In this first post of a three-part series, we outline the steps to install SSL certificates on a WebLogic 11g server so that it can service SSL requests from client web servers such as IIS and Apache.
In this first part, we show how to create Java keystores on the WebLogic 11g server. In the second part, we show how to configure the WebLogic server to use those keystores so that it is ready for SSL. In the third part, we show how to configure IIS 6.0 to communicate with WebLogic 11g over SSL.
Follow these steps on each managed server in the cluster that will be servicing SSL requests.
1. Create a custom identity key store
First, create a Java keystore to hold the server's key pair and, after step 4, its signed certificate.
keytool -genkey -alias <alias name> -keyalg RSA -keysize 2048 -keystore <keystore file path>
Example:
keytool -genkey -alias wlpdomain -keyalg RSA -keysize 2048 -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks
At the prompts, provide the CN, OU, O, City, Province and Country information along with the keystore password.
2. Create a Certificate Signing Request (CSR)
Create a Certificate Signing Request (CSR) using the Java keytool that ships with the JDK 1.6.x packaged with WebLogic 11g.
keytool -certreq -alias <alias name> -keystore <keystore file path> -file <file name for the CSR>
Example:
keytool -certreq -alias wlpdomain -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -file managed_server1.csr
Provide the keystore password at the prompt. Use the same alias you used when creating the keystore.
3. Get signed certificate
Send the CSR file managed_server1.csr to a Certificate Authority (CA) such as Verisign or Entrust to obtain a signed certificate. You should also receive the root/chain CA certificate along with the signed certificate.
4. Import the Certificate into the keystore
First import the root/chain certificate provided by the Certificate Authority.
keytool -import -alias <alias name> -keystore <keystore file path> -trustcacerts -file <root certificate file path>
Example:
keytool -import -alias root_ca -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -trustcacerts -file entrust_l1c_certificate.cer
Then import the signed certificate under the same alias that was used when creating the keystore and the CSR.
keytool -import -alias <alias name> -keystore <keystore file path> -trustcacerts -file <signed certificate from CA>
Example:
keytool -import -alias wlpdomain -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainIdentity.jks -trustcacerts -file managed_server1_signed.cer
5. Create a custom trust store and import the Root CA
Now create a second keystore for trusted certificates. Import the root CA certificate that you received in step 3 into this custom trust store.
keytool -import -file <root CA file path> -alias <alias name> -keystore <keystore file path>
Example:
keytool -import -file entrust_l1c_certificate.cer -alias trustCA -keystore /local/apps/bea103/wlserver_10.3/server/keystore/wlpDomainTrust.jks
Provide a password for the new trust store at the prompt.
At this point you should see two keystores on your filesystem. If you followed the example above, the following files exist in this location:
/local/apps/bea103/wlserver_10.3/server/keystore/
wlpDomainIdentity.jks
wlpDomainTrust.jks
We will use these files to configure SSL and the keystores on the WebLogic domain.
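The following POSIX shell script is added here as a worked example; it is not code from the original post or from Oracle. It runs the five keytool steps above non-interactively and then checks the result the way a practitioner would before handing the keystores to WebLogic: the server alias must be a PrivateKeyEntry (the signed certificate was imported on top of the key, not under a separate alias) and the CA certificate must be a trustedCertEntry in both stores. Paths and aliases are the post's example values; the subject DN, the certificate file names and the IDENTITY_PASS/TRUST_PASS environment variables are assumptions. It uses the -genkeypair and -importcert spellings, which JDK 6 and later accept alongside -genkey and -import.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the WebLogic JDK's
# keytool is on PATH and that the keystore passwords are supplied through the
# IDENTITY_PASS and TRUST_PASS environment variables rather than typed into
# command lines (where they would land in shell history).

KEYSTORE_DIR=${KEYSTORE_DIR:-/local/apps/bea103/wlserver_10.3/server/keystore}
IDENTITY_JKS=$KEYSTORE_DIR/wlpDomainIdentity.jks
TRUST_JKS=$KEYSTORE_DIR/wlpDomainTrust.jks
SERVER_ALIAS=wlpdomain
ROOT_ALIAS=root_ca
TRUST_ALIAS=trustCA
ROOT_CERT=entrust_l1c_certificate.cer      # placeholder: root/chain cert from the CA
SIGNED_CERT=managed_server1_signed.cer     # placeholder: signed cert returned by the CA
# Placeholder subject. The CN must be the hostname clients connect to, or they
# will reject the certificate. Without -dname keytool prompts for these fields.
DNAME="CN=managed_server1.example.com, OU=IT, O=Example Corp, L=Toronto, ST=Ontario, C=CA"

# Steps 1 and 2: key pair plus CSR. Only the CSR leaves the server; the private
# key stays inside the identity keystore.
make_identity_and_csr() {
  keytool -genkeypair -alias "$SERVER_ALIAS" -keyalg RSA -keysize 2048 \
    -dname "$DNAME" -keystore "$IDENTITY_JKS" \
    -storepass "$IDENTITY_PASS" -keypass "$IDENTITY_PASS"
  keytool -certreq -alias "$SERVER_ALIAS" -keystore "$IDENTITY_JKS" \
    -storepass "$IDENTITY_PASS" -file managed_server1.csr
}

# Steps 4 and 5, run once the CA has replied. The CA certificate must be
# imported first; importing the signed certificate before it fails with
# "Failed to establish chain from reply".
import_signed_chain() {
  keytool -importcert -noprompt -trustcacerts -alias "$ROOT_ALIAS" \
    -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS" -file "$ROOT_CERT"
  keytool -importcert -trustcacerts -alias "$SERVER_ALIAS" \
    -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS" -file "$SIGNED_CERT"
  keytool -importcert -noprompt -alias "$TRUST_ALIAS" \
    -keystore "$TRUST_JKS" -storepass "$TRUST_PASS" -file "$ROOT_CERT"
}

# entry_type ALIAS: reads "keytool -list" output on stdin and prints the entry
# type stored under ALIAS (nothing if the alias is absent). keytool lower-cases
# aliases, so "trustCA" is listed as "trustca"; the match is case-insensitive.
entry_type() {
  awk -v a="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    index(tolower($0), a ",") == 1 {
      if ($0 ~ /PrivateKeyEntry/)       print "PrivateKeyEntry"
      else if ($0 ~ /trustedCertEntry/) print "trustedCertEntry"
      else                              print "unknown"
    }'
}

# verify_keystores: returns 0 only if both stores have the expected layout.
verify_keystores() {
  id_list=$(keytool -list -keystore "$IDENTITY_JKS" -storepass "$IDENTITY_PASS")
  tr_list=$(keytool -list -keystore "$TRUST_JKS" -storepass "$TRUST_PASS")
  [ "$(printf '%s\n' "$id_list" | entry_type "$SERVER_ALIAS")" = PrivateKeyEntry ] || return 1
  [ "$(printf '%s\n' "$id_list" | entry_type "$ROOT_ALIAS")" = trustedCertEntry ] || return 1
  [ "$(printf '%s\n' "$tr_list" | entry_type "$TRUST_ALIAS")" = trustedCertEntry ] || return 1
}

# Constructed sample of "keytool -list" output (fingerprints are made up), so
# entry_type can be exercised without a real keystore.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root_ca, Jan 5, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
wlpdomain, Jan 5, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

sample_entry_type() {
  printf '%s\n' "$SAMPLE_LIST" | entry_type "$1"
}
```

Nothing runs at the top level, so the file can be sourced (`. ./wl_keystores.sh`) with IDENTITY_PASS and TRUST_PASS exported; call make_identity_and_csr on each managed server, send the resulting CSR to the CA, and once the signed certificate arrives run import_signed_chain followed by verify_keystores. A trustedCertEntry under the server alias is the usual symptom of having imported the signed certificate under a different alias than the one used for the CSR, which leaves WebLogic with no private key to serve SSL.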