Showing posts with label certificate.

Sunday, November 20, 2022

Install SSL proxy intercept certificate for Azure CLI on Ubuntu

HOWTO

 

Add the SSL intercept certificate to the local OS certificate store:

sudo cp SSL-intercept.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Add to .bashrc so the variable survives new shells:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Add the SSL intercept certificate to Python:

cp SSL-intercept.crt  /usr/lib/python3/dist-packages/certifi/

Thursday, August 2, 2012

WebLogic X509 Certificate Authentication

Securing Web Applications http://docs.oracle.com/cd/E14571_01/web.1111/e13711/thin_client.htm#i1044688

How to Set Up X509 Certificate Authentication for Oracle WebLogic Server http://www.oracle.com/technetwork/articles/damo-howto-091164.html

Installing and Configuring the Apache HTTP Server Plug-In
http://docs.oracle.com/cd/E14571_01/web.1111/e14395/apache.htm
The client certificate is sent by the WebLogic plug-in in the WL-Proxy-Client-Cert HTTP header.

In weblogic.xml: client-cert-proxy-enabled. The element default value is true. When set to true, WebLogic Server passes identity certificates from the clients to the backend servers. Also, WebLogic Server is notified whether to honor or discard the incoming WL-Proxy-Client-Cert header. A proxy-server plugin encodes each identity certificate in the WL-Proxy-Client-Cert header and passes it to the backend WebLogic Server instances. Each WebLogic Server instance takes the certificate information from the header, ensures it came from a secure source, and uses that information to authenticate the user. For the backend WebLogic Server instances, this parameter must be set to true (either at the cluster/server level or at the Web application level). If you set this element to true, use a weblogic.security.net.ConnectionFilter to ensure that each WebLogic Server instance accepts connections only from the machine on which the proxy-server plugin is running. If you specify true without using a connection filter, a potential security vulnerability is created because the WL-Proxy-Client-Cert header can be spoofed.

web.xml http://docs.oracle.com/cd/E23943_01/web.1111/e13712/web_xml.htm

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- Only the elements relevant to CLIENT-CERT authentication are shown -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Faces Servlet</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE because SSL is terminated at the Apache plug-in; the backend sees the cert in the header -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>NoSuchRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>

weblogic.xml http://docs.oracle.com/cd/E14571_01/web.1111/e13712/weblogic_xml.htm

    <wls:security-role-assignment>
        <wls:role-name>AppUser</wls:role-name>
        <wls:principal-name>AppUsers</wls:principal-name>
    </wls:security-role-assignment>
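The connection filter that the client-cert-proxy-enabled note above asks for, as an added illustrative example (not code from this post or from Oracle): a custom weblogic.security.net.ConnectionFilter that lets only the plug-in hosts open HTTP/HTTPS connections to the server, so nobody else can hand WebLogic a WL-Proxy-Client-Cert header. The proxy addresses are placeholders, and the class is assumed to be registered as the domain's connection filter (Domain > Security > Filter in the console).

```java
import java.net.InetAddress;
import java.util.HashSet;
import java.util.Set;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

/**
 * Accepts web (http/https) connections only from the hosts that run the
 * Apache plug-in. Non-web protocols (t3 for console/WLST, etc.) are left
 * alone here because they carry no WL-Proxy-Client-Cert header.
 */
public class ProxyOnlyConnectionFilter implements ConnectionFilter {

    // Placeholder plug-in hosts; replace with the real proxy addresses.
    private static final Set<String> PROXY_HOSTS = new HashSet<String>();
    static {
        PROXY_HOSTS.add("192.0.2.10"); // RFC 5737 documentation address (placeholder)
        PROXY_HOSTS.add("127.0.0.1");  // plug-in co-located with the server
    }

    public void accept(InetAddress remoteAddress, int remotePort,
                       InetAddress localAddress, int localPort,
                       StringBuffer connectionInfo, String protocol)
            throws FilterException {
        if (!isWebProtocol(protocol)) {
            return; // not an HTTP listener: nothing to protect against header spoofing
        }
        String peer = remoteAddress.getHostAddress();
        if (!PROXY_HOSTS.contains(peer)) {
            // Throwing rejects the connection; WebLogic logs the message.
            throw new FilterException("HTTP connection from " + peer
                    + " refused: only the plug-in hosts may reach this port");
        }
    }

    // Protocol names as WebLogic passes them to the filter.
    static boolean isWebProtocol(String protocol) {
        return "http".equalsIgnoreCase(protocol)
            || "https".equalsIgnoreCase(protocol);
    }
}
```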

Sunday, March 7, 2010

How WebLogic Server Locates Trust when using own SSL certificate

It is necessary to provide the JVM property -Dweblogic.security.SSL.trustedCAKeyStore in all scripts connecting to the WebLogic SSL port.
The other option is to add the server SSL certificate to the cacerts trust keystore inside the WLS installation.

The default trust keystore is located in WL_HOME/server/lib and also in the JDK:
find . -name cacerts
./jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts
./wlserver_10.3/server/lib/cacerts
./jdk160_14_R27.6.5-32/jre/lib/security/cacerts



export JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore=/app/cert/ServerTrust.jks ${JAVA_OPTIONS}"


This is described in Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.1), Chapter 11, Configuring Identity and Trust.



WebLogic Server uses the following algorithm when it loads its trusted
CA certificates:

1. If the keystore is specified by the -Dweblogic.security.SSL.trustedCAKeyStore command-line argument, load the trusted CA certificates from that keystore.
2. Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
3. Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
4. Else load trusted CA certificates from the WL_HOME\server\lib\cacerts keystore.



10.3.2
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13707/identity_trust.htm#i1202187

10.3.1
http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/identity_trust.htm#i1202182

10.3
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/identity_trust.html#wp1183754