Configuring two-way SSL between Client and WebLogic Server with Apache proxying the request.

Configure Apache for SSL

Create the certificates using openssl (present in apache_home\bin) with the three steps below.

Generate a 1024-bit RSA private key; -des3 protects it with a passphrase (comment 5 below shows how to strip the passphrase again, because Apache on Win32 cannot prompt for it at startup):

openssl genrsa -des3 -out server.key 1024

Create a certificate signing request for that key (the request file is simply named localhost here):

openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost

Self-sign the request with the same key to produce a server certificate valid for 730 days:

openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt
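The script below is an added example, not part of the original post: it builds with openssl everything the rest of this setup needs, on any machine with a POSIX shell. Beyond the post's self-signed server certificate it also creates a local CA and a client certificate signed by that CA, which is the material the two-way part of the setup needs (the CA certificate becomes SSLCACertificateFile in Apache, and the client certificate is what the browser presents). The names demo-ca, localhost and alice, the output paths and the 2048-bit key size are assumptions. The client_cn function returns the value that WebLogic's Default User Name Mapper (attribute type CN) will derive from the certificate, i.e. the username to create in the realm, and verify_client performs the chain check that SSLVerifyClient require would enforce and that optional_no_ca allows Apache to skip.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a local CA, a server
# key/cert and a CA-signed client cert. Names and paths are assumptions.
set -eu

# make_certs DIR: create ca.key/ca.crt, server.key/server.crt and
# client.key/client.crt inside DIR.
make_certs() {
  dir="$1"
  mkdir -p "$dir"

  # 1. Local CA. Its certificate is what SSLCACertificateFile points at so
  #    Apache can verify the client certificates it receives.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -days 730 \
    -subj "/CN=demo-ca" -out "$dir/ca.crt"

  # 2. Server key WITHOUT a passphrase (the post's -des3 key triggers the
  #    SSLPassPhraseDialog problem on Win32), plus a self-signed server cert,
  #    which is what the post's three commands produce.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=localhost" \
    -out "$dir/server.csr"
  openssl x509 -req -days 730 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null

  # 3. Client key and certificate signed by the CA. The CN (alice) is the
  #    username WebLogic will assert and the Trusted Client Principal value.
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=alice" \
    -out "$dir/client.csr"
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
}

# client_cn CERT: print the CN of the certificate subject, i.e. the value
# the Default User Name Mapper (attribute type CN) derives from the cert.
client_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# verify_client CERT CAFILE: exit 0 only if CERT chains to CAFILE. This is
# the check 'SSLVerifyClient require' enforces; 'optional_no_ca' lets a
# certificate that fails it through to the application.
verify_client() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh certs.sh OUTDIR  (creates OUTDIR and prints the client CN)
if [ -n "${1:-}" ]; then
  make_certs "$1"
  client_cn "$1/client.crt"
fi
```

Run it once into a scratch directory, copy ca.crt, server.key and server.crt to the Apache conf directory, and hand client.key/client.crt (for example bundled as PKCS#12 with openssl pkcs12) to the browser. The self-signed server certificate deliberately does not chain to demo-ca, so verify_client rejects it; that is the kind of certificate optional_no_ca would still forward to WebLogic.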

Add the following in the httpd.conf file

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
#SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
#SSLLogLevel debug
</VirtualHost>

Configure SSL between Apache and WebLogic Server

Add the following to the Location directive that proxies requests to WebLogic (the one handled by the WebLogic plug-in):

SecureProxy ON
TrustedCAFile C:\bea101\wlserver_10.0\server\lib\CertGenCA.pem
RequireSSLHostMatch false

Configure Apache to Request for Client Certificate

Add the following to the same Location directive:

SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData
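The following is an added example, not configuration from the original post: the three Apache fragments above assembled into one complete SSL virtual host so that it is clear where each directive lives. The module file names, the certificate paths, the application path /myapp, the WebLogic host name and its SSL port 7002 are assumptions; adjust them to your installation. It also shows, next to the post's optional_no_ca, the stricter SSLVerifyClient require form together with SSLVerifyDepth, under which Apache refuses client certificates it cannot chain to SSLCACertificateFile instead of forwarding them. Either way, once ClientCertProxyEnabled is set on WebLogic, the server accepts the client certificate from the header the plug-in sends, so its SSL port should be reachable only from the proxy host (a firewall or WebLogic connection filter), otherwise a direct connection could supply that header itself.

```apache
# Added example (not from the original post). Module names, paths,
# host names and ports are assumptions.
LoadModule ssl_module modules/mod_ssl.so
# WebLogic plug-in; the file name depends on the Apache version
# (mod_wl_20.so for Apache 2.0, mod_wl_22.so for Apache 2.2).
LoadModule weblogic_module modules/mod_wl_22.so

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Listen 443
<VirtualHost *:443>
    SSLEngine on
    # Server certificate presented to browsers (client -> Apache leg)
    SSLCertificateFile    "C:/Apache2/conf/server.crt"
    SSLCertificateKeyFile "C:/Apache2/conf/server.key"
    # CA that issued the client certificates Apache is allowed to accept
    SSLCACertificateFile  "C:/Apache2/conf/ca.crt"

    <Location /myapp>
        SetHandler weblogic-handler
        WebLogicHost wls.example.internal
        # WebLogic SSL listen port, not the plain HTTP port
        WebLogicPort 7002

        # Apache -> WebLogic leg over SSL; trust the issuer of the
        # WebLogic server certificate (demo CA shipped with WebLogic)
        SecureProxy ON
        TrustedCAFile "C:/bea101/wlserver_10.0/server/lib/CertGenCA.pem"
        RequireSSLHostMatch false

        # Ask the browser for a client certificate. The post uses
        #   SSLVerifyClient optional_no_ca
        # which forwards certificates Apache could not verify and relies
        # on WebLogic ("Client Certs Requested but not enforced").
        # 'require' plus a depth limit makes Apache enforce the chain.
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Export the certificate so the plug-in can forward it to WebLogic
        SSLOptions +ExportCertData
    </Location>
</VirtualHost>
```

With SSLVerifyClient require, a browser without a certificate issued by ca.crt gets a TLS handshake failure before any request reaches WebLogic; with optional_no_ca the request is forwarded and the identity asserter on WebLogic decides.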

Configure WebLogic Server for two-way SSL

mydomain > Servers > myserver > Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced

Apache_SSL > Domain Wide Security Settings > Realms > myrealm > Authentication Providers > DefaultIdentityAsserter

Trusted Client Principals: the CN of the client certificate
Types: X509

Details:

Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked

Go to the security realm and create a user whose username is the CN of the certificate.

Add the following attribute to the existing Server element in config.xml:
<Server ClientCertProxyEnabled="true"

Configure the Web Application

The web application must require client-certificate authentication.

Add the following to web.xml:

<context-param>
<param-name>weblogic.httpd.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

Add the following to weblogic.xml, inside the security-role-assignment element that grants the application's role to this user (replace the placeholder with the CN of the certificate):

<principal-name>CN of the certificate</principal-name>

References

1. http://www.apache-ssl.org/docs.html#SSLVerifyDepth
2. http://edocs.bea.com/wls/docs81/config_xml/Cluster.html#ClientCertProxyEnabled
3. http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#ssloptions

8 comments

  1. Hi Faisal,

    Got stuck with SSL; previously it was working and now it is throwing an Eating Exception saying that Algorithm MD5 is not available

    (self-tuning)'> <> <> <> <1269284150344> <……….. Eating Exception ……….
    java.security.NoSuchAlgorithmException: Algorithm MD5 not available
    at javax.crypto.Mac.getInstance(DashoA13*..)
    at com.certicom.tls.provider.Mac.getInstance(Unknown Source)
    at com.certicom.tls.ciphersuite.SecurityParameters.makeKeys(Unknown Source)
    at com.certicom.tls.ciphersuite.SecurityParameters.deriveKeys(Unknown Source)
    at com.certicom.tls.ciphersuite.SecurityParameters.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.generateSecurityParameters(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateNoHandshake.resumeSession(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateNoHandshake.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >

    please help

  2. Hi Faizal,

    I am trying to configure Apache as SSL

    I am getting the following error

    Thu Jun 03 20:18:24 2010 ERROR: Failed to load trusted CA file(D:\hk\certificates\rootCA.der). err = 0 loaded = 0
    Thu Jun 03 20:18:24 2010 ERROR: SSL initialization failed

    I am not able to access the console; however, this is working fine with http.

    WLS 10.3 and Apache 2.2

    1. Hi Hari,

      Convert the .der file to a .pem file using the following command line and then use it as the TrustedCAFile:

      java utils.der2pem .der

      This will create a pem file in the same directory.

      Try it and let me know.

  3. Hi Faisal,

    I am facing some issues with one-way SSL from iPlanet (Sun Web Server 7) to a WebLogic Cluster.

    The architecture is 4 WLS Managed Servers, 1 iPlanet web Server.

    There are 4 self signed certs on 4 managed servers.
    So to have secure connection between wl proxy plugin and backend Managed Servers, I tried to use Trust keystore as a TrustedCAFile parameter to the wl proxy plugin, but it doesn’t work.
    If I use the Public key of one of the Self-signed cert in PEM format it works.

    Is there any way to make the wl proxy config such that it trusts all the self-signed certs on all managed servers at a time?

    Your help in this regard is highly appreciated.

    Best regards,
    Vin

  4. You can give multiple TrustedCAFile parameters in the httpd.conf file, each TrustedCAFile pointing to one managed server certificate in PEM format.

    Thanks for posting
    -Faisal

  5. Remove the password from server.key to overcome the error below.

    SSLPassPhraseDialog builtin is not supported on Win32

    openssl rsa -in server.key.bak -out server.key
