Configuring SSL for WebLogic Server

To configure SSL on WebLogic Server, you need an SSL credential for authentication. You can use Java keytool to perform the following tasks to create a credential:

  • Create a public/private key pair, wrap the public key in an X.509 v1 self-signed certificate that is stored as a single-element certificate chain, and then store the certificate chain and the private key in a new keystore. This keystore is the application server’s Custom Identity keystore.

  • Extract the certificate and insert it into a new keystore. This keystore is the application server’s Custom Trust keystore.

Then, configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. The procedure also disables the WebLogic Hostname Verification feature; this is necessary only because the distinguished name used to create the keystore files does not contain the name of the computer that hosts WebLogic. If you use the WebLogic host name as the CN of the certificate, you can leave Hostname Verification enabled, which is the safer configuration.

Creating an SSL credential for use on WebLogic Server

The keytool command is located in the bin directory of the JDK (it is also shipped with the JRE) and must include several options and option values. The options, what they mean, and the values used in this procedure are listed below.

-alias

  The name of the entry (key pair or trusted certificate) inside the keystore. WebLogic later refers to the identity entry by this alias (Private Key Alias).

  • Custom Identity keystore: ads-credentials

  • Custom Trust keystore: bedrock

-keyalg

  The algorithm to use to generate the key pair.

  RSA

  You can use a different algorithm, depending on your company’s policy. Also specify -keysize 2048 (or larger): JDK 6 and JDK 7 default to 1024-bit RSA keys, which are no longer considered adequate.

-keystore

  The location and name of the keystore file.

  The location can be an absolute path, or a path relative to the current directory of the command prompt where the keytool command is entered.

  • Custom Identity keystore: [appserverdomain]/adobe/[server name]/ads-credentials.jks

  • Custom Trust keystore: [appserverdomain]/adobe/[server name]/ads-ca.jks

-file

  The location and name of the exported certificate file.

  ads-ca.cer

-validity

  The number of days that the certificate is considered valid.

  3650

  You can use a different value, depending on your company’s policy.

-storepass

  The password that protects the contents of the keystore.

  • Custom Identity keystore: The keystore password must correspond with the SSL credential password that was specified for the Trust Store component of the Administration Console.

  • Custom Trust keystore: Use the same password that you used for the Custom Identity keystore.

-keypass

  The password that protects the private key of the key pair. It is not needed when importing a trusted certificate, because that entry has no private key.

  Use the same password that you used for the -storepass option. keytool requires a password of at least six characters.

-dname

  The X.500 distinguished name that becomes the subject of the certificate. It identifies the owner of the key, which for a server certificate should be the server itself.

  "CN=[User name],OU=[Group Name], O=[Company Name], L=[City Name], S=[State or province], C=[Country Code]"

  • [User name] is the identification of the owner of the keystore. For a server certificate, use the host name that clients connect to; WebLogic Hostname Verification then does not need to be disabled.

  • [Group Name] is the identification of the corporate group that the keystore owner belongs to.

  • [Company Name] is your organization’s name.

  • [City Name] is the city where your organization is located.

  • [State or province] is the state or province where your organization is located.

  • [Country Code] is the two-letter ISO 3166 code for the country where your organization is located (for example, IN or US).

For more information about using the keytool command, see the keytool.html file that is part of your JDK documentation.

Create the Custom Identity and Trust keystores

  1. From a command prompt, navigate to [appserverdomain]/adobe/[server name].

  2. Enter the following command:

    [JAVA_HOME]/bin/keytool -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass store_password -keypass key_password -dname "CN=Hostname, OU=Group Name, O=CompanyName, L=City Name, S=State, C=Country Code"

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password, key_password and the -dname fields with values that correspond with your environment. Use the WebLogic host name as the CN if you want to keep Hostname Verification enabled. Add -keysize 2048 unless your JDK already defaults to 2048-bit keys (JDK 6 and JDK 7 default to 1024 bits).

    For example:

    "C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass P@ssw0rd -keypass P@ssw0rd -dname "CN=wasnode01, OU=LC, O=Adobe, L=Noida, S=UP, C=IN"

    The Custom Identity keystore file named ‘‘ads-credentials.jks” is created in the [appserverdomain]/adobe/[server name] directory.

  3. Extract the certificate from the ads-credentials keystore by entering the following command:

    [JAVA_HOME]/bin/keytool -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass store_password

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password with the password for the Custom Identity keystore.

    For example:

    "C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass P@ssw0rd

    The certificate file named “ads-ca.cer” is created in the [appserverdomain]/adobe/[server name] directory.

  4. Copy the ads-ca.cer file to any host computers that need secure communication with the application server.

  5. Insert the certificate into a new keystore file (the Custom Trust keystore) by entering the following command:

    [JAVA_HOME]/bin/keytool -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass store_password -keypass key_password

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password and key_password with your own passwords.

    For example:

    "C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass P@ssw0rd -keypass P@ssw0rd

The Custom Trust keystore file named “ads-ca.jks” is created in the [appserverdomain]/adobe/[server name] directory.
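The three keytool invocations above, together with the checks from the option table, as an added example; this is not Adobe or Oracle code. The alias and file names are the ones used on this page; keytool being on the PATH, the sample distinguished name and the passwords are assumptions. The commands are built as argument lists rather than shell strings, which avoids the quoting mistakes that are easy to make with long -dname values, and the checks catch a country code that is not two letters, a password shorter than six characters, and a CN that does not match the WebLogic host (the case in which Hostname Verification would have to be disabled).

```python
"""Added example (not Adobe or Oracle code): build, check and optionally run the
three keytool commands from the procedure above.  Alias and file names are the
page's values; keytool on PATH, the sample DN and the passwords are assumptions."""
import re
import shutil
import subprocess

IDENTITY_ALIAS = "ads-credentials"   # key-pair entry in the Custom Identity keystore
TRUST_ALIAS = "bedrock"              # trusted-certificate entry in the Custom Trust keystore
DN_ATTRIBUTES = ("CN", "OU", "O", "L", "S", "C")   # RDN keys that keytool -dname accepts


def parse_dname(dname):
    """Split a keytool -dname string such as 'CN=host, OU=LC, C=IN' into a dict."""
    attrs = {}
    for part in dname.split(","):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        key, value = part.split("=", 1)
        key = key.strip().upper()
        if key not in DN_ATTRIBUTES:
            raise ValueError("keytool -dname does not accept attribute %r" % key)
        attrs[key] = value.strip()
    return attrs


def check_inputs(attrs, store_password, key_password):
    """Return the rules from the option table that the values break (empty list = OK)."""
    problems = []
    if not attrs.get("CN"):
        problems.append("CN must not be empty")
    if not re.fullmatch(r"[A-Z]{2}", attrs.get("C", "")):
        problems.append("C must be a two-letter country code, not %r" % attrs.get("C"))
    if min(len(store_password), len(key_password)) < 6:
        problems.append("keytool requires passwords of at least six characters")
    if store_password != key_password:
        problems.append("use the same value for -keypass and -storepass")
    return problems


def hostname_verification_possible(attrs, listen_host):
    """True when the CN is the WebLogic host name, so Hostname Verification can stay on.
    Assumption: exact case-insensitive match; wildcards and SAN are not considered."""
    return attrs.get("CN", "").lower() == listen_host.lower()


def keytool_commands(keytool, identity_ks, trust_ks, cert_file, dname,
                     store_password, key_password, validity=3650,
                     keysize=2048, san_host=None):
    """argv lists for the three keytool invocations (no shell quoting needed).
    -genkeypair/-exportcert/-importcert are the current names of -genkey/-export/-import."""
    genkeypair = [keytool, "-genkeypair", "-v", "-alias", IDENTITY_ALIAS,
                  "-keyalg", "RSA", "-keysize", str(keysize), "-sigalg", "SHA256withRSA",
                  "-keystore", identity_ks, "-validity", str(validity),
                  "-storepass", store_password, "-keypass", key_password,
                  "-dname", dname]
    if san_host:   # subjectAltName, which current TLS clients require; -ext needs JDK 7+
        genkeypair += ["-ext", "SAN=dns:" + san_host]
    exportcert = [keytool, "-exportcert", "-v", "-alias", IDENTITY_ALIAS,
                  "-file", cert_file, "-keystore", identity_ks,
                  "-storepass", store_password]
    # A trusted-certificate entry has no private key, so -keypass is not needed here.
    importcert = [keytool, "-importcert", "-v", "-noprompt", "-alias", TRUST_ALIAS,
                  "-file", cert_file, "-keystore", trust_ks,
                  "-storepass", store_password]
    return [genkeypair, exportcert, importcert]


def run_commands(commands):
    """Run the commands in order; returns False without running if keytool is absent."""
    if shutil.which(commands[0][0]) is None:
        return False
    for argv in commands:
        subprocess.run(argv, check=True)
    return True


def list_entries(keytool, keystore, store_password):
    """Output of 'keytool -list -v', to confirm alias, subject DN and key size."""
    return subprocess.run([keytool, "-list", "-v", "-keystore", keystore,
                           "-storepass", store_password],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    dname = "CN=wasnode01, OU=LC, O=Adobe, L=Noida, S=UP, C=IN"   # constructed sample
    attrs = parse_dname(dname)
    problems = check_inputs(attrs, "P@ssw0rd", "P@ssw0rd")
    if problems:
        raise SystemExit("\n".join(problems))
    cmds = keytool_commands("keytool", "ads-credentials.jks", "ads-ca.jks", "ads-ca.cer",
                            dname, "P@ssw0rd", "P@ssw0rd")
    if run_commands(cmds):
        print(list_entries("keytool", "ads-credentials.jks", "P@ssw0rd"))
    print("Hostname Verification can stay enabled:",
          hostname_verification_possible(attrs, "wasnode01"))
```

Passwords passed as command-line arguments are visible in process listings and shell history on the build host; run the commands on the WebLogic machine itself and restrict read access to the resulting .jks files, since the identity keystore holds the server's private key.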


Configure WebLogic to use SSL

  1. Start the WebLogic Server Administration Console by typing http://[host name]:7001/console in the URL line of a web browser.

  2. Under Environment, in Domain Configurations, select Servers > [server] > Configuration > General.

  3. Under General, in Configuration, ensure that Listen Port Enabled and SSL Listen Port Enabled are selected. If either is not enabled, do the following:

    1. Under the Change Center, click Lock & Edit so that you can modify selections and values.

    2. Select the Listen Port Enabled and SSL Listen Port Enabled check boxes.

  4. If this server is a Managed Server, change Listen Port to an unused port value (such as 8001) and SSL Listen Port to an unused port value (such as 8002). On a stand-alone server, the default SSL port is 7002.

  5. Click Save, and then under the Change Center click Activate Changes to apply the settings.

  6. Under Environment, in Domain Configurations, click Servers > [server] > Configuration > General.

  7. On the Configuration tab, click Keystores.

  8. Under the Change Center, click Lock & Edit so that you can modify selections and values.

  9. Next to Keystores, click Change to display the keystore options as a drop-down list, and select Custom Identity and Custom Trust.

  10. Under Identity, specify the following values:

    Custom Identity Keystore: [appserverdomain]/adobe/[server name]/ads-credentials.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.

    Custom Identity Keystore Type: JKS

    Custom Identity Keystore Passphrase: the -storepass value you used when creating ads-credentials.jks (P@ssw0rd in the example above)

  11. Under Trust, specify the following values:

    Custom Trust Keystore: [appserverdomain]/adobe/[server name]/ads-ca.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.

    Custom Trust Keystore Type: JKS

    Custom Trust Keystore Passphrase: the -storepass value you used when creating ads-ca.jks

  12. On the Configuration tab, click SSL.

  13. By default, Keystores is selected for Identity and Trust Locations. If not, change it to Keystores.

  14. Under Identity, specify the following values:

    Private Key Alias: ads-credentials

    Private Key Passphrase: the -keypass value you used when creating the key pair (P@ssw0rd in the example above)

  15. Click Save, and then under the Change Center click Activate Changes.

Disable the Hostname Verification feature

  1. Under the Change Center, click Lock & Edit so that you can modify selections and values.

  2. On the Configuration tab, click SSL.

  3. Under Advanced, select None from the Hostname Verification list.

    This step is required only because the CN in the certificate is not the WebLogic host name. If Hostname Verification is not disabled, the Common Name (CN) must contain the server host name. Note that None makes WebLogic, whenever it acts as an SSL client, accept a certificate issued for any host name; if the CN does match the host, leave the default verifier in place.

  4. Click Save, and then under the Change Center click Activate Changes.

  5. Restart the application server.
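The console steps of the two procedures above (Keystores, SSL and Hostname Verification), as an added WLST (Jython) script; this is not Adobe or Oracle code. The admin URL t3://localhost:7001, the weblogic user and password, the domain path and the passphrases are assumptions to replace; the MBean attribute names (KeyStores, CustomIdentityKeyStoreFileName, ServerPrivateKeyAlias, HostnameVerificationIgnored and so on) are the ServerMBean and SSLMBean counterparts of the console fields. The helpers that build the setting maps are plain Python, so they can be checked without a running server; only configure_ssl uses the WLST built-ins, and it switches Hostname Verification off only when told the certificate CN does not match the host, which is the page's condition for doing so.

```python
"""Added example (not Adobe or Oracle code): the console settings from the
procedures above as a WLST (Jython) script.  Admin URL, credentials, domain path
and passphrases are assumptions; MBean attribute names follow the console fields."""


def server_settings(domain_dir, server_name, store_passphrase, trust_passphrase):
    """ServerMBean attributes for Configuration > Keystores (steps 9 to 11)."""
    base = "%s/adobe/%s/" % (domain_dir, server_name)
    return {
        "KeyStores": "CustomIdentityAndCustomTrust",
        "CustomIdentityKeyStoreFileName": base + "ads-credentials.jks",
        "CustomIdentityKeyStoreType": "JKS",
        "CustomIdentityKeyStorePassPhrase": store_passphrase,
        "CustomTrustKeyStoreFileName": base + "ads-ca.jks",
        "CustomTrustKeyStoreType": "JKS",
        "CustomTrustKeyStorePassPhrase": trust_passphrase,
    }


def ssl_settings(ssl_port, key_passphrase, cn_matches_host):
    """SSLMBean attributes for Configuration > SSL and the Hostname Verification step.
    Verification is switched off (HostnameVerificationIgnored) only when the
    certificate CN does not name the host."""
    return {
        "Enabled": True,
        "ListenPort": ssl_port,
        "ServerPrivateKeyAlias": "ads-credentials",
        "ServerPrivateKeyPassPhrase": key_passphrase,
        "HostnameVerificationIgnored": not cn_matches_host,
    }


def apply_settings(mbean, settings):
    """Call set<Name>(value) on the MBean for each entry; returns the names applied."""
    applied = []
    for name in sorted(settings):
        getattr(mbean, "set" + name)(settings[name])
        applied.append(name)
    return applied


def configure_ssl(admin_url, user, password, domain_dir, server_name,
                  ssl_port, store_passphrase, key_passphrase, cn_matches_host):
    """Lock & Edit, change, Save and Activate Changes, using the WLST built-ins
    connect/edit/startEdit/cd/cmo/save/activate (only available under wlst.sh)."""
    connect(user, password, admin_url)
    edit()
    startEdit()
    try:
        cd("/Servers/" + server_name)
        apply_settings(cmo, server_settings(domain_dir, server_name,
                                            store_passphrase, store_passphrase))
        cd("/Servers/%s/SSL/%s" % (server_name, server_name))
        apply_settings(cmo, ssl_settings(ssl_port, key_passphrase, cn_matches_host))
        save()
        activate()
    except:
        cancelEdit("y")   # drop the pending edit instead of leaving a half-applied lock
        raise
    disconnect()


if __name__ == "__main__":
    configure_ssl("t3://localhost:7001", "weblogic", "welcome1",
                  "/opt/oracle/user_projects/domains/base_domain", "AdminServer",
                  7002, "P@ssw0rd", "P@ssw0rd", cn_matches_host=True)
```

Run it with the WebLogic wlst.sh or wlst.cmd wrapper (java weblogic.WLST script.py) and restart the server afterwards, as the console procedure requires. The passphrases are stored encrypted in config.xml once activated.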
