Self-signed certificates are meant to secure the communication between servers and WebLogic Server components, such as Node Manager, inside an already secure network.
Below are the steps for creating and using self-signed certificates in WebLogic Server.
This sample uses the following locations and passwords:


Certificates will be located at: /home/Desktop/csr
Keypass=privatepassword
Storepass=password
Generate the certificate for the machine on which the remote Node Manager runs.
I. GENERATING THE CERTIFICATE
  1. Create a Directory. For example:
    mkdir /home/Desktop/csr
  2. Get into the directory. For example:
    cd /home/Desktop/csr
  3. Run the following keytool command:
    $ keytool -genkey -alias selfsignedcert -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365
    Expected output:
    What is your first and last name?
    [Unknown]: denny.cl.oracle.com => Machine name
    What is the name of your organizational unit?
    [Unknown]: Support => Organizational Unit
    What is the name of your organization?
    [Unknown]: Oracle => Organization
    What is the name of your City or Locality?
    [Unknown]: Santiago => City
    What is the name of your State or Province?
    [Unknown]: Huechuraba => State
    What is the two-letter country code for this unit?
    [Unknown]: CL => Country code
    Is CN=denny.cl.oracle.com, OU=Support, O=Oracle, L=Santiago, ST=Huechuraba, C=CL correct?
    [no]: yes
  4. Export the certificate from the identity keystore into a file, for example root.cer:
    $ keytool -export -alias selfsignedcert -file root.cer -keystore identity.jks
    Expected Output:
    Enter keystore password: <password>
    Certificate stored in file <root.cer>
  5. Import the certificate you exported into trust.jks.
    $ keytool -import -alias selfsignedcert -trustcacerts -file root.cer -keystore trust.jks
    Expected Output:
    Enter keystore password:
    Re-enter new password:
    Owner: CN=denny.cl.oracle.com, OU=Support, O=Oracle, L=Santiago, ST=Huechuraba, C=CL
    Issuer: CN=denny.cl.oracle.com, OU=Support, O=Oracle, L=Santiago, ST=Huechuraba, C=CL
    Serial number: 4e1b67e3
    Valid from: Mon Jul 11 17:15:15 CLT 2011 until: Tue Jul 10 17:15:15 CLT 2012
    Certificate fingerprints:
    MD5: 74:EC:1E:90:05:EC:E6:49:62:52:B9:72:20:BF:30:3F
    SHA1: 5C:6E:80:94:9C:72:15:DC:F7:5F:49:DD:2F:2B:D2:49:7C:4C:0C:A0
    Signature algorithm name: SHA1withRSA
    Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore

Repeat these steps on each machine that has a Node Manager.
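The script below is an added example and is not part of the original post. It runs the keytool steps of section I non-interactively (the -dname option answers the prompts shown above) and then checks that trust.jks holds the same certificate that was exported from identity.jks, by comparing the fingerprint keytool reports for the alias in each store. It assumes keytool is on the PATH and that the two passwords arrive through the STOREPASS and KEYPASS environment variables rather than on the command line, where they would end up in shell history and in ps output; the target directory and host name are arguments, the DN suffix defaults to the sample values from the post, and the function names are chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# section I keytool steps, plus a check that trust.jks holds the certificate
# exported from identity.jks. Assumes keytool on PATH and the passwords in the
# STOREPASS and KEYPASS environment variables.
set -eu

ALIAS=selfsignedcert
# DN suffix taken from the sample in the post; override with DN_SUFFIX=... if needed
DN_SUFFIX=${DN_SUFFIX:-OU=Support,O=Oracle,L=Santiago,ST=Huechuraba,C=CL}

make_nm_keystores() {   # dir hostname
    dir=$1; cn=$2
    : "${STOREPASS:?set STOREPASS in the environment}"
    : "${KEYPASS:?set KEYPASS in the environment}"
    mkdir -p "$dir"
    # Steps 1-3: key pair and self-signed certificate in the identity keystore
    # (SHA-256 signature instead of the SHA-1 shown in the post's output).
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "CN=$cn,$DN_SUFFIX" \
        -keystore "$dir/identity.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$KEYPASS"
    # Step 4: export the certificate (DER) to root.cer.
    keytool -exportcert -alias "$ALIAS" -file "$dir/root.cer" \
        -keystore "$dir/identity.jks" -storepass "$STOREPASS"
    # Step 5: import it into the trust keystore; -noprompt replaces the yes/no question.
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$dir/root.cer" \
        -keystore "$dir/trust.jks" -storetype JKS -storepass "$STOREPASS"
}

fingerprint_of() {   # keystore alias -> the fingerprint line(s) keytool prints for that entry
    keytool -list -alias "$2" -keystore "$1" -storepass "$STOREPASS" | grep -i fingerprint || true
}

verify_nm_keystores() {   # dir -> 0 when identity.jks and trust.jks carry the same certificate
    id_fp=$(fingerprint_of "$1/identity.jks" "$ALIAS")
    tr_fp=$(fingerprint_of "$1/trust.jks" "$ALIAS")
    [ -n "$id_fp" ] && [ "$id_fp" = "$tr_fp" ]
}

# Usage: STOREPASS=password KEYPASS=privatepassword sh make_keystores.sh /home/Desktop/csr host.example.com
if [ $# -eq 2 ]; then
    make_nm_keystores "$1" "$2"
    verify_nm_keystores "$1" && echo "trust.jks holds the certificate from identity.jks"
fi
```

Run it once per Node Manager machine with that machine's fully qualified host name as the CN, which is the name hostname verification (section V) will later compare against.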
II. CONFIGURING IN WEBLOGIC
  1. Log into the WLS Administration Console.
  2. Go to Environment -> Domain -> Servers -> Server_Name_Where_The_Certs_Will_Be_Configured.
  3. Go to the Keystores tab and click Change.
  4. Select Custom Identity and Custom Trust.
  5. Fill in the fields with the following information:

    Custom Identity Keystore: /home/Desktop/csr/identity.jks
    Custom Identity Keystore Type: jks
    Custom Identity Keystore Passphrase: password
    Confirm Custom Identity Keystore Passphrase: password
    Custom Trust Keystore: /home/Desktop/csr/trust.jks
    Custom Trust Keystore Type: jks
    Custom Trust Keystore Passphrase: password
    Confirm Custom Trust Keystore Passphrase: password
  6. Save configuration and click on activate changes if necessary.
  7. On the SSL tab, fill in the fields with the following information:

    Private Key Alias: selfsignedcert
    Private Key Passphrase: privatepassword
    Confirm Private Key Passphrase: privatepassword
III. CONFIGURING NODE MANAGER
Modify nodemanager.properties and insert the following lines at the end:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/home/Desktop/csr/identity.jks
CustomIdentityAlias=selfsignedcert
CustomTrustKeyStoreFileName=/home/Desktop/csr/trust.jks
CustomIdentityPrivateKeyPassPhrase=privatepassword
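Node Manager reads nodemanager.properties when it starts, so a mistake in the five lines above only shows up on the next restart. The script below is an added example, not part of the original post: it reads the properties file, confirms that KeyStores is CustomIdentityAndCustomTrust, that the four custom-keystore properties are set, that both keystore paths are readable files, and that each file actually starts with the JKS magic number (a common slip is pointing CustomTrustKeyStoreFileName at root.cer instead of trust.jks). The properties file path is the only argument; nm_prop, is_jks and check_nm_ssl_config are names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the section III
# Node Manager SSL settings before restarting Node Manager. Assumes a
# key=value nodemanager.properties and keystore paths reachable from this host.

nm_prop() {   # file key -> value of the last "key=value" line, CR and trailing blanks stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

is_jks() {   # file -> 0 when it starts with the JKS magic number 0xFEEDFEED
    [ "$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')" = "feedfeed" ]
}

check_nm_ssl_config() {   # properties-file -> 0 when the SSL configuration is complete and consistent
    f=$1; rc=0
    ks=$(nm_prop "$f" KeyStores)
    if [ "$ks" != "CustomIdentityAndCustomTrust" ]; then
        echo "KeyStores is '$ks', expected CustomIdentityAndCustomTrust" >&2; rc=1
    fi
    for key in CustomIdentityKeyStoreFileName CustomIdentityAlias \
               CustomTrustKeyStoreFileName CustomIdentityPrivateKeyPassPhrase; do
        if [ -z "$(nm_prop "$f" "$key")" ]; then
            echo "missing $key" >&2; rc=1
        fi
    done
    for key in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
        path=$(nm_prop "$f" "$key")
        if [ -n "$path" ]; then
            if [ ! -f "$path" ] || [ ! -r "$path" ]; then
                echo "$key: $path is not a readable file" >&2; rc=1
            elif ! is_jks "$path"; then
                # catches e.g. pointing the trust store property at root.cer instead of trust.jks
                echo "$key: $path is not a JKS keystore" >&2; rc=1
            fi
        fi
    done
    return $rc
}

# Usage: sh check_nm.sh /path/to/nodemanager.properties
if [ $# -eq 1 ]; then
    check_nm_ssl_config "$1" && echo "nodemanager.properties SSL settings look complete"
fi
```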



NOTE:
Starting a server through Node Manager may fail with a security exception (for example a BAD CERTIFICATE error). If this happens, configure Node Manager to use SSL instead of a plain connection:
- Environment > Machines
- Select the machine to configure
- Go to Configuration > Node Manager and set the type to SSL

IV. IMPORTING THE SELF-SIGNED ROOT CERTIFICATE INTO THE JVM TRUST STORE

For the JVM to trust your newly created certificate, you need to make it aware of that certificate. To do so, import the root certificate exported in section I (root.cer) into the JVM trust store (cacerts), following the steps below:
1. Make sure that JAVA_HOME is already set.
2. Run the following command. On a JDK up to Java 8, cacerts is $JAVA_HOME/jre/lib/security/cacerts; when JAVA_HOME points to a JRE, or on Java 9 and later, it is $JAVA_HOME/lib/security/cacerts. The default cacerts password is changeit.
$ keytool -import -trustcacerts -file root.cer -alias selfsignedcert -keystore "$JAVA_HOME/jre/lib/security/cacerts"



V. DISABLING HOSTNAME VERIFICATION
NOTE: Disabling hostname verification is not recommended in production environments. It is only recommended for testing purposes. Hostname verification helps to prevent man-in-the-middle attacks.

The hostname verification ensures that the hostname in the URL to which the client connects matches the hostname in the digital certificate that the server sends back as part of the SSL connection.
To disable hostname verification for testing purposes, follow these steps:
  1. Go to Environment -> Domain -> Servers -> Server_Name_Where_The_Certs_Will_Be_Configured.
  2. Click on the SSL tab.
  3. Click on Advanced.
  4. On Hostname Verification, select NONE.
  5. Save and activate changes.
  6. In the Node Manager startup script, look for the lines that invoke "${JAVA_HOME}/bin/java" and add the option -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false to each of them. After this change, the relevant part of the script should look like this:
    cd "${NODEMGR_HOME}"
    set -x
    if [ "$LISTEN_PORT" != "" ]
    then
      if [ "$LISTEN_ADDRESS" != "" ]
      then
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
      else
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
      fi
    else
      if [ "$LISTEN_ADDRESS" != "" ]
      then
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" weblogic.NodeManager -v
      else
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" weblogic.NodeManager -v
      fi
    fi
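Hostname verification fails when the name used to reach Node Manager (its listen address) is not among the names the certificate carries for the host, that is the subject CN and any dNSName subject alternative names. Before turning verification off, it is worth confirming that this is really the cause. The script below is an added example, not part of the original post: it runs keytool -list -v on the identity keystore, collects the CN and any DNSName entries, and compares them case-insensitively with the listen address. A match means verification can stay enabled; a mismatch means the certificate should be regenerated with the right name (section I) instead of disabling the check. It assumes keytool on the PATH and STOREPASS in the environment; cert_hostnames and hostname_matches_cert are names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original post): check whether the identity
# certificate names the address Node Manager listens on, which is what
# hostname verification compares. Assumes keytool on PATH and STOREPASS set.

cert_hostnames() {   # keystore alias -> subject CN and any dNSName SANs, lowercased, one per line
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$STOREPASS" \
      | sed -n -e 's/^Owner:.*CN=\([^,]*\).*/\1/p' \
               -e 's/^[[:space:]]*DNSName:[[:space:]]*//p' \
      | tr '[:upper:]' '[:lower:]' | sort -u
}

hostname_matches_cert() {   # keystore alias listen_address -> 0 when the certificate names that address
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    cert_hostnames "$1" "$2" | grep -qxF "$want"
}

# Usage: STOREPASS=password sh check_cn.sh /home/Desktop/csr/identity.jks selfsignedcert "$LISTEN_ADDRESS"
if [ $# -eq 3 ]; then
    if hostname_matches_cert "$1" "$2" "$3"; then
        echo "certificate in $1 names $3: hostname verification can stay enabled"
    else
        echo "certificate in $1 does not name $3; names found:" >&2
        cert_hostnames "$1" "$2" >&2
        exit 1
    fi
fi
```

If the names differ only by a domain suffix (machine short name versus fully qualified name), the cleanest fix is to regenerate the certificate with the CN that the Administration Server actually uses to reach the machine, so that the -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false option above is never needed.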
