Tuesday 28 April 2015

13.a. WebLogic Security: SSL Configuration by Java keytool for Admin Console HTTPS

The Admin console can be configured with the SSL listen port enabled, but the demo certificates are applicable only in development domains. Once you have enabled SSL for a WebLogic server, you can find the DemoTrust.jks and DemoIdentity.jks files in the security subdirectory of the domain directory.

What are the tools to generate private and public keys?
If your machine has a JDK installed, you can use keytool, the default tool that ships with the Java Development Kit.

As an alternative to keytool, you can also use the open-source tool OpenSSL.

WebLogic domain SSL configurations: 1-way SSL, 2-way SSL


What is SSL? Why do you need SSL?
SSL is the Secure Sockets Layer protocol, which is combined with other protocols to provide secure communication. Secure means that the data exchanged between sender and receiver is protected: when the outside world tries to intercept or open it, it is in an unreadable format.

Can I have different identity alias names and trust alias?
Yes, you can have different alias names. When you deal with digital certificates, the root and intermediate certificates also need different aliases. But when you import the signed certificate, it must use the same alias that was used when the key was generated.


What is JAAS?
Like many other Java APIs, this is also a specification: the Java Authentication and Authorization Service. This API gives you many features for knowing who is connecting to your application. Identifying customers and what they do during online shopping gives some input for feature investments. It is implemented successfully in many application servers. WebLogic allows you to configure SSL communication for web applications, and the RMI-based t3s protocol is also supported.

Where Can I buy Digital Certificates?

Certificates are sold by a Certificate Authority (CA). You can make the digital signing request only once you have created a private key in a keystore and generated a root certificate, and then submit the keystore. Some of the best CAs are listed below:
  • VeriSign
  • eTrust
  • entrust
  • geotrust
What is a Digital Certificate?
There are multiple ways to get a digital certificate for your web [WebLogic] server-side certificates. Some of the file extensions used in the WebLogic admin console are listed here:
  • JKS - Java Key Store
  • JCEKS - Java Cert Key Store
  • KSS - Oracle Wallet
Root Certificate means --
Intermediate Certificate means --

After you receive the mail from the certificate authority, the CA will provide you with the three levels of authentication. On the Windows platform, the Base64 X.509 format stores a single certificate file at a time. The regular encrypted file formats are:
  • pem
  • crt
  • cer

What does Self-Signed Certificate mean?

How do I get a self-signed certificate? What is the command sequence for certificate generation?

Step 1: Create the identity and trust keystores using JKS
Command 1 :
keytool -genkey -alias vtkey -keyalg RSA -keysize 1024 -validity 365 -keypass welcome1 -keystore identity.jks -storepass welcome1



Note : keytool commands that were renamed in Java 1.6 :
  • -export, renamed to -exportcert
  • -genkey, renamed to -genkeypair
  • -import, renamed to -importcert
All previous commands are still supported in this release ( keytool in java 1.6, 1.7, 1.8 and 9 ) and will continue to be supported in future releases.

Step 2: Generate the certificate for signing and send it to the certificate signing authority

Command 2 :
keytool -export -alias vtkey -file root.cer -keystore identity.jks -storepass welcome1

Command 3 : importing the certificate issued by the certificate authority
keytool -import -alias vtkey -file root.cer -keystore trust.jks -storepass welcome1


To see the contents of the keystore use the following command :
Command :
keytool -list -v -keystore identity.jks -storepass welcome1


To see the contents of an individual certificate ( like root.cer in our case ).
Command :
keytool -printcert -file root.cer


Copy the keystore files into the WebLogic $DOMAIN_HOME location :

Below are the steps to configure Custom Identity and Custom Trust with Weblogic Server :

Step 1 : Log in to the WebLogic Admin console --> Environment --> Servers --> < server_name_where_ssl_has_to_be_configured > --> Configuration --> General --> SSL Listen Port Enabled ( Check )

Note : The default SSL Listen Port would be 7002, change it if required.


Step 2 : Click on Keystores tab under " Configuration " tab :



Step 2a : Click on the drop-down menu next to Keystores and select " Custom Identity and Custom Trust "
Step 2b : Now fill in the following information :
---Identity---
Custom Identity Keystore : < location_of_identity_keystore_that_you_have_created>

NOTE : By default WLS will look for this keystore file in domain_home location.

Custom Identity Keystore Type : jks
Custom Identity Keystore Passphrase: < This_would_be_your_storepass >

---Trust---
Custom Trust Keystore : < location_of_trust_keystore_that_you_have_created>
NOTE : By default WLS will look for this keystore file in domain_home location.
Custom Trust Keystore Type : jks
Custom Trust Keystore Passphrase: < This_would_be_your_storepass >

Step 2c : Now save the changes and click on " SSL " tab :
Private Key Alias: < This_would_be_your_certificate_alias >
Private Key Passphrase: < This_would_be_your_keypass >



Step 3 : Save the changes and click on the " Advanced " field under the " SSL " tab :
  Set " Hostname Verification: " to None ( from the drop-down menu ).
Note : Hostname verification needs to be set to None if the CN of the certificate is not the same as the hostname of the machine where WLS is installed.

Now access your Weblogic Admin console over https URL : " https://localhost:7002/console "



Click on the Advanced link and then on the 'Proceed' link. This is because we have not used the digital signature of a Certification Authority.


How do you know whether it is a self-signed or a real certificate?
All URLs served with a self-signed certificate will show "Not Secure" as shown above. When you use a real certificate, that is, a certificate provided by a Certifying Authority, the HTTPS URL loads the web page without prompting.
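
The same question can be answered from the keystore itself. The following is an added example, not part of the original post: a shell function that reads the text printed by the keytool -list -v command shown earlier and flags entries that are self-signed (Owner equals Issuer), use an RSA/DSA key under 2048 bits such as the 1024-bit key from Command 1, or carry a SHA1/MD5 signature. The function names, the 2048-bit threshold and the sample listing are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag weak or self-signed
# entries in "keytool -list -v" output. Assumed minimum RSA/DSA size: 2048 bits.
# Usage: keytool -list -v -keystore identity.jks | audit_keystore_listing

audit_keystore_listing() {
  awk '
    # Report on the alias just finished. Only its first (leaf) certificate is
    # recorded, so a self-signed root further down the chain is not flagged.
    function report() {
      if (alias == "") return
      if (owner != "" && owner == issuer) { print alias ": self-signed (Owner equals Issuer)"; bad++ }
      if (kalg ~ /^(RSA|DSA)$/ && bits + 0 < 2048) { print alias ": weak " bits "-bit " kalg " key"; bad++ }
      if (sig ~ /^(SHA1|MD5|MD2)with/) { print alias ": weak signature algorithm " sig; bad++ }
    }
    /^Alias name: / { report(); alias = substr($0, 13); owner = issuer = sig = bits = kalg = "" }
    /^Owner: /  && owner == ""  { owner  = substr($0, 8) }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    /^Signature algorithm name: / && sig == "" { sig = $4 }
    /^Subject Public Key Algorithm: / && bits == "" { bits = $5; sub(/-bit.*/, "", bits); kalg = $6 }
    END { report(); exit (bad > 0) }   # exit status 1 when anything was flagged
  '
}

# Constructed sample modelled on keytool verbose output (fingerprints omitted).
sample_listing() {
  cat <<'EOF'
Alias name: vtkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Dev, O=Example, C=US
Issuer: CN=localhost, OU=Dev, O=Example, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: prodkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wls.example.test, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
EOF
}
```

The non-zero exit status lets a deployment script stop before a flagged keystore is copied into $DOMAIN_HOME.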


1 comment:

  1. Whenever the SSL certificate has expired, we need to request a new certificate, and after receiving the new/renewal certificate and applying it, we must restart the WebLogic domain; only then will HTTPS work in the environment.
    NOTE: This blog is very helpful to refer to for resolving all WebLogic environment issues.
