keytool BIEE与LDAP配置SSL连接

--LDAP
OBIEE 11g Security Week : Connecting to Active Directory, and Obtaining Group Membership from Database Tables
https://www.rittmanmead.com/blog/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
http://ecapitaladvisors.com/blog/obiee-quick-ldap-configuration/
https://docs.oracle.com/middleware/12211/biee/BIESC/GUID-34F68CB5-5B84-4D72-B82A-BE5A2DC90D13.htm#BIESC6078

 

Weblogic启动慢解决方法(也许 /u02/BIEE12C/oracle_common/jdk/jre)
3)最好的解决办法: 修改Linux上Weblogic使用的jdk $JAVA_HOME/jre/lib/security/java.security 文件
  将securerandom.source=file:/dev/urandom 修改为
  securerandom.source=file:/dev/./urandom

 

 

Java-Keytool

https://www.cnblogs.com/sunkaikees/p/10273897.html

https://baike.baidu.com/item/keytool/5885709?fr=aladdin

https://www.chinassl.net/ssltools/keytool-commands.html

https://blog.csdn.net/yinhuaiya/article/details/81774314

配置https或socket-ssl时等需要用到证书,如果公司没有正规证书,则需要生成自签名证书,以下介绍两种方法。我自己配置nginx https用openssl, socket 加入ssl用Java的keytool。

## java 证书工具keytool生成自签名证书和自签CA证书 

jdk自带的证书管理工具叫keytool,在jdk/bin目录下,可以用来生成自签名证书、导入导出证书、打印证书信息等。

### 1. 名词

自签名证书:用自己的私钥签发自己的公钥即主体信息生成的证书。
证书签名:对证书固定值进行hash后用密钥对中的私钥对hash值加密
keystore:  keytool生成证书的存储库,用来存储若干条目,每一条目包含公私钥,主体信息等。默认为用户目录下.keystore,相当于一个有密码保护的文件。
truststore: 与keystore格式相同,只是为区分keystore用来存放信任的证书的新的库,不存密钥等信息。

der:证书编码格式,证书结构体转换为二进制格式。
pem:证书编码格式,对der二进制编码的base64字符,包含---begin---,----end----。// 命令中加-rfc可打印和生成此类文件
.csr:证书请求文件格式,包含公钥和主体信息,发给ca,ca用私钥对内容签名并制作成证书返回。keytool在生成csr文件时需要指定证书(即公钥与主体信息)。
.crt:一般用于linux系统的证书格式,包含公钥和主体信息。
.cer:一般用于windows的证书文件格式,包含公钥和主体信息。
.p12:证书交换格式,包含公钥私钥(私用密码加密),用于交换传输。

BIEE LDAP:

Enabling an LDAP Authentication Provider for SSL
https://docs.oracle.com/middleware/12211/wls/SECMG/ldap_atn.htm#SECMG539

如果 LDAP 服务器连接使用 SSL,请创建并使用定制信任密钥库。有关信息,请参阅为 LDAP 验证提供程序启用 SSL

keytool -import -keystore ./ldapTrustKS -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt

 

 

信任库和密钥库定义

https://www.orcode.com/question/44976_ka5d78.html

AD域证书申请,导入Java密钥库,实现ldap修改AD用户密码

https://blog.csdn.net/hc1017/article/details/81293323

WebLogic配置自己定义密钥库和SSL的操作手冊

https://www.cnblogs.com/wzjhoutai/p/6772493.html

WebLogic配置自己定义密钥库和SSL的操作手冊

(定制标识和定制信任&Keytool&TLS1.0)

1、启用SSLport

 

保存。重新启动受管Server

 

IE浏览器訪问

谷歌浏览器訪问

2、查看密钥库和SSL配置

密钥库

SSL

 

 

3、手动制作identity.jks和trust.jks

新建jks文件夹

[weblogic@Weblogic201 ~]$ mkdir jksHL

[weblogic@Weblogic201 ~]$ cd jksHL/

 

生成标识identity.jks密钥库

例如以下标黄色背景部分的说明:

weblogicHL为“SSL—私有密钥别名”。

keypass123为“SSL—私有密钥password短语”;

storepass123为“密钥—标识(identity)—定制标识密钥库password短语”。

storepass123为“密钥库—信任(trust)—定制标识密钥库password短语”。

3650为自己定义证书的有效期,单位为天;

[weblogic@Weblogic201 jksHL]$ keytool -genkey -alias weblogicHL -keyalg RSA -keypass keypass123 -keystoreidentity.jks -storepass storepass123-validity 3650

What is your first and last name?

 [Unknown]:  HaiLang     

What is the name of your organizationalunit?

 [Unknown]:  GZCSS

What is the name of your organization?

 [Unknown]:  GZCSS

What is the name of your City or Locality?

 [Unknown]:  GZ

What is the name of your State or Province?

 [Unknown]:  GD

What is the two-letter country code forthis unit?

 [Unknown]:  CN 

Is CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ,ST=GD, C=CN correct?

 

 [no]:  yes

导出公钥证书的cer文件

[weblogic@Weblogic201 jksHL]$ keytool -export -alias weblogicHL -file root.cer -keystore identity.jks

Enter keystore password:  storepass123

Certificate stored in file <root.cer>

生成信任trust.jks密钥库

将上一步生成的root.cer公钥证书导入并生成trust.jks密钥库

[weblogic@Weblogic201 jksHL]$ keytool -import -alias weblogicHL -trustcacerts -file root.cer -keystoretrust.jks

Enter keystore password:  storepass123

Re-enter new password:  storepass123

Owner: CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ,ST=GD, C=CN

Issuer: CN=HaiLang, OU=GZCSS, O=GZCSS,L=GZ, ST=GD, C=CN

Serial number: 559a5ac9

Valid from: Mon Jul 06 18:39:05 HKT 2015until: Thu Jul 03 18:39:05 HKT 2025

Certificate fingerprints:

          MD5: 04:F2:4F:97:5B:8B:32:23:AB:69:D0:6A:42:1D:C7:77

          SHA1:A0:B3:6F:90:08:0D:6B:55:6F:A6:13:C6:3B:C0:F4:CE:E1:B5:72:F9

          Signature algorithm name: SHA1withRSA

          Version: 3

Trust this certificate? [no]:  yes

Certificate was added to keystore

 

至此identity.jks和trust.jks制作完毕!

4、在Console配置新的密钥库和SSL

改动默认的Demo密钥库

“密钥库—更改”

选择“定制标识和定制信任”—“保存”

填写密钥库的配置

定制标识密钥库:/home/weblogic/jksHL/identity.jks

定制信任密钥库:/home/weblogic/jksHL/trust.jks

定制标识/信任密钥类型:jks

 

点击“保存”。设置完毕。

SSL的配置

私有密钥别名:weblogicHL

私有密钥password短语:keypass123

 

点击“保存”;重新启动Server。密钥库和SSL配置完毕。

5、浏览器验证

Server启动日志

[weblogic@Weblogic201 bin]$./startManagedWebLogic.sh appSrv02 http://Weblogic201:7001

.

.

JAVA Memory arguments: -Xms1024m -Xmx1024m-XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m

.

WLS Start Mode=Development

.

CLASSPATH=/home/weblogic/Oracle/Middleware/patch_wls1035/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/weblogic/Oracle/Middleware/patch_ocp360/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/weblogic/jdk1.6.0_45/lib/tools.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/home/weblogic/Oracle/Middleware/modules/features/weblogic.server.modules_10.3.5.0.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/home/weblogic/Oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/home/weblogic/Oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/xqrl.jar:.:/home/weblogic/jdk1.6.0_45$/lib:/home/weblogic/jdk1.6.0_45$/lib/tools.jar

.

PATH=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/bin:/home/weblogic/Oracle/Middleware/modules/org.apache.ant_1.7.1/bin:/home/weblogic/jdk1.6.0_45/jre/bin:/home/weblogic/jdk1.6.0_45/bin:/home/weblogic/jdk1.6.0_45/bin:/home/weblogic/jdk1.6.0_45/jre/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/weblogic/bin

.

***************************************************

*  Tostart WebLogic Server, use a username and  *

* password assigned to an admin-level user.  For *

* server administration, use the WebLogic Server *

* console at http://hostname:port/console        *

***************************************************

starting weblogic with Java version:

java version "1.6.0_45"

Java(TM) SE Runtime Environment (build1.6.0_45-b06)

Java HotSpot(TM) 64-Bit Server VM (build20.45-b01, mixed mode)

Starting WLS with line:

/home/weblogic/jdk1.6.0_45/bin/java-client   -Xms1024m -Xmx1024m-XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m -Dweblogic.Name=appSrv02-Djava.security.policy=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy-Dweblogic.security.SSL.trustedCAKeyStore=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/cacerts  -Xverify:none -da -Dplatform.home=/home/weblogic/Oracle/Middleware/wlserver_10.3-Dwls.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server-Dweblogic.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server   -Dweblogic.management.discover=false -Dweblogic.management.server=http://Weblogic201:7001  -Dwlw.iterativeDev=false-Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false-Dweblogic.ext.dirs=/home/weblogic/Oracle/Middleware/patch_wls1035/profiles/default/sysext_manifest_classpath:/home/weblogic/Oracle/Middleware/patch_ocp360/profiles/default/sysext_manifest_classpath  weblogic.Server

<Jul 6, 2015 7:20:17 PM HKT><Info> <Security> <BEA-090905> <Disabling CryptoJ JCEProvider self-integrity check for better startup performance. To enable thischeck, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>

<Jul 6, 2015 7:20:18 PM HKT><Info> <Security> <BEA-090906> <Changing the defaultRandom Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disablethis change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>

<Jul 6, 2015 7:20:18 PM HKT><Info> <WebLogicServer> <BEA-000377> <Starting WebLogicServer with Java HotSpot(TM) 64-Bit Server VM Version 20.45-b01 from SunMicrosystems Inc.>

<Jul 6, 2015 7:20:19 PM HKT><Info> <Security> <BEA-090065> <Getting boot identity fromuser.>

Enter username to boot WebLogicserver:weblogic

Enter password to boot WebLogic server:

<Jul 6, 2015 7:20:24 PM HKT><Info> <Management> <BEA-141107> <Version: WebLogic Server10.3.5.0.7 PSU Patch for BUG16088411 Mon Apr 01 15:13:52 IST 2013

WebLogic Server 10.3.5.0  Fri Apr 1 20:20:06 PDT 2011 1398638 >

<Jul 6, 2015 7:20:26 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to STARTING>

<Jul 6, 2015 7:20:26 PM HKT><Info> <WorkManager> <BEA-002900> <Initializingself-tuning thread pool>

<Jul 6, 2015 7:20:26 PM HKT><Notice> <LoggingService> <BEA-320400> <The log file/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.logwill be rotated. Reopen the log file if tailing has stopped. This can happen onsome platforms like Windows.>

<Jul 6, 2015 7:20:26 PM HKT><Notice> <LoggingService> <BEA-320401> <The log file hasbeen rotated to/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log00018.Log messages will continue to be logged in/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log.>

<Jul 6, 2015 7:20:26 PM HKT><Notice> <Log Management> <BEA-170019> <The server log file/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.logis opened. All server side log events will be written to this file.>

<Jul 6, 2015 7:20:29 PM HKT><Notice> <Security> <BEA-090082> <Security initializingusing security realm myrealm.>

<Jul 6, 2015 7:20:30 PM HKT><Notice> <LoggingService> <BEA-320400> <The log file/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.logwill be rotated. Reopen the log file if tailing has stopped. This can happen onsome platforms like Windows.>

<Jul 6, 2015 7:20:30 PM HKT><Notice> <LoggingService> <BEA-320401> <The log file hasbeen rotated to/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log00012.Log messages will continue to be logged in/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log.>

<Jul 6, 2015 7:20:31 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to STANDBY>

<Jul 6, 2015 7:20:31 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to STARTING>

<Jul 6, 2015 7:20:33 PM HKT><Notice> <Log Management> <BEA-170027> <The Server hasestablished connection with the Domain level Diagnostic Servicesuccessfully.>

<Jul 6, 2015 7:20:33 PM HKT><Notice> <Cluster> <BEA-000197> <Listening forannouncements from cluster using unicast cluster messaging>

<Jul 6, 2015 7:20:33 PM HKT><Notice> <Cluster> <BEA-000133> <Waiting to synchronizewith other running members of Cluster1.>

<Jul 6, 2015 7:20:46 PM HKT><Notice> <Cluster> <BEA-000142> <Trying to downloadcluster JNDI tree from server appSrv04.>

<Jul 6, 2015 7:20:46 PM HKT><Notice> <Cluster> <BEA-000164> <Synchronized cluster JNDItree from server appSrv04.>

<Jul 6, 2015 7:20:46 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to ADMIN>

<Jul 6, 2015 7:20:46 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to RESUMING>

<Jul 6, 2015 7:20:46 PM HKT><Notice> <Cluster> <BEA-000162> <Starting"async" replication service with remote cluster address"150.18.23.201:8001,150.18.23.201:8002,150.18.23.202:8001,150.18.23.202:8002">

<Jul 6, 2015 7:20:47PM HKT> <Notice> <Security> <BEA-090171> <Loading theidentity certificate and private key stored under the alias weblogicHL from thejks keystore file /home/weblogic/jksHL/identity.jks.>

<Jul 6, 2015 7:20:47PM HKT> <Notice> <Security> <BEA-090169> <Loadingtrusted certificates from the jks keystore file /home/weblogic/jksHL/trust.jks.>

<Jul 6, 2015 7:20:47 PM HKT><Notice> <Server> <BEA-002613> <Channel"DefaultSecure" is now listening on 150.18.23.201:8012 for protocolsiiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>

<Jul 6, 2015 7:20:47 PM HKT><Notice> <Server> <BEA-002613> <Channel"Default" is now listening on 150.18.23.201:8002 for protocols iiop,t3, CLUSTER-BROADCAST, ldap, snmp, http.>

<Jul 6, 2015 7:20:47 PM HKT><Notice> <WebLogicServer> <BEA-000332> <Started WebLogicManaged Server "appSrv02" for domain "myDomain" running inDevelopment Mode>

<Jul 6, 2015 7:20:48 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to RUNNING>

<Jul 6, 2015 7:20:48 PM HKT><Notice> <WebLogicServer> <BEA-000360> <Server started inRUNNING mode>

说明自己定义的密钥库载入成功!

IE浏览器訪问

 

继续浏览此站点,訪问成功!

 

 

查看证书信息

 

从有效期和证书颁发者信息可知。该证书正是我们之前制作的:

What is your first and last name?

 [Unknown]:  HaiLang     

What is the name of your organizationalunit?

 

 [Unknown]:  GZCSS

What is the name of your organization?

 [Unknown]:  GZCSS

What is the name of your City or Locality?

 [Unknown]:  GZ

What is the name of your State or Province?

 

 [Unknown]:  GD

What is the two-letter country code forthis unit?

 [Unknown]:  CN 

Is CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ,ST=GD, C=CN correct?

谷歌浏览器訪问

相同会提示证书不安全

 

继续前往

 

查看证书信息

 

至此。配置自己定义密钥库和SSL的操作已完毕!

---------------------------------------------------------------------------------------------------------------------------------

12306的SSL证书加密技术:

 

 

 

发布了76 篇原创文章 · 获赞 149 · 访问量 50万+
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 大白 设计师: CSDN官方博客

分享到微信朋友圈

×

扫一扫,手机浏览