[WebLogic] Forcing the Cipher Suites used for HTTPS (SSL/TLS)

On WebLogic v10.3.6 there was an issue where IE on a particular PC showed nothing when connecting over https; debugging showed that the problem was caused by weak cipher suites.

I resolved the issue by explicitly restricting the cipher suites that WebLogic is allowed to use.


Lab environment
 - OS: Linux
 - WAS: WebLogic v10.3.6


# WebLogic home directory paths used in the lab environment
# $DOMAIN_HOME (domain directory): /app/weblogic1036/domains/1004lucifer_domain
[weblogic@ae2793daea03 1004lucifer_domain]$
[weblogic@ae2793daea03 1004lucifer_domain]$
# Edit the domain's config.xml file
[weblogic@ae2793daea03 1004lucifer_domain]$ vi config/config.xml
 ... (omitted)
<server>
    <name>ManagedName</name>
    <max-http-message-size>10240</max-http-message-size>
    <complete-message-timeout>60</complete-message-timeout>
    <ssl>
      <name>ManagedName</name>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
      <ciphersuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
      <hostname-verifier xsi:nil="true"></hostname-verifier>
      <hostname-verification-ignored>false</hostname-verification-ignored>
      <client-certificate-enforced>false</client-certificate-enforced>
      <two-way-ssl-enabled>false</two-way-ssl-enabled>
      <server-private-key-alias>keyname</server-private-key-alias>
      <server-private-key-pass-phrase-encrypted>{AES}Kvlw07qFlsTSGwmbGQKxbeFT0GoarOvVpCCs=</server-private-key-pass-phrase-encrypted>
      <jsse-enabled>true</jsse-enabled>
    </ssl>

... (omitted)

</server>
 ... (omitted)
[weblogic@ae2793daea03 1004lucifer_domain]$

As shown above, add the ciphersuite values inside the ssl element of config.xml.

Note that the entries must be placed directly after the enabled element.
If the order is different, the WebLogic Admin server (web console) fails to start with an error like the one below, reporting that config.xml is invalid.
<2018. 11. 7 오후 10시 57분 35초 KST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 20.45-b01 from Sun Microsystems Inc.>
<2018. 11. 7 오후 10시 57분 36초 KST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0  Tue Nov 15 08:52:36 PST 2011 1441050 >
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /app/weblogic1036/domains/1004lucifer_domain/config/config.xml - Expected elements 'use-client-cert-for-outbound@http://xmlns.oracle.com/weblogic/domain client-cert-alias@http://xmlns.oracle.com/weblogic/domain client-cert-private-key-pass-phrase-encrypted@http://xmlns.oracle.com/weblogic/domain outbound-private-key-alias@http://xmlns.oracle.com/weblogic/domain outbound-private-key-pass-phrase@http://xmlns.oracle.com/weblogic/domain' instead of 'ciphersuite@http://xmlns.oracle.com/weblogic/domain' here in element ssl@http://xmlns.oracle.com/weblogic/domain>
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /app/weblogic1036/domains/1004lucifer_domain/config/config.xml - Expected elements 'use-client-cert-for-outbound@http://xmlns.oracle.com/weblogic/domain client-cert-alias@http://xmlns.oracle.com/weblogic/domain client-cert-private-key-pass-phrase-encrypted@http://xmlns.oracle.com/weblogic/domain outbound-private-key-alias@http://xmlns.oracle.com/weblogic/domain outbound-private-key-pass-phrase@http://xmlns.oracle.com/weblogic/domain' instead of 'ciphersuite@http://xmlns.oracle.com/weblogic/domain' here in element ssl@http://xmlns.oracle.com/weblogic/domain>
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <Management> <BEA-141244> <Schema validation errors while parsing /app/weblogic1036/domains/1004lucifer_domain/config/config.xml - Expected elements 'use-client-cert-for-outbound@http://xmlns.oracle.com/weblogic/domain client-cert-alias@http://xmlns.oracle.com/weblogic/domain client-cert-private-key-pass-phrase-encrypted@http://xmlns.oracle.com/weblogic/domain outbound-private-key-alias@http://xmlns.oracle.com/weblogic/domain outbound-private-key-pass-phrase@http://xmlns.oracle.com/weblogic/domain' instead of 'ciphersuite@http://xmlns.oracle.com/weblogic/domain' here in element ssl@http://xmlns.oracle.com/weblogic/domain>
<2018. 11. 7 오후 10시 57분 37초 KST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: [Management:141245]Schema Validation Error in /app/weblogic1036/domains/1004lucifer_domain/config/config.xml see log for details. Schema validation can be disabled by starting the server with the command line option: -Dweblogic.configuration.schemaValidationEnabled=false>
<2018. 11. 7 오후 10시 57분 37초 KST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<2018. 11. 7 오후 10시 57분 37초 KST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<2018. 11. 7 오후 10시 57분 37초 KST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>

Additional caveat
If you add a cipher suite that the installed Java does not support, an error like the one in the link below occurs.
 - Link: "Cannot support {Cipher_Suite_Name} with currently installed providers" error
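As an added example (not part of the original post or of WebLogic itself), the following script checks a domain config.xml against the two points made above: that the ciphersuite entries sit directly after the enabled element inside ssl, and that none of the listed suites is a weak one such as the 3DES suite in the sample. The configs embedded below are constructed for the demo; the WEAK_PATTERNS list is my own and the script cannot tell whether the local JVM actually supports a suite.

```python
import xml.etree.ElementTree as ET

# Substrings that mark a suite as weak (3DES, RC4, NULL, EXPORT, anon).
# This list is an added check, not something the post itself performs.
WEAK_PATTERNS = ("3DES", "RC4", "_NULL_", "EXPORT", "_anon_", "_DES_")


def _local(tag):
    """Strip the {http://xmlns.oracle.com/weblogic/domain} namespace from a tag."""
    return tag.rsplit("}", 1)[-1]


def check_ssl_config(xml_text):
    """Return a list of findings for every <ssl> element in a WebLogic config.xml."""
    findings = []
    for ssl in ET.fromstring(xml_text).iter():
        if _local(ssl.tag) != "ssl":
            continue
        names = [_local(c.tag) for c in ssl]
        suites = [c.text.strip() for c in ssl if _local(c.tag) == "ciphersuite" and c.text]
        if not suites:
            findings.append("no <ciphersuite> set; JSSE defaults apply")
            continue
        # Rule from the post: the <ciphersuite> run must sit directly after <enabled>;
        # anywhere else and startup fails schema validation (BEA-141244).
        first = names.index("ciphersuite")
        contiguous = names[first:first + len(suites)] == ["ciphersuite"] * len(suites)
        if names[first - 1:first] != ["enabled"] or not contiguous:
            findings.append("ciphersuite must immediately follow <enabled> (BEA-141244)")
        findings.extend(f"weak cipher suite: {s}" for s in suites
                        if any(p in s for p in WEAK_PATTERNS))
    return findings


# Constructed sample configs; a real one lives at $DOMAIN_HOME/config/config.xml.
_TEMPLATE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <server><name>ManagedName</name><ssl>{body}</ssl></server>
</domain>"""
_HEAD = "<name>ManagedName</name><enabled>true</enabled>"
_SUITES = ("<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>"
           "<ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>"
           "<ciphersuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>")
_TAIL = '<hostname-verifier xsi:nil="true"></hostname-verifier><jsse-enabled>true</jsse-enabled>'
GOOD_CONFIG = _TEMPLATE.format(body=_HEAD + _SUITES + _TAIL)   # order as in the post
BAD_CONFIG = _TEMPLATE.format(body=_HEAD + _TAIL + _SUITES)    # suites placed too late

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_ssl_config(cfg))
```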
References
 - https://docs.oracle.com/cd/E76441_01/orase/pdf/141/html/security_guide/Output/secure_appserver.htm