Oracle WebLogic Server: How to Configure SSL on Oracle WebLogic Server with Custom Identity and Java Standard Trust
Create the Identity and Trust Keystores
To create the Identity and Trust Keystores, please follow these steps:- Create a keystore and a private key using the genkeypair (or genkey) command. It will generate a private and public key pair:
keytool -genkeypair -alias server_cert -keyalg RSA -keysize 1024 -dname "CN=Prakash, OU=GTI, O=JPMC, L=Bangalore, ST=Karnataka,C=IN " -keypass weblogic1234 -keystore server_keystore.jks -storepass weblogic1234In the above command CN (COMMON NAME) we can provide a domain name/DNS Name/machine name or any other name. Usually in the real production systems where we implement our own keystores, CN should match with your Domain name.
- Create the CSR using the following command:
keytool -certreq -v -alias server_cert -file csr-for-myserver.pem -keypass weblogic1234 -storepass weblogic1234 -keystore server_keystore.jksThis creates a file called csr-for-myserver.pem . This gets sent to a Certificate Authority (CA) to have a public certificate created. - Import the intermediate and root certificates into your keystore:
keytool -import -v -noprompt -trustcacerts -alias ca-root-cert -file rootcacert.cer -keystore server_keystore.jks -storepass weblogic1234 - Import the public certificate into the keystore using the private key alias.NOTE: In the email that your CA will send to you, there should be 2 links to their website, one to download the root CA and another one for the intermediate CA if any. You will have to go to their website and download them. Another way to obtain them is to double-click on the certificate file and then go to the Certification Path tab. The first cert in the list is the root CA and the second one is the intermediate CA if any. If you highlight the root CA and then click on View Certificate, it will open up the Root CA certificate. Then you can go to the Details tab and click onThen do the actual import of the certificate:
. Select Base 64 as the format and save the file. Repeat the same steps to copy the intermediate CA to a file.
Once you have the 3 files (root CA, intermediate and certificate), if you have an intermediate CA, edit it and do a
-------BEGIN CERTIFICATE---------The reason you have to do this is so you can import the intermediate along with the certificate to avoid having to import the intermediate to all of the users' browsers.
dfsfsdfdf
sfsdfwehdfhdf <---------certificate
dgdfgfgfdg
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
hghjgfjgj
sfsdfwejjhdfhdf <---------intermediate
dgdfgiuiyuiuiyufgfdg
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
dfsfsmbvmvbmdfdf
sfsdetetrtyrfwehdfhdf <---------root CA
dgdfgnbnbvnvbfgfdg
--------END CERTIFICATE-----------
keytool -import -v -alias server_cert -file mycert.pem -keystore server_keystore.jks -keypass weblogic1234 -storepass weblogic1234NOTE: The -file argument is the name of the file that you created when you copied the certificate from the e-mail.The public certificate is always imported using the private key alias. THIS IS A VERY COMMON MISTAKE! - To confirm your keystore is created correctly, you can look at the keystore using the following command:
keytool -list -v -keystore server_keystore.jks -storepass weblogic1234This lists the contents of your keystore.
Configure the keystore in WebLogic Server
Four different types of keystores are available in WebLogic Server:- Demo Identity and Demo Trust
- Custom Identity and Java Standard Trust
- Custom Identity and Custom Trust
- Custom Identity and Command Line Trust
- Now login to WebLogic Server to configure these certificates.
- In the left pane of the Console, expand Environment and select Servers.
- Click the name of the server for which you want to configure the identity and trust keystores.
- Check SSL Listen Port Enabled and if necessary set the value for SSL Listen Port <default 7002>
- Select Configuration -> Keystores. Choose the Custom Identity and Java Standard Trust and fill in the below attributes:
- Custom Identity Keystore: The fully qualified path to the identity keystore (e.g., path/server_keystore.jks).
- Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS.
- Custom Identity Keystore Passphrase: The password you will enter when reading or writing to the keystore (e.g., weblogic1234).
- In the Trust section, as we are using Java Standard Trust as our keystore, specify the password defined when creating the keystore. Confirm the password. For example:
- Navigate to Home ->Summary of Servers ->AdminServer -> SSL
- Identity and Trust Locations: Keystores
- Private Key Alias: alias (The alias of the private key: in our case it is server_cert)
- Private Key Passphrase: weblogic1234
- Confirm Private Key Passphrase: weblogic1234
- Click SAVE
- Now restart the server and try to access the Admin console on the HTTPS port:https://<server name>:<server port>/console. If you are able to access the console, that means you have successfully enabled SSL with the Keystore type as Custom Identity and Java Standard Trust.
keytool -alias <alias_name> -import -file rootcacert.cer -keystore trustkeystore.jks -storepass <Password>
0 Comments