Monday, December 22, 2014

Install OHS Certificate


To secure HTTP communication between web browsers and the OHS web server, you will need to install a certificate from a trusted authority on the OHS server.
By default OHS stores the keys in the keystore located at
$INSTANCE/config/OHS/ohs5/keystores/default

By default OHS uses the keystore cwallet.sso found at the location above. It is a good idea to leave the default keystore alone and create your own keystore at a different location.

Follow the steps below to setup the certificate:

1> Start the Oracle Wallet Manager (owm)

owm is an Oracle-provided utility that you can use to manage the keystore and certificates. You can find it at $OHS_HOME/bin.

Example:
cd /app/oracle/product/fmw/webServer/bin
./owm

This will start the OWM interface.

2> Create a new Oracle Wallet

Click on Wallet --> New to create a new wallet. You will be asked to enter a password for the wallet.

When you click OK, a new wallet will be created for you.

3> Create a Certificate Signing Request (CSR)

Clicking "Yes" on the confirmation window will open a new CSR window. Alternatively, you can choose Operations --> "Add Certificate Request" to create a CSR.

Supply the information for your CSR.

4> Get the certificate

Right-click on the CSR --> Export it. Send it to the Certificate Authority. The CA will send back a trusted certificate and a user certificate.

Save the wallet. Once you receive the two certificates, open the wallet again and import them.


5> Import the certs

Import the trusted cert first.

sftp the certificates received from the CA to the server, then use OWM to import the cert.

A message will be displayed at the bottom that the certificate was imported successfully.
Follow the same procedure to import the user certificate.

The certificate will be shown as ready after the user certificate is imported.

Save the wallet. Two files will be created at the save location:

cwallet.sso
ewallet.p12

6> Modify the config files

You can create a new keystore parallel to the default location:

Default keystore: $INSTANCE/config/OHS/ohs5/keystores/default
Custom keystore: $INSTANCE/config/OHS/ohs5/keystores/custom

Copy the newly created wallet files to the custom location. The keystore location is set in the configuration files and is loaded when the server starts, so modify the config files to change the location.

Stop the web server.
Go to the config location, $INSTANCE/config/OHS/oha1
grep for the file containing SSLWallet; usually it is in ssl.conf:

 #Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"


   <FilesMatch "\.(cgi|shtml|phtml|php)$">

Modify the SSLWallet setting to point to the directory where the new keystore is located.

Restart the web server.

Test by browsing to the https:// URL.

--have fun

Tuesday, December 16, 2014

Setup OAM 11G Webgate for OHS in "CERT" mode

"CERT" mode is similar to "SIMPLE" mode, but in CERT mode the trusted authority is an external CA rather than Oracle.

I assume that you already have an OHS running in your environment. If the WebGate is not already installed, install it first; see my other blog post on setting up the WebGate.

Once the OHS is installed and the WebGate setup is complete, follow the rest of this post to set up "CERT" mode.

1. Generate the KEY and CSR

The first step is to generate the private key and Certificate Signing Request (CSR) for the OAM server.

openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes -config /usr/local/groundwork/common/openssl/openssl.cnf

You can use a different openssl.cnf if available. The key name "aaa_key.pem" and the CSR name "aaa_req.pem" are not optional; they have to be exactly as shown.

The above command will ask you a series of questions for the CSR. Fill them out for your requirements.

Generating a 2048 bit RSA private key
...........................................+++
......................................................................................................................................................................+++
writing new private key to 'aaa_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:Example.com
Organizational Unit Name (eg, section) []:example.com
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Oracle123
An optional company name []:

The above command will generate 2 files:

   aaa_req.pem
   aaa_key.pem

Submit aaa_req.pem to the external Certificate Authority (CA).

Note: You can also create your own CA internally and submit the request to it. Check my other blog post on setting up a local CA.

The CA will return 2 files:
  the user certificate in base64 format, aaa_cert.pem
  the CA root chain certificate in base64 format, aaa_chain.pem

2. Encrypt the private key

Encrypt the key generated in the first step.

openssl rsa -in aaa_key.pem -passin pass:Oracle123 -out aaa_key.pem -passout pass:Oracle123 -des


3. Retrieve the OAM keystore alias and password

To import the certificate into the OAM store you will need the keystore password; follow the steps below to retrieve it.

cd $FMW/Oracle_OIM1/common/bin
./wlst.sh
connect()
domainRuntime()
wls:/OAMDomain/domainRuntime> listCred(map="OAM_STORE",key="jks")
Already in Domain Runtime Tree

[Name : jks, Description : null, expiry Date : null]
PASSWORD:m7699agvgdtqnbetb64t6r0skj


Note the password above; you will need it in the next step.

4. Import the CA chain and the User Cert to OAM keystore

To import the user certificate, you first need to convert the cert and key from base64 (PEM) format to DER format; the OAM keystore accepts the user cert in DER format only. This step is not needed for the trusted chain cert.

    4.1 Convert the user key and cert to DER format

    Open aaa_key.pem and delete everything except the content between

    -----BEGIN CERTIFICATE-----
    Cert
    -----END CERTIFICATE-----

    (Do not delete the BEGIN CERTIFICATE and END CERTIFICATE lines themselves.)

    openssl pkcs8 -topk8 -nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der -outform DER

     Enter pass phrase for aaa_key.pem: Oracle123

Do the same for aaa_cert.pem:

    openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER


    4.2 Import the CA chain certificate

CA Cert:
keytool -importcert -file ./aaa_chain.pem -trustcacerts -storepass m7699agvgdtqnbetb64t6r0skj -keystore $OAMDOMAIN/config/fmwconfig/.oamkeystore -storetype JCEKS

Note: Use the keytool from the Java installation used by the OAM managed server.

User Certificate:

java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore $OAMDOMAIN/config/fmwconfig/.oamkeystore -privatekeyfile /home/oracle/cert/aaa_key.der -signedcertfile /home/oracle/cert/aaa_cert.der -alias dev.certmode -storetype JCEKS

Enter Store Password: m7699agvgdtqnbetb64t6r0skj
Enter alias password: Oracle123
Certificates imported to $OAMDOMAIN/config/fmwconfig/.oamkeystore

Note the alias used here; you will need it in the next step.


5. Add certificate details to OAM server

Login to OAM --> System Configuration --> Access Manager --> Access Manager Settings

In the settings above, enter the "PEM Keystore Alias" that you used when importing the cert in step 4.2. The password is the one used earlier for the key.

6. Set OAM to CERT mode

OAM --> System Configuration --> Server Instances --> oam_server1

Set the mode to "CERT".

Restart OAM.

7. Generate the WebGate artifacts

In OAM, register/re-register the WebGate in CERT mode. During registration, use the password (Oracle123) that was used earlier when the CSR was generated.

This will generate the artifacts on the OAM server under the directory

$OAMDOMAIN/output/<webgate name>

cwallet.sso
ObAccessClient.xml
password.xml

Copy these files from the OAM server to the OHS web server using scp or sftp.

8. WebGate Certificates
On the web server, generate the CSR:

openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes -config /usr/local/groundwork/common/openssl/openssl.cnf

Submit the CSR to the CA.
Receive the user certificate aaa_cert.pem and the trust chain certificate aaa_chain.pem.

Encrypt the private key:

openssl rsa -in aaa_key.pem -passin pass:Oracle123 -out aaa_key.pem -passout pass:Oracle123 -des

9. Copy the files to the WebGate server.

Copy the following files to the directory OHSINSTANCE/config/OHS/ohs4/webgate/config

aaa_key.pem
aaa_cert.pem
aaa_chain.pem

Note that these files are the result of the CSR on the WebGate server.

Copy the following files that you SFTPed from the OAM server:

cwallet.sso
ObAccessClient.xml
password.xml


Restart the OHS server.


--Have fun.

Monday, December 15, 2014

Setup OAM 11G Webgate for OHS in "SIMPLE" mode

The process to set up the WebGate in "SIMPLE" mode is very similar to setting it up in "OPEN" mode. Check my other blog post on setting up "OPEN" mode.

Simple mode provides encrypted communication between the WebGate and the OAM server. The certificates are issued by Oracle, and the trusted authority is already included in the OOTB install.

I assume that you already have an OHS running in your environment. If the WebGate is not already installed, install it as below:

1. Install the WebGate

Unzip the binary file; mine is V33639.zip, yours may have another name.

./runinstaller -jreloc <java install location>/jrockit-jdk1.6.0_37-R28.2.5-4.1.0

If you have Java from another vendor, provide its install location and directory above.

The installation is simple; you can take all the defaults except for:

    Oracle Middleware Home: <provide middleware directory here>
    Oracle Home Directory:    <webgate1>

The Oracle home directory will be created under the Middleware home.

2. After completing the WebGate installation, go to

<MiddleWare>/webgate1/webgate/ohs/tools/deployWebGate


3. Run the following command:

./deployWebGateInstance.sh -w <webgate instance directory> -oh <HTTP Server Home>

An example is:
./deployWebGateInstance.sh -w <OHS instance dir>/instance1/config/OHS/ohs1 -oh <MW Dir>/webgate1


4. Set the library path

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Middleware>/<OHS (not instance) Install directory>/lib

Example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/oracle/product/mw/web/lib

5. Edit httpd.conf

cd <MW>/webgate1/webgate/ohs/tools/setup/InstallTools

./EditHttpConf -w <OHS instance dir>/instance1/config/OHS/ohs1 -oh <mw>/webgate1

The web server configuration file was successfully updated

../instance1/config/OHS/ohs1/httpd.conf has been backed up as ../instance1/config/OHS/ohs1/httpd.conf.ORIG

6. Create the artifacts for the new WebGate.

Login to the OAM console as admin and go to
System Configuration --> Access Manager --> OAM Agents, then click on "Create 11g WebGate"

Name: secureGate2 (choose your own name for the webgate)
Security: Simple

Take the defaults for the other fields.

The artifacts are generated and stored on the OAM server at the location:

<OAMDomain>/output/secureGate2 (the webgate name will be different)

7. Copy the artifacts to the OHS server.

Use scp or sftp to transfer the artifacts from the above directory on the OAM server to the OHS server.

For SIMPLE mode, the artifacts consist of the following files:

1. cwallet.sso
2. ObAccessClient.xml
3. password.xml

4. aaa_key.pem
5. aaa_cert.pem

Copy the first three files to the OHS server under the following directory:

<OHS instance>/config/OHS/ohs3/webgate/config

Copy the last 2 files to the directory:

<OHS instance>/config/OHS/ohs3/webgate/config/simple

Restart the web server.

Registration issue:

During the registration of the webgate, if the OAM instance is running in "OPEN" mode, OAM will not allow you to create the webgate in open or cert mode. There are 2 workarounds for that.

1> Create a new instance, for name's sake only, in SIMPLE mode. Do not register any WG to this instance. If there is an instance in "SIMPLE" mode, that will allow you to create a webgate in open or simple mode.

2> The other workaround involves changing the OAM instance mode to "SIMPLE", creating a new WG in SIMPLE mode, then rolling the OAM instance back to OPEN mode. This procedure works fine, but during the period the OAM instance is changed to SIMPLE, all other webgates will stop working. Every time you add a new WebGate in SIMPLE mode, you will have to set the OAM mode to SIMPLE and then roll it back.

--Have fun

Setup OAM 11G Webgate for OHS in "OPEN" mode

OAM supports three modes of communication with the WebGate: Open, Simple and Cert. I will create a post for setting up each of the three modes.

As the name suggests, "OPEN" mode provides no communication security: the traffic flows in clear text. It should be used only if the WebGate servers reside internally and the risk of spoofing is minimal/acceptable.

I assume that you already have an OHS running in your environment. If the WebGate is not already installed, install it as below:

1. Install the WebGate

Unzip the binary file; mine is V33639.zip, yours may have another name.

./runinstaller -jreloc <java install location>/jrockit-jdk1.6.0_37-R28.2.5-4.1.0

If you have Java from another vendor, provide its install location and directory above.

The installation is simple; you can take all the defaults except for:

    Oracle Middleware Home: <provide middleware directory here>
    Oracle Home Directory:    <webgate1>

The Oracle home directory will be created under the Middleware home.

2. After completing the WebGate installation, go to

<MiddleWare>/webgate1/webgate/ohs/tools/deployWebGate


3. Run the following command:

./deployWebGateInstance.sh -w <webgate instance directory> -oh <HTTP Server Home>

An example is:
./deployWebGateInstance.sh -w <OHS instance dir>/instance1/config/OHS/ohs1 -oh <MW Dir>/webgate1


4. Set the library path

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Middleware>/<OHS (not instance) Install directory>/lib

Example:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/oracle/product/mw/web/lib

5. Edit httpd.conf

cd <MW>/webgate1/webgate/ohs/tools/setup/InstallTools

./EditHttpConf -w <OHS instance dir>/instance1/config/OHS/ohs1 -oh <mw>/webgate1

The web server configuration file was successfully updated

../instance1/config/OHS/ohs1/httpd.conf has been backed up as ../instance1/config/OHS/ohs1/httpd.conf.ORIG

6. Create the artifacts for the new WebGate.

Login to the OAM console as admin and go to
System Configuration --> Access Manager --> OAM Agents, then click on "Create 11g WebGate"

Name: new_wg
Security: open

Take the defaults for the other fields.

The artifacts are generated and stored on the OAM server at the location:

<OAMDomain>/output/new_wg

7. Copy the artifacts to the OHS server.

Use scp or sftp to transfer the artifacts from the above directory on the OAM server to the OHS server.

For OPEN mode, the artifacts consist of two files:

cwallet.sso
ObAccessClient.xml

Copy these files to the OHS server under the following directory:

<OHS instance>/config/OHS/ohs3/webgate/config

Restart the web server.

--Have fun

Friday, December 12, 2014

Setting up a new local Certificate Authority

Create your own CA

Certificate Authorities provide the certificates that are installed on the web servers and applications that clients connect to. Browsers such as Mozilla or Chrome trust these certificates because they come prepackaged with the root trust certificates of these providers. The providers charge a hefty fee for their certificates.

However, you don't have to pay for certificates if you set up your own CA and use that local CA to issue them. This can save time and money where certificates are used in environments other than PRODUCTION.

When you access a site running your certificate, a warning will be displayed that the certificate is not from a trusted source. This can also be taken care of, as we will see later.

This post uses Red Hat Linux for the setup, but it can easily be adapted to other flavors. You will need to make sure that openssl is installed and is in the path.

1. Set up the directory structure

linux# mkdir /opt/CA
linux# cd /opt/CA
linux# mkdir csr certs conf private public signed-keys
linux# echo "01" > conf/serial
linux# touch conf/index

2. Set up the config file

linux# cd conf
linux# vi openssl.cnf

Copy the following into your openssl.cnf file:

[ req ]
default_bits            = 2048
dir                     = /opt/CA
default_keyfile         = $dir/private/root.pem
default_md              = sha1
prompt                  = no
distinguished_name      = MY_CA
x509_extensions = v3_ca

[ MY_CA ]
countryName             = US
stateOrProvinceName     = NY
localityName            = NewYork
0.organizationName      = example.com
commonName              = example.com root CA
emailAddress            = ca@example.com

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = /opt/CA
new_certs_dir           = $dir/signed-keys/
database                = $dir/conf/index
certificate             = $dir/public/root.pem
serial                  = $dir/conf/serial
private_key             = $dir/private/root.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_crl_days        = 30
default_days            = 3650
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCaRevocationUrl     = https://example.com/ca-crl.pem

You may want to change the default bits, validity period or URL for the revocation list to match your requirements. The other settings can be used as they are.

3. Generate the root key pair

linux# openssl req -nodes -config conf/openssl.cnf -days 3650 -x509 -newkey rsa:2048 -out public/root.pem -outform PEM

This will create the key pair in base64 format. Keep private/root.pem safe. Provide public/root.pem to the clients along with the user certs.

You can view the content of these key files using the openssl command.

linux# openssl rsa -in private/root.pem -noout -text
linux# openssl x509 -in public/root.pem -noout -text

Some clients may want the public key in DER format. To convert PEM to DER, use the following:

linux# openssl x509 -in public/root.pem -outform DER -out public/root.der

4. Signing the Certificate

The party that needs the certificate will send you a Certificate Signing Request (CSR). Check the CSR before signing it.

linux# openssl req -in example.csr -noout -text

This will show the CSR details.

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.com, OU=Example, O=example ou, L=New York, ST=NY, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:b7:32:bd:59:1e:a3:e5:42:66:3b:42:cb:db:
                    4a:5c:a8:ff:d3:f7:c1:ba:0b:8b:43:66:54:81:14:
                    ed:61:8b:d9:79:fa:51:43:ea:e0:26:17:39:bc:14:
                    14:eb:89:3e:73:6f:f4:0a:4e:90:46:68:d8:c0:b4:
                    0f:72:13:19:79:e6:90:bd:a4:d1:61:3e:63:a5:b3:
                    7a:ac:1c:9a:2c:75:a7:5b:84:78:60:66:3f:64:fe:
                    af:a0:09:bc:8e:09:9f:d6:b3:76:1d:4e:c4:76:f1:
                    21:f1:f8:36:05:2a:dd:d2:82:37:ff:cc:57:19:06:
                    ab:f6:a6:00:a2:24:12:2e:51:d5:8e:22:99:0b:be:
                    a0:94:e5:13:9b:b3:38:dc:3c:43:0a:a2:d2:6f:95:
                    6e:19:d6:0a:9b:13:d7:2e:0f:98:cf:78:aa:00:31:
                    a0:5d:83:10:2c:68:2c:8a:1f:25:32:c1:68:21:6d:
                    e6:d6:75:05:02:ec:d8:b8:86:36:ac:95:d1:8b:a7:
                    cf:d8:e7:2e:9d:d5:ed:36:5f:69:0b:e0:49:21:20:
                    81:96:bf:dc:00:d6:ed:6e:fa:28:95:f3:e7:72:b3:
                    b6:79:12:93:b8:47:5b:f6:25:33:17:86:8b:7d:9d:
                    ca:50:de:f6:03:87:57:f7:6a:c6:7f:9c:19:c8:cb:
                    45:67
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
         18:db:e5:33:7a:45:8d:70:c1:be:5c:95:b7:f6:2e:c4:d3:d3:
         de:45:ad:ce:d1:e8:8c:09:9b:21:37:97:99:7c:91:77:99:92:
         e9:47:cc:0e:11:5d:29:14:b0:be:11:a4:41:30:98:b7:1a:26:
         34:fc:77:92:c4:1e:62:c9:1f:11:cb:be:0f:37:5d:72:d7:6f:
         55:65:06:7b:50:42:ae:6b:46:77:ee:59:50:db:2b:b5:ed:bf:
         d3:21:a6:ac:b6:d6:fd:5e:2c:15:54:73:81:85:ce:52:5e:fe:
         ff:be:d3:2e:75:f9:cb:85:6b:bf:81:b8:10:09:4e:d7:57:5b:
         92:50:51:b2:f4:ef:3f:ee:30:de:fb:12:ba:86:8c:6e:03:20:
         50:70:50:85:22:d9:d7:df:2a:cb:d9:ef:98:fb:31:c8:cb:85:
         c7:25:0a:0b:40:30:29:4e:eb:1c:50:b4:de:eb:2d:d3:87:c4:
         1d:0b:fc:de:9a:58:48:3c:66:f5:07:3b:66:df:18:10:18:c2:
         9f:ed:b9:16:36:8b:78:6f:9e:e7:33:56:41:57:cb:99:8f:db:
         dd:8d:24:9b:8e:0b:af:b8:d6:29:3e:fe:6e:cb:26:70:ce:82:
         50:c9:c9:6e:6a:99:e8:44:67:87:a1:db:39:b3:a9:48:ad:0f:
         b5:ee:6c:22

Now sign the certificate:

linux# openssl ca -batch -config conf/openssl.cnf -in csr/example.csr -out certs/example.pem

The certificate is now ready in the directory /opt/CA/certs. You will need to send the user certificate "certs/example.pem" and the trusted authority (CA) certificate "public/root.pem" to the party that sent the CSR.

The requester will need to import the certificates into the web server in this order: the trusted cert "root.pem" first, then the user cert "example.pem".
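The CA procedure above, scripted end to end as an added example (not part of the original post): it runs in a scratch directory with a trimmed-down openssl.cnf instead of /opt/CA, the CA and requester subjects are constructed demo values, sha256 is used as the digest where the post's config has sha1, and openssl is assumed to be on the path.

```shell
#!/bin/sh
# Added example (not from the original post): the CA steps run end to end in
# a scratch directory with a trimmed openssl.cnf, so signing and verification
# can be exercised without touching /opt/CA. Layout, file names and policy
# follow the post; subjects are constructed demo values.
set -eu

# Steps 1 and 2: directory structure, serial, index and the config file.
init_ca() {   # arg: CA directory
    mkdir -p "$1"/csr "$1"/certs "$1"/conf "$1"/private "$1"/public "$1"/signed-keys
    echo "01" > "$1"/conf/serial
    : > "$1"/conf/index
    cat > "$1"/conf/openssl.cnf <<EOF
[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca
[ req_dn ]
countryName             = Country Name (2 letter code)
[ v3_ca ]
basicConstraints        = critical,CA:TRUE
[ ca ]
default_ca              = CA_default
[ CA_default ]
dir                     = $1
new_certs_dir           = \$dir/signed-keys
database                = \$dir/conf/index
certificate             = \$dir/public/root.pem
serial                  = \$dir/conf/serial
private_key             = \$dir/private/root.pem
default_days            = 3650
default_md              = sha256
policy                  = policy_match
x509_extensions         = usr_cert
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
commonName              = supplied
[ usr_cert ]
basicConstraints        = CA:FALSE
EOF
}

# Step 3: root key pair. private/root.pem never leaves the CA host.
make_root() {
    openssl req -x509 -config "$1"/conf/openssl.cnf -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$1"/private/root.pem -out "$1"/public/root.pem \
        -subj "/C=US/ST=NY/O=example.com/CN=example.com root CA" 2>/dev/null
}

# Step 4: sign csr/<name>.csr into certs/<name>.pem and print the issued serial.
sign_csr() {
    openssl ca -batch -notext -config "$1"/conf/openssl.cnf \
        -in "$1"/csr/"$2".csr -out "$1"/certs/"$2".pem 2>/dev/null
    openssl x509 -in "$1"/certs/"$2".pem -noout -serial
}

# Whole flow: requester key + CSR (C/ST/O must match the CA for policy_match),
# signing, then verification of the issued cert against public/root.pem.
demo() {
    d=$(mktemp -d); init_ca "$d"; make_root "$d"
    openssl req -new -config "$d"/conf/openssl.cnf -newkey rsa:2048 -nodes \
        -keyout "$d"/example.key -out "$d"/csr/example.csr \
        -subj "/C=US/ST=NY/O=example.com/CN=www.example.com" 2>/dev/null
    serial=$(sign_csr "$d" example)
    if openssl verify -CAfile "$d"/public/root.pem "$d"/certs/example.pem >/dev/null 2>&1
    then echo "verified $serial next=$(cat "$d"/conf/serial)"   # verified serial=01 next=02
    else echo "verify failed"; fi
}
```

After a run, conf/index holds the new "V" entry and conf/serial has advanced to 02, which is what the post's `openssl ca` invocation does against /opt/CA.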

When you access the site now, a warning will be displayed that the certificate is not from a trusted source. To fix this, import root.pem into the web browsers.

For Mozilla:

go to Options --> Advanced --> View Certificates --> Authorities, click on Import

Select the root.pem file --> select "Trust this CA to identify websites" --> OK

Now you will see the certificate along with the other trusted certificates.

Access the site now. No warning will be displayed.

Similarly, you can import the root certificate in Chrome as well.


Have fun--