Jun 072012

To create the Identity and Trust Keystores, please follow these steps:

Create a keystore and a private key using the genkeypair (or genkey) command. It will generate a private and public key pair:

keytool -genkeypair -alias server_cert -keyalg RSA -keysize 1024 -dname "CN=TechPaste, OU=GTI, O=TP, L=Boston, ST=Massachusetts,C=IN " -keypass weblogic*123 -keystore server_keystore.jks -storepass weblogic*123

NOTE: -genkeypair is the new name for this command in Java SE 6. In previous Java releases, the name was -genkey. The -genkey command is still supported in Java SE 6, but -genkeypair is preferred. See here for more details.

Create the CSR using the following command:

keytool -certreq -v -alias server_cert -file csr-for-myserver.pem -keypass weblogic*123 -storepass weblogic*123 -keystore server_keystore.jks

This creates a file called csr-for-myserver.pem . This gets sent to a Certificate Authority (CA) to have a public certificate created.
Import the intermediate and root certificates into your keystore:

keytool -import -v -noprompt -trustcacerts -alias ca-root-cert -file rootcacert.cer -keystore server_keystore.jks -storepass weblogic*123

Import the public certificate into the keystore using the private key alias.

NOTE: In the email that your CA will send to you, there should be 2 links to their website, one to download the root CA and another one for the intermediate CA if any. You will have to go to their website and download them.

Once you have the 3 files (root CA, intermediate and certificate), if you have an intermediate CA, edit it and do a <Select All>, and then <Copy>. Then edit your certificate file and paste the intermediate at the bottom of the server certificate. If you don’t have an intermediate CA, you can skip this step. Then do the same with the root CA and paste it at the very bottom You will end up with a certificate that looks like this:

-------BEGIN CERTIFICATE---------
sfsdfwehdfsfsdfddfhdf <---------certificate
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
sfdfsdfwejjhdfsddfaaahdf <---------intermediate
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
sfsdgfdsssetetrtyrfwehdfhdf <---------root CA
--------END CERTIFICATE-----------

The reason you have to do this is so you can import the intermediate along with the certificate to avoid having to import the intermediate to all of the users’ browsers.

keytool -import -v -alias server_cert -file mycert.pem -keystore server_keystore.jks -keypass weblogic*123 -storepass weblogic*123

To confirm your keystore is created correctly, use the following command:

keytool -list -v -keystore server_keystore.jks -storepass weblogic*123

This lists the contents of your keystore.

Configure the keystore in WebLogic Server

Four different types of keystores are available in WebLogic Server:

Demo Identity and Demo Trust
Custom Identity and Java Standard Trust
Custom Identity and Custom Trust
Custom Identity and Command Line Trust

Here we will configure the Custom Identity and Java Standard Trust, using the keystore we have created above and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.

Now login to WebLogic Server to configure these certificates.
In the left pane of the Console, expand Environment and select Servers.
Click the name of the server for which you want to configure the identity and trust keystores.
Check SSL Listen Port Enabled and if necessary set the value for SSL Listen Port <default 7002>
Select Configuration -> Keystores. Choose the Custom Identity and Java Standard Trust and fill in the below attributes:
Custom Identity Keystore: The fully qualified path to the identity keystore (e.g., path/server_keystore.jks).
Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS.
Custom Identity Keystore Passphrase: The password you will enter when reading or writing to the keystore (e.g., weblogic*123).
In the Trust section, as we are using Java Standard Trust as our keystore, specify the password defined when creating the keystore. Confirm the password. For example:
Navigate to Home ->Summary of Servers ->AdminServer -> SSL
Identity and Trust Locations: Keystores
Private Key Alias: alias (The alias of the private key: in our case it is server_cert)
Private Key Passphrase: weblogic*123
Confirm Private Key Passphrase: weblogic*123
Click SAVE
Now restart the server and try to access the Admin console on the HTTPS port: https://<server name>:<server port>/console. If you are able to access the console, that means you have successfully enabled SSL with the Keystore type as Custom Identity and Java Standard Trust.

© Incase of any copyright infringements please check copyrights page for faster resolutions.

  One Response to “Weblogic SSL Configuration Example”

  1. Hey there, You have done a great job. I’ll certainly digg it and personally recommend to my friends. I’m sure they’ll be benefited from this website.

Leave a Reply

Show Buttons
Hide Buttons