Weblogic with FIPS 140-2 Configuration

Version History

Version | Date       | Modified By     | Description
--------|------------|-----------------|----------------
1.0     | 11/29/2018 | Minh-Hai Nguyen | Initial Version

Prerequisites

  • CONNECT is deployed on the Weblogic server.  Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS.

Configure FIPS Mode

Configure JAVA Security Policy:

  • Back up java.security in $JAVA_HOME/jre/lib/security

    • cp java.security java.security.non_fips

  • Edit the java.security file in $JAVA_HOME/jre/lib/security.

    • Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the java.security properties file (the existing providers follow them, renumbered):

      java.security

      security.provider.1=com.rsa.jsafe.provider.JsafeJCE
      security.provider.2=com.rsa.jsse.JsseProvider
      security.provider.3=sun.security.provider.Sun
    • Use no restriction on cryptographic strength by commenting out the following line:

      • crypto.policy=unlimited

    • Replace default jks with pkcs12

      • keystore.type=pkcs12
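The provider and keystore edits above can be applied and checked with a script rather than by hand, which also lets a reviewer confirm the end state before the server is restarted. The following is an added example and not from the CONNECT wiki page: it applies the edits to a constructed sample java.security in a scratch directory and verifies the result; for a real run point SAMPLE at $JAVA_HOME/jre/lib/security/java.security (it assumes a POSIX sh with awk, sed and grep on the PATH; the crypto.policy step is left to the operator).

```shell
#!/bin/sh
# Added example, not from the CONNECT wiki page: applies the java.security edits
# from the steps above (RSA providers first, keystore.type=pkcs12) and checks the
# result. The sample file below is constructed; assumption: POSIX sh + awk/sed/grep.

# Rewrite the security.provider.N list so the RSA JCE and JSSE providers are entries
# 1 and 2; the existing providers follow in their original order, renumbered.
# Existing RSA entries are dropped first, so running the edit twice is harmless.
fips_providers() {
  awk '
    /^security\.provider\.[0-9]+=/ {
      if (!seen) first = NR      # remember where the provider block starts
      seen = 1
      sub(/^security\.provider\.[0-9]+=/, "")
      if ($0 != "com.rsa.jsafe.provider.JsafeJCE" && $0 != "com.rsa.jsse.JsseProvider")
        prov[++n] = $0
      next
    }
    { line[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        if (i == first) {
          print "security.provider.1=com.rsa.jsafe.provider.JsafeJCE"
          print "security.provider.2=com.rsa.jsse.JsseProvider"
          for (j = 1; j <= n; j++) print "security.provider." (j + 2) "=" prov[j]
        }
        if (i in line) print line[i]
      }
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Switch the default keystore type from jks to pkcs12 (append the key if absent).
fips_keystore_type() {
  if grep -q '^keystore\.type=' "$1"; then
    sed 's/^keystore\.type=.*/keystore.type=pkcs12/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf 'keystore.type=pkcs12\n' >> "$1"
  fi
}

# Verify the end state the procedure expects; a non-zero exit names the first miss.
fips_check() {
  grep -q '^security\.provider\.1=com\.rsa\.jsafe\.provider\.JsafeJCE$' "$1" \
    || { echo "provider 1 is not JsafeJCE"; return 1; }
  grep -q '^security\.provider\.2=com\.rsa\.jsse\.JsseProvider$' "$1" \
    || { echo "provider 2 is not JsseProvider"; return 1; }
  grep -q '^keystore\.type=pkcs12$' "$1" \
    || { echo "keystore.type is not pkcs12"; return 1; }
}

# Constructed sample: a trimmed JDK 8 style java.security in a scratch directory.
WORK=$(mktemp -d)
SAMPLE="$WORK/java.security"
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real JDK file
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
keystore.type=jks
EOF

cp "$SAMPLE" "$SAMPLE.non_fips"   # the page's backup step, kept beside the file
fips_providers "$SAMPLE"
fips_keystore_type "$SAMPLE"
fips_check "$SAMPLE" && echo "java.security ready for the FIPS providers"
```

The awk pass keeps every non-provider line (comments, other properties) in place and only rewrites the provider block, so the diff against java.security.non_fips is limited to the lines the procedure names.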

Convert JKS into PKCS12 Keystore

  • keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12

  • keytool -importkeystore -srckeystore cacerts.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore cacerts.p12

Modify CONNECT Property

  • Modify truststore.properties as shown below:

    truststore.properties

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
    org.apache.ws.security.crypto.merlin.keystore.password=changeit
    org.apache.ws.security.crypto.merlin.truststore.file=cacerts.p12

  • Modify signature.properties as shown below:

    signature.properties

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
    org.apache.ws.security.crypto.merlin.keystore.password=changeit
    org.apache.ws.security.crypto.merlin.file=gateway.p12

Load Weblogic FIPS library

  • Back up and edit $WL_HOME/bin/setDomainEnv.sh

    • Add a new PRE_CLASSPATH variable above the WL_HOME variable as shown below.  Make sure to use the right path for your environment.  In this case, our Weblogic server is located under /nhin/server/wls1221

      setDomainEnv.sh

      PRE_CLASSPATH="/nhin/server/wls1221/wlserver/server/lib/jcmFIPS.jar:/nhin/server/wls1221/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}"
      export PRE_CLASSPATH
      WL_HOME="/nhin/server/wls1221/wlserver"

    • Append the following entries to the NHIN_PRO variable inside setDomainEnv.sh as shown below

      • -Dweblogic.security.allowCryptoJDefaultPRNG=true

      • -Dweblogic.security.allowCryptoJDefaultJCEVerification=true

        NHIN_PRO

        EXT_POST_CLASSPATH="/nhin/server/connectProperties"
        export EXT_POST_CLASSPATH
        NHIN_PRO="-Dlog4j.configuration=file:${EXT_POST_CLASSPATH}/log4j.properties -Dweblogic.log.Log4jLoggingEnabled=true -Xmx8000m -Dnhinc.properties.dir=${EXT_POST_CLASSPATH} -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=${EXT_POST_CLASSPATH}/gateway.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=${EXT_POST_CLASSPATH}/cacerts.p12 -DCLIENT_KEY_ALIAS=gateway -Djava.security.egd=file:/dev/./urandom -DUseSunHttpHandler=true -Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true -Djavax.enterprise.resource.xml.webservices.security.level=FINE -Djavax.enterprise.resource.webservices.jaxws=FINE -Dweblogic.security.allowCryptoJDefaultPRNG=true -Dweblogic.security.allowCryptoJDefaultJCEVerification=true -Djavax.net.debug=all"
        export NHIN_PRO
        JAVA_OPTIONS="${JAVA_OPTIONS} ${NHIN_PRO} "
        export JAVA_OPTIONS
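Because the CONNECT property edits and the setDomainEnv.sh edits have to agree with each other (PKCS12 stores on both sides, the two CryptoJ flags present, the FIPS jars ahead of everything else on the classpath), a read-only preflight before the restart saves a failed Validation Suite run. The script below is an added example and not part of the CONNECT wiki page: it checks constructed copies of setDomainEnv.sh, truststore.properties and signature.properties in a scratch directory; in a real run pass $WL_HOME/bin/setDomainEnv.sh and the two property files from the CONNECT properties directory (assumption: POSIX sh with sed and grep). It also reports whether the -Djavax.net.debug=all and the two HTTP dump flags from the NHIN_PRO listing are set, since those write TLS handshake and record data and full SOAP messages to the server log and are normally wanted only while validating.

```shell
#!/bin/sh
# Added example, not part of the CONNECT wiki page: read-only preflight for the
# setDomainEnv.sh and WS-Security property edits above. Files are constructed
# samples; assumption: POSIX sh with sed and grep.

# Print the value of a VAR="..." assignment in a file (first assignment wins).
var_value() {
  sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# PRE_CLASSPATH must list jcmFIPS.jar then sslj.jar and keep the prior value.
check_pre_classpath() {
  case "$(var_value "$1" PRE_CLASSPATH)" in
    *jcmFIPS.jar*sslj.jar*'${PRE_CLASSPATH}'*) return 0 ;;
  esac
  return 1
}

# NHIN_PRO must carry every flag the procedure adds; each missing flag is printed.
check_nhin_pro() {
  v=$(var_value "$1" NHIN_PRO)
  missing=0
  for flag in \
    -Dweblogic.security.allowCryptoJDefaultPRNG=true \
    -Dweblogic.security.allowCryptoJDefaultJCEVerification=true \
    -Djavax.net.ssl.keyStoreType=PKCS12 \
    -Djavax.net.ssl.trustStoreType=PKCS12
  do
    case " $v " in
      *" $flag "*) ;;
      *) echo "missing: $flag"; missing=$((missing + 1)) ;;
    esac
  done
  return $missing
}

# True when the verbose TLS / SOAP dump flags are set: they log handshake, record
# and message contents, which is fine while validating but not as a steady state.
debug_flags_present() {
  case "$(var_value "$1" NHIN_PRO)" in
    *-Djavax.net.debug=*|*HttpAdapter.dump=true*|*HttpTransportPipe.dump=true*) return 0 ;;
  esac
  return 1
}

# Merlin properties must say pkcs12 and name a .p12 store (keystore or truststore).
check_merlin_props() {
  grep -q '^org\.apache\.ws\.security\.crypto\.merlin\.keystore\.type=pkcs12$' "$1" || return 1
  grep -Eq '^org\.apache\.ws\.security\.crypto\.merlin\.(truststore\.)?file=.*\.p12$' "$1"
}

# Run every check, report, and return non-zero if a blocking check failed.
preflight() {
  rc=0
  check_pre_classpath "$1" || { echo "PRE_CLASSPATH lacks the FIPS jars"; rc=1; }
  check_nhin_pro "$1" || rc=1
  check_merlin_props "$2" || { echo "$2: not on a PKCS12 store"; rc=1; }
  check_merlin_props "$3" || { echo "$3: not on a PKCS12 store"; rc=1; }
  debug_flags_present "$1" && echo "note: TLS/SOAP dump flags are set in NHIN_PRO"
  return $rc
}

# Constructed samples in a scratch directory (quoted heredocs keep ${...} literal).
WORK=$(mktemp -d)
ENV_FILE="$WORK/setDomainEnv.sh"          # edited as the page describes
cat > "$ENV_FILE" <<'EOF'
PRE_CLASSPATH="/nhin/server/wls1221/wlserver/server/lib/jcmFIPS.jar:/nhin/server/wls1221/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}"
export PRE_CLASSPATH
WL_HOME="/nhin/server/wls1221/wlserver"
EXT_POST_CLASSPATH="/nhin/server/connectProperties"
export EXT_POST_CLASSPATH
NHIN_PRO="-Dnhinc.properties.dir=${EXT_POST_CLASSPATH} -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12 -Dweblogic.security.allowCryptoJDefaultPRNG=true -Dweblogic.security.allowCryptoJDefaultJCEVerification=true -Djavax.net.debug=all"
export NHIN_PRO
EOF
OLD_ENV="$WORK/setDomainEnv.old.sh"       # flags and jars not yet added
cat > "$OLD_ENV" <<'EOF'
PRE_CLASSPATH="${PRE_CLASSPATH}"
NHIN_PRO="-Dnhinc.properties.dir=${EXT_POST_CLASSPATH} -Djavax.net.ssl.keyStoreType=JKS"
EOF
TRUST_FILE="$WORK/truststore.properties"  # matches the page's listing
cat > "$TRUST_FILE" <<'EOF'
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.truststore.file=cacerts.p12
EOF
STALE_FILE="$WORK/signature.properties"   # still on the JKS store
cat > "$STALE_FILE" <<'EOF'
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.file=gateway.jks
EOF

preflight "$ENV_FILE" "$TRUST_FILE" "$STALE_FILE" || echo "fix the items above before restarting"
```

With the samples as constructed the run reports the stale signature.properties and the dump flags; once signature.properties matches the page's listing the preflight returns 0 and the restart and Validation Suite steps can follow.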

Configure Weblogic Console

  • Start Weblogic

  • Under "Environment," go to "Servers," then go to the adopter's managed server

  • Navigate to "Keystores"

  • Keystores: "Custom Identity and Custom Trust"

    • Under "Keystores" --> "Identity"

    • "Custom Identity Keystore:" = <path to certs>/gateway.p12

    • "Custom Identity Keystore Type:" = PKCS12

    • Enter the passphrase and confirm

  • Under "Keystores" --> "Trust"

    • "Custom Trust Keystore:" = <path to certs>/cacerts.p12

    • "Custom Trust Keystore Type:" = PKCS12

    • Enter the passphrase and confirm 

  • Click on Save.

  • Restart the server

  • Rerun Validation Suite and verify it passes

Link/Additional Reading

  1. Enable Weblogic in FIPS Mode

  2. CONNECT Forums 

  3. Deploying CONNECT to WebLogic

  4. Validating CONNECT Installation