servers) has to have an identity keystore to do SSL
How WebLogic Establishes Trust
• Trust comes from another JKS, the "trust keystore", or from Oracle Key Store Service
• Choice of a standalone JKS or the JDK's own trust store (cacerts, stored with the JRE; using this Java Standard Trust is deprecated as of 12.2)
• Lack of trust (the peer's CA is not in the trust keystore) is one of the most common reasons for SSL handshake failures
WebLogic Identity/Trust Combinations
• Demo Identity and Demo Trust (default - not for production)
• CN=hostname, signed by the demo "BEA CA"; its private key ships with every WebLogic installation, so anyone can sign with it
• Custom Identity and Java Standard Trust
• determine trust from the JDK's cacerts (java/…)
• Custom Identity and Custom Trust
• our own identity and trust keystores (the recommended choice)
• Custom Identity and Command Line Trust
• our own identity but the trust keystore is specified in start-up parameters (-Dweblogic.security.SSL.trustedCAKeyStore)
Certificates Required
Server sends out its cert when someone tries to connect over SSL (i.e. one-way SSL), but it can optionally request a cert from the client (two-way SSL) - console options:
• Client Certs Not Requested (one-way SSL)
• Client Certs Requested but Not Enforced (clients without a certificate are still allowed to connect)
• Client Certs Requested and Enforced (the handshake fails unless the client presents a certificate chained to the trust keystore)
Hostname Verification
• None
• BEA Hostname Verifier (default): the CN of the peer's certificate must match the hostname WebLogic is connecting to
• DemoCertFor_<your-domain> is accepted if DemoTrust is selected as truststore
• Custom Hostname Verifier, e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier
• The wildcard verifier is built in as of 12c
• What does "None" mean?
• The certificate is still received and its chain checked, but nobody checks that it was issued for the host WebLogic is trying to connect to. It could be any old certificate: anyone holding a certificate from a CA in the trust store can impersonate that host.
Set ignoreHostnameVerification = true?
• ignoreHostnameVerification makes WebLogic skip the check that the name in the peer's certificate matches the host it is connecting to
• We strongly recommend enabling hostname verification in all test and production environments
• Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle recommends leaving host name verification on in production environments"
• All MOS notes and blog posts suggesting to set ignoreHostnameVerification to true should be considered documentation bugs and false hints.
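The checks described on the Trust, "How do I know the certificate is valid?" and Hostname Verification slides, carried out with openssl against a throw-away PKI. This is an added example, not code from the talk: the CA names, the hostname app.example.com and the scratch directory are invented for the demonstration. It goes a little beyond the slides in that one `openssl verify` call reproduces both the "lack of trust" handshake failure (client holds the root but the intermediate is missing) and what hostname verification "None" would let through (a perfectly trusted certificate issued for a different name), plus the expiry check you would script before a keystore entry runs out.

```shell
#!/bin/sh
# Added example (not from the slides): a throw-away three-tier PKI built with
# openssl, then the checks a TLS client makes on the server certificate:
# chain to a trusted root, hostname match, validity period.
# Every name here (Example Root CA, Example Issuing CA, app.example.com) is
# invented for the demonstration.
set -eu

# Build root CA -> issuing CA -> server certificate in a scratch directory
# and print that directory's path.
build_demo_pki() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    for n in root issuing server; do   # 2048-bit RSA: 1024 is no longer acceptable
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
    done
    # Extensions a verifier requires on a CA certificate
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Self-signed root: the trust anchor the client must already hold
    openssl req -new -key root.key -subj "/CN=Example Root CA/O=Example/C=GB" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem
    # Issuing (intermediate) CA, signed by the root
    openssl req -new -key issuing.key -subj "/CN=Example Issuing CA/O=Example/C=GB" -out issuing.csr
    openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca.ext -out issuing.pem
    # Server certificate, signed by the issuing CA; the hostname lives in the SAN
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > server.ext
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:app.example.com\n' >> server.ext
    openssl req -new -key server.key -subj "/CN=app.example.com/O=Example/C=GB" -out server.csr
    openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
      -days 365 -extfile server.ext -out server.pem
  ) >/dev/null
  echo "$dir"
}

# Verify server.pem the way a client would. $2 is "root-only" (the client holds
# only the root) or "with-intermediate" (issuing CA supplied, as a server should
# do in its chain); optional $3 is the hostname the client dialled.
# Prints "trusted" or "untrusted".
check_server_cert() {
  dir=$1
  mode=$2
  host=${3:-}
  set -- -CAfile "$dir/root.pem"
  if [ "$mode" = "with-intermediate" ]; then
    set -- "$@" -untrusted "$dir/issuing.pem"
  fi
  if [ -n "$host" ]; then
    set -- "$@" -verify_hostname "$host"
  fi
  if openssl verify "$@" "$dir/server.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# "expiring" if the certificate in $1 reaches notAfter within $2 days, else "ok".
expires_within_days() {
  if openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo expiring
  fi
}

DIR=$(build_demo_pki)
echo "root only, intermediate missing:       $(check_server_cert "$DIR" root-only)"
echo "full chain:                            $(check_server_cert "$DIR" with-intermediate)"
echo "full chain, dialled app.example.com:   $(check_server_cert "$DIR" with-intermediate app.example.com)"
echo "full chain, dialled other.example.com: $(check_server_cert "$DIR" with-intermediate other.example.com)"
echo "expires within 30 days:                $(expires_within_days "$DIR/server.pem" 30)"
echo "expires within 400 days:               $(expires_within_days "$DIR/server.pem" 400)"
```

The "root only" case is exactly the WebLogic "lack of trust" handshake failure: the trust keystore holds the root, but the server never sent its intermediate, so the chain cannot be completed. The other.example.com case is a trusted certificate for the wrong name, which is precisely what hostname verification exists to reject and what ignoreHostnameVerification=true would silently accept.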
Enabling SSL for Oracle HTTP Server Virtual Hosts for inbound requests
Enabling SSL for Oracle HTTP Server Virtual Hosts for outbound requests, one way SSL
• Create a custom keystore (wallet)
• Import the trusted CA certificate used by Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate
• Warning: in OHS 11g password-protected wallets cannot be used for this; the wallet must be an auto-login wallet
• Add
WlSSLWallet "${DOMAIN_HOME}/config/fmwconfig/components/COMPONENT_TYPE/COMPONENT_NAME/keystores/default"
to
DOMAIN_HOME/config/fmwconfig/components/OHS/instance_name/ssl.conf
Enabling SSL for Oracle HTTP Server Virtual Hosts for outbound requests, two way SSL
• Export the user certificate from the Oracle HTTP Server wallet (or, better, the CA certificate that issued it), and import it into the WebLogic trust keystore
• From the Oracle WebLogic Server Administration Console, select the Keystores tab for the server being configured.
• Set the custom trust store with the JKS file location of the trust store
• Under the SSL tab, ensure that Trusted Certificate Authorities is set as from Custom Trust Keystore.
• Set the keystore type as JKS, and set the passphrase used to create the keystore.
• Ensure that Oracle WebLogic Server is configured for two-way SSL (Client Certs Requested and Enforced)
Configuring the OPSS Keystore Service for Custom Identity and Trust
• In Fusion Middleware Control, from the WebLogic Domain menu, select Security then Keystore
• Create a keystore in the system stripe.
• Select the keystore you just created and click Manage
• Click Generate Keypair to generate a private/public key pair
• You have the option to use this KSS Demo CA-signed key pair as-is (development only, for the same reason as Demo Identity), or to obtain a signed certificate from a reputable CA
• Oracle recommends you use the preconfigured OPSS Keystore Service trust store
• Configure the WebLogic Server instance to use KSS for Custom Identity and Trust
• Configure SSL for the WebLogic Server instance
SSL-Enabling a Data Source
• Add the root certificate (which is created when SSL-enabling the database) as a trusted certificate to the truststore.
• In the Oracle WebLogic Server Administration Console, navigate to the Connection Pool tab of the data source that you are using. The properties you need to specify in the JDBC Properties text box depend on the type of authentication you wish to configure; the keyStore properties are only needed when the database requires a client certificate (two-way SSL):
javax.net.ssl.keyStore=...
javax.net.ssl.keyStoreType=JKS
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.trustStorePassword=...
• In the URL text box, enter the JDBC connect string. Ensure that the protocol is TCPS and that SSL_SERVER_CERT_DN contains the full DN of the database certificate. This is the JDBC driver's equivalent of hostname verification; for the Thin driver the DN is only checked when the property oracle.net.ssl_server_dn_match=true is also set.
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=host-name)(PORT=port-number)))(CONNECT_DATA=(SERVICE_NAME=service))(SECURITY=(SSL_SERVER_CERT_DN="CN=server_test")))
Agenda • Concepts you need • Fusion Middleware & SSL • Tools
Keystore Naming Conventions
• Do not use a name longer than 256 characters
• Do not use any of the following characters in a keystore name:
| ; , ! @ # $ ( ) < > / \ " ' ` ~ { } [ ] = + & ^ space tab
• Do not use non-ASCII characters in a keystore name
• Additionally, follow the operating system-specific rules for directory and file
names
Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any directory on the file system
is not supported.
Any existing pre-11g keystore or wallet that you wish to use must be imported using
either Fusion Middleware Control or the WLST utility.
http://docs.oracle.com/cd/E21764_01/core.1111/e10105/wallets.htm
Generate self signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 \
  -keypass ${KEY_PASSWORD}
What is your first and last name?
  [Unknown]: somehost.localdomain
What is the name of your organizational unit?
  [Unknown]: Example Department
What is the name of your organization?
  [Unknown]: Example Company
What is the name of your City or Locality?
  [Unknown]: Manchester
What is the name of your State or Province?
  [Unknown]: West Midlands
What is the two-letter country code for this unit?
  [Unknown]: GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB correct?
  [no]: yes
Enter key password for <selfsigned>
  (RETURN if same as keystore password):
Generate self signed certificate 2 (non-interactive)
keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB" \
  -ext "SAN=dns:`hostname`" -sigalg SHA256withRSA \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD}
The CN (and the Subject Alternative Name added here with -ext) must be the hostname that clients use to connect to you, e.g. a CNAME or a VIP, which is not necessarily what `hostname` returns on the box. Browsers now ignore the CN and require the name in the SAN, so always include it.
Create key pair
keytool -genkey -alias `hostname` -keyalg RSA -keystore ${JKS} -keysize 2048
Create certificate signing request
keytool -certreq -alias `hostname` -keystore ${JKS} -file ${REQUEST_FILE}
Import a signed certificate from CA
keytool -import -trustcacerts -alias `hostname` -file ${SIGNED_CERT} -keystore ${JKS}
The alias must be the one used for the key pair, so that the CA's reply replaces the self-signed certificate. The issuing CA (and any intermediate) must already be trusted, either in the JDK cacerts (which -trustcacerts consults) or imported into ${JKS} as trusted certificates first; otherwise keytool rejects the reply with "Failed to establish chain from reply".
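The five steps of "Overall process for creating a certificate" and the three keytool commands on the preceding slides (create key pair, create CSR, import the signed reply) as one runnable script. This is an added example, not code from the talk. It uses keytool itself as a stand-in CA (keytool -gencert) so that the flow runs offline; the hostname app.example.com, the DN, the passwords and the file names are assumptions. In production, step 3 goes to your corporate or public CA and you import that CA's chain instead of the demo CA.

```shell
#!/bin/sh
# Added example (not from the slides): the slide's five-step process as one
# script, keytool only. A throw-away CA in ca.jks plays the CA's part so the
# flow runs offline. Host, DN, passwords and paths are invented for the demo.
set -eu

SRV_HOST=${SRV_HOST:-app.example.com}   # the name clients dial: CNAME or VIP, not the box name
STOREPASS=${STOREPASS:-changeit-demo}   # demo only: keep real passwords out of scripts

# Build ca.jks (throw-away CA), identity.jks and trust.jks in directory $1.
build_keystores() {
  dir=$1
  # Throw-away CA key pair; basicConstraints and keyUsage mark it as a CA
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
    -dname "CN=Demo Root CA,O=Example,C=GB" -validity 3650 \
    -ext bc:c -ext ku:c=keyCertSign,cRLSign \
    -keystore "$dir/ca.jks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -alias demo-ca -rfc -file "$dir/ca.pem" \
    -keystore "$dir/ca.jks" -storepass "$STOREPASS"

  # Step 1: server key pair (with an interim self-signed cert) in the identity keystore
  keytool -genkeypair -alias "$SRV_HOST" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$SRV_HOST,OU=Example Department,O=Example Company,L=Manchester,C=GB" \
    -validity 397 \
    -keystore "$dir/identity.jks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Step 2: certificate signing request
  keytool -certreq -alias "$SRV_HOST" -file "$dir/$SRV_HOST.csr" \
    -keystore "$dir/identity.jks" -storepass "$STOREPASS"
  # Steps 3 and 4: the CA signs the CSR; the hostname goes into a SAN, which is what clients check
  keytool -gencert -alias demo-ca -infile "$dir/$SRV_HOST.csr" -outfile "$dir/$SRV_HOST.pem" -rfc \
    -ext "SAN=dns:$SRV_HOST" -ext eku=serverAuth -ext ku:c=digitalSignature,keyEncipherment \
    -validity 397 -keystore "$dir/ca.jks" -storepass "$STOREPASS"
  # Step 5: the CA certificate must be trusted before keytool accepts the reply...
  keytool -importcert -noprompt -alias demo-ca -file "$dir/ca.pem" \
    -keystore "$dir/identity.jks" -storepass "$STOREPASS"
  # ...then the reply, imported under the key alias, replaces the self-signed certificate
  keytool -importcert -noprompt -alias "$SRV_HOST" -file "$dir/$SRV_HOST.pem" \
    -keystore "$dir/identity.jks" -storepass "$STOREPASS"
  # Separate trust keystore for WebLogic "Custom Trust": CA certificate only, no private keys
  keytool -importcert -noprompt -alias demo-ca -file "$dir/ca.pem" \
    -keystore "$dir/trust.jks" -storetype JKS -storepass "$STOREPASS"
}

# Chain length keytool reports for the server entry in $1/identity.jks:
# 2 means the signed reply (server + CA) replaced the self-signed cert, 1 means step 5 failed.
identity_chain_length() {
  keytool -list -v -alias "$SRV_HOST" -keystore "$1/identity.jks" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: //p'
}

# "yes" if $1/trust.jks carries a private key (it must not), otherwise "no".
trust_has_private_key() {
  if keytool -list -keystore "$1/trust.jks" -storepass "$STOREPASS" | grep -q PrivateKeyEntry; then
    echo yes
  else
    echo no
  fi
}

if command -v keytool >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  build_keystores "$WORK"
  echo "server entry chain length: $(identity_chain_length "$WORK")"
  echo "trust keystore holds a private key: $(trust_has_private_key "$WORK")"
  keytool -list -v -alias "$SRV_HOST" -keystore "$WORK/identity.jks" -storepass "$STOREPASS" \
    | grep -E 'Owner:|Issuer:|DNSName|Valid from' || true
else
  echo "keytool not found: install a JDK to run this example" >&2
fi
```

Point WebLogic's Custom Identity at identity.jks (alias $SRV_HOST) and Custom Trust at trust.jks; the chain length of 2 is the quickest check that the reply was really installed rather than the self-signed placeholder still being served. Newer JDKs print a warning that JKS is a proprietary format; that is expected here because the page's tooling is JKS-based.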
List contents of keystore
keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands,
C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands,
C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
MD5: DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3
keytool commands for checking
• Check a stand-alone certificate
keytool -printcert -v -file ${CERTIFICATE}
• Check which certificates are in a Java keystore
keytool -list -v -keystore ${JKS}
• Check a particular keystore entry using an alias
keytool -list -v -keystore ${JKS} -alias ${ALIAS}
Other useful keystore commands
• Delete a certificate from a Java Keytool keystore
keytool -delete -alias ${ALIAS} -keystore ${JKS}
• Change a Java keystore password
keytool -storepasswd -new ${NEW_PASSWORD} -keystore ${JKS}
• Export a certificate from a keystore
keytool -export -alias ${ALIAS} -file ${CERTIFICATE} -keystore ${JKS}
Copy key to other keystore
SRC_ALIAS=cn=`hostname`
keytool -importkeystore -srckeystore ${JKS} -srcstorepass ${JKS_PASSWORD} \
  -destkeystore ${IDENTITY_KS} -deststorepass ${ID_KS_PASSWORD} \
  -srcalias ${SRC_ALIAS} -destalias `hostname` -destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF
Convert wallet to keystore
orapki wallet pkcs12_to_jks -wallet ${WALLET}
-pwd ${WALLET_PASSWORD}
-jksKeyStoreLoc ${JKS}
-jksKeyStorepwd ${JKS_PASSWORD}
-jksTrustStoreLoc ${TRUSTSTORE}
-jksTrustStorepwd ${TRUST_PWD}
Convert keystore to wallet
orapki wallet create -wallet ${WALLET}
-pwd ${WALLET_PASSWORD}
-auto_login
orapki wallet jks_to_pkcs12 -wallet ${WALLET}
-pwd ${WALLET_PASSWORD}
-keystore ${JKS}
-jkspwd ${JKS_PASSWORD}
About Importing DER-encoded Certificates
You cannot use Fusion Middleware Control or the WLST command-line tool to
import DER-encoded certificates or trusted certificates into an Oracle wallet or a
JKS keystore. Use these tools instead:
To import DER-encoded certificates or trusted certificates into an Oracle wallet, use
Oracle Wallet Manager or orapki command-line tool
To import DER-encoded certificates or trusted certificates into a JKS keystore, use
the keytool utility
Questions?
We tweet: • @simon_haslam • @oraclemva
We blog: • http://simonhaslam.co.uk • http://oraclemva.wordpress.com
We snailmail: • But we are not sharing our home addresses
We email: • simon dot haslam at eproseed dot com • jacco dot landlust at ing.nl