How To Create a Wallet using WebLogic Scripting Tool (WLST) in Fusion Middleware

Oracle Weblogic Server

 

Note: To create a Wallet using WLST the component has to be associated with a WLS domain. If you are using standalone OHS, Webcache or OID, then you cannot use WLST to create a keystore.

We need to follow below 4 steps to complete the task.

1. Creating the Wallet File.
2. Generate a Certificate Signing Request.
3. Import the Trusted Certificate
4. Check Wallet Contents

Follow Below example to know how to create a Wallet for Oracle HTTP Server associated with a WLS domain.

Creating the Wallet File.

…………………………
1. If not already started, start the WebLogic AdminServer for the domain

$MIDDLEWARE_HOME/user_projects/domains/<domain>/startWebLogic.sh

2. Run $ORACLE_HOME/common/bin/wlst.sh

$ORACLE_HOME/common/bin>./wlst.sh

Initializing WebLogic Scripting Tool (WLST) …
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline>

3. Connect to the WebLogic Server AdminServer that your C based Component is associated with

wls:/offline> connect(‘weblogic’,’welcome1′,’localhost:7001′)

Connecting to t3://localhost:7001 with userid weblogic …
Successfully connected to Admin Server ‘AdminServer’ that belongs to domain ‘ClassicDomain’.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

wls:/ClassicDomain/serverConfig>

Note: Here (‘weblogic’,’welcome1′,’localhost:7001′) is the weblogic user/pwd and hostname and port of the AdminServer.

4. Create the Wallet with the following command:

createWallet('<instance_name>', '<ias-component>', '<process-type>', '<wallet_name>', '<password>')

If you are unsure of the <instance_name>, <ias-component> and <process-type> then run $ORACLE_INSTANCE/bin/opmnctl status:

$opmnctl status

Processes in Instance: MIOReactors
---------------------------------+--------------------+---------+---------
ias-component | process-type | pid | status
---------------------------------+--------------------+---------+---------
emagent_MIOReactors | EMAGENT | N/A | Down
ReportsServer_marshall_FormsRep~ | ReportsServerComp~ | N/A | Down
webcache1 | WebCache-admin | N/A | Down
webcache1 | WebCache | N/A | Down
ohs1 | OHS | 2443| Alive

So in this case <instance_name>, <ias-component> and <process-type> is ‘MIOReactors’, ‘ohs1’, and OHS respectively.

So in this case to create a Password Protected Wallet (ewallet.p12/cwallet.sso) the example is as follows:

wls:/ClassicDomain/serverConfig> createWallet ('MIOReactors','ohs1','ohs','ohswallet','Welcome1')
Wallet created

To create an Auto-Login Wallet (cwallet.sso), then for the password parameter enter ”, i.e no text between quotes.

Example:

wls:/ClassicDomain/serverConfig> createWallet ('MIOReactors','ohs1','ohs','ohswallet','')
Wallet created

This procedure creates the Wallet at $ORACLE_INSTANCE/config/COMPONENT_TYPE/COMPONENT_NAME/keystores/<wallet_name>

So in this example the it can be found at: $ORACLE_INSTANCE/config/OHS/ohs1/keystores/ohswallet

Note: Wallets created with WLST are automatically visible in FMW Control.

Generate a Certificate Signing Request

…………………………………

1. To generate the CSR execute the following command:

addCertificateRequest('<instance_name', '<ias-component>', '<process-type>', '<wallet_name>', '<password>', '<subject_dn>', '<key_size>')

For example:

wls:/ClassicDomain/serverConfig> addCertificateRequest('MIOReactors','ohs1','ohs','ohswallet','Welcome1','cn=TServers.us.techpaste.com,OU=Support,O=TechPaste,L=REDWOOD,ST=CA,C=US','1024')
Certificate signing request generated

2. To export the Certificate Request

exportWalletObject('<instance_name', '<ias-component>', '<process-type>', '<wallet_name>', '<password>', 'CertificateRequest','<dir_to_export_to>','<subject_dn>')

For example for a Password Protected Wallet:

wls:/ClassicDomain/serverConfig> exportWalletObject('MIOReactors','ohs1','ohs','ohswallet','Welcome1','CertificateRequest','/oracle/11AS/instances','cn=TServers.us.techpaste.com,OU=Support,O=TechPaste,L=REDWOOD,ST=CA,C=US')
Wallet object exported

For an Auto-Login Wallet replace ‘Welcome1’, with empty quotes ”

This will create a file called base64.txt in the directory specified in the command.

3. Send the Certificate Request (base64.txt) to a Certificate Authority. Refer to your specific Certificate Authorities instructions on how to request the Certificate. Once you have received the certificate from the CA, make sure that you download the certificate (server.crt), Trusted Root CA certificate (rootca.crt), and any required Intermediate Trusted CA certificates in Base64 (PEM) format as WLST cannot import Binary (DER) Certificates.

Import the Trusted Certificate

…………………………….

1. To import a Trusted Certificate execute the following command:

importWalletObject('<instance_name', '<ias-component>', '<process-type>', '<wallet_name>', '<password>', 'TrustedCertificate','<path_to_certificate_file>')

For example for a Password Protected Wallet:

wls:/ClassicDomain/serverConfig> importWalletObject('MIOReactors','ohs1','ohs','ohswallet','Welcome1','TrustedCertificate','/oracle/11AS/instances/MIOReactors/rootca.crt')
Wallet object imported

For an Auto-Login Wallet replace ‘Welcome1’, with empty quotes ”

2. Repeat this process for any other Trusted Root CA Certificates in the chain

Import the Server Certificate

…………………………….

1. To import the Server Certificate execute the following command:

importWalletObject('<instance_name', '<ias-component>', '<process-type>', '<wallet_name>', '<password>', 'Certificate','<path_to_certificate_file>')

For example for a Password Protected Wallet:

wls:/ClassicDomain/serverConfig> importWalletObject('MIOReactors','ohs1','ohs','ohswallet','Welcome1','Certificate','/oracle/11AS/instances/MIOReactors/server.crt')
Wallet object imported

For an Auto-Login Wallet replace ‘Welcome1’, with empty quotes ”
List Wallet Contents
…………………

The Wallet is now ready. To list the contents of a Wallet execute the following command:

listWalletObjects('<instance_name', '<ias-component>', '<process-type>', '<wallet_name>', '<password>', '<object_type>')

where object_type=’CertificateRequest’, ‘Certificate’, or ‘TrustedCertificate’.

For example to list the Trusted Certificates installed:

wls:/ClassicDomain/serverConfig> listWalletObjects('MIOReactors','ohs1','ohs','ohswallet','Welcome1','TrustedCertificate')
------------------------------------------------------
Index: 0
DN: CN=SSL Training CA,OU=Support,O=TechPaste,L=REDWOOD,ST=CA,C=US
------------------------------------------------------
Index: 1
DN: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
------------------------------------------------------
Index: 2
DN: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
------------------------------------------------------
Index: 3
DN: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
------------------------------------------------------
Index: 4
DN: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
------------------------------------------------------
wls:/ClassicDomain/serverConfig>

Note: If on Windows an extra step is required otherwise you will face Oracle HTTP Server and/or WebCache Fails to Start after Configuring SSL in FMW 11g.

1. Open Windows Explorer and navigate to the <wallet_location>\cwallet.sso file.
2. Right Click on the cwallet.sso file, select Properties, and navigate to the Security tab. In the “Group or user names” security box, select “Add”, and enter “SYSTEM” and click OK.

 

 

In case of any ┬ęCopyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply