Step-1 Create Identity Store
To create an identity store we use the keytool command. The single command below does two things at once: it creates the identity store and generates a private key (with a self-signed certificate) for our WebLogic server.
keytool -genkeypair -alias serverCert -keyalg RSA -keysize 2048 -validity 3650 -keypass <private key password> -keystore IdentityKeystore.jks -storepass <keystore password>
keytool -genkeypair -alias serverCert -keyalg RSA -keysize 2048 -validity 3650 -keypass welcome1 -keystore IdentityKeystore.jks -storepass welcome1
====================================================================================================
Step-2 Create Sign Request
Next, generate a certificate signing request with the private key created in the previous step. Run this command:
keytool -certreq -alias serverCert -file certreq.pem -keystore IdentityKeystore.jks
This creates the CSR file 'certreq.pem'. Once you provide it to the CA, they sign it and return the signed server certificate along with the root and intermediate certificates, if any.
======================================================================================================
Step-3 Import Signed Certificates
Now the signed certificates must be imported into the identity keystore. Note that the import order must be root first, then intermediate, then the signed server certificate (imported under the same alias as the private key, so that keytool merges the CA reply with the key instead of creating a separate entry).
keytool -importcert -trustcacerts -alias root -file certs/RootCert.cer -keystore IdentityKeystore.jks
keytool -importcert -alias inter -file certs/IntermediateCert.cer -keystore IdentityKeystore.jks
keytool -importcert -alias serverCert -file certs/SignedCert.cer -keystore IdentityKeystore.jks
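A quick way to confirm that the third import actually merged the CA reply under serverCert (rather than failing or landing as a separate trusted entry) is to inspect `keytool -list -v -keystore IdentityKeystore.jks` and check that the entry is a PrivateKeyEntry whose chain runs leaf, intermediate, root with each issuer matching the next subject. The checker below is an added example, not code from the original post; the sample keytool output it parses is constructed and abridged.

```python
# Added check (not from the original post): parse `keytool -list -v` output and
# confirm the serverCert chain was merged and ordered leaf -> intermediate -> root.
# Constructed, abridged keytool -list -v output; real output has more fields.
SAMPLE = """\
Alias name: servercert
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=weblogic.example.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

def parse_keytool_list(text):
    """Map lowercase alias -> {'type': entry type, 'certs': [{'owner', 'issuer'}]}."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if key == "Alias name":
            cur = entries[val.lower()] = {"type": None, "certs": []}
        elif cur is not None and key == "Entry type":
            cur["type"] = val
        elif cur is not None and key == "Owner":
            cur["certs"].append({"owner": val})
        elif cur is not None and key == "Issuer":
            cur["certs"][-1]["issuer"] = val
    return entries

def check_identity_chain(text, alias="serverCert"):
    """Return problems with the server entry; an empty list means the import worked."""
    entry = parse_keytool_list(text).get(alias.lower())  # keytool lowercases aliases
    if entry is None:
        return ["alias %s not present" % alias]
    probs, certs = [], entry["certs"]
    if entry["type"] != "PrivateKeyEntry":
        probs.append("%s is %s: CA reply was not merged with the key" % (alias, entry["type"]))
    if len(certs) < 2:
        probs.append("chain length %d: still only the self-signed cert" % len(certs))
    for i in range(len(certs) - 1):  # each issuer must equal the next cert's subject
        if certs[i]["issuer"] != certs[i + 1]["owner"]:
            probs.append("Certificate[%d] issuer != Certificate[%d] owner" % (i + 1, i + 2))
    if certs and certs[-1]["owner"] != certs[-1]["issuer"]:
        probs.append("chain does not end in a self-signed root")
    return probs
```

Feed it the real output with `check_identity_chain(open("list.txt").read())` after redirecting keytool's listing to a file.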
========================================================================================================
Step-4 Create TrustStore
Here, too, a single command creates the trust store and adds the trusted certificate to it. Each certificate needs its own alias; importing a second certificate under an alias that already exists fails.
keytool -importcert -trustcacerts -file certs/RootCert.cer -alias root -keystore Truststore.jks
keytool -importcert -file certs/IntermediateCert.cer -alias inter -keystore Truststore.jks
======================================================================================================
Step-5 Point Weblogic to use Custom Keystore
Now that we have both the custom identity store and the custom truststore ready, it is time to change WebLogic to use them. Log in to the admin console and select 'Admin Server' on the Summary of Servers page. Go to Configuration > Keystores and replace the identity and trust keystores with the custom ones.
=========================================================================================================
Step-6 Update setDomainEnv.sh
Note that you need to remove the reference to DemoTrust from the setDomainEnv.sh file. Either remove this entry from EXTRA_JAVA_PROPERTIES or update it with the location of your custom trust store:
-Djavax.net.ssl.trustStore=${WL_HOME}/server/lib/DemoTrust.jks
If you remove it, add the javax.net.ssl.trustStore property to the startup arguments of your admin and managed servers; otherwise WebLogic will fall back on the Java cacerts file as its truststore.
To find out which trust store is actually in force, add the following to the startup arguments:
-Dssl.debug=true -Djavax.net.debug=ssl
==============================================================================================
After performing all the above steps, WebLogic is configured to use the custom identity store and truststore. Import all the trusted certificates into the custom truststore to enable SSL-related functions; for example, to invoke a web service over SSL, first retrieve the certificates from the URL and import the root, intermediate and load balancer certificates into this truststore. Refer to another post on this here.