SSL installation on WebLogic 11g – part 1

In this first post of a three-part series, we outline the steps to install SSL certificates on a WebLogic 11g server so that it can service SSL requests from client web servers such as IIS and Apache.

In this first part, we show how to create Java keystores on the WebLogic 11g server. In the second part, we will show how to configure your WebLogic server to use the keystores to make it ready for SSL. Finally, we will show how to configure IIS 6.0 to communicate with WebLogic 11g through SSL.

Follow these steps on each managed server in the cluster that will be servicing SSL requests.

1. Create a custom identity key store

First, create a Java keystore to hold the server's signed certificate.

keytool -genkey -alias <alias name> -keyalg RSA -keysize 2048 -keystore <keystore file path>

Example:
keytool -genkey -alias wlpdomain -keyalg RSA -keysize 2048 -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks

Provide the CN, OU, O, City, Province and Country information along with the keystore password.

2. Create a Certificate Signing Request (CSR)

Create a Certificate Signing Request (CSR) using the Java keytool that ships with the JDK 1.6.x packaged with WebLogic 11g.

keytool -certreq -alias <alias name> -keystore <keystore file path> -file <CSR file name>

Example:

keytool -certreq -alias wlpdomain -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -file managed_server1.csr

Provide the password of the keystore at the prompt. Remember to use the same alias as you used to create the keystore.

3. Get signed certificate

Send the CSR file managed_server1.csr to a Certificate Signing Authority such as Verisign or Entrust to get a signed certificate. You should also receive a root/chain CA certificate along with the signed certificate.

4. Import the Certificate into the keystore

First, import the root/chain certificate provided by the Certificate Signing Authority.

keytool -import -alias <alias name> -keystore <keystore file path> -trustcacerts -file <root certificate file path>

Example:

keytool -import -alias root_ca -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -trustcacerts -file entrust_l1c_certificate.cer

Then import the signed certificate under the same alias that was used when creating the keystore and the CSR.

keytool -import -alias <alias name> -keystore <keystore file path> -trustcacerts -file <signed certificate from CA>

Example:

keytool -import -alias wlpdomain -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -trustcacerts -file managed_server1_signed.cer

5. Create a custom trust store and import the Root CA

Now create another keystore for the trust certificates. Import the root CA that you received in step 3 into a custom trust store.

keytool -import -file <root CA file path> -alias <alias name> -keystore <keystore file path>

Example:

keytool -import -file entrust_l1c_certificate.cer -alias trustCA -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainTrust.jks

Provide a password at the prompt for the key store.

At this point you should see two keystores on your filesystem. If you are following the example above, you should see the following files at this location:

/local/apps/bea103/wlserver_10.3/server/keystore/

wlpDomainIdentity.jks
wlpDomainTrust.jks

We will use these files to configure SSL and keystores on the WebLogic domain.
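
Before moving on, it is worth confirming that the signed certificate in step 4 really landed on the key entry. The check below is an added example, not part of the original post: it classifies one alias from the text printed by keytool -list -v. The function name, the status words and the abridged sample listings are constructed for illustration, and it assumes a CA-issued certificate always chains to at least one CA certificate.

```shell
#!/bin/sh
# Classify one alias from `keytool -list -v` output read on stdin.
# Prints: ok | still-self-signed | not-private-key | missing
identity_entry_status() {
  awk -v want="$1" '
    /^Alias name: /               { cur = substr($0, 13); if (cur == want) seen = 1 }
    /^Entry type: /               { if (cur == want) type = $3 }
    /^Certificate chain length: / { if (cur == want) len = $4 }
    END {
      if (!seen)                          print "missing"
      else if (type != "PrivateKeyEntry") print "not-private-key"
      else if (len + 0 < 2)               print "still-self-signed"
      else                                print "ok"
    }'
}

# Constructed sample: steps 1-4 done correctly (abridged keytool -list -v output).
sample_good() { cat <<'EOF'
Alias name: wlpdomain
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Alias name: root_ca
Entry type: trustedCertEntry
EOF
}

# Constructed sample: the signed certificate was imported under a different
# alias, so the key entry still holds only the self-signed certificate
# generated by -genkey (chain length 1).
sample_wrong_alias() { cat <<'EOF'
Alias name: wlpdomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: wlpdomain_signed
Entry type: trustedCertEntry
EOF
}

# Real use, with the keystore path from the example above:
#   keytool -list -v \
#     -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks \
#     | identity_entry_status wlpdomain
```

Anything other than ok for the identity alias means the server would present the self-signed certificate, or no key at all, once SSL is enabled.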

Written by Incepta

July 14, 2012
