To configure SSL on WebLogic Server, you need an SSL credential for authentication. You can use Java keytool to perform the following tasks to create a credential:
Then, configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic.
The keytool command is typically located in the Java jre/bin directory and must include several options and option values, which are listed in the following table.
| Keytool option | Description | Option value |
|---|---|---|
| -alias | The alias of the keystore. | |
| -keyalg | The algorithm to use to generate the key pair. | RSA. You can use a different algorithm, depending on your company's policy. |
| -keystore | The location and name of the keystore file. The location can include the absolute path of the file, or it can be relative to the current directory of the command prompt where the keytool command is entered. | |
| -file | The location and name of the certificate file. | ads-ca.cer |
| -validity | The number of days that the certificate is considered valid. | 3650. You can use a different value, depending on your company's policy. |
| -storepass | The password that protects the contents of the keystore. | |
| -keypass | The password that protects the private key of the key pair. | Use the same password that you used for the |
| -dname | The distinguished name that identifies the person who owns the keystore. | |
For more information about using the keytool command, see the keytool.html file that is part of your JDK documentation.
From a command prompt, navigate to [appserverdomain]/adobe/[server name].
Enter the following command:
```
[JAVA_HOME]/bin/keytool -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass store_password -keypass key_password -dname "CN=Hostname, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code"
```
Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password, key_password, and the -dname attribute values with values that correspond with your environment.
For example:
```
"C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass P@ssw0rd -keypass P@ssw0rd -dname "CN=wasnode01, OU=LC, O=Adobe, L=Noida, S=UP, C=91"
```
The Custom Identity keystore file named "ads-credentials.jks" is created in the [appserverdomain]/adobe/[server name] directory.
Extract the certificate from the ads-credentials keystore by entering the following command:
```
[JAVA_HOME]/bin/keytool -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass store_password
```
Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password with the password for the Custom Identity keystore.
For example:
```
"C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass P@ssw0rd
```
The certificate file named "ads-ca.cer" is created in the [appserverdomain]/adobe/[server name] directory.
Copy the ads-ca.cer file to any host computers that need secure communication with the application server.
Insert the certificate into a new keystore file (the Custom Trust keystore) by entering the following command:
```
[JAVA_HOME]/bin/keytool -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass store_password -keypass key_password
```
Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password and key_password with your own passwords.
For example:
```
"C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass Password1 -keypass Password1
```
The Custom Trust keystore file named "ads-ca.jks" is created in the [appserverdomain]/adobe/[server name] directory.
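The three keytool steps above, wrapped in a shell script as an added example (this is not from the original documentation or from Adobe or Oracle). It places the WebLogic host name in the CN of the distinguished name, which is the condition that lets Hostname Verification stay enabled later instead of being set to None, and it refuses the sample passwords that the procedure uses. The variables JAVA_HOME, ADS_DIR, STORE_PASS, KEY_PASS, ORG_UNIT, ORG, CITY, STATE and COUNTRY, and the helper names, are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the WebLogic/keytool procedure. Creates the
# identity keystore, exports its certificate and imports it into a trust
# keystore, with the host name as CN so Hostname Verification can stay on.
set -eu

# Extract the CN attribute from an X.500 distinguished name.
# dname_cn "CN=wasnode01, OU=LC, O=Adobe"  ->  wasnode01
dname_cn() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*CN=[[:space:]]*//p' | head -n 1
}

# Succeed only when the CN equals the host name clients will connect to
# (case-insensitive). This is what Hostname Verification checks.
cn_matches_host() {
    local cn host
    cn=$(dname_cn "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Succeed when a password is one of the documentation's sample values or
# shorter than 12 characters; such values must not protect a private key.
weak_password() {
    case "$1" in
        store_password|key_password|P@ssw0rd|Password1|mypassword) return 0 ;;
    esac
    [ "${#1}" -lt 12 ]
}

# Build the -dname value with the host name as CN. The remaining attributes
# are constructed defaults (assumed variables); override them as needed.
build_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, S=%s, C=%s' \
        "$1" "${ORG_UNIT:-LC}" "${ORG:-Example Corp}" "${CITY:-City}" \
        "${STATE:-State}" "${COUNTRY:-US}"
}

# Run the three keytool steps for one host. Requires JAVA_HOME, STORE_PASS
# and KEY_PASS in the environment (assumed names).
create_credential() {
    local host=$1 dname kt
    dname=$(build_dname "$host")
    if ! cn_matches_host "$dname" "$host"; then
        echo "CN in '$dname' does not match host '$host'" >&2
        return 1
    fi
    if weak_password "$STORE_PASS" || weak_password "$KEY_PASS"; then
        echo "refusing a sample or short keystore password" >&2
        return 1
    fi
    kt="$JAVA_HOME/bin/keytool"
    # Step 1: Custom Identity keystore with the RSA key pair.
    "$kt" -genkey -v -alias ads-credentials -keyalg RSA -keystore ads-credentials.jks \
        -validity 3650 -storepass "$STORE_PASS" -keypass "$KEY_PASS" -dname "$dname"
    # Step 2: export the public certificate.
    "$kt" -export -v -alias ads-credentials -file ads-ca.cer \
        -keystore ads-credentials.jks -storepass "$STORE_PASS"
    # Step 3: Custom Trust keystore holding only the certificate.
    "$kt" -import -v -noprompt -alias bedrock -file ads-ca.cer -keystore ads-ca.jks \
        -storepass "$STORE_PASS" -keypass "$KEY_PASS"
    # Show what was created; the trust store should list one trustedCertEntry.
    "$kt" -list -keystore ads-ca.jks -storepass "$STORE_PASS"
}

# Usage: JAVA_HOME=/opt/jdk STORE_PASS=... KEY_PASS=... sh make-ads-credential.sh wasnode01.example.com
# Runs only when a host name argument is given, so the functions can also be sourced.
if [ "${1:-}" != "" ]; then
    cd "${ADS_DIR:-.}"
    create_credential "$1"
fi
```

The script runs the keytool commands from the current directory, so set ADS_DIR to [appserverdomain]/adobe/[server name] before running it. The -keypass on the import step is kept only to mirror the procedure; a trusted-certificate entry has no private key, so that value is not used. After the script succeeds, the SSL page in the administration console can keep Hostname Verification at its default instead of None, because the CN now matches the host name.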
Configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic Server.
Start the WebLogic Server administration console by typing https://[host name]:7001/console in the URL line of a web browser.
Under Environment, in Domain Configurations, select Servers > [server] > Configuration > General.
Under General, in Configuration, ensure that Listen Port Enabled and SSL Listen Port Enabled are selected. If not enabled, do the following:
If this server is a Managed Server, change Listen Port to an unused port value (such as 8001) and SSL Listen Port to an unused port value (such as 8002). On a stand-alone server, the default SSL port is 7002.
Click Release Configuration.
Under Environment, in Domain Configurations, click Servers > [Managed Server] > Configuration > General.
Under General, in Configuration, select Keystores.
Under the Change Center, click Lock & Edit to modify selections and values.
Click Change to display the keystore configurations as a drop-down list, and select Custom Identity And Custom Trust.
Under Identity, specify the following values:
Custom Identity Keystore: [appserverdomain]/adobe/[server name]/ads-credentials.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: mypassword (custom identity keystore password)
Under Trust, specify the following values:
Custom Trust Keystore File Name: [appserverdomain]/adobe/[server name]/ads-ca.jks, where [appserverdomain] is the actual path.
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: mypassword (custom trust keystore password)
Under General, in Configuration, select SSL.
By default, Keystore is selected for Identity and Trust Locations. If it is not, change it to Keystore.
Under Identity, specify the following values:
Private Key Alias: ads-credentials
Passphrase: mypassword
Click Release Configuration.
On the Configuration tab, click SSL.
Under Advanced, select None from the Hostname Verification list.
If you leave Hostname Verification enabled, the Common Name (CN) in the certificate's distinguished name must match the host name of the computer that runs WebLogic Server.
Under Change Center, click Lock & Edit to modify selections and values.
Restart the application server.