Tuesday, August 16

SSL IMPLEMENTATION ON WLS 8.1

Following are the main steps to implement SSL on WLS 8.1:

1. Generate the private key, obtain a CA-signed certificate for it and the CA's trust certificate
2. Create the Identity keystore
3. Create the Trust keystore
4. Configure WLS to pick up the keystores
5. Test the SSL implementation

CERTIFICATE GENERATION:

Create the private key using the keytool command:

- From the domain dir, run setENV.cmd (this sets up the JDK environment so that keytool is found)

- Now run the following keytool command to create the private key (the alias "privkey" identifies this key pair inside the keystore and is reused in the later steps):

1. keytool -genkey -keyalg RSA -alias privkey -keystore mykeystore.jks

===================================
EXAMPLE:
--------
C:\bea\user_projects\domains\trialdomain>keytool -genkey -keyalg RSA -alias privkey -keystore mykeystore.jks
Enter keystore password:  fttssl2006
What is your first and last name?
  [Unknown]: server_name
What is the name of your organizational unit?
  [Unknown]:  FITS
What is the name of your organization?
  [Unknown]:  Company Name Inc.
What is the name of your City or Locality?
  [Unknown]:  city_name
What is the name of your State or Province?
  [Unknown]: State
What is the two-letter country code for this unit?
  [Unknown]:  Country_name
Is CN=aaa, OU=bbb, O=Company Name Inc., L=city_name, ST=Illaaa, C=US correct?
  [no]:  y

Enter key password for
        (RETURN if same as keystore password):fttssl2006
==================================

As a result you obtain a file, mykeystore.jks (in the same dir), containing the private key and a self-signed certificate holding the matching public key.

Now send your public key to a trusted Certificate Authority to get it signed (for example, the corporate PKI).

This is done by retrieving the CSR (Certificate Signing Request) from mykeystore.jks and sending it to one of the Certificate Authorities. The CSR carries the public key and the distinguished name entered above, but not the private key, which never leaves the keystore.

Run the following command to get the CSR:

2. keytool -certreq -v -alias privkey -keystore mykeystore.jks

====================================
C:\bea\user_projects\domains\trialdomain>keytool -certreq -v -alias privkey -keystore mykeystore.jks
Enter keystore password:  fttssl2006
-----BEGIN NEW CERTIFICATE REQUEST-----


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaaaaaaaaaaaaaaaaacccccccccbbbbbbbbbbbb

-----END NEW CERTIFICATE REQUEST-----
====================================

You will need to copy and paste all of this (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines) to the Certification Authority.
Open Notepad and copy it there.

3. Submit this CSR at the following site, providing the appropriate details

https://company_url

4. The server certificate, intermediate certificate and trusted certificate will be emailed from the site.

5.
a. Save the server certificate as "servercert.pem"
b. Save the intermediate certificate as "intercert.cer"
c. Save the trusted certificate as "rootcert.cer"

6.
a. Double click on intercert.cer --> Details --> Copy to File --> Next --> Base-64 encoded X.509 --> Next --> save it as intercert1.cer --> Finish
b. Double click on rootcert.cer --> Details --> Copy to File --> Next --> Base-64 encoded X.509 --> Next --> save it as rootcert1.cer --> Finish

7. Concatenate the contents of "rootcert1.cer", "intercert1.cer" and "servercert.pem" (the three Base-64 blocks, one after the other) into a single file and save it as "servercert.pem". This file is the certificate chain that will be imported into the identity keystore.
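As an added example that is not part of the original post, the following Python script checks the merged servercert.pem from step 7 before it is imported in the next section: it splits the PEM blocks, pulls the issuer and subject Names out of each certificate with a minimal DER walker (standard library only, no external packages), and confirms that the server certificate, the intermediate and the self-signed root link up into one chain regardless of the order in which the file was assembled. The file name servercert.pem is the one used above; the function names and the constructed, unsigned sample certificates at the bottom are this example's own and stand in for real CA-issued files.

```python
"""Check that a merged PEM bundle (the servercert.pem of step 7) holds one
complete chain before it is imported. Added example, standard library only."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes([0x55, 0x04, 0x03])           # 2.5.4.3 commonName

def pem_to_der(bundle_text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(block.split()))
            for block in PEM_BLOCK.findall(bundle_text)]

def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_names(der):
    """(issuer, subject) as raw DER Name bytes. TBSCertificate is SEQ {
    [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, ... }."""
    _, cert, _ = der_read_tlv(der, 0)        # Certificate SEQ { tbs, alg, sig }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                 # explicit [0] version is present
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def name_cn(der_name):
    """Best-effort commonName of a DER Name; hex of the Name if there is none."""
    for _, rdn in der_children(der_name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == CN_OID:
                return val.decode("utf-8", "replace")
    return der_name.hex()

def order_chain(bundle_text):
    """Return the chain's CNs leaf first, ending in a self-signed root.
    Raises ValueError unless the bundle is exactly one complete chain."""
    certs = [cert_names(d) for d in pem_to_der(bundle_text)]
    issuer_of = {subject: issuer for issuer, subject in certs}
    issuers = {issuer for issuer, subject in certs if issuer != subject}
    leaves = [s for s in issuer_of if s not in issuers]
    if len(leaves) != 1:
        raise ValueError("bundle does not contain exactly one leaf certificate")
    chain, cur = [], leaves[0]
    while True:
        chain.append(cur)
        nxt = issuer_of[cur]
        if nxt == cur:                       # self-signed: the root, stop here
            break
        if nxt not in issuer_of or nxt in chain:
            raise ValueError("chain broken at %s" % name_cn(cur))
        cur = nxt
    if len(chain) != len(certs):
        raise ValueError("bundle holds certificates outside the chain")
    return [name_cn(s) for s in chain]

def der_tlv(tag, content):
    """DER-encode one TLV (constructed test data only; unsigned certificates)."""
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    ln = lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + content

def fake_cert_pem(subject, issuer):
    """PEM for a constructed, structurally valid certificate with single-CN Names."""
    def name(s):
        atv = der_tlv(0x30, der_tlv(0x06, CN_OID) + der_tlv(0x13, s.encode()))
        return der_tlv(0x30, der_tlv(0x31, atv))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))    # version v3
                  + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"")  # serial, sigAlg
                  + name(issuer) + der_tlv(0x30, b"") + name(subject)
                  + der_tlv(0x30, b"\x00" * 200))  # dummy SPKI; forces long-form lengths
    cert = der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Stand-in for servercert.pem after step 7, deliberately stored root first.
SAMPLE_BUNDLE = (fake_cert_pem("Root CA", "Root CA")
                 + fake_cert_pem("Intermediate CA", "Root CA")
                 + fake_cert_pem("server_name", "Intermediate CA"))
```

Run it against a real bundle with order_chain(open("servercert.pem").read()); the returned list should read server, intermediate, root. A ValueError means a certificate is missing from the file or does not belong to the chain, which is the situation keytool would otherwise only report at import time.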


IMPORT THE SIGNED CERTIFICATE (PUBLIC KEY) INTO YOUR IDENTITY KEYSTORE:

It must go on the same alias as the private key ("privkey" from step 1), so that keytool replaces the self-signed certificate with the CA-signed chain instead of adding a separate trusted-certificate entry:

Command:

keytool -import -alias privkey -file servercert.pem -keystore mykeystore.jks

Type "y" when you are prompted to trust the certificate.

CREATE THE TRUST KEYSTORE

Import the CA's root certificate (here named getcacert.cer; use the Base-64 root certificate saved in step 6b) into a separate trust keystore:

Command:

keytool -alias mytkey -trustcacerts -import -file getcacert.cer -keystore mytruststore.jks -storepass weblogic

Type "y" when you are prompted to trust the certificate.

CONFIGURE WEBLOGIC SERVER TO PICK UP THE KEYSTORES:

- In the admin server console, under the "Keystores & SSL" tab page, click on "Change".
- Select "Custom Identity and Custom Trust" from the drop-down menu. Click Continue.
- Then specify the full path for the Identity and Trust keystores.
- Specify the passwords for both the stores. Click Continue.
- Now specify the alias and pass phrase of the private key:

alias for pvt key = privkey
pass phrase = fttssl2006

- Apply the changes; you will need to restart the server.

The above steps will configure SSL. WLS will use the private/public key (certificate) from your Identity keystore and the trust certificate from the trust keystore.

TEST THE IMPLEMENTATION:

- Restart the server and test it.
- Go to https://localhost:7002/console (specify the port that is enabled for SSL).
- Wait for the admin console authentication page to open.
- Now double click on the lock icon that appears at the lower right end of the browser window.
- View the details of the certificate.
- Check that the certificate chain is complete (server certificate, intermediate and root CA) and that the certificate name matches the host name you used.
