Sunday, 29 July 2018

CASDK-0007 Unable to establish a secure connection to oracleebs.com. SSL protocol related exception occurred

When we try to create an Oracle E-Business connection using the Oracle EBS adapter in Oracle OIC / ICS, we may face the error below:

CASDK-0007: Unable to establish a secure connection to ebs.com. SSL protocol related exception occurred. Verify that the URL is reachable and the certificate for the same is available.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
unable to find valid certification path to requested target

This error occurs because of an SSL certificate issue: the agent's trust store does not contain the certificate chain presented by Oracle E-Business Suite. If Oracle E-Business Suite uses a specific SSL certificate, we must import (upload) the Oracle E-Business Suite SSL certificate into the Oracle ICS Agent.

Below are the steps to upload the Oracle E-Business Suite certificate to the ICS Agent:
  • Download Oracle E-Business Certificate chain using firefox browser
  • Import Oracle E-Business certificate chain to Oracle ICS agent
Download Oracle E-Business certificate chain using Firefox browser
  • Log in to the EBS suite using the Firefox browser
  • Click on Security Report and then on More Information
  • Go to the Security tab and click on the View Certificate button
  • Click on the Details tab and click on the Export button
  • Select X.509 Certificate with Chain (PEM) (*.crt, *.pem) from the Save as type list
  • Click on the Save button
Import Oracle E-Business certificate chain to Oracle ICS agent
  • Transfer the certificate chain to the machine where the ICS agent is installed
  • Log in to the ICS agent machine and change to the <AGENT_HOME>/oracle_common/common/bin directory
  • Create a new file, say importCert.py, and paste the content below into it
hostname="<agent_host_name>"
port="<Port number which was given during Agent installation, Default is 7001 if not provided>"
username="<User Name which was given during Agent installation, Default is weblogic if not provided>"
password="<Password which was given during Agent installation, Default is welcome2 if not provided >"
cert_file="<Certificate path which was downloaded in previous step> "
connect(username,password,"t3://"+hostname+":"+port)
svc=getOpssService(name='KeyStoreService')
svc.importKeyStoreCertificate(appStripe='system', name='trust', password='password',
alias='<alias_name>', keypassword='keypassword', type='TrustedCertificate',filepath=cert_file)

Note: Replace the values in <> brackets as per the agent environment

Consider the command below, which was used to install the ICS agent

./cloud-connectivity-agent-installer.bsx -h=https://icsinstance-a12122.integration.us2.oraclecloud.com:443 -u=ankurjain -p=myics@098 -ad= AGENT_GROUP -au=ebsagent -ap=agent@ICSagent1 -ph=111.40.10.111 -pp=5520

Using the values from that command, the file importCert.py will look like this

hostname="123.21.11.11"
port="7001"
username="ebsagent"
password="agent@ICSagent1"
cert_file="/u01/ebscert.crt"
connect(username,password,"t3://"+hostname+":"+port)
svc=getOpssService(name='KeyStoreService')
svc.importKeyStoreCertificate(appStripe='system', name='trust', password='password',
alias='ebsCert', keypassword='keypassword', type='TrustedCertificate',filepath=cert_file)


Run the command below to import the certificate

./wlst.sh importCert.py

Test the EBS connection; this time it should be established successfully.
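The Firefox export above is a single PEM file holding the whole chain, while the WLST call in importCert.py imports one certificate per alias. The script below is an added example, not part of the original post: it splits such a chain into one file per certificate and generates an importCert.py with one importKeyStoreCertificate call per file. The AGENT_* environment variable names, the alias prefix and the sample chain are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original post. Splits a PEM chain file (such as
# Firefox's "X.509 Certificate with Chain (PEM)" export) into one file per
# certificate, then generates a WLST script that imports each file into the
# agent trust store with the importKeyStoreCertificate call shown in the post,
# one alias per certificate. Assumes a POSIX shell with awk; AGENT_* variables
# and the alias prefix are assumed names, not part of the original post.

# split_pem_chain CHAIN_FILE OUT_PREFIX
# Writes OUT_PREFIX-1.pem, OUT_PREFIX-2.pem, ... and prints how many were written.
# Anything outside the BEGIN/END markers (e.g. "Bag Attributes" lines) is dropped.
split_pem_chain() {
  awk -v prefix="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
    out != ""                      { print > out }
    /^-----END CERTIFICATE-----/   { close(out); out = "" }
    END                            { print n + 0 }
  ' "$1"
}

# gen_import_script OUT_PREFIX COUNT ALIAS_PREFIX  > importCert.py
# Connection details come from AGENT_HOST, AGENT_PORT, AGENT_USER and AGENT_PASS
# so they are not hard-coded in this script; unset values stay as placeholders.
gen_import_script() {
  printf 'connect("%s","%s","t3://%s:%s")\n' \
    "${AGENT_USER:-<agent_user>}" "${AGENT_PASS:-<agent_password>}" \
    "${AGENT_HOST:-<agent_host_name>}" "${AGENT_PORT:-7001}"
  printf "svc=getOpssService(name='KeyStoreService')\n"
  i=1
  while [ "$i" -le "$2" ]; do
    # same call as the post's importCert.py, repeated per certificate file
    printf "svc.importKeyStoreCertificate(appStripe='system', name='trust', password='password', alias='%s-%s', keypassword='keypassword', type='TrustedCertificate', filepath='%s-%s.pem')\n" \
      "$3" "$i" "$1" "$i"
    i=$((i + 1))
  done
}

# Constructed two-certificate chain for an offline run; the bodies are
# placeholder text, not real certificates.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
MIIBconstructedServerCertificateBody==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerCertificateBody==
-----END CERTIFICATE-----'

# Offline demonstration on the sample; on the agent host the input would be the
# exported chain and the output is redirected to importCert.py for ./wlst.sh.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_CHAIN" > "$dir/ebs-chain.pem"
  count=$(split_pem_chain "$dir/ebs-chain.pem" "$dir/ebs")
  echo "certificates written: $count"
  gen_import_script "$dir/ebs" "$count" ebsCert
}
demo
```

On the agent host the same two functions are run against the exported chain, and the generated file is passed to ./wlst.sh as in the post.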

Friday, 13 July 2018

Apply SSL certificate on API CS physical Gateway node

High level steps to configure SSL in API CS physical Gateway
  1. Create Java KeyStore (JKS) and generate key
  2. Generate a Certificate Signing Request (CSR)
  3. Send the CSR file to CA to issue the certificate
  4. Import Certificates (Root, Intermediate(if any) & Server)
  5. Import API CS Certificate into Keystore
  6. Configure SSL in WebLogic Server
    • Change KeyStore type in WebLogic Server
    • Specify path of Identity KeyStore and Trust KeyStore
    • Specify Private Key Alias in WebLogic Server
    • Enable SSL in WebLogic Server
  7. Update Hostname Verification property
  8. Update the https URL of Gateway in API CS management console
  9. Import backend Services certificate into Keystore (if backend service is https enabled)
  10. Test API
Create Java KeyStore (JKS) and generate key

The keytool utility is a key and certificate management tool available in $JAVA_HOME/bin. Before we start, set the JAVA_HOME and PATH variables using the two commands below

 export JAVA_HOME=/usr/jdk1.8.0_171
 export PATH=$JAVA_HOME/bin:$PATH

In this step, we'll create the keystore and private key. Use the command below to generate the keystore

keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -keypass <private_key_password> -keystore <keystore_name>.jks -storepass <keystore_password> -storetype pkcs12

Option      Description
genkey      Generates the private key
alias       Alias name of the key entry
keyalg      Key algorithm. If not specified, DSA is used by default
keysize     Size of the private key
keypass     Password of the private key
keystore    Name of the keystore file
storepass   Password of the keystore
storetype   Type of the keystore

For example:

 keytool -genkey -alias myweblogic -keyalg RSA -keysize 2048 -keypass welcome1 -keystore mystore.jks -storepass welcome1 -storetype pkcs12

Note: When we import the signed certificate (issued by the CA) into the keystore, the same alias myweblogic must be used.



Once we run the command, enter the information below
  • First Name and Last Name (CN): This should be the server name for which the certificate is being generated. For example (techsupper.com)
  • Organization Unit (OU): The organizational unit of the company. For example (AnkurBlog)
  • Organization (O): The organization. For example (Techsupper)
  • City or Locality (L): The city of the organization. For example (Delhi)
  • State or Province (ST): The state of the organization. For example (Delhi)
  • Country (C): The country of the organization. For example (IN)
Generate a Certificate Signing Request (CSR)

The next step is to create a Certificate Signing Request (CSR).

Use the same alias (myweblogic) that was used to generate the keystore (mystore.jks)

keytool -certreq -alias <alias> -keystore <keystore_name>.jks  -storepass <keystore_password> -file <certificate_request>.csr

The certreq option signifies that we are generating a certificate signing request (CSR) file.

For example:

 keytool -certreq -alias myweblogic -keystore mystore.jks  -storepass welcome1 -file myweblogiccsr.csr


mystore.jks is the keystore that was created in the first step and welcome1 is the password that was used to create the mystore.jks file

Send the CSR file (myweblogic.csr) to CA to issue the certificate

Send CSR file to certifying authority to issue the certificate.

Import Certificates (Root, Intermediate(if any) & Server)

Once we receive the server certificate, we must first import the certificate of the Certificate Authority that issued it (before importing the certificate issued by the CA).
  • Use the command below to import the root certificate into the keystore file (mystore.jks)
 keytool -import -trustcacerts -alias <rootcacert_alias> -keystore <keystore_name>.jks -file <rootCA_file>.crt -storepass <keyStorePassword>

For example:

keytool -import -trustcacerts -alias rootcacert -keystore mystore.jks -file AddTrustExternalCARoot.crt -storepass welcome1
    • import is used to import the certificate into the keystore
    • trustcacerts signifies that we are importing a trusted certificate
    • alias must be different from the one used while generating the keystore file
    • file AddTrustExternalCARoot.crt is the file that contains the certificate of the Root Certifying Authority
  • Use the command below to import the intermediate certificate, if any, into the keystore file (mystore.jks)
 keytool -import -trustcacerts -alias <intermediatecacert_alias> -keystore <keystore_name>.jks -file <intermediateCA_file>.crt -storepass <keyStorePassword>

For example:

 keytool -import -trustcacerts -alias intermediatecacert -keystore mystore.jks -file USERTrustRSAAddTrustCA.crt -storepass welcome1
  • Finally, import the server certificate. The command below will be used to import the server certificate
 keytool -import -alias <myAlias> -keystore <keystore_name>.jks -file <servercert>.crt -keypass <keyPassword> -storepass <keyStorePassword>

For example:

 keytool -import -alias myweblogic -keystore mystore.jks -file techsupper_com.crt -keypass welcome1 -storepass welcome1

The alias myweblogic should match the alias used during generation of the key. techsupper_com.crt is the file that contains the certificate of the server issued by the CA

The certificate chain has now been added to the keystore file (mystore.jks). To list the certificates stored in the keystore, use the command below

 keytool -list -v -keystore mystore.jks -storepass welcome1

Import API CS Certificate into Keystore

The API CS certificate should be imported into the keystore (mystore.jks) for communication between API CS and the gateway node over SSL. Even if API CS is not SSL enabled, the API CS certificate should still be imported into the keystore. The same command that we used to import the intermediate / root certificate will be used to import the API CS certificate. First download the certificate from the API CS management console and then import it into mystore.jks

Note: Check the blog to see how to download a certificate from the browser

Configure SSL in WebLogic Server

In this blog, we have created the trust store and identity store in the same file (mystore.jks)
  • Change KeyStore type in WebLogic Server
Log in to the Physical Gateway WebLogic Server and navigate to Servers -> managedServer1 -> Configuration -> Keystore

Click on the Change button and select Custom Identity and Custom Trust. Once selected, click on the Save button
  • Specify path of Identity KeyStore and Trust KeyStore
In our case the Trust Store (store containing the Root and Intermediate CA) and the Identity Store (store containing the server certificate) are the same, i.e. <keystore_name>.jks (mystore.jks in our case).

Again Navigate to Servers -> managedServer1 -> Configuration -> Keystore tab

Enter the information below and click on the Save button

Custom Identity Keystore: Path of Keystore. In our case this is /home/oracle/gateway/domain/gateway1/security/mystore.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Custom Trust Keystore: Path of Keystore. In our case this is /home/oracle/gateway/domain/gateway1/security/mystore.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1

  • Specify Private Key Alias in WebLogic Server
Navigate to Servers -> managedServer1 -> Configuration -> SSL tab

Enter the information below and click on the Save button

Private Key Alias: Alias of the Private key. In our case this is myweblogic
Private Key Passphrase: Password of Private Key. In our case this is welcome1
Confirm Private Key Passphrase: Password of Private Key. In our case this is welcome1


  • Enable SSL in WebLogic Server
Finally, enable SSL in WebLogic Server. Navigate to Servers -> managedServer1 -> Configuration -> General


Check the SSL Listen Port Enabled checkbox


Update Hostname Verification property

Log in to the Physical Gateway WebLogic Server and navigate to Servers -> managedServer1 -> Configuration -> SSL. Click on Advanced and change the Hostname Verification property to None. This setting turns off the check that the subject name of a peer's certificate matches the host name WebLogic connects to; the certificate chain itself is still validated against the trust store.



Update the https URL of Gateway in API CS management console

Follow the steps below to change the https URL in the logical gateway
  • Log in to the API CS management portal
  • Navigate to the Gateways tab and click on the gateway which needs to be configured with the https URL
  • Select the Nodes tab and enter the domain name in the HTTPS text box
  • Click on the Save button
Import backend Services certificate into Keystore (if backend service is https enabled)

This is an optional step. It is required only if the service configured in API CS is https enabled. Hit the https service using the browser and download the certificate from the browser (check how to download a certificate from the browser). Import the downloaded certificate into the mystore.jks file. The steps are the same as for importing the root / intermediate certificate in the previous step.


Test API

Once all steps are completed successfully, deploy the API with the https protocol. Please see the blog on how to configure and deploy an API in API CS


Once the API is deployed successfully, it should be accessible over the https protocol.

SSL Certificate in WebLogic Server 8 - 12x


The default WebLogic Server installation uses a demo certificate to support SSL. Oracle recommends installing a certificate from a well-known third party to strengthen the security of the environment.

Below are the steps to configure SSL in WebLogic 
  1. Create Java KeyStore (JKS) and generate key
  2. Generate a Certificate Signing Request (CSR)
  3. Send the CSR file to CA to issue the certificate
  4. Import Certificates (Root, Intermediate(if any) & Server)
  5. Configure SSL in WebLogic Server
    • Change KeyStore type in WebLogic Server
    • Specify path of Identity KeyStore and Trust KeyStore
    • Specify Private Key Alias in WebLogic Server
    • Enable SSL in WebLogic Server
  6. Test SSL
Create Java KeyStore (JKS) and generate key

The keytool utility is a key and certificate management tool available in $JAVA_HOME/bin. Before we start, set the JAVA_HOME and PATH variables. For this blog we are using Linux, so use the two commands below to set the JAVA_HOME and PATH variables

 export JAVA_HOME=/usr/jdk1.8.0_171
 export PATH=$JAVA_HOME/bin:$PATH

In this step, we'll create the keystore and private key. Use the command below to generate the keystore

 keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -keypass <private_key_password> -keystore <keystore_name>.jks -storepass <keystore_password> -storetype pkcs12

Option      Description
genkey      Generates the private key
alias       Alias name of the key entry
keyalg      Key algorithm. If not specified, DSA is used by default
keysize     Size of the private key
keypass     Password of the private key
keystore    Name of the keystore file
storepass   Password of the keystore
storetype   Type of the keystore

For example:

 keytool -genkey -alias myweblogic -keyalg RSA -keysize 2048 -keypass welcome1 -keystore mystore.jks -storepass welcome1 -storetype pkcs12

Note: When we import the signed certificate (issued by the CA) into the keystore, the same alias myweblogic must be used.



Once we run the command, enter the information below
  • First Name and Last Name (CN): This should be the server name for which the certificate is being generated. For example (techsupper.com)
  • Organization Unit (OU): The organizational unit of the company. For example (AnkurBlog)
  • Organization (O): The organization. For example (Techsupper)
  • City or Locality (L): The city of the organization. For example (Delhi)
  • State or Province (ST): The state of the organization. For example (Delhi)
  • Country (C): The country of the organization. For example (IN)
Generate a Certificate Signing Request (CSR)

The next step is to create a Certificate Signing Request (CSR).

Use the same alias (myweblogic) that was used to generate the keystore (mystore.jks)

keytool -certreq -alias <alias> -keystore <keystore_name>.jks  -storepass <keystore_password> -file <certificate_request>.csr

The certreq option signifies that we are generating a certificate signing request (CSR) file.

For example:

 keytool -certreq -alias myweblogic -keystore mystore.jks  -storepass welcome1 -file myweblogiccsr.csr

mystore.jks is the keystore that was created in the first step and welcome1 is the password that was used to create the mystore.jks file


Send the CSR file (myweblogic.csr) to CA to issue the certificate

Send CSR file to certifying authority to issue the certificate.

Import Certificates (Root, Intermediate(if any) & Server)

Once we receive the server certificate, we must first import the certificate of the Certificate Authority that issued it (before importing the certificate issued by the CA).
  • Use the command below to import the root certificate into the keystore file (mystore.jks)
 keytool -import -trustcacerts -alias <rootcacert_alias> -keystore <keystore_name>.jks -file <rootCA_file>.crt -storepass <keyStorePassword>

For example:

keytool -import -trustcacerts -alias rootcacert -keystore mystore.jks -file AddTrustExternalCARoot.crt -storepass welcome1
  • import is used to import the certificate into the keystore
  • trustcacerts signifies that we are importing a trusted certificate
  • alias must be different from the one used while generating the keystore file
  • file AddTrustExternalCARoot.crt is the file that contains the certificate of the Root Certifying Authority

  • Use the command below to import the intermediate certificate, if any, into the keystore file (mystore.jks)
 keytool -import -trustcacerts -alias <intermediatecacert_alias> -keystore <keystore_name>.jks -file <intermediateCA_file>.crt -storepass <keyStorePassword>

For example:

 keytool -import -trustcacerts -alias intermediatecacert -keystore mystore.jks -file USERTrustRSAAddTrustCA.crt -storepass welcome1

  • Finally, import the server certificate. The command below will be used to import the server certificate

 keytool -import -alias <myAlias> -keystore <keystore_name>.jks -file <servercert>.crt -keypass <keyPassword> -storepass <keyStorePassword>

For example:

 keytool -import -alias myweblogic -keystore mystore.jks -file techsupper_com.crt -keypass welcome1 -storepass welcome1

The alias myweblogic should match the alias used during generation of the key.
The file techsupper_com.crt contains the certificate of the server issued by the CA

The certificate chain has now been added to the keystore file (mystore.jks). To list the certificates stored in the keystore, use the command below

 keytool -list -v -keystore mystore.jks -storepass welcome1
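Listing the keystore is the point where a wrong alias or a missing issuer shows up, and the listing is long. The script below is an added example, not part of this post or the API CS gateway post above (it applies to both): it reads the output of keytool -list -v and reports, for one alias, the entry type and the length of the stored chain. It assumes a POSIX shell with awk; the aliases and subject names are the post's, and the sample listing is constructed and abbreviated.

```shell
#!/bin/sh
# Added example, not part of the original posts (it applies equally to the API CS
# gateway post above). Reads `keytool -list -v` output and reports, for one alias,
# the entry type and how many certificates its chain holds, so the import steps
# can be checked before WebLogic is pointed at the keystore. Assumes a POSIX shell
# with awk; aliases and subject names are taken from the post.

# chain_summary ALIAS  < keytool-list-v-output
# Prints "<entry type> <chain length>", e.g. "PrivateKeyEntry 3". Trusted
# certificate entries have no chain line and report length 0.
chain_summary() {
  awk -v want="$1" '
    /^Alias name: / { inblock = ($3 == want); if (inblock) found = 1; next }
    inblock && /^Entry type: /               { type = $3 }
    inblock && /^Certificate chain length: / { len = $4 }
    END { if (found) print type, len + 0 }
  '
}

# verify_chain ALIAS EXPECTED_LEN  < keytool-list-v-output
# Exit 0 only if ALIAS is a PrivateKeyEntry holding EXPECTED_LEN certificates
# (server + intermediate + root = 3 for the post's setup). Length 1 means the CA
# reply was stored without its issuers; a trustedCertEntry under the server alias
# means the reply was imported under the wrong alias, as a plain trusted
# certificate, instead of being matched to the private key.
verify_chain() {
  [ "$(chain_summary "$1")" = "PrivateKeyEntry $2" ]
}

# Constructed, abbreviated `keytool -list -v -keystore mystore.jks` output for
# the post's keystore; dates, fingerprints and most DN fields are left out.
SAMPLE_LIST='Your keystore contains 3 entries

Alias name: myweblogic
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=techsupper.com, OU=AnkurBlog, O=Techsupper, L=Delhi, ST=Delhi, C=IN
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network
Certificate[2]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network
Issuer: CN=AddTrust External CA Root, O=AddTrust AB
Certificate[3]:
Owner: CN=AddTrust External CA Root, O=AddTrust AB
Issuer: CN=AddTrust External CA Root, O=AddTrust AB

Alias name: rootcacert
Entry type: trustedCertEntry

Owner: CN=AddTrust External CA Root, O=AddTrust AB
Issuer: CN=AddTrust External CA Root, O=AddTrust AB'

# Offline demonstration; on the server, feed the real listing instead:
#   keytool -list -v -keystore mystore.jks -storepass welcome1 | verify_chain myweblogic 3
demo() {
  printf '%s\n' "$SAMPLE_LIST" | chain_summary myweblogic
  printf '%s\n' "$SAMPLE_LIST" | verify_chain myweblogic 3 && echo "chain complete"
}
demo
```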

Configure SSL in WebLogic Server

In this blog, we have created the trust store and identity store in the same file (mystore.jks)
  • Change KeyStore type in WebLogic Server
Log in to the WebLogic Server and navigate to Servers -> <Click on the Server on which SSL will be applied> -> Configuration -> Keystore


Click on the Change button and select Custom Identity and Custom Trust. Once selected, click on the Save button
  • Specify path of Identity KeyStore and Trust KeyStore
In our case the Trust Store (store containing the Root and Intermediate CA) and the Identity Store (store containing the server certificate) are the same, i.e. <keystore_name>.jks (mystore.jks in our case).

Again Navigate to Servers -> <Click on the Server on which SSL will be applied> -> Configuration -> Keystore tab

Enter the information below and click on the Save button

Custom Identity Keystore: Path of Keystore. In our case this is /home/oracle/mycert/mystore.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Custom Trust Keystore: Path of Keystore. In our case this is /home/oracle/mycert/mystore.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1

  • Specify Private Key Alias in WebLogic Server
Navigate to Servers -> <Click on the Server on which SSL will be applied> -> Configuration -> SSL tab

Enter the information below and click on the Save button

Private Key Alias: Alias of the Private key. In our case this is myweblogic
Private Key Passphrase: Password of Private Key. In our case this is welcome1
Confirm Private Key Passphrase: Password of Private Key. In our case this is welcome1

  • Enable SSL in WebLogic Server
Finally, enable SSL in WebLogic Server. Navigate to Servers -> <Click on the Server on which SSL will be applied> -> Configuration -> General

Check the SSL Listen Port Enabled checkbox


Test SSL

Deploy a sample application on the server and check that the application is served over https