Ignoring SSL Hostname Verification in Weblogic

Usually the only problem when using SSL in WebLogic is hostname verification, which will make the server fail to start. For production, however, it is recommended to keep hostname verification enabled, so the server is not vulnerable to man-in-the-middle attacks. This how-to is based on WebLogic 10.3.3 and Solaris 10.

1. Add this parameter to the Java Arguments of each managed server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

2. Add this JAVA_OPTIONS line to startWebLogic.sh in the domain's bin directory:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

3. In the WebLogic Server Administration Console:

Expand the Servers node.
Select the name of the server (for example, exampleserver).
Select the Configuration -> Keystores and SSL tab.
Click the Show link under Advanced Options.
Go to the Client attributes section of the window.
Set the Hostname Verification field to None.
Repeat for all servers.
Restart WebLogic.

4. If the Node Manager uses SSL, make the following changes in nodemanager.properties (/opt/oracle11/wlserver_10.3/common/nodemanager):

KeyStores=CustomIdentityAndJavaStandardTrust
CustomIdentityKeyStoreFileName=/opt/oracle11/ssl/webkeystore.jks
CustomIdentityAlias=keystore-alias-web
CustomIdentityPrivateKeyPassPhrase=storepass-password
CustomTrustKeyStoreFileName=/aprisma/jdk1.6/jre/lib/security/cacerts

5. Add this JAVA_OPTIONS line near the beginning of startNodeManager.sh (/opt/oracle11/wlserver_10.3/server/bin), above this line (NODEMGR_HOME="${WL_HOME}/common/nodemanager"):

# A space is needed before ${JAVA_OPTIONS}; without it the existing options are glued onto "false".
JAVA_OPTIONS="-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false ${JAVA_OPTIONS}"

6. Add this JAVA_OPTIONS line near the beginning of setDomainEnv.sh (/opt/oracle11/user_projects/domains/domain-name/bin), below this block:

if [ "${WEBLOGIC_EXTENSION_DIRS}" != "" ] ; then
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ext.dirs=${WEBLOGIC_EXTENSION_DIRS}"
    export JAVA_OPTIONS
fi

# -D options must be separated by spaces, not semicolons, and the existing
# ${JAVA_OPTIONS} must follow a space; otherwise the JVM receives one malformed
# argument. The documented property for the identity keystore type is
# -Dweblogic.security.CustomIdentityKeyStoreType.
JAVA_OPTIONS="-Dweblogic.security.IdentityKeyStore=CustomIdentity \
 -Dweblogic.security.CustomIdentityKeyStoreFileName=/opt/oracle11/ssl/webkeystore.jks \
 -Dweblogic.security.CustomIdentityKeyStorePassPhrase=storepass-password \
 -Dweblogic.security.CustomIdentityKeyStoreType=JKS \
 -Dweblogic.security.TrustKeyStore=JavaStandardTrust \
 -Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=changeit \
 ${JAVA_OPTIONS}"

To use the trusted CAs in the JDK’s cacerts, specify:

-Dweblogic.security.TrustKeyStore=JavaStandardTrust
-Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=changeit

To use the trusted CAs in DemoTrust.jks and in the JDK’s cacerts, specify:

-Dweblogic.security.TrustKeyStore=DemoTrust
-Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=changeit

To use the trusted CAs from another keystore, specify:

-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStoreFileName=filename
-Dweblogic.security.CustomTrustKeyStoreType=type
-Dweblogic.security.CustomTrustKeyStorePassPhrase=passphrase

7. Restart all the servers to check.
