Tuesday, December 6, 2016

Securing cleartext FactoryProperties credentials in the Oracle JMS Adapter using Oracle Wallet

Are you installing an Oracle SOA Suite 11g or 12c cluster? Clearly you're well acquainted with the EDG (aka Enterprise Deployment Guide). One of the steps involves configuring high availability for the Oracle JMS Adapter.

This requires adding an entry similar to the following:
java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory;java.naming.provider.url=t3://soahost1.raastech.com:8001,soahost2.raastech.com:8001;java.naming.security.principal=weblogic;java.naming.security.credentials=welcome1
This is how it looks in the Oracle WebLogic Server 12c Administration Console:

As you can see in the screenshot, the password for the "weblogic" user is unfortunately in cleartext.


Securing FactoryProperties Credentials with Oracle Wallet

1. Create a wallet.

java -jar $ORACLE_HOME/wlserver/server/lib/wljmsra.rar create $JAVA_HOME/jre/lib/security

2. This creates an Oracle Wallet with the file name cwallet.sso under the $JAVA_HOME/jre/lib/security directory.

3. Create an alias for your property. This is a name-value pair property and will have a name of "weblogicPwdAlias" and a value of "welcome1".

java -jar $ORACLE_HOME/wlserver/server/lib/wljmsra.rar add weblogicPwdAlias welcome1

4. List the aliases in the Oracle Wallet to confirm all is good.

java -jar $ORACLE_HOME/wlserver/server/lib/wljmsra.rar dump $JAVA_HOME/jre/lib/security

5. On the WebLogic Server Administration Console, click on Deployments.

6. Navigate to Deployments > JmsAdapter > Configuration > Outbound Connection Pools.

7. Expand oracle.tip.adapter.jms.IJmsConnectionFactory.

8. Click on eis/wls/Queue.

9. Add the following FactoryProperties property. Make note of java.naming.security.credentials (which is now the alias) and weblogic.jms.walletDir (which is the path to cwallet.sso).

java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory;java.naming.provider.url=t3://soahost1.raastech.com:8001,soahost2.raastech.com:8001;java.naming.security.principal=weblogic;java.naming.security.credentials=->weblogicPwdAlias;weblogic.jms.walletDir=/u01/app/oracle/middleware/products/jdk1.8.0_102/jre/lib/security

10. Click on Save.

11. On the Save Deployment Plan page, enter the Path (e.g., /u01/app/oracle/middleware/products/fmw1221/user_projects/applications/soa_domain/dp/JmsAdapterPlan.xml).

12. Click on OK.

13. Click on Save.

15. Activate Changes.
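
To confirm that no cleartext password remains after the change, the saved deployment plan can be audited. The script below is an added example, not part of the original post or of any Oracle tooling: it flags any FactoryProperties value whose java.naming.security.credentials is not a "->" alias, or that uses an alias without weblogic.jms.walletDir. The sample plan, its variable names and the /opt/wallet path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CRED_KEY = "java.naming.security.credentials"
WALLET_KEY = "weblogic.jms.walletDir"
ALIAS_PREFIX = "->"  # alias syntax used in step 9

# Constructed sample plan; variable names and /opt/wallet are hypothetical.
SAMPLE_PLAN = """<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <variable-definition>
    <variable><name>ConfigProperty_Queue</name>
      <value>java.naming.security.principal=weblogic;java.naming.security.credentials=welcome1</value></variable>
    <variable><name>ConfigProperty_Topic</name>
      <value>java.naming.security.principal=weblogic;java.naming.security.credentials=->weblogicPwdAlias;weblogic.jms.walletDir=/opt/wallet</value></variable>
  </variable-definition>
</deployment-plan>"""


def audit_factory_properties(value):
    """Return findings for one FactoryProperties string (never echoes the secret)."""
    props = {}
    for pair in value.split(";"):
        key, sep, val = pair.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = val.strip()
    cred = props.get(CRED_KEY)
    if cred is None:
        return []
    if not cred.startswith(ALIAS_PREFIX):
        return ["cleartext credential"]
    if not props.get(WALLET_KEY):
        return ["alias without " + WALLET_KEY]
    return []


def audit_plan(plan_xml):
    """Return (variable name, finding) for every variable in a deployment plan."""
    def local(tag):
        return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
    results = []
    for var in ET.fromstring(plan_xml).iter():
        if local(var.tag) != "variable":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in var}
        for finding in audit_factory_properties(fields.get("value", "")):
            results.append((fields.get("name", "?"), finding))
    return results


if __name__ == "__main__":
    for name, finding in audit_plan(SAMPLE_PLAN):
        print(name + ": " + finding)
```

To audit a real plan, pass the contents of the file saved in step 11 to audit_plan().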



Applicable Versions:
  • Oracle WebLogic Server 12c (12.1.x)

