Configuring SSL with self-signed certificates

Upload: syam-kumar

Post on 16-Jul-2015


Configuring SSL with self-signed certificates on WebLogic Server 8.1

Agenda
- Prerequisites
- Use of Keytool
- Import Certificates Into Keystores
- Configure SSL
- Test WebLogic Console over HTTPS
- References

Prerequisites
- WLS 8.1 already installed.
- WLS 8.1 domain already created.

For WLS 8.1 there are two approaches to generating your own certificates:
- Use self-signed certificates, with you as the certificate authority.
- Use WLS's CertGen utility to create certificates signed by the WLS demonstration certificate authority.

Use of Keytool

Option 1: Procedure for generating a self-signed certificate for use with WLS 8.1

1) Generate the key pair and self-signed certificate.

Use keysize 512 if you have an export license (look for SSL/Export in license.bea). Use keysize 1024 if you have a domestic license (look for SSL/Domestic in license.bea). Pick your own keystore name, alias name, and passwords; the values below are only examples. See also Table 8-1 in "Managing WebLogic Security" (http://edocs.bea.com/wls/docs81/secmanage/ssl.html#1185171).

Check the license file to find out which key strength (export/domestic) you are allowed to use.

keytool -genkey -keyalg rsa -keystore mykeystore.jks -alias weblogic -keysize 512 -keypass weblogic -storepass weblogic -validity 365

Supply your server's hostname at the prompt "First and last name" (e.g., www.myhost.bea.com); this becomes the certificate's common name (CN), which the client checks against the hostname it connected to.

2) Now extract the self-signed certificate into trust.pem (the -rfc option writes it in Base64/PEM form).

keytool -export -alias weblogic -file C:\bea\user_projects\domains\Self_Signed_Cert_Domain\trust.pem -keystore C:\bea\user_projects\domains\Self_Signed_Cert_Domain\mykeystore.jks -storepass weblogic -rfc

Import Certificates Into Keystores

3) Import the self-signed certificate, which functions as its own certificate authority, into trust.jks.

keytool -import -alias weblogic -file C:\bea\user_projects\domains\Self_Signed_Cert_Domain\trust.pem -keystore C:\bea\user_projects\domains\Self_Signed_Cert_Domain\trust.jks -storepass weblogic

Now you have mykeystore.jks containing your own host-specific certificate and private key (the identity keystore), and trust.jks containing only the trusted certificate (the trust keystore). Keeping the two separate means the trust keystore can be handed to clients without exposing the private key.
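Steps 1 to 3 above as a non-interactive script with a verification pass, added here as an example and not part of the original slides. It assumes a JDK keytool on the PATH, uses -dname in place of the "First and last name" prompt, uses the newer command names (-genkeypair, -exportcert, -importcert are synonyms for -genkey, -export, -import), and generates a 2048-bit key because 512 and 1024 bits are far below current practice; the alias, passwords and hostname are the slides' demo values.

```shell
#!/bin/sh
# Option 1 (self-signed identity + separate trust keystore), non-interactive.
# Assumptions, not from the slides: -dname instead of the interactive prompt,
# 2048-bit RSA, -storetype JKS because WLS 8.1 only reads JKS keystores.
set -eu

HOST_CN="${1:-www.myhost.bea.com}"   # hostname from the slides' example
WORKDIR="${2:-$(mktemp -d)}"
IDENT="$WORKDIR/mykeystore.jks"      # identity keystore (private key + cert)
TRUST="$WORKDIR/trust.jks"           # trust keystore (certificate only)
CERT="$WORKDIR/trust.pem"            # exported self-signed certificate
ALIAS=weblogic
PASS=weblogic                        # demo password, as on the slides

make_keystores() {
  # Step 1: key pair and self-signed certificate; CN must be the server hostname
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
    -dname "CN=$HOST_CN,OU=Demo,O=Example,C=US" -storetype JKS \
    -keystore "$IDENT" -storepass "$PASS" -keypass "$PASS" -validity 365
  # Step 2: export the certificate (-rfc gives PEM rather than binary DER)
  keytool -exportcert -alias "$ALIAS" -file "$CERT" -storetype JKS \
    -keystore "$IDENT" -storepass "$PASS" -rfc
  # Step 3: import it as a trusted entry into a separate trust keystore
  keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT" -storetype JKS \
    -keystore "$TRUST" -storepass "$PASS"
}

# Entry type of the alias in a keystore: PrivateKeyEntry or trustedCertEntry
entry_type() {
  keytool -list -v -storetype JKS -keystore "$1" -storepass "$PASS" \
    -alias "$ALIAS" | sed -n 's/^Entry type: //p'
}

# A self-signed certificate has identical Owner and Issuer names
is_self_signed() {
  owner=$(keytool -printcert -file "$CERT" | sed -n 's/^Owner: //p')
  issuer=$(keytool -printcert -file "$CERT" | sed -n 's/^Issuer: //p')
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

if command -v keytool >/dev/null 2>&1; then
  make_keystores
  echo "identity keystore entry: $(entry_type "$IDENT")"   # PrivateKeyEntry
  echo "trust keystore entry:    $(entry_type "$TRUST")"   # trustedCertEntry
  is_self_signed && echo "trust.pem is self-signed (Owner == Issuer)"
else
  echo "keytool not found; install a JDK first" >&2
fi
```

The identity keystore must show a PrivateKeyEntry and the trust keystore a trustedCertEntry; if the trust keystore also shows a PrivateKeyEntry, the private key was copied where clients could receive it.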

Configure SSL

Start WebLogic Server.

Currently the server is listening only on port 7001 (plain HTTP).

4) Configure WLS via the console to use the custom identity and custom trust keystores.
- Point your browser to http://host:port/console.
- Go to Servers -> myserver -> General, check "SSL Listen Port Enabled" and specify the port number (default is 7002). Click Apply.
- Go to Servers -> myserver -> Keystore & SSL and click the Change link. Choose "Custom Identity and Custom Trust" and click Continue.
- Supply mykeystore.jks as the custom identity keystore file name, type JKS, passphrase weblogic. Supply trust.jks as the custom trust keystore file name, type JKS, passphrase weblogic. Click Continue.
- Enter the SSL Private Key Settings: Private Key Alias weblogic, passphrase weblogic, and confirm the passphrase. Click Continue, then Finish.

Test Weblogic Console over HTTPS

Restart the WLS server so the keystore settings take effect.

Now the server is listening on both ports, 7001 (HTTP) and 7002 (HTTPS).

Point your browser to https://host:7002/console. You will get a security alert because the certificate is self-signed and not issued by a CA the browser trusts. Click Yes and enter the credentials.

The address bar now shows that the console is being served over the HTTPS protocol.

Option 2: Use WLS's CertGen utility to create certificates signed by the WLS demonstration certificate authority. This procedure is an alternative to Option 1; instead of acting as your own CA, you use the demonstration CA shipped with WLS.

Required files
Copy the following files into the current directory for easy access:
WL_HOME/server/lib/CertgenCA.der
WL_HOME/server/lib/CertgenCAKey.der

Generate a certificate signed by the demonstration CA with domestic key strength. The common name (CN) is the same as the current hostname. The issuer CA name is CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US.

The following command must be executed with CLASSPATH set for the WLS 8.1 environment.

Java command:
java utils.CertGen weblogic mycertfile mykeyfile

The files created are mycertfile.{der,pem} and mykeyfile.{der,pem}.

Conversion
Convert CertgenCA.der to .pem format:
java utils.der2pem CertgenCA.der

Concatenate
Concatenate the two certificates to form a chain (server certificate first, then the CA):
cat mycertfile.pem CertgenCA.pem > certs.pem

New keystore to load the private key
Create a new keystore and load the private key and certificate chain:
java utils.ImportPrivateKey mykeystore.jks weblogic weblogic weblogic certs.pem mykeyfile.pem

List the keys
List the keystore to make sure it's OK:
keytool -v -list -keystore mykeystore.jks

Keystore for the trusted CA certificate
Create a separate keystore for the trusted CA certificate:
keytool -import -alias weblogic -file CertgenCA.pem -keystore trust.jks -storepass weblogic

Then follow the console steps from Option 1 to configure SSL with these two keystores.

Useful References
- The man page for the keytool utility, which is part of the JDK: http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
- The WLS document "Managing WebLogic Security" at http://edocs.bea.com/wls/docs81/pdf/secmanage.pdf, especially Chapter 8.
- The documentation for the openssl utility at http://www.openssl.org; openssl can be downloaded from this web site.
- For CertGen: http://edocs.bea.com/wls/docs81/admin_ref/utils6.html#1213378
- http://iaskbea-2.bea.com/askbea/wls/S-24834.html
- http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html
- http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html