Tuesday, October 21, 2014

Weblogic SSL Setup


Identity keystore - for others to access WebLogic over https
This stores the server's own certificate, i.e. its private key/digital certificate pair. When a client contacts the server, the digital certificate held in this keystore is the one presented to it. You may also need to store the root and intermediate certificates in the truststore.

Trust keystore - for WebLogic to access others (e.g. when it consumes web services) over https
This holds the certificates of all trusted partners (i.e. partners/clients). When the server connects to a partner, it uses this keystore to validate the partner's certificate.

http://weblogicserveradministration.blogspot.com/2013/03/weblogic-server-ssl-configuration.html


WebLogic SSL self-signed certificate setup

Server49 - admin server and managedserver1
Server50 - managedserver2

On Server49 (repeat on Server50):

  1. Generate the keystore and the key pair

     keytool -genkey -alias Server49 -keyalg RSA -keysize 1024 -validity 3650 -keypass cat360pa -keystore /appserver/Weblogic/admin/certs/Server49.jks -storepass cat360pa

  2. Export the certificate from the keystore to a file

     keytool -export -alias Server49 -file /appserver/Weblogic/admin/certs/Server49.cer -keystore /appserver/Weblogic/admin/certs/Server49.jks -storepass cat360pa

  3. Import the certificate (public key) into the trust store

     keytool -import -alias Server49 -file /appserver/Weblogic/admin/certs/Server49.cer -keystore /appserver/Weblogic/admin/certs/Server49_trust.jks -storepass cat360pa

check:
keytool -list -v -keystore /appserver/Weblogic/admin/certs/Server49.jks -storepass cat360pa
keytool -list -v -keystore /appserver/Weblogic/admin/certs/Server49_trust.jks -storepass cat360pa
keytool -printcert -file /appserver/Weblogic/admin/certs/Server49.cer


***********

Import managed server 2's certificate (Server50.cer, copied from Server50 to /tmp on Server49) into the admin server's trust store. There is no need to import the admin server's own certificate, since it was already imported into this trust store on the same host.

keytool -import -alias Server50 -file /tmp/Server50.cer -keystore /appserver/Weblogic/admin/certs/Server49_trust.jks -storepass cat360pa
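The whole procedure above (identity keystore, certificate export, trust store, and the cross-import of the peer's certificate) as one POSIX shell script. This is an added example, not the post's own commands: it assumes keytool is on PATH, uses the placeholders CERT_DIR and STORE_PASS (replace them), writes every host's files into a single directory for demonstration (on real servers each host's .cer has to be copied to the other first, which is what the /tmp/Server50.cer path above implies), and uses 2048-bit RSA keys with -dname so it runs without prompting; the 1024-bit key size in the post's command is below current minimums.

```shell
#!/bin/sh
# Added example (not from the original post). Builds, for each WebLogic host,
# an identity keystore (<host>.jks, alias = host name), exports its certificate
# (<host>.cer) and builds a trust store (<host>_trust.jks) holding its own
# certificate plus every peer's certificate. Assumes keytool is on PATH.
# CERT_DIR and STORE_PASS are placeholders; all hosts' files land in one
# directory here, so on real servers copy the .cer files between hosts first.

KEYTOOL="${KEYTOOL:-keytool}"
CERT_DIR="${CERT_DIR:-/appserver/Weblogic/admin/certs}"   # path used in the post
STORE_PASS="${STORE_PASS:-changeit}"                       # placeholder, not a real secret

# Print the hosts other than $1: the peers whose certificates must be imported
# into $1's trust store (a host never needs to re-import its own certificate).
peer_hosts() {
    pself="$1"; shift
    pout=""
    for ph in "$@"; do
        [ "$ph" = "$pself" ] && continue
        pout="${pout:+$pout }$ph"
    done
    printf '%s' "$pout"
}

# Identity keystore: the alias is the host name, because the "Private Key
# Alias" set later in the server's SSL tab must match it. 2048-bit RSA and
# -dname so keytool does not prompt; -storetype JKS matches
# CustomIdentityKeyStoreType=jks used for Node Manager.
make_identity() {
    "$KEYTOOL" -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=$1" -keypass "$STORE_PASS" -storetype JKS \
        -keystore "$CERT_DIR/$1.jks" -storepass "$STORE_PASS"
}

# Export the certificate (public half only) to <host>.cer.
export_cert() {
    "$KEYTOOL" -exportcert -alias "$1" -file "$CERT_DIR/$1.cer" \
        -keystore "$CERT_DIR/$1.jks" -storepass "$STORE_PASS"
}

# import_trust HOST ALIAS CERTFILE: add a trusted certificate to HOST's trust
# store. -noprompt skips the interactive "Trust this certificate?" question.
import_trust() {
    "$KEYTOOL" -importcert -noprompt -alias "$2" -file "$3" -storetype JKS \
        -keystore "$CERT_DIR/${1}_trust.jks" -storepass "$STORE_PASS"
}

# has_alias KEYSTORE ALIAS: exit 0 if the alias is present (the post's
# "keytool -list" check, narrowed to one alias).
has_alias() {
    "$KEYTOOL" -list -keystore "$1" -storepass "$STORE_PASS" -alias "$2" >/dev/null 2>&1
}

# setup_hosts HOST...: per-host steps first, then the cross-imports.
setup_hosts() {
    mkdir -p "$CERT_DIR"
    for host in "$@"; do
        make_identity "$host"
        export_cert "$host"
        import_trust "$host" "$host" "$CERT_DIR/$host.cer"
    done
    for host in "$@"; do
        for peer in $(peer_hosts "$host" "$@"); do
            import_trust "$host" "$peer" "$CERT_DIR/$peer.cer"
        done
    done
}

# Usage: RUN_SETUP=1 CERT_DIR=/tmp/certs STORE_PASS=... sh weblogic_certs.sh Server49 Server50
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_hosts "$@"
    for host in "$@"; do
        has_alias "$CERT_DIR/$host.jks" "$host" && echo "$host: identity ok"
        for peer in $(peer_hosts "$host" "$@"); do
            has_alias "$CERT_DIR/${host}_trust.jks" "$peer" && echo "$host trusts $peer"
        done
    done
fi
```

The alias of each identity entry is deliberately the host name so that the "Private Key Alias" entered in the SSL tab and the CustomIdentityAlias in nodemanager.properties can simply be the host name; has_alias is the check to run after editing either of those.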

***
Admin console changes
- in AdminServer --> Keystores tab, change Keystores to custom identity and custom trust
- specify the path to the identity and trust keystores
- in AdminServer --> SSL tab, under Identity, set "Private Key Alias" to the local server host name (Server49)

****

Configure Node Manager for SSL communication between the admin server and Node Manager

Add these lines to nodemanager.properties:

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/appserver/Weblogic/admin/certs/r1cvap1050.jks
CustomIdentityKeyStorePassPhrase=cat360pa
CustomIdentityAlias=r1cvap1050
CustomIdentityPrivateKeyPassPhrase=cat360pa
CustomIdentityKeyStoreType=jks
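A pre-flight check for the Node Manager settings above, added here as an example and not taken from the post: it reads the keystore keys out of nodemanager.properties with a small properties parser and confirms, via keytool -list, that the keystore file is readable and that CustomIdentityAlias is actually present in it under CustomIdentityKeyStorePassPhrase. That catches the usual failure when Node Manager is switched to SSL: an alias, path or passphrase in the properties file that does not match what keytool generated. It assumes keytool is on PATH and takes the properties file path as its only argument.

```shell
#!/bin/sh
# Added example (not from the post): validate the SSL keys in
# nodemanager.properties against the keystore they point to, before Node
# Manager is started with KeyStores=CustomIdentityAndCustomTrust.

KEYTOOL="${KEYTOOL:-keytool}"

# prop FILE KEY: value of KEY in a Java .properties file. Comment lines are
# skipped, whitespace around '=' is ignored, and the last definition wins
# (the same rule Java applies when a key is repeated).
prop() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        tail -n 1
}

# check_nm_props FILE: prints "ok" and returns 0 when the keystore settings
# are consistent; otherwise prints the first problem on stderr and returns 1.
check_nm_props() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "cannot read $f" >&2; return 1
    fi
    mode=$(prop "$f" KeyStores)
    ksfile=$(prop "$f" CustomIdentityKeyStoreFileName)
    kspass=$(prop "$f" CustomIdentityKeyStorePassPhrase)
    ksalias=$(prop "$f" CustomIdentityAlias)
    kstype=$(prop "$f" CustomIdentityKeyStoreType)

    if [ "$mode" != CustomIdentityAndCustomTrust ]; then
        echo "KeyStores is '$mode', expected CustomIdentityAndCustomTrust" >&2; return 1
    fi
    if [ -z "$ksfile" ] || [ ! -r "$ksfile" ]; then
        echo "CustomIdentityKeyStoreFileName '$ksfile' is missing or not readable" >&2; return 1
    fi
    if [ -z "$ksalias" ]; then
        echo "CustomIdentityAlias is not set" >&2; return 1
    fi
    # keytool -list -alias exits non-zero when the passphrase is wrong or the
    # alias is absent, which is exactly what Node Manager would trip over.
    if ! "$KEYTOOL" -list -keystore "$ksfile" -storetype "${kstype:-jks}" \
            -storepass "$kspass" -alias "$ksalias" >/dev/null 2>&1; then
        echo "alias '$ksalias' not found in $ksfile (or wrong passphrase)" >&2; return 1
    fi
    echo ok
}

# Usage: sh check_nm.sh /path/to/nodemanager.properties
if [ -n "${1:-}" ]; then
    check_nm_props "$1"
fi
```

Run it on each machine that hosts a Node Manager, with that machine's copy of nodemanager.properties; the keystore path and alias are per-host, so a file copied from another server will fail the alias check.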
