Wednesday Mar 04, 2015

Steps to create a .jks keystore from .pfx file

What are the different certificate extensions ?

How do they differ from each other ?

Common filename extensions for X.509 certificates are:

.pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too.

If you have a .pem file (Base64), you can simply rename it to .cer / .crt and open it in Windows (by double-clicking the file) to view its contents.

.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)

.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)

.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include certificates in the SignedData structure. A .P7C file is a degenerate SignedData structure, without any data to sign.

PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.

Source : http://en.wikipedia.org/wiki/X.509
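To make the PEM/DER distinction above concrete, here is an added Python example (not code from the original post) that classifies certificate bytes by content rather than by file extension, unwraps a PEM block to its DER bytes, and re-wraps DER as PEM. The sample DER object and every name in the code are constructed for this example: the sample is a minimal ASN.1 SEQUENCE, not a real certificate, so only the outer DER framing is checked.

```python
import base64
import re
from typing import List, Optional, Tuple

# A PEM block: "-----BEGIN X-----", a Base64 body, "-----END X-----" with matching labels.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_outer_length(data: bytes) -> Optional[int]:
    """Body length of the outermost DER SEQUENCE if 'data' is exactly one
    well-framed SEQUENCE (tag 0x30), else None. Certificates, CSRs and
    PKCS#7 / PKCS#12 blobs all start with such a SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: a single length byte
        header, length = 2, first
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    return length if header + length == len(data) else None


def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' from the content alone; the extension is ignored."""
    if PEM_BLOCK.search(data):
        return "pem"
    if der_outer_length(data) is not None:
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> List[Tuple[str, bytes]]:
    """Unwrap every PEM block in 'data' to a (label, DER bytes) pair."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        body = b"".join(m.group(2).split())   # drop the line breaks inside the Base64 body
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as a PEM block with 64-character Base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN %s-----\n" % label.encode("ascii")
            + b"\n".join(lines) + b"\n"
            + b"-----END %s-----\n" % label.encode("ascii"))


# Constructed sample: SEQUENCE { INTEGER 5 }. It is NOT a certificate, only a
# minimal DER object whose outer framing the helpers above can verify.
SAMPLE_DER = bytes.fromhex("3003020105")


def roundtrip(der: bytes) -> bool:
    """DER -> PEM -> DER must give back exactly the original bytes."""
    pem = der_to_pem(der)
    return (classify(der) == "der" and classify(pem) == "pem"
            and pem_to_der(pem) == [("CERTIFICATE", der)])


if __name__ == "__main__":
    print(classify(SAMPLE_DER), classify(der_to_pem(SAMPLE_DER)), roundtrip(SAMPLE_DER))
```

The point of `classify` is the one the text makes: the extension tells you nothing reliable, the bytes do. A `.cer` may hold either encoding, and a tool that rejects a file should be checked against `classify` before assuming the file is corrupt.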

In this post we will see how to convert a pfx file to pem / JKS.....

[Read More]

Monday May 05, 2014

Steps to configure Custom Identity and Custom Trust with Weblogic Server

What are the different ways keystore can be configured with Weblogic Server ?

What is the default keystore configuration in Weblogic ? 

Weblogic is configured with DemoIdentity and DemoTrust by default.

If you have generated any of the following certificates / keystores, then you need to configure a CustomIdentity and CustomTrust as shown in this blog post :

- Self-signed certificate / keystore

- Generated a CSR and got a certificate signed by a 3rd-party Certificate Authority ( CA )

- Generated a CSR and got the certificate signed by an internal CA.

You can also configure a Custom Identity and Java Standard Trust when you have any of the above certificates.

In the case of CustomIdentity and JavaStandardTrust, we create an Identity keystore, and for the Trust keystore we make use of the default JDK trust store, i.e. cacerts.

We need to import the root/intermediate certificate to cacerts using the following command :

keytool -import -file <root_certificate> -keystore <JDK>/lib/security/cacerts -storepass changeit 

In this post we will see how to configure a Custom Identity and Custom Trust with Weblogic Server.........

[Read More]

Wednesday Apr 30, 2014

Steps to configure Multiple AD Kerberos Domain with Weblogic Server

Say you have x users in AD1 and y users in AD2.

You can configure Kerberos with a multi-domain AD and Weblogic Server, provided you have a Forest Trust configured between the two AD domains.

After this setup, you should be able to log in to an application deployed on Weblogic Server as any user who is a member of AD1 or AD2, using Kerberos SSO.

In this post we will see how to configure a multi-domain AD with Weblogic Server using Kerberos for SSO......

[Read More]

Wednesday Apr 02, 2014

Steps to configure SAML 2.0 with Shibboleth ( deployed on WLS ) as IDP and Weblogic as SP.

Shibboleth is a free and open source federated identity solution.

Points to Remember:

The logging configuration for the IdP is located at $IDP_HOME/conf/logging.xml. This file is checked for changes every 10 minutes by default and is reloaded if changes have been made.
This means a deployer can keep the logging level at WARN until a problem occurs and then change the logging to DEBUG to get more information if the problem persists, all without restarting the IdP.

By default Shibboleth 2.0 Identity Providers write to three log files :

- idp-access.log contains a log entry for each time the IdP is accessed, whether information was ever sent back or not. These messages include request time, remote host making the request, server host name and port, and the request path. This log is written in the machine parsable format requestTime|remoteHost|serverHost|serverPort|requestPath|.

- idp-audit.log contains a log entry for each time the IdP sends data to a relying party. These messages include the audit event time, IdP and relying party IDs, request and response binding, communication profile ID, request and response ID, principal name, authentication method, and released attribute of the current user. This log is written in the machine parsable format auditEventTime|requestBinding|requestId|relyingPartyId|messageProfileId|assertingPartyId|responseBinding|responseId|principalName|authNMethod|releasedAttributeId1,releasedAttributeId2,|nameIdentifier|assertion1ID,assertion2ID,|
Note the name identifier and assertion IDs were added in V2.1.

- idp-process.log contains messages logged during the normal operation of the IdP. This log is meant to be human readable and contains messages that indicate what the IdP is currently doing, encountered errors, warning messages that may indicate potential problems, etc.

All logging messages are "rolled over" at midnight each night, if the IdP is running, or the next time the IdP starts up after that.
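Because both the access and audit logs use a fixed pipe-delimited layout, they are easy to parse for monitoring. The following Python example is added here and is not part of the original post or of Shibboleth itself. It parses the two formats described above (handling the trailing "|" and the comma-terminated lists, and padding V2.0 audit records that lack the two fields added in V2.1) and derives two simple defender-side views from constructed sample lines: requests per remote host, and the set of attributes the IdP has released to each relying party. All hosts, IDs and names in the samples are made up.

```python
from collections import Counter, defaultdict
from typing import Dict, List

ACCESS_FIELDS = ["requestTime", "remoteHost", "serverHost", "serverPort", "requestPath"]
AUDIT_FIELDS = [
    "auditEventTime", "requestBinding", "requestId", "relyingPartyId",
    "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
    "principalName", "authNMethod", "releasedAttributeIds",
    "nameIdentifier", "assertionIds",          # these two were added in IdP V2.1
]
LIST_FIELDS = {"releasedAttributeIds", "assertionIds"}   # comma-terminated lists, e.g. "a,b,"


def _split_record(line: str) -> List[str]:
    parts = line.rstrip("\r\n").split("|")
    if parts and parts[-1] == "":            # every record ends with a trailing '|'
        parts.pop()
    return parts


def parse_access_line(line: str) -> Dict[str, str]:
    parts = _split_record(line)
    if len(parts) != len(ACCESS_FIELDS):
        raise ValueError(f"bad idp-access.log record: {line!r}")
    return dict(zip(ACCESS_FIELDS, parts))


def parse_audit_line(line: str) -> Dict[str, object]:
    parts = _split_record(line)
    if len(parts) == len(AUDIT_FIELDS) - 2:   # V2.0 layout: no nameIdentifier / assertionIds
        parts += ["", ""]
    if len(parts) != len(AUDIT_FIELDS):
        raise ValueError(f"bad idp-audit.log record: {line!r}")
    rec: Dict[str, object] = dict(zip(AUDIT_FIELDS, parts))
    for field in LIST_FIELDS:
        # split the list and drop the empty item left by the trailing ','
        rec[field] = [x for x in str(rec[field]).split(",") if x]
    return rec


def accesses_per_host(text: str) -> Counter:
    """Requests per remote host; a sudden spike from one host is worth a look."""
    return Counter(parse_access_line(line)["remoteHost"]
                   for line in text.splitlines() if line.strip())


def attributes_per_relying_party(text: str) -> Dict[str, List[str]]:
    """Which attributes the IdP has actually released to each service provider."""
    released = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            rec = parse_audit_line(line)
            released[rec["relyingPartyId"]].update(rec["releasedAttributeIds"])
    return {rp: sorted(attrs) for rp, attrs in released.items()}


# Constructed sample records in the layouts documented above (not real log data).
ACCESS_SAMPLE = """\
20140402T101500Z|192.0.2.10|idp.example.org|443|/idp/profile/SAML2/Redirect/SSO|
20140402T101501Z|192.0.2.10|idp.example.org|443|/idp/profile/SAML2/Redirect/SSO|
20140402T101502Z|192.0.2.10|idp.example.org|443|/idp/profile/SAML2/Redirect/SSO|
20140402T101530Z|198.51.100.7|idp.example.org|443|/idp/Authn/UserPassword|
"""

AUDIT_SAMPLE = """\
20140402T101503Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,eduPersonPrincipalName,|_nameid1|_assertion1,|
20140402T101540Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp2|bob|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|mail,|_nameid2|_assertion2,|
"""

if __name__ == "__main__":
    print(accesses_per_host(ACCESS_SAMPLE))
    print(attributes_per_relying_party(AUDIT_SAMPLE))
```

The audit log is the one to keep: it records exactly which attributes went to which relying party for which principal, which is what you need when an SP reports unexpected data or when you review attribute-release policy after the fact.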

You can test your configuration here :

http://www.testshib.org/

Here are a few other sites which might be helpful :

https://sp.testshib.org/

https://shibboleth.usc.edu/docs/sp/install/

NOTE :

SAML2 Assertion encryption is a feature that is not supported by any current version of WebLogic Server, regardless of the Identity Provider.

SAML2 Assertions in WebLogic Server are base64 encoded but not encrypted.

In the case of Shibboleth Identity Provider, the default Out-Of-The-Box configuration is to require encryption of the SAML2 Assertions. Thus, this issue is usually raised when using Shibboleth as the Identity Provider.

Shibboleth can be configured to use non-encrypted SAML2 Assertions, for instance check this :

Link : https://wiki.shibboleth.net/confluence/display/SHIB2/IdPXMLSigEnc

The wiki describes the way to configure Shibboleth when used in conjunction with WebLogic Server.

In this post we will see how to configure SAML 2.0 SSO using Shibboleth as IDP ( deployed on WLS ) and Weblogic as SP...

[Read More]

Saturday Aug 17, 2013

Steps to DeInstall Oracle Weblogic Server 12.1.2.0.0...

How to DeInstall Oracle Weblogic Server 12.1.2.0.0 ? 

- Oracle Weblogic Server 12.1.2 can be deinstalled in two ways :

* GUI mode

* Silent mode

- For GUI mode, go to the " ORACLE_HOME\oui\bin " directory and run the deinstall script.

- For Silent mode, go to the " ORACLE_HOME\oui\bin " directory and run the following command :

./deinstall.sh -silent -response <deinstaller_response_file>

- The deinstaller does not remove the JDK or any user-created data such as WebLogic domains or custom application data. Only the components that were installed by the installation program are removed by the deinstaller. 

- Make sure you have stopped all the servers / processes running before starting the DeInstaller.

In this post we will see how to DeInstall Oracle Weblogic Server 12.1.2.0.0.

[Read More]

Steps to create a new domain on Weblogic Server 12.1.2.0.0...

Weblogic Server Domain Configuration Wizard - Points to remember :

- Adding " -Djava.security.egd=file:/dev/urandom " in Unix/Linux decreases the amount of time it takes for the Configuration Wizard to create or update a domain.

- Quick Start Configuration Wizard can be used only to configure the various sample domains, such as MedRec and the Examples Server, in your WebLogic Server installation.

- You can start Quick Start Configuration Wizard in two ways :

1. Select the Automatically Launch Quick Start Configuration Wizard option on the Installation Complete screen of the WebLogic Server installer.

2. Run the config.cmd / config.sh script located in ORACLE_HOME/oracle_common/common/bin as follows : " config.cmd -target=config-oneclick " in windows and " config.sh -target=config-oneclick " in Linux.

- Prior to manually running the Configuration Wizard in Quick Start mode, you must set the CONFIG_JVM_ARGS environment variable to specify the full path and JAR file name for each template that you want to use for the domain.

- To set CONFIG_JVM_ARGS on a Windows system:

set CONFIG_JVM_ARGS="-DuserTemplates=C:/Oracle/Middleware/wlserver/common/templates/wls/wls.jar,C:/Oracle/Middleware/wlserver/common/templates/wls/wls_webservice_jaxws.jar"

- To set CONFIG_JVM_ARGS on a UNIX system:

export CONFIG_JVM_ARGS="-DuserTemplates=/Oracle/Middleware/wlserver/common/templates/wls/wls.jar,/Oracle/Middleware/wlserver/common/templates/wls/wls_webservice_jaxws.jar"

- Domain can be created using GUI mode or using WLST.

- Silent mode exists only for the WLS 12.1.2 installation, not for WLS 12.1.2 domain creation.

- Nodemanager can now be configured in domain configuration wizard.

In this post we will see how to create a new Weblogic Server domain using DomainConfigurationWizard.

[Read More]

Thursday Aug 15, 2013

Steps to install Oracle Weblogic Server 12.1.2.0.0...

What's new in Weblogic Server 12.1.2.0.0 :

- JDK is no longer bundled with Weblogic Server Installers

- There are two types of installers :

1. generic installers
2. zip distribution ( intended for development use only ) Remember - this is not patchable..!!

- New GUI ( Graphical User Interface )

- No console mode installation for weblogic.

- SmartUpdate / bsu is deprecated. We need to use OPatch to install patches from now on.

- Nodemanager can now be configured at domain level / host(machine) level.

- You can install Weblogic Server in silent mode, but there is no option to create a domain using silent mode.

- WLS installer GUI works fine in Unix environment when connected via VNC, however there are few issues seen when using other third party X-Windows clients. 

- Only 64-bit machines are supported with WLS 12.1.2.

- WLS 12.1.2 is certified for use only with JDK 1.7

- Server Templates and Dynamic Clusters are introduced in this release. 

and many more..... 

In this post we will see how to install Weblogic Server 12.1.2.0.0. 

[Read More]

Wednesday Jul 31, 2013

Steps to configure SAML 2.0 with Weblogic Server (using embedded LDAP as a security store - Only for Dev Environment)...

What is SAML 2.0 ?

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.


SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider.

It enables cross-platform authentication between Web applications or Web services running in a WebLogic domain and Web browsers or other HTTP clients.

When users are authenticated at one site that participates in a single sign-on (SSO) configuration, they are automatically authenticated at other sites in the SSO configuration and do not need to log in separately.

The party that generates the SAML token is called the Identity Provider OR Asserting Party OR Source Site.

The party that accepts the token is called the Service Provider OR Relying Party OR Destination Site.
Trust has to be established between them for SAML to work; hence the details of the Service Provider have to be registered with the Identity Provider, and the details of the Identity Provider have to be registered with the Service Provider.

SAML can be classified into two types depending on the manner in which requests are obtained.

- IDP initiated ( Identity Provider Initiated )

- SP initiated ( Service Provider initiated )

In this post we will see how to configure Single sign-on (SSO) using SAML 2.0 in Weblogic Server. 

[Read More]

Saturday Jul 20, 2013

Steps to configure Kerberos / SPNEGO / NTLM authentication with Weblogic Server :

What is Kerberos ? 

Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

It is primarily a client-server model and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

The Kerberos protocol name is based on the three-headed dog from Greek mythology known as Kerberos.

The three heads of Kerberos comprise the Key Distribution Center (KDC), the client user and the server with the desired service to access. 

The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS).

In this post we will see how to configure Single sign-on (SSO) using Kerberos in Weblogic Server. 

[Read More]
About

Oracle Fusion Middleware - WebLogic
