Uncategorized

Attended session on Oracle SOA Suite 12c

Attended an Oracle SOA Suite 12c session by Oracle; some new features are enticing.

  • Now BAM is supported on multiple browsers. WOW!!
  • Cloud Adapters
  • Pre tuned database profiles
  • Self tuning thread model
  • Leverages work managers across SOA Suite, eliminating manual tuning for performance. Really??
  • Memory footprint reductions.

Will post some other new features ASAP..

Uncategorized

SSL Connection Errors in Weblogic

We encountered an SSL (cipher not initialized) error when the app tried to contact a third-party vendor. Below is the error we see.

java.security.InvalidKeyException: Illegal key size
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at com.certicom.tls.provider.Cipher.init(Unknown Source)
at com.certicom.tls.ciphersuite.SecurityParameters.createWriteCipher(Unknown Source)

Also saw

java.lang.IllegalStateException: Cipher not initialized

Solution:
Looks like the vendor has updated the certificate.
Please add -Dweblogic.security.SSL.nojce=true to your JVM arguments and restart the instances. By enabling this argument, WebLogic will use the FIPS PUB 140-2 crypto module when implementing SSL.
http://en.wikipedia.org/wiki/FIPS_140-2

Will I be safe if I use the above JVM argument? What exactly does the property -Dweblogic.security.SSL.nojce=true do? (from Oracle Doc ID 1299207.1)

The WLS built-in SSL implementation uses JCE providers to support its functionality. For example, it uses Signatures. It also has built-in implementations of some JCE functionality, so it can continue to work in the absence of a JCE provider (for example, if the JDK configuration doesn’t supply one). This flag also provides a hook to output some informational messages to the log file about what provider is being used.

When this SSL implementation was integrated into WLS, we wanted SSL to use the JCE providers configured on the system, rather than the built-in ones. So, without the weblogic.security.SSL.nojce flag (or with a value of false), the providers are loaded according to the JDK JCE configuration: this is the default.

But a flag value of true means to use the built-in provider functionality rather than going to the configured JCE providers. We have added functionality to the built-in SSL implementation to load jsafe functionality first; if it can’t load that (because jsafeFIPS.jar is not in the classpath), it will fall back to using the built-in functionality. For example, when the flag is true and jsafeFIPS.jar is present, it will load the RSA Signature from jsafe.

The weblogic.security.SSL.nojce flag only applies to the built-in SSL; it does not apply to JSSE. If an application or some other part of WLS wanted to use a JCE provider, it would be loaded as specified by the JDK JCE configuration, no matter what the weblogic.security.SSL.nojce value is.

Does the property -Dweblogic.security.SSL.nojce=true make my WebLogic server instance less secure?

No, not really. The SSL client sends its preference of cipher suites, and the SSL server (WLS) picks the strongest cipher suite it can support from that list. If you have placed jsafeFIPS.jar in the front of the classpath, that will be the provider used.
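The Oracle note above turns on two things a practitioner will want to see for themselves before touching the nojce flag: which JCE providers the JDK actually loads, and whether the JCE policy in force permits the key length the peer is now asking for. "InvalidKeyException: Illegal key size" is what the JDK throws when the configured policy does not permit the requested key length, so reproducing it deliberately is the quickest way to tell a policy problem from a certificate problem. The class below is an added diagnostic written for this page; it is not code from the original post, from Oracle, or from WebLogic. The class name JceCheck and the all-zero test key are my own constructed choices; the APIs (Security.getProviders, Cipher.getMaxAllowedKeyLength, Cipher.getProvider) are standard JDK calls.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (not from the page): shows the JCE state a WebLogic SSL failure depends on. */
public class JceCheck {

    /** Strongest AES key length (bits) the active JCE policy permits; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /**
     * Tries to initialise an AES-256 cipher. Returns null on success, otherwise the
     * exception name and message. On a JDK whose policy caps AES at 128 bits this
     * returns the same InvalidKeyException ("Illegal key size") shown in the stack trace above.
     */
    static String tryAes256() {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // Constructed all-zero 32-byte key: a test value for the policy check only, never a real key.
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return null;
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    /** Name of the provider the JDK selected for AES, i.e. the one "loaded according to the JDK JCE configuration". */
    static String aesProvider() throws GeneralSecurityException {
        return Cipher.getInstance("AES").getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Configured JCE providers, in precedence order:");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-20s %s%n", p.getName(), p.getInfo());
        }
        System.out.println("Provider backing AES: " + aesProvider());

        int max = maxAesKeyBits();
        System.out.println("Max AES key length permitted by policy: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        String failure = tryAes256();
        System.out.println(failure == null ? "AES-256 init OK" : "AES-256 init failed -> " + failure);
    }
}
```

Run it with the same JDK (and the same classpath, including any jsafeFIPS.jar placed in front) that the WebLogic instance starts with; a different JDK on the PATH gives a different and misleading answer. If the provider list and the permitted key length look right here but the server still fails, the problem is in the built-in SSL path that the nojce flag controls rather than in the JDK JCE configuration.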

Uncategorized

SSL Basics

SSL and its Basics

Secure Sockets Layer is a protocol for communicating securely over the internet. SSL encrypts the data between a server and a client. If you are using a non-secure site, an attacker can easily intercept the data between your browser and the web server, so make sure you are using an https (SSL) site, especially when you are doing online transactions.

SSL Certificate
To make the connection between your browser and the server secure you need an SSL certificate. These certificates contain information about the site's identity (the owner and the trusted authority that issued it) and are tied to a key pair (a public key and a private key). The public key is used to encrypt data and the private key to decrypt it. The private key is never shared with anyone.

How it works

1. You open an https site (https://www.amazon.com) in your browser.
2. The browser contacts the web server (Amazon's server) and asks it to identify itself.
3. The web server sends a copy of its SSL certificate, which carries its public key.
4. The browser has a list of trusted certificate authorities and checks that the certificate it received is signed by one of those CAs. It also validates the expiration date and the DNS name.
5. Once validation passes and the browser trusts the certificate, it generates a symmetric session key, encrypts it with the server's public key and sends it to the server.
6. The web server decrypts the symmetric session key with its private key.
7. The web server replies to the browser to start the encrypted session.
8. From now on your browser and the web server encrypt all of your data over the internet with that session key.
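The key-transport part of the walkthrough (steps 3, 5, 6 and 8) can be reproduced end to end with nothing but the JDK: the server holds an RSA key pair, the browser picks a fresh AES session key and wraps it with the server's public key, only the private key can unwrap it, and the wrapped key then protects the application data. The class below is an added example written for this page, not code from the original post or from any browser or server; the class name SslBasicsDemo, the sample request string and the choice of RSA-OAEP plus AES-GCM are my own assumptions. It also shows the step the walkthrough only implies: a party holding a different private key cannot recover the session key.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (not from the page): RSA key transport of an AES session key, as in steps 3-8 above. */
public class SslBasicsDemo {
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES_GCM = "AES/GCM/NoPadding";
    static final int GCM_TAG_BITS = 128;
    static final int GCM_IV_BYTES = 12;
    static final SecureRandom RNG = new SecureRandom();

    /** Step 3: the server owns a key pair; only the public half travels inside the certificate. */
    static KeyPair serverKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Step 5: the browser wraps its freshly generated session key with the server's public key. */
    static byte[] wrapSessionKey(SecretKey session, PublicKey serverPub) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, serverPub);
        return rsa.wrap(session);
    }

    /** Step 6: only the holder of the matching private key can unwrap the session key. */
    static SecretKey unwrapSessionKey(byte[] wrapped, PrivateKey serverPriv) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, serverPriv);
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    /** Step 8: application data is protected with the shared symmetric key; the random IV is prepended. */
    static byte[] encryptRecord(SecretKey session, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = aes.doFinal(plaintext);
        byte[] record = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, record, 0, iv.length);
        System.arraycopy(ct, 0, record, iv.length, ct.length);
        return record;
    }

    /** Reverse of encryptRecord; GCM also rejects any record that was tampered with in transit. */
    static byte[] decryptRecord(SecretKey session, byte[] record) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, record, 0, GCM_IV_BYTES));
        return aes.doFinal(record, GCM_IV_BYTES, record.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyPair server = serverKeyPair();                              // step 3
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                                                  // 128 bits works under any JCE policy
        SecretKey browserSession = kg.generateKey();                   // step 5: browser picks the session key

        byte[] wrapped = wrapSessionKey(browserSession, server.getPublic());
        SecretKey serverSession = unwrapSessionKey(wrapped, server.getPrivate());   // step 6

        // Constructed sample request; in a real session this would be the browser's HTTP request.
        byte[] request = "GET /orders HTTP/1.1".getBytes(StandardCharsets.UTF_8);
        byte[] record = encryptRecord(browserSession, request);                      // step 8
        String seenByServer = new String(decryptRecord(serverSession, record), StandardCharsets.UTF_8);
        System.out.println("server decrypted: " + seenByServer);

        // Why the private key is never shared: a different key pair cannot unwrap the session key.
        KeyPair someoneElse = serverKeyPair();
        try {
            unwrapSessionKey(wrapped, someoneElse.getPrivate());
            System.out.println("unexpected: unwrap succeeded with the wrong private key");
        } catch (GeneralSecurityException e) {
            System.out.println("wrong private key cannot recover the session key: " + e.getClass().getSimpleName());
        }
    }
}
```

The walkthrough describes RSA key transport, which is what SSL and early TLS used; current TLS versions derive the session key with an ephemeral Diffie-Hellman exchange instead, so that a leaked server private key does not expose recorded sessions. Steps 4 (chain, expiry and hostname validation) are deliberately not modelled here; in Java that work is done by the platform TrustManager when you use javax.net.ssl, not by code like the above.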

There is a lot more to know about SSL.

Uncategorized

IP Address Not Pingable in Oracle Traffic Director

Today we saw a weird issue where, in a clustered OTD environment (IP1 and IP2), IP2 is not pingable, but IP2 shows as listening on the server and we were able to start the server with no issues; the OTD server logs show it started and is listening at IP2:80. IP1 is pingable.

ping -t IP2 ( fails )
netstat -na | grep IP2 ( shows IP2 is listening on port 80 )
telnet IP2 80 ( fails )
Look below if you are having the same issue

Solution: After much digging we came to the conclusion that when we configured the OTD instances on both servers we used the same Route ID (0-255). Once we changed the Route ID to a unique value, the IP was pingable and available for services.

Remember to use a unique Route ID for each http-listener in OTD. Best practice is to use the last octet of the IP address as the Route ID while configuring instances.