1. Create a Wallet or Keystore
2. Generate a Certificate Signing Request (CSR)
3. Send the CSR to a Certificate Authority (CA)
4. CA team will send 4 certificates based on the requirement
5. Import the Trusted CA Certificate(s)
6. Import the Server Certificate
7. Modifications in the ssl config file
8. Validation of OHS on the SSL port
9. Port modification according to the SSO-enabled port
10. Bounce the application
11. Sanity checks.
Create a Wallet or Keystore:
[appluser1@ospdl87dv ohshome]$ $ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet $ORACLE_HOME/wallet -auto_login
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
Operation is successfully completed.
Generate a Certificate Signing Request (CSR):
Export the Certificate Signing Request:
[appluser1@ospdl87dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet $ORACLE_HOME/wallet -dn 'CN=ospdl87dv.cloud.ge.com, OU=Enterprise SSL, O=General Electric Company, L=Boston, ST=MA, C=US' -request $ORACLE_HOME/wallet/server.csr -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
Send server.csr to the CA team for certificate signing.
1. Root: AddTrustExternalCARoot
2. Intermediate 1: USERTrustRSAAddTrustCA
3. Intermediate 2: TrustedSecureCertificateAuthority5
4. Domain: ospdl87dv_cloud_ge_com
We have received the above 4 certificates from the CA team.
Import the Trusted Certificates into the Wallet:
[appluser1@ospdl87dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -trusted_cert -cert $ORACLE_HOME/wallet/AddTrustExternalCARoot.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[appluser1@ospdl87dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -trusted_cert -cert $ORACLE_HOME/wallet/USERTrustRSAAddTrustCA.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[appluser1@ospdl87dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -trusted_cert -cert $ORACLE_HOME/wallet/TrustedSecureCertificateAuthority5.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
[appluser1@ospdl87dv wallet]$ $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $ORACLE_HOME/wallet -user_cert -cert $ORACLE_HOME/wallet/ospdl87dv_cloud_ge_com.ccc -pwd Welcome1
Oracle PKI Tool : Version 12.2.1.1.0
Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
Operation is successfully completed.
Modifications in ssl config file:
Update the wallet path in ssl.conf
< #SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
< SSLWallet "/orpacgd1/grcapp/ohshome/wallet"
The Wallet is now ready to use with Oracle HTTP Server (OHS):
After the OHS bounce completes, verify that OHS can be opened on the SSL port.
Change the SSL port in the ssl.conf file to the SSO-enabled port:
[appluser1@ospdl87dv ohs1]$ diff ssl.conf ssl.conf-bkp12mar18
8c8
< Listen ospdl87dv.cloud.ge.com:8000
---
> Listen ospdl87dv.cloud.ge.com:8443
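Review bot: the direction of this hunk is easy to misread and should be stated next to it: the diff was taken as `diff ssl.conf ssl.conf-bkp12mar18`, so the `<` line (`Listen ospdl87dv.cloud.ge.com:8000`) is the edited ssl.conf and the `>` line (port 8443) is the backup, the opposite of the usual "old on the left" reading. A one-line note such as "ssl.conf is the first argument, so `<` shows the new value" would prevent someone reverting the port by mistake.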
37c37
< <VirtualHost ospdl87dv.cloud.ge.com:8000>
---
> <VirtualHost ospdl87dv.cloud.ge.com:8443>
Sanity checks:
Do a full bounce of the applications that are running with OHS.
Open the URL https://ospdl87dv.cloud.ge.com:8000
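The port and wallet changes above are easy to get half-done (only one of the two port lines edited, or the SSLWallet line left commented out). The script below is an added example, not part of the original runbook: it runs offline sanity checks on ssl.conf text, confirming that Listen and every <VirtualHost> use the expected SSO port and the same host, that an active SSLWallet directive exists, and that the wallet directory holds the cwallet.sso auto-login file produced by `orapki wallet create -auto_login`. The sample config and the wallet file list are constructed, and the function names are my own.

```python
import re

# Constructed sample ssl.conf fragment mirroring the runbook's edits (not a real file).
SAMPLE_CONF = """\
Listen ospdl87dv.cloud.ge.com:8000
#SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
SSLWallet "/orpacgd1/grcapp/ohshome/wallet"
<VirtualHost ospdl87dv.cloud.ge.com:8000>
</VirtualHost>
"""

# Patterns anchor on the directive at line start, so commented-out lines do not match.
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:([\w.-]+):)?(\d+)\s*$", re.M)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+(?:([\w.-]+):)?(\d+)>", re.M)
WALLET_RE = re.compile(r'^\s*SSLWallet\s+"?([^"\s]+)"?', re.M)


def check_ssl_conf(conf_text, expected_port, wallet_files):
    """Return a list of findings for an OHS ssl.conf; an empty list means it passed.

    expected_port: the SSO-enabled port that Listen and <VirtualHost> must both use.
    wallet_files:  file names in the SSLWallet directory; 'orapki wallet create
                   -auto_login' writes cwallet.sso there, which OHS needs in order
                   to open the wallet without a password at startup.
    """
    findings = []
    listens = LISTEN_RE.findall(conf_text)
    vhosts = VHOST_RE.findall(conf_text)

    if len(listens) != 1:
        findings.append("expected exactly one Listen directive, found %d" % len(listens))
    for _host, port in listens:
        if int(port) != expected_port:
            findings.append("Listen uses port %s, expected %d" % (port, expected_port))
    if not vhosts:
        findings.append("no <VirtualHost> block found")
    for host, port in vhosts:
        if int(port) != expected_port:
            findings.append("<VirtualHost> uses port %s, expected %d" % (port, expected_port))
        # A vhost whose host differs from the Listen host never matches incoming requests.
        if listens and host != listens[0][0]:
            findings.append("<VirtualHost> host %r differs from Listen host %r" % (host, listens[0][0]))

    if not WALLET_RE.findall(conf_text):
        findings.append("no active SSLWallet directive (still commented out?)")
    elif "cwallet.sso" not in set(wallet_files):
        findings.append("wallet directory has no cwallet.sso; OHS cannot auto-open the wallet")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_conf(SAMPLE_CONF, 8000, ["cwallet.sso", "ewallet.p12"]) or ["OK"]:
        print(finding)
```

Run it against the real file with `check_ssl_conf(open(path).read(), 8000, os.listdir(wallet_dir))` after the edit and before the bounce.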
####EXAMPLES###
The orapki utility manages the following:
1. wallets
2. CRLs
3. conversion of JKS keystores to Oracle wallets and vice versa
Here are a few examples of using orapki:
# Create root wallet (for example, CA wallet)
orapki wallet create -wallet ./root -pwd mypasswd
# Add a self-signed certificate (CA certificate) to the root wallet
orapki wallet add -wallet ./root -dn 'CN=root_test,C=US' -keysize 1024 -self_signed -validity 3650 -pwd mypasswd
# Export self-signed certificate from the wallet
orapki wallet export -wallet ./root -dn 'CN=root_test,C=US' -cert ./root/b64certificate.txt -pwd mypasswd
# Create a user wallet (for example, a customer wallet)
orapki wallet create -wallet ./user -pwd mypasswd
# Add a certificate request
orapki wallet add -wallet ./user -dn 'CN=user_test,C=US' -keysize 1024 -pwd mypasswd
# Export the certificate request
orapki wallet export -wallet ./user -dn 'CN=user_test,C=US' -request ./user/creq.txt -pwd mypasswd
# Create a certificate (issued by CA)
orapki cert create -wallet ./root -request ./user/creq.txt -cert ./user/cert.txt -validity 3650 -pwd mypasswd
# Add a trusted certificate (CA certificate) to the wallet
orapki wallet add -wallet ./user -trusted_cert -cert ./root/b64certificate.txt -pwd mypasswd
# Add a user certificate
orapki wallet add -wallet ./user -user_cert -cert ./user/cert.txt -pwd mypasswd
# Display contents of wallet
orapki wallet display -wallet ./root -pwd mypasswd
##Converting JKS to Oracle Wallet
Use this command to migrate entries from a JKS keystore to a p12 wallet:
orapki wallet jks_to_pkcs12 -wallet wallet -pwd pwd -keystore keystore -jkspwd jkspwd [-aliases [alias:alias..]]
##Creating a self-signed JKS keystore:
keytool -genkey -alias myalias -keyalg RSA -keysize 1024 -dname CN=root,C=US -validity 3650 -keystore ./ewallet.jks -storetype jks -storepass password -keypass password
##Converting Oracle Wallet to JKS
Use this command to migrate entries from a p12 wallet to a JKS keystore:
orapki wallet pkcs12_to_jks -wallet p12wrl -pwd p12pwd [-jksKeyStoreLoc jksKSloc -jksKeyStorepwd jksKS_pwd] [-jksTrustStoreLoc loc -jksTrustStorepwd pwd]
where the parameters are as follows:
CRL:
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority.
The problem with Certificate Revocation Lists, as with all blacklists, is that they are difficult to maintain and are an inefficient method of distributing critical information in real time. When a certificate authority receives a CRL request from a browser, it returns a complete list of all the revoked certificates that the CA manages. The browser must then parse the list to determine if the certificate of the requested site has been revoked. Although the CRL may be updated as often as hourly, this time gap could allow a revoked certificate to be accepted, particularly because CRLs are cached to avoid incurring the overhead involved with repeatedly downloading them. Also, if the CRL is unavailable, then any operations depending upon certificate acceptance will be prevented and that may create a denial of service.
H.2.6.3 orapki crl create
The following sections describe this command.
H.2.6.3.2 Syntax
orapki crl create [-crl [url|filename]] [-wallet [cawallet]] [-nextupdate [days]] [-pwd pwd]
- -crl is the location where the CRL will be created (for example ./nzcrl.txt)
- -wallet is the cawallet, which contains self-signed certificate and corresponding private key
- -nextupdate is the number of days until the next update
- -pwd is the password of cawallet
H.2.6.4 orapki crl delete
The following sections describe this command.
H.2.6.4.1 Purpose
Use this command to delete CRLs from Oracle Internet Directory. Note that the user who deletes CRLs from the directory by using orapki must be a member of the CRLAdmins (cn=CRLAdmins,cn=groups,%s_OracleContextDN%) directory group.
H.2.6.4.2 Syntax
orapki crl delete -issuer issuer_name -ldap hostname:ssl_port -user username [-summary]
- The -issuer parameter specifies the name of the certificate authority (CA) who issued the CRL.
- The -ldap parameter specifies the hostname and SSL port for the directory in which the CRLs are to be deleted. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.
- The -user parameter specifies the username of the directory user who has permission to delete CRLs from the CRL subtree in the directory.
- The -summary parameter is optional. Using it causes the tool to print the CRL LDAP entry that was deleted.
H.2.6.5 orapki crl display
The following sections describe this command.
H.2.6.5.1 Purpose
Use this command to display specific CRLs that are stored in Oracle Internet Directory.
H.2.6.5.2 Syntax
orapki crl display -crl crl_location [-wallet wallet_location] [-summary|-complete]
- The -crl parameter specifies the location of the CRL in the directory. It is convenient to paste the CRL location from the list that displays when you use the orapki crl list command. See Section H.2.6.7, "orapki crl list".
- The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to displaying it.
- Choosing either the -summary or the -complete parameter displays the following information:
  - -summary provides a listing that contains the CRL issuer's name and the CRL's validity period
  - -complete provides a list of all revoked certificates that the CRL contains. Note that this option may take a long time to display, depending on the size of the CRL.
H.2.6.6 orapki crl hash
The following sections describe this command.
H.2.6.6.1 Purpose
Use this command to generate a hash value of the certificate revocation list (CRL) issuer to identify the location of the CRL in your file system for certificate validation.
H.2.6.6.2 Syntax
orapki crl hash -crl crl_filename|URL [-wallet wallet_location] [-symlink|-copy] crl_directory [-summary]
- The -crl parameter specifies the filename that contains the CRL or the URL in which it can be found.
- The -wallet parameter (optional) specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.
- Depending on your operating system, use either the -symlink or the -copy parameter:
  - On UNIX: Use -symlink to create a symbolic link to the CRL at the crl_directory location
  - On Windows: Use -copy to create a copy of the CRL at the crl_directory location
- The -summary parameter (optional) causes the tool to display the CRL issuer's name.
H.2.6.7 orapki crl list
The following sections describe this command.
H.2.6.7.1 Purpose
Use this command to display a list of CRLs stored in Oracle Internet Directory. This is useful for browsing to locate a particular CRL to view or download to your local file system.
H.2.6.7.2 Syntax
orapki crl list -ldap hostname:ssl_port
The -ldap parameter specifies the hostname and SSL port for the directory server from which you want to list CRLs. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.
H.2.6.8 orapki crl revoke
H.2.6.8.2 Syntax
orapki crl revoke [-crl [url|filename]] [-wallet [cawallet]] [-cert [revokecert]] [-pwd pwd]
where:
- -crl specifies the CRL as either a URL or a filename
- -wallet is the cawallet, which contains self-signed certificate and corresponding private key
- -cert: certificate to be revoked
- -pwd is the password of cawallet.
H.2.6.10 orapki crl upload
The following sections describe this command.
H.2.6.10.2 Syntax
orapki crl upload -crl crl_location -ldap hostname:ssl_port -user username [-wallet wallet_location] [-summary]
- The -crl parameter specifies the directory location or the URL of the CRL that you are uploading to the directory.
- The -ldap parameter specifies the hostname and SSL port for the directory to which you are uploading the CRLs. Note that this must be a directory SSL port with no authentication. See Section H.2.5.2.2, "Uploading CRLs to Oracle Internet Directory" for more information about this port.
- The -user parameter specifies the username of the directory user who has permission to add CRLs to the CRL subtree in the directory.
- The -wallet parameter specifies the location of the wallet that contains the certificate of the certificate authority (CA) who issued the CRL. This is an optional parameter. Using it causes the tool to verify the validity of the CRL against the CA's certificate prior to uploading it to the directory.
- The -summary parameter is also optional. Using it causes the tool to display the CRL issuer's name and the LDAP entry in which the CRL is stored in the directory.
Certificate Validation (CRL and OCSP): orapki only supports CRL
Two methods of checking for revoked certificates:
- Certificate Revocation List (CRL) - A CRL is a list of revoked certificates that is downloaded from the Certificate Authority (CA).
- Online Certificate Status Protocol (OCSP) - OCSP is a protocol for checking revocation of a single certificate interactively using an online service called an OCSP responder.
CRL and OCSP validation are two different ways to achieve the same result: denying access to any user whose certificate is revoked. In a web browser, OCSP is generally considered superior because a browser is usually dealing with many different Certificate Authorities (CAs), and having to download an entire CRL to check one web site is inefficient.
#####ORACLE DOC ##
https://docs.oracle.com/cd/E28280_01/core.1111/e10105/walletmgr.htm#ASADM10624
###Parameters of orapki wallet jks_to_pkcs12 (the JKS-to-wallet command above)
The parameters are as follows:
wallet is the wallet location; entries from the JKS keystore will be migrated to this wallet.
pwd is the wallet password.
keystore is the keystore location; this JKS will be migrated to the p12 wallet.
jkspwd is the JKS password.
aliases are optional. If specified, only entries corresponding to the specified alias are mig