Wildcard SSL Certificates with WebLogic
— List the contents of the demo identity and trust keystores:
keytool -list -v -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
— Import the root and intermediate CA certificates into the trust keystore, then verify:
keytool -import -trustcacerts -alias rootcacert -keystore DemoTrust.jks -file D:\keystores\GeoTrust_Global_CA.pem -storepass DemoTrustKeyStorePassPhrase
keytool -import -trustcacerts -alias intercacert -keystore DemoTrust.jks -file D:\keystores\Geotrustintermediate.crt -storepass DemoTrustKeyStorePassPhrase
keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
— Import the wildcard certificate (PEM or CRT form) into the identity keystore under the alias "star" (when a private key already sits under that alias, keytool installs the certificate as its reply, which is why -keypass is supplied):
keytool -import -file D:\keystores\rmohan.com-2018.pem -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keypass DemoIdentityKeyStorePassPhrase
keytool -import -file D:\keystores\rmohan.com-2018.crt -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keypass DemoIdentityKeyStorePassPhrase
— To remove the "star" entry again (keytool -delete takes only the alias, not a -file argument), then verify:
keytool -delete -noprompt -alias star -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
keytool -list -v -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
— Import a PKCS12 file holding the private key and certificate chain into the identity keystore. The first form is the generic template, the second the wildcard keystore; the passwords are sample values, and on a Unix shell "PA$$word12" must be single-quoted because $$ expands to the shell's PID:
keytool -importkeystore -srckeystore host.p12 -destkeystore DemoIdentity.jks -srcstoretype pkcs12
keytool -importkeystore -srckeystore rmohan.com-2018.p12 -destkeystore DemoIdentity.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass PA$$word12 -deststorepass PA$$word12 -srcalias 1
1) Convert the server key and certificate, together with the CA chain, into PKCS12 format:
openssl pkcs12 -export -out Tomcat.p12 -inkey server.key -in server.crt -certfile g2chain.cer -name "Server-Cert"
2) Now convert the PKCS12 file into JKS format (the -name given in step 1 is the source alias here; the asterisks stand for the keystore and key passwords):
keytool -importkeystore -srckeystore Tomcat.p12 -destkeystore KEYSTORE.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass ********* -deststorepass ********* -srcalias Server-Cert -destalias tomcat -srckeypass ********* -destkeypass ********* -noprompt
Checking the logs showed the same error.
Ticking “Use JSSE SSL” does fix the problem easily.
Configure the servers to use wildcard verifier:
- Login to WLS console
- Click on “Environment” -> “Servers”; the servers will be displayed on your left
- Select the server (You’ll have to do this for all servers.)
- Go to the SSL tab
- Scroll down and expand the “Advanced” section
- Change the Hostname Verification entry from “Hostname” to “Custom Hostname Verifier”
- In the Custom Hostname Verifier form enter: “weblogic.security.utils.SSLWLSWildcardHostnameVerifier”
Restart the servers.
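Why the default verifier rejects the wildcard certificate while the custom one accepts it comes down to how the name in the certificate is compared with the host being connected to. The following is an added example, not WebLogic's own code: it shows the two comparisons side by side, assumes the conservative wildcard rules of RFC 6125 section 6.4.3 (WebLogic's SSLWLSWildcardHostnameVerifier may differ in details), and uses rmohan.com names only as sample input.

```python
# Added illustration of hostname-verification logic, not WebLogic's code.
# Assumes the conservative wildcard rules of RFC 6125 s.6.4.3.

def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def strict_match(cert_name: str, hostname: str) -> bool:
    """Default verifier behaviour: names must be equal (case-insensitive).
    A wildcard name such as *.rmohan.com therefore never matches a host."""
    return _norm(cert_name) == _norm(hostname)


def wildcard_match(cert_name: str, hostname: str) -> bool:
    """Wildcard-aware comparison (assumed rules):
      - '*' is honoured only as the entire left-most label;
      - it matches exactly one label (*.rmohan.com does not cover a.b.rmohan.com);
      - at least two labels must follow it, so '*.com' is refused."""
    cert_name, hostname = _norm(cert_name), _norm(hostname)
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels, host_labels = cert_name.split("."), hostname.split(".")
    if cert_labels[0] != "*" or "*" in cert_name[2:]:
        return False                       # partial or non-leading wildcard
    if len(cert_labels) < 3:
        return False                       # too broad, e.g. '*.com'
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False                       # wildcard spans exactly one label
    return cert_labels[1:] == host_labels[1:]


def hostname_matches_cert(hostname: str, san_dns: list, cn: str = "",
                          wildcards: bool = True) -> bool:
    """subjectAltName dNSName entries take precedence; the CN is consulted
    only when the certificate carries no dNSName at all."""
    names = san_dns if san_dns else ([cn] if cn else [])
    match = wildcard_match if wildcards else strict_match
    return any(match(name, hostname) for name in names)


if __name__ == "__main__":
    # Constructed sample hosts checked against a *.rmohan.com certificate.
    for host in ("www.rmohan.com", "a.b.rmohan.com", "rmohan.com"):
        print(host,
              "default:", hostname_matches_cert(host, ["*.rmohan.com"], wildcards=False),
              "wildcard:", hostname_matches_cert(host, ["*.rmohan.com"]))
```

Note that a wildcard covers only one label, so a bare rmohan.com or a second-level name like a.b.rmohan.com still needs its own certificate (or an extra SAN entry) even with the wildcard verifier enabled.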
Node Manager, by default, uses the Demo Identity keystore. You can observe this in $WL_HOME/common/nodemanager/nodemanager.log.
To configure Node Manager to use the custom keystores, add the following lines to the end of the nodemanager.properties file located in the $WL_HOME/common/nodemanager directory:
Note: Do this on all nodes.
cp $WL_HOME/common/nodemanager/nodemanager.properties $WL_HOME/common/nodemanager/nodemanager.properties.`date +%Y%m%d`
vi $WL_HOME/common/nodemanager/nodemanager.properties
— Add this at the bottom of the file. Replace the bracketed items with the correct values: the path changes in each environment, while the password stays the same because the keystores are copied over to the other environments.
##SSL Config changes
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=[LOCATION TO KEYSTORE]/my_key_identity.jks
CustomIdentityKeyStorePassPhrase=[PASSWORD]
CustomIdentityAlias=server_identity
CustomIdentityPrivateKeyPassPhrase=[PASSWORD]
The passphrase entries in the nodemanager.properties file are encrypted when you start Node Manager.
Restart Node Manager.
— Kill the Node Manager process (find its PID with ps and kill it), then start it again:
ps -ef | grep nodemanager
cd $WL_HOME/server/bin
rm -f nohup.out
nohup ./startNodeManager.sh &