nShield Oracle Weblogic Server 11g R1 Windows - Thales e-Security

nShield Modules 

Integration Guide for Oracle WebLogic Server 

11g Release 1 (10.3.5.0) for Windows 

www.thales-esecurity.com

Version: 2.0 

Date: 28 March 2012 

Copyright 2012 Thales e-Security Limited. All rights reserved. 

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified, 

adapted, published, translated in any material form (including storage in any medium by electronic means 

whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior 

written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which 

it is supplied. 

CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of 

Thales e-Security Limited. 

CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra, 

nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited. 

All other trademarks are the property of the respective trademark holders. 

Information in this document is subject to change without notice. 

Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited 

to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall 

not be liable for errors contained herein or for incidental or consequential damages concerned with the 

furnishing, performance or use of this material. 

These installation instructions are intended to provide step-by-step instructions for installing Thales software 

with third-party software. These instructions do not cover all situations and are intended as a supplement to the 

documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities 

regarding third-party products and only provides warranties and liabilities with its own products as addressed 

in the Terms and Conditions for Sale. 

Version: 2.0 

Date: 28 March 2012 

2012 

Template: nShiMar12 

nShield Modules: Integration Guide for Oracle WebLogic Server 11g Release 1 (10.3.5.0) for Windows 2

Contents 

Chapter 1: Introduction 4 

Supported nCipher functionality 5 

Requirements 5 

Chapter 2: Procedures 6 

Installing nShield Hardware and Software 6 

Installing Oracle WebLogic Server and creating the WebLogic Domain 6 

Configuring the nCipher JCE provider for key management and acceleration 7 

Configuring Oracle WebLogic Server to use the stored trusted certificate 13 

Addresses 15 


Chapter 1: 

Introduction 

This guide explains how to integrate Oracle WebLogic Server with a Thales nShield Hardware 

Security Module (HSM). The instructions in this document have been thoroughly tested and 

provide a straight-forward integration process. There may be other untested ways to achieve 

interoperability. 

This document may not cover every step in the process of setting up all the software. This 

document assumes that you have read your HSM documentation and that you are familiar with 

the documentation and setup process for Oracle WebLogic Server. 

The HSM can significantly enhance the performance of the Oracle WebLogic Server by 

offloading and accelerating the SSL RSA cryptography. Heavy SSL traffic load can drastically 

lower the performance of a web server. The HSM offloads the SSL cryptographic processing 

from the web server’s CPU, which frees the server to process other transactions. The Oracle 

WebLogic Server integrates with the HSM using the JCECSP interface. 

The benefits of using an HSM with the Oracle WebLogic Server are as follows: 

• Centralized secure storage of the private key. 

• Full life-cycle management of the keys. 

• Improved server performance by offloading the cryptographic processing. 

• Highest level of security assurance, the keys never leave the HSM as plain text. 

• FIPS 140-2 level 3 validated hardware. 

• Failover support. 

The integration between the HSM and the Oracle WebLogic Server has been tested in the 

following combinations: 

Operating system 

Windows Server 2008 

R2 

Oracle 

WebLogic 

Server 

version 

Thales 

nShield 

software 

version 


Solo 

support 

netHSM 

support 


Connect 

support 


Edge 

support 

10.3.5.0 11.50 Yes — Yes Yes 


Supported nCipher functionality 

Additional documentation produced to support your Thales nShield product can be found in the 

document directory of the CD-ROM or DVD-ROM for that product. 

Note 

Throughout this guide, the term HSM refers to nShield Solo modules, netHSM, 

and nShield Connect products. (nShield Solo products were formerly known as 

nShield.) 

Supported nCipher functionality 

Key Generation Yes 1-of-N Operator Card 

Set 

Yes Strict FIPS Support — 

Key Management Yes K-of-N Operator Card — Load Sharing Yes 

Set 

Key Import — Softcards Yes Fail Over Yes 

Key Recovery Yes Module-only Key — 

Requirements 

Before you begin the integration process: 

• Read the Quick Start Guide or User Guide for your HSM. 

• Familiarize yourself with the setup procedures for Oracle WebLogic Server. 

Before running the setup program, you need to know: 

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and 

the policy for managing these cards. 

• The number and quorum of Operator Cards in the OCS (only 1-of-N is supported), and the 

policy for managing these cards. 

• Whether the application keys are to be protected by the module, softcard or Operator Card 

Set (OCS). 

• Whether the security world needs to be compliant with FIPS 140-2 level 3. 

• Key attributes, such as the key size, persistence, and time out. 

• Whether or not key usage requires auditing. 

Note K-of-N functionality is not currently supported, which means you must create a 1- 

of-N OCS. 


Chapter 2: 

Procedures 

To integrate Oracle WebLogic server with an nShield HSM: 

1 Install nShield Hardware and Software. 

2 Install Oracle WebLogic Server and create the WebLogic Domain. 

3 Configure the nCipher JCE provider for key management and acceleration. 

4 Configure Oracle WebLogic to use the stored trusted certificate. 

All these procedures are described in the following sections. 

Installing nShield Hardware and Software 

Install the HSM using the instructions in the documentation for the HSM. 

After installing the HSM, install the latest version of the Thales nCipher support software and 

configure the HSM as described in the User Guide for the HSM. 

Note 

We recommend that you uninstall any existing Thales nCipher software before 

installing the new software. 

Installing Oracle WebLogic Server and creating the 

WebLogic Domain 

To install Oracle WebLogic Server: 

1 Start the WebLogic Server installation by running wls1035_oepe111172_win32.exe. 

2 In the Oracle WebLogic welcome window, click Next. 

3 Accept the license agreement and click Next. 

4 Select either the desired home directory for the Oracle WebLogic server or the default 

directory, and then click Next. 


Configuring the nCipher JCE provider for key management and acceleration 

5 Select the desired installation type, then click Next. 

6 To complete the installation, click Done. 

To create a sample WebLogic Domain: 

1 Select Start > All Programs > Oracle WebLogic > Quick Start. 

2 Click Getting Started with WebLogic Server 10.3.5.0, select Create a new WebLogic domain, 

and then click Next. 

3 Select Generate a domain configured automatically to support the following Oracle products 

and then click Next. 

4 Specify the name and location for the Domain. 

5 In the Configure Administrator Username and Password window, specify a username and a 

password (which must have a minimum length of 8 characters), and then confirm the 

password. 

6 In the Configure Server Start Mode and JDK window, accept the defaults and click Next. 

7 In the Select optional configuration window, accept the defaults and click Next. 

8 In the Configuration summary window, click Create. 

9 To complete the creation of the WebLogic Domain, click Done. 

Configuring the nCipher JCE provider for key management 

and acceleration 

The nCipher JCA/JCE CSP (Cryptographic Service Provider) allows Java applications and 

services to access the secure cryptographic operations and key management provided by Thales 

HSMs. The nCipher JCA/JCE CSP is used with the standard JCE (Java Cryptographic Extension) 

Programming interface. 

Before you configure the nCipher JCE provider for key management and acceleration, check that 

the files for the nCipher JCE provider are installed (the default directory is C:\nfast\java\classes). 



To install and configure the nCipher JCE provider: 

1 Configure the files for use with the Oracle WebLogic Server using the following method: 

- Set 

jceclasspath=C:\Oracle\jdk160_xx\jre\lib;C:\Oracle\jdk160_xx\jre\lib\ext;C:\Oracle\jdk1 

60_xx\jre\lib\security 

- Set CLASSPATH= jceclasspath;C:\nfast\java\classes 

- Set PATH= C:\Oracle\jdk160_xx\bin 

2 Install the nCipher JCA/JCE CSP by copying the nCipherKM.jar file from the 

C:\nfast\java\classes directory to the C:\Oracle\jdk160_xx\jre\lib\ext directory. 

3 Install the unlimited strength JCE jurisdiction policy files: 

a 

b 

Download the archive containing the Java Cryptography Extension (JCE) Unlimited 

Strength Jurisdiction Policy Files from: 

http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archivedownloads-java-plat-419418.html#jce_policy-6-oth-JPR 

Extract the local_policy.jar and US_export_policy.jar files from the Java Cryptography 

Extension (JCE) Unlimited Strength Jurisdiction Policy File archive, and copy them into 

the security directory (C:\Oracle\jdk160_xx\jre\lib\security). 

Note 

When you copy these files into the appropriate folder, you must overwrite any 

existing files with the same names. 

4 Using a text editor, open the Java security file (java.security) for editing. The Java security 

file is typically located in C:\Oracle\jdk160_xx\jre\lib\security\java.security. 

5 Add the nCipher JCE provider to the list of approved JCE providers for the WebLogic Server, 

as shown below: 

security.provider.1=com.ncipher.provider.km.nCipherKM 

security.provider.2=sun.security.provider.Sun 

security.provider.3=sun.security.rsa.SunRsaSign 

security.provider.4=com.sun.net.ssl.internal.ssl.Provider 

security.provider.5=com.sun.crypto.provider.SunJCE 

security.provider.6=sun.security.jgss.SunProvider 

security.provider.7=com.sun.security.sasl.Provider 

security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI 

security.provider.9=sun.security.smartcardio.SunPCSC 

security.provider.10=sun.security.mscapi.SunMSCAPI 

Note 

The order is numerical: 1 is the most preferred, followed by 2, and so on. 



6 Save your changes to the java.security file. 

7 Check that the nCipher JCA/JCE CSP has installed successfully by running the following 

command from the C:\nfast\java\classes directory: 

java com.ncipher.provider.Installationtest 

If the nCipher JCA/JCE provider has been installed correctly, it is included in the command 

output, as shown in the following example: 

Installed providers: 

1: nCipherKM 

2: SunJSSE 

3: SUN 

4: nCipherRSAPrivateEncrypt 

5: SunJCE 

6: SunJGSS 

Unlimited strength jurisdiction files are installed. 

The nCipher provider is correctly installed. 

nCipher JCE services: 

Alg.Alias.Cipher.1.2.840.113549.1.1.1 

Alg.Alias.Cipher.1.2.840.113549.3.4 

Alg.Alias.Cipher.AES 

Alg.Alias.Cipher.DES3 

Note 

If the JCE installation test does not list the nCipher JCA/JCE CSP with nShield, 

check that the Java ports are open in the nfast config file. 



8 Generate Keystore using Java keytool. 

To generate a trusted certificate using Java keytool: 

a 

b 

Open the command prompt and navigate to 

C:\Oracle\Middleware\user_projects\domains\base_domain. 

Generate a new keystore and key pair (set com.ncipher.provider.km.nCipherKM to 1 in 

the java.security file) for any of the following purposes: 

• Card set protection: 

keytool -genkey -keystore ncqa -storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA 

-keysize 1024 -sigalg SHA1withRSA -storetype nCipher.sworld 

Example: 

C:\Oracle\Middleware\user_projects\domains\base_domain>keytool -genkey -keystore ncqa -storepass 123456 

-alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -storetype nCipher.sworld 

What is your first and last name? 

[Unknown]: Application Guide 

What is the name of your organizational unit? 

[Unknown]: nCipher Guide 

What is the name of your organization? 

[Unknown]: nCipher 

What is the name of your City or Locality? 

[Unknown]: Woburn 

What is the name of your State or Province? 

[Unknown]: Cambridge 

What is the two-letter country code for this unit? 

[Unknown]: UK 

Is CN= Application Guide, OU= nCipher Guide, O= nCipher, L= Woburn, ST= 

Cambridge, C= UK correct? 

[no]: yes 

• Module protection: 

java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH;." sun.security.tools.KeyTool -genkey 

-keystore ncqa -storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 

-sigalg SHA1withRSA -storetype nCipher.sworld 

• Softcard protection: 

java -Dprotect=softcard:IDENT -cp "$CLASSPATH;." sun.security.tools.KeyTool -genkey -keystore ncqa 

-storepass 123456 -alias ncqaalias -keypass 123456 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA 

-storetype nCipher.sworld 

In this command, IDENT is the logical token hash of the softcard, which you can 



obtain by running the nkminfo -softcard-list command. 

9 Generate a certificate request from a key in the keystore (set 

com.ncipher.provider.km.nCipherKM to 1 in the java.security file) for any of the following 

purposes: 

- Card set protection: 

keytool -certreq -alias ncqaalias -file certreq.txt -keypass 123456 -keystore ncqa -sigalg SHA1withRSA 

-storepass 123456 -storetype nCipher.sworld 

- Module protection: 

java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH;." sun.security.tools.KeyTool -certreq 

-alias ncqaalias -file certreq.txt -keypass 123456 -keystore ncqa -sigalg SHA1withRSA -storepass 123456 


- Softcard protection: 

java -Dprotect=softcard:IDENT -cp "$CLASSPATH;." sun.security.tools.KeyTool -certreq -alias ncqaalias 

-file certreq.txt -keypass 123456 -keystore ncqa -sigalg SHA1withRSA -storepass 123456 


10 Set the com.ncipher.km.nCipherKM priority to 4 in the java.security file, as shown below: 

security.provider.1=sun.security.provider.Sun 

security.provider.2=sun.security.rsa.SunRsaSign 

security.provider.3=com.sun.net.ssl.internal.ssl.Provider 

security.provider.4=com.ncipher.provider.km.nCipherKM 

security.provider.5=com.sun.crypto.provider.SunJCE 

security.provider.6=sun.security.jgss.SunProvider 

security.provider.7=com.sun.security.sasl.Provider 

security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI 

security.provider.9=sun.security.smartcardio.SunPCSC 

security.provider.10=sun.security.mscapi.SunMSCAPI 



11 Submit the certificate request to the preferred Certificate Authority (CA) to receive a signed 

certificate for any of the following purposes: 


keytool -import -trustcacerts -alias trustalias -file rootcert.cer -keystore ncqa -storepass 123456 


Example: 

C:\Oracle\Middleware\user_projects\domains\base_domain>keytool -import -trustcacerts -alias trustalias 

-file rootcert.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld 

Owner: CN=TestCA, DC=nCipher, DC=co, DC=in 

Issuer: CN= TestCA, DC= nCipher, DC=co, DC=in 

Serial number: 5f54cbda3324f9c4aff9f3ffd55b51b 

Valid from: Fri Nov 04 16:27:43 PDT 2011 until: Tue Nov 04 15:37:41 PST 2014 

Certificate fingerprints: 

MD5: B4:C2:29:A9:3E:A9:61:94:A5:84:34:EA:51:F6:B1:80 

SHA1: 2E:4B:0D:2A:3F:84:C7:D8:34:54:7E:4E:B8:A3:38:D0:28:C0:FE:4D 

Trust this certificate? [no]: yes 

Certificate was added to keystore 


java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH;." sun.security.tools.KeyTool -import 

-trustcacerts -alias trustalias -file rootcert.cer -keystore ncqa -storepass 123456 



java -Dprotect=softcard:IDENT -cp "$CLASSPATH;." sun.security.tools.KeyTool -import -trustcacerts 

-alias trustalias -file rootcert.cer" -keystore ncqa -storepass 123456 -storetype nCipher.sworld 

12 Check that: 

- The certificate is signed and trusted. 

- The CA is referenced in the standard java trust. 

If the CA is not referenced, you must set up the CA as a trusted CA. To set a CA as a 

trusted CA, import the CA trust certificate into a local keystore. You can obtain this 

certificate from the CA manager or vendor. 


Configuring Oracle WebLogic Server to use the stored trusted certificate 

13 Import the signed certificate for any of the following purposes: 


keytool -import -alias ncqalias -keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 


Example: 

C:\Oracle\user_projects\domains\base_domain>keytool -import -alias ncqalias -keypass 123456 

-file certnew.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld 

Certificate reply was installed in keystore 


java -Dprotect=module -DignorePassphrase=true -cp "$CLASSPATH;." sun.security.tools.KeyTool -import 

-alias ncqaalias -keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 



java -Dprotect=softcard:IDENT -cp "$CLASSPATH;." sun.security.tools.KeyTool -import -alias ncqaalias 

-keypass 123456 -file certnew.cer -keystore ncqa -storepass 123456 -storetype nCipher.sworld 

Configuring Oracle WebLogic Server to use the stored 

trusted certificate 

To configure Oracle WebLogic Server to use the stored trusted certificate: 

1 Start Oracle WebLogic Server. 

2 Open the Administration console (http://localhost:7001/console). 

3 Select Domain Structure > Environment and do the following: 

a 

b 

c 

Click Servers and then click AdminServer. 

Select SSL Listen Port enabled. 

In SSL Listen Port, type 443, and then click Save. 


Configuring Oracle WebLogic Server to use the stored trusted certificate 

4 Select the Keystores tab and do the following: 

a 

b 

c 

d 

e 

f 

g 

h 

From the drop down menu, select Custom Identity and Custom Trust. 

In Custom Identity Keystore, type ncqa. 

In Custom Identity Keystore Type, type nCipher.sworld. 

In Custom Identity Keystore Passphrase, type 123456. Confirm the passphrase. 

In Custom Trust Keystore, type trustalias. 

In Custom Trust Keystore Type, type nCipher.sworld. 

In Custom Trust Keystore Passphrase, type 123456. Confirm the passphrase. 

Click Save. 

5 Select the SSL tab and do the following: 

a 

b 

c 

In Private Key Alias, type ncqaalias. 

In Private Key Passphrase, type 123456. Confirm the passphrase. 

Click Save. 

6 Log out from the Administration console. 

7 Restart the WebLogic Server. 

8 Open the Administration console using https://localhost/console. 


Addresses 

Americas 

2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA 

Tel: +1 888 744 4976 or + 1 954 888 6200 

sales@thalesesec.com 

Europe, Middle East, Africa 

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK 

Tel: + 44 (0)1844 201800 

emea.sales@thales-esecurity.com 

Asia Pacific 

Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC 

Tel: + 852 2815 8633 

asia.sales@thales-esecurity.com 

Internet addresses 

Web site: 

Support: 

Online documentation: 

International sales offices: 

www.thales-esecurity.com 

www.thales-esecurity.com/en/Support.aspx 

www.thales-esecurity.com/Resources.aspx 

www.thales-esecurity.com/en/Company/Contact%20Us.aspx

nShield Oracle Weblogic Server 11g R1 Windows - Thales e-Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?