Friday, 15 September 2017

Use java jarsigner to self sign your java archive

Use jarsigner to sign your Java archive

Some applications or browser security policies require that any jar you try to use is signed.
You can use the Java tool jarsigner to self-sign your own jar files.

First, you need to create a certificate or use an existing one.

Create your own certificate

- To create your own certificate, run the following command:

C:\Java\jdk1.8.0_92\bin\keytool.exe -genkeypair -alias ddy -keyalg rsa -keysize 2048 -keypass ddy1234 -validity 3650 -keystore C:\temp\mykeystore.jks -storepass ddy1234 -storetype jks -dname "CN=DDY,OU=OC,O=DDY,L=Paris,ST=IDF,C=FR" -v
Generating 2 048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3 650 days
        for: CN=DDY, OU=OC, O=DDY, L=Paris, ST=IDF, C=FR
[Storing C:\temp\.keystore]


Use jarsigner

- Use your certificate with jarsigner to sign your Java archive:

C:\Java\jdk1.8.0_92\bin\jarsigner -keystore C:\Temp\mykeystore.jks pdev.jar ddy 
Enter Passphrase for keystore: 
jar signed.



Thursday, 14 September 2017

SSL Configuration on Weblogic

This article describes all the steps needed to configure SSL on Weblogic Server.
For a Weblogic cluster, these steps must be performed on each cluster member.

1. Configure Java stores

To configure the Java stores (a keystore holding the server certificate, a truststore holding the Certification Authorities), follow these steps.
Connect to the Weblogic Admin Console (click Lock & Edit in production mode):
- Go to "Environment / Servers / <ServerName>"
- Go to the "Configuration / Keystore" tab.
- Click on the "Change" button.
- Select "Custom Identity and Custom Trust" in the "Keystores" list, then click on "Save".
Note: if the certificates are issued by a well-known CA, use "Custom Identity and Java Standard Trust" instead.



- Make the following changes:
  o Custom Identity Keystore: /u01/app/security/mykeystore.jks (the store created earlier)
  o Custom Identity Keystore Type: JKS
  o Custom Identity Keystore Passphrase: <password for the keystore> (password used when the Java keystore was created)
  o Confirm Custom Identity Keystore Passphrase: <password for the keystore>
  o Custom Trust Keystore Passphrase: <password for the truststore> (password used when the Java truststore was created)
  o Confirm Java Standard Trust Keystore Passphrase: <password for the truststore>
- Click on "Save".

- Click on "Activate Changes".

2. SSL Configuration

To configure SSL using the keystores installed in the previous step:

- Go to "Environment / Servers / <ServerName>"
- Click on the "Configuration / SSL" tab
- Apply the following modifications:
  o Identity and Trust Location: Keystores (default)
  o Private Key Location: from Custom Identity Keystore (default)
  o Private Key Alias: <alias used for the key> (the value given when the certificate was added to the keystore)
  o Private Key Passphrase: <password used when creating the key alias>
  o Confirm Private Key Passphrase: <password used when creating the key alias>
- Click on "Save".
Note: the passphrase cannot be empty; if none was set when the key was created, use keytool to add one.




- Click on "Activate Changes".


3. Hostname Verification

It can be useful to disable hostname verification (for testing purposes only; not recommended for production).

By default, Weblogic rejects a certificate whose name does not match the server hostname.
To disable hostname verification:
- Go to "Environment / Servers / <ServerName>"
- Click on the "Configuration / SSL" tab
- Open the "Advanced" section and make the following changes:
  o Hostname Verification: NONE
  o Custom Hostname Verifier: leave empty
- Click on "Save"

- Click on "Activate Changes".

Note: to use certificates with wildcard names, you can use a custom verifier.
Example: *.ddy.com
- Go to "Environment / Servers / <ServerName>"
- Click on the "Configuration / SSL" tab
- Open the "Advanced" section and set the following values:
  o Hostname Verification: Custom Hostname Verifier
  o Custom Hostname Verifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
- Click on "Save"

- Click on "Activate Changes".
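The matching rules a wildcard-aware verifier has to apply, as an added illustration (this is not WebLogic's SSLWLSWildcardHostnameVerifier, whose exact behaviour is not shown on this page): the wildcard stands for a single leftmost label, so *.ddy.com covers wls.ddy.com but neither ddy.com nor a.b.ddy.com, and a wildcard directly under the top-level domain or inside a label is rejected.

```python
# Added example: RFC 6125-style wildcard hostname matching rules.
# Illustration only; not WebLogic's SSLWLSWildcardHostnameVerifier.

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules applied:
      - comparison is case-insensitive; a trailing dot is ignored
      - without a wildcard, the names must be identical
      - "*" is accepted only as the whole leftmost label ("*.ddy.com")
      - the wildcard stands for exactly one label: "wls.ddy.com" matches,
        "ddy.com" and "a.b.ddy.com" do not
      - "*.com" (wildcard next to the TLD) and "w*.ddy.com" (partial label)
        are rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be exactly the first label, appear nowhere else, and
    # leave at least two fixed labels so "*.com" cannot cover every .com host.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def first_matching_name(cert_names, hostname):
    """Return the first certificate name (SAN or CN) covering hostname, else None."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a certificate carrying the wildcard from the note above.
    names = ["wls.ddy.com", "*.ddy.com"]
    for host in ["wls.ddy.com", "soa.ddy.com", "ddy.com", "a.b.ddy.com"]:
        print(host, "->", first_matching_name(names, host))
```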

Generate SSL certificate using keytool

This article describes the steps to create an SSL certificate using the Java keytool.

1.1 Generate keypair

The keytool binary is a Java tool shipped with the JDK/JRE ($JAVA_HOME/bin).
- To create a keypair using the Java keytool (only if using a well-known CA):
${JAVA_HOME}/bin/keytool -genkeypair -alias wls.ddy.com -keyalg RSA -keysize 2048 -validity 3650 -keypass password_1 -keystore /u01/app/security/Identity.jks -storepass password_1
What is your first and last name?
  [Unknown]:  wls.ddy.com
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  DDY
What is the name of your City or Locality?
  [Unknown]:  Paris
What is the name of your State or Province?
  [Unknown]:  IDF
What is the two-letter country code for this unit?
  [Unknown]:  FR
Is CN=wls.ddy.com, OU=IT, O=DSI, L=Paris, ST=IDF, C=FR correct?
  [no]:  yes

- To create a CSR to send to your PKI (internal or a public CA):
${JAVA_HOME}/bin/keytool -certreq -alias wls.ddy.com -file wls-csr.pem -keystore /u01/app/security/Identity.jks
Enter keystore password:

- Send the .pem file to your CA to request your certificate.

1.2 Create a self-signed certificate

To create a self-signed certificate, use the following command:
${JAVA_HOME}/bin/keytool -genkey -noprompt -trustcacerts -alias wlssvr -dname "CN=wls.ddy.com,OU=IT,O=DDY,L=Paris,ST=IDF,C=FR" -keypass ovsroot -keystore /u01/app/security/mykeystore.jks -storepass ovsroot -keyalg RSA

1.3 Export certificate

To be able to import your CA certificate into a truststore, you need to export it first:
${JAVA_HOME}/bin/keytool -export -alias wlssvr -keypass ovsroot -keystore /u01/app/security/mykeystore.jks -storepass ovsroot -file mycert.cer

1.4 Add your CA to a custom Java truststore

Adding your CA to a custom or existing truststore is a mandatory step to allow Weblogic Server to use this certificate and to avoid handshake errors.
- To add a CA certificate to a truststore:
${JAVA_HOME}/bin/keytool -import -v -trustcacerts -alias mywlsserver -file mywlsserver.cer -keystore /u01/app/security/myTrust.jks -keypass changeme -storepass changeit
Certificate was added to keystore
[Storing SoaTrust.jks]

${JAVA_HOME}/bin/keytool -import -v -trustcacerts -alias mywlsca -file mywlsca.cer -keystore /u01/app/security/myTrust.jks -keypass changeme -storepass changeit
Certificate was added to keystore
[Storing SoaTrust.jks]

${JAVA_HOME}/bin/keytool -import -v -trustcacerts -alias myca -file myca.cer -keystore /u01/app/security/myTrust.jks -keypass changeme -storepass changeit
Certificate was added to keystore
[Storing SoaTrust.jks]

When adding a CA to a truststore, it is mandatory to add the root CA and every intermediate CA.

The example above shows how to add a certificate issued by mywlsca, which itself chains to the root CA myCA.