Secure Oracle HTTP Server 12c scripts

This post is a spin-off on my instance configuration note and covers another security finding. A small intro to set up a context: I always use custom certificates for the WebLogic servers and all the components. In nova days certificates are free and if you have a cloud-based or open project, services like Let's Encrypt give you free SSL certificates and tools for automating the certificate life cycle. But you not always have a choice and most of my projects use internal CA services to manage certificates company-wide.

One way or another, my quite standard NodeManager property file looks similar to the template below:

# Keystore configuration
KeyStores=CustomIdentityAndCustomTrust
CustomTrustKeyStoreFileName={{ jks_home }}/trust.jks
CustomIdentityKeyStoreFileName={{ jks_home }}/identity.jks
CustomIdentityAlias={{ key_alias }}
CustomIdentityKeyStoreType=JKS
CustomIdentityPrivateKeyPassPhrase={{ key_pass }}
CustomIdentityKeyStorePassPhrase={{ store_pass }}

Of course, Oracle HTTP server 12c has received the same NodeManager configuration as all the other domains we manage through the Ansible playbooks. Immediately, after NodeManager start I run into the odd issue: my startComponent.sh script failed to connect to the NodeManager port. Well, it happens all the time, so as part of the standard WLST script call I add an environment variable declaration:

export WLST_PROPERTIES="-Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.CustomTrustKeyStoreFileName={{ jks_home }}/trust.jks -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dweblogic.MaxMessageSize=300000000"

Well, this time it doesn't work. All the domain scripts ignore my arguments and failed with the handshake exception: PKIX path building failed.  To check if WLST_PROPERTIES works,  I added -Djavax.net.ssl.debug argument I get the debug output. That's how I figured out that scripts ignore WebLogic arguments and use DemoIdentity.jks and DemoTrust.jks, ignoring even the standard Java trust keystore. After a few trials, I end up with the environment variable as below.

export WLST_PROPERTIES="-Dweblogic.MaxMessageSize=3000000 -Djavax.net.ssl.trustStore={{ jks_home }}/trust.jks"

It adds custom keystore to the list of the trusted certificates on the JVM level, so java.weblogic.WLST can validate custom certificates.

I think that WebLogic base component template is not quite a WebLogic server and it does not understand WebLogic security arguments, while tools use WebLogic server framework and default configuration settings.