keytool: configuring an SSL connection between BIEE and LDAP

--LDAP
OBIEE 11g Security Week : Connecting to Active Directory, and Obtaining Group Membership from Database Tables
https://www.rittmanmead.com/blog/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
http://ecapitaladvisors.com/blog/obiee-quick-ldap-configuration/
https://docs.oracle.com/middleware/12211/biee/BIESC/GUID-34F68CB5-5B84-4D72-B82A-BE5A2DC90D13.htm#BIESC6078

Fix for slow WebLogic startup (the JDK may be under /u02/BIEE12C/oracle_common/jdk/jre)
3) Best fix: in the JDK that WebLogic uses on Linux, edit $JAVA_HOME/jre/lib/security/java.security and change
  securerandom.source=file:/dev/urandom
to
  securerandom.source=file:/dev/./urandom
(Older JDKs special-case the literal value file:/dev/urandom and still draw seed entropy from the blocking /dev/random; the /dev/./urandom spelling sidesteps that special case, which is why startup stops hanging.)

Java-Keytool

https://www.cnblogs.com/sunkaikees/p/10273897.html

https://baike.baidu.com/item/keytool/5885709?fr=aladdin

https://www.chinassl.net/ssltools/keytool-commands.html

https://blog.csdn.net/yinhuaiya/article/details/81774314

Certificates are needed when configuring https, SSL on sockets and the like. If the company has no formal certificate, you have to generate a self-signed one; two ways of doing that are described below. I used openssl for my nginx https setup and Java's keytool for adding SSL to the socket.

## Generating self-signed certificates and self-signed CA certificates with the Java certificate tool keytool

The certificate management tool shipped with the JDK is called keytool and lives in jdk/bin. It can generate self-signed certificates, import and export certificates, print certificate details, and so on.

### 1. Terms

Self-signed certificate: a certificate produced by signing your own public key and subject information with your own private key.
Certificate signature: the certificate's fixed (to-be-signed) fields are hashed, and the hash is then signed (in RSA terms, encrypted) with the private key of the key pair.
keystore: the store in which keytool keeps the certificates it generates. It holds entries, each containing a key pair plus subject information, and defaults to .keystore in the user's home directory. It is effectively a password-protected file.
truststore: same format as a keystore, but used only to hold trusted certificates; it contains no private keys. The separate name merely distinguishes its role from the keystore.

der: certificate encoding in which the certificate structure is serialised to binary.
pem: certificate encoding consisting of the base64 text of the DER bytes, wrapped in -----BEGIN----- / -----END----- lines (adding -rfc to a keytool command prints or produces this form).
.csr: certificate signing request; it contains the public key and subject information and is sent to the CA, which signs the content with its private key and returns a certificate. keytool generates a CSR from an existing key-pair entry (i.e. its public key and subject information).
.crt: certificate file extension commonly used on Linux; contains the public key and subject information.
.cer: certificate file extension commonly used on Windows; contains the public key and subject information.
.p12: PKCS#12 exchange format; contains the public and private key (the private key password-protected) and is used to transport them.

BIEE LDAP:

Enabling an LDAP Authentication Provider for SSL
https://docs.oracle.com/middleware/12211/wls/SECMG/ldap_atn.htm#SECMG539

If the connection to the LDAP server uses SSL, create and use a custom trust keystore containing the LDAP server's CA certificate. For details see "Enabling an LDAP Authentication Provider for SSL" (link above).

```shell
keytool -import -keystore ./ldapTrustKS -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt
```

Truststore and keystore definitions

https://www.orcode.com/question/44976_ka5d78.html

Requesting a certificate from an AD domain, importing it into a Java keystore, and changing AD user passwords over LDAP

https://blog.csdn.net/hc1017/article/details/81293323

WebLogic: configuring a custom keystore and SSL (operations manual)

https://www.cnblogs.com/wzjhoutai/p/6772493.html

## WebLogic: configuring a custom keystore and SSL (operations manual)

(Custom identity and custom trust, keytool, TLS 1.0)

1. Enable the SSL port

Save, then restart the managed server.

(screenshot: accessing the site in IE)

(screenshot: accessing the site in Chrome)

2. Check the keystore and SSL configuration

(screenshot: Keystores tab)

(screenshot: SSL tab)

3. Create identity.jks and trust.jks by hand

Create a directory for the keystores:

```shell
[weblogic@Weblogic201 ~]$ mkdir jksHL
[weblogic@Weblogic201 ~]$ cd jksHL/
```

Generate the identity keystore identity.jks

The parts highlighted in yellow below mean the following:

weblogicHL is the "SSL - Private Key Alias".
keypass123 is the "SSL - Private Key Passphrase".
storepass123 is the "Keystores - Identity - Custom Identity Keystore Passphrase".
storepass123 is also the "Keystores - Trust - Custom Trust Keystore Passphrase".
3650 is the validity period of the custom certificate, in days.

```
[weblogic@Weblogic201 jksHL]$ keytool -genkey -alias weblogicHL -keyalg RSA -keypass keypass123 -keystore identity.jks -storepass storepass123 -validity 3650
What is your first and last name?
  [Unknown]:  HaiLang
What is the name of your organizational unit?
  [Unknown]:  GZCSS
What is the name of your organization?
  [Unknown]:  GZCSS
What is the name of your City or Locality?
  [Unknown]:  GZ
What is the name of your State or Province?
  [Unknown]:  GD
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ, ST=GD, C=CN correct?
  [no]:  yes
```

Export the public-key certificate as a .cer file:

```
[weblogic@Weblogic201 jksHL]$ keytool -export -alias weblogicHL -file root.cer -keystore identity.jks
Enter keystore password:  storepass123
Certificate stored in file <root.cer>
```

Generate the trust keystore trust.jks

Import the root.cer public-key certificate produced in the previous step; this creates trust.jks:

```
[weblogic@Weblogic201 jksHL]$ keytool -import -alias weblogicHL -trustcacerts -file root.cer -keystore trust.jks
Enter keystore password:  storepass123
Re-enter new password:  storepass123
Owner: CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ, ST=GD, C=CN
Issuer: CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ, ST=GD, C=CN
Serial number: 559a5ac9
Valid from: Mon Jul 06 18:39:05 HKT 2015 until: Thu Jul 03 18:39:05 HKT 2025
Certificate fingerprints:
         MD5:  04:F2:4F:97:5B:8B:32:23:AB:69:D0:6A:42:1D:C7:77
         SHA1: A0:B3:6F:90:08:0D:6B:55:6F:A6:13:C6:3B:C0:F4:CE:E1:B5:72:F9
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
```

Because the certificate is self-signed, Owner and Issuer are identical, and keytool cannot chain it to anything in cacerts, so it asks you to confirm trust explicitly; compare the fingerprints against the exported root.cer before answering yes.

At this point identity.jks and trust.jks are ready.
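The keystore build from step 3 and the LDAP truststore import from the BIEE LDAP section above, as an added example that is not part of the original post: a POSIX shell script that runs the same keytool steps non-interactively (subject given with -dname; 2048-bit RSA and SHA-256 instead of the 1024-bit / SHA1 defaults of the JDK 1.6 in the post) and then checks that the entry in trust.jks is exactly the certificate exported from identity.jks by comparing SHA-256 fingerprints. It assumes keytool from JDK 8 or later is on PATH; the aliases and passwords are the post's values, and the scratch directory is constructed.

```shell
#!/bin/sh
# Added example: non-interactive identity/trust keystore build plus a fingerprint check.
# Assumes keytool (JDK 8+) on PATH. WORK stands in for the post's ~/jksHL directory.
set -eu
WORK=${WORK:-$(mktemp -d)}
STOREPASS=storepass123            # keystore passphrase used in the post
KEYPASS=keypass123                # private-key passphrase used in the post

# Import a CA or self-signed certificate (PEM or DER) into a truststore under an alias.
# Same operation as the post's "keytool -import ... -keystore ./ldapTrustKS" for the LDAP CA.
import_trusted_cert() {           # $1 = cert file, $2 = truststore path, $3 = alias
  keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
    -keystore "$2" -storetype JKS -storepass "$STOREPASS"
}

make_keystores() {
  # Identity keystore: -dname replaces the interactive subject prompts.
  keytool -genkeypair -alias weblogicHL -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ, ST=GD, C=CN" -validity 3650 \
    -keypass "$KEYPASS" -keystore "$WORK/identity.jks" -storetype JKS -storepass "$STOREPASS"
  # Export the public certificate, then load it into the trust keystore.
  keytool -exportcert -alias weblogicHL -file "$WORK/root.cer" \
    -keystore "$WORK/identity.jks" -storepass "$STOREPASS"
  import_trusted_cert "$WORK/root.cer" "$WORK/trust.jks" weblogicHL
}

# SHA-256 fingerprint of a certificate file, as printed by keytool -printcert.
cert_fingerprint() { keytool -printcert -file "$1" | sed -n 's/.*SHA256: *//p' | head -n 1; }

# SHA-256 fingerprint of one alias inside a truststore.
store_fingerprint() {             # $1 = truststore, $2 = alias
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
    | sed -n 's/.*SHA256: *//p' | head -n 1
}

# Returns 0 only if the truststore entry is byte-for-byte the exported certificate.
check_trust() {
  a=$(cert_fingerprint "$WORK/root.cer")
  b=$(store_fingerprint "$WORK/trust.jks" weblogicHL)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: make_keystores && check_trust && echo "trust.jks matches root.cer ($WORK)"
```

The same check_trust comparison applies to the LDAP case: print the CA's fingerprint from the PEM the LDAP administrator gave you and compare it with the oidtrust entry in ldapTrustKS before pointing the authentication provider at it.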

4. Configure the new keystore and SSL in the Console

Replace the default Demo keystores.

"Keystores - Change"

Select "Custom Identity and Custom Trust", then "Save".

Fill in the keystore configuration:

Custom Identity Keystore: /home/weblogic/jksHL/identity.jks

Custom Trust Keystore: /home/weblogic/jksHL/trust.jks

Custom Identity/Trust Keystore Type: jks

Click "Save". The keystore settings are done.

SSL configuration:

Private Key Alias: weblogicHL

Private Key Passphrase: keypass123

Click "Save" and restart the server. Keystore and SSL configuration is complete.

5. Verify in a browser

Server startup log:

```
[weblogic@Weblogic201 bin]$ ./startManagedWebLogic.sh appSrv02 http://Weblogic201:7001
.
.
JAVA Memory arguments: -Xms1024m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m
.
WLS Start Mode=Development
.
CLASSPATH=/home/weblogic/Oracle/Middleware/patch_wls1035/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/weblogic/Oracle/Middleware/patch_ocp360/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/weblogic/jdk1.6.0_45/lib/tools.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/home/weblogic/Oracle/Middleware/modules/features/weblogic.server.modules_10.3.5.0.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/home/weblogic/Oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/home/weblogic/Oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/xqrl.jar:.:/home/weblogic/jdk1.6.0_45$/lib:/home/weblogic/jdk1.6.0_45$/lib/tools.jar
.
PATH=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/bin:/home/weblogic/Oracle/Middleware/modules/org.apache.ant_1.7.1/bin:/home/weblogic/jdk1.6.0_45/jre/bin:/home/weblogic/jdk1.6.0_45/bin:/home/weblogic/jdk1.6.0_45/bin:/home/weblogic/jdk1.6.0_45/jre/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/weblogic/bin
.
***************************************************
*  To start WebLogic Server, use a username and  *
* password assigned to an admin-level user.  For *
* server administration, use the WebLogic Server *
* console at http://hostname:port/console        *
***************************************************
starting weblogic with Java version:
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)
Starting WLS with line:
/home/weblogic/jdk1.6.0_45/bin/java -client -Xms1024m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m -Dweblogic.Name=appSrv02 -Djava.security.policy=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.security.SSL.trustedCAKeyStore=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/cacerts -Xverify:none -da -Dplatform.home=/home/weblogic/Oracle/Middleware/wlserver_10.3 -Dwls.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.management.discover=false -Dweblogic.management.server=http://Weblogic201:7001 -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/home/weblogic/Oracle/Middleware/patch_wls1035/profiles/default/sysext_manifest_classpath:/home/weblogic/Oracle/Middleware/patch_ocp360/profiles/default/sysext_manifest_classpath weblogic.Server
<Jul 6, 2015 7:20:17 PM HKT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Jul 6, 2015 7:20:18 PM HKT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Jul 6, 2015 7:20:18 PM HKT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 20.45-b01 from Sun Microsystems Inc.>
<Jul 6, 2015 7:20:19 PM HKT> <Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:weblogic
Enter password to boot WebLogic server:
<Jul 6, 2015 7:20:24 PM HKT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0.7 PSU Patch for BUG16088411 Mon Apr 01 15:13:52 IST 2013
WebLogic Server 10.3.5.0  Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Jul 6, 2015 7:20:26 PM HKT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Jul 6, 2015 7:20:26 PM HKT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Jul 6, 2015 7:20:26 PM HKT> <Notice> <LoggingService> <BEA-320400> <The log file /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
<Jul 6, 2015 7:20:26 PM HKT> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log00018. Log messages will continue to be logged in /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log.>
<Jul 6, 2015 7:20:26 PM HKT> <Notice> <Log Management> <BEA-170019> <The server log file /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log is opened. All server side log events will be written to this file.>
<Jul 6, 2015 7:20:29 PM HKT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Jul 6, 2015 7:20:30 PM HKT> <Notice> <LoggingService> <BEA-320400> <The log file /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
<Jul 6, 2015 7:20:30 PM HKT> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log00012. Log messages will continue to be logged in /home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log.>
<Jul 6, 2015 7:20:31 PM HKT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Jul 6, 2015 7:20:31 PM HKT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Jul 6, 2015 7:20:33 PM HKT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Jul 6, 2015 7:20:33 PM HKT> <Notice> <Cluster> <BEA-000197> <Listening for announcements from cluster using unicast cluster messaging>
<Jul 6, 2015 7:20:33 PM HKT> <Notice> <Cluster> <BEA-000133> <Waiting to synchronize with other running members of Cluster1.>
<Jul 6, 2015 7:20:46 PM HKT> <Notice> <Cluster> <BEA-000142> <Trying to download cluster JNDI tree from server appSrv04.>
<Jul 6, 2015 7:20:46 PM HKT> <Notice> <Cluster> <BEA-000164> <Synchronized cluster JNDI tree from server appSrv04.>
<Jul 6, 2015 7:20:46 PM HKT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Jul 6, 2015 7:20:46 PM HKT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Jul 6, 2015 7:20:46 PM HKT> <Notice> <Cluster> <BEA-000162> <Starting "async" replication service with remote cluster address "150.18.23.201:8001,150.18.23.201:8002,150.18.23.202:8001,150.18.23.202:8002">
<Jul 6, 2015 7:20:47 PM HKT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias weblogicHL from the jks keystore file /home/weblogic/jksHL/identity.jks.>
<Jul 6, 2015 7:20:47 PM HKT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /home/weblogic/jksHL/trust.jks.>
<Jul 6, 2015 7:20:47 PM HKT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 150.18.23.201:8012 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<Jul 6, 2015 7:20:47 PM HKT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 150.18.23.201:8002 for protocols iiop, t3, CLUSTER-BROADCAST, ldap, snmp, http.>
<Jul 6, 2015 7:20:47 PM HKT> <Notice> <WebLogicServer> <BEA-000332> <Started WebLogic Managed Server "appSrv02" for domain "myDomain" running in Development Mode>
<Jul 6, 2015 7:20:48 PM HKT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jul 6, 2015 7:20:48 PM HKT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
```

The BEA-090171 and BEA-090169 lines show that the custom identity and trust keystores were loaded successfully, and BEA-002613 shows the "DefaultSecure" channel listening for https, ldaps and t3s on the SSL port.

(screenshot: accessing the site in IE)

Choose "Continue to this website"; the page loads.

(screenshot: certificate details)

The validity period and issuer shown are those of the certificate we created earlier, with subject CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ, ST=GD, C=CN.

(screenshot: accessing the site in Chrome)

Chrome likewise warns that the certificate is not trusted.

Choose "Proceed".

(screenshot: certificate details)

The browser warnings are expected: root.cer is in the server's trust.jks but not in the browsers' trust stores. They go away only if clients import root.cer into their own trust store, or if the identity keystore holds a certificate issued by a CA the clients already trust.

This completes the custom keystore and SSL configuration.

---------------------------------------------------------------------------------------------------------------------------------

12306's SSL certificate encryption technique:


Reposted from blog.csdn.net/hellojoy/article/details/104001614