Monday, March 23, 2015

Enable support for SHA256 SSL Certificate in PeopleSoft using WebLogic Web server.

Note: This is applicable for mainly PeopleTools 8.53 and it may or may not work with lower PeopleTools (8.52 or lower) or higher PeopleTools 8.54. Also this pertains to WebLogic and may not be applicable for Web Sphere.

WebLogic version used is 10.36.0

Step 1: Update the WebLogic to latest Patch Set update. If you already have WebLogic patch set update installed, you will need to uninstall it including one off patches and reinstall the latest Patch Set update for e.g. 10.3.6.0_10 for WebLogic 10.3.6. In case of WebLogic 10.3.6.0_10 please also apply the below one off patches to avoid SSLEngine is closed errors.

Patch 19637463: SU Patch [12UV]: WLS PATCH SET UPDATE 10.3.6.0.10

Patch 20674162: SU Patch [9UB4] :10.3.6.0.10 Overlay: MERGE REQUEST ON TOP OF WLS PSU 10.3.6.0.10 FOR BUGS 13244304 13371700 13405083 13869852

Patch 16810786: SU Patch [SK1V]: MEMORY LEAK ON COM.CERTICOM.TLS.INTERFACEIMPL.CERTIFICATESUPPORT

Step 2 : Disable SSL3 support for WebLogic (This is optional but highly recommended step to avoid security issues).

Add -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 to JAVA_OPTIONS in setEnv.sh for appropriate OS you are using. For linux it is

JAVA_OPTIONS_LINUX="-server -Xms1024m -Xmx1024m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

If you are using both Managed Server and Admin Server, search for below line

#Changed the java min and max heap values for admin server

and update the below

Linux|LINUX)

                    JAVA_OPTIONS="-server -Xms256m -Xmx256m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 -XX:MaxPermSize=128m -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

Please note that once you do this any WebLogic utilities inclusing WLST (WebLogic Scripting tool), must add the below to Java command line invoking them

-Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1

Otherwise you may see errors.

Also you will need to Go to WebLogic Console –> Servers –> PIA, WebLogicAdmin –> SSL Tab –> Advanced and select Enable JSSE checkbox.

Also you may want to upgrade to JRE or JDK 1.7.0_76 (or latest Oracle supported JRE / JDK for your weblogic server version).

Step 3: Remove the bouncy castle JAR file from CLASSPATH by moving it from lib folder for each webserver.

mv $PS_CFG_HOME/webserv/peoplesoft/applications/peoplesoft/lib/bcprov-jdk15-132.jar $HOME/tmp/

If you do not do this WebServer becomes unresponsive or takes longer to respond. Connection Reset errors will be seen in Chrome/FireFox/IE/Safari browsers when you will be using any ECDHE cipher suites.

Removing this Jar file, may impact some cryptographic functions though everything is working fine in our environment including webservice security. This is supposed to be part of wss4j-1.5.9.jar (Apache Web Services Security module) which is bundled with PeopleTools. This issue was observed in those web servers where we have enabled Integration broker gateway servers and use web services that involves security.

Restart the WebLogic after all the changes are complete and SSL certificate is imported in pskey using pskeymanager.sh

Also if there are any other applications are connecting to you using SSL or https, they will need to support SHA256 which in WebLogic 10.3.4 or higher is to enable JSSE support in WebLogic console or if your version is lower than 10.3.4 , use Sun HTTP Handler which automatically enables JSSE support.

How to Change Weblogic to Use the Sun SSL Implementation Rather Than Certicom
(Doc ID 1242974.1)

The SSL implementation and SSL Handler can be changed by setting the following flags on startup:
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
-DUseSunHttpHandler=true
Also for Webservice clients, include:
-Dweblogic.wsee.client.ssl.usejdk=true

In the end Test! Test! Test! that all of this works correctly.

In summary supporting SHA256 support using WebLogic 10.3.6 or lower requires series of changes to make this work. Plan ahead and allocate enough resources to handle this migration. This will become important as major browsers will start flagging SHA1 certificates as insecure.

Useful resources : http://www.ssllabs.com and test your public website using their site scanner. Enable support for TLS 1.0, 1.1 and 1.2 and disable SSL 3.0 support in IE. For firefox/Chrome upgrade to latest version to automatically disable support for SSL 3.0.

If you encounter specific issues related to SHA256 implementation with WebLogic and PeopleSoft leave comments and I can try to provide help.

List of Bugs fixed in Patch Set Update - Doc ID 1942223.1

Some of the Error Messages I have encountered if settings are not correct are

javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received. (If JSSE is not enabled. Certicom SSL implementation does not support SHA256).

Enablig JSSE in WebLogic

<BEA-101104> <Servlet execution in servlet context "ServletContext@445892755[app:peoplesoft module:/ path: spec-version:2.5]" failed, java.io.IOException: SSLEngine is closed. at weblogic.socket.JSSEFilterImpl.checkCauseSSLEngineClosed(JSSEFilterImpl.java:383)

<BEA-101083> <Connection failure java.io.IOException: SSLEngine is closed at weblogic.socket.JSSEFilterImpl.checkCauseSSLEngineClosed(JSSEFilterImpl.java:385)

<BEA-000000> <weblogic.utils.net.SocketResetException: SSLEngine is closed>  at weblogic.socket.JSSEFilterImpl.checkCauseSSLEngineClosed(JSSEFilterImpl.java:431) only with Apple Safari Client when fetching CSS or Java Script using peoplesoft cs servlet.

java.lang.RuntimeException: Could not generate DH keypair

Caused By: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
    at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)

To Enable SSL Debug options

# JAVA SSL DEBUG (in setEnv.sh) to troubleshoot SSL handshake issues.

#JAVA_OPTIONS_LINUX="-server -Xms1024m -Xmx1024m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true -Djavax.net.debug=all -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"