On WebLogic v10.3.6, IE on one particular PC showed a blank page when connecting over HTTPS. Debugging showed that the problem was caused by weak cipher suites.
I resolved it by explicitly specifying the cipher suites that WebLogic is allowed to use.
Lab environment
- OS: Linux
- WAS: WebLogic v10.3.6
# $DOMAIN_HOME (domain directory): /app/weblogic1036/domains/1004lucifer_domain
[weblogic@ae2793daea03 1004lucifer_domain]$
[weblogic@ae2793daea03 1004lucifer_domain]$
# Edit the domain's config.xml
[weblogic@ae2793daea03 1004lucifer_domain]$ vi config/config.xml
... (omitted)
<server>
  <name>ManagedName</name>
  <max-http-message-size>10240</max-http-message-size>
  <complete-message-timeout>60</complete-message-timeout>
  <ssl>
    <name>ManagedName</name>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
    <ciphersuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
    <hostname-verifier xsi:nil="true"></hostname-verifier>
    <hostname-verification-ignored>false</hostname-verification-ignored>
    <client-certificate-enforced>false</client-certificate-enforced>
    <two-way-ssl-enabled>false</two-way-ssl-enabled>
    <server-private-key-alias>keyname</server-private-key-alias>
    <server-private-key-pass-phrase-encrypted>{AES}Kvlw07qFlsTSGwmbGQKxbeFT0GoarOvVpCCs=</server-private-key-pass-phrase-encrypted>
    <jsse-enabled>true</jsse-enabled>
  </ssl>
  ... (omitted)
</server>
... (omitted)
[weblogic@ae2793daea03 1004lucifer_domain]$
Add the ciphersuite values inside the ssl element of config.xml as shown above.
The one thing to watch is that they must go after the enabled element (directly after it, as in the excerpt).
WebLogic validates config.xml against the domain schema when it starts, and the schema fixes the order of the elements inside ssl. If the ciphersuite elements are placed anywhere else, the Admin server (web console) refuses to start and reports that config.xml is invalid, as in the log below.
<2018. 11. 7 오후 10시 57분 36초 KST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050 >
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /app/weblogic1036/domains/1004lucifer_domain/config/config.xml - Expected elements 'use-client-cert-for-outbound@http://xmlns.oracle.com/weblogic/domain client-cert-alias@http://xmlns.oracle.com/weblogic/domain client-cert-private-key-pass-phrase-encrypted@http://xmlns.oracle.com/weblogic/domain outbound-private-key-alias@http://xmlns.oracle.com/weblogic/domain outbound-private-key-pass-phrase@http://xmlns.oracle.com/weblogic/domain' instead of 'ciphersuite@http://xmlns.oracle.com/weblogic/domain' here in element ssl@http://xmlns.oracle.com/weblogic/domain>
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /app/weblogic1036/domains/1004lucifer_domain/config/config.xml - Expected elements 'use-client-cert-for-outbound@http://xmlns.oracle.com/weblogic/domain client-cert-alias@http://xmlns.oracle.com/weblogic/domain client-cert-private-key-pass-phrase-encrypted@http://xmlns.oracle.com/weblogic/domain outbound-private-key-alias@http://xmlns.oracle.com/weblogic/domain outbound-private-key-pass-phrase@http://xmlns.oracle.com/weblogic/domain' instead of 'ciphersuite@http://xmlns.oracle.com/weblogic/domain' here in element ssl@http://xmlns.oracle.com/weblogic/domain>
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /app/weblogic1036/domains/1004lucifer_domain/config/config.xml - Expected elements 'use-client-cert-for-outbound@http://xmlns.oracle.com/weblogic/domain client-cert-alias@http://xmlns.oracle.com/weblogic/domain client-cert-private-key-pass-phrase-encrypted@http://xmlns.oracle.com/weblogic/domain outbound-private-key-alias@http://xmlns.oracle.com/weblogic/domain outbound-private-key-pass-phrase@http://xmlns.oracle.com/weblogic/domain' instead of 'ciphersuite@http://xmlns.oracle.com/weblogic/domain' here in element ssl@http://xmlns.oracle.com/weblogic/domain>
<2018. 11. 7 오후 10시 57분 37초 KST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: [Management:141245]Schema Validation Error in /app/weblogic1036/domains/1004lucifer_domain/config/config.xml see log for details. Schema validation can be disabled by starting the server with the command line option: -Dweblogic.configuration.schemaValidationEnabled=false>
<2018. 11. 7 오후 10시 57분 37초 KST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<2018. 11. 7 오후 10시 57분 37초 KST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
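As an added example (not part of the original post, and not WebLogic's own tooling), the following Python script applies the ordering rule above to a config.xml: it inserts the ciphersuite entries directly after enabled in the named server's ssl block and reports entries that sit anywhere else, so the mistake is caught before the Admin server is restarted. The namespace http://xmlns.oracle.com/weblogic/domain is taken from the error log; the sample document, the function names and the command-line usage are assumptions made for the demo.

```python
"""Place and validate <ciphersuite> entries in a WebLogic domain config.xml.

Added example, not code from the original post or from WebLogic. Assumes the
domain namespace http://xmlns.oracle.com/weblogic/domain (seen in the post's
error log) and the rule the post describes: inside <ssl>, the <ciphersuite>
elements come right after <enabled>. The sample config is constructed.
"""
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/weblogic/domain"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
WL = "{%s}" % NS

# Keep the default namespace and the xsi prefix when writing the file back.
ET.register_namespace("", NS)
ET.register_namespace("xsi", XSI)

# The three suites the post configures. SSL_RSA_WITH_3DES_EDE_CBC_SHA is 3DES;
# review the list against current guidance before reusing it elsewhere.
CIPHER_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed sample mirroring the post's <server> block, without the
# ciphersuite entries (server name and key alias taken from the post).
SAMPLE_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="{NS}" xmlns:xsi="{XSI}">
  <server>
    <name>ManagedName</name>
    <max-http-message-size>10240</max-http-message-size>
    <ssl>
      <name>ManagedName</name>
      <enabled>true</enabled>
      <hostname-verifier xsi:nil="true"></hostname-verifier>
      <hostname-verification-ignored>false</hostname-verification-ignored>
      <client-certificate-enforced>false</client-certificate-enforced>
      <two-way-ssl-enabled>false</two-way-ssl-enabled>
      <server-private-key-alias>keyname</server-private-key-alias>
      <jsse-enabled>true</jsse-enabled>
    </ssl>
  </server>
</domain>
"""


def load_config(xml_text):
    """Parse config.xml text into an ElementTree."""
    return ET.ElementTree(ET.fromstring(xml_text))


def find_ssl(tree, server_name):
    """Return the <ssl> element of the named <server>, or None."""
    for server in tree.getroot().findall(WL + "server"):
        if server.findtext(WL + "name") == server_name:
            return server.find(WL + "ssl")
    return None


def local_tags(ssl):
    """Namespace-stripped tag names of the children of <ssl>, in document order."""
    return [child.tag.replace(WL, "") for child in ssl]


def check_order(ssl):
    """Return placement problems for <ciphersuite> in one <ssl> block.

    An empty list means every <ciphersuite> sits in one contiguous run
    directly after <enabled>, which is the order the schema accepts.
    """
    tags = local_tags(ssl)
    if "ciphersuite" not in tags:
        return ["no ciphersuite elements"]
    problems = []
    first = tags.index("ciphersuite")
    last = len(tags) - 1 - tags[::-1].index("ciphersuite")
    if "enabled" not in tags or tags.index("enabled") != first - 1:
        problems.append("ciphersuite must directly follow <enabled>")
    if any(tag != "ciphersuite" for tag in tags[first:last + 1]):
        problems.append("ciphersuite elements must be contiguous")
    return problems


def set_cipher_suites(tree, server_name, suites):
    """Replace the named server's suite list, inserting right after <enabled>.

    Returns the number of <ciphersuite> elements written.
    """
    ssl = find_ssl(tree, server_name)
    if ssl is None:
        raise ValueError("server %r has no <ssl> block" % server_name)
    # Drop any existing entries first so repeated runs do not duplicate them.
    for old in ssl.findall(WL + "ciphersuite"):
        ssl.remove(old)
    tags = [child.tag for child in ssl]
    if WL + "enabled" not in tags:
        raise ValueError("<ssl> has no <enabled> element to anchor on")
    anchor = tags.index(WL + "enabled")
    for offset, suite in enumerate(suites, start=1):
        elem = ET.Element(WL + "ciphersuite")
        elem.text = suite
        ssl.insert(anchor + offset, elem)
    return len(suites)


def render(tree):
    """Serialise the tree back to XML text."""
    return ET.tostring(tree.getroot(), encoding="unicode")


if __name__ == "__main__":
    # Demo on the constructed sample; point load_config at a real file to use it.
    cfg = load_config(SAMPLE_CONFIG)
    ssl = find_ssl(cfg, "ManagedName")
    print("before:", check_order(ssl))
    set_cipher_suites(cfg, "ManagedName", CIPHER_SUITES)
    print("after: ", check_order(ssl))
    print(render(cfg))
```

Run it against a copy of $DOMAIN_HOME/config/config.xml and diff the output before replacing the file. Fix the element order rather than starting the server with -Dweblogic.configuration.schemaValidationEnabled=false: the log above names that flag, but it only silences the check that catches a malformed configuration. The script does not verify that the JVM's providers support each suite name; that failure is the one described in the next section.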
One more thing to watch
If you list a cipher suite that Java does not support, you get the error described at the link below.
- Link: "Cannot support {Cipher_Suite_Name} with currently installed providers" error
References
- https://docs.oracle.com/cd/E76441_01/orase/pdf/141/html/security_guide/Output/secure_appserver.htm