Overview
* Preferred formats:
– PEM
– JKS
Demo Key Stores
DemoIdentity.jks
* Contains a demo private key
* Located: $WL_HOME/weblogic/wlserver_10.3/server/lib/DemoIdentity.jks
* Key store password: DemoIdentityKeyStorePassPhrase
* Private key password: DemoIdentityPassPhrase
# List demoidentity key
$JAVA_HOME/bin/keytool -list -v -alias demoidentity -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
# Export demoidentity cert
$JAVA_HOME/bin/keytool -export -keystore DemoIdentity.jks -alias demoidentity -file demoidentity.der -storepass DemoIdentityKeyStorePassPhrase
DemoTrust.jks
* Contains a list of trusted CAs
* Located: $WL_HOME/server/lib/DemoTrust.jks
* Trust store password: DemoTrustKeyStorePassPhrase
$JAVA_HOME/bin/keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
Configure SSL for wlbox
* Keys are generated in wlbox1 machine
* wlbox1 is also used as CA box
Generate Private Key Pair
# Prepare directories to hold identity
cd ~/
mkdir identity
cd identity
mkdir wlbox
cd wlbox
# Generate private key. Use -validity to specify validity in days, which defaults to 90 days
$JAVA_HOME/bin/keytool -genkey -alias wlbox -keyalg RSA -sigalg SHA1withRSA -keystore wlbox.keystore -storepass secret -keypass secret -dname "CN=wlbox, emailAddress=jd@tmprealm.com, OU=tmpRealm, O=tmpOrg, L=Reston, S=VA, C=US"
# Generate CSR
$JAVA_HOME/bin/keytool -certreq -alias wlbox -sigalg SHA1withRSA -file wlbox.csr -keystore wlbox.keystore -storepass secret
# Inspect keys
$JAVA_HOME/bin/keytool -list -v -alias wlbox -keystore wlbox.keystore
Sign CSR
# Go to exampleca directory
cd ~/exampleca
# Copy csr to ca
cp ~/identity/wlbox/wlbox.csr csr
# Sign csr. Use -days to specify the number of days to certify the certificate for. Defaults to 360 days.
openssl ca -in csr/wlbox.csr
# Rename cert to meaningful name
cd certs
mv 02.pem wlbox.pem
Import Signed Certificate
* Commands:
cd ~/identity/wlbox
# Copy certs
cp ~/exampleca/cacert.pem .
cp ~/exampleca/certs/wlbox.pem .
# Remove from wlbox.pem all text except the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
vi wlbox.pem
# Import CA cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox.keystore -alias cacert -storepass secret -file cacert.pem
# Import wlbox cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox.keystore -alias wlbox -storepass secret -file wlbox.pem
# List keystore
$JAVA_HOME/bin/keytool -list -v -alias wlbox -keystore wlbox.keystore
Create Trust Key Store
* Commands:
# Copy Java cacerts
cp $JAVA_HOME/jre/lib/security/cacerts ./wlbox.truststore
# Import CA cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox.truststore -alias cacert -storepass changeit -file cacert.pem
# Import wlbox cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox.truststore -alias wlbox -storepass changeit -file wlbox.pem
# List keystore
$JAVA_HOME/bin/keytool -list -v -alias wlbox -keystore wlbox.truststore
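The cleanup, chain check and keytool imports from the command blocks above, as an added shell example that is not part of the original post (it covers the identical wlbox1 steps and the later cross-trust imports too); it assumes JAVA_HOME is set and openssl is on PATH, and the demo input file is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: replaces the manual "vi wlbox.pem" step
# with sed, checks the chain with openssl before importing, and wraps the keytool
# imports used for the identity store, trust store and cross-trust steps.
set -e

# Keep only the PEM certificate block(s) from a file written by "openssl ca", which
# prefixes the certificate with a text dump that some keytool versions reject.
strip_to_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Count PEM certificates in a file (prints 0 for none instead of failing).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Check that the signed server cert chains to the example CA before it is imported;
# a failure here means the import would produce an identity WebLogic cannot present.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Import the CA cert, then the server cert, so keytool can complete the chain.
# Uses the aliases and passwords from this page; -noprompt answers the trust question.
import_pair() {
    store="$1"; storepass="$2"; alias="$3"; ca_pem="$4"; server_pem="$5"
    "$JAVA_HOME/bin/keytool" -import -noprompt -keystore "$store" -alias cacert \
        -storepass "$storepass" -file "$ca_pem"
    "$JAVA_HOME/bin/keytool" -import -noprompt -keystore "$store" -alias "$alias" \
        -storepass "$storepass" -file "$server_pem"
}

# Stand-alone demo on a constructed file (not a real certificate):
work=$(mktemp -d)
printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
    'MIIBconstructedBase64NotARealCertificate' '-----END CERTIFICATE-----' > "$work/raw.pem"
strip_to_pem "$work/raw.pem" > "$work/wlbox.pem"
echo "certificates in cleaned file: $(count_pem_certs "$work/wlbox.pem")"
rm -rf "$work"
# Real use, after "openssl ca" has signed wlbox.csr:
#   strip_to_pem ~/exampleca/certs/wlbox.pem > wlbox.pem
#   verify_chain cacert.pem wlbox.pem
#   import_pair wlbox.keystore secret wlbox cacert.pem wlbox.pem
#   import_pair wlbox.truststore changeit wlbox cacert.pem wlbox.pem
```

For the cross-trust step, call import_pair against the other server's trust store with that server's alias and PEM file.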
Setup Identity and Trust Stores for WebLogic
* Copy wlbox.keystore and wlbox.truststore to wlbox
mkdir ~/identity
# Copy wlbox.keystore and wlbox.truststore to the identity directory
* Go to domain > Environment > Servers > examplesServer > Configuration > Keystores
* Click Lock & Edit and Change
* Select Custom Identity and Custom Trust and click Save
* Enter:
Identity:
– Custom Identity Keystore: /home/oracle/identity/wlbox.keystore
– Custom Identity Keystore Type: jks
– Custom Identity Keystore Passphrase: secret
Trust:
– Custom Trust Keystore: /home/oracle/identity/wlbox.truststore
– Custom Trust Keystore Type: jks
– Custom Trust Keystore Passphrase: changeit
* Click Save
Setup SSL
* Go to domain > Environment > Servers > examplesServer > Configuration > SSL
* Click Lock & Edit and Change
* Enter:
– Private Key Location: # leave blank
– Private Key Alias: wlbox
– Private Key Passphrase: secret
Turn on SSL Listen Port
* Go to domain > Environment > Servers > examplesServer > Configuration > General
* Click Lock & Edit
* Check SSL Listen Port Enabled
* Click Save
* Click Activate Changes
* Restart WLS
Configure SSL for wlbox1 Machine
* This is identical to the wlbox machine.
Generate Private Key Pair
# Prepare directories to hold identity
cd ~/
mkdir identity
cd identity
mkdir wlbox1
cd wlbox1
# Generate private key. Use -validity to specify validity in days, which defaults to 90 days
$JAVA_HOME/bin/keytool -genkey -alias wlbox1 -keyalg RSA -sigalg SHA1withRSA -keystore wlbox1.keystore -storepass secret -keypass secret -dname "CN=wlbox1, emailAddress=jd@tmprealm.com, OU=tmpRealm, O=tmpOrg, L=Reston, S=VA, C=US"
# Generate CSR
$JAVA_HOME/bin/keytool -certreq -alias wlbox1 -sigalg SHA1withRSA -file wlbox1.csr -keystore wlbox1.keystore -storepass secret
# Inspect keys
$JAVA_HOME/bin/keytool -list -v -alias wlbox1 -keystore wlbox1.keystore
Sign CSR
# Go to exampleca directory
cd ~/exampleca
# Copy csr to ca
cp ~/identity/wlbox1/wlbox1.csr csr
# Sign csr
openssl ca -in csr/wlbox1.csr
# Rename cert to meaningful name
cd certs
mv 03.pem wlbox1.pem
Import Signed Certificate
* Commands:
cd ~/identity/wlbox1
# Copy certs
cp ~/exampleca/cacert.pem .
cp ~/exampleca/certs/wlbox1.pem .
# Remove from wlbox1.pem all text except the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
vi wlbox1.pem
# Import CA cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox1.keystore -alias cacert -storepass secret -file cacert.pem
# Import wlbox1 cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox1.keystore -alias wlbox1 -storepass secret -file wlbox1.pem
# List keystore
$JAVA_HOME/bin/keytool -list -v -alias wlbox1 -keystore wlbox1.keystore
Create Trust Key Store
* Commands:
# Copy Java cacerts
cp $JAVA_HOME/jre/lib/security/cacerts ./wlbox1.truststore
# Import CA cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox1.truststore -alias cacert -storepass changeit -file cacert.pem
# Import wlbox1 cert
$JAVA_HOME/bin/keytool -import -v -keystore wlbox1.truststore -alias wlbox1 -storepass changeit -file wlbox1.pem
# List keystore
$JAVA_HOME/bin/keytool -list -v -alias wlbox1 -keystore wlbox1.truststore
Setup Identity and Trust Stores for WebLogic
* Go to domain > Environment > Servers > examplesServer > Configuration > Keystores
* Click Lock & Edit and Change
* Select Custom Identity and Custom Trust and click Save.
* Enter:
Identity:
– Custom Identity Keystore: /home/oracle/identity/wlbox1/wlbox1.keystore
– Custom Identity Keystore Type: jks
– Custom Identity Keystore Passphrase: secret
Trust:
– Custom Trust Keystore: /home/oracle/identity/wlbox1/wlbox1.truststore
– Custom Trust Keystore Type: jks
– Custom Trust Keystore Passphrase: changeit
* Click Save
Setup SSL
* Go to domain > Environment > Servers > examplesServer > Configuration > SSL
* Click Lock & Edit and Change
* Enter:
– Private Key Location: # leave blank
– Private Key Alias: wlbox1
– Private Key Passphrase: secret
Turn on SSL Listen Port
* Go to domain > Environment > Servers > examplesServer > Configuration > General
* Click Lock & Edit
* Check SSL Listen Port Enabled
* Click Save
* Click Activate Changes
* Restart WLS
Enable SSL between wlbox and wlbox1
* Import wlbox server cert into wlbox1 trust store:
cd ~/identity/wlbox1
cp wlbox1.truststore wlbox1.truststore.bak
cp ~/identity/wlbox/wlbox.pem .
$JAVA_HOME/bin/keytool -import -v -keystore wlbox1.truststore -alias wlbox -storepass changeit -file wlbox.pem
* Import wlbox1 server cert into wlbox trust store:
cd ~/identity/wlbox
cp wlbox.truststore wlbox.truststore.bak
cp ~/identity/wlbox1/wlbox1.pem .
$JAVA_HOME/bin/keytool -import -v -keystore wlbox.truststore -alias wlbox1 -storepass changeit -file wlbox1.pem
* Restart both wlbox and wlbox1 WebLogic servers.