In this blog entry we are going to discuss how to set up SSL in WebLogic Server.
By default, WebLogic Admin and managed servers are configured with demo identity and demo trust certificates. In production environments this should be reconfigured to use real certificates (certificates issued by a certifying authority). You can also configure self-signed certificates.
Before configuring SSL we need to understand what a keystore, an identity store, a trust store and the keytool utility are.
Key Store
It is used to store certificates. There are various types of keystore that WebLogic Server supports; the most common of them is the Java Key Store (JKS), which is a file-based repository with the extension .jks.
Identity Key Store
It is used to store the identity certificate (the signed certificate issued by a Certificate Authority (CA)), which provides the identity of the WebLogic Server or site.
Trust Key Store
It is used to store the trusted certificates, or certificates of certifying authorities, which provide trust for WebLogic Server.
keytool
This utility is used to generate key-pairs, generate a CSR, import certificates, list certificates, delete certificates etc.
In order to configure SSL, you need to perform the below steps:
- Generate a key-pair
- Generate Certificate Signing Request (CSR)
- Send the CSR to a Certificate Authority to get it signed.
- Import the Signed Certificate into keystore
- Configure WebLogic Admin & Managed Servers to use the above certificate keystore
Create a directory to hold the keystores
$ mkdir certs
$ cd certs/
$ export JAVA_HOME=/u01/app/oracle/product/fmw/jrockit-jdk1.6.0_33-R28.2.4-4.1.0/
$ export PATH=$PATH:$JAVA_HOME/bin
Generate a key-pair
A keystore with a key-pair can be created by executing the below command:
$ keytool -genkeypair -alias serverkey -keyalg RSA -keysize 1024 -dname "CN=localhost.localdomain,OU=IT,O=Mastan Inc,L=Hyderabad,S=AP,C=IN" -keystore appIdentity.jks -keypass welcome123 -storepass welcome123
$ ls
appIdentity.jks
This will generate the appIdentity.jks keystore, which is protected with the password welcome123; the certificate it contains is valid for 3 months (90 days) by default.
If you want the certificate to be valid for 1 year, add -validity 365 as in the below command:
$ keytool -genkeypair -alias serverkey -keyalg RSA -keysize 1024 -dname "CN=localhost.localdomain,OU=IT,O=Mastan Inc,L=Hyderabad,S=AP,C=IN" -keystore appIdentity.jks -keypass welcome123 -storepass welcome123 -validity 365
You can list the contents of the keystore by executing the below command (with -storepass given on the command line, keytool does not prompt for the password):
$ keytool -list -v -keystore appIdentity.jks -storepass welcome123
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: serverkey
Creation date: May 27, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Issuer: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Serial number: 5384cacf
Valid from: Tue May 27 22:56:39 IST 2014 until: Mon Aug 25 22:56:39 IST 2014
Certificate fingerprints:
MD5: 99:5C:9B:53:D2:37:BC:34:F7:E6:2D:55:99:DE:1B:2B
SHA1: 1D:EC:6D:E6:0F:AE:76:69:40:0C:73:C5:79:45:1E:74:31:C4:5F:84
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
The above keystore contains a PrivateKeyEntry with the alias serverkey.
Generate Certificate Signing Request
Using the key-pair, generate a certificate signing request (CSR). A CSR, or certification request, is a message sent from an applicant to a certificate authority in order to obtain a signed certificate.
Execute the below command to generate the CSR:
$ keytool -certreq -alias serverkey -file appIdentity.csr -keystore appIdentity.jks
Enter keystore password:
$ ls
appIdentity.csr appIdentity.jks
You can view the CSR file; it looks like the below:
$ cat appIdentity.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Send the above generated CSR file to a Certificate Authority to get it signed.
Import the Certificates
If you have received a signed certificate from a trusted CA, import it into your keystore under the same alias as the key-pair (serverkey), so that it replaces the self-signed certificate attached to the private key. With -trustcacerts, keytool verifies the CA reply against the trusted certificates in the JDK's cacerts file, so the CA's root and any intermediate certificates must be present there (or imported into the keystore) first. An example is demonstrated with the below command:
$ keytool -importcert -trustcacerts -file <signed cert.cer> -alias serverkey -keystore appIdentity.jks -storepass welcome123
For demonstration purposes here, we export the self-signed certificate and import it back into the keystore as a trusted certificate. Follow the below steps to do the same.
$ keytool -exportcert -file selfsign.cer -alias serverkey -keystore appIdentity.jks -storepass welcome123
Certificate stored in file <selfsign.cer>
$ ls
appIdentity.csr appIdentity.jks selfsign.cer
$ keytool -printcert -file selfsign.cer
Owner: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Issuer: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Serial number: 5384cacf
Valid from: Tue May 27 22:56:39 IST 2014 until: Mon Aug 25 22:56:39 IST 2014
Certificate fingerprints:
MD5: 99:5C:9B:53:D2:37:BC:34:F7:E6:2D:55:99:DE:1B:2B
SHA1: 1D:EC:6D:E6:0F:AE:76:69:40:0C:73:C5:79:45:1E:74:31:C4:5F:84
Signature algorithm name: SHA1withRSA
Version: 3
$ keytool -importcert -trustcacerts -file selfsign.cer -alias trustcert -keystore appIdentity.jks
Enter keystore password:
Certificate already exists in keystore under alias <serverkey>
Do you still want to add it? [no]: yes
Certificate was added to keystore
List the certificates in the keystore by executing the below command:
$ keytool -list -v -keystore appIdentity.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: trustcert
Creation date: May 27, 2014
Entry type: trustedCertEntry
Owner: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Issuer: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Serial number: 5384cacf
Valid from: Tue May 27 22:56:39 IST 2014 until: Mon Aug 25 22:56:39 IST 2014
Certificate fingerprints:
MD5: 99:5C:9B:53:D2:37:BC:34:F7:E6:2D:55:99:DE:1B:2B
SHA1: 1D:EC:6D:E6:0F:AE:76:69:40:0C:73:C5:79:45:1E:74:31:C4:5F:84
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
Alias name: serverkey
Creation date: May 27, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Issuer: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Serial number: 5384cacf
Valid from: Tue May 27 22:56:39 IST 2014 until: Mon Aug 25 22:56:39 IST 2014
Certificate fingerprints:
MD5: 99:5C:9B:53:D2:37:BC:34:F7:E6:2D:55:99:DE:1B:2B
SHA1: 1D:EC:6D:E6:0F:AE:76:69:40:0C:73:C5:79:45:1E:74:31:C4:5F:84
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
From the above, you can observe that the self-signed certificate has been imported into the keystore as a trustedCertEntry, alongside the PrivateKeyEntry serverkey.
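As an added pre-flight check (not part of the original post), the following Python script parses `keytool -list -v` output like the listing above and reports, for the alias WebLogic will present as its identity, whether it is really a PrivateKeyEntry, whether it is self-signed, whether its signature algorithm is deprecated, and how many days of validity remain. The embedded listing is a constructed sample trimmed from the output above; in use you would feed it the real listing, for example `keytool -list -v -keystore appIdentity.jks -storepass ... | python check.py`.

```python
import re
from datetime import datetime
# Constructed sample, trimmed from the listing in the post to the fields checked here.
SAMPLE_LISTING = """\
Alias name: trustcert
Entry type: trustedCertEntry
Valid from: Tue May 27 22:56:39 IST 2014 until: Mon Aug 25 22:56:39 IST 2014
Signature algorithm name: SHA1withRSA
*******************************************
*******************************************
Alias name: serverkey
Entry type: PrivateKeyEntry
Owner: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Issuer: CN=localhost.localdomain, OU=IT, O=Mastan Inc, L=Hyderabad, ST=AP, C=IN
Valid from: Tue May 27 22:56:39 IST 2014 until: Mon Aug 25 22:56:39 IST 2014
Signature algorithm name: SHA1withRSA
"""
WEAK_SIG = {"MD5withRSA", "SHA1withRSA"}
FIELDS = {"alias": r"^Alias name: (.+)$", "type": r"^Entry type: (.+)$", "owner": r"^Owner: (.+)$",
          "issuer": r"^Issuer: (.+)$", "sigalg": r"^Signature algorithm name: (.+)$"}

def parse_keytool_date(text):
    # keytool prints "Tue May 27 22:56:39 IST 2014"; strptime rejects most zone names, so
    # the zone token is dropped and all dates are compared as naive local values.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def parse_entries(listing):
    """One dict per alias in a `keytool -list -v` listing (first certificate of each)."""
    entries = []
    for block in [b for b in re.split(r"\*{10,}\n?", listing) if "Alias name:" in b]:
        entry = {}
        for key, pattern in FIELDS.items():
            match = re.search(pattern, block, re.M)
            entry[key] = match.group(1).strip() if match else None
        span = re.search(r"^Valid from: (.+?) until: (.+)$", block, re.M)
        entry["not_before"], entry["not_after"] = map(parse_keytool_date, span.groups())
        entries.append(entry)
    return entries

def check_identity(listing, alias, now, min_days=30):
    """Findings for the alias WebLogic will present as its identity; an empty list means OK."""
    now = datetime.strptime(now, "%Y-%m-%d") if isinstance(now, str) else now
    entry = next((e for e in parse_entries(listing) if e["alias"] == alias), None)
    if entry is None:
        return ["alias %r not found in keystore" % alias]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append("alias %r is a %s, not a PrivateKeyEntry" % (alias, entry["type"]))
    if entry["owner"] and entry["owner"] == entry["issuer"]:
        findings.append("certificate is self-signed; clients must trust it explicitly")
    if entry["sigalg"] in WEAK_SIG:
        findings.append("signature algorithm %s is deprecated" % entry["sigalg"])
    remaining = (entry["not_after"] - now).days
    if remaining < 0:
        findings.append("certificate expired %d days ago" % -remaining)
    elif remaining < min_days:
        findings.append("certificate expires in %d days" % remaining)
    return findings
```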
Create the custom trust keystore appTrust.jks by making a copy of the standard Java trust store:
$ cp /u01/app/oracle/product/fmw/jrockit-jdk1.6.0_33-R28.2.4-4.1.0/jre/lib/security/cacerts appTrust.jks
$ ls
appIdentity.csr appIdentity.jks appTrust.jks cacerts selfsign.cer
We now have a self-signed certificate in a keystore with the following details, which will be used while configuring SSL in WebLogic Server:
Identity Keystore: "/u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appIdentity.jks"
Trust Keystore: "/u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appTrust.jks"
Alias: serverkey
Key Store Password: welcome123
Key Password: welcome123
Valid for: 90 days
SSL Configurations in WebLogic Administration Console
You can now continue with the keystore and SSL configuration in the WebLogic Administration Console.
Configure SSL for Admin & Managed Servers
This process should be followed for the Admin Server and all managed servers.
- In the WebLogic Server Administration Console, click on "Servers" in the "Domain Structure" tree.
- Click on the Admin Server to configure.
- Click on the "Configuration > Keystores" tab and sub-tab.
- Click the "Change" button next to the "Keystores" setting.
- Select the "Custom Identity and Custom Trust" option and click the "Save" button.
- Enter the Custom Identity Keystore: /u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appIdentity.jks, Custom Identity Keystore Type: JKS, Custom Identity Keystore Passphrase: welcome123.
- Enter the Custom Trust Keystore: /u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appTrust.jks, Custom Trust Keystore Type: JKS, Custom Trust Keystore Passphrase: welcome123, Confirm Trust Keystore Passphrase: welcome123 and click the "Save" button.
- Click the "SSL" tab.
- Enter the Private Key Alias: serverkey, Private Key Passphrase: welcome123, Confirm Private Key Passphrase: welcome123 and Click the "Save" button.
- Click on the Admin Server
- Click on the "Configuration > General" tab and sub-tab.
- Select the SSL Listen Port Enabled check-box and enter the SSL Listen Port, for example 7002.
Repeat the above steps for all managed servers in the domain.
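As an added example (not part of the original post), the same keystore and SSL settings can be applied to every server in the domain with a WLST script instead of repeating the console clicks per server. It assumes the certs directory, alias and admin port from this post, an admin URL of t3://localhost:7001, and credentials and keystore passwords supplied through environment variables (WLS_USER, WLS_PASSWORD, KEYSTORE_PASS, TRUST_PASS, KEY_PASS, all names chosen here); the MBean attribute names are WebLogic's own.

```python
# WLST (Jython) script, run with $WL_HOME/common/bin/wlst.sh; applies the console
# steps above to every server in the domain in one edit session.
import os

def ssl_settings(identity_jks, trust_jks, alias, identity_pass, trust_pass, key_pass):
    """MBean attributes behind the console steps, as (sub-MBean, attribute, value).
    "" is the ServerMBean at /Servers/<name>; "SSL" is its SSLMBean at /Servers/<name>/SSL/<name>."""
    return [
        ("", "KeyStores", "CustomIdentityAndCustomTrust"),
        ("", "CustomIdentityKeyStoreFileName", identity_jks),
        ("", "CustomIdentityKeyStoreType", "JKS"),
        ("", "CustomIdentityKeyStorePassPhrase", identity_pass),
        ("", "CustomTrustKeyStoreFileName", trust_jks),
        ("", "CustomTrustKeyStoreType", "JKS"),
        ("", "CustomTrustKeyStorePassPhrase", trust_pass),
        ("SSL", "ServerPrivateKeyAlias", alias),
        ("SSL", "ServerPrivateKeyPassPhrase", key_pass),
        ("SSL", "Enabled", "true"),
    ]

def mbean_path(server, sub):
    """Edit-tree path for a server's own MBean ("") or one of its sub-MBeans ("SSL")."""
    return "/Servers/%s" % server if not sub else "/Servers/%s/%s/%s" % (server, sub, server)

def apply_to_all_servers(settings, ssl_ports):
    """Needs the WLST globals (edit, startEdit, cd, set, cmo, save, activate).
    ssl_ports maps server name to SSL listen port; servers not listed keep their current port."""
    edit()
    startEdit()
    cd("/")
    for server in [s.getName() for s in cmo.getServers()]:   # collect names before cd() moves cmo
        for sub, attr, value in settings:
            cd(mbean_path(server, sub))
            set(attr, value)            # WLST's set(attr, value), not Python's builtin
        if server in ssl_ports:
            cd(mbean_path(server, "SSL"))
            set("ListenPort", ssl_ports[server])
    save()
    activate()

if __name__ == "__main__":
    # Assumed: the certs directory from the post, the admin URL, and credentials and
    # keystore passwords supplied through environment variables rather than hard-coded.
    certs = "/u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs"
    connect(os.environ["WLS_USER"], os.environ["WLS_PASSWORD"], "t3://localhost:7001")
    apply_to_all_servers(
        ssl_settings(certs + "/appIdentity.jks", certs + "/appTrust.jks", "serverkey",
                     os.environ["KEYSTORE_PASS"], os.environ["TRUST_PASS"], os.environ["KEY_PASS"]),
        {"AdminServer": 7002})
    disconnect()
```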
Configure Node Manager
Change the Node Manager to use the custom keystores and the new certificates.
Edit the "$WL_HOME/common/nodemanager/nodemanager.properties" file, adding the following entries. The values used reflect the information used to create the keystores above.
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appIdentity.jks
CustomIdentityKeyStorePassPhrase=welcome123
CustomIdentityPrivateKeyPassPhrase=welcome123
CustomIdentityAlias=serverkey
Restart the node manager.
Restart the Admin Server and managed servers.
In the logs you can see the following:
<May 27, 2014 11:30:26 PM IST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias serverkey from the jks keystore file /u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appIdentity.jks.>
<May 27, 2014 11:30:32 PM IST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/app/oracle/product/fmw/user_projects/domains/test_domain/certs/appTrust.jks.>
..............
..............
<May 27, 2014 11:30:32 PM IST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 127.0.0.1:7002 for protocols iiops, t3s, ldaps, https.>
<May 27, 2014 11:30:32 PM IST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
<May 27, 2014 11:30:32 PM IST> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "test_domain" running in Development Mode>
<May 27, 2014 11:30:32 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<May 27, 2014 11:30:32 PM IST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>