Configure SSL on Weblogic

WebLogic Server 11g and 12c : Configure SSL for a Managed Server

By default WebLogic managed servers are configured with demo identity and trust information. This should be reconfigured to use real or self-signed certificates. This article describes how this is done.

Create Keystores and Certificates

In order to configure SSL for a managed server, you are going to need identity and trust keystores and a certificate. If you don’t have a real certificate, you can create a self-signed certificate, as described here and in this article.

For this article we will use a self-signed certificate, created using the keytool utility. Perform the following steps as the “oracle” user.

Make a directory to hold the keystores.

$ mkdir ~/keystore
$ cd ~/keystore

Create the identity and trust keystores using the following commands. Notice the result of the hostname command is used in the “CN=” entry.

$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore identity.jks \
   -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 3600 -keysize 2048 -keypass password1

$JAVA_HOME/jre/bin/keytool -selfcert -v -alias selfsigned -keypass password1 -keystore identity.jks \
   -storepass password1 -storetype jks -validity 3600

$JAVA_HOME/jre/bin/keytool -export -v -alias selfsigned -file "`hostname`-rootCA.der" -keystore identity.jks \
   -storepass password1

# Trust? yes
$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned -file "`hostname`-rootCA.der" \
   -keystore trust.jks -storepass password1

We now have a self-signed certificate in a keystore with the following details, which will be referred back to later.

  • Identity Keystore: “/home/oracle/keystore/identity.jks”
  • Trust Keystore: “/home/oracle/keystore/trust.jks”
  • Alias: selfsigned
  • Store Password: password1
  • Key Password: password1
  • Valid for: 3600 Days (Approx 10 Years)

Clustered Environments

If you are working with WebLogic clusters spanning multiple machines, you have to make sure all certificates in the cluster are marked as trusted, otherwise the AdminServer will not be able to communicate with all the node managers.

Assuming you have a two node cluster, as described in this article, you would have to do the following.

Make sure you have followed the process described in the previous section on each of the machines making up the cluster before continuing.

Make sure all certificates are available on all nodes by copying them into the keystore folders on each server.

cd ~/keystore
scp wls11g-1.localdomain-rootCA.der oracle@wls11g-2.localdomain:/home/oracle/keystore
scp oracle@wls11g-2.localdomain:/home/oracle/keystore/wls11g-2.localdomain-rootCA.der .

On the first node, load the certificate generated on the second node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-2.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1

On the second node, load the certificate generated on the first node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-1.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1

You can now continue with the rest of the configuration.

Configure SSL for Managed Server

This process should be followed for the AdminServer and all managed servers.

  • In the WebLogic Server Administration Console, click on “Servers” in the “Domain Structure” tree.
  • Click on the managed server you wish to configure.
  • Click on the “Configuration > Keystores” tab and sub-tab.
  • If you are running in production mode, click the “Lock & Edit” button.
  • Click the “Change” button next to the “Keystores” setting.
  • Select the “Custom Identity and Custom Trust” option and click the “Save” button.
  • Enter the identity details. For example.
    • Custom Identity Keystore: /home/oracle/keystore/identity.jks
    • Custom Identity Keystore Type: JKS
    • Custom Identity Keystore Passphrase: password1
    • Confirm Custom Identity Keystore Passphrase: password1
  • Enter the trust information. For example.
    • Custom Trust Keystore: /home/oracle/keystore/trust.jks
    • Custom Trust Keystore Type: JKS
    • Custom Trust Keystore Passphrase: password1
    • Confirm Custom Trust Keystore Passphrase: password1
  • Click the “Save” button.
  • Click the “SSL” tab.
  • Enter the identity details. For example.
    • Private Key Alias: selfsigned
    • Private Key Passphrase: password1
    • Confirm Private Key Passphrase: password1
  • Click the “Save” button.
  • If you are running in production mode, click the “Activate Changes” button.
  • Restart the managed server.

The managed server will now be using the new identity and trust keystores.

Configure Node Manager

Edit the “$WL_HOME/common/nodemanager/nodemanager.properties” file, adding the following entries. The values used reflect the information used to create the keystores above.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/home/oracle/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=password1
CustomIdentityPrivateKeyPassPhrase=password1
CustomIdentityAlias=selfsigned
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/oracle/keystore/trust.jks
CustomTrustKeyStorePassPhrase=password1

Restart the node manager.

Basic Constraints Extension Error

If you are using an older JRE, like Java 1.6, you may get the following type of error in the AdminServer logs.

<BEA-090548> <The certificate chain received from ??? contained a V3 CA certificate
which was missing the basic constraints extension>

To fix this we need to replace the old certificates used by the JRE, and therefore keytool, when generating our self-signed certificates.
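The condition the log message describes can be checked directly on an exported certificate before it goes into trust.jks. The following is an added example, not code from the original article: a pure standard-library Python script that walks the DER structure of a .der file and reports whether the basicConstraints extension (OID 2.5.29.19) is present and whether its cA flag is set. The sample_cert data is constructed for the self-test and is not a real certificate; check_bc.py is an assumed file name.

```python
import sys
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # id-ce-basicConstraints, 2.5.29.19

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each sibling TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def find_basic_constraints(der):
    """True/False = cA flag of basicConstraints, None = extension absent."""
    for tag, value in iter_tlvs(der):
        if tag == 0x30 and value[:5] == b"\x06\x03" + OID_BASIC_CONSTRAINTS:
            ext_value = list(iter_tlvs(value))[-1][1]        # extnValue OCTET STRING is last
            bc_seq = next(iter_tlvs(ext_value))[1]           # BasicConstraints SEQUENCE body
            return any(t == 0x01 and v == b"\xff" for t, v in iter_tlvs(bc_seq))
        if tag & 0x20:                                       # constructed type: descend
            found = find_basic_constraints(value)
            if found is not None:
                return found
    return None

def der(tag, body):
    """Encode a TLV (short or two-byte long-form length); used for constructed test data."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def sample_cert(ca):
    """Constructed stand-in for a cert's Extensions block (not real); ca=None omits basicConstraints."""
    exts = [der(0x30, der(0x06, bytes.fromhex("551d0e")) + der(0x04, der(0x04, b"\x01" * 20)))]
    if ca is not None:                                       # line above: subjectKeyIdentifier
        bc = der(0x30, der(0x01, b"\xff") if ca else b"")    # cA DEFAULT FALSE is left out
        exts.insert(0, der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff") + der(0x04, bc)))
    tbs = der(0x02, b"\x02") + der(0xA3, der(0x30, b"".join(exts)))   # version, [3] extensions
    return der(0x30, der(0x30, tbs))

if __name__ == "__main__":                    # python3 check_bc.py wls11g-1.localdomain-rootCA.der
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert(None)
    verdict = {True: "basicConstraints cA=TRUE", False: "basicConstraints cA=FALSE",
               None: "basicConstraints missing (the BEA-090548 condition)"}
    print(verdict[find_basic_constraints(data)])
```

The same information is shown by keytool -printcert -v -file on the .der file; the script is useful where you want the check in a deployment script without depending on the JRE's keytool.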

Perform the following operations as the “oracle” user.

Check that you know the password for the JRE's keystore. The default is “changeit”.

cd $JAVA_HOME/jre/lib/security
$JAVA_HOME/bin/keytool -keystore cacerts -list -storepass changeit

If that works, you are good to proceed.

cd $JAVA_HOME/jre/lib/security
chmod 755 cacerts
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrust2048ca -storepass changeit

Download the following updated certificates and place them in the security directory on the server.

Perform the following commands to load the certificates. The comment above certain commands gives you an idea of answers to prompts, or possible outcomes.

# Trust? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer -storepass changeit
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer -storepass changeit
# Overwrite? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer -storepass changeit
# May fail. That's OK.
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrustsslca -storepass changeit

You will have to recreate the keystores you built previously, so they will use the new certificates.

Once this is done, restart the node manager and any domains using the identity and trust keystores.
