In the last article we looked at encrypting communication between WebLogic and the load balancer. Now it is time to investigate the traffic between WebLogic and the application server. Without this configuration the logs get filled with messages like this:
Let’s upgrade to SSL then!
We already discussed TLS with regard to the Integration Broker and the Web Server. The application server conceptually works in the same way, but it (mostly) isn’t written in Java, so in practice the procedure is slightly different.
Create the Key Store and the Certificate Signing Request
The Oracle documentation mentions we can use the Oracle Client to create a wallet, or openssl. I will use the latter, as I am automating this process and hope to be able to reuse the code elsewhere. PeopleSoft, much like WebLogic, already has a demo key store which we shouldn’t use, as the private keys are widely known. We will create a new one under the application server domain security folder, then generate the Certificate Signing Request (CSR). This needs to be done as the user that owns the domain (by default psadm2). I start in the domain directory, by default
8.59 is the PeopleSoft tools version, wallet.tls is a name for the wallet, and <hostname> is the fully qualified hostname. The CSR is now in
Signing the CSR
In exactly the same way as we did with WebLogic, we need to:
- transfer this signing request to the Certificate Authority (CA)
- sign it
- transfer it back to the application server together with the root certificate
The signing command is exactly the same as for WebLogic:
Note that the Oracle documentation referenced above says to add the -set_serial 01 parameter to the openssl x509 command. This is not recommended. Some blogs recommend using the -CAserial parameter. Again, this is not recommended.
RFC 3280 states that:
The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA
They should not be consecutive. By leaving out these parameters openssl acts in the recommended way and creates a random serial number, drawn from a pool large enough that it is guaranteed to be unique. The serial number can be displayed to verify this:
A long hex number is displayed. It seems the
hasn’t been updated with this useful feature, which has caused some
Import the Signed Certificate and Root Certificate
We should now have three files back in our
root.crt, together with the
that we created above. We have all the pieces we need to create the wallet. We put them together to create the wallet as follows:
<wallet_password> is a password for the wallet. We will need this later.
We don’t need the
to be in the wallet directory any longer; they can be removed now if you want to keep things tidy.
Configuring the Application Server
Next we need to configure the application server to use this wallet to encrypt communication. We can do this by editing the configuration file, or by running the psadmin utility interactively.
Manually Editing psappsrv.cfg
My preferred approach is to edit the configuration files, as this is easier to automate.
Edit psappsrv.cfg in the domain directory. Find the Oracle Wallet section, and make it look like this:
tls is the name of the wallet directory without the leading
<wallet_password> is what we specified when creating the wallet.
Make a note of the SSL Port in the JOLT Listener section, and ensure that JSL Min Encryption is set to
Run a configure:
If we check the wallet password in psappsrv.cfg we will see that the password has been encrypted and now looks something like the following:
Using psadmin Interactively
The other option is to run psadmin interactively to configure the domain. This is more difficult to automate, but if raising issues with Oracle it’s worth doing the configuration this way to eliminate editing errors that psadmin might be able to pick up on.
The procedure below is for tools 8.59. Options may change for different versions.
- Select option 1) Application Server
- Select option 1) Administer a domain
- Select the domain from the list (Probably option 1)
- Select option 4) Configure this domain
- Agree to shut down the domain (y)
- Select option 15) Custom configuration
- Press Enter to leave the Startup section alone
- Press Enter to leave the Database Options alone
- Press Enter to leave the Security section alone
- Press Enter to leave the Inter-Domain Events section alone
- Press Y and Enter to edit the Oracle Wallet section as below:
tls is the name of the wallet folder without the leading
<wallet_password> is the password we gave to the wallet when we created it.
- Press Enter to not change any values.
- Press Enter to leave the Workstation Listener section alone
- Select Y to change the JOLT Listener section
- Press Enter 3 times to leave the address, Port and SSL Port alone, but make a note of the Port and SSL Port
- Select Y to change JSL Min Encryption to
- Press Enter on the other 8 prompts to keep the existing values.
- Select q to exit when asked again whether you want to change any values.
- As shown above, press q to return to the domain administration menu
- Select option 1) Boot this domain if you wish to boot the domain
- Select q three times to exit psadmin
Configuring the Web Server
WebLogic needs to be configured to trust our CA’s root certificate. If WebLogic hasn’t been configured, just import root.crt into the trust store.
The configuration.properties file needs to be edited to communicate with the application server’s TLS port. By default the WebLogic domain is under
8.59 is the tools version. The configuration.properties file is under here in:
ps is the website, which may be different in your installation.
Then simply change any ports in the psserver line to point to the encrypted ports.
<appserver_hostname> is the fully qualified hostname of the application server, and
9010 is the encrypted port noted above.
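A psserver entry that still names the plaintext Jolt port is easy to miss, and it will quietly keep that connection unencrypted. The added shell example below (not from the article or from Oracle) cross-checks the two files: it reads SSL Port out of the JOLT Listener section of psappsrv.cfg and flags every psserver entry in configuration.properties that is not on that port. Both files are constructed samples with made-up host names; the ports 9000 and 9010 are the values used in this article.

```shell
#!/bin/sh
# Added example (not from the article): pre-restart check that every
# psserver entry points at the Jolt SSL Port from psappsrv.cfg.
# Both files below are constructed samples; host names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

cat > "$WORK/psappsrv.cfg" <<'EOF'
[Startup]
DBName=HR92

[JOLT Listener]
Port=9000
SSL Port=9010
EOF

cat > "$WORK/configuration.properties" <<'EOF'
# constructed sample: the second entry was never moved to the SSL port
psserver=appsrv1.example.com:9010,appsrv2.example.com:9000
EOF

# Value of KEY inside [SECTION] of an INI-style file, whitespace stripped.
cfg_value() {            # cfg_value FILE SECTION KEY
  awk -v sect="[$2]" -v key="$3" '
    /^\[/ { insect = ($0 == sect); next }
    insect && index($0, key "=") == 1 {
      sub(/^[^=]*=/, ""); gsub(/[ \t\r]/, ""); print; exit
    }' "$1"
}

# psserver entries, one host:port per line.
psserver_entries() {     # psserver_entries FILE
  sed -n 's/^psserver=//p' "$1" | tr ',' '\n' | sed 's/[[:blank:]]//g' | awk 'NF'
}

# Entries whose port is not PORT (or that have no port at all);
# prints nothing when everything is on the expected port.
entries_off_port() {     # entries_off_port FILE PORT
  psserver_entries "$1" | awk -F: -v p="$2" 'NF != 2 || $2 != p'
}

# "ok", or "fail: ..." listing the offending entries.
check_psserver() {       # check_psserver PROPS CFG
  ssl_port=$(cfg_value "$2" "JOLT Listener" "SSL Port")
  bad=$(entries_off_port "$1" "$ssl_port")
  if [ -z "$bad" ]; then
    echo ok
  else
    printf 'fail: not on SSL port %s: %s\n' "$ssl_port" "$(echo "$bad" | tr '\n' ' ')"
  fi
}

check_psserver "$WORK/configuration.properties" "$WORK/psappsrv.cfg"
```

Run against the real files (the psappsrv.cfg in the domain directory and the configuration.properties under the website) before restarting WebLogic; once every entry is on the SSL Port the check prints ok.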
Restart WebLogic and test that everything works!