AWS
Quick guide on aws for beginners Understanding network concepts in aws How to achieve CI/CD in aws CI/CD in aws managed resources with Jenkins Push Image to aws ECR Using GitHub Actions Setup an EventBridge Rule in aws How ECS & ECR works in aws EKS with Fargate Profile Launch EKS using eksctl in aws Container insight for EKS-Fargate in cloudwatch Deploy aws resources with CloudFormation AWS secrets scanning by GitHub Setup Site to Site VPN Connection in AWS
AZURE
Gateways in Azure Understanding network concepts in Azure Ingress in Azure Kubernetes Service
GCP
Architecting hybrid infrastructure with Anthos

ANSIBLE
Ansible a configuration management tool Runbook Automation tool for playbooks
DOCKER
Docker a containerization Tool Networking in Docker Multi-stage build in Docker what is docker-compose All about Docker swarm
GITHUB
CLI instruction to work with GitHub Integrating Jenkins with GitHub Push Image to ECR Using GitHub Actions
JENKINS
Jenkins a continuous integration tool Acheive CI/CD using Jenkins in AWS Configuring weblogic deployer plugin in Jenkins
KUBERNETES
Kubernetes an orchestration framework Launch kubernetes cluster in Different ways Debugging your kubernetes cluster Certificates renewal of kubernetes cluster Deploying application on Kubernetes cluster api versions to use in manifest file RBACs in Kubernetes Health check of containers in Kubernetes Rancher a cluster management platform Understanding ISTIO as a service mesh
TERRAFORM
Deploying IaC using Terraform Terraform module EKS cluster using Terraform

APACHE
Things to know in Apache How to Configure Apache-httpd Server Setup httpd as os-service on OL8 SiteMinder and its Integration with WebServer Apache SSL Installation Instructions NO_RESOURCES Errors in APACHE with WLS
WEBLOGIC
Installing WebLogic 12.1.3 without GUI WebLogic Server as a managed Azure service WLS domain extension to include JRF template All about OPatch in WLS How to define WorkManager in Weblogic Some known Weblogic exceptions Different OutOfMemory issues Some known Weblogic exceptions Play with WLST Persistent store in WLS Configuration of NodeManager

JAVA
JAVA_OPTIONS Study on JAVA_HEAP Native OOM in Java Heap Types of Threads Various Java-options to use in Java apps How to run Java Flight Recorder dbping a java-weblogic utility
SSL
When & why to use SSL certificates SSLv3 to TLS1.* SHA2 on Oracle https Server Weblogic SSL Renewal Steps
CHEATSHEETs
Linux Cheatsheet Linux Log parsing cheetsheet SSL Cheatsheet MySQL Cheatsheet PostgreSQL Cheatsheet WebLogic Cheatsheet Python Cheatsheet Kubernetes Cheatsheet Terraform Cheatsheet Hashicorp-vault Cheatsheet GCP Cheatsheet
OTHER
All about Messaging Queue small guide on Python WLSDM monitoring agent in WLS Register driver for MSSqlServer Understanding YAML

25 November 2014

Why to use SSL certificate & when to Use a Self-Signed Certificate

This video helps you to understand SSL in the simplest way!! 


You should never use a self-signed certificate for any e-commerce website or any site that transfers valuable personal information like credit cards, social security numbers, etc.

An SSL certificate is necessary for more than just distributing the public key: if it is signed by a trusted third party, it verifies the identity of the server so clients know they aren’t sending their information to the wrong person.

So what is a self-signed certificate? 
It is a certificate that is signed by itself rather than a trusted third party. Isn’t that bad? In most cases, yes. You will almost never want to use a self-signed certificate on a public apache server that requires anonymous visitors to connect to your site because they could easily become a victim of a man-in-the-middle attack. However, self-signed certificates have their place:
  • Self-signed certificates can be used on an Apache development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
  • Self-signed certificates can be used on an intranet. When clients only have to go through a local intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
  • Self-signed certificates can be used on personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.
Just keep in mind that visitors will see a warning in their browsers when connecting to an Apache site that uses a self-signed certificate until it is permanently stored in their certificate store.

For example: 
WebLogic Server is configured by default with Demo Identity and Demo Trust. To use these, you need to enable the SSL port under the General Tab of the server and generate a demo certificate using keytool utility of weblogic, and WLS will start listening over SSL on that port.

To generate the certificates, you need to use keytool. It is a standard java keystore utility. This is included with the Java SE JDK as well as the JRockit JDK.

A keystore is a database of key material. Key material is used for a variety of purposes, including authentication and data integrity.

There are two types of keystores:

identity keystores:  An identity keystore contains the server's private key and is therefore referred to as the identity. This keystore can contain more than one private key.

trust keystores: A trust keystore contains the root and intermediate certificates which are trusted by the server.

However, using these demo certificates is not recommended in a production environment because they do not provide adequate security. Instead of using the demo certificates, we can either get our certificates signed by a third-party certifying authority or use self-signed certificates (use our own root ca which we can use to sign our own certificates).

since for demonstration purpose we cannot afford a certificate signing authority to sign our certificate, we use self signed certificate.
For instance, lets try to install one on a weblogic server

Step1: create a private key/identity store:
$JAVA_HOME/keytool -genkey -alias slefcert -keyalg RSA -keypass weblogic1 -keystore identity.jks -storepass weblogic1 -validity 365
you will be asked a few questions like:
Organisation Unit=?
Organisation=?
City=?
State=?
County=?
after entering all the above details type 'yes'
Step2: being a self-signed, export the same cert into identity store (root cert)
$JAVA_HOME/keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass weblogic1

 Step3: import same cert into trust store which will be root.cert
$JAVA_HOME/keytool -import -alias selfcert -trustcacerts -file root.cer -keystore tust.jks -storepass weblogic1

 this will list out your certificate request details
owner:
Issuer:
Serial number:
Validity:
certificate fingerprints:
Algorithms:
Version:

 which will ask you to trust this certificate? : 'yes' 
and it will add the certificate to your keystore

 now after successful generation of certs, let weblogic know what have you generated 

 login to console & navigate to : servers > serverName > configuration > keystore

 -custom identity keystore : path to your identity.jks
-custom identity keystore type: jks
-custom identity keypass : weblogic1
-custom identity identity store pass : weblogic1
-custom trust keystore: path to your trust.jks
-custom trust keystore type: jks
-custom trust keypass: weblogic1
-custom trust trust store pass: weblogic1

 navigate to SSL tab and update following:

 -private key alias: selfcert
-private key pass: weblogic1

enable SSL port by navigation to configuration > general and update the port number

 restart the service for changes to take effect

 now try to access the service on https://localhost:7002/console 
(here I have installed cert on admin server of weblogic domain)

--
Labels: ,

No comments:

Post a Comment