To configure SSL on WebLogic Server, you need an SSL credential for authentication. You can use the Java keytool utility to perform the following tasks to create a credential:

1. Create a public/private key pair, wrap the public key in an X.509 v1 self-signed certificate that is stored as a single-element certificate chain, and then store the certificate chain and the private key in a new keystore. This keystore is the application server's Custom Identity keystore.

2. Extract the certificate and insert it into a new keystore. This keystore is the application server's Custom Trust keystore.

Then, configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature, because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic.
Creating an SSL credential for use on WebLogic Server

The keytool command is typically located in the Java jre/bin directory and must include several options and option values, which are listed in the following table.
| Keytool option | Description | Option value |
| --- | --- | --- |
| -alias | The alias that identifies the key entry in the keystore. | |
| -keyalg | The algorithm to use to generate the key pair. | RSA. You can use a different algorithm, depending on your company's policy. |
| -keystore | The location and name of the keystore file. The location can include the absolute path of the file, or it can be relative to the current directory of the command prompt where the keytool command is entered. | |
| -file | The location and name of the certificate file. | |
| -validity | The number of days that the certificate is considered valid. | 3650. You can use a different value, depending on your company's policy. |
| -storepass | The password that protects the contents of the keystore. | Custom Identity keystore: the keystore password must correspond with the SSL credential password that was specified for the Trust Store component of the Administration Console. Custom Trust keystore: use the same password that you used for the Custom Identity keystore. |
| -keypass | The password that protects the private key of the key pair. | Use the same password that you used for the -storepass option. The key password must be at least six characters. |
| -dname | The distinguished name that identifies the person who owns the keystore. | "CN=[User name],OU=[Group Name], O=[Company Name], L=[City Name], S=[State or province], C=[Country Code]" (the placeholders are described below the table) |

The -dname placeholders are:

[User name] is the identification of the user who owns the keystore.
[Group Name] is the identification of the corporate group that the keystore owner belongs to.
[Company Name] is your organization's name.
[City Name] is the city where your organization is located.
[State or province] is the state or province where your organization is located.
[Country Code] is the two-letter code for the country where your organization is located.
For more information about using the keytool command, see the
keytool.html file that is part of your JDK documentation.
Create the Custom Identity and Trust keystores

1. From a command prompt, navigate to [appserverdomain]/adobe/[server name].

2. Enter the following command:

[JAVA_HOME]/bin/keytool -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass store_password -keypass key_password -dname "CN=Hostname, OU=Group Name, O=CompanyName, L=City Name, S=State, C=Country Code"

Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password, key_password and the -dname attribute values with values that correspond with your environment.

For example:

"C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass P@ssw0rd -keypass P@ssw0rd -dname "CN=wasnode01, OU=LC, O=Adobe, L=Noida, S=UP, C=91"

The Custom Identity keystore file named "ads-credentials.jks" is created in the [appserverdomain]/adobe/[server name] directory.

3. Extract the certificate from the ads-credentials keystore by entering the following command:

[JAVA_HOME]/bin/keytool -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass store_password

Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password with the password for the Custom Identity keystore.

For example:

"C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass P@ssw0rd

The certificate file named "ads-ca.cer" is created in the [appserverdomain]/adobe/[server name] directory.

4. Copy the ads-ca.cer file to any host computers that need secure communication with the application server.

5. Insert the certificate into a new keystore file (the Custom Trust keystore) by entering the following command:

[JAVA_HOME]/bin/keytool -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass store_password -keypass key_password

Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password and key_password with your own passwords.

For example:

"C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass Password1 -keypass Password1

The Custom Trust keystore file named "ads-ca.jks" is created in the [appserverdomain]/adobe/[server name] directory.

6. Configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature, because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic Server.
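The three keytool steps above, wrapped in one script as an added example (this is not part of the Adobe documentation). It enforces the rules the table states before touching keytool (store and key password identical, key password at least six characters) and reports whether the certificate's CN names the host, which tells you up front whether hostname verification can stay enabled or must be disabled as the page describes. It assumes keytool is on PATH or JAVA_HOME is set; the alias and file names are the page's own, while the OU/O/L/S/C values in the sample distinguished name and the function names are constructed here.

```sh
#!/bin/sh
# Added example, not Adobe's own code. Assumes keytool is on PATH or JAVA_HOME is set.

KEYTOOL="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"
ALIAS="ads-credentials"          # alias used on the page
IDENTITY_KS="ads-credentials.jks" # Custom Identity keystore
CERT_FILE="ads-ca.cer"            # exported certificate
TRUST_ALIAS="bedrock"             # alias used on the page for the trust entry
TRUST_KS="ads-ca.jks"             # Custom Trust keystore

# Rule stated in the table: the key password must be at least six characters.
password_ok() {
  [ "${#1}" -ge 6 ]
}

# Rule stated in the table: -keypass must equal -storepass (and the trust
# keystore reuses the identity keystore password).
passwords_match() {
  [ "$1" = "$2" ]
}

# Succeeds only when both passwords satisfy the rules above.
credential_inputs_ok() { # storepass keypass
  password_ok "$1" && password_ok "$2" && passwords_match "$1" "$2"
}

# Print the CN attribute of a distinguished name such as "CN=host, OU=LC, ...".
dname_cn() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*CN=\([^,]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Succeeds when the CN names the host. If it does not, WebLogic hostname
# verification rejects the certificate unless that feature is disabled.
cn_matches_host() { # dname host
  [ "$(dname_cn "$1")" = "$2" ]
}

# Step 2 on the page: key pair plus self-signed certificate in the identity keystore.
create_identity_keystore() { # storepass keypass dname
  "$KEYTOOL" -genkey -v -alias "$ALIAS" -keyalg RSA -keystore "$IDENTITY_KS" \
    -validity 3650 -storepass "$1" -keypass "$2" -dname "$3"
}

# Step 3 on the page: export the certificate for the trust keystore and other hosts.
export_certificate() { # storepass
  "$KEYTOOL" -export -v -alias "$ALIAS" -file "$CERT_FILE" \
    -keystore "$IDENTITY_KS" -storepass "$1"
}

# Step 5 on the page: import the certificate into a new Custom Trust keystore.
create_trust_keystore() { # storepass keypass
  "$KEYTOOL" -import -v -noprompt -alias "$TRUST_ALIAS" -file "$CERT_FILE" \
    -keystore "$TRUST_KS" -storepass "$1" -keypass "$2"
}

# Driver. Usage: setup_ssl_credential HOST STOREPASS KEYPASS
# Run it from [appserverdomain]/adobe/[server name] so the files land where the page expects them.
setup_ssl_credential() {
  host=$1; storepass=$2; keypass=$3
  # Constructed sample DN: only the CN is taken from the caller.
  dname="CN=$host, OU=LC, O=Example Corp, L=City, S=State, C=US"
  credential_inputs_ok "$storepass" "$keypass" || {
    echo "store/key password must be identical and at least six characters" >&2
    return 1
  }
  create_identity_keystore "$storepass" "$keypass" "$dname" &&
    export_certificate "$storepass" &&
    create_trust_keystore "$storepass" "$keypass" || return 1
  if cn_matches_host "$dname" "$host"; then
    echo "CN matches $host: WebLogic hostname verification can stay enabled"
  else
    echo "CN does not match $host: disable hostname verification or reissue the certificate" >&2
  fi
}
```

Passing secrets on the command line as keytool requires here makes them visible to other users in the process list for the duration of the call; run the script on the server host from an account that is the only interactive user, and clear the shell history afterwards.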
Configure WebLogic to use SSL

1. Start the WebLogic Server Administration Console by typing http://[host name]:7001/console in the URL line of a web browser.

2. Under Environment, in Domain Configurations, select Servers > [server] > Configuration > General.

3. Under General, in Configuration, ensure that Listen Port Enabled and SSL Listen Port Enabled are selected. If they are not enabled, do the following:

   a. Under the Change Center, click Lock & Edit to modify selections and values.

   b. Select the Listen Port Enabled and SSL Listen Port Enabled check boxes.

   c. If this server is a Managed Server, change Listen Port to an unused port value (such as 8001) and SSL Listen Port to an unused port value (such as 8002). On a stand-alone server, the default SSL port is 7002.

   d. Click Release Configuration.

4. Under Environment, in Domain Configurations, click Servers > [Managed Server] > Configuration > General.

5. Under General, in Configuration, select Keystores.

6. Under the Change Center, click Lock & Edit to modify selections and values.

7. Click Change to display the keystore list as a drop-down list, and select Custom Identity And Custom Trust.

8. Under Identity, specify the following values:

   Custom Identity Keystore: [appserverdomain]/adobe/[server name]/ads-credentials.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.

   Custom Identity Keystore Type: JKS

   Custom Identity Keystore Passphrase: mypassword (the Custom Identity keystore password)

9. Under Trust, specify the following values:

   Custom Trust Keystore File Name: [appserverdomain]/adobe/[server name]/ads-ca.jks, where [appserverdomain] is the actual path.

   Custom Trust Keystore Type: JKS

   Custom Trust Keystore Pass Phrase: mypassword (the Custom Trust keystore password)

10. Under General, in Configuration, select SSL.

11. By default, Keystore is selected for Identity and Trust Locations. If it is not, change it to Keystore.

12. Under Identity, specify the following values:

   Private Key Alias: ads-credentials

   Passphrase: mypassword

13. Click Release Configuration.
Disable the Hostname Verification feature

1. On the Configuration tab, click SSL.

2. Under Advanced, select None from the Hostname Verification list.

   If Hostname Verification is not disabled, the Common Name (CN) must contain the server host name.

3. Under Change Center, click Lock & Edit to modify selections and values.

4. Restart the application server.
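The console settings from the two procedures above (keystore selection, identity and trust keystores, private key alias, hostname verification) can also be applied with a WLST script, which is easier to review and repeat than clicking through the console. The script generator below is an added example, not part of the Adobe documentation or an Oracle tool. It assumes the standard WebLogic ServerMBean and SSLMBean setters named in the generated script exist on your WebLogic version, that weblogic.jar is on the CLASSPATH so that `java weblogic.WLST` runs, and that the admin URL, user name, server name and paths are yours (the defaults and the function names are constructed here).

```sh
#!/bin/sh
# Added example, not Adobe's or Oracle's code. Assumes WLST is runnable as
# `java weblogic.WLST` and that ADMIN_PASSWORD is set in the environment.

# Print a WLST script that applies the console settings above. Arguments:
#   server      WebLogic server name (for example AdminServer)
#   ks_dir      directory holding ads-credentials.jks and ads-ca.jks
#   passphrase  the keystore/key password chosen when running keytool
#   ignore_hv   true to disable hostname verification (the page's procedure),
#               false to keep it on (requires CN to contain the host name)
wlst_script() {
  server=$1; ks_dir=$2; passphrase=$3; ignore_hv=$4
  admin_user=${ADMIN_USER:-weblogic}               # assumed default
  admin_url=${ADMIN_URL:-t3://localhost:7001}       # console port from the page
  admin_password=${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}
  cat <<EOF
connect('$admin_user', '$admin_password', '$admin_url')
edit()
startEdit()
# Keystores tab: Custom Identity And Custom Trust, plus the two keystore files
cd('/Servers/$server')
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo.setCustomIdentityKeyStoreFileName('$ks_dir/ads-credentials.jks')
cmo.setCustomIdentityKeyStoreType('JKS')
cmo.setCustomIdentityKeyStorePassPhrase('$passphrase')
cmo.setCustomTrustKeyStoreFileName('$ks_dir/ads-ca.jks')
cmo.setCustomTrustKeyStoreType('JKS')
cmo.setCustomTrustKeyStorePassPhrase('$passphrase')
# SSL tab: SSL listen port enabled, private key alias and passphrase,
# and the Hostname Verification setting (None == ignored)
cd('/Servers/$server/SSL/$server')
cmo.setEnabled(true)
cmo.setServerPrivateKeyAlias('ads-credentials')
cmo.setServerPrivateKeyPassPhrase('$passphrase')
cmo.setHostnameVerificationIgnored($ignore_hv)
save()
activate()
disconnect()
EOF
}

# Write the script to a private temporary file, run it, and remove it, so the
# passphrases are never left on disk. Same arguments as wlst_script.
apply_wlst_script() {
  (
    umask 077
    tmp=$(mktemp) || exit 1
    wlst_script "$@" > "$tmp" || { rm -f "$tmp"; exit 1; }
    java weblogic.WLST "$tmp"
    status=$?
    rm -f "$tmp"
    exit $status
  )
}
```

Usage: `ADMIN_PASSWORD=... apply_wlst_script AdminServer /opt/domain/adobe/AdminServer mypassword true`, then restart the server as the page's last step requires. Pass `false` as the last argument once the certificate is reissued with the host name in its CN, since leaving hostname verification disabled also disables the check on every outbound SSL connection the server makes.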