
Configuring two-way SSL between a client and WebLogic Server, with Apache proxying the request.

Configure Apache for SSL

Create the certificates with openssl (found in apache_home\bin) using the steps below:

openssl genrsa -des3 -out server.key 1024

openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost

openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt

Add the following to the httpd.conf file:

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
#SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
#SSLLogLevel debug
</VirtualHost>

Configure SSL between Apache and Weblogic Server

Add the following to the Location directive:

SecureProxy ON
TrustedCAFile C:\bea101\wlserver_10.0\server\lib\CertGenCA.pem
RequireSSLHostMatch false

Configure Apache to Request for Client Certificate

Add the following to the Location directive:

SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData

Configure Weblogic Server for 2-way SSL

mydomain> Servers> myserver>Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced

Apache_SSL> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter

Trusted Client Principals: provide CN of the Client Certificate
Types: X509

Details:

Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked

Go to the security realm and create a user with the username set to the CN of the certificate.

Add the following attribute to the Server element in config.xml:
<Server ClientCertProxyEnabled="true"

Configure the Web Application

The web application should require client-cert authentication.

Add the following to the web.xml:

<context-param>
<param-name>weblogic.httpd.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

Add the following to the weblogic.xml:

<principal-name>CN of the certificate</principal-name>
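The identity-assertion step configured above (Base64Decoding Required, user name mapped from the CN, a realm user named after the CN) modelled in Python as an added example that is not part of the original post or of WebLogic: it decodes a forwarded client certificate the way the DefaultIdentityAsserter settings describe, extracts the subject CN with a small hand-written DER walker so it runs offline, and accepts it only if a realm user with that exact name exists. The sample certificate is constructed in the block (it has a real certificate's field layout but no real signature) and the realm user set is a stand-in for myrealm.

```python
import base64
CN_OID = b"\x55\x04\x03"  # DER body of OID 2.5.4.3 (commonName)
def der_tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):  # yield (tag, value) for each element of a constructed body
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value

def subject_cn(cert_der):
    """Return the subject commonName of a DER-encoded X.509 certificate."""
    _, tbs, _ = der_tlv(cert_der)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...
    for _, rdn in der_children(subject):  # RDNSequence -> SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = list(der_children(atv))[:2]
            if oid == CN_OID:
                return value.decode("utf-8")

def assert_identity(header_value, realm_users):
    """Model of the page's identity-asserter settings: forwarded cert CN -> realm user."""
    try:
        cn = subject_cn(base64.b64decode(header_value, validate=True))
    except (ValueError, IndexError):
        return None  # malformed header or certificate: reject, never guess a user
    return cn if cn in realm_users else None

def proxy_header(cert_der):  # what the plug-in forwards: base64 of the DER certificate
    return base64.b64encode(cert_der).decode()

# --- constructed sample input (hypothetical; not a real signed certificate) ---
def tlv(tag, body):  # minimal DER encoder with short and long-form lengths
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body
def name(cn):  # Name with a single commonName RDN
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
def sample_cert_der(cn):  # v3 certificate field layout; signature fields are dummies
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name("Example Issuing CA") + tlv(0x30, b"") + name(cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Because ClientCertProxyEnabled makes WebLogic trust a certificate that arrives in a request header from the plug-in, the documented caveat is that the server must be reachable only through that plug-in (Oracle's guidance is a connection filter), which is why the example treats an unknown CN as a failed assertion rather than a new user.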


8 Comments

  1. Jazz_in

    good..

    Posted on 25-Nov-09 at 12:17 pm | Permalink
  2. Sharma Jampani

    Hi Faisal,

    Got stuck with SSL; previously it was working, and now it is throwing an Eating Exception saying that Algorithm MD5 is not available.

    (self-tuning)'> <> <> <> <1269284150344> <……….. Eating Exception ……….
    java.security.NoSuchAlgorithmException: Algorithm MD5 not available
    at javax.crypto.Mac.getInstance(DashoA13*..)
    at com.certicom.tls.provider.Mac.getInstance(Unknown Source)
    at com.certicom.tls.ciphersuite.SecurityParameters.makeKeys(Unknown Source)
    at com.certicom.tls.ciphersuite.SecurityParameters.deriveKeys(Unknown Source)
    at com.certicom.tls.ciphersuite.SecurityParameters.(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.generateSecurityParameters(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateNoHandshake.resumeSession(Unknown Source)
    at com.certicom.tls.record.handshake.ServerStateNoHandshake.handle(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >

    please help

    Posted on 22-Mar-10 at 7:36 pm | Permalink
  3. Faisal Khan

    Can you mail me your complete server log file at khan.faysal06@gmail.com

    And explain your architecture to me: when exactly are you getting these exceptions?

    Posted on 23-Mar-10 at 6:53 am | Permalink
  4. hsamudra

    Hi Faizal,

    I am trying to configure Apache for SSL.

    I am getting the following error

    Thu Jun 03 20:18:24 2010 ERROR: Failed to load trusted CA file(D:\hk\certificates\rootCA.der). err = 0 loaded = 0
    Thu Jun 03 20:18:24 2010 ERROR: SSL initialization failed

    I am not able to access the console; however, this works fine with http.

    WLS 10.3 and Apache 2.2

    Posted on 03-Jun-10 at 8:26 pm | Permalink
  5. admin

    Hi Hari

    Convert the der file to a pem file using the following command line and then use it as the TrustedCAFile:

    java utils.der2pem .der

    This will create a pem file in the same directory.

    Try it and let me know.

    Posted on 03-Jun-10 at 8:40 pm | Permalink
  6. Vinod Sharma

    Hi Faisal,

    I am facing some issues with one-way SSL from iPlanet (Sun Web Server 7) to a WebLogic cluster.

    The architecture is 4 WLS Managed Servers, 1 iPlanet web Server.

    There are 4 self signed certs on 4 managed servers.
    So to have a secure connection between the wl proxy plugin and the backend Managed Servers, I tried to use the Trust keystore as the TrustedCAFile parameter for the wl proxy plugin, but it doesn't work.
    If I use the public key of one of the self-signed certs in PEM format, it works.

    Is there any way to configure the wl proxy so that it trusts all the self-signed certs on all managed servers at once?

    Your help in this regard is highly appreciated.

    Best regards,
    Vin

    Posted on 15-Jun-10 at 11:01 pm | Permalink
  7. admin

    You can give multiple TrustedCAFile parameters in the httpd.conf file, each TrustedCAFile pointing to a managed server certificate in PEM format.

    Thanks for posting
    -Faisal

    Posted on 16-Jun-10 at 10:02 am | Permalink
  8. Faisal

    Remove the password from the server.key to overcome the error below.

    SSLPassPhraseDialog builtin is not supported on Win32

    openssl rsa -in server.key.bak -out server.key

    Posted on 13-Jul-12 at 7:14 am | Permalink
