Configuring SSL on Weblogic 8.1

If you're new to SSL, please read our SSL Overview. You may also find the BEA documentation and BEA viewlet helpful. The information contained herein supplements the BEA documentation and answers some of the questions it leaves open.

SSL installation on Weblogic 8.1 involves 4 main steps:

  • Obtain SSL Certificate from a trusted certificate authority
  • Create Keystores
  • Configure Keystores through WebLogic Administrative Console
  • Configure SSL through Administrative Console

Obtain SSL Certificate
To set up SSL, the server needs a private key, a digital certificate containing the matching public key, and a certificate for at least one trusted certificate authority. To obtain a digital certificate from a trusted certificate authority, a Certificate Signing Request (CSR) must be generated. The keytool utility provided by Sun Microsystems, which is included with the Java SDK, can generate both the private key and the CSR. The RSA algorithm must be specified instead of keytool's default DSA algorithm, since WebLogic does not support DSA.

Create a private key with a self-signed certificate.

# keytool -genkey -alias {server} -keyalg RSA -keysize 1024 -keypass {serverpass} -keystore {server}.jks -storepass {storepassphrase}

Create a CSR.

# keytool -certreq -alias {server} -sigalg "MD5withRSA" -file {server}.pem -keypass {serverpass} -keystore {server}.jks -storepass {storepassphrase}

Replace the names enclosed in curly braces with your own names and pass phrases.

Submit the CSR to a certificate authority to obtain an SSL certificate. Please note that WebLogic Server does NOT support the DSA (Digital Signature Algorithm). The keytool utility generates DSA key pairs by default, so RSA must be specified explicitly as the key pair generation and signature algorithm (the -keyalg RSA option above). WebLogic Server can use digital certificates in either PEM or DER format; a private key that is not stored in a keystore must be in PEM format.

Save the certificate file returned by the certificate authority as a .pem file.

Create Keystores
A keystore is a mechanism for creating and managing private key/digital certificate pairs and trusted CA certificates. Although a single keystore can hold both Identity and Trust, it is recommended to use two separate keystores. The Identity keystore stores the server's private key and digital certificate pairs, while the Trust keystore stores the trusted CA certificates.

Important: The Identity keystore should contain at least two certificates: (1) the server certificate and private key pair, and (2) the root certificate. The Trust keystore holds one trusted certificate, which may or may not be the same as the root certificate. The root certificate is needed in the Identity keystore so that the server certificate can be validated through the certificate chain. Neither the root certificate nor the trust certificate has a private key.

Import the certificate returned by VeriSign into the Identity keystore.

# keytool -import -alias {server} -file {certfromverisign}.pem -keypass {serverpass} -keystore {server}.jks -storepass {storepassphrase}

Note: Use the same keystore and alias that were created in the earlier step. The import replaces the self-signed digital certificate with the one returned by VeriSign.

Create a Trust keystore for the VeriSign trust certificate.

# keytool -import -alias {trustca} -trustcacerts -file {verisign_cacert}.pem -keystore {trust}.jks -storepass {keystorepassphrase}
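Before pointing WebLogic at the two keystores, it is worth confirming that they actually ended up with the layout described above: the Identity keystore holding the private key with a chain that ends in the root, plus the root itself as a trusted entry, and the Trust keystore holding CA certificates only, never a private key. The Python script below is an added example (not from this page or from BEA) that parses the output of keytool -list -v and reports deviations from those rules. It also catches the common mistake where the CA reply was never imported and the alias still holds the self-signed certificate from the -genkey step, and it flags certificates signed with MD5 or SHA-1, which CAs no longer issue and current clients reject. The listings it checks are constructed, abridged samples; the aliases and distinguished names are made up. On a real keystore, feed it the output of keytool -list -v -keystore {server}.jks -storepass {storepassphrase} instead.

```python
"""Audit 'keytool -list -v' output against the identity / trust keystore layout described
above (added example; not from the original page or from BEA)."""
from dataclasses import dataclass, field
from typing import List

# Certificate signature algorithms that CAs no longer issue and current clients reject.
WEAK_SIGALG_PREFIXES = ("MD2", "MD5", "SHA1")

@dataclass
class Cert:
    owner: str = ""
    issuer: str = ""
    sigalg: str = ""

    def is_self_signed(self) -> bool:
        return self.owner == self.issuer  # a root, or a server cert the CA reply never replaced

@dataclass
class Entry:
    alias: str
    entry_type: str = ""
    chain: List[Cert] = field(default_factory=list)  # a trusted entry holds exactly one cert

    def holds_private_key(self) -> bool:
        return self.entry_type.lower() in ("keyentry", "privatekeyentry")  # JDK 1.4 / newer spelling

    def is_trusted_cert(self) -> bool:
        return self.entry_type.lower() == "trustedcertentry"

def parse_keytool_list(text: str) -> List[Entry]:
    """Turn the verbose listing into one Entry per alias."""
    entries: List[Entry] = []
    entry = cert = None
    for raw in text.splitlines():
        name, _, value = raw.strip().partition(":")
        value = value.strip()
        if name == "Alias name":
            entry, cert = Entry(alias=value), None
            entries.append(entry)
        elif entry is None:
            continue  # header lines such as "Keystore type: JKS"
        elif name == "Entry type":
            entry.entry_type = value
        elif name == "Owner":  # first line of each certificate in the chain
            cert = Cert(owner=value)
            entry.chain.append(cert)
        elif cert is not None and name == "Issuer":
            cert.issuer = value
        elif cert is not None and name == "Signature algorithm name":
            cert.sigalg = value
    return entries

def audit_identity_keystore(entries: List[Entry]) -> List[str]:
    """Expect a private key whose chain ends in the root CA, plus that root as a trusted entry."""
    problems: List[str] = []
    key_entries = [e for e in entries if e.holds_private_key()]
    if not key_entries:
        problems.append("no private key entry: the server has no identity to present")
    for e in key_entries:
        if not e.chain:
            problems.append(f"{e.alias}: no certificate chain listed")
        elif len(e.chain) == 1 and e.chain[0].is_self_signed():
            problems.append(f"{e.alias}: still self-signed; the CA reply was never imported")
        elif not e.chain[-1].is_self_signed():
            problems.append(f"{e.alias}: chain does not end in a root CA (last issuer {e.chain[-1].issuer})")
        for c in e.chain:
            if c.sigalg.upper().startswith(WEAK_SIGALG_PREFIXES):
                problems.append(f"{e.alias}: weak signature algorithm {c.sigalg} on {c.owner}")
    if not any(e.is_trusted_cert() for e in entries):
        problems.append("no trusted root certificate entry alongside the private key")
    return problems

def audit_trust_keystore(entries: List[Entry]) -> List[str]:
    """Expect trusted CA certificate(s) only; a private key never belongs here."""
    problems: List[str] = []
    if not any(e.is_trusted_cert() for e in entries):
        problems.append("no trusted certificate entry: nothing to validate peers against")
    problems += [f"{e.alias}: private key found in the trust keystore" for e in entries if e.holds_private_key()]
    return problems

# Constructed, abridged sample listings; aliases and distinguished names are made up for this example.
IDENTITY_OK = """\
Keystore type: JKS

Alias name: myserver
Entry type: PrivateKeyEntry
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Signature algorithm name: SHA256withRSA
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Signature algorithm name: SHA256withRSA

Alias name: exampleroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Signature algorithm name: SHA256withRSA
"""

IDENTITY_SELF_SIGNED = """\
Alias name: myserver
Entry type: keyEntry
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=www.example.com, O=Example Corp, C=US
Signature algorithm name: MD5withRSA
"""

if __name__ == "__main__":
    for label, text in (("identity ok", IDENTITY_OK), ("identity self-signed", IDENTITY_SELF_SIGNED)):
        print(label, "->", audit_identity_keystore(parse_keytool_list(text)) or "OK")
```

The parser keys on the field names keytool prints (Alias name, Entry type, Owner, Issuer, Signature algorithm name), so the extra lines in a real listing (creation date, serial number, fingerprints, Certificate[n] markers) are ignored. Running the audit on the Trust keystore with the identity rules, or vice versa, is a useful way to catch the two files being swapped in the console.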

Configure Keystores through WebLogic Administrative Console

Follow the BEA documentation and BEA Viewlet. Note that the initial screen asks for the Identity and Trust keystore pass phrases, and upon submit it asks for the Private Key pass phrase. Make sure you enter the Private Key pass phrase (the -keypass value above), not the keystore pass phrase, on the follow-up screen.

Configure SSL through Administrative Console

BEA uses port 7002 as the default SSL port, while the standard HTTPS port is 443. Make sure that you enable SSL on port 443 (or whatever port you prefer) and configure it through the WebLogic administrative console, following the BEA documentation noted above.
