Saturday, February 18, 2017

OPSS: syncKeyStores

Applies to Weblogic 12c

The OPSS Keystore Service (in Weblogic 12c) is meant to provide a single location for keystores and truststores for all applications running within the Weblogic domain. This gives administrators an easier way to generate, sign, and manage their certificates, and these actions can also be managed and automated through WLST. The only prerequisite for using the OPSS service is that the JRF templates have been applied to your domain.

Recently I came across a new command, 'syncKeyStores', which allows you to synchronize keystores from the OPSS security store to the local repository. This synchronization is a one-way procedure, in which key data is read from the central security store and synchronized into the local file keystore.

Why Synchronize:

All Oracle Fusion Middleware components keep keys and certificates in a central security store. However, because certain infrastructure components must be started before the security store is available, some components use a local file keystore instance instead.

When to Synchronize the Keystores:

  • If the keystore (or truststore) being updated belongs to WebLogic Server, call the synchronization command for WebLogic Server.
  • There is no need to synchronize the keystores if the application accesses its key material from the central OPSS security store directly.

Steps to Synchronize the Keystores:

We can perform this activity in 3 different ways.

Option 1: Reboot Weblogic domain

Option 2: via WLST command line:

Start WLST from the domain, connect to the Admin Server and execute the command below.

Syntax: syncKeyStores(appStripe='<application_stripe>', keystoreFormat='exported_file_format')

Example: syncKeyStores(appStripe='system', keystoreFormat='KSS')

This command accesses the 'system' stripe in the central security store and downloads its contents into a file named keystores.xml in 'DOMAIN_HOME/config/fmwconfig' on the local system.

Option 3: via Enterprise Manager:

  • In FMW Control, go to Weblogic Domain > System MBean Browser and search for the operation 'syncKeyStores'.
  • In the search results, click the 'syncKeyStores' link (the operation takes two parameters).
  • For p1, enter 'system'; for p2, enter 'KSS'.
  • Click the 'Invoke' button.

Thursday, February 16, 2017

OHS: Host Header Injection

Recently we identified an issue with one of our application URLs. The issue is that the URL is vulnerable to Host Header Injection, i.e. by supplying a malicious Host header, it is possible to modify the links generated in the application or in any other components (mail etc.).

For example, if your application URL is '', an attacker can alter the Host header in the client request to ''.

Fix: To avoid this, add the RewriteCond and RewriteRule directives inside the VirtualHost as shown below, so that any request whose Host header does not match the target domain is rejected.

<VirtualHost *:7004>
    RewriteEngine on
    RewriteOptions inherit
    # Forbid (403) any request whose Host header is not this application's own host name.
    # YOUR.APP.HOST is a placeholder: the host value from the original post did not survive.
    # The optional (:7004)? allows clients that send the port in the Host header; [NC] ignores case.
    RewriteCond %{HTTP_HOST} !^YOUR\.APP\.HOST(:7004)?$ [NC]
    RewriteRule ^(.*)$ - [F,L]
</VirtualHost>
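As an added check that is not part of the original post, the Python script below starts a tiny loopback HTTP server that applies the allow-list the post's RewriteCond is meant to express (exact application host, optional :7004, case-insensitive) and then probes it with legitimate and foreign Host headers, showing that only the foreign ones receive 403. The host name app.example.test is a constructed placeholder, not a value from the post.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOST = "app.example.test"  # constructed placeholder for the real application host
LISTEN_PORT = 7004                  # the port from the post's VirtualHost

# Same test as: RewriteCond %{HTTP_HOST} !^app\.example\.test(:7004)?$ [NC]
HOST_RE = re.compile(r"^%s(:%d)?$" % (re.escape(ALLOWED_HOST), LISTEN_PORT), re.IGNORECASE)

def host_allowed(host_header):
    """True only when the Host header names exactly this application (optionally with its port)."""
    return bool(host_header) and HOST_RE.match(host_header.strip()) is not None

class Handler(BaseHTTPRequestHandler):
    """Stand-in for the protected virtual host: unknown Host -> 403, like the RewriteRule."""

    def do_GET(self):
        self.send_response(200 if host_allowed(self.headers.get("Host")) else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet

def probe(port, host_header):
    """Send GET / with an explicit Host header and return the HTTP status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status

def run_checks():
    """Serve on an ephemeral loopback port and probe it; returns {host_header: status}."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        hosts = [ALLOWED_HOST, "%s:%d" % (ALLOWED_HOST.upper(), LISTEN_PORT),
                 "evil.example", ALLOWED_HOST + ".evil.example"]
        return {h: probe(server.server_address[1], h) for h in hosts}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for host, status in run_checks().items():
        print("Host: %-40s -> %d" % (host, status))
```

Point probe() at the real OHS port instead of the local stand-in to verify the deployed rule; a 403 for the foreign hosts and 200 for the legitimate ones (with and without the port) confirms the condition is anchored and negated correctly.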