Configuring SSL for WebLogic Server

To configure SSL on WebLogic Server, you need an SSL credential for authentication. You can use Java keytool to perform the following tasks to create a credential:

  • Create a public/private key pair, wrap the public key in an X.509 v1 self-signed certificate that is stored as a single-element certificate chain, and then store the certificate chain and the private key in a new keystore. This keystore is the application server’s Custom Identity keystore.

  • Extract the certificate and insert it into a new keystore. This keystore is the application server’s Custom Trust keystore.

Then, configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic.

Creating an SSL credential for use on WebLogic Server

The keytool command is typically located in the Java jre/bin directory and must include several options and option values, which are listed in the following table.

Keytool option: -alias

    Description: The alias of the keystore.

    Option value:

  • Custom Identity keystore: ads-credentials

  • Custom Trust keystore: bedrock

Keytool option: -keyalg

    Description: The algorithm to use to generate the key pair.

    Option value: RSA

    You can use a different algorithm, depending on your company’s policy.

Keytool option: -keystore

    Description: The location and name of the keystore file.

    The location can include the absolute path of the file. Or, it can be relative to the current directory of the command prompt where the keytool command is entered.

    Option value:

  • Custom Identity keystore: [appserverdomain]/adobe/[server name]/ads-ssl.jks

  • Custom Trust keystore: [appserverdomain]/adobe/[server name]/ads-ca.jks

Keytool option: -file

    Description: The location and name of the certificate file.

    Option value: ads-ca.cer

Keytool option: -validity

    Description: The number of days that the certificate is considered valid.

    Option value: 3650

    You can use a different value, depending on your company’s policy.

Keytool option: -storepass

    Description: The password that protects the contents of the keystore.

    Option value:

  • Custom Identity keystore: The keystore password must correspond with the SSL credential password that was specified for the Trust Store component of the Administration Console.

  • Custom Trust keystore: Use the same password that you used for the Custom Identity keystore.

Keytool option: -keypass

    Description: The password that protects the private key of the key pair.

    Option value: Use the same password that you used for the -storepass option. The key password must be at least six characters.

Keytool option: -dname

    Description: The distinguished name that identifies the person who owns the keystore.

    Option value: "CN=[User name],OU=[Group Name], O=[Company Name], L=[City Name], S=[State or province], C=[Country Code]"

  • [User name] is the identification of the user who owns the keystore.

  • [Group Name] is the identification of the corporate group that the keystore owner belongs to.

  • [Company Name] is your organization’s name.

  • [City Name] is the city where your organization is located.

  • [State or province] is the state or province where your organization is located.

  • [Country Code] is the two-letter code for the country where your organization is located.

For more information about using the keytool command, see the keytool.html file that is part of your JDK documentation.

Create the Custom Identity and Trust keystores

  1. From a command prompt, navigate to [appserverdomain]/adobe/[server name].

  2. Enter the following command:

    [JAVA_HOME]/bin/keytool -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass store_password -keypass key_password -dname "CN=Hostname, OU=Group Name, O=Company Name, L=City Name, S=State,C=Country Code"

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the placeholder values (store_password, key_password, and the values in the -dname string) with values that correspond with your environment.

    The keystore file is created in the [appserverdomain]/adobe/[server name] directory.

  3. Extract the certificate from the ads-credentials keystore by entering the following command:

    [JAVA_HOME]/bin/keytool -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass store_password

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password with the password for the Custom Identity keystore.

    The certificate file is created in the [appserverdomain]/adobe/[server name] directory.

  4. Copy the ads-ca.cer file to any host computers that need secure communication with the application server.

  5. Insert the certificate into a new keystore file (the Custom Trust keystore) by entering the following command:

    [JAVA_HOME]/bin/keytool -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass store_password -keypass key_password

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password and key_password with your own passwords.

The keystore file is created in the [appserverdomain]/adobe/[server] directory.
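
One way to check the two keystores after step 5, as an added example that is not part of the original documentation: it reads saved `keytool -list -v` output, tests whether the certificate's CN equals the host name (the condition this page gives for leaving Hostname Verification enabled), and confirms that both keystores hold the same certificate. The function names, the host name appsrv01.example.test and the sample listing are constructed for illustration.

```sh
# Added example (not from the original page): checks on saved `keytool -list -v` output.
# Real use, with the alias and file names from the procedure above:
#   keytool -list -v -alias ads-credentials -keystore ads-credentials.jks \
#       -storepass store_password > identity.txt

# Print one attribute (for example CN) of the first "Owner:" line in listing file $2.
# Limitation: attribute values that contain escaped commas are not handled.
owner_attr() {
    sed -n 's/^Owner: *//p' "$2" | head -n 1 | tr ',' '\n' |
        sed -n "s/^ *$1=//p" | head -n 1
}

# Print the SHA-256 fingerprint recorded in listing file $1.
cert_sha256() {
    sed -n 's/^[[:space:]]*SHA256: *//p' "$1" | head -n 1
}

# Succeed only if the certificate CN equals host name $1 (case-insensitive).
cn_matches_host() {
    cn=$(owner_attr CN "$2" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Succeed only if two listings describe the same certificate.
same_cert() {
    a=$(cert_sha256 "$1"); b=$(cert_sha256 "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample listing; the fingerprint is a made-up placeholder.
write_sample() {
    cat > "$1" <<'EOF'
Alias name: ads-credentials
Entry type: PrivateKeyEntry
Owner: CN=appsrv01.example.test, OU=Group Name, O=Company Name, L=City Name, ST=State, C=US
Issuer: CN=appsrv01.example.test, OU=Group Name, O=Company Name, L=City Name, ST=State, C=US
Certificate fingerprints:
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

sample=$(mktemp); write_sample "$sample"
cn_matches_host "APPSRV01.example.test" "$sample" && echo "CN matches host name"
rm -f "$sample"
```

Run `same_cert identity.txt trust.txt` on listings of ads-credentials.jks and ads-ca.jks, and repeat the fingerprint comparison on each host that receives ads-ca.cer in step 4.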

Configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic Server.

Configure WebLogic to use SSL

  1. Start the WebLogic Server Administration Console by typing http://[host name]:7001/console in the URL line of a web browser.

  2. Under Domain Configurations > Environment, click Servers, and then select [server].

  3. On the Configuration tab, ensure that Listen Port Enabled and SSL Listen Port Enabled are selected.

  4. If this server is a Managed Server, change Listen Port to an unused port value (such as 8001) and SSL Listen Port to an unused port value (such as 8002). On a stand-alone server, the default SSL port is 7002.

  5. Under Change Center in the left panel, click Lock & Edit to modify selections and values.

  6. On the Configuration tab, click Keystores, and select Custom Identity and Custom Trust from the Keystores list.

  7. Under Identity, specify the following values:

    Custom Identity Keystore: [appserverdomain]/adobe/[server name]/ads-credentials.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.

    Custom Identity Keystore Type: JKS

    Custom Identity Keystore Passphrase: mypassword

  8. Under Trust, specify the following values:

    Custom Trust Keystore File Name: [appserverdomain]/adobe/[server]/ads-ca.jks, where [appserverdomain] is the actual path

    Custom Trust Keystore Type: JKS

    Custom Trust Keystore Pass Phrase: mypassword

  9. Under Change Center, click Lock & Edit to modify selections and values.

  10. On the Configuration tab, click SSL. In the Identity and Trust Locations list, select Keystores.

  11. Under Identity, specify the following values:

    Private Key Alias: ads-credentials

    Passphrase: mypassword

  12. Under Change Center, click Lock & Edit to modify selections and values.

Disable the Hostname Verification feature

  1. On the Configuration tab, click SSL.

  2. Under Advanced, select None from the Hostname Verification list.

    If Hostname Verification is not disabled, the Common Name (CN) must contain the server host name.

  3. Under Change Center, click Lock & Edit to modify selections and values.

  4. Restart the application server.
