
Saturday, August 18, 2018

[WebLogic][Admin Console] How to apply HTTPS (SSL) to a server (ver. 9.0 and later)

Supported WebLogic ver: 9.0 and later


Lab environment
 - OS: OracleLinux 5
 - WebLogic ver: 10.3.6

Prerequisites

 - Required: private key certificate / identity keystore (file + alias + password)
 - Optional: trust certificate / trust keystore (file + password)

 - Information used in this lab (certificates created by following the linked post)
 1. Private key certificate (identity keystore)
   1) Keystore file: 1004lucifer_key.jks
   2) Certificate alias: 1004lucifer_key
   3) Keystore password: 1234qwer

 2. Trust certificate (trust keystore)
   1) Keystore file: 1004lucifer_cert.jks
   2) Keystore password: 1234qwer


Procedure

- Select the server

- (Optional) Customize the server table so that the SSL columns are displayed




- Select the Managed Server and, under 'Configuration - General', check 'SSL Listen Port Enabled' and enter the 'SSL Listen Port'



- Under 'Keystores', change the keystore type


- Enter the keystore file paths and passwords (Keystore Type: enter JKS)
 1) Required: Custom Identity Keystore (private key certificate)
 2) Optional: Custom Trust Keystore (trust certificate)
  - HTTPS works fine even if the trust keystore fields are left blank.



- Under 'SSL', enter the private key alias and passphrase.
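The same settings as a WLST script, added here as an example (not the post's own code): it maps each console field above to the ServerMBean/SSLMBean attribute that WLST sets, and leaves the trust keystore optional exactly as the post does. The attribute names are taken from WebLogic's documented MBeans; the admin credentials and URL are placeholders, while the server name, port and keystore paths are the post's lab values.

```python
# Added example, not from the post: WLST (Jython) helper that applies the console
# steps above in one pass.  Attribute names are WebLogic's ServerMBean/SSLMBean
# attributes; kept Jython 2.2 compatible (WLST on 10.3.6), hence no `x if c else y`.

def ssl_settings(server, ssl_port, id_file, id_pw, alias, key_pw,
                 trust_file=None, trust_pw=None):
    """Return (mbean_path, attribute, value) triples for the console settings.
    Separated from WLST so the plan can be inspected or tested offline."""
    srv = '/Servers/%s' % server
    ssl = '%s/SSL/%s' % (srv, server)
    if trust_file:
        keystores = 'CustomIdentityAndCustomTrust'
    else:
        # Trust store left blank, as the post allows: fall back to the JDK cacerts trust.
        keystores = 'CustomIdentityAndJavaStandardTrust'
    plan = [
        (srv, 'KeyStores', keystores),                      # 'Keystores' type
        (srv, 'CustomIdentityKeyStoreFileName', id_file),   # Custom Identity Keystore
        (srv, 'CustomIdentityKeyStoreType', 'JKS'),
        (srv, 'CustomIdentityKeyStorePassPhrase', id_pw),   # WLST stores it encrypted
        (ssl, 'Enabled', 'true'),                           # 'SSL Listen Port Enabled'
        (ssl, 'ListenPort', ssl_port),                      # 'SSL Listen Port'
        (ssl, 'ServerPrivateKeyAlias', alias),              # 'Private Key Alias'
        (ssl, 'ServerPrivateKeyPassPhrase', key_pw),        # 'Private Key Passphrase'
    ]
    if trust_file:
        plan.append((srv, 'CustomTrustKeyStoreFileName', trust_file))
        plan.append((srv, 'CustomTrustKeyStoreType', 'JKS'))
        plan.append((srv, 'CustomTrustKeyStorePassPhrase', trust_pw))
    return plan

def apply_plan(plan):
    """Run under WLST only: edit(), startEdit(), cd(), set(), activate() are WLST built-ins."""
    edit()
    startEdit()
    for path, attr, value in plan:
        cd(path)
        set(attr, value)
    activate()

def configure_lab_server():
    """WLST entry point using the post's lab values; admin credentials are placeholders."""
    connect('ADMIN_USER', 'ADMIN_PASSWORD', 't3://localhost:7001')
    apply_plan(ssl_settings('ManagedServer01', 8006,
                            '/app/weblogic1036/ssl/1004lucifer_key.jks', '1234qwer',
                            '1004lucifer_key', '1234qwer',
                            '/app/weblogic1036/ssl/1004lucifer_cert.jks', '1234qwer'))
```

Load the file at the WLST prompt with execfile() and call configure_lab_server(); the managed server then needs a restart for the SSL channel to come up.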


Starting the server
- If HTTPS (SSL) was not applied correctly, the log below shows where the problem is, so it needs to be checked.


[weblogic@ae2793daea03 bin]$ ./startManagedWebLogic.sh ManagedServer01 t3://localhost:7001
.
.
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m  -XX:MaxPermSize=256m
.
WLS Start Mode=Development
.
CLASSPATH=/app/weblogic1036/patch_wls1036/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/app/jdk1.6.0_45/lib/tools.jar:/app/weblogic1036/wlserver_10.3/server/lib/weblogic_sp.jar:/app/weblogic1036/wlserver_10.3/server/lib/weblogic.jar:/app/weblogic1036/modules/features/weblogic.server.modules_10.3.6.0.jar:/app/weblogic1036/wlserver_10.3/server/lib/webservices.jar:/app/weblogic1036/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/app/weblogic1036/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/app/weblogic1036/wlserver_10.3/common/derby/lib/derbyclient.jar:/app/weblogic1036/wlserver_10.3/server/lib/xqrl.jar
.
PATH=/app/weblogic1036/wlserver_10.3/server/bin:/app/weblogic1036/modules/org.apache.ant_1.7.1/bin:/app/jdk1.6.0_45/jre/bin:/app/jdk1.6.0_45/bin:/usr/local/bin:/bin:/usr/bin:/home/weblogic/bin
.
***************************************************
*  To start WebLogic Server, use a username and   *
*  password assigned to an admin-level user.  For *
*  server administration, use the WebLogic Server *
*  console at http://hostname:port/console        *
***************************************************
starting weblogic with Java version:
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)
Starting WLS with line:
/app/jdk1.6.0_45/bin/java -client   -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m  -XX:MaxPermSize=256m -Dweblogic.Name=ManagedServer01 -Djava.security.policy=/app/weblogic1036/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.security.SSL.trustedCAKeyStore=/app/weblogic1036/wlserver_10.3/server/lib/cacerts  -Xverify:none  -da -Dplatform.home=/app/weblogic1036/wlserver_10.3 -Dwls.home=/app/weblogic1036/wlserver_10.3/server -Dweblogic.home=/app/weblogic1036/wlserver_10.3/server   -Dweblogic.management.discover=false -Dweblogic.management.server=t3://localhost:7001  -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/app/weblogic1036/patch_wls1036/profiles/default/sysext_manifest_classpath  weblogic.Server
<Aug 18, 2018 12:57:11 AM UTC> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Aug 18, 2018 12:57:12 AM UTC> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Aug 18, 2018 12:57:12 AM UTC> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 20.45-b01 from Sun Microsystems Inc.>
<Aug 18, 2018 12:57:13 AM UTC> <Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:1004lucifer
Enter password to boot WebLogic server:
<Aug 18, 2018 12:57:21 AM UTC> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050 >
<Aug 18, 2018 12:57:24 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Aug 18, 2018 12:57:24 AM UTC> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Aug 18, 2018 12:57:24 AM UTC> <Notice> <LoggingService> <BEA-320400> <The log file /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/ManagedServer01.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
<Aug 18, 2018 12:57:24 AM UTC> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/ManagedServer01.log00061. Log messages will continue to be logged in /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/ManagedServer01.log.>
<Aug 18, 2018 12:57:24 AM UTC> <Notice> <Log Management> <BEA-170019> <The server log file /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/ManagedServer01.log is opened. All server side log events will be written to this file.>
<Aug 18, 2018 12:57:28 AM UTC> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Aug 18, 2018 12:57:30 AM UTC> <Notice> <LoggingService> <BEA-320400> <The log file /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/access.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
<Aug 18, 2018 12:57:30 AM UTC> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/access.log00022. Log messages will continue to be logged in /app/weblogic1036/domains/1004lucifer_domain/servers/ManagedServer01/logs/access.log.>
<Aug 18, 2018 12:57:31 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Aug 18, 2018 12:57:31 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Aug 18, 2018 12:57:31 AM UTC> <Warning> <Munger> <BEA-2156203> <A version attribute was not found in element web-app in the deployment descriptor in /tmp/testapp/WEB-INF/web.xml. A version attribute is required, but this version of the Weblogic Server will assume that the JEE5 is used. Future versions of the Weblogic Server will reject descriptors that do not specify the JEE version.>
<Aug 18, 2018 12:57:32 AM UTC> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Aug 18, 2018 12:57:32 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Aug 18, 2018 12:57:32 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Aug 18, 2018 12:57:32 AM UTC> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias 1004lucifer_key from the JKS keystore file /app/weblogic1036/ssl/1004lucifer_key.jks.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /app/weblogic1036/ssl/1004lucifer_cert.jks.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:9001 for protocols iiop, t3, ldap, snmp, http.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:9001 for protocols iiop, t3, ldap, snmp, http.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 127.0.0.1:8006 for protocols iiops, t3s, ldaps, https.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 172.17.0.2:8006 for protocols iiops, t3s, ldaps, https.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <WebLogicServer> <BEA-000332> <Started WebLogic Managed Server "ManagedServer01" for domain "1004lucifer_domain" running in Development Mode>
<Aug 18, 2018 12:57:35 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Aug 18, 2018 12:57:35 AM UTC> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>

What to check when errors occur
- Read the server log, paying close attention to entries whose level is not Notice, and check their code (BEA-XXXXX) and message.

While doing this I ran into the errors described in the link below.
- [WebLogic][Error] BEA-000297 / BEA-090034 / BEA-090132 / BEA-090133 / BEA-090164 / BEA-090172 / BEA-090503 errors when starting the server after configuring HTTPS (SSL)
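The check in the first bullet, as an added example that is not part of the post: a script that parses records in the format of the startup log above (`<timestamp> <level> <subsystem> <BEA-code> <message>`), lists every record whose level is not Notice/Info together with its BEA code, and confirms the three milestones a successful SSL start prints: the identity loaded under the expected alias (BEA-090171), trust loaded (BEA-090169), and an https channel listening on the SSL port (BEA-002613). The sample records are constructed in the shape of the log above.

```python
import re

# One WebLogic server log record: <timestamp> <level> <subsystem> <BEA-code> <message>
LOG_RE = re.compile(r'^<([^>]+)> <(\w+)> <([^>]+)> <(BEA-\d+)> <(.*)>$')

# Levels that need no attention when reading a startup log; anything else gets listed.
QUIET_LEVELS = ('Notice', 'Info', 'Debug')

def parse_line(line):
    """Return a dict for a BEA log record, or None for banner/classpath lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, level, subsystem, code, msg = m.groups()
    return {'ts': ts, 'level': level, 'subsystem': subsystem, 'code': code, 'msg': msg}

def check_ssl_startup(lines, alias, ssl_port):
    """Summarise an SSL-enabled start: records worth a look, plus the three milestones
    a good start prints (identity loaded, trust loaded, https channel listening)."""
    result = {'attention': [], 'identity_loaded': False,
              'trust_loaded': False, 'https_listening': False}
    for rec in filter(None, map(parse_line, lines)):
        if rec['level'] not in QUIET_LEVELS:
            result['attention'].append((rec['level'], rec['code'], rec['msg']))
        # BEA-090171: identity certificate and private key loaded under the alias
        if rec['code'] == 'BEA-090171' and ('alias %s ' % alias) in rec['msg']:
            result['identity_loaded'] = True
        # BEA-090169: trusted certificates loaded from the (optional) trust keystore
        elif rec['code'] == 'BEA-090169':
            result['trust_loaded'] = True
        # BEA-002613: a channel is up; we want https on the configured SSL port
        elif rec['code'] == 'BEA-002613' and 'https' in rec['msg'] \
                and (':%d ' % ssl_port) in rec['msg']:
            result['https_listening'] = True
    return result

# Constructed sample in the shape of the startup log above (not a full capture).
SAMPLE_LOG = """\
WLS Start Mode=Development
<Aug 18, 2018 12:57:31 AM UTC> <Warning> <Munger> <BEA-2156203> <A version attribute was not found in element web-app in the deployment descriptor in /tmp/testapp/WEB-INF/web.xml.>
<Aug 18, 2018 12:57:32 AM UTC> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias 1004lucifer_key from the JKS keystore file /app/weblogic1036/ssl/1004lucifer_key.jks.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /app/weblogic1036/ssl/1004lucifer_cert.jks.>
<Aug 18, 2018 12:57:33 AM UTC> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 172.17.0.2:8006 for protocols iiops, t3s, ldaps, https.>
""".splitlines()
```

Run check_ssl_startup() over the lines of the real ManagedServer01.log; a missing milestone points at the keystore path, alias, passphrase or SSL port entered in the console steps, and the 'attention' list holds the BEA codes to look up.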

Browser check

If WebLogic v10.3.6 is unpatched, the browser shows what is in the captures below; see the following link for the fix
 - Link: Page does not display when connecting over HTTPS from certain browsers (Cipher Suites issue)

- IE

- Chrome


The following additional information may be needed for problems that can arise while applying SSL/TLS to WebLogic.

 - [Java] How to debug SSL/TLS and analyze the logs
 - [WebLogic] Forcing specific Cipher Suites when using HTTPS (SSL/TLS)
 - [Java] JDK encryption algorithm key length restriction issue (Illegal key size error)
 - [Java][WAS] "Cannot support {Cipher_Suite_Name} with currently installed providers" error
 - [Java][WAS] Page does not display when connecting over HTTPS from certain browsers (Cipher Suites issue)

