X.509 Certificate Revocation Checking Using the OCSP Protocol with Oracle WebLogic Server 12c

by Abhijit Patil

November 2012

Introduction

Oracle WebLogic Server 12c's Java Secure Socket Extension (JSSE) implementation supports X.509 Certificate Revocation (CR) checking using Online Certificate Status Protocol (OCSP) protocol, which checks a certificate's revocation status as part of the Secure Sockets Layer (SSL) certificate path validation process. CR checking improves the security of certificate usage by ensuring that received certificates have not been revoked by the issuing certificate authority.

This article focuses on how to use X.509 Certificate Revocation Checking Functionality with the OCSP protocol to validate in-bound certificates. Although this article focuses on inbound OCSP validation using OCSP, Oracle WebLogic Server 12c also supports outbound OCSP validation.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. Note that although Oracle WebLogic Server supports the Certificate Revocation list (CRL) mechanism, CRL is beyond the scope of this article.

Certificate Creation

We need to first create the X.509 certificates we will be using in our scenario to check the certificate revoke functionality. We will use the OpenSSL command line tool to create these certificates.

You can download all files used in this article (including certificates, openssl conf file, jks, etc.) here (patil-certrevoc-files.zip).

We will be creating three certificates:

  • Certificate Authority (CA) Certificate (root certificate)
  • Valid Certificate (signed by CA Certificate)
  • Revoked Certificate (signed by CA Certificate)

Figure 1 illustrates the certification chain.

Figure 1: Certificate Chain used for Certificate Revocation functionality
Figure 1: Certificate Chain used for Certificate Revocation functionality

1. Download and setup openssl

Download and unzip openSSL tool in an empty directory. Documentation for openSSL tool is available here. The file openssl.cnf that comes with the installation contains configuration information used by the openssl commands. The file provides default values that are used when corresponding options are omitted from the commands; it also provides default prompts and other values that affect the way the commands interact with the user. Make sure you add the following entry in the openssl.cnf file…

authorityInfoAccess = OCSP;URI: http://host:port

…where host and port represent the host and port of OCSP server (which we will set up later in the article). This command will add the OCSP extension, including the OCSP server url, in the certificates we will generate in the next sections. The authority information access extension gives details about how to access certain information relating to the CA. Its syntax is accessOID;location, where location has the same syntax as subject alternative name. In our case, the value of accessOID is OCSP, and the location points to the OCSP server that needs to be used to check revoked certificates. Setting up the OCSP server is covered in step 6. OCSP Server Set-up. A sample openssl.cnf file is provided in the zip file that accompanies this article.

2. Create a Certification Authority Certificate

Execute following command in openSSL installation directory to generate the "certificate authority." certificate (root certificate):

openssl req -nodes -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650

This will create two new files:

  • private/cakey.pem contains the "certificate authority" private RSA key
  • cacert.pem contains a self-signed "certificate authority" certificate

The self-signed "certificate authority" certificate will resemble the following:

bash-3.2$ openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a8:5c:c0:90:db:6f:be:db
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Pleasanton, O=Oracle
        Validity
            Not Before: Aug 26 16:56:32 2011 GMT
            Not After : Aug 23 16:56:32 2021 GMT
        Subject: C=US, ST=California, L=Pleasanton, O=Oracle
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:93:54:b1:07:fd:6a:a1:9d:1d:72:71:45:41:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B
            X509v3 Authority Key Identifier:
                keyid:08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B
                DirName:/C=US/ST=California/L=Pleasanton/O=Oracle
                serial:A8:5C:C0:90:DB:6F:BE:DB

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        73:04:85:0d:e2:f0:98:fe:c3:9a:cf:d8:12:33:4b:09:25:c8:
...

3. Generate Valid Certificate

Next we'll generate a Valid Certificate signed by the CA certificate we created in previous section.

First we make a new certificate request and private RSA key by running following command (make sure you provide following values for subject: C=US, ST=California, L=Dublin, O=Home, OU=Home, CN=Home):

openssl req -nodes -newkey rsa:1024 -out newreq.pem -days 3650

This will create two new files:

  • private/privkey.pem contains the private RSA key
  • newreq.pem contains a certificate request

Next we generate a valid certificate with "certificate authority" private RSA key from a "certificate request":

openssl ca -policy policy_anything -out validcert.pem -infiles newreq.pem

This will give you a valid certificate file.

  • validcert.pem contains a certificate signed with private/cakey.pem
bash-3.2$ openssl x509 -in validcert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Pleasanton, O=Oracle
        Validity
            Not Before: Sep  1 22:24:09 2011 GMT
            Not After : Aug 29 22:24:09 2021 GMT
        Subject: C=US, ST=California, L=Dublin, O=Home, OU=Home, CN=Home
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:9f:92:27:d3:fa:45:ec:13:5e:42:95:58:38:13:
….
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F0:3E:51:E5:76:E6:3C:BC:3C:D4:4E:E3:2E:57:2B:79:08:64:DA:03
            X509v3 Authority Key Identifier:
                keyid:08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B

            Authority Information Access:
                OCSP - URI:http://host.domain.com:8888

            X509v3 CRL Distribution Points:
                URI:http://host.domain.com:8000/testcrl.crl

    Signature Algorithm: sha1WithRSAEncryption
        af:1e:6b:14:d0:93:37:5d:fc:0f:3c:d1:4f:da:ad:48:b6:34:
     …

4. Generate Revoked Certificate

Next we need to generate another certificate which we will tag as "revoke" (see section 5. Revoke Certificate). Basically, we repeat the same process as in section 3 to generate the certificate.

First we make a new certificate request and private RSA key by running following command (make sure you provide following values for subject: C=DK, ST=Dummy, L=Fraud, O=Careful, OU=Beware, CN=Warning):

openssl req -nodes -newkey rsa:1024 -out newreq.pem -days 3650

This will create two new files:

  • private/privkey.pem contains the private RSA key
  • newreq.pem contains a certificate request
Next we generate a valid certificate with the "certificate authority" private RSA key from a "certificate request":
openssl ca -policy policy_anything -out revokecert.pem -infiles newreq.pem

This will give you a revoke certificate file.

  • revokecert.pem contains a certificate signed with private/cakey.pem
bash-3.2$ openssl x509 -in revokecert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Pleasanton, O=Oracle
        Validity
            Not Before: Sep  1 22:09:59 2011 GMT
            Not After : Aug 29 22:09:59 2021 GMT
        Subject: C=DK, ST=Dummy, L=Fraud, O=Careful, OU=Beware, CN=Warning
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c7:f8:3d:d6:a6:59:67:c1:38:4a:d1:6c:95:fd:
…
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4A:B2:62:8A:74:D8:28:55:55:3D:C6:1D:99:B5:57:EB:2C:7E:B3:06
            X509v3 Authority Key Identifier:
                keyid:08:98:91:7A:0D:0D:02:AF:29:D9:C5:8A:6C:DF:0B:88:4F:FB:DA:2B

            Authority Information Access:
                OCSP - URI:http://host.domain.com:8888

            X509v3 CRL Distribution Points:
                URI:http://host.domain.com:8000/testcrl.crl

    Signature Algorithm: sha1WithRSAEncryption
        …

5. Revoke Certificate

Let's assume the need to revoke the revokecert.pem certificate (maybe it has been compromised or has simply expired. Run following command to revoke the certificate:

openssl ca -revoke revokecert.pem

6. OCSP Server Set-Up

Start the OCSP server by specifying the host and port indicated in openssl.cnf (see section 1. Download and Set Up openssl. To make things simple we'll start the ocsp server on the same machine as Oracle WebLogic Server, although you can start on a different host after installing openssl and copying the certificate to that host.

openssl ocsp -index index.txt -CA cacert.pem -rsigner cacert.pem -rkey
private/cakey.pem -port 8888

In above examples the server will start and listen at port 8888. The OCSP server is now up and running and waiting for requests from Oracle WebLogic Server.

Import certificates and private keys into jks

Import all generated certificates (CA, valid and revoke certificates) into a jks file (ClientCerts.jks in our case). You can use Oracle WebLogic utility utils.ImportPrivateKey for this step.
java utils.ImportPrivateKey -keystore mykeystore -storepass mypasswd -keyfile 
mykey -keyfilepass mykeyfilepass -certfile newcerts.pem -keyfile testkey.pem 
-alias passalias

Enable certificate revocation check functionality in Oracle WebLogic Server

CR checking is disabled by default in Oracle WebLogic Server. But using either the Oracle WebLogic Server Administration Console or WLST you can enable CR checking and configure the properties. When you enable CR checking, Oracle WebLogic Server provides, on a domain-wide basis, a comprehensive set of mechanisms to obtain the current revocation status of each certificate it validates.

Figure 2 illustrates the location in which to enable CR checking in the Oracle WebLogic Server console:

Figure 2: Enable Certificate Revocation checking using WLS console
Figure 2: Enable Certificate Revocation checking using WLS console

Figure 3 illustrates the OCSP tab where you can customize OCSP settings:

Figure 3: OCSP tab in WLS console
Figure 3: OCSP tab in WLS console

For convenience, in our case, all default values are retained. But you can customize settings based on your requirements

.

For example, by default, when checking a certificate's revocation status, Oracle WebLogic Server first uses OCSP. If OCSP returns the certificate's status as unknown, Oracle WebLogic Server then uses CRLs (the OCSP Then CRL option). However, you can change the CR checking method used, or the sequence in which the methods are used, to one of the following:

  • OCSP only
  • CRL only
  • OCSP then CRL - If the OCSP status for a certificate is returned as unknown, CRL is checked for certificate status.
  • CRL then OCSP - If a certificate's revocation status cannot be determined by checking available CRLs, its OCSP status is checked.

For more customization options (e.g. fail on Unknown revocation status, using nonce, setting response timeout interval, response cache), refer to the Oracle documentation.

Note: Please make sure you pass the -Dweblogic.debug.CertRevocCheck=true parameter to Oracle Weblogic Server for the certificate revocation debug log.

Create and run a sample client application

Create a sample java client application to connect to any resource in Oracle Weblogic (for example: servlet / jsp). Here's sample code to be used for the sample client application:

// Open the keystore, retrieve the private key, and certificate chain
      System.out.println("Loading keystore: " + keystore + " 
	  keystore alias: " + keystoreAlias); 
      KeyStore ks = KeyStore.getInstance(keystoreType);
      ks.load(new FileInputStream(keystore), null);
      PrivateKey key = (PrivateKey)ks.getKey(keystoreAlias, 
	  pkPassword.toCharArray());
      Certificate [] certChain = ks.getCertificateChain(keystoreAlias);
      sconnection.loadLocalIdentity(certChain, key);

      try
      {
        tryConnection(sconnection);
        System.out.println("tryConnection returned normally"); 
      }
      catch (Exception e)
      {
        System.out.println("tryConnection threw exception"); 
        System.out.println(e.toString()); 
      }
    }

In the code above, the client loads the local identity certificate chain and key for the client before connecting to an Oracle WebLogic resource. In our case, we will pass a valid certificate alias (which is the alias of the certificate imported in ClientCerts.jks, as created in the Import certificates and private keys into jks section) to the keystoreAlias variable in above code to get a positive case (the certificate is not revoked in this case). We will pass the revoked certificate alias (which is the alias of the certificate imported in ClientCerts.jks, as created in the Import certificates and private keys into jks section) to the keyStoreAlias variable above to get a negative case (the certificate is revoked as shown in Generate revoked Certificate).

When you execute the client containing the above code with a valid certificate you should be able to see the following debug comments in the Oracle WebLogic Server logs.

<May 7, 2012 4:10:42 PM PDT> <Debug> <CertRevocCheck> <BEA-000000> 
<The revocation status of certificate CN=Home, OU=Home, O=Home, L=Dublin, 
ST=California, C=US is:

Status=NOT REVOKED
Source=OCSP
Subject="CN=Home,OU=Home,O=Home,L=Dublin,ST=California,C=US"
Issuer="O=Oracle,L=Pleasanton,ST=California,C=US"
SerialNumber=e
StatusValid=Mon 7 May 2012 16:10:42.000 -0700
StatusExpires=null
NonceIgnored=false
RevocationTime=null
ReasonCode=null
Flags=0
ProducedAt=Mon 7 May 2012 16:10:42.000 -0700
.>

When you execute the client containing the above code with a revoked certificate you should see the following debug comments in the Oracle WebLogic Server logs:

<May 7, 2012 4:13:35 PM PDT> <Debug> <CertRevocCheck> <BEA-000000>
<The revocation status of certificate CN=Warning, OU=Beware, O=Careful, L=Fraud, 
ST=Dummy, C=DK is:

Status=REVOKED
Source=OCSP
Subject="CN=Warning,OU=Beware,O=Careful,L=Fraud,ST=Dummy,C=DK"
Issuer="O=Oracle,L=Pleasanton,ST=California,C=US"
SerialNumber=10
StatusValid=Mon 7 May 2012 16:13:35.000 -0700
StatusExpires=null
NonceIgnored=false
RevocationTime=Tue 17 Jan 2012 13:27:37.000 -0800
ReasonCode=-1
Flags=0
ProducedAt=Mon 7 May 2012 16:13:35.000 -0700
.>

Oracle WebLogic Server allows a connection only if the incoming certificate is not revoked. It verifies a certificate by connecting to the OCSP server (as we set up earlier) which does the certificate verification and sends back either REVOKED or NOT REVOKED as the status for a valid certificate or a revoked certificate, respectively. (For example, the status of the certificate may be marked unknown if Oracle WebLogic Server is unable to connect to the OCSP server.) If the status of inbound certificate is NOT REVOKED, Oracle WebLogic Server allows a connection from the client application; otherwise it refuses the connection and throws following Exception:

<Jun 13, 2012 1:59:22 PM PDT> <Warning> <Security> <BEA-090917> 
<Revoked certificate causing validation failure, certificate with subject:
 CN=Warning,OU=Beware,O=Careful,L=Fraud,ST=Dummy,C=DK> 
<Jun 13, 2012 1:59:22 PM PDT> <Debug> <SecuritySSL> <BEA-000000>
 <[Thread[ExecuteThread: '1' for queue: 'weblogic.socket.Muxer',5,
 Thread Group for Queue:'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: 
 SSLENGINE: Exception occurred during SSLEngine.wrap(ByteBuffer,ByteBuffer).
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1364)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)

Figures 4 and 5 illustrate the message flow:

Figure 4: Message flow for Certificate status NOT REVOKED
Figure 4: Message flow for Certificate status NOT REVOKE
Figure 5: Message flow for Certificate with status REVOKED
Figure 5: Message flow for Certificate with status REVOKED

Conclusion

Oracle WebLogic Server's JSSE implementation supports X.509 certificate revocation (CR) checking, which checks a certificate's revocation status as part of the SSL certificate path validation process. Oracle WebLogic Server offers a complete solution for certificate revocation checking using the OCSP mechanism, providing performance, scalability and interoperability with open standards.

References

About the Author

Abhijit Patil is a Principal Member of the Technical Staff with the Oracle Weblogic Server Group. He has more than ten years of experience working on various Weblogic Server technologies, including security, web service, server clustering.