Oracle WebLogic Server Integration Guide for Unix


Version: 2.2

Date: Friday, December 20, 2019

Copyright 2019 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Information in this document is subject to change without notice.

nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document English is the canonical language.


Contents

1 Introduction
1.1 This product
1.1.1 Product configuration
1.1.2 Supported nCipher functionality
1.1.3 Requirements
1.2 This guide
1.3 More information
2 Procedures
2.1 Installing the nCipher HSM
2.2 Installing Oracle WebLogic Server and creating the WebLogic Domain
2.3 Configuring the nCipher JCE provider for key management and acceleration
2.4 Generating a Keystore using the Java keytool
2.5 Configuring Oracle WebLogic Server to use the stored trusted certificate
Contact Us
Europe, Middle East, and Africa
Americas
Asia Pacific


1 Introduction

1.1 This product

The HSM can significantly enhance the performance of the Oracle WebLogic Server by offloading and accelerating the SSL RSA cryptography. Heavy SSL traffic load can drastically lower the performance of a web server. The HSM offloads the SSL cryptographic processing from the web server’s CPU, which frees the server to process other transactions. The Oracle WebLogic Server integrates with the HSM using the JCE CSP interface.

Throughout this guide, the term HSM refers to nShield Solo modules and nShield Connect products. (nShield Solo products were formerly known as nShield.)

The benefits of using an HSM with the Oracle WebLogic Server are:

- Centralized secure storage of the private key
- Full life-cycle management of the keys
- Improved server performance by offloading the cryptographic processing
- Highest level of security assurance, the keys never leave the HSM as plain text
- FIPS 140-2 level 3 validated hardware
- Failover support

1.1.1 Product configuration

The integration between the HSM and the Oracle WebLogic Server has been tested in the following combinations:

| Operating system | Oracle WebLogic Server version | nShield software version | nShield PCI support | nShield PCIe support | nShield Connect support |
|---|---|---|---|---|---|
| Red Hat Enterprise Linux Server Release 5 x64 bit | 10.3.5.0 | 11.50 | Yes | Yes | Yes |
| Red Hat Enterprise Linux Server Release 6 x64 bit | 10.3.5.0 | 11.50 | Yes | Yes | Yes |
| Sun Solaris 10 SPARC x64 bit | 10.3.5.0 | 11.50 | Yes | Yes | Yes |


1.1.2 Supported nCipher functionality

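| Feature | Supported | Feature | Supported | Feature | Supported |
|---|---|---|---|---|---|
| Key Generation | Yes | 1-of-N Operator Card Set | Yes | Strict FIPS Support | Yes |
| Key Management | Yes | K-of-N Operator Card Set | — | Load Sharing | Yes |
| Key Import | — | Softcards | Yes | Fail Over | Yes |
| Key Recovery | Yes | Module-only Key | — | | |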

Softcards are supported for non-FIPS security worlds only.

1.1.3 Requirements

Before you begin the integration process:

- Read the Quick Start Guide or User Guide for your HSM.
- Familiarize yourself with the setup procedures for Oracle WebLogic Server.

Before running the setup program, you need to know:

- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- The number and quorum of Operator Cards in the OCS (only 1-of-N is supported), and the policy for managing these cards.
- Whether the application keys are to be protected by the module, softcard or Operator Card Set (OCS).
- Whether the security world needs to be compliant with FIPS 140-2 level 3.
- Key attributes, such as the key size, persistence, and time out.
- Whether or not key usage requires auditing.

K-of-N functionality is not currently supported, which means you must create a 1-of-N OCS.

1.2 This guide

This guide explains how to integrate Oracle WebLogic Server with an nShield Hardware Security Module (HSM). The instructions in this document have been thoroughly tested and provide a straight-forward integration process. There may be other untested ways to achieve interoperability.

This document may not cover every step in the process of setting up all the software. This document assumes that you have read your HSM documentation and that you are familiar with the documentation and setup process for Oracle WebLogic Server.


1.3 More information

Additional documentation produced to support your nShield product is in the document directory of the CD-ROM or DVD-ROM for that product.

For more information about contacting nCipher, see Internet addresses on page 1 at the end of this guide.


2 Procedures

To integrate Oracle WebLogic Server with an nShield HSM:

1. Install the nCipher HSM.

2. Install Oracle WebLogic Server and create the WebLogic Domain.

3. Configure the nCipher JCE provider for Key Management and Acceleration.

4. Configure Oracle WebLogic to use the stored trusted certificate.

All these procedures are described in the following sections.

2.1 Installing the nCipher HSM

Install the HSM using the instructions in the documentation for the HSM.

After installing the HSM, install the latest version of the nCipher support software and configure the HSM as described in the User Guide for the HSM.

We recommend that you uninstall any existing nCipher software before installing the new software.

2.2 Installing Oracle WebLogic Server and creating the WebLogic Domain

To install Oracle WebLogic Server:

1. Download the Oracle WebLogic Server installer from http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127.html

2. Set executable permission for the installer file on the corresponding Operating System and execute the command as follows:

| Operating system | Command |
|---|---|
| Red Hat Enterprise Linux Server releases 5 and 6 | chmod +x wls1035_generic.jar |
| Sun Solaris 10 SPARC | chmod +x wls1035_generic.jar |

4. To initiate Oracle WebLogic Server installation, run the following command:

# java -jar wls1035_generic.jar

6. In the Oracle WebLogic welcome window, click Next.


7. Choose the Middleware Home Directory and click on Next.

8. Register for security updates, if required, and click Next.

9. Choose Install type custom and click Next.

10. Select all the Products and components.

11. Select the local JDK and click on Next.

12. Accept the default Product Installation directory and then click Next.

13. Select either the desired home directory for the Oracle WebLogic server or the default directory, and then click Next.

14. Select the desired installation type, then click Next.

15. To complete the installation, click Next and then Done.

To create a sample WebLogic Domain:

1. Navigate to the appropriate directory for the Operating System, as shown in the table below, and then run ./config.sh.

| Operating system | Directory |
|---|---|
| Red Hat Enterprise Linux Server releases 5 and 6 | /root/Oracle/Middleware/wlserver_10.3/common/bin |
| Sun Solaris 10 SPARC | /usr/local/Oracle/Middleware/wlserver_10.3/common/bin |

3. Click Getting Started with WebLogic Server 10.3.5.0, select Create a new WebLogic domain, and then click Next.

4. Select Generate a domain configured automatically to support the following Oracle products and then click Next.

5. Specify the name and location for the Domain.

6. In the Configure Administrator Username and Password window, specify a username and a password (which must have a minimum length of 8 characters), and then confirm the password.

7. In the Configure Server Start Mode and JDK window, accept the defaults and click Next.

8. In the Select optional configuration window, accept the defaults and click Next.

9. In the Configuration summary window, click Create.

10. To complete the creation of the WebLogic Domain, click Done.

2.3 Configuring the nCipher JCE provider for key management and acceleration

The nCipher JCA/JCE CSP (Cryptographic Service Provider) allows Java applications and services to access the secure cryptographic operations and key management provided by nCipher HSMs. The nCipher JCA/JCE CSP is used with the standard JCE (Java Cryptographic Extension) Programming interface.

To install and configure the nCipher JCE provider:


1. Install the nCipher JCA/JCE CSP by copying the nCipherKM.jar file from the /opt/nfast/java/classes/ directory to the /root/Oracle/Middleware/jdk160_25/jre/lib/ext/ directory.

| Operating system | Directory |
|---|---|
| Red Hat Enterprise Linux Server releases 5 and 6 | /root/Oracle/jdk160_25/jre/lib/ext/ |
| Sun Solaris 10 SPARC | /usr/local/Oracle/jdk1.7.0_02/jre/lib/ext/ |

3. Install the unlimited strength JCE jurisdiction policy files:

a. Download the archive containing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-6-oth-JPR

b. Extract the local_policy.jar and US_export_policy.jar files from the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File archive, and copy them into the security directory of the operating system, as shown in the table below:

| Operating system | Directory |
|---|---|
| Red Hat Enterprise Linux Server releases 5 and 6 | /root/Oracle/jdk160_25/jre/lib/security/ |
| Sun Solaris 10 SPARC | /usr/local/Oracle/jdk1.7.0_02/jre/lib/security/ |

When you copy these files into the appropriate folder, you must overwrite any existing files with the same names.

5. Using a text editor, open the Java security file (java.security) for editing. The Java security file is located in the security directory shown below:

| Operating system | Directory |
|---|---|
| Red Hat Enterprise Linux Server release 5 and 6 | /root/Oracle/jdk160_25/jre/lib/security/ |
| Sun Solaris 10 SPARC | /usr/local/Oracle/jdk1.7.0_02/jre/lib/security/ |

7. Add the nCipher JCE provider to the list of approved JCE providers for the WebLogic Server, as shown below:

security.provider.1=com.ncipher.provider.km.nCipherKM
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI

The order is numerical: 1 is the most preferred, followed by 2, and so on.

9. Save your changes to the java.security file.

10. Export JAVA_HOME as shown in the table below:

| Operating system | Command |
|---|---|
| Red Hat Enterprise Linux Server release 5 and 6 | export JAVA_HOME=/root/Oracle/jdk160_25 |
| Sun Solaris 10 SPARC | export JAVA_HOME=/usr/local/Oracle/jdk1.7.0_02 |

12. Export PATH for Java Virtual Machine on the corresponding Operating System:

export PATH=$JAVA_HOME/bin/:$PATH

14. Export CLASSPATH for nCipherKM.jar and Jurisdictions Policies on the corresponding Operating System:

export CLASSPATH=$JAVA_HOME/jre/lib/ext/:$JAVA_HOME/jre/lib/security/:$CLASSPATH

16. After you have created a security world, you can test that the nCipher JCA/JCE provider has been installed correctly by running the following command, shown in the table below:

| Operating system | Command |
|---|---|
| Red Hat Enterprise Linux Server release 5 and 6 | java com.ncipher.provider.InstallationTest |
| Sun Solaris 10 SPARC | java com.ncipher.provider.InstallationTest |

18. If the nCipher JCA/JCE provider has been installed correctly, output from this command has the following form:


Installed providers:

1: nCipherKM

2: SunJSSE

3: SUN

4: nCipherRSAPrivateEncrypt

5: SunJCE

6: SunJGSS

Unlimited strength jurisdiction files are installed.

The nCipher provider is correctly installed.

nCipher JCE services:

Alg.Alias.Cipher.1.2.840.113549.1.1.1

Alg.Alias.Cipher.1.2.840.113549.3.4

Alg.Alias.Cipher.AES

Alg.Alias.Cipher.DES3

If the JCE Installation test does not list the nCipher JCA/JCE CSP with nShield, check to make sure that the Java ports are open in the nfast config file.

2.4 Generating a Keystore using the Java keytool

To generate a Keystore using the Java keytool:

1. Navigate to the appropriate directory for the Operating System, as shown in the table below:

| Operating system | Directory |
|---|---|
| Red Hat Enterprise Linux Server release 5 and 6 | /root/Oracle/Middleware/user_projects/domains/base_domain |
| Sun Solaris 10 SPARC | /usr/local/Oracle/Middleware/user_projects/domains/base_domain |

3. Generate a new keystore and key pair for any of the following purposes.

The commands below are applicable to RHEL5, RHEL6 and Solaris10 SPARC.

- Card set protection:

keytool -genkey -keystore ncqa -storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -storetype nCipher.sworld

Example:

[root@ps5307lnx base_domain]# keytool -genkey -keystore ncqa -storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -storetype nCipher.sworld

What is your first and last name?

[Unknown]: Application Guide

What is the name of your organizational unit?

[Unknown]: nCipher Guide

What is the name of your organization?

[Unknown]: nCipher

What is the name of your City or Locality?

[Unknown]: Woburn

What is the name of your State or Province?

[Unknown]: Cambridge

What is the two-letter country code for this unit?

[Unknown]: UK

Is CN= Application Guide, OU= nCipher Guide, O= nCipher, L= Woburn, ST= Cambridge, C= UK correct?

[no]: yes

- Module protection:

java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH:." sun.security.tools.KeyTool -genkey -keystore ncqa -storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -storetype nCipher.sworld

- Softcard protection:

java -Dprotect=softcard:IDENT -cp "$CLASSPATH:." sun.security.tools.KeyTool -genkey -keystore ncqa -storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -storetype nCipher.sworld

In this command, IDENT is the logical token hash of the softcard, which you can obtain by running the nkminfo -softcard-list command.

4. Generate a certificate request from a key in the keystore for any of the following purposes:

- Card set protection:

keytool -certreq -alias ncqaalias -file certreq.txt -keypass 123456 -keystore ncqa -sigalg SHA1withRSA -storepass 123456 -storetype nCipher.sworld

- Module protection:

java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH:." sun.security.tools.KeyTool -certreq -alias ncqaalias -file certreq.txt -keypass 123456 -keystore ncqa -sigalg SHA1withRSA -storepass 123456 -storetype nCipher.sworld

- Softcard protection:

java -Dprotect=softcard:IDENT -cp "$CLASSPATH:." sun.security.tools.KeyTool -certreq -alias ncqaalias -file certreq.txt -keypass 123456 -keystore ncqa -sigalg SHA1withRSA -storepass 123456 -storetype nCipher.sworld

In this command, IDENT is the logical token hash of the softcard, which you can obtain by running the nkminfo -softcard-list command.

5. When you have generated the certificate request, set the com.ncipher.provider.km.nCipherKM priority to 4 in the java.security file, as shown below:

security.provider.1=sun.security.provider.Sun

security.provider.2=sun.security.rsa.SunRsaSign

security.provider.3=com.sun.net.ssl.internal.ssl.Provider

security.provider.4=com.ncipher.provider.km.nCipherKM

security.provider.5=com.sun.crypto.provider.SunJCE

security.provider.6=sun.security.jgss.SunProvider

security.provider.7=com.sun.security.sasl.Provider

security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI

security.provider.9=sun.security.smartcardio.SunPCSC

security.provider.10=sun.security.mscapi.SunMSCAPI

7. Submit the certificate request to the preferred Certificate Authority (CA) to receive a signed certificate for any of the following purposes:

- Card set protection:

keytool -import -trustcacerts -alias trustalias -file rootcert.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

Example:

[root@ps5307lnx base_domain]# keytool -import -trustcacerts -alias trustalias -file rootcert.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

Owner: CN=TestCA, DC=nCipher, DC=co, DC=in

Issuer: CN= TestCA, DC= nCipher, DC=co, DC=in

Serial number: 5f54cbda3324f9c4aff9f3ffd55b51b

Valid from: Fri Nov 04 16:27:43 PDT 2011 until: Tue Nov 04 15:37:41 PST 2014

Certificate fingerprints:

MD5: B4:C2:29:A9:3E:A9:61:94:A5:84:34:EA:51:F6:B1:80

SHA1: 2E:4B:0D:2A:3F:84:C7:D8:34:54:7E:4E:B8:A3:38:D0:28:C0:FE:4D

Trust this certificate? [no]: yes

Certificate was added to keystore

- Module protection:

java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH:." sun.security.tools.KeyTool -import -trustcacerts -alias trustalias -file rootcert.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

- Softcard protection:

java -Dprotect=softcard:IDENT -cp "$CLASSPATH:." sun.security.tools.KeyTool -import -trustcacerts -alias trustalias -file rootcert.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

In this command, IDENT is the logical token hash of the softcard, which you can obtain by running the nkminfo -softcard-list command.

8. Check that:

- The certificate is signed and trusted.

- The CA is referenced in the standard Java trust.

If the CA is not referenced, you must set up the CA as a trusted CA. To set a CA as a trusted CA, import the CA trust certificate into a local keystore. You can obtain this certificate from the CA manager or vendor.

- Import the signed certificate for any of the following purposes:

  - Card set protection:

keytool -import -alias ncqaalias -keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

Example:

[root@ps5307lnx base_domain]# keytool -import -alias ncqaalias -keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

Certificate reply was installed in keystore

  - Module protection:

java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH:." sun.security.tools.KeyTool -import -alias ncqaalias -keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

  - Softcard protection:

java -Dprotect=softcard:IDENT -cp "$CLASSPATH:." sun.security.tools.KeyTool -import -alias ncqaalias -keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld

In this command, IDENT is the logical token hash of the softcard, which you can obtain by running the nkminfo -softcard-list command.
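One way to check the provider list after each java.security edit in section 2.3 (step 7, nCipherKM at position 1) and section 2.4 (step 5, nCipherKM at position 4), as an added example that is not code from nCipher or Oracle. The function names and the two sample excerpts are constructed for illustration; the class name is the one in the guide's listing.

```shell
#!/bin/sh
# Added example, not nCipher or Oracle code.
NCIPHER_CLASS="com.ncipher.provider.km.nCipherKM"   # class name from the guide's listing

# provider_entries FILE -> "N CLASS" for each active security.provider.N line
provider_entries() {
    awk -F= '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            sub(/^security\.provider\./, "", key)
            print key + 0, val
        }' "$1"
}

# numbering_problems FILE -> "gap N" / "duplicate N" lines, empty when clean.
# The JDK reads security.provider.1, .2, ... and stops at the first missing
# number, so a gap silently drops every provider listed after it.
numbering_problems() {
    provider_entries "$1" | awk '
        { seen[$1]++; if ($1 > max) max = $1 }
        END {
            for (i = 1; i <= max; i++) {
                if (seen[i] == 0)     { print "gap " i }
                else if (seen[i] > 1) { print "duplicate " i }
            }
        }'
}

# provider_position FILE CLASS -> N of the one entry naming CLASS
# (status 1 when CLASS is absent or listed more than once)
provider_position() {
    provider_entries "$1" | awk -v cls="$2" '
        $2 == cls { n++; pos = $1 }
        END { if (n != 1) exit 1; print pos }'
}

# check_java_security FILE WANT -> 0 when numbering is clean and nCipherKM is at WANT
check_java_security() {
    problems=$(numbering_problems "$1")
    if [ -n "$problems" ]; then
        echo "provider numbering: $problems" >&2; return 1
    fi
    pos=$(provider_position "$1" "$NCIPHER_CLASS") || {
        echo "$NCIPHER_CLASS missing or duplicated" >&2; return 1
    }
    if [ "$pos" != "$2" ]; then
        echo "nCipherKM is provider $pos, expected $2" >&2; return 1
    fi
}

# Constructed excerpt: the section 2.3 layout, with a commented-out old entry.
sample_23=$(mktemp)
cat > "$sample_23" <<'EOF'
#security.provider.1=sun.security.provider.Sun
security.provider.1=com.ncipher.provider.km.nCipherKM
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
EOF

# Constructed excerpt: a hand edit for section 2.4 step 5 that moved nCipherKM
# to position 4 but left position 3 empty.
sample_gap=$(mktemp)
cat > "$sample_gap" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.4=com.ncipher.provider.km.nCipherKM
security.provider.5=com.sun.crypto.provider.SunJCE
EOF

check_java_security "$sample_23" 1 && echo "section 2.3 layout: OK"
check_java_security "$sample_gap" 4 || echo "section 2.4 layout: rejected"
```

Run it against the real file by calling check_java_security with the java.security path from the tables above and the expected position (1 or 4).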
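The keytool command lines in this section can be linted before they are copied into a runbook; the following added example (not nCipher or Oracle code) reports the protection mode, the key size, the signature algorithm and any passphrase passed as an argument, where it is visible in shell history and the process list. The function names, the finding labels and the 2048-bit floor (as in NIST SP 800-131A) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not nCipher or Oracle code.
MIN_RSA_BITS=2048   # assumption: floor taken from NIST SP 800-131A

# audit_keytool WORD... -> one finding per line for a keytool command line
# passed as separate words; the last line is always "protect:<mode>".
audit_keytool() {
    protect="unset"   # the guide uses no -Dprotect for card set protection
    prev=""
    for arg in "$@"; do
        case $arg in
            -Dprotect=module)     protect="module" ;;
            -Dprotect=softcard:*) protect="softcard" ;;
        esac
        case $prev in
            -keysize)
                if [ "$arg" -lt "$MIN_RSA_BITS" ] 2>/dev/null; then
                    echo "weak-keysize:$arg"
                fi ;;
            -sigalg)
                case $arg in
                    SHA1with*|MD5with*|MD2with*) echo "weak-sigalg:$arg" ;;
                esac ;;
            -storepass|-keypass)
                # report the flag only, never the secret itself
                echo "secret-on-cmdline:$prev" ;;
        esac
        prev=$arg
    done
    echo "protect:$protect"
}

# The guide's card set and softcard -genkey commands.
audit_cardset() {
    audit_keytool keytool -genkey -keystore ncqa -storepass 123456 \
        -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 \
        -sigalg SHA1withRSA -storetype nCipher.sworld
}
audit_softcard() {
    audit_keytool java -Dprotect=softcard:IDENT -cp "$CLASSPATH:." \
        sun.security.tools.KeyTool -genkey -keystore ncqa -storepass 123456 \
        -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 \
        -sigalg SHA1withRSA -storetype nCipher.sworld
}
# Constructed variant (not a combination the guide tested): keytool prompts
# for the passphrases when -storepass and -keypass are omitted.
audit_variant() {
    audit_keytool keytool -genkey -keystore ncqa -alias ncqaalias -keyalg RSA \
        -keysize 2048 -sigalg SHA256withRSA -storetype nCipher.sworld
}

audit_cardset
audit_softcard
audit_variant
```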

2.5 Configuring Oracle WebLogic Server to use the stored trusted certificate

To configure Oracle WebLogic Server to use the stored trusted certificate:

1. Start Oracle WebLogic Server by running the command ./startWeblogic.sh from the appropriate directory, as shown in the table below:

| Operating system | Directory |
|---|---|
| Red Hat Enterprise Linux Server release 5 and 6 | /root/Oracle/Middleware/user_projects/domains/base_domain/bin |
| Sun Solaris 10 SPARC | /usr/local/Oracle/Middleware/user_projects/domains/base_domain/bin |

3. Open the Administration console (http://localhost:7001/console).

4. Select Domain Structure > Environment and do the following:

a. Click Servers and then click AdminServer.

b. Select SSL Listen Port enabled.

c. In SSL Listen Port, type 443, and then click Save.


5. Select the Keystores tab and do the following:

a. From the drop down menu, select Custom Identity and Custom Trust.

b. In Custom Identity Keystore, type ncqa.

c. In Custom Identity Keystore Type, type nCipher.sworld.

d. In Custom Identity Keystore Passphrase, type 123456. Confirm the passphrase.

e. In Custom Trust Keystore, type trustalias.

f. In Custom Trust Keystore Type, type nCipher.sworld.

g. In Custom Trust Keystore Passphrase, type 123456. Confirm the passphrase.

h. Click Save.

6. Select the SSL tab and do the following:

a. In Private Key Alias, type ncqaalias.

b. In Private Key Passphrase, type 123456. Confirm the passphrase.

c. Click Save.

7. Log out from the Administration console.

8. Restart the WebLogic Server.

9. Open the Administration console using https://localhost/console.


Contact Us

Web site: https://www.ncipher.com
Support: https://help.ncipher.com
Email Support: [email protected] documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444
One Station Square
Cambridge
CB1 2GA
UK

Americas

Toll Free: +1 833 425 1990
Fort Lauderdale: +1 954 953 5229

Sawgrass Commerce Center – A
Suite 130,
13800 NW 14 Street
Sunrise
FL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070
World Trade Centre Northbank Wharf
Siddeley St
Melbourne VIC 3005
Australia

Japan: +81 50 3196 4994
Hong Kong: +852 3008 3188

10/F, V-Point,
18 Tang Lung Street
Causeway Bay
Hong Kong

About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today’s fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency – it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control – today, tomorrow, always.

www.ncipher.com