
Deep dive into various configurations with Oracle Weblogic Server

X509 Certificate Revocation Checking using OCSP (Online Certificate Status Protocol) in Weblogic Server

Puneeth Prakash
Principal Software Engineer

In this post we will see how to configure an OCSP-based certificate revocation check in Weblogic Server:

- First we need to create a key pair and certificate request and get it signed by an internal CA (created using openssl).

- Then create another certificate request and get it signed by the same CA. We will then revoke this second certificate.

- Establish two-way SSL communication between the browser and WLS.

- Configure WLS to enable the OCSP (Online Certificate Status Protocol) check.

- Connect to WLS using the valid and then the revoked certificate and compare the results.

Step 1 :

- Install OpenSSL and modify the openssl.cfg file so that certificates issued by the CA carry an Authority Information Access extension pointing at the OCSP responder:

authorityInfoAccess = OCSP;URI:http://host:port

Download the sample openssl.cfg file here.

NOTE : Right-click on the above hyperlink and click on "Save Link As". After downloading the file, rename its extension to .zip.

Set up your shell / cmd prompt to use the openssl.cfg file :

Command :

export OPENSSL_CONF=/tmp/package-root/usr/local/ssl/openssl.cnf

Step 2 :

Create an Internal CA

Command : 

./openssl req -nodes -new -x509 -keyout cakey.pem -out cacert.pem -days 3650


Step 3 :

Create a certificate and get it signed by the internal CA (this will be the valid certificate).

Command : 

./openssl req -nodes -newkey rsa:2048 -keyout newkey.pem -out newreq.pem -days 3650

./openssl ca -policy policy_anything -out validcert.pem -infiles newreq.pem


Step 4 :

Create another certificate and get it signed by the internal CA (this will be the revoked certificate).

Command :

./openssl req -nodes -newkey rsa:2048 -keyout newkeyFake.pem -out newreqFake.pem -days 3650

./openssl ca -policy policy_anything -out revokecert.pem -infiles newreqFake.pem

Let's revoke this certificate now :

Command :

./openssl ca -revoke revokecert.pem 

Create two .p12 keystores (one holding the valid and one holding the revoked certificate) using the following commands; these files will be used to import the certificates/keystores into the browser :

Command :

./openssl pkcs12 -export -in validcert.pem -inkey newkey.pem -out valid.p12 -name "valid"  

./openssl pkcs12 -export -in revokecert.pem -inkey newkeyFake.pem -out revoked.p12 -name "revoked" 

Step 5:

Start your OCSP responder; it answers status requests from the CA's index.txt, which is where the revocation from Step 4 was recorded.

Command :

./openssl ocsp -index index.txt -CA cacert.pem -rsigner cacert.pem -rkey cakey.pem -port 8888 

Step 6:

Configure Weblogic to enable OCSP-based certificate revocation checking.

Step 7 :

- Enable SSL on Weblogic (Demo Identity and Demo Trust are configured by default) and enable two-way SSL (client certificate requested and enforced) :

Login to console -> +Environment -> Servers -> AdminServer -> General -> SSL Listen port Enabled (check)

Login to console -> +Environment -> Servers -> AdminServer -> SSL -> +Advanced -> Two Way Client Cert Behavior -> select "Client Certs Requested and Enforced " from the drop down menu.

- Enable Certificate Revocation Debugs :

Login to console -> +Environment -> Servers -> AdminServer ->Debug -> +weblogic -> +security -> certrevocationchecking (enable)

- Make sure you increase the logging severity to DEBUG :

Login to console -> +Environment -> Servers -> AdminServer ->Logging  -> +Advanced ->

Log file : Severity level : Debug  

Standard out : Severity level : Debug

Step 8 :

Configure a certificate signed by the internal CA in your browser and access the Weblogic console.

1) First import the valid .p12 keystore --> access the console over SSL and check the Weblogic logs.

2) Now delete the valid certificate/keystore from IE and import the revoked .p12 keystore --> access the console over SSL and check the Weblogic logs.

NOTE :

- After successfully configuring two-way SSL on the Weblogic Admin Server and the browser (IE), access the WLS console over https.

- With the valid .p12 keystore configured in IE, accessing the Weblogic console over https produces the following logging in the .out file :

 <Aug 26, 2015 1:36:50 AM IST> <Debug> <CertRevocCheck> <BEA-000000> <The revocation status of certificate CN=Valid-Certificate, O=Valid, L=Bang, ST=Kar, C=IN is:
Status=NOT REVOKED
Source=OCSP
Subject="CN=Valid-Certificate,O=Valid,L=Bang,ST=Kar,C=IN"
Issuer="CN=Internal-CA,OU=Weblogic,O=Oracle,L=Bangalore,ST=Karnataka,C=IN"
SerialNumber=1
StatusValid=Tue 25 Aug 2015 16:08:39.000 +0530
StatusExpires=null
NonceIgnored=false
RevocationTime=null
ReasonCode=null
Flags=0
ProducedAt=Tue 25 Aug 2015 16:08:39.000 +0530
.>
<Aug 26, 2015 1:36:50 AM IST> <Info> <Security> <BEA-090914> <Certificate revocation status:
Status=NOT REVOKED
Source=OCSP
Subject="CN=Valid-Certificate,O=Valid,L=Bang,ST=Kar,C=IN"
Issuer="CN=Internal-CA,OU=Weblogic,O=Oracle,L=Bangalore,ST=Karnataka,C=IN"
SerialNumber=1
StatusValid=Tue 25 Aug 2015 16:08:39.000 +0530
StatusExpires=null
NonceIgnored=false
RevocationTime=null
ReasonCode=null
Flags=0
ProducedAt=Tue 25 Aug 2015 16:08:39.000 +0530
>

NOTE :

- With the revoked .p12 keystore configured in IE, accessing the Weblogic console over https produces the following logging in the .out file :

 <Aug 26, 2015 1:31:51 AM IST> <Debug> <CertRevocCheck> <BEA-000000> <The revocation status of certificate CN=Revoked-Certificate, OU=Bad, O=Revoked, L=Fake, ST=Fake, C=PP is:
Status=REVOKED
Source=OCSP
Subject="CN=Revoked-Certificate,OU=Bad,O=Revoked,L=Fake,ST=Fake,C=PP"
Issuer="CN=Internal-CA,OU=Weblogic,O=Oracle,L=Bangalore,ST=Karnataka,C=IN"
SerialNumber=2
StatusValid=Tue 25 Aug 2015 16:03:41.000 +0530
StatusExpires=null
NonceIgnored=false
RevocationTime=Tue 25 Aug 2015 15:13:53.000 +0530
ReasonCode=-1
Flags=0
ProducedAt=Tue 25 Aug 2015 16:03:41.000 +0530
.>
<Aug 26, 2015 1:31:51 AM IST> <Info> <Security> <BEA-090914> <Certificate revocation status:
Status=REVOKED
Source=OCSP
Subject="CN=Revoked-Certificate,OU=Bad,O=Revoked,L=Fake,ST=Fake,C=PP"
Issuer="CN=Internal-CA,OU=Weblogic,O=Oracle,L=Bangalore,ST=Karnataka,C=IN"
SerialNumber=2
StatusValid=Tue 25 Aug 2015 16:03:41.000 +0530
StatusExpires=null
NonceIgnored=false
RevocationTime=Tue 25 Aug 2015 15:13:53.000 +0530
ReasonCode=-1
Flags=0
ProducedAt=Tue 25 Aug 2015 16:03:41.000 +0530
>

NOTE :

When your OCSP server is down you will see the following in the Weblogic Server logs, and both the valid and the revoked keystore will be accepted by Weblogic: an unreachable responder leaves the revocation status unknown, and by default the check fails open rather than rejecting the connection (Weblogic's "Fail On Unknown Revocation Status" setting is the strict alternative).

 <Aug 26, 2015 1:40:19 AM IST> <Debug> <CertRevocCheck> <BEA-000000> <Exception while checking revocation status using OCSP.
com.rsa.certj.spi.revocation.CertStatusException: com.rsa.certj.spi.pki.PKIException: OCSP.SendOCSPRequest: Tried all: '1' addresses, but could not connect over HTTP to server: 'celbealnx9.us.oracle.com', port: '8888'
        at com.rsa.certj.provider.revocation.ocsp.OCSP$Implementation.checkCertRevocations(OCSP.java:705)
        at com.rsa.certj.provider.revocation.ocsp.OCSP$Implementation.checkCertRevocation(OCSP.java:592)
        at com.rsa.certj.CertJ.checkCertRevocation(CertJ.java:1270)
        at weblogic.security.pki.revocation.common.DefaultOcspChecker.checkCertRevocation(DefaultOcspChecker.java:737)
        at weblogic.security.pki.revocation.common.DefaultOcspChecker.getRemoteStatus(DefaultOcspChecker.java:133)
        at weblogic.security.pki.revocation.common.OcspChecker.getCertRevocStatus(OcspChecker.java:93)
        at weblogic.security.pki.revocation.common.RevocationCertPathChecker.runThruMethods(RevocationCertPathChecker.java:279)
        at weblogic.security.pki.revocation.common.RevocationCertPathChecker.check(RevocationCertPathChecker.java:185)

NOTE :

- In the above example I am using the browser as the SSL client to demonstrate the OCSP feature in WLS.

- But you can use any standalone Java client to connect to Weblogic and initiate two-way SSL to demonstrate the same behavior.

Example :

java -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStore=valid.jks -Djavax.net.ssl.trustStore=trust.jks -Djavax.net.debug=ssl  -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -cp . TwoWaySSLClient

