Tech

20121213

Using Wildcard asterisk (*) SSL with WLS

Configuring certificates whose name uses the wildcard asterisk (*) can be troublesome on WLS.

Example of wildcard use:

cn = *.example.com

Since WLS 10.3.6 and 12.1.x, a new host name verifier is built into WLS; with some simple configuration you can use your wildcard certificates:

A_ Start WLS with the following Java system property:

./startWebLogic.sh -Dweblogic.security.SSL.HostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier

or

B_ Or configure it from the Admin Console:

1. Start the AdminConsole and go to the selected Server::Configuration::SSL;

2. Click on the link Advanced;

3. Copy/paste the weblogic.security.utils.SSLWLSWildcardHostnameVerifier class name into the Hostname Verifier field;

4. Save;

C_ Restart the server and test your SSL connection.
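Before testing, it helps to know which hostnames a wildcard name such as cn = *.example.com should cover. The following is an added example, not code from this post or from Oracle: it implements the commonly used leftmost-label wildcard rule (an assumption; the exact rules of SSLWLSWildcardHostnameVerifier are Oracle's) so you can predict which hostnames will pass once the verifier is enabled.

```python
"""Predict which hostnames a wildcard certificate name covers.

Added example, not from the original post or from Oracle.  It applies the
standard leftmost-label wildcard rule (assumed, not Oracle's exact code):
'*' is honoured only as the whole leftmost label and covers exactly one
label, so *.example.com matches www.example.com but not example.com or
a.b.example.com.
"""
from typing import Iterable


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if ``hostname`` is matched by the certificate ``pattern``."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label; no '*' anywhere else
    # (rejects w*.example.com and www.*.com).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False                        # refuse bare '*' and '*.com'
    # The wildcard stands in for exactly one non-empty label.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN entry in ``cert_names`` covers ``hostname``."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: a certificate with cn = *.example.com (as in the
    # post) plus one exact SAN entry for the admin host.
    names = ["*.example.com", "admin.example.com"]
    for host in ["www.example.com", "example.com",
                 "a.b.example.com", "ADMIN.example.com"]:
        print(f"{host:20} -> {hostname_matches_cert(names, host)}")
```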


*For earlier WLS 10.3.x versions there is a patch; I recommend opening an SR with Oracle to retrieve it.


Links:
Using the Wildcarded Host Name Verifier
Configure a custom host name verifier
Oracle WebLogic Server API Reference SSLWLSWildcardHostnameVerifier

6 comments:

  1. Thanks for sharing step-by-step information for using a WildCard SSL Certificate with WLS. Apart from this, I would really like to thank you for sharing links for additional information.


    WildCard SSL

  2. Hi, I am currently facing issues due to a wildcard hostname in an SSL certificate. Every site gives this information about how to configure it, but the .class file is not present in weblogic.jar of either the 10g or 11g WebLogic server versions. Just this configuration change does not fix the problem. Any idea where I can find the .class file to include in my server classpath?

    1. Sorry, I've been a bit busy and could not actually look into my blog for further posting and answering questions... But the issue which you are or were facing is solved by adding a patch provided by Oracle.

      *For earlier WLS 10.3.x versions there is a patch; I recommend opening an SR with Oracle to retrieve it.

  3. This comment has been removed by the author.

  4. Hey filio.
    Hope you are doing great.

    On WLS 10.3.6, I am trying to configure NM with * certs with no luck. We used JSSE + -Dweblogic.security.SSL.HostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier in JAVA_OPTIONS in startNodeManager.sh and also configured the * cert in nodemanager.properties, but it is not working.
    Previously we used the same configuration for a MS and it works fine, but not for NM.
    Any tip?

    Regards,
    Mario

    1. Hello Mario, I am great, and pretty busy with work. As I've mentioned on another question previously, I did not log in to my blog for a long period. But what you are trying to do is configure the NM with an asterisk certificate? NM is part of a domain, but a different piece of software which communicates over One-Way SSL with the Admin and Managed Nodes.

      "With one-way SSL, the server must present a certificate to the client, but the client is not required to present a certificate to the server. The client must authenticate the server, but the server accepts a connection from any client."

      Thinking:

      1. I mean, NM is related one-to-one to a machine in a domain. But NM is part of the WLS structure, and since one WLS installation can have many domains, it can therefore have many AdminServers.

      2. NM in this case is the Server, while Admin is the Client...

      3. I do see the wlserver_10.3/server/lib/weblogic.jar into the NM startup classpath...

      I am not sure if NM uses the security module of WLS to do its certification. But, just from the fact that the NM is the Server and has weblogic.jar on its classpath, I would definitely try to download the patch, extract the jar file and put it first on the classpath. If this does not work, or even if it does, the final instruction is to start an enhancement bug request for the NM, hoping that some architect with good sense in Oracle would understand the business need.
