Configuring Certificate Based Authentication in WebLogic 10.3.3

In my previous post, I had discussed the steps needed to configure 2-way SSL in WebLogic. As a step further, in this article I will discus the steps needed to create an environment for Certificate based authentication.

Following are my assumptions -

• Weblogic Server has been setup for 2-way SSL for a principal with the name robert.brown
• Client certificate/key for robert.brown has been imported into the browser's Personal identity store
• User robert.brown has been created in the Weblogic Server and assigned to group AuthorizedGroup
• AuthorizedRole is mapped to AuthorizedGroup
• Web application (war) with CLIENT-CERT based authentication method is deployed in the Weblogic Server. The application allows access to all users in the AuthorizedRole role. This configuration is setup in the web.xml of the web application.

Now, to set this application for authentication, perform the following steps in the Weblogic Server

Logon to Weblogic Admin Console

Click Security Realm

Click myrealm

Click Providers

Click New button

Select DefaultIdentityAsserter

Enter an appropriate name

Click the newly created IdentityAsserter

Add X.509 to Chosen

Click ProviderSpecific tab

Select CN in Default User Name Mapper Attribute Type. It is assumed that the user name is available in the subject name in the certificate

Check Use Default User Name Mapper

Click Save

Restart Server

To test, enter the URL of the web application. If the browser has multiple keys personal keys installed, it should ask which key is to be used for SSL and after choosing a key, automatically the user should be logged in as robert.brown in the web application.

Configuring Two way SSL in Weblogic 10.3.3

This involves the following steps -

• Creation of Identity for Weblogic Server
• Creation of Personal Identity for the user
• Creating trust for the Personal Identity for the user in WebLogic Server
• Configuring SSL

Creation of Identity for Weblogic Server

This involves the following steps

• Creation of Identity Keystore, Key and Certificate
• Configuration of Keystore in WebLogic Server

Creation of Identity Keystore, Key and Certificate

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\identity>keytool -genkey -alias server.identity -dname "CN=,OU=ORG,O=Company" -keypass server.identity.password -keystore identity.jks -storepass identity.password

Configuration of Keystore in WebLogic Server

Go to Weblogic Admin Console

Click Environments

Click Servers

Click the Server (for example AdminServer)

Click KeyStores tab

Click Change button for Keystores and select Custom Identity and Java Standard Trust

Click Save

Enter the location for identity.jks in Custom Identity Keystore

Enter JKS for Custom Identity Keystore Type

Enter identity.password for Custom Identity Keystore Passphrase and its confirmation

Creation of Personal Identity for the user

This involves the following steps

• Creation of Client Personal Identity Key pair
• Getting the Key pair signed by a CA
• Generate a PKCS12 Keystore to import into Internet Explorer
• Installing the Key in a browser for 2-way SSL

Creation of Client Personal Identity Key pair

Goto WebLogic domain config directory and run setDomainEnv.cmd in the bin directory

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>java utils.CertGen -certfile robert.brown.identity.cert -keyfile robert.brown.identity.key -keyfilepass robert.brown.identity.key.password -cn robert.brown

Generating a certificate with common name robert.brown and key strength 1024 issued by CA with certificate from D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\CertGenCA.der file and key from D:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\CertGenCAKey.der file

The following files are created -

robert.brown.identity.cert.der

robert.brown.identity.cert.pem

robert.brown.identity.key.der

robert.brown.identity.key.pem

Please note that this step signs the certificates with a WebLogic test CA

Generate a PKCS12 Keystore to import into Internet Explorer

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>java utils.ImportPrivateKey -keystore robert.brown.identity.p12 -storepass robert.brown.identity.password -storetype pkcs12 -keypass robert.brown.identity.password -alias robert.brown.identity -certfile robert.brown.identity.cert.pem -keyfile robert.brown.identity.key.pem -keyfilepass robert.brown.identity.key.password

Imported private key robert.brown.identity.key.pem and certificate robert.brown.identity.cert.pem into a new keystore robert.brown.identity.p12 of type pkcs12 under alias robert.brown.identity

The following file is created

robert.brown.identity.p12

Installing the Key in a browser for 2-way SSL

Open Internet Explorer

Open Tools

Click Content Tab

Click Certificates button in Certificates section

Click Trusted Root Certification Authorities tab

Click Import and in the Certificate Import Wizard import D:\Oracle\Middleware\wlserver_10.3\server\lib\CertGenCA.der

You should be able to see a self-signed certificate installed in the Trusted Root Certification Authorities issued to CertGenCab

Click Personal tab

Click Import and in the Certificate Import Wizard import robert.brown.identity.p12 and enter password robert.brown.identity.password

You should be able to see an entry in the Personal tab Issued to robert.brown Issued by CertGenCab

Creating trust for the Personal Identity for the user in WebLogic Server

This involves the following steps

• Installing the WebLogic test CA in the truststore
• Installing the Client certificate in the truststore
• Configuration of Truststore in WebLogic Server

Installing the WebLogic test CA in the truststore

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>keytool -importcert -trustcacerts -alias ca -file D:\Oracle\Middleware\wlserver_10.3\server\lib\CertGenCA.der -keystore trust.jks -storepass trust.password

Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=USIssuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MySta

te, C=US

Serial number: 234b5559d1fa0f3ff5c82bdfed032a87

Valid from: Thu Oct 24 23:54:45 CST 2002 until: Tue Oct 25 23:54:45 CST 2022

Certificate fingerprints:

MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE

SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59

Signature algorithm name: MD5withRSA

Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

Key_CertSign

]

#2: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

CA:true

PathLen:1

]

Trust this certificate? [no]: yes

Certificate was added to keystore

Installing the Client certificate in the truststore

D:\Oracle\Middleware\user_projects\domains\sandesh_domain\servers\AdminServer\security\trust>keytool -importcert -trustcacerts -alias robert.brown -file robert.brown.identity.cert.der -keystore trust.jks -storepass trust.password

Certificate was added to keystore

Configuration of Truststore in WebLogic Server

Go to Weblogic Admin Console

Click Environments

Click Servers

Click the Server (for example AdminServer)

Click KeyStores tab

Click Change button for Keystores and select Custom Identity and Custom Trust

Click Save

Enter the location for trust.jks in Custom Trust Keystore

Enter JKS for Custom Trust Keystore Type

Enter trust.password in Custom Trust Keystore Passphrase and its confirmation

Click Save

Configuring 2-way SSL

Click SSL tab

Enter server.identity in Private Key Alias

Enter server.identity.password in Private Key Passphrase and its confirmation

Click Save

Click Advanced

Select Client Certs Requested and Enforced in Two Way Client Cert Behavior

[Note : Ensure that Listen Port Enabled (clear port is enabled, just in case you need to login using clear if SSL configuration does not work)

To test, open Internet Explorer and open the URL https://localhost:7002/console. If you have multiple client certificates on the browser, browser will prompt which certificate to use. Also, since, the server certificate is not in the trusted list, there will be a warning.