fme congres 2016: ssl everywhere!

Zeist • February 2016 SSL Everywhere! OGh Fusion Middleware Experience 2016


Page 1: FME congres 2016: SSL Everywhere!

ING Orange

RGB= 255, 98, 0

ING Light Grey

RGB= 168, 168, 168

ING Indigo

RGB= 82, 81, 153

ING Sky

RGB= 96, 166, 218

Colour Guidelines

ING Fuchsia

RGB= 171, 0, 102

ING Lime

RGB= 208, 217, 60

ING Leaf

RGB= 52, 150, 81

ING Mid Grey

RGB= 118, 118, 118

Text Colour

RGB= 51, 51, 51

No content below the grey line

Max. width

Max. height

Zeist • February 2016

SSL Everywhere!

OGh – Fusion Middleware Experience 2016

Page 2

Page 3

Jacco & Simon

Jacco H. Landlust:
• Sr. Managing Consultant at ING Group Services
• Oracle ACE (Database Management & Performance)

Simon Haslam:
• Founder of Veriton, and now Technical Director at eProseed UK
• Oracle ACE Director (Middleware & SOA)
• UKOUG App Server & Middleware SIG Chair

Page 4

Why encrypt traffic?

To prevent eavesdropping – e.g.
• getting hold of your user ID & password, for later reuse
• stealing your (post-authentication) session credentials to allow session hijacking: the attacker then has the same application access and control as you have

To prevent tampering with data – e.g.
• changing the recipient bank account or the amount in a bank transfer
• tricking you into entering more information

Page 5

Agenda
• Concepts you need
• Fusion Middleware & SSL
• Tools

Page 6

Essential Concepts
• key-pair (asymmetric)
  • one key to encrypt, a different key to decrypt
  • you make one your private key, the other your public key
• certificate
  • unique to you
  • public key
  • signed
• certificate authority (CA)
  • signs certificates
  • is independently trusted

Page 7

Old school Identity Management

Image: https://commons.wikimedia.org/wiki/File:Ashdod-port-border-control-stamp-2010.jpg

Page 8

How does this work?

• Border guard doesn’t know who I am – I present passport

• Passport is signed by UK Identity & Passport Service (IPS)

• UK IPS is an agency of British Govt.

• Border guard trusts British Govt.

Page 9

Identity

(Diagram: "me" and the "person I want to communicate with"; their certificate is signed by a certificate authority.)

1. Person sends me their cert
2. I look at who it is signed by
3. If I trust the person it is signed by, I accept their identity

Page 10

Passport vs Certificate attributes

• Who it represents {issued to name}

• Who has issued it {issued by name}

• Start/end date {issued on, expires on}

• Signature/biometric details {public key}

• Picture, place of birth, etc {organisation details}

Page 11

Page 12

Trust

(Diagram: "me" and the "person I want to communicate with"; their certificate is signed by certificate authority A, whose certificate is in turn signed by certificate authority B.)

1. Person sends me their cert
2. I look at who it is signed by
3. If I don't trust the person it is signed by, I look at who they are signed by, and so on

Page 13

What's in the Certificate

• The public key

• Registered name/details of owner

• Validity

• Identity of CA

• Location of CA Revocation List

• Hash function summary of the above (encrypted with the CA's private key, i.e. the CA signature)

Page 14

How do I know the certificate is valid?
• Client recreates the summary "as it should be" (from ~hostname/validity)
• Client runs the hash function on the summary and encrypts the result using the CA public key
• Client compares the result to the public key offered by the server
• If they are the same, the client now has the public key for the certificate owner and can check validity, (optionally) the CRL, etc.

So by now we have the server's public key, which we can secure traffic with.
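The walk described in steps 1-3 of the Identity and Trust slides (accept if the signer is in your trust keystore, otherwise look at who signed the signer, and so on), as an added example written for this page rather than code from the talk or from Oracle. Certificates are modelled as subject/issuer/validity records with constructed names; the signature check a real TLS stack performs at each link is assumed to be done by the library and is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime

NOW = datetime(2016, 2, 1)   # "today" for the demo: the month of the talk


@dataclass(frozen=True)
class Cert:
    """The attributes the slides compare with a passport (no key material)."""
    subject: str          # who it represents ("issued to")
    issuer: str           # who signed it ("issued by")
    not_before: datetime  # "issued on"
    not_after: datetime   # "expires on"


class ChainError(Exception):
    pass


def _valid_at(cert, now):
    return cert.not_before <= now <= cert.not_after


def build_chain(leaf, available, trust_store, now=NOW, max_depth=8):
    """Walk issuer links from the server's certificate to a trusted CA.

    available:   {subject: Cert} for everything we can see (the server's own
                 certificate plus any intermediates it sent).
    trust_store: {subject: Cert} for our trust keystore (independently trusted CAs).
    Returns [leaf, ..., anchor] or raises ChainError. The signature check at
    each link is assumed to be done by the TLS library and is not modelled.
    """
    chain, seen, cert = [leaf], {leaf.subject}, leaf
    while True:
        if not _valid_at(cert, now):
            raise ChainError(f"{cert.subject}: outside its validity period")
        # Identity slide, step 3: the signer is in our trust keystore -> accept.
        anchor = trust_store.get(cert.issuer)
        if anchor is not None:
            if anchor.subject != cert.subject:   # a trusted self-signed leaf is already in chain
                if not _valid_at(anchor, now):
                    raise ChainError(f"{anchor.subject}: trusted CA certificate expired")
                chain.append(anchor)
            return chain
        # A self-signed certificate that nobody trusts ends the walk.
        if cert.issuer == cert.subject:
            raise ChainError(f"{cert.subject}: self-signed and not in the trust keystore")
        # Trust slide, step 3: look at who the signer is signed by, and so on.
        nxt = available.get(cert.issuer)
        if nxt is None:
            raise ChainError(f"{cert.subject}: issuer {cert.issuer!r} not available")
        if nxt.subject in seen or len(chain) >= max_depth:
            raise ChainError("issuer links loop or chain too long")
        seen.add(nxt.subject)
        chain.append(nxt)
        cert = nxt


def trust_decision(leaf, available, trust_store, now=NOW):
    """(True, [subjects of the chain]) when trust is established, else (False, reason)."""
    try:
        return True, [c.subject for c in build_chain(leaf, available, trust_store, now)]
    except ChainError as err:
        return False, str(err)


def sample():
    """Constructed sample PKI (not real certificates): root CA -> issuing CA -> server.

    Returns (root, issuing, server, stale, sent): `stale` is the same server name
    with the 2013-2014 validity shown in the keytool output later in the deck,
    and `sent` is what the server presents during the handshake."""
    d = datetime
    root = Cert("CN=Example Root CA", "CN=Example Root CA", d(2010, 1, 1), d(2030, 1, 1))
    issuing = Cert("CN=Example Issuing CA", "CN=Example Root CA", d(2012, 1, 1), d(2022, 1, 1))
    server = Cert("CN=somehost.localdomain", "CN=Example Issuing CA", d(2015, 2, 9), d(2017, 2, 4))
    stale = Cert("CN=somehost.localdomain", "CN=Example Issuing CA", d(2013, 2, 9), d(2014, 2, 4))
    sent = {c.subject: c for c in (server, issuing)}
    return root, issuing, server, stale, sent


def loop_sample():
    """Two constructed certificates that vouch for each other and nobody trusts."""
    a = Cert("CN=A", "CN=B", datetime(2015, 1, 1), datetime(2020, 1, 1))
    b = Cert("CN=B", "CN=A", datetime(2015, 1, 1), datetime(2020, 1, 1))
    return a, {a.subject: a, b.subject: b}


if __name__ == "__main__":
    root, issuing, server, stale, sent = sample()
    print(trust_decision(server, sent, {root.subject: root}))   # accepted via the root
    print(trust_decision(server, sent, {}))                     # empty trust keystore
    print(trust_decision(stale, sent, {root.subject: root}))    # expired leaf
```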

Page 15

SSL 1.0   <1995
SSL 2.0   1995
SSL 3.0   1996 (POODLE bug)
TLS 1.0   1999
TLS 1.1   2006
TLS 1.2   2008
TLS 1.3   2014 draft

TLS & SSL = same thing!
• Secure Sockets Layer very old but name still used
• Transport Layer Security the correct term

Page 16

Encryption

Cipher Suite
• Symmetric vs Asymmetric cryptography
• Negotiating protocol
• Message digest
• Mostly don’t need to worry about details
• Need to choose key length, e.g. 1024 bits
  • Greater needs more processing
  • Length affects resistance to attack (brute-force or otherwise)
  • Often mandated by your security or network team

Page 17

Agenda
• Concepts you need
• Fusion Middleware & SSL
• Tools

Page 18

Consider everything!

What kind of traffic should we consider encrypting?

Application Traffic
• External to perimeter and DMZ
• DMZ web servers to WebLogic servers
• WebLogic servers to databases

Administration Traffic
• Admin operations (human or machine)

Intra-component traffic
• WebLogic servers to other infrastructure, e.g. LDAP or SMTP
• Monitoring traffic (JMX but also OEM Agents)
• Cluster communications between peers (WebLogic and/or Coherence)

Image is taken from Oracle® Fusion Middleware: Administering Oracle Fusion Middleware

Page 19

Common tools to manage certificates

• keytool

• openssl

• orapki / Oracle Wallet Manager

• Oracle Enterprise Manager Fusion Middleware Control

Page 20

Overall process for creating certificate
1. Create key pair and Certificate
   (could be self signed - not much use unless every recipient is going to add you to their trust keystore!)
2. Create Certificate Signing Request (CSR)
3. Give CSR to CA to sign
4. Receive signed Certificate back from CA
5. Insert Certificate into (identity) keystore

(Diagram: secure website, + sometimes email)

Many sites offer free class 1 certificates. These certificates are intended for web sites which require protection of privacy and prevention of eavesdropping. However, the information presented within these certificates, except the domain name and email address, is not verified.

Page 21

Key Stores
For Fusion Middleware we're interested in:
• Java Keystores (JKS)
• Oracle Wallet (PKCS12 format)
• Oracle Key Store Services

Any of these:
• contains one or more certificates
• each certificate has a CN, and usually has an alias
• can contain both public and private keys

Page 22

Type of keystore per component

Component | Type of Keystore | Tasks | Tool
Oracle WebLogic Server | JKS-based Keystore or Oracle Key Store Service | All Keystore operations | JDK Keytool
Oracle WebLogic Server | JKS-based Keystore or Oracle Key Store Service | Enable SSL | Oracle WebLogic Server Administration Console
All Java EE applications | JKS-based Keystore or Oracle Key Store Service | All Keystore operations | JDK Keytool
Oracle HTTP Server, Oracle Web Cache, Oracle Internet Directory | Oracle Wallet | Create Wallet, Create Certificate Request, Delete Wallet, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST; Oracle Wallet Manager and orapki for PKCS#11 or Hardware Security Module (HSM)-based wallets
Oracle Virtual Directory, Oracle Unified Directory | JKS-based Keystore | Create KeyStore, Create Certificate Request, Delete KeyStore, Import Certificate, Export Certificate, Enable SSL | Fusion Middleware Control, WLST
Oracle SOA Suite | JKS-based Keystore or Oracle Key Store Service | All Keystore operations | JDK Keytool
Oracle WebCenter | JKS-based Keystore or Oracle Key Store Service | All Keystore operations | JDK Keytool

Page 23

Best Practice for Application Developers

Externalize SSL configuration parameters like keystore path, truststore path, and authentication type in a configuration file, rather than embedding these values in the application code. This allows you the flexibility to change SSL configuration without having to change the application itself. Even better is to utilize functionality from OPSS (Oracle Key Store Services).

Page 24

How WebLogic states its Identity
• Identity comes from a Java Keystore, the "identity keystore"
  • must contain a certificate & key-pair matching alias
• Each WebLogic server instance (Admin Server and Managed Servers) has to have an identity keystore to do SSL

How WebLogic Establishes Trust
• Trust comes from another JKS, the "trust keystore", or Oracle Key Store Service
  • Choice of standalone JKS or to use the one in the JDK trust (cacerts stored with the JRE; this is deprecated as of 12.2)
• Lack of trust is one of the most common reasons for SSL handshake failures

Page 25

Page 26

WebLogic Identity/Trust Combinations
• Demo Identity and Demo Trust (default - not for prod)
  • CN=hostname, signed by BEA CA that anyone can sign with
• Custom Identity and Java Standard Trust
  • determine trust from java/…
• Custom Identity and Custom Trust
  • our own identity and trust keystores
• Custom Identity and Command Line Trust
  • our own identity but trust keystore specified in start-up parameters

Page 27

Certificates Required
Server sends out its cert when someone tries to connect over SSL (i.e. one way) but can optionally request a cert from the client (two way) - console options:
• Client Certs Not Requested
• Client Certs Requested but Not Enforced
• Client Certs Requested and Enforced

Page 28

Hostname Verification
• None
• BEA Hostname Verifier
  • DemoCertFor_<your-domain> is valid if DemoTrust is selected as truststore
• Custom Hostname Verifier
  • e.g. weblogic.security.utils.SSLWLSWildcardHostnameVerifier
  • Wildcard verifier is built in as of 12c
• What does None mean?
  • The cert is requested, but it is not checked for a CN matching the host WebLogic is trying to connect to. It could be any old certificate.
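An added example (not code from the talk or from WebLogic) that models the verifier choices above as modes of one function: no check, exact match, and a wildcard match limited to a single left-most label. The rule that SAN dNSNames take precedence over the CN is the RFC 6125 behaviour assumed here, and the certificates are plain constructed dicts rather than parsed X.509 objects.

```python
NONE = "none"            # no check at all: any old certificate is accepted
EXACT = "exact"          # the presented name must equal the host exactly
WILDCARD = "wildcard"    # additionally allow one left-most "*" label


def claimed_names(cert):
    """Names the certificate claims for itself.

    cert is a constructed dict {"cn": str, "san": [dNSName, ...]}; as in
    RFC 6125, SAN dNSNames are used when present and the CN only as fallback."""
    sans = [n.lower().rstrip(".") for n in cert.get("san", [])]
    return sans if sans else [cert["cn"].lower().rstrip(".")]


def name_matches(pattern, host, allow_wildcard):
    if pattern == host:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    if suffix.count(".") < 2:                 # refuse "*.com": far too broad
        return False
    if not host.endswith(suffix):
        return False
    first_label = host[:-len(suffix)]
    # exactly one label may stand in for the "*": "a.example.com" matches,
    # "example.com" and "a.b.example.com" do not
    return first_label != "" and "." not in first_label


def verify_hostname(cert, host, mode):
    """True when the certificate is acceptable for `host` under `mode`."""
    host = host.lower().rstrip(".")
    if mode == NONE:
        return True                           # "None": the name is never compared to the host
    return any(name_matches(p, host, mode == WILDCARD) for p in claimed_names(cert))


def compare_modes(cert, host):
    """Outcome under every mode, to show what switching verification off changes."""
    return {m: verify_hostname(cert, host, m) for m in (NONE, EXACT, WILDCARD)}


if __name__ == "__main__":
    # constructed certificate: CN is the node name, SAN is the VIP clients actually use
    cert = {"cn": "node1.internal", "san": ["vip.example.com"]}
    print(compare_modes(cert, "vip.example.com"))                     # EXACT and WILDCARD True
    print(compare_modes(cert, "node1.internal"))                      # only NONE True
    print(compare_modes({"cn": "*.example.com"}, "app.example.com"))  # only NONE and WILDCARD True
```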

Page 29

Set ignoreHostnameVerification = true
• ignoreHostnameVerification stops WebLogic from presenting its identity
• We strongly recommend enabling hostname verification in all test and production environments
• Oracle® Fusion Middleware Securing Oracle WebLogic Server: "Oracle recommends leaving host name verification on in production environments"
• All MOS notes and blog posts suggesting to set ignoreHostnameVerification to true should be considered documentation bugs and false hints.

Page 30

Enabling SSL for Oracle HTTP Server Virtual Hosts for inbound requests

Page 31

Enabling SSL for Oracle HTTP Server Virtual Hosts for outbound requests, one way SSL
• Create custom keystore
• Import the trusted CA certificate used by Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate
  • Warning: in OHS 11g password protected wallets cannot be used
• Add
    WlSSLWallet "${DOMAIN_HOME}/config/fmwconfig/components/COMPONENT_TYPE/COMPONENT_NAME/keystores/default"
  to
    DOMAIN_HOME/config/fmwconfig/components/OHS/instance_name/ssl.conf

Page 32

Enabling SSL for Oracle HTTP Server Virtual Hosts for outbound requests, two way SSL
• Export the user certificate from the Oracle HTTP Server wallet, and import it into the truststore
• From the Oracle WebLogic Server Administration Console, select the Keystores tab for the server being configured.
• Set the custom trust store with the jks file location of the trust store
• Under the SSL tab, ensure that Trusted Certificate Authorities is set as from Custom Trust Keystore.
• Set the keystore type as JKS, and set the passphrase used to create the keystore.
• Ensure that Oracle WebLogic Server is configured for two-way SSL

Page 33

Configuring the OPSS Keystore Service for Custom Identity and Trust
• In Fusion Middleware Control, from the WebLogic Domain menu, select Security then Keystore
• Create a keystore in the system stripe.
• Select the keystore you just created and click Manage
• Click Generate Keypair to generate a private/public key pair
• You have the option to use this KSS Demo CA-signed key pair as-is, or to obtain a signed certificate from a reputable vendor
• Oracle recommends you use the preconfigured OPSS Keystore Service trust store
• Configure the WebLogic Server instance to use KSS for Custom Identity and Trust
• Configure SSL for the WebLogic Server instance

Page 34

SSL-Enabling a Data Source
• Add the root certificate (which is created when SSL-enabling the database) as a trusted certificate to the truststore.
• In the Oracle WebLogic Server Administration Console, navigate to the Connection pool tab of the data source that you are using. The properties you need to specify in the JDBC Properties text box depend on the type of authentication you wish to configure:

    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStoreType=JKS
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStoreType=JKS
    javax.net.ssl.trustStorePassword=...

• In the URL text box, enter the JDBC connect string. Ensure that the protocol is TCPS and that SSL_SERVER_CERT_DN contains the full DN of the database certificate:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=host-name)(PORT=port-number)))
      (CONNECT_DATA=(SERVICE_NAME=service))
      (SECURITY=(SSL_SERVER_CERT_DN="CN=server_test")))
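An added example (not from the talk or from Oracle's driver) that parses the descriptor form of the JDBC URL above and checks the two points the slide makes: every ADDRESS uses PROTOCOL=TCPS and SSL_SERVER_CERT_DN is present. The parser handles only the parenthesised key=value syntax shown on the slide; host, port and service in the sample URL are the slide's placeholders.

```python
THIN_PREFIX = "jdbc:oracle:thin:@"

# The connect string from the slide (host, port and service are placeholders).
SLIDE_URL = ('jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)'
             '(HOST=host-name)(PORT=port-number)))(CONNECT_DATA=(SERVICE_NAME=service))'
             '(SECURITY=(SSL_SERVER_CERT_DN="CN=server_test")))')


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def parse_node(s, i=0):
    """Parse one '(KEY=VALUE)' node at s[i]; VALUE is a scalar or nested nodes.

    Returns ((key, value), index_after_node); value is a str or a list of nodes."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    eq = s.index("=", i)
    key = s[i + 1:eq].strip().upper()
    i = _skip_ws(s, eq + 1)
    if s[i] == "(":                       # nested: (ADDRESS_LIST=(ADDRESS=...)...)
        children = []
        while s[i] == "(":
            child, i = parse_node(s, i)
            children.append(child)
            i = _skip_ws(s, i)
        value = children
    elif s[i] == '"':                     # quoted scalar: (SSL_SERVER_CERT_DN="CN=...")
        close = s.index('"', i + 1)
        value = s[i + 1:close]
        i = _skip_ws(s, close + 1)
    else:                                 # bare scalar: (HOST=host-name)
        close = s.index(")", i)
        value = s[i:close].strip()
        i = close
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return (key, value), i + 1


def find(node, key):
    """Yield every scalar value stored under `key`, at any depth."""
    k, v = node
    if isinstance(v, str):
        if k == key:
            yield v
    else:
        for child in v:
            yield from find(child, key)


def check_jdbc_url(url):
    """Findings for a WebLogic data-source URL that is meant to use SSL (TCPS)."""
    findings = []
    if not url.startswith(THIN_PREFIX):
        return ["not a thin-driver URL"]
    desc = url[len(THIN_PREFIX):].strip()
    if not desc.startswith("("):
        return ["short-form connect string: transport settings not visible in the URL"]
    root, end = parse_node(desc)
    if desc[end:].strip():
        findings.append("trailing text after descriptor")
    protocols = [p.upper() for p in find(root, "PROTOCOL")]
    if not protocols:
        findings.append("no PROTOCOL in ADDRESS")
    findings += ["cleartext transport PROTOCOL=" + p for p in protocols if p != "TCPS"]
    if not list(find(root, "SSL_SERVER_CERT_DN")):
        findings.append("SSL_SERVER_CERT_DN missing: database certificate DN is not checked")
    return findings


if __name__ == "__main__":
    print(check_jdbc_url(SLIDE_URL))                                      # []
    print(check_jdbc_url(SLIDE_URL.replace("PROTOCOL=TCPS", "PROTOCOL=TCP")))
```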

Page 35

Agenda
• Concepts you need
• Fusion Middleware & SSL
• Tools

Page 36

Keystore Naming Conventions
• Do not use a name longer than 256 characters
• Do not use any of the following characters in a keystore name:
  | ; , ! @ # $ ( ) < > / \ " ' ` ~ { } [ ] = + & ^ space tab
• Do not use non-ASCII characters in a keystore name
• Additionally, follow the operating system-specific rules for directory and file names

Page 37

Copying Keystores to File System Not Supported
Creating, renaming, or copying keystores directly to any directory on the file system is not supported.
Any existing pre-11g keystore or wallet that you wish to use must be imported using either Fusion Middleware Control or the WLST utility.
http://docs.oracle.com/cd/E21764_01/core.1111/e10105/wallets.htm

Page 38

Generate self signed certificate

keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 \
  -keypass ${KEY_PASSWORD}

What is your first and last name?
  [Unknown]: somehost.localdomain
What is the name of your organizational unit?
  [Unknown]: Example Department
What is the name of your organization?
  [Unknown]: Example Company
What is the name of your City or Locality?
  [Unknown]: Manchester
What is the name of your State or Province?
  [Unknown]: West Midlands
What is the two-letter country code for this unit?
  [Unknown]: GB
Is CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB correct?
  [no]: yes
Enter key password for <selfsigned>
  (RETURN if same as keystore password):

Page 39

Generate self signed certificate 2

keytool -genkey -keyalg RSA -alias selfsigned -keystore ${JKS} \
  -dname "CN=`hostname`, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB" \
  -storepass ${JKS_PASSWORD} -validity 360 -keysize 2048 -keypass ${KEY_PASSWORD}

Note on the CN: this must be the hostname that clients use to connect to you, e.g. it may be a CNAME or a VIP.

Page 40

Create key pair

keytool -genkey -alias `hostname` -keyalg RSA -keystore ${JKS} -keysize 2048

Page 41

Create certificate signing request

keytool -certreq -alias `hostname` -keystore ${JKS} -file ${REQUEST_FILE}

Page 42

Import a signed certificate from CA

keytool -import -trustcacerts -alias `hostname` -file ${SIGNED_CERT} -keystore ${JKS}

Page 43

List contents of keystore

keytool -list -v -keystore ${JKS} -storepass ${JKS_PASSWORD}

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
	 MD5: DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
	 SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3
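An added example, not from the talk, that parses the keytool -list -v output above and flags what an operator should act on before go-live: a self-signed entry (Owner equals Issuer), an expired or soon-expiring certificate, and a weak signature algorithm such as SHA1withRSA. The sample input is the slide's own output embedded as a string; the set of algorithms treated as weak is this example's choice.

```python
from datetime import datetime

# The "keytool -list -v" output from the slide, embedded as sample input.
SAMPLE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: selfsigned
Creation date: Feb 9, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Issuer: CN=somehost.localdomain, OU=Example Department, O=Example Company, L=Manchester, ST=West Midlands, C=GB
Serial number: 51165df7
Valid from: Sat Feb 09 14:32:23 GMT 2013 until: Tue Feb 04 14:32:23 GMT 2014
Certificate fingerprints:
\t MD5: DA:FF:F9:0B:EF:2D:26:DA:E9:48:22:1A:6E:7F:42:DF
\t SHA1: 46:8B:E7:DC:6B:95:69:34:85:43:A3:F7:C2:63:3B:29:F7:BD:9C:AD
Signature algorithm name: SHA1withRSA
Version: 3
"""

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"   # keytool's date layout as seen on the slide
WEAK_SIG = {"MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withECDSA"}  # example's own list


def parse_keytool_list(text):
    """Turn 'keytool -list -v' output into one dict per keystore entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.partition(":")[2].strip()}
            entries.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Entry type":
            cur["entry_type"] = value
        elif key == "Certificate chain length":
            cur["chain_length"] = int(value)
        elif key == "Signature algorithm name":
            cur.setdefault("sig_alg", value)      # setdefault: keep Certificate[1], the entry's own
        elif key == "Owner":
            cur.setdefault("owner", value)
        elif key == "Issuer":
            cur.setdefault("issuer", value)
        elif key == "Valid from":
            start, _, end = value.partition(" until: ")
            cur.setdefault("not_before", datetime.strptime(start, DATE_FMT))
            cur.setdefault("not_after", datetime.strptime(end, DATE_FMT))
    return entries


def audit(entries, now, warn_days=30):
    """Findings per alias, evaluated as of `now` (a naive datetime in GMT)."""
    findings = {}
    for e in entries:
        f = []
        if e.get("owner") and e.get("owner") == e.get("issuer"):
            f.append("self-signed: recipients must add it to their trust keystore")
        not_after = e.get("not_after")
        if not_after is not None:
            if not_after < now:
                f.append("expired")
            elif (not_after - now).days < warn_days:
                f.append("expires within %d days" % warn_days)
        if e.get("sig_alg") in WEAK_SIG:
            f.append("weak signature algorithm " + e["sig_alg"])
        findings[e["alias"]] = f
    return findings


def audit_text(text, now_iso):
    """Convenience wrapper: parse the output and audit it as of an ISO date string."""
    return audit(parse_keytool_list(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for alias, problems in audit_text(SAMPLE, "2016-02-01").items():
        print(alias, "->", problems)
```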

Page 44

keytool commands for checking
• Check a stand-alone certificate
  keytool -printcert -v -file ${CERTIFICATE}
• Check which certificates are in a Java keystore
  keytool -list -v -keystore ${JKS}
• Check a particular keystore entry using an alias
  keytool -list -v -keystore ${JKS} -alias ${ALIAS}

Page 45

Other useful keystore commands
• Delete a certificate from a Java Keytool keystore
  keytool -delete -alias ${ALIAS} -keystore ${JKS}
• Change a Java keystore password
  keytool -storepasswd -new ${NEW_PASSWORD} -keystore ${JKS}
• Export a certificate from a keystore
  keytool -export -alias ${ALIAS} -file ${CERTIFICATE} -keystore ${JKS}

51

Page 46: FME congres 2016: SSL Everywhere!


Copy key to other keystore

SRC_ALIAS=cn=`hostname`
keytool -importkeystore -srckeystore ${JKS} -srcstorepass ${JKS_PASSWORD} \
  -destkeystore ${IDENTITY_KS} -deststorepass ${ID_KS_PASSWORD} \
  -srcalias ${SRC_ALIAS} -destalias `hostname` -destkeypass ${ID_KS_PASSWORD} <<EOF
yes
EOF

52

Page 47: FME congres 2016: SSL Everywhere!


Convert wallet to keystore

orapki wallet pkcs12_to_jks -wallet ${WALLET} \
  -pwd ${WALLET_PASSWORD} \
  -jksKeyStoreLoc ${JKS} \
  -jksKeyStorepwd ${JKS_PASSWORD} \
  -jksTrustStoreLoc ${TRUSTSTORE} \
  -jksTrustStorepwd ${TRUST_PWD}

53

Page 48: FME congres 2016: SSL Everywhere!


Convert keystore to wallet

orapki wallet create -wallet ${WALLET} \
  -pwd ${WALLET_PASSWORD} \
  -auto_login

orapki wallet jks_to_pkcs12 -wallet ${WALLET} \
  -pwd ${WALLET_PASSWORD} \
  -keystore ${JKS} \
  -jkspwd ${JKS_PASSWORD}

54

Page 49: FME congres 2016: SSL Everywhere!


About Importing DER-encoded Certificates

You cannot use Fusion Middleware Control or the WLST command-line tool to import DER-encoded certificates or trusted certificates into an Oracle wallet or a JKS keystore. Use these tools instead:

• To import DER-encoded certificates or trusted certificates into an Oracle wallet, use Oracle Wallet Manager or the orapki command-line tool.

• To import DER-encoded certificates or trusted certificates into a JKS keystore, use the keytool utility.

55

Page 50: FME congres 2016: SSL Everywhere!


We twit:
• @simon_haslam
• @oraclemva

We blog:
• http://simonhaslam.co.uk
• http://oraclemva.wordpress.com

We snailmail:
• But we are not sharing our home addresses

We email:
• simon dot haslam at eproseed dot com
• jacco dot landlust at ing.nl

Questions?

56

Page 51: FME congres 2016: SSL Everywhere!


Important legal information

ING Group’s Annual Accounts are prepared in accordance with International Financial Reporting Standards as adopted by the European Union (‘IFRS-EU’).

In preparing the financial information in this document, the same accounting principles are applied as in the 2014 ING Group Annual Accounts. All figures in this document are unaudited. Small differences are possible in the tables due to rounding.

Certain of the statements contained herein are not historical facts, including, without limitation, certain statements made of future expectations and other forward-looking statements that are based on management’s current views and assumptions and involve known and unknown risks and uncertainties that could cause actual results, performance or events to differ materially from those expressed or implied in such statements. Actual results, performance or events may differ materially from those in such statements due to, without limitation: (1) changes in general economic conditions, in particular economic conditions in ING’s core markets, (2) changes in performance of financial markets, including developing markets, (3) consequences of a potential (partial) break-up of the euro, (4) ING’s implementation of the restructuring plan as agreed with the European Commission, (5) changes in the availability of, and costs associated with, sources of liquidity such as interbank funding, as well as conditions in the credit markets generally, including changes in borrower and counterparty creditworthiness, (6) changes affecting interest rate levels, (7) changes affecting currency exchange rates, (8) changes in investor and customer behaviour, (9) changes in general competitive factors, (10) changes in laws and regulations, (11) changes in the policies of governments and/or regulatory authorities, (12) conclusions with regard to purchase accounting assumptions and methodologies, (13) changes in ownership that could affect the future availability to us of net operating loss, net capital and built-in loss carry forwards, (14) changes in credit ratings, (15) ING’s ability to achieve projected operational synergies and (16) the other risks and uncertainties detailed in the Risk Factors section contained in the most recent annual report of ING Groep N.V. 
Any forward-looking statements made by or on behalf of ING speak only as of the date they are made, and, ING assumes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information or for any other reason.

This document does not constitute an offer to sell, or a solicitation of an offer to purchase, any securities in the United States or any other jurisdiction. The securities of NN Group have not been and will not be registered under the U.S. Securities Act of 1933, as amended (the “Securities Act”), and may not be offered or sold within the United States absent registration or an applicable exemption from the registration requirements of the Securities Act.

www.ing.com