Weblogic SSL Configuration Steps

Oracle Weblogic Server

WebLogic Server 12c supports SSL to add security and encryption to the data transmitted over the network. Here we will discuss on weblogic ssl configuration process.

Assumptions: SSL will be enabled in the AdminServer01 instance of the MY_DOMAIN domain.

A new identity keystore and a new trusted keystore will be created to store the new certificate. The WebLogic Server instances and the Node Manager will be configured to enable the SSL protocol and use the custom keystores.

Create the identity keystore MYSRVIdentity.jks on machine:

1. Log in to shell as the user wls, and create a new folder named /oracle/Middleware/user_projects/domains/MY_DOMAIN/keystores:

[wls@MYSRV01]$ mkdir /oracle/Middleware/user_projects/domains/MY_DOMAIN/keystores

2. Set the MY_DOMAIN environment variables with the setDomainEnv.sh script and create the keystore:

[wls@MYSRV01]$ cd /oracle/Middleware/user_projects/domains/MY_DOMAIN/bin

[wls@MYSRV01]$ . ./setDomainEnv.sh

[wls@MYSRV01]$ cd keystores

[wls@MYSRV01]$ keytool -genkeypair -alias MYSRVcert -keyalg RSA -keysize 1024 -dname “CN=*.domain.local,OU=MyOrganization,O=MyCompany,L=MyCity,S=MyState,C=US” -keystore MYSRVIdentity.jks

Generate Keypair

3. Type and confirm the password for the keystore, and then type <ENTER> to use the same password for MYSRVcert:

Enter keystore password: <Type a new password>

Re-enter new password: <Re-type the password>

Enter key password for <MYSRVcert>

(RETURN if same as keystore password): <ENTER>

Generate a new CSR using MYSRVIdentity.jks:

1. Execute the keytool utility to generate the CSR.

[wls@MYSRV01]$ keytool -certreq -v -alias MYSRVcert -file MYSRVCert.csr -keystore MYSRVIdentity.jks

2. Type the password when required:

Enter keystore password: <Type the password>

Certification request stored in file <MYSRVCert.csr>

Submit this to your CA

Sign the CSR and import it into the identity keystore:

1. Submit MYSRVCert.csr to the Certificate Authority of your choice to get the digital certificate and its private key. For demonstration purposes, this recipe will use the CertGen utility to create and sign the certificate from the CSR. CertGen uses the WebLogic Demo CA (CertGenCA.der):

[wls@MYSRV01]$ java utils.CertGen -keyfile MYSRVCertPrivateKey -keyfilepass password -certfile MYSRVCert -cn “*.domain.local”

Generating a certificate with common name *.domain.local and key strength 1024

/oracle/Middleware/wlserver_12.1/server/lib/CertGenCA.der file and key from /oracle/Middleware/wlserver_12.1/server/lib/CertGenCAKey.der file

2. Import the server certificate and private keys to the MYSRVIdentity.jks keystore:

[wls@MYSRV01]$ java utils.ImportPrivateKey -keystore MYSRVIdentity.jks -keyfile MYSRVCertPrivateKey.pem -keyfilepass password -certfile MYSRVCert.pem -storepass password -alias MYSRVcert

Create the custom trust keystore MYSRVTrust.jks on the MYSRV01 machine:

1. Create the MYSRVTrust.jks keystore by making a copy from the Standard Java Trust.

[wls@MYSRV01]$ cp /oracle/jvm/jre/lib/security/cacerts ./MYSRVTrust.jks

2. Change the default cacerts password. The default is changeit. Change it to a new one:

[wls@MYSRV01]$ keytool -storepasswd -keystore MYSRVTrust.jks

Enter keystore password: changeit

New keystore password: <Type the new password>

Re-enter new keystore password: <Re-type the new password>

3. In previous steps, the WebLogic Demo CA (CertGenCA.der) was used to sign the certificate, so it will be imported to the trust keystore. In production, import the CA certificate from your trusted CA vendor.

[wls@MYSRV01]$ keytool -import -v -trustcacerts -alias rootCA -file /oracle/Middleware/wlserver_12.1/server/lib/CertGenCA.der -keystore MYSRVTrust.jks

If you have multiple machines and managed servers then you need to manully copy the keystore folder to every machine.

1. Copy the keystore folder to the MYSRV02 machine:

[wls@MYSRV01]$ scp –r /oracle/Middleware/user_projects/domains/MY_DOMAIN/keystores MYSRV02:/oracle/Middleware/user_projects/domains/MY_DOMAIN/

Change the Node Manager in the MYSRV01 and MYSRV02 machines to use the custom keystores and the new certificate:

1. Edit the nodemanager.properties file:

[wls@MYSRV01]$ vi $WL_HOME/common/nodemanager/nodemanager.properties

2. Add the following lines to the file:






3. Enter :ws! to save and exit.

4. Repeat the nodemanager.properties configurations for the MYSRV02 machine.

5. Restart the Node Manager.

Assign WebLogic Server instances to use the custom keystores and the certificate:

1. Access the Administration Console by pointing your web browser to http://adminhost.domain.local:7001/console.

2. Click on the [+] Environment sign from the navigation box to the left and then click on the Servers link.

3. Click on the AdminServer01 link.

4. Click on the Keystores tab and then click on the Change button from the Keystores option As shown in the following screenshot:

Server Keystore Configuration Page

5. Select the Custom Identity and Custom Trust option from the Keystores drop-down menu and click on the Save button.

6. Enter ./keystores/MYSRVIdentity.jks in the Custom Identity Keystore text field. Then, enter jks in the Custom Identity Keystore Type text field. Enter the password chosen earlier in Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase.

7. Enter ./keystores/MYSRVTrust.jks in the Custom Trust Keystore text field. Then, enter jks in the Custom Trust Keystore Type text field. Enter the password chosen earlier in Custom Trust Keystore Passphrase and Confirm Custom Trust Keystore Passphrase. Click on the Save button.

8. Click on the SSL tab and type MYSRVcert in the Private Key Alias text field. Enter the password chosen earlier in Private Key Passphrase and Confirm Private Key Passphrase. Select the Custom Hostname Verifier option from the Hostname Verification drop-down menu and enter weblogic.security.utils. SSLWLSWildcardHostnameVerifier in the Custom Hostname Verifier text field. Click on the Save button.

9. Click on the General tab and check the SSL Listen Port Enabled checkbox As shown in the following screenshot:

SSL port enabled tab

10. Enter 7002 in the SSL Listen Port text field and click on the Save button.

11. Repeat the preceding steps for the rest of the managed servers in the domain.

12. Click on the Activate Changes button.

13. Restart the Administration Server and the Managed Servers.

All WebLogic Server instances were configured to use the custom identity and trust keystores and stop using the default DemoIdentity.jks and DemoTrust.jks keystores. The Node Manager was also configured to use the custom keystores and the new certificate. The SSL protocol was then enabled in the AdminServer01 and MYSRV_Server01 and other Managed Servers in the same domain.


In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.