Saturday 1 October 2016

WebLogic 12c 12.1.3 HTTPS TLSv1.2 Only Enablement

Pre-requisite

HTTPS and TLSv1.2 Only Enablement
  • HTTPS Enablement
    • Log in to the Admin Console of the WebLogic Admin Server
    • Select from left tree "base_domain -> Environment -> Servers"
    • Select the Server which you want to enable for HTTPS, for example "Server-1"
    • Select the tab "Configuration -> General", select "SSL Port Enabled" and provide an HTTPS port, for example 8082
    • Select the tab "Configuration -> Keystores" and provide the following values:
      • Keystores: Select "Custom Identity and Custom Trust"
      • Custom Identity Keystore: the path to identity jks in the machine
      • Custom Identity Keystore Type: JKS
      • Custom Identity Keystore Passphrase: the password of identity keystore
      • Confirm Custom Identity Keystore Passphrase: the password of identity keystore
      • Custom Trust Keystore: the path to trust jks in the machine
      • Custom Trust Keystore Type: JKS
      • Custom Trust Keystore Passphrase: the password of trust store keystore
      • Confirm Custom Trust Keystore Passphrase: the password of trust store keystore
    • Select the tab "Configuration -> SSL" and provide the following values:
      • Identity and Trust Locations: Keystores
      • Private Key Alias: the alias name of the identity certificate
      • Private Key Passphrase: the passphrase of the private key of the identity certificate
      • Confirm Private Key Passphrase: the passphrase of the private key of the identity certificate
    • You may make the same changes for the Admin Server as well if you want to enable HTTPS on the Admin Server port.
    • Restart the servers for the HTTPS enablement to take effect, then open the server URL on the HTTPS port to verify.
  • TLSv1.2 Only Restriction
    • Select the tab "Configuration -> Server Start" and provide the following values:
      • Arguments: -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dweblogic.security.SSL.allowUnencryptedNullCipher=false -Dweblogic.security.disableNullCipher=true
    • Restart the Servers
  • To restrict ciphers
    • Stop NodeManager, AdminServer and all other Servers
    • Modify config.xml
      • $ cd /app/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config
      • $ vi config.xml
      • Add the following ciphers under the respective server section, for example
        • <server>
        • <name>Server-1</name>
        • <ssl>
        • <enabled>true</enabled>
        • <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
        • <ciphersuite>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
        • <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
        • <ciphersuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
        • .....
        • .....
      • Save the modification in config.xml
    • Restart NodeManager, AdminServer and respective Servers.
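
An added example, not part of the original post or of WebLogic itself: a Python check that reads config.xml after the steps above and reports, per server, whether SSL is enabled, which listed cipher suites are weak or lack forward secrecy, and whether the TLSv1.2 minimum is set. It assumes the Server Start arguments are stored under `<server-start><arguments>`, that suites use TLSv1.2-style names, and a marker list and function names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Markers chosen for this example; not a list from the original post.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5")
MIN_TLS_ARG = "-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"

def _kids(parents, name):
    """Children of any parent with this local name (config.xml is namespaced)."""
    return [c for p in parents for c in p if c.tag.rsplit("}", 1)[-1] == name]

def _text(parents, name):
    return " ".join((c.text or "").strip() for c in _kids(parents, name))

def audit_config(xml_text):
    """Return {server name: [findings]} for each <server> in a config.xml."""
    report = {}
    for server in _kids([ET.fromstring(xml_text)], "server"):
        findings = []
        ssl = _kids([server], "ssl")
        if _text(ssl, "enabled") != "true":
            findings.append("SSL port not enabled")
        suites = _text(ssl, "ciphersuite").split()
        if not suites:
            findings.append("no explicit <ciphersuite> entries")
        for suite in suites:
            if any(m in suite for m in WEAK_MARKERS):
                findings.append("weak suite: " + suite)
            elif not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append("no forward secrecy: " + suite)
        # Assumption: the Server Start tab arguments are stored in this element.
        args = _text(_kids([server], "server-start"), "arguments").split()
        if MIN_TLS_ARG not in args:
            findings.append("minimumProtocolVersion=TLSv1.2 not set")
        report[_text([server], "name")] = findings
    return report

# Constructed sample, not a real domain's config.xml.
SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
 <server><name>Server-1</name>
  <ssl><enabled>true</enabled>
   <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
   <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
   <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite></ssl>
  <server-start><arguments>-Dweblogic.security.SSL.enableJSSE=true</arguments></server-start>
 </server>
</domain>"""

if __name__ == "__main__":
    print(audit_config(SAMPLE))
```

An empty findings list for a server means its config.xml entry matches the steps above; it does not replace connecting to the HTTPS port after the restart.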
Thank You!
