Weblogic with FIPS 140-2 Configuration
Version History
| Version | Date | Modified By | Description |
|---|---|---|---|
| 1.0 | 11/29/2018 | Minh-Hai Nguyen | Initial Version |
Prerequisites
- CONNECT is deployed on Weblogic server. Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS
Configure FIPS Mode
Configure JAVA Security Policy:
- Back up java.security in $JAVA_HOME/jre/lib/security
- cp java.security java.security.non_fips
- Edit java.security file in $JAVA_HOME/jre/lib/security.
- Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the
java.securityproperties file:java.securitysecurity.provider.1=com.rsa.jsafe.provider.JsafeJCE security.provider.2=com.rsa.jsse.JsseProvider security.provider.3=sun.security.provider.Sun
- Use no restriction on cryptographic strengths by commenting out
- crypto.policy=unlimited
- Replace default jks with pkcs12
- keystore.type=pkcs12
- Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the
Convert JKS into PKCS12 Keystore
- keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
- keytool -importkeystore -srckeystore cacerts.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore cacerts.p12
Modify CONNECT Property
- Modify truststore.properties as shown below:truststore.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=changeit org.apache.ws.security.crypto.merlin.truststore.file=cacerts.p12
- Modify signature.propertiessignature.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=changeit org.apache.ws.security.crypto.merlin.file=gateway.p12
Load Weblogic FIP library
- Backup and edit $WL_HOME/bin/setDomainEnv.sh
- Add new PRE_CLASSPATH variable above WL_HOME variable as shown below. Make sure to use right path for your environment. In this case, our weblogic server locates under /nhin/server/wls1221setDomainEnv.sh
PRE_CLASSPATH="/nhin/server/wls1221/wlserver/server/lib/jcmFIPS.jar:/nhin/server/wls1221/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}" export PRE_CLASSPATH WL_HOME="/nhin/server/wls1221/wlserver" - Append the following entry to NHIN_PRO variable inside setDomainEnv.sh as shown below
-Dweblogic.security.allowCryptoJDefaultPRNG=true
- -Dweblogic.security.allowCryptoJDefaultJCEVerification=trueNHIN_PRO
EXT_POST_CLASSPATH="/nhin/server/connectProperties" export EXT_POST_CLASSPATH NHIN_PRO="-Dlog4j.configuration=file:${EXT_POST_CLASSPATH}/log4j.properties -Dweblogic.log.Log4jLoggingEnabled=true -Xmx8000m -Dnhinc.properties.dir=${EXT_POST_CLASSPATH} -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=${EXT_POST_CLASSPATH}/gateway.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=${EXT_POST_CLASSPATH}/cacerts.p12 -DCLIENT_KEY_ALIAS=gateway -Djava.security.egd=file:/dev/./urandom -DUseSunHttpHandler=true -Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true -Djavax.enterprise.resource.xml.webservices.security.level=FINE -Djavax.enterprise.resource.webservices.jaxws=FINE -Dweblogic.security.allowCryptoJDefaultPRNG=true -Dweblogic.security.allowCryptoJDefaultJCEVerification=true -Djavax.net.debug=all" export NHIN_PRO JAVA_OPTIONS="${JAVA_OPTIONS} ${NHIN_PRO} " export JAVA_OPTIONS
- Add new PRE_CLASSPATH variable above WL_HOME variable as shown below. Make sure to use right path for your environment. In this case, our weblogic server locates under /nhin/server/wls1221
Configure Weblogic Console
- Start Weblogic
- Under "Environment," go to "Servers," then go to the adopter's managed server
- Navigate to "Keystores"
- Keystores: "Custom Identity and Custom Trust"
- Under "Keystores" --> "Identity"
- "Custom Identity Keystore:" = <path to certs>/gateway.p12
- "Custom Identity Keystore Type:" = PKCS12
- Enter the passphrase and confirm
- Under "Keystores" --> "Trust"
- "Custom Trust Keystore:" = <path to certs>/cacerts.p12
- "Custom Trust Keystore Type:" = PKCS12
- Enter the passphrase and confirm
- Click on Save.
- Restart the server
- Rerun Validation Suite and verify it passes
Link/Additional Reading
- Enable Weblogic in FIPS Mode
- CONNECT Forums
- Deploying CONNECT to WebLogic
- Validating CONNECT Installation