Chapter 18

SSL Configuration

Configuring SSL in Tomcat

To enable SSL, you must generate the keys first and then configure the server to use them. (Tomcat is used as the example in this chapter.) To enable two-way SSL, follow these steps:

I. Generating keys for the server and client

Step 1 Generate keys for the server. To do this:

a. Use the following from the command prompt:
   keytool -genkey -alias tomcat -keyalg RSA -keystore server.keystore

b. Enter keystore password: changeit

c. Follow the prompts and give the inputs. When prompted for the key password, provide it: changeit. This creates the server keys.

changeit is the well-known default password of the JDK's cacerts file; treat it as a placeholder and use it only in a test setup.

Step 2 Export the server certificate. To do this:

a. Use the following from the command prompt:
   keytool -export -alias tomcat -storepass changeit -file server.cer -keystore server.keystore

   (-genkey has already produced a self-signed certificate for the alias, and keytool accepts only one command per invocation, so -selfcert is not combined with -export.)

This exports the server certificate to the server.cer file.

Step 3 Generate the keys for the client. To do this:

a. Use the following from the command prompt:
   keytool -genkey -alias client -keyalg RSA -keystore client.keystore

b. Enter keystore password: changeit

c. Follow the prompts and give the inputs. When prompted for the key password, provide it: changeit. This creates the client keys.

Step 4 Export the client certificate. To do this:

a. Use the following from the command prompt:
   keytool -export -alias client -storepass changeit -file client.cer -keystore client.keystore

This creates a file called client.cer with the client-side certificate.

Cisco Enterprise Policy Manager Installation and Configuration Guide OL-19551-01


Step 5 Import the server certificate into the client trust store, and the client certificate into the trust store that Tomcat uses. To do this:

a. Use the following from the command prompt:
   keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass changeit -storepass changeit

b. Import the client certificate into the JRE trust store, which is what Tomcat consults for client certificates when clientAuth is enabled and no truststoreFile is configured. Use the following from the command prompt:
   keytool -keystore \jre\lib\security\cacerts -storepass changeit -file client.cer -import -alias client -trustcacerts

   (The cacerts path is given relative to the Java installation directory.) Because cacerts is shared by every application that runs on this JRE, the client certificate becomes trusted JVM-wide, not only by Tomcat. A dedicated trust store referenced from the Tomcat connector (truststoreFile and truststorePass) keeps that trust local to Tomcat.

II. Tomcat configuration

Step 6 Edit server.xml and enable two-way SSL as follows:

Note You must set clientAuth="true", which enables two-way SSL. If you disable it, the SSL is only one-way: the server is authenticated to the client, but the client is not authenticated to the server.

Note If you want to use your own keystore with a protected password, update the keystoreFile= parameter with the keystore path and keystorePass= with the password.

Without those parameters, this configuration looks for a file called .keystore with the password changeit in the user's home directory. On Windows, that directory is under C:\Documents and Settings\.

Step 7 When this configuration is complete, start your Tomcat instance; you should be able to access it via SSL.

Step 8 To make the PEP communicate with the PDP over two-way SSL, use the following Java Virtual Machine (JVM) parameters:

-Djavax.net.ssl.trustStore=client.keystore
-Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=server.keystore
-Djavax.net.ssl.keyStoreType=JKS
-Djavax.net.ssl.keyStorePassword=changeit

Passwords passed as -D options are visible to anyone who can read the process's command line, so restrict who can list processes on the PEP host.
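The following script is an added example, written by the editor and not part of the Cisco guide, that carries out Steps 1 to 6 and Step 8 of the Tomcat procedure in one unattended run. It uses the same keytool operations as the guide (the same import operation is what the WebLogic section's Step 6 runs by hand), with three deliberate differences, all of them editor's choices rather than anything the guide states: the password is handed to keytool through the STOREPASS environment variable instead of on the command line; the client certificate goes into a dedicated trust store referenced from the Connector instead of the JRE's cacerts; and the PEP JVM options point keyStore at client.keystore, the key pair whose certificate the server trusts after Step 5, rather than at server.keystore. The working directory, subject DNs, key size and validity are also assumed.

```shell
#!/bin/sh
# Editor's example for the Tomcat two-way SSL steps above; not from the Cisco guide.
# Assumed (not in the guide): WORKDIR, the -dname values, 2048-bit keys, 365-day
# validity, the STOREPASS variable, and a trust store separate from the JRE cacerts.
set -eu

WORKDIR="${WORKDIR:-./twoway-ssl}"
STOREPASS="${STOREPASS:-changeit}"   # "changeit" is a placeholder, not a production secret
export STOREPASS                     # keytool reads it via -storepass:env, so it never shows in ps

# Step 1 / Step 3: RSA key pair plus self-signed certificate in its own JKS keystore.
gen_keypair() {   # $1 alias, $2 keystore file, $3 subject DN
    keytool -genkey -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$3" -storetype JKS -keystore "$2" \
        -storepass:env STOREPASS -keypass:env STOREPASS
}

# Step 2 / Step 4: export the certificate. -genkey already made it self-signed, so
# -export alone is enough; keytool accepts one command per run ("-selfcert -export" fails).
export_cert() {   # $1 alias, $2 keystore file, $3 output .cer file
    keytool -export -alias "$1" -keystore "$2" -storepass:env STOREPASS -file "$3"
}

# Step 5: import a certificate as a trusted entry; -noprompt answers "Trust this certificate?".
import_trusted() {   # $1 alias, $2 certificate file, $3 trust store file
    keytool -import -noprompt -trustcacerts -alias "$1" -file "$2" \
        -storetype JKS -keystore "$3" -storepass:env STOREPASS
}

# Entry count that "keytool -list" reports ("Your keystore contains N entries").
entry_count() {   # $1 keystore file
    keytool -list -keystore "$1" -storepass:env STOREPASS \
        | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

build_stores() {
    mkdir -p "$WORKDIR"
    WORKDIR=$(cd "$WORKDIR" && pwd)
    rm -f "$WORKDIR"/server.keystore "$WORKDIR"/client.keystore "$WORKDIR"/server.truststore
    gen_keypair tomcat "$WORKDIR/server.keystore" "CN=pdp.example.test,O=Example"  # Step 1
    export_cert tomcat "$WORKDIR/server.keystore" "$WORKDIR/server.cer"            # Step 2
    gen_keypair client "$WORKDIR/client.keystore" "CN=pep.example.test,O=Example"  # Step 3
    export_cert client "$WORKDIR/client.keystore" "$WORKDIR/client.cer"            # Step 4
    import_trusted tomcat "$WORKDIR/server.cer" "$WORKDIR/client.keystore"         # Step 5a
    # Step 5b of the guide puts client.cer into the JRE cacerts, trusted by every Java
    # program on the host; a dedicated trust store limits that trust to this connector.
    import_trusted client "$WORKDIR/client.cer" "$WORKDIR/server.truststore"
}

# Step 6: Connector fragment for server.xml. clientAuth="true" makes the connection
# two-way; "want" would request but not require a client certificate.
connector_fragment() {
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$WORKDIR/server.keystore" keystorePass="$STOREPASS"
           truststoreFile="$WORKDIR/server.truststore" truststorePass="$STOREPASS"/>
EOF
}

# Step 8: PEP-side JVM options. Editor's assumption: the PEP presents client.keystore
# (the key the server trusts) and also trusts server.cer through it (imported in 5a).
pep_jvm_opts() {
    printf '%s ' \
        "-Djavax.net.ssl.keyStore=$WORKDIR/client.keystore" \
        "-Djavax.net.ssl.keyStoreType=JKS" \
        "-Djavax.net.ssl.keyStorePassword=$STOREPASS" \
        "-Djavax.net.ssl.trustStore=$WORKDIR/client.keystore" \
        "-Djavax.net.ssl.trustStoreType=JKS" \
        "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
    echo
}

# Usage: STOREPASS='...' sh twoway-ssl.sh run
if [ "${1:-}" = "run" ]; then
    build_stores
    echo "client.keystore entries:   $(entry_count "$WORKDIR/client.keystore")"   # 2: client key + tomcat cert
    echo "server.truststore entries: $(entry_count "$WORKDIR/server.truststore")" # 1: client cert
    connector_fragment
    pep_jvm_opts
fi
```

After the run, keytool -list on client.keystore shows two entries (the client PrivateKeyEntry and the tomcat trustedCertEntry), which is the quickest check that Step 5a happened; a connector with clientAuth="true" and a trust store that does not contain the client certificate fails the handshake rather than serving the request, so verify both stores before starting Tomcat.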


Configuring SSL in WebLogic

This section describes how to configure SSL in WebLogic Application Server (V10.03) when the PAP and PDP communicate with each other over SOAP. Follow these steps to configure SSL in WebLogic:

Step 1 Generate the keystore and certificate through the keytool UI. Refer to the following URL: http://m-button.blogspot.com/2008/11/how-to-configure-weblogic-to-use-ssl.htm

Step 2 Download the ktl241sta.jar file from the following URL: http://yellowcat1.free.fr/index_ktl.html

This is a third-party tool hosted on a personal site; inspect what you download before running it under the WebLogic JAVA_HOME.

Step 3 Unjar the jar file into a local directory.

Step 4 Edit the run_ktl.bat or run_ktl.sh file, specifying JAVA_HOME (the WebLogic JAVA_HOME).

Step 5 Configure SSL in WebLogic by following the instructions in the readme.txt file in the unjarred folder.

Step 6 Once the SSL configuration is done, take the following actions:

• Import the certificate into the keystore WEBLOGIC_HOME\JAVA_HOME\jre\lib\security\cacerts. To do this, run the following command:
  WEBLOGIC_HOME\JAVA_HOME\bin\keytool -import -alias weblogic -trustcacerts -file C:\SSL\weblogic.cer -keystore WEBLOGIC_HOME\JAVA_HOME\jre\lib\security\cacerts

• Import the certificate into a keystore of your own (any name, for example C:\SSL\wl.keystore). To do this, run the following command:
  WEBLOGIC_HOME\JAVA_HOME\bin\keytool -import -alias client -trustcacerts -file C:\SSL\weblogic.cer -keystore C:\SSL\wl.keystore

Step 7

Open config.xml, located in the WEBLOGIC_HOME\user_projects\domains\your domain\config folder, and add the false tag in the tag as shown below:

cepm AuthenticatedUser WebLogicCertPathProvider myrealm myrealm {3DES}eowmt9vlrOE91iCnIOEzB5zWfmY0WHZJmgbsTaQw0kCXsgM7cFowMth005qMvQ4SCV88SXf9XzAEkpptTh5uD/tA+MLmArbQ admin {3DES}nipW/DYAEGFQAnDanvkVyQ== false


Step 8 Restart the WebLogic server.

Step 9 To use this keystore in the PAP UI, establish the PAP-PDP communication through WebLogic SSL. To do this:

• Create a PDP with the HTTPS protocol and specify the truststorelocation as C:\SSL\wl.keystore and the truststorepassword (the same password you used when importing the certificate into the keystore, for example changeit).

• Check the PDP status. If you pass the right trust store location and password, the status message is 'Alive'; otherwise it is 'Not Alive'.

When you check the status or send a request to the PDP for the first time, all the SSL details (trust store and password) are cached in the session for that particular protocol, host IP address and port number, for example https://localhost:7002/cepm. If you then edit the PDP and give a wrong truststorelocation and password, the change is not reflected until you restart the server, because the SSL details are picked up from the session.

For example: create a PDP with host localhost and the correct credentials (trust store location and password), say https://localhost:7002/pdp/services/AuthorizationService. Create another PDP for the same machine, addressed by IP address instead of host name, and provide wrong credentials, say https://64.103.172.216:7002/pdp/services/AuthorizationService. When you check the status of the first PDP, it shows Alive, because you passed the right credentials. When you check the status of the second PDP, it also shows Alive even though you passed the wrong credentials, because both URLs represent the same machine: the check of the first PDP cached the SSL details in the session, and the check of the second PDP picks them up from there.

Note This behaviour is the same for LDAP, Tomcat, WebSphere and WebLogic SSL. Whenever you change the trust store location or password, you must restart the server for the change to take effect. A status of Alive therefore does not prove that the settings currently stored for a PDP are correct; when validating a change, restart the server and check the status again.

Configuring SSL in WebSphere

Follow these steps to configure SSL in WebSphere:

Step 1 Create a self-signed certificate using the iKeyman tool.

Note Refer to the following URL to create the certificate: http://www.adobe.com/devnet/livecycle/articles/config_ssl_websphere.html

Step 2 Configure WAS to use the certificate created in Step 1 for SSL communication, as follows:

• Log in to the WebSphere administration console.

• Navigate to Security > SSL certificate and key management > Key stores and certificates > New. Enter the following keystore details:
  – Path: absolute path of the key store.
  – Password: key store password, if any.
  – Type: JKS (because JKS was selected in the iKeyman tool).

• Go to Security > SSL certificate and key management > SSL configurations:
  – Click NodeDefaultSSLSettings to edit it.
  – Select the trust store name created in the previous step from the drop-down list.
  – Click Get certificate aliases.

• Restart WAS.

Note For the IBM JDK, set the following properties in the WAS_HOME\WebSphere\AppServer\java\jre\lib\security\java.security file:

# Default JSSE socket factories
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
# WebSphere socket factories (in cryptosf.jar)
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

Initially the following entries are commented out; uncomment them:
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

Similarly, comment out the following entries, which are uncommented by default:
#ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
#ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

java.security is read by every application running on that JVM, so this change affects all of them, not only CEPM.

Step 3 Deploy CEPM and verify that the UI works over the SSL connection.

Configuring SSL in CEPM

The following scenarios are considered from the SSL point of view.

Configuring SSL for PEP-PDP communication:

If both of these components run in one server, only one-way SSL is possible, so you configure SSL in the PEP server. If they run in two different servers, you can configure one-way SSL on the PEP side by specifying the keystore details (for example, password and location). On the PDP side, you must enable two-way SSL by providing the keystore details as well as the trust store details.

Configuring SSL for PAP-PDP communication:

If both of these components run in one server, only one-way SSL is possible, so you configure SSL in the PAP server. If they run in two different servers, you can configure one-way SSL on the PAP side by specifying the keystore details (for example, password and location). On the PDP side, you must enable two-way SSL by providing the keystore details as well as the trust store details.


Note If you are using Firefox 3.x and have enabled SSL on your application server, you may get a warning page, because the server certificate is self-signed. Bypass the warning as follows:

a. On the warning page, click Or you can add an exception....

b. Click Add Exception.... The Add Security Exception dialog appears.

c. Click Get Certificate.

d. Read the text describing the problems with this site, and check that the certificate shown is the one you generated for the server.

e. Click Confirm Security Exception if you want to trust the site.

Configuring SSL in LDAP (Sun One Server)

To enable SSL, you must generate the keys first and then configure the server to use them. (Currently this feature supports only Sun One Server.) The following is the step-by-step procedure for enabling two-way SSL.

I. Generate the SSL certificate

Step 1 Log in to the Sun One server console. Double-click 'Directory Server' and click 'Manage Certificates'.

Step 2 If you are using it for the first time, it asks for a password. This password is the token password, which you must supply whenever you restart the Directory Server after enabling SSL.

Step 3 On the 'Server Certs' tab, click 'Request'. In the 'Certificate Request Wizard' dialog box, select 'Request Certificate Manually'.

Step 4 In Request Information, specify the details. (All of the fields are optional.)

Step 5 After entering the details, click Next.

Step 6 Enter the token password (the password specified initially when you clicked Manage Certificates) and click Next.

Step 7 In Request Submission, save the request to a file. (You obtain the SSL certificate by using this request.)

II. Sun One configuration

Step 8 After obtaining the SSL certificate, log in to the Sun One server console.

Step 9 Open the Directory Server.

Step 10 Click Manage Certificates > Server Certs and install the SSL certificate.

Step 11 Similarly, go to CA Certs on the same screen and install the same SSL certificate there.

Step 12 In the Directory Server, go to the Configuration tab > Encryption tab. Check 'Enable SSL for this server' and check 'Use this cipher family: RSA'.

Step 13 Select the 'Allow Client Authentication' radio button. Allow accepts connections with or without a client certificate; if every client must present one, choose the option that requires client authentication instead.

Step 14 Under DSML Authentication, select 'Only use Client certificate'.

Step 15 Go to the 'Network' tab and select the 'Both secure and non-secure ports' radio button. Leaving the non-secure port enabled means clients can still bind in clear text on port 389; switch to the secure-only setting once every client has moved to port 636.

Step 16 Click 'Save' to save the configuration.

Step 17 Restart the Directory Server. When you restart it, it asks for the token password. Once the Directory Server has started, you can see port number 636 if SSL was enabled successfully.
