Thursday, May 26, 2016

Hacking users in WebLogic

vi $DOMAIN_HOME/security/DefaultAuthenticatorInit.ldift
insert this:

dn: uid=PIPPO,ou=people,ou=@realm@, dc=@domain@
description: Test generated user
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: S107077
sn: S107077
userpassword: {ssha}blablabla
uid: PIPPO
objectclass: wlsUser
wlsMemberOf: cn=Administrators,ou=groups,ou=@realm@,dc=@domain@



PIPPO should then become an administrative user, since the entry lists it as a member of the Administrators group.

SSHA passwords (SSHA being salted SHA-1) can be generated with openssl, see http://www.openldap.org/faq/data/cache/347.html, or with Python/WLST.
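As an added example (not the post's own code; the post only says Python/WLST can do it), here is the {SSHA} layout the linked OpenLDAP FAQ describes, base64(SHA-1(password || salt) || salt), in plain Java: hash() produces a userpassword value and verify() checks a candidate password against a stored value, which lets you confirm what a userpassword: {ssha}... line in the ldift actually encodes before relying on it. The 8-byte salt length, the class and method names, and the assumption that WebLogic's embedded LDAP accepts this standard layout are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Generate and verify LDAP {SSHA} userpassword values (assumed layout: SHA-1(pw||salt)||salt). */
public final class Ssha {
    private static final String PREFIX = "{SSHA}";
    private static final int SHA1_LEN = 20;   // SHA-1 digest is always 20 bytes
    private static final int SALT_LEN = 8;    // salt length chosen here; any length works for verify()

    private static MessageDigest sha1() {
        try {
            return MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is mandatory in every JRE", e);
        }
    }

    /** Hash with an explicit salt; used by both the generator and the verifier. */
    public static String hash(String password, byte[] salt) {
        MessageDigest md = sha1();
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] digest = md.digest();
        // Stored blob is digest followed by the salt, then base64-encoded.
        byte[] out = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, out, 0, digest.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    /** Hash with a fresh random salt, i.e. what you would paste into the ldift. */
    public static String hash(String password) {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        return hash(password, salt);
    }

    /** True if the candidate password matches the stored {SSHA}/{ssha} value. */
    public static boolean verify(String password, String stored) {
        if (stored == null || !stored.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return false;   // not an SSHA value (scheme tag is case-insensitive, the ldift uses {ssha})
        }
        byte[] raw = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        if (raw.length <= SHA1_LEN) {
            return false;   // no salt bytes after the digest: malformed
        }
        byte[] salt = Arrays.copyOfRange(raw, SHA1_LEN, raw.length);
        byte[] expected = Base64.getDecoder().decode(hash(password, salt).substring(PREFIX.length()));
        return MessageDigest.isEqual(expected, raw);   // constant-time comparison
    }

    public static void main(String[] args) {
        String stored = hash("s3cret-example");          // constructed sample password
        System.out.println("userpassword: " + stored);
        System.out.println("matches:      " + verify("s3cret-example", stored));   // true
        System.out.println("wrong pw:     " + verify("other", stored));            // false
    }
}
```

Because verify() recovers the salt from the stored value itself, it works on values produced by slappasswd or any other tool that follows the same layout, not only on ones generated by hash().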

Wednesday, May 25, 2016

WebLogic network-access-point

If you need to invoke operations (EJB, WS...) on a specific IP address different from the main listen address / port of WLS, you can create a network-access-point inside config.xml and give it a mnemonic name such as "INT-Channel":
   <network-access-point>
      <name>INT-Channel</name>
      <protocol>t3s</protocol>
      <listen-address>1.2.3.4</listen-address>
      <enabled>true</enabled>
      <two-way-ssl-enabled>true</two-way-ssl-enabled>
      <client-certificate-enforced>true</client-certificate-enforced>
    </network-access-point> 


and configure your component in your weblogic-ejb-jar.xml with a clause:
<weblogic-enterprise-bean>
     <network-access-point>INT-Channel</network-access-point>
</weblogic-enterprise-bean>

see https://docs.oracle.com/cd/E11035_01/wls100/ejb/DDreference-ejb-jar.html#network-access-point



Tuesday, May 24, 2016

Apache http-client, customizing SSLSocketFactory

Here the general documentation on Apache HTTP client https://hc.apache.org/httpcomponents-client-ga/

https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/scheme/SchemeSocketFactory.html

    HttpContext context...                                    // context of the request being executed
    SchemeRegistry registry = getSchemeRegistry(context);     // registry mapping scheme names to socket factories
    Scheme schm = registry.getScheme(target.getSchemeName()); // e.g. the "https" scheme for the target host
    SchemeSocketFactory sf = schm.getSchemeSocketFactory();   // the factory that will open the (SSL) socket


This example https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java shows

Specifically, it's interesting to look at their default implementation of https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/HostnameVerifier.html, which is org.apache.http.conn.ssl.BrowserCompatHostnameVerifier (it extends org.apache.http.conn.ssl.AbstractVerifier, which implements org.apache.http.conn.ssl.X509HostnameVerifier, which in turn extends javax.net.ssl.HostnameVerifier).

The extra methods added by org.apache.http.conn.ssl.X509HostnameVerifier are:

  public abstract void verify(String host, SSLSocket ssl)
    throws IOException;
  
  public abstract void verify(String host, X509Certificate cert)
    throws SSLException;
  
  public abstract void verify(String host, String[] cns, String[] subjectAlts)
    throws SSLException;

while the basic javax.net.ssl.HostnameVerifier contains only:
  boolean verify(String hostname, SSLSession session)


Remember! javax.net.ssl.SSLSocketFactory is an ABSTRACT class.
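The following is an added example, not code from the post or from the Apache HttpClient project, showing how the pieces above fit together in the HttpClient 4.x API the post refers to (SchemeRegistry, org.apache.http.conn.ssl.SSLSocketFactory, X509HostnameVerifier): a socket factory built on an explicit trust store, a hostname verifier that implements all four X509HostnameVerifier methods by delegating to the library's StrictHostnameVerifier and logging each decision, and the Scheme registration that makes the client use it for https. The class names, the trust store path and password, and the target URL are placeholders of mine.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;
import org.apache.http.util.EntityUtils;

/** HttpClient 4.x (pre-4.3 API) client with a custom SSLSocketFactory and hostname verifier. */
public class PinnedTrustStoreClient {

    /**
     * All four X509HostnameVerifier methods delegate to StrictHostnameVerifier
     * (RFC 2818-style matching, no wildcard leniency); the SSLSession variant
     * also logs the outcome so a mismatch is visible in logs rather than silent.
     */
    static final class AuditingHostnameVerifier implements X509HostnameVerifier {
        private final X509HostnameVerifier delegate = new StrictHostnameVerifier();

        @Override public boolean verify(String host, SSLSession session) {
            boolean ok = delegate.verify(host, session);
            System.err.println("hostname check for " + host + ": " + (ok ? "OK" : "MISMATCH"));
            return ok;
        }
        @Override public void verify(String host, SSLSocket ssl) throws IOException {
            delegate.verify(host, ssl);
        }
        @Override public void verify(String host, X509Certificate cert) throws SSLException {
            delegate.verify(host, cert);
        }
        @Override public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
            delegate.verify(host, cns, subjectAlts);
        }
    }

    /** Builds a client that trusts only the CAs in the given JKS trust store (one-way TLS). */
    public static DefaultHttpClient build(String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // SSLSocketFactory(KeyStore) uses the store as trust material only; no client key,
        // so this will not satisfy a channel that enforces client certificates.
        SSLSocketFactory sf = new SSLSocketFactory(trustStore);
        // Weak setting often seen in the wild, kept here only to show what NOT to do:
        //   sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        // It accepts any certificate the trust store chains to, for any host name.
        sf.setHostnameVerifier(new AuditingHostnameVerifier());

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", 443, sf));   // this is the Scheme the snippet above looks up
        return new DefaultHttpClient(new PoolingClientConnectionManager(registry));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder trust store and URL: replace with your own.
        DefaultHttpClient client = build("/path/to/truststore.jks", "changeit".toCharArray());
        try {
            HttpResponse resp = client.execute(new HttpGet("https://example.com/"));
            System.out.println(resp.getStatusLine());
            EntityUtils.consume(resp.getEntity());
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

Registering the Scheme is the step that actually wires the custom factory in: whatever verifier you set on an SSLSocketFactory has no effect until that factory is the one the SchemeRegistry returns for "https".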

For use within WebLogic, see http://docs.oracle.com/cd/E12839_01/core.1111/e10043/ohttps.htm#JISEC2046, but the property HTTPClient.defaultHostnameVerifier doesn't seem to work with Apache HTTPClient.

Another interface also exists: weblogic.security.SSL.HostnameVerifier.