The security of an application, the data exchanged within it, and the network on which it is hosted should be considered one of the most important aspects of any application deployment. A weakened security layer can be responsible for sensitive data breaches and malicious system attacks. As an application developer, DBA, System Administrator, or any other role in IT, it is your responsibility to ensure that proper security efforts are being used to protect the applications, the data, and their hosting systems.
Secure Socket Layer or SSL (aka TLS) is a protocol used to provide encrypted communication between the source and destination of network traffic. The protocol works by establishing a trusted connection, most often through an exchange based on public and private keys. Using SSL for any application that communicates over the network is essential to protecting its data; it should be treated as a requirement, not an option. Running an application through FSAL requires that the public key (certificate) of the server's SSL certificate be present in the Java keystore. This may mean importing the certificate(s) manually if they are not already in the keystore, for example because they were not issued by a Certificate Authority the keystore already trusts.
In order to use SSL with FSAL, complete the following steps before attempting to use FSAL.
1. Obtain an SSL certificate from a known Certificate Authority and configure Oracle HTTP Server (or WebLogic Server) according to the instructions provided by the documentation for those components.
2. The public key portion of the certificate will be needed on the user’s machine. If you do not have the public key as provided by your Certificate Authority, there are several ways to obtain it. Obtaining the key chain can be done from any machine that has access to the server. Here is an example of how to obtain the key(s) using the openssl command. This is pre-installed on most Unix/Linux platforms, but can also be obtained for Microsoft Windows.
openssl s_client -showcerts -connect example.com:4443 </dev/null > output.txt
In the above example, replace example.com:4443 with your server and SSL port number. Redirecting standard input from /dev/null makes s_client exit after the handshake instead of waiting for you to type. The result of running this command will go into a file named "output.txt". Within this file you will see one or more certificates listed. Each certificate is the text between, and including, the BEGIN and END header/footer lines. Copy each certificate to its own file. Be sure to include only the BEGIN and END lines and the contents between them. Do not include any extra lines above or below the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- lines when saving the file.
Alternatively, run the following to generate the certificate file directly. Note that openssl x509 reads only the first certificate in its input, which is the server's own certificate; if the server presents a chain, the intermediate certificates still have to be extracted from the output of the previous command.
openssl s_client -showcerts -servername example.com -connect example.com:4443 </dev/null | openssl x509 -outform PEM > cert.cer
3. Import the public key(s) into the Java keystore on the user's machine. If it is a certificate chain, be sure to import every certificate in the chain.
This means it may be necessary to run the import utility more than once, once per certificate file, giving each certificate its own alias. To import the certificate public key(s) you can use the Java keytool utility, which is included in all Oracle Java distributions. Alternatively, you can use one of the many free utilities available on the Internet.
Here is an example of how each certificate could be inserted manually. Refer to the Java documentation for details on how to use the keytool utility.
keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file cert.cer
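Steps 2 and 3 can be automated so that no certificate is missed and no BEGIN/END line is lost. The script below is an added example, not part of the original article: it splits the output of openssl s_client -showcerts into one PEM file per certificate and imports each file into a keystore under its own alias. It assumes awk and keytool are on the PATH, and the keystore path and password are supplied by the caller; the sample s_client output and its certificate bodies are constructed placeholders, not real certificates.

```shell
# Added example: split "openssl s_client -showcerts" output into per-certificate
# PEM files and import each into a Java keystore (not code from the article).
# Assumes awk and keytool on PATH; the stock JDK cacerts password is "changeit".

# Constructed sample of s_client output (placeholder base64, not real certificates).
SAMPLE_OUTPUT='CONNECTED(00000003)
Certificate chain
 0 s:CN = example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBsampleLeafCertificateBodyPlaceholder0000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBsampleIntermediateCertificateBodyPlaceholder00000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.com
'

# split_pem_chain INPUT_FILE OUT_DIR
# Writes OUT_DIR/cert-1.cer, cert-2.cer, ... each holding exactly the lines from
# BEGIN to END (nothing above or below), and prints the number of certificates.
split_pem_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".cer"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/  { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# import_chain OUT_DIR KEYSTORE STOREPASS ALIAS_PREFIX
# Imports every cert-N.cer as ALIAS_PREFIX-N; keytool rejects a duplicate alias,
# so each certificate in the chain must get its own. Returns non-zero on failure.
import_chain() {
  for f in "$1"/cert-*.cer; do
    n=${f##*/cert-}; n=${n%.cer}
    keytool -importcert -noprompt -trustcacerts -alias "$4-$n" \
      -keystore "$2" -storepass "$3" -file "$f" || return 1
  done
}
```

For a live server, replace the constructed sample with the file written by openssl s_client -showcerts -servername HOST -connect HOST:PORT </dev/null, then call split_pem_chain on it and import_chain with your keystore path, for example <JAVA_HOME>/jre/lib/security/cacerts.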
4. Run FSAL with SSL, as shown in the example provided in the previous article: How do I run/use FSAL?
Read more about SSL with FSAL and troubleshooting tips in: Using and Securing Applications Running with FSAL