By default WebLogic managed servers are configured with demo identity and trust information. This should be reconfigured to use real, or self-signed certificates. This article describes how this is done.<\/p>\n
Related articles.<\/p>\n
In order to configure SSL for a managed server, you are going to need identity and trust keystores and a certificate. If you don’t have a real certificate, you can create a self-signed certificate, as described here<\/a> and in this article.<\/p>\n For this article we will use a self-signed certificate, created using the keytool<\/a> utility. Perform the following steps as the “oracle” user.<\/p>\n Make a directory to hold the keystores.<\/p>\n Create the identity and trust keystores using the following commands. Notice the result of the We now have a self-signed certificate in a keystore will the following details, which will be referred back to later.<\/p>\n If you are working with WebLogic clusters spanning multiple machines, you have to make sure all certificates in the cluster are marked as trusted, otherwise the AdminServer will not be able to communicate with all the node managers.<\/p>\n Assuming you have a two node cluster, as described in this article<\/a>, you would have to do the following.<\/p>\n Make sure you have followed the process described in the previous section on each of the machines making up the cluster before continuing.<\/p>\n Make sall certificates are available on all nodes by copying them into the keystore folders on each server.<\/p>\n On the first node, load the certificate generated on the second node into the local trust keystore using the following command.<\/p>\n On the second node, load the certificate generated on the first node into the local trust keystore using the following command.<\/p>\n You can now continue with the rest of the configuration.<\/p>\n This process should be followed for the AdminServer and all managed servers.<\/p>\n The managed server will now be using the new identity and trust keystores.<\/p>\n Edit the “$WL_HOME\/common\/nodemanager\/nodemanager.properties” file, adding the following entries. The values used reflect the information used to create the keystores above.<\/p>\n Restart the node manager.<\/p>\n If you are using an older JRE, like Java 1.6, you may get the following type of error in the AdminServer logs.<\/p>\n To fix this we need to replace the old certificates used by the JRE, and therefore Perform the following operations as the “oracle” user.<\/p>\n Test you know the password for the JREs keystore. The default is “changeit”.<\/p>\n If that works, you are good to proceed.<\/p>\n Download the following updated certificates and place them in the security directory on the server.<\/p>\n Perform the following commands to load the certificates. The comment above certain commands gives you an idea of answers to prompts, or possible outcomes.<\/p>\n$ mkdir ~\/keystore\r\n$ cd ~\/keystore<\/pre>\n
hostname<\/code> command is used in the “CN=” entry.<\/p>\n$JAVA_HOME\/jre\/bin\/keytool -genkey -keyalg RSA -alias selfsigned -keystore identity.jks \\\r\n -dname \"CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB\" \\\r\n -storepass password1 -validity 3600 -keysize 2048 -keypass password1\r\n\r\n$JAVA_HOME\/jre\/bin\/keytool -selfcert -v -alias selfsigned -keypass password1 -keystore identity.jks \\\r\n -storepass password1 -storetype jks -validity 3600\r\n\r\n$JAVA_HOME\/jre\/bin\/keytool -export -v -alias selfsigned -file \"`hostname`-rootCA.der\" -keystore identity.jks \\\r\n -storepass password1\r\n\r\n# Trust? yes\r\n$JAVA_HOME\/jre\/bin\/keytool -import -v -trustcacerts -alias selfsigned -file \"`hostname`-rootCA.der\" \\\r\n -keystore trust.jks -storepass password1<\/pre>\n
\n
Clustered Environments<\/h2>\n
cd ~\/keystore\r\nscp wls11g-1.localdomain-rootCA.der oracle@wls11g-2.localdomain:\/home\/oracle\/keystore\r\nscp oracle@wls11g-2.localdomain:\/home\/oracle\/keystore\/wls11g-2.localdomain-rootCA.der .<\/pre>\n
$JAVA_HOME\/jre\/bin\/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-2.localdomain-rootCA.der \\\r\n -keystore trust.jks -storepass password1<\/pre>\n
$JAVA_HOME\/jre\/bin\/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-1.localdomain-rootCA.der \\\r\n -keystore trust.jks -storepass password1<\/pre>\n
Configure SSL for Managed Server<\/h2>\n
\n
\n
\n
\n
Configure Node Manager<\/h2>\n
KeyStores=CustomIdentityAndCustomTrust\r\nCustomIdentityKeystoreType=jks\r\nCustomIdentityKeyStoreFileName=\/home\/oracle\/keystore\/identity.jks\r\nCustomIdentityKeyStorePassPhrase=password1\r\nCustomIdentityPrivateKeyPassPhrase=password1\r\nCustomIdentityAlias=selfsigned\r\nCustomTrustKeystoreType=jks\r\nCustomTrustKeyStoreFileName=\/home\/oracle\/keystore\/trust.jks\r\nCustomTrustKeyStorePassPhrase=password1<\/pre>\n
Basic Constraints Extension Error<\/h2>\n
<BEA-090548> <The certificate chain received from ??? contained a V3 CA certificate\r\nwhich was missing the basic constraints extension><\/pre>\n
keytool<\/code>, when generating our self-signed certificates.<\/p>\ncd $JAVA_HOME\/jre\/lib\/security\r\n$JAVA_HOME\/bin\/keytool -keystore cacerts -list -storepass changeit<\/pre>\n
cd $JAVA_HOME\/jre\/lib\/security\r\nchmod 755 cacerts\r\n$JAVA_HOME\/bin\/keytool -keystore cacerts -delete -alias entrust2048ca -storepass changeit<\/pre>\n
\n
# Trust? yes\r\n$JAVA_HOME\/bin\/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer -storepass changeit\r\n$JAVA_HOME\/bin\/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer -storepass changeit\r\n# Overwrite? yes\r\n$JAVA_HOME\/bin\/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer -storepass changeit\r\n# May fail. That's OK.\r\n$JAVA_HOME\/bin\/keytool -keystore cacerts -delete -alias entrustsslca -storepass changeit<\/pre>\n