Wednesday, October 28, 2015

Few Tips to install Oracle WebCenter 12c (12.2.1.0.0)

Oracle released its long-awaited 12c version of WebCenter on 23/10/2015.

An interesting thing about WebCenter versioning is that Oracle released its first 12c version as release 2 (12cR2 = 12.2.x) to match their latest FMW versioning scheme. There is no 12c R1 (12.1.x) version for WebCenter.

In this post, we will see how we can install WebCenter Portal and WebCenter Content quickly for a production environment.

Prerequisites
1. You must have JDK version 1.8.0_51 or above.
2. The WLS 12c and WCP 12c installers must be executed with a JDK, not with a JRE.
3. Database 11g XE is not certified, but you can use it for development purposes.
4. Unlike the SOA Suite installation, you need to install WebLogic Server 12c (12.2.1) before you install Oracle WebCenter Portal 12c.
5. You must install WebLogic Server with the Fusion Middleware Infrastructure installer. This installer also installs JRF and EM Fusion Middleware Control, which are required by WCP 12c.
6. Please note that the “Oracle Weblogic Server Quick Installer for Developer” and “Generic” installers will not work with the WebCenter Portal installation.

Installation
1. Start the FMW Infrastructure installer with the following command:
java -jar fmw_12.2.1.0.0_infrastructure.jar

2. There is no need to create any domain at this stage. Start the WCP and WCC installers with the following commands:
java -jar fmw_12.2.1.0.0_wcportal_generic.jar
java -jar fmw_12.2.1.0.0_wccontent_generic.jar

3. RCU is also installed when we install FMW Infra. You will find the rcu.bat file at C:\middleware12c\Infra\oracle_common\bin\. The process for installing the schemas is the same as it was in 11g.
4. Use the Configuration Wizard to create a domain using the required domain configuration templates.
5. When you select RCU Data on the Database Configuration Type screen of the Configuration Wizard, it connects to the database and the Service Table (STB) schema to automatically retrieve the schema information needed to configure the domain.

Some Issues:
From 12c, Node Manager is available per host or per domain. If you try to start Node Manager per host, you will get the following two errors:
1. It throws the error “Identity key store file not found” and shuts down Node Manager.
Solution:
A quick solution for a development domain is to copy the DemoIdentity.jks file from <DomainHome>\security\ to <MiddlewareHome>\oracle_common\common\nodemanager\security\.
2.       Processing for domain 'wcp_domain' failed due to configuration error: [The domain 'wcp_domain' at 'null' was not registered in the nodemanager.domains file and dynamic domain registration is not supported. Please register the domain in the nodemanager.domains file.
Solution:
Copy the nodemanager.domains file from <DomainHome>\nodemanager\ to <MiddlewareHome>\oracle_common\common\nodemanager.
Alternatively, you can register WebLogic domains with Node Manager using the WLST command, nmEnroll.

Thursday, October 8, 2015

How to configure Strong Encryption for Website deployed on Weblogic Server?

Assumption: HTTPS is already configured and it is using the default SSL Version 3 and default ciphers.

Newer versions of web browsers (e.g. Chrome) are now configured with policies that only allow websites or portals enforcing the strongest encryption technology to be viewed. SSL Version 3 is no longer secure due to the POODLE attack. Most browsers have disabled support for SSL Version 3 by default.

Google Chrome (version 40+) will throw the following error if WebLogic Server is configured (by default) to use SSL Version 3:

SSL server probably obsolete.
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION



Firefox version 34+ throws the following error if the website is using SSL Version 3:
Secure Connection Failed
An error occurred during a connection to <DNS>. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

The SSL Labs report will show the following results if you are using SSLv3:




Solution:

We need to disable SSL Version 3 and enable the TLS protocol. We also need to enable strong ciphers. We can set either of the following system properties in the command-line arguments that start WebLogic Server:
·         weblogic.security.SSL.protocolVersion=TLS1
·         weblogic.security.SSL.minimumProtocolVersion=TLS1

I would suggest using the second option. This property value enables any protocol starting with "TLS" for messages that are sent and accepted; for example, TLS V1.0, TLS V1.1, and TLS V1.2.

Implementation in WebLogic Server:

1. Enable the “Use JSSE SSL” option from the WLS Console. For this purpose, go to Servers > AdminServer or Managed Server > Configuration > SSL [Advanced tab].
2. Now shut down the domain.
3. Create a custom environment settings file “setCustomEnv.sh” with the following lines:
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0"
export JAVA_OPTIONS
4. Include the setCustomEnv.sh file in the $DOMAIN_HOME/bin/setDomainEnv.sh file:

if [ "${WEBLOGIC_EXTENSION_DIRS}" != "" ] ; then
                JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ext.dirs=${WEBLOGIC_EXTENSION_DIRS}"
                export JAVA_OPTIONS
fi

. ${DOMAIN_HOME}/bin/setCustomEnv.sh

JAVA_OPTIONS="${JAVA_OPTIONS}"
export JAVA_OPTIONS

5. Add the following lines to $DOMAIN_HOME/config/config.xml:
<server>
<name>AdminServer</name>
<ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA256</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA256</ciphersuite>
      <hostname-verifier xsi:nil="true"></hostname-verifier>
      <!-- any other existing <ssl> settings stay as they are -->
</ssl>
<!-- any other existing <server> settings stay as they are -->
</server>
6. To support strong ciphers (AES 256), we need to download and install the JCE package for the JDK. Download the JCE package from the following location:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
7. Extract the downloaded zip and place the two .jar files, US_export_policy.jar and local_policy.jar, into your $JDK_HOME/jre/lib/security folder, overwriting the old files.
8. Start the domain.
9. Once the server has started, verify the site in different browsers. I tested on Chrome version 45.
10. Clear the cache of the SSL Labs site and scan the website again. You will see A-. Not bad :)
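
The cipher list from step 5 and the protocol setting from step 3 can be reviewed offline before the domain is restarted. The following Python script is an added example, not part of the original post or of any Oracle tooling; the sample config.xml wrapper, the JAVA_OPTIONS string, the function names and the two review criteria (weak cipher, no forward secrecy) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Cipher names copied from step 5; the surrounding XML is a constructed sample.
PAGE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
]
SAMPLE_CONFIG = (
    '<domain xmlns="http://xmlns.oracle.com/weblogic/domain"><server>'
    "<name>AdminServer</name><ssl><enabled>true</enabled>"
    + "".join(f"<ciphersuite>{s}</ciphersuite>" for s in PAGE_SUITES)
    + "</ssl></server></domain>"
)
# Constructed sample of the options produced by setCustomEnv.sh in step 3.
SAMPLE_JAVA_OPTIONS = "-Xms512m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0"
WEAK_CIPHER = re.compile(r"_(3DES|DES|RC4|NULL)_|EXPORT|_anon_")

def _local(tag):  # strip the XML namespace so matching works with or without xmlns
    return tag.rsplit("}", 1)[-1]

def classify(suite):
    """Return the reasons a suite deserves review (empty list = no finding)."""
    findings = []
    if WEAK_CIPHER.search(suite):
        findings.append("weak cipher")
    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        findings.append("no forward secrecy")
    return findings

def audit_config(xml_text):
    """Map each <server> name to {ciphersuite: findings} from its <ssl> block."""
    report = {}
    servers = [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "server"]
    for server in servers:
        name = next((c.text for c in server if _local(c.tag) == "name"), "?")
        report[name] = {e.text.strip(): classify(e.text.strip()) for e in server.iter()
                        if _local(e.tag) == "ciphersuite" and e.text}
    return report

def minimum_protocol(java_options):
    """Extract the minimumProtocolVersion value from a JAVA_OPTIONS string."""
    m = re.search(r"-Dweblogic\.security\.SSL\.minimumProtocolVersion=(\S+)", java_options)
    return m.group(1) if m else None

if __name__ == "__main__":
    print("minimum protocol:", minimum_protocol(SAMPLE_JAVA_OPTIONS))
    for suite, why in audit_config(SAMPLE_CONFIG)["AdminServer"].items():
        print(f"{suite:40} {', '.join(why) or 'ok'}")
```

Run against the list above, only the two ECDHE AES suites come back without a finding; the 3DES entries and the static-RSA entries are the ones to revisit when aiming for a better scan grade.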


You can configure strong ciphers using the above method in any Oracle product as long as it is using WebLogic Server.

Note: Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91 and above) the Java Runtime Environment has SSLv3 disabled by default.