Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Version History

VersionDateModified ByDescription
1.011/29/2018Minh-Hai NguyenInitial Version

Prerequisites

  • CONNECT is deployed on Weblogic server.  Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS

Configure FIPS Mode

Configure JAVA Security Policy:

  • Back up java.security in $JAVA_HOME/jre/lib/security
    • cp java.security java.security.non_fips
  • Edit java.security file in $JAVA_HOME/jre/lib/security. 
    • Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the java.security properties file:
      java.security
      security.provider.1=com.rsa.jsafe.provider.JsafeJCE
      security.provider.2=com.rsa.jsse.JsseProvider
      security.provider.3=sun.security.provider.Sun
    • Use no restriction on cryptographic strengths by commenting out
      • crypto.policy=unlimited
    • Replace default jks with pkcs12
      • keystore.type=pkcs12

Convert JKS into PKCS12 Keystore

  • keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
  • keytool -importkeystore -srckeystore cacerts.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore cacerts.p12

Modify CONNECT Property

  • Modify truststore.properties as shown below:
    truststore.properties
    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
    org.apache.ws.security.crypto.merlin.keystore.password=changeit
    org.apache.ws.security.crypto.merlin.truststore.file=cacerts.p12
  • Modify signature.properties
    signature.properties
    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
    org.apache.ws.security.crypto.merlin.keystore.password=changeit
    org.apache.ws.security.crypto.merlin.file=gateway.p12

Load Weblogic FIP library

  • Backup and edit $WL_HOME/bin/setDomainEnv.sh
    • Add  new PRE_CLASSPATH variable above WL_HOME variable as shown below.  Make sure to use right path for your environment.  In this case, our weblogic server locates under /nhin/server/wls1221
      setDomainEnv.sh
      PRE_CLASSPATH="/nhin/server/wls1221/wlserver/server/lib/jcmFIPS.jar:/nhin/server/wls1221/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}"
      export PRE_CLASSPATH
      WL_HOME="/nhin/server/wls1221/wlserver"
    • Append the following entry to NHIN_PRO variable inside setDomainEnv.sh as shown below
      • -Dweblogic.security.allowCryptoJDefaultPRNG=true

      • -Dweblogic.security.allowCryptoJDefaultJCEVerification=true
        NHIN_PRO
        EXT_POST_CLASSPATH="/nhin/server/connectProperties"
        export EXT_POST_CLASSPATH
        NHIN_PRO="-Dlog4j.configuration=file:${EXT_POST_CLASSPATH}/log4j.properties -Dweblogic.log.Log4jLoggingEnabled=true -Xmx8000m -Dnhinc.properties.dir=${EXT_POST_CLASSPATH} -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=${EXT_POST_CLASSPATH}/gateway.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=${EXT_POST_CLASSPATH}/cacerts.p12 -DCLIENT_KEY_ALIAS=gateway -Djava.security.egd=file:/dev/./urandom -DUseSunHttpHandler=true -Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true -Djavax.enterprise.resource.xml.webservices.security.level=FINE -Djavax.enterprise.resource.webservices.jaxws=FINE -Dweblogic.security.allowCryptoJDefaultPRNG=true -Dweblogic.security.allowCryptoJDefaultJCEVerification=true -Djavax.net.debug=all"
        export NHIN_PRO
        
        JAVA_OPTIONS="${JAVA_OPTIONS} ${NHIN_PRO} "
        export JAVA_OPTIONS

Configure Weblogic Console

  • Start Weblogic
  • Under "Environment," go to "Servers," then go to the adopter's managed server
  • Navigate to "Keystores"
  • Keystores: "Custom Identity and Custom Trust"
    • Under "Keystores" --> "Identity"
    • "Custom Identity Keystore:" = <path to certs>/gateway.p12
    • "Custom Identity Keystore Type:" = PKCS12
    • Enter the passphrase and confirm
  • Under "Keystores" --> "Trust"
    • "Custom Trust Keystore:" = <path to certs>/cacerts.p12
    • "Custom Trust Keystore Type:" = PKCS12
    • Enter the passphrase and confirm 
  • Click on Save.
  • Restart the server
  • Rerun Validation Suite and verify it passes

Link/Additional Reading

  1. Enable Weblogic in FIPS Mode (https://docs.oracle.com/middleware/1221/wls/SECMG/fips.htm#SECMG771)
  2. CONNECT Developer Forums (connectopensource.org)
  3. Deploying CONNECT to WebLogic
  4. https://connectopensource.atlassian.net/wiki/x/I4Ch (Connection Validation Suite)



  • No labels