wls-eng / arm-oraclelinux-wls

Microsoft Azure ARM Templates to create Oracle Linux VM with pre-installed Weblogic Server
Apache License 2.0

SSL enabled causes AAD failure #225

Closed galiacheng closed 3 years ago

galiacheng commented 3 years ago

Deploying the admin offer with custom SSL and AAD enabled, an error happened on the AAD LDAP server connection.


The LDAP authentication provider named "AzureActiveDirectoryProvider" failed to make a connection to LDAP server at ldaps://ldaps.wls-security.com:636, the error cause is: java.lang.RuntimeException: java.lang.IllegalStateException: TrustManagerFactoryImpl is not initialized

Root cause

The admin offer enables custom SSL configuration by asking the customer to input identity and trust key stores and configuring WebLogic Server with Custom Identity and Custom Trust.

Meanwhile, the AAD LDAP server public key is imported into the Java Standard Trust store in /u01/app/jdk/jdk1.8.0_271/jre/lib/security/cacerts.

We have to connect to AAD LDAP via SSL. As the AAD LDAP public key is not included in the custom trust store, WLS cannot find the certificate in the custom trust store.

To solve the issue, it's time to consider certificate management.

galiacheng commented 3 years ago

Hello @gnsuryan FYI, I believe the working custom SSL solution on the cluster and dynamic cluster offers also has this issue.

gnsuryan commented 3 years ago

Hi Galia @galiacheng ,

I was able to resolve the issue with AAD connectivity by importing the LDAP certificate into the WLS Custom SSL Trust (trust.jks or trust.pkcs12) file.

I have used the following command to import the LDAP certificate into the WLS trust key store.

keytool -noprompt -import -trustcacerts -keystore /u01/app/keystores/trust.jks -storepass mypassword -alias aadtrust -file /u01/app/AzureADTrust.cer

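The root cause described above (WebLogic configured with Custom Trust only consults the custom trust store, not the JDK cacerts file where the AAD LDAP certificate was imported) and the keytool fix in the previous comment can be checked from the WebLogic VM with a small diagnostic. The following Java program is an added example, not code from the arm-oraclelinux-wls offers or the linked pull request. It loads the trust store the way a Custom Trust configuration does, initialises a TrustManagerFactory with it, and attempts a TLS handshake to the LDAPS endpoint with LDAPS-style hostname verification; on failure it prints the keytool import command from this thread. The class name, the argument layout and the example host, path and password are assumptions made here for illustration.

```java
// LdapsTrustCheck.java: added diagnostic, not part of the arm-oraclelinux-wls offer.
// Verifies that an LDAPS endpoint chains to a certificate in a given trust store,
// ignoring the JDK cacerts file exactly as WebLogic Custom Trust does.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class LdapsTrustCheck {

    // Usage (hypothetical values):
    //   java LdapsTrustCheck ldaps.wls-security.com 636 /u01/app/keystores/trust.jks mypassword JKS
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LdapsTrustCheck <host> <port> <truststore> <storepass> <storetype>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String trustPath = args[2];

        // Load only the custom trust store; nothing from <JAVA_HOME>/jre/lib/security/cacerts is consulted.
        KeyStore trust = KeyStore.getInstance(args[4]);
        try (FileInputStream in = new FileInputStream(trustPath)) {
            trust.load(in, args[3].toCharArray());
        }

        // A TrustManagerFactory must be init()'ed with a KeyStore before use; skipping this
        // step is what produces "TrustManagerFactoryImpl is not initialized".
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Enable LDAPS hostname verification so a trusted CA issuing a certificate
            // for the wrong host is still rejected.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);
            socket.startHandshake();

            Certificate[] chain = socket.getSession().getPeerCertificates();
            System.out.println("OK: " + host + ":" + port + " validates against " + trustPath);
            for (Certificate c : chain) {
                System.out.println("  subject: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (SSLHandshakeException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.out.println("The server's issuing CA is not in " + trustPath + ". Import it, e.g.:");
            System.out.println("  keytool -noprompt -import -trustcacerts -keystore " + trustPath
                + " -storepass <storepass> -alias aadtrust -file /u01/app/AzureADTrust.cer");
            System.exit(1);
        }
    }
}
```

Run it once against the trust store WebLogic is actually configured with (the path given for Custom Trust in the admin console, not cacerts); a FAIL here reproduces the LDAP authentication provider error from this issue without restarting the domain, and an OK after the keytool import confirms the fix before the WLST configuration step is rerun.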

galiacheng commented 3 years ago

@gnsuryan Good news! Could you please create a PR to admin offer?

gnsuryan commented 3 years ago

Hi Galia @galiacheng ,

I have created Pull Request https://github.com/wls-eng/arm-oraclelinux-wls-admin/pull/82 containing the fix for this issue.

gnsuryan commented 3 years ago

Hi Galia @galiacheng , can you please check if the fix works and if so, close the issue? Thanks.

galiacheng commented 3 years ago

@gnsuryan thank you Guru, I will check and close this issue next Monday.

galiacheng commented 3 years ago

I have created a testing offer. Will test it when it's ready.

galiacheng commented 3 years ago

Verified.

galiacheng commented 3 years ago

@gnsuryan I am reopening this issue, as I found an issue when deploying aadLinkedTemplateWithCustomSSL in dynamic cluster.

Deployment error (the escaped JSON unwrapped for readability):

code: DeploymentFailed
message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
details[0].code: VMExtensionProvisioningError
details[0].message: VM has reported a failure when processing extension 'newuserscript'. Error message: "Enable failed: failed to execute command: command terminated with exit status=1

[stdout]
Cleaning up temporary files...
Cleanup completed.
check status of admin server
Check admin server status
start to configure Azure Active Directory
map LDAP host with pubilc IP
create key store
Importing AAD Certificate into WLS Custom Trust Key Store: 
configure ladp ssl

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://adminVM:7005 with userid weblogic ...
Successfully connected to Admin Server "admin" that belongs to domain "wlsd".

Warning: An insecure protocol was used to connect to the server. 
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Shutting down the cluster with name cluster1 ...
This Exception occurred at Tue Feb 09 04:05:37 UTC 2021.
javax.management.RuntimeOperationsException
Exception occurs during SSL configuration, please check.

[stderr]

Warning:
<verisignclass2g2ca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisigntsaca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<gtecybertrustglobalca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass3g2ca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<thawtepremiumserverca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
<verisignclass3ca [jdk]> uses a 1024-bit RSA key which is considered a security risk. This key size will be disabled in a future update.
Certificate was added to keystore
Certificate was added to keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /u01/domains/wlsd/keystores/trust.keystore -destkeystore /u01/domains/wlsd/keystores/trust.keystore -deststoretype pkcs12".
chown: missing operand after ‘oracle:oracle’
Try 'chown --help' for more information.
Problem invoking WLST - Traceback (innermost last):
 File "/configure-ssl.py", line 3, in ?
 File "<iostream>", line 1372, in shutdown
 File "<iostream>", line 553, in raiseWLSTException
WLSTException: Error occurred while performing shutdown : Error while shutting down the cluster 
Use dumpStack() to view the full stacktrace :

"

More information on troubleshooting is available at https://aka.ms/VMExtensionCSELinuxTroubleshoot

galiacheng commented 3 years ago

Closing this issue; I can deploy with SSL enabled using Guru's parameters.