
WebLogic

How to Configure SSL between Oracle iPlanet Web Server with WL Plugin 1.1 to WebLogic Server?

When configuring Oracle iPlanet Web Server 7 with WL Plugin 1.1 in SSL mode to WebLogic Server, we are experiencing the following error:

<Jan 14, 2013 2:34:33 PM CST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer proxy.example.com - 10.10.10.10 instead of an SSL handshake.>

and in the iPlanet Web Server errors log:

[14/Jan/2013:13:23:33] failure (18104): for host 172.27.180.40 trying to GET /wls/index.jsp at backend host '1xx.xxx.xxx.xx/443; got exception 'READ_ERROR_FROM_SERVER [os error=0, line 713 of ../common/URL.cpp]: Unexpected EOF reading HTTP status - failover request based on Idempotent flag'

SOLUTION

The issue is a misconfiguration of the WL Plugin 1.1 in obj.conf: the plug-in is pointed at the WebLogic SSL port but has not been told to speak SSL itself, so it opens a plaintext HTTP connection. WebLogic rejects that connection (the BEA-090475 warning above, "plaintext data ... instead of an SSL handshake") and closes it, which the plug-in then reports as READ_ERROR_FROM_SERVER. The steps to enable SSL between the WL Plugin 1.1 and WebLogic Server are as follows.


NOTE: make sure that all configuration changes to iPlanet have been fully deployed before making new configuration changes.

1. Create an Oracle Wallet with orapki utility that comes bundled with the WL Plugin 1.1 for iPlanet. Note your plugin home is where you unzipped the plugin bits WLSPlugin11g-64bit-iPlanet7.0-solaris-sparc.zip. Run this command on the system where the plug-in is being configured.
  

> ${PLUGIN_HOME}/bin/orapki wallet create -wallet my-wallet -auto_login_only

 The above command creates a directory named my-wallet in the current working directory. Change directory to my-wallet and list the files; you will see the cwallet.sso file (an auto-login wallet, which is opened without a password).


2. If the user that runs the iPlanet plug-in is not the user that created the wallet (and does not have root access), the wallet creator must grant that user read access to the wallet with chmod after creating it.

  For example:
  > chmod a+r my-wallet/cwallet.sso

  Because cwallet.sso is an auto-login wallet, anyone who can read the file can open it. Here it holds only trusted CA certificates, so the exposure is small, but restricting read access to the web server's own user or group is preferable to a+r where your setup allows it.

3. Import the CA certificate you wish to trust into the Oracle Wallet. The example command below uses the Demo CA shipped with the WLS installation at ${WL_HOME}/server/lib/CertGenCA.der. In your case, import the CA certificate that issued the server certificate securing your WLS SSL listen port. Note that DER is the binary format of the certificate. The Demo CA is for development only: its private key ships with every WebLogic installation, so trusting it in production lets anyone with a WebLogic install mint server certificates your plug-in will accept.

> ${PLUGIN_HOME}/bin/orapki wallet add -wallet my-wallet -trusted_cert -cert CertGenCA.der -auto_login_only

4. Enable SSL on the WL plug-in by editing the vs-obj.conf/obj.conf file: set SecureProxy="ON" on the wl-proxy Service directive so the plug-in itself speaks SSL to WebLogic, and add the WLSSLWallet parameter pointing to the directory of the Oracle Wallet created above. WLProxySSL="ON", also present in the example, is a separate setting: it tells WebLogic that the client-facing request arrived over HTTPS (so redirects are issued with https://) and does not by itself encrypt the plug-in-to-WebLogic connection.

For example:

<Object name="wls" ppath="*/wls/*">
Service fn="wl-proxy" WebLogicCluster="wls1.example.com:443,wls2.example.com:443" WLProxySSL="ON" KeepAliveEnabled="true" KeepAliveSecs="60" ConnectTimeoutSecs="6" ConnectRetrySecs="2" SecureProxy="ON" CookieName="PORTRAITUISESSIONID" WLSSLWallet="/path/to/my-wallet"
</Object>

5. After making hand edits to the iPlanet configuration, go into the iPlanet admin-server console, pull the changes and deploy them, then restart your iPlanet server. The procedure is described in:

Document 1311162.1 - How To Deploy Manual, CLI and GUI Configuration Changes in Oracle iPlanet Web Server 7.0.x.

6. Now test to see if you can successfully connect to your WLS through iPlanet WL Plugin 1.1 using SSL.
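The six steps above come down to one obj.conf directive being consistent with the backend it points at, and that consistency can be checked before the deploy in step 5. The following Python is an added example, not code from the page or from Oracle: it parses the name="value" parameters of a wl-proxy Service directive and reports the two misconfigurations behind the symptoms at the top of the page (a backend SSL port without SecureProxy="ON", and SecureProxy="ON" without a WLSSLWallet). The directives in the block are constructed for the demo, and the set of ports treated as SSL listen ports (443 and WebLogic's default 7002) is an assumption to adjust for your own servers.

```python
"""Lint the wl-proxy Service directive of an iPlanet obj.conf for the
plugin-to-WebLogic SSL misconfiguration discussed above.

Added example, not code from the original page or from Oracle. It reads the
name="value" parameters of a `Service fn="wl-proxy" ...` directive and reports
the mistakes behind the BEA-090475 / READ_ERROR_FROM_SERVER symptoms.
Sample directives are constructed; the SSL port set is an assumption.
"""
import re
from typing import Dict, List

PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed convention: the https port used in the article plus WebLogic's
# default SSL listen port. Adjust to the SSL listen ports of your servers.
DEFAULT_SSL_PORTS = frozenset({443, 7002})

# Constructed directives: the corrected form from step 4, and a broken form
# that points at port 443 without any SSL parameters.
FIXED = ('Service fn="wl-proxy" WebLogicCluster="wls1.example.com:443,wls2.example.com:443" '
         'WLProxySSL="ON" KeepAliveEnabled="true" KeepAliveSecs="60" ConnectTimeoutSecs="6" '
         'ConnectRetrySecs="2" SecureProxy="ON" CookieName="PORTRAITUISESSIONID" '
         'WLSSLWallet="/path/to/my-wallet"')
BROKEN = ('Service fn="wl-proxy" WebLogicCluster="wls1.example.com:443,wls2.example.com:443" '
          'KeepAliveEnabled="true"')


def parse_service(line: str) -> Dict[str, str]:
    """Return the name="value" parameters of a Service directive as a dict."""
    return dict(PARAM_RE.findall(line))


def backend_ports(params: Dict[str, str]) -> List[int]:
    """Ports the plugin connects to, from WebLogicCluster or WebLogicHost/WebLogicPort."""
    if "WebLogicCluster" in params:
        ports = []
        for member in params["WebLogicCluster"].split(","):
            member = member.strip()
            if not member:
                continue
            _host, sep, port = member.rpartition(":")
            ports.append(int(port) if sep else 80)  # plugin default port is 80
        return ports
    if "WebLogicHost" in params:
        return [int(params.get("WebLogicPort", "80"))]
    return []


def lint_wl_proxy(line: str, ssl_ports=DEFAULT_SSL_PORTS) -> List[str]:
    """Return human-readable findings; an empty list means the directive is consistent."""
    params = parse_service(line)
    if params.get("fn") != "wl-proxy":
        return ["not a wl-proxy Service directive"]
    findings = []
    # SecureProxy="ON" is the switch that makes the plugin speak SSL to WebLogic.
    # WLProxySSL is a different knob: it tells WebLogic the client-facing request
    # arrived over HTTPS (so redirects use https://) and does not, by itself,
    # encrypt the plugin-to-WebLogic hop.
    ssl_on = params.get("SecureProxy", "").upper() == "ON"
    ports = backend_ports(params)
    if not ports:
        findings.append("no WebLogicCluster or WebLogicHost: the plugin has no backend")
    for port in ports:
        if port in ssl_ports and not ssl_on:
            findings.append(
                f"backend port {port} is an SSL listen port but SecureProxy is not ON: the plugin "
                "sends plaintext HTTP, WebLogic logs BEA-090475 and drops the connection, and the "
                "plugin reports READ_ERROR_FROM_SERVER")
        elif port not in ssl_ports and ssl_on:
            findings.append(
                f"SecureProxy is ON but backend port {port} is not a known SSL listen port: "
                "an SSL handshake against a plaintext listener fails as well")
    if ssl_on and not params.get("WLSSLWallet"):
        findings.append(
            "SecureProxy is ON but WLSSLWallet is not set: plugin 1.1 has no wallet holding the "
            "trusted CA and cannot verify the WebLogic server certificate")
    return findings


if __name__ == "__main__":
    for label, directive in (("fixed", FIXED), ("broken", BROKEN)):
        print(label, "->", lint_wl_proxy(directive) or ["OK"])
```

Run it against the Service line you are about to deploy; an empty result means the directive is at least internally consistent, which is what the log messages above were complaining about. It does not replace the end-to-end test in step 6.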

Configuring SSL Cipher Suites on Weblogic Server

Cipher suites play an integral part in establishing secure communications between a client and server using the SSL/TLS protocol. Cipher suites determine the ciphers to be used, the key exchange algorithms as well as message authentication codes.

The SSL protocol uses a combination of public-key and symmetric key encryption. Symmetric key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques.

DETAILS

Introduction

An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows.

The client presents a list of cipher suites it supports but the server makes the final decision as to which cipher suite will be used. The server is limited to choosing from the presented list of cipher suites.

Cipher Suite Composition

A cipher suite is composed of the following:

  Encryption
    Block cipher: RC2, DES, Triple-DES
    Stream cipher: RC4
  Hash function
    SHA (in suite names "SHA" means SHA-1)
    MD5

Cipher Spec examples:

  NULL_MD5
  NULL_SHA
  RC4_MD5_EXPORT
  RC2_MD5_EXPORT
  DES_MD5_EXPORT
  DES_SHA_EXPORT
  TRIPLE_DES_MD5_EXPORT

Every one of these examples is obsolete: NULL means no encryption, EXPORT marks key lengths cut down to 40 bits for 1990s export rules, RC2, RC4 and single DES are broken or deprecated, and MD5 should no longer be used as a MAC. They illustrate the naming only and should not be enabled on a server.

Encryption + Hash Function ===> Cipher Spec

Cipher Spec + Authentication/Key Exchange ===> Cipher Suite

More precisely, a cipher suite is a combination of the following four attributes:

  Key exchange algorithm: RSA or Diffie-Hellman variants (DH, DHE, ECDH, ECDHE).
  Authentication algorithm: RSA, Diffie-Hellman, DSS or none (anonymous suites).
  Cipher/encryption algorithm: DES, Triple-DES, RC4, RC2, IDEA, AES or none.
  MAC digest (hash) algorithm: MD5 or SHA (SHA-1; TLS 1.2 suites also use SHA256 and SHA384).

For example, TLS_RSA_WITH_AES_256_CBC_SHA uses RSA for both key exchange and authentication, AES with a 256-bit key in CBC mode for encryption, and HMAC-SHA-1 as the MAC.

Definition

We can now define Cipher Suite as: A cipher suite is a named combination of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network protocol.

Cipher Suite Strength

Cipher suites are available in a variety of encryption "strengths". The strongest, for example, provide the Advanced Encryption Standard (AES) with 128- or 256-bit keys. Triple DES (3DES) has a nominal 168-bit key but only about 112 bits of effective security, and its 64-bit block size makes long sessions vulnerable to birthday attacks (Sweet32), so it is now deprecated. At the other end, the weakest suites provide no encryption at all and only weak message authentication.

How to enable 256-bit encryption (the strongest cipher suites) in WebLogic Server

WebLogic Server 12.1 supports the cipher suites of the JDK-default JSSE provider. For backward compatibility, the JSSE-based SSL implementation accepts Certicom cipher suite names for suites that have a SunJSSE equivalent, but Oracle does not encourage further use of the Certicom names.

The set of cipher suites supported by the JDK-default JSSE provider, SunJSSE, is available at http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html.

With JSSE, the cipher suites selected by default are stronger than those of Certicom SSL, at some cost in performance. Also by default, anonymous suites are disabled and the 256-bit AES suites are unavailable, because the JDK ships with a limited-strength cryptography policy (JDK 6 and 7, and JDK 8 before 8u161).

To use the strongest cipher suites (256-bit encryption) such as AES_256 (TLS_RSA_WITH_AES_256_CBC_SHA), install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that match your JDK version; JDK 8u161 and later already ship with the unlimited policy active. Download them from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

Key length is only one dimension of strength: TLS_RSA_WITH_AES_256_CBC_SHA uses static RSA key exchange and therefore offers no forward secrecy. Where your JDK and your clients support them, prefer ECDHE suites such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

To restrict a server to specific cipher suites, configure one or more <ciphersuite> elements inside that server's <ssl> element in DOMAIN_HOME/config/config.xml. Edit config.xml only while the domain is shut down, since a running Administration Server rewrites the file. For example:

<ssl>
  <name>examplesServer</name>
  <enabled>true</enabled>
  <listen-port>7002</listen-port>
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
  ...
</ssl>
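The cipher suite composition described earlier and the <ssl> element above can be checked mechanically. The following Python is an added example, not code from the page or from Oracle: it splits IANA-style suite names into key exchange, authentication, bulk cipher and MAC, flags the weak components discussed on this page (NULL, EXPORT, RC2/RC4/DES, MD5, anonymous key exchange) plus the absence of forward secrecy, and runs that assessment over the <ciphersuite> entries of every <ssl> element in a config.xml. The config.xml fragment embedded in the block is constructed for the demo and adds a second, deliberately weak server; the WebLogic domain namespace is stripped from tags so the same function works on a real config.xml.

```python
"""Break TLS cipher suite names into their four components, rate them, and
check the <ciphersuite> entries of WebLogic <ssl> elements.

Added example, not code from the original page or from Oracle. Parsing
follows the IANA naming scheme TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>.
The config.xml fragment is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed fragment modelled on the page's <ssl> element; "legacyServer"
# is added with deliberately weak suites so the check has something to report.
SAMPLE_CONFIG = """<domain>
  <server>
    <name>examplesServer</name>
    <ssl>
      <name>examplesServer</name>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <ciphersuite> TLS_RSA_WITH_AES_256_CBC_SHA </ciphersuite>
    </ssl>
  </server>
  <server>
    <name>legacyServer</name>
    <ssl>
      <name>legacyServer</name>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <ciphersuite>TLS_RSA_EXPORT_WITH_RC4_40_MD5</ciphersuite>
      <ciphersuite>TLS_DH_anon_WITH_AES_128_CBC_SHA</ciphersuite>
    </ssl>
  </server>
</domain>"""

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<rest>.+)$")
OBSOLETE_CIPHERS = {"NULL", "RC2", "RC4", "DES", "DES40", "3DES", "IDEA"}
FORWARD_SECRET_KX = {"DHE", "ECDHE"}


def parse_suite(name: str) -> Dict[str, object]:
    """Split a suite name into key exchange, authentication, bulk cipher and MAC,
    mirroring the four attributes listed in the composition section."""
    m = SUITE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    kx_tokens = m.group("kx").split("_")
    export = "EXPORT" in kx_tokens
    kx_tokens = [t for t in kx_tokens if t != "EXPORT"]
    kx = kx_tokens[0]
    # "TLS_RSA_WITH_..." means RSA does both key exchange and authentication;
    # "DH_anon" means the server is not authenticated at all.
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx
    if auth == "anon":
        auth = "none"
    rest = m.group("rest").split("_")
    cipher_tokens, mac = rest[:-1], rest[-1]
    bits = next((int(t) for t in cipher_tokens if t.isdigit()), None)
    if bits is None:  # ciphers whose name carries no explicit key length
        bits = {"3DES": 168, "DES": 56, "DES40": 40, "NULL": 0}.get(cipher_tokens[0])
    return {"kx": kx, "auth": auth, "cipher": "_".join(cipher_tokens),
            "mac": mac, "key_bits": bits, "export": export}


def assess_suite(name: str) -> List[str]:
    """Return the reasons a suite should not be enabled; an empty list means acceptable."""
    s = parse_suite(name)
    problems = []
    if s["export"]:
        problems.append("export-grade key length")
    if s["auth"] == "none":
        problems.append("anonymous key exchange: server is not authenticated")
    if str(s["cipher"]).split("_")[0] in OBSOLETE_CIPHERS:
        problems.append(f"obsolete or null bulk cipher {s['cipher']}")
    if s["mac"] == "MD5":
        problems.append("MD5 MAC")
    if s["kx"] not in FORWARD_SECRET_KX:
        problems.append("static key exchange: no forward secrecy")
    return problems


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://xmlns.oracle.com/weblogic/domain}."""
    return tag.rsplit("}", 1)[-1]


def check_config_xml(config_xml: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each <ssl> element's server name to {cipher suite: problems}."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for ssl in ET.fromstring(config_xml).iter():
        if not isinstance(ssl.tag, str) or _local(ssl.tag) != "ssl":
            continue
        server = next((c.text.strip() for c in ssl if _local(c.tag) == "name" and c.text), "?")
        suites = [c.text.strip() for c in ssl if _local(c.tag) == "ciphersuite" and c.text]
        report[server] = {suite: assess_suite(suite) for suite in suites}
    return report


if __name__ == "__main__":
    for server, suites in check_config_xml(SAMPLE_CONFIG).items():
        for suite, problems in suites.items():
            print(f"{server}: {suite}: {', '.join(problems) or 'ok'}")
```

Point check_config_xml at your own DOMAIN_HOME/config/config.xml; the only finding for the page's TLS_RSA_WITH_AES_256_CBC_SHA is the missing forward secrecy, while the constructed legacyServer shows how export, anonymous and MD5 components are reported.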
