Securing OHS layer and disabling the non-ssl port of management server (EMGC_OMSx) when using self-signed certificates (in Oracle Grid Control 11g)

Make sure that we have:
  • Server certificate (which will correspond to identity of our OHS server). This certificate should be contained in "new" custom oracle wallet file named as "ewallet.p12". This certificate can be self-signed/3rd party signed (details of creating such a wallet are out of scope of this document). I will call this wallet as "OHS identity wallet" and the server certificate within it as OHS identity certificate from this point onwards.
  • Root certificate of CA(Certifying authority) who signed OHS identity certificate. Say this is in file "CA_of_ohs.cer".
  • Root certificate of CA who signed weblogic certificate. If you have used 3rd party signed certificate on weblogic, then this will be ROOT certificate of the corresponding CA. If you have used self-signed certificates on weblogic, then our "CA certificate" will be public certificate corresponding to self-signed keypair. We can get this by exporting it from the weblogic identity keystore using "keytool" like this:

keytool -exportcert -alias <self-signed_cert_alias> -keystore <keystore_name> -storetype jks -storepass <keystore_password> -keypass <private_key_password> -file < filename>
e.g.,

keytool -exportcert -alias wlsmac2 -keystore identity.jks -storetype jks -storepass mypass -keypass mypass -file wlsmac2.cer

Note: Keytool exports the certificate into DER format. Consider getting PEM format of same certificate using java utility "utils.der2pem". Command is:

java utils.der2pem <input_der_file>

This will generate PEM certificate into the same directory with same file name but with "pem" extension. Note that this utility will expect the input file to be with "der" extension. So, rename "wlsmac2.cer" to "wlsmac2.der" before executing this command.
e.g., java utils.der2pem wlsmac2.der

Note: If you get any "java.lang.ClassNotFoundException" command while trying to execute this utility, try setting the weblogic environment using script gc_inst/user_projects/domains/GCDomain/bin/setDomainEnv.sh. E.g.,

. ./setDomainEnv.sh #after cd to "gc_inst/user_projects/domains/GCDomain/bin/"

I will call this certificate as "WebLogic CA certificate", and suppose it is there in file "wlsmac2.pem".
Copy above files (ewallet.p12, CA_of_ohs.cer and wlsmac2.pem) into some temporary directory (let us say into "/tmp").


Now here the steps:

1) Navigate to "/tmp". Import WebLogic CA certificate into OHS identity wallet using "orapki" utility like this:          
orapki wallet add -wallet ./ewallet.p12 -trusted_cert -cert ./wlsmac2.pem

This utility can be typically located at "<MIDDLEWARE_HOME>/oracle_common/bin" in Grid Control setup.

2) Generate SSO wallet corresponding to OHS identity wallet using "orapki" utility:           
orapki wallet create -wallet ./ -auto_login


This will generate file "cwallet.sso" in the same directory.

3) Ensure Grid Control is up, using command:          
OMS_HOME/bin/emctl status oms

4) Bring up Weblogic administration console using browser:      
https://host:secure_port/console

5) Navigate to tab Servers/EMGC_OMS1/Configuration/General

6) Click on 'Lock and Edit' button in change center

7) Uncheck the checkbox next to 'Listen Port Enabled'

8) Click on button 'Save'

9) Click on 'Activate Change'

10) Logout from console

11) Edit "emgc.properties" file and set already defined parameter "MSPORT" to 0:
MSPORT=0

This will tell "emctl start/stop oms" to connect to EMGC_OMS1 server over ssl port to bring it down, from now onwards.

12) Stop the OMS server:         
OMS_HOME/bin/emctl stop oms

13) Execute:          
OMS_HOME/bin/emctl secure oms

This command connects to EMGC_ADMIN and reads the port values from there. Since we have disabled non-ssl port of EMGC_OMS1 server, this command will automatically modify mod_wl_ohs.conf file and set following for you:


  • WebLogicPort <secure_port_of_EMGC_OMS1>
  • SecureProxy On #This tells OHS to connect to above port using secure protocol
  • WlSSLWallet ${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/proxy #This is where OHS will expect a wallet containing root certificate of CA who signed weblogic certificate



14) Copy the files "ewallet.p12", "cwallet.sso" and "CA_of_ohs.cer" (from "/tmp") into following location:

${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/proxy

15) Execute:            
OMS_HOME/bin/emctl secure oms -wallet <${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/proxy> -trust_certs_loc <${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/proxy/CA_of_ohs.cer>

This will copy the wallets from "proxy" directory into "upload" directory, overwriting any existing wallet.

16) Secure console with new certificate:            
OMS_HOME/bin/emctl secure console -wallet <${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/proxy>

17) Force shutdown whole grid control:            
OMS_HOME/bin/emctl stop oms -force -all

18) Start the grid control:           
OMS_HOME/bin/emctl start oms

19) Next we import the OHS' CA certificate into agent trust on all machines so that agent(s) can accepts/trust new OHS certificate, and upload is successful.            
AGENT_HOME/bin/emctl secure add_trust_cert -trust_certs_loc CA_of_ohs.cer   ----> (file is from requirement-b as discussed at the start of this topic)

20) Stop and restart the agents for changes to take effect.

Comments

Post a Comment

Popular posts from this blog

Replacing expired certificates on SSL Server that uses JKS based keystore

Replacing an expired identity certificate in a JKS based keystore is pretty easy stuff, unless you have forgot to keep a backup of your private key. This post discusses the use-case where we don't have a backup copy of the private key outside the JKS keystore, and we wish to replace the expired/going-to-expire identity certificate There are two ways that I know of: Portecle (easy) - this is a tool available out on internet OpenSSL-Keytool combination (lengthy one) I will discuss 2nd one, and would only provide commands (and not discuss each switch as you can always refer relevant product docs for it) 1. Backup the JKS keystore, suppose original is  "keystore.jks" 2. JKS -> PKCS12 conversion (pkcs12 obtained in this step would be run through OpenSSL in next step, to separate the private key from the expired certificates)          keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS
Read more

Giving non-admin users the permission to access MBeans

Sometimes it might be a requirement that a JEE application, deployed on WebLogic, needs an access to MBeans (Server, domain  or custom MBeans). With WebLogic default administrator user and other users who belong to default administrator group “Administrators” such a thing is possible quite easily. However it is not a good practice as the admin credentials would unnecessarily get exposed to application (and it may in-turn have security consequences). So, the question comes up - can we avoid using these admin credentials and instead use appropriate credentials, in our application, based on role access? The answer is yes - this requirement involves working with JMX policies. WebLogic provides a way for creating new as well as modifying existing (default) JMX policies. So what you can do is use the JMX policy editor to grant non-admin user/group a write access to the required MBean. JMX policy editor is described here . Also refer this to enable the JMX policy editor if it i
Read more

Modifying the "supported" attributes of embedded ldap users/groups

Image
WLS Admin console provides limited access to modify the attributes of users and groups that are located in its embedded ldap. This is primarily because embedded ldap is not supposed to hold any application users/groups on a large scale and probably this is one of the reasons why WLS does not provide any dedicated GUI to to modify the user/group attributes inside embedded ldlap. Neverthless, we can store these users/groups and we can modify the attributes as well. There are two approaches: 1) Using an external LDAP browser utility . My favorite as of today is jxplorer . I use such a utility against WLS embedded ldap for various purposes - testing the connectivity, the bind operation, search queries, etc Using such ldap browser utilities against WLS embedded ldap requires one to explicitly open embedded ldap for "outside WLS" access.This involves resetting the password of embedded ldap's super user "Admin" to a known value. Note that when WLS domain is creat
Read more