Configuring SSL on Weblogic Server – Custom Identity and Custom Trust

I have been getting a lot of requests for a very simple document on configuring SSL on WebLogic Server.

It's a pretty straightforward configuration, but most people are not aware of it. WLS ships configured with DemoIdentity and DemoTrust; we just need to enable the SSL port under the General tab of the server and WLS will start listening over SSL on that port. The demo keystores must not be used in production: the demo private key and the demo CA are identical in every WebLogic installation, so anyone with a copy of WLS can impersonate your server or issue certificates your server will trust. Instead, either get your certificates signed by a third-party certificate authority, or run your own root CA and sign your own certificates with it. To keep things simple I have written a small build script that generates SELF-SIGNED certificates; clients (browsers, Java clients, Node Manager) will only accept such a certificate once it has been imported into their own trust store, so treat this as a test-environment setup. You just need to set up the environment by running setWLSEnv.cmd (setWLSEnv.sh on Unix) from WL_HOME\server\bin, then run the build script and the keystores will be generated in that directory. I have used keytool to generate the keystores; you can get more details here:

http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

Follow the steps below to configure WLS with your custom certificates. Afterwards you can change the property values at the top of build.xml (alias, distinguished name, passwords, file names) to suit your requirements, which makes it very easy to regenerate the keys just by editing those attribute values. Do change the example passwords (storepass, keypass) before using this anywhere real: they are the same values you will type into the Admin Console and into nodemanager.properties.

Step 1). Create a directory somewhere, like:

C:\MyCertificates

Step 2). Write the following "build.xml" file inside "C:\MyCertificates":

———————————————–

<project name="Generate Keystores" default="all" basedir=".">
    <!-- Values to adapt: alias, subject DN (CN must match the host name clients use),
         passwords and file names. Any of them can be overridden with ant -Dname=value -->
    <property name="alias" value="alias" />
    <property name="dname" value="CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US"/>
    <property name="keypass" value="keypass" />
    <property name="identity.jks" value="identity.jks" />
    <property name="storepass" value="storepass" />
    <property name="cert.cer" value="cert.cer" />
    <property name="trust.jks" value="trust.jks" />
    <!-- keytool is taken from the JDK that setWLSEnv put into JAVA_HOME; pass -Djdk.home=... to use another one -->
    <property environment="env" />
    <property name="jdk.home" value="${env.JAVA_HOME}" />
    <!-- 2048-bit RSA: 1024-bit keys are deprecated (keytool itself defaults to 2048 since JDK 8) -->
    <property name="keysize" value="2048" />
    <!-- certificate lifetime in days; keytool's default is only 90 -->
    <property name="validity" value="365" />
    <target name="all" depends="create-keystores"/>

    <target name="create-keystores">
        <echo>Generating Identity of the Server (private key plus self-signed certificate)</echo>
        <!-- "keytool" resolves to keytool.exe on Windows and to the plain binary on Unix -->
        <exec executable="${jdk.home}/bin/keytool" failonerror="true">
            <arg line='-genkey -alias ${alias} -keyalg RSA -keysize ${keysize} -validity ${validity} -dname "${dname}" -keypass ${keypass} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Self Signing the Certificate (re-issues the certificate that -genkey already self-signed)</echo>
        <exec executable="${jdk.home}/bin/keytool" failonerror="true">
            <arg line='-selfcert -alias ${alias} -validity ${validity} -dname "${dname}" -keypass ${keypass} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Exporting the Server certificate (public certificate only, the private key stays in identity.jks)</echo>
        <exec executable="${jdk.home}/bin/keytool" failonerror="true">
            <arg line='-export -alias ${alias} -file ${cert.cer} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Creating Trust Store (holds only the exported certificate, so it trusts this server and nothing else)</echo>
        <exec executable="${jdk.home}/bin/keytool" failonerror="true">
            <arg line='-import -alias ${alias} -file ${cert.cer} -keystore ${trust.jks} -storepass ${storepass} -noprompt' />
        </exec>
    </target>

</project>
———————————————–

Step 3). Now open a command/shell prompt and run setWLSEnv.cmd (Windows) or ". ./setWLSEnv.sh" (Unix) from WL_HOME\server\bin to set up the environment.

Step 4). Now just run the Ant script by typing "ant" in that directory. It will create identity.jks, cert.cer and trust.jks.

Step 5). Now log in to the Admin Console to configure these keystores:

Home >Summary of Servers >AdminServer > General
SSL Listen Port: Enabled (Check)
SSL Listen Port: 7002

Home >Summary of Servers >AdminServer > Keystores
Keystores: Custom Identity and Custom Trust
Identity
Custom Identity Keystore: <path>/identity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: storepass
Confirm Custom Identity Keystore Passphrase: storepass
Trust
Custom Trust Keystore: <path>/trust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: storepass
Confirm Custom Trust Keystore Passphrase: storepass
Click SAVE

Home >Summary of Servers >AdminServer > SSL
Identity and Trust Locations: Keystores
Private Key Alias: alias
Private Key Passphrase: keypass
Confirm Private Key Passphrase: keypass
Click SAVE

Step 6). Now access the Admin Console on the HTTPS port:

https://localhost:7002/console

The browser will warn that the certificate is not trusted, because nothing but the certificate itself has signed it; import cert.cer into the browser's (or the client JVM's) trust store to get rid of the warning. While you are there, open the certificate details and check that the subject is the one from build.xml (CN=localhost) and not the DemoIdentity certificate: if the demo subject shows up, the server is still using the demo keystores.
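Checking by eye in a browser is easy to get wrong, so here is a script that compares the certificate the SSL port actually presents with the one stored in identity.jks. It is an added example, not part of the original post; it assumes keytool (JDK 6 or later for -printcert -sslserver, JDK 7 or later for the SHA256 fingerprint) is on the PATH after setWLSEnv, and it defaults to the file names, alias and passwords from the build.xml above, all overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the WebLogic SSL
# port presents the certificate from identity.jks rather than DemoIdentity.
# Assumes keytool on PATH (run setWLSEnv first) and the build.xml defaults below.
set -eu

KEYSTORE=${KEYSTORE:-identity.jks}
STOREPASS=${STOREPASS:-storepass}
ALIAS=${ALIAS:-alias}
HOSTPORT=${HOSTPORT:-localhost:7002}
DIGEST=${DIGEST:-SHA256}   # set DIGEST=SHA1 on JDK 6, whose keytool prints no SHA256 line

# Canonical form for comparing fingerprints: drop colons and whitespace, upper-case hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t' | tr 'a-f' 'A-F'
}

# Pull the first "<DIGEST>: aa:bb:..." line out of keytool output (leaf cert comes first).
extract_fp() {
    sed -n "s/^[[:space:]]*$DIGEST:[[:space:]]*//p" | head -n 1
}

# Fingerprint of the certificate stored under ALIAS in the identity keystore.
keystore_fp() {
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" | extract_fp
}

# Fingerprint of the leaf certificate the server really sends in the TLS handshake.
server_fp() {
    keytool -printcert -sslserver "$HOSTPORT" | extract_fp
}

check_identity() {
    want=$(normalize_fp "$(keystore_fp)")
    got=$(normalize_fp "$(server_fp)")
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "could not read a $DIGEST fingerprint (wrong alias/password, or nothing listening on $HOSTPORT?)" >&2
        return 2
    fi
    if [ "$want" = "$got" ]; then
        echo "OK: $HOSTPORT presents the certificate from $KEYSTORE (alias $ALIAS), $DIGEST $got"
    else
        echo "MISMATCH: $HOSTPORT presents $got but $KEYSTORE holds $want (still on DemoIdentity?)" >&2
        return 1
    fi
}

# Only run the check when invoked with "check", so the file can also be sourced for its functions.
if [ "${1:-}" = check ]; then
    check_identity
fi
```

Run it as `sh check-wls-identity.sh check` after Step 6 (or with `HOSTPORT=myhost:7002` for a managed server). A MISMATCH means the port is still serving a different keystore, which is exactly the symptom in the Node Manager question further down in the comments; a missing fingerprint usually means the alias or password is wrong, or the handshake with the server failed outright.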

30 comments

  1. Hi,

    Can you please post the method to create custom identity and custom trust using CA certificates from a signing authority?

    Thanks

  2. Hi,
    when we use a Java home different from the one given inside the WebLogic setup (but the same version), we get an SSL handshake error in the "machine" configuration. How do we resolve this?
    Thanks,

    1. Can you enable SSL debug and paste the log file?
      -Dssl.debug=true

      You can do one thing: copy the cacerts file present in jre/lib/security to the JDK where it is not working.

      Thanks,
      Faisal

  3. Thanks admin,
    it's working now.
    I just created custom identity and custom trust and configured it with both the admin server and node manager.

  4. Faisal,

    I am a bit confused over this after reading the WebLogic documentation (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html). What are the exact steps for generating the certificate?
    1. Create the identity. This includes the private key and self-signed certificate. The first command used by you will generate this.
    2. What is the use of the 2nd command (selfcert) and then export?
    3. Why are we not generating the CSR?
    4. In the last command, what are we trying to import?

    Thanks
    Sumit

  5. My friend, you are GREAT.
    I was in big trouble with this until I found this.
    I have installed WebLogic on Linux and I preferred to convert your XML to a Unix script, with which I'm more familiar.
    Thanks again

  6. Hi again.
    Unfortunately, it didn’t work.
    The 1st impression was good but as soon as I tried to access my servers from weblogic console, the following exception came out in nodemanager.log:

    It seems that nodemanager can’t see the new cert file and it sees the demo one:

    How can I make it read the location where the new keystores are stored?

    1. Hi Nik,

      You can go to your nodemanager home
      e.g.
      C:\bea103\wlserver_10.3\common\nodemanager

      You will find nodemanager.properties file.

      You can specify the following properties:

      Keystores=CustomIdentityandCustomTrust
      CustomIdentityAlias=
      CustomIdentityKeyStoreFileName=
      CustomIdentityKeyStorePassPhrase=xxxxxx
      CustomIdentityKeyStoreType=JKS
      CustomIdentityPrivateKeyPassPhrase=xxxxxxx

  7. Hi Faisal,

    I have a question.

    Suppose the identity certificate in my keystore is going to expire and I have got a new certificate from VeriSign.

    How do I import that new certificate into the same keystore? If I remove the older one with the command below:

    keytool -delete -alias mydomain -keystore keystore.jks

    and then import the same alias again with the new certificate, it does not work, as the alias was removed completely.

    Need to know a way to achieve this.

    Thanks in advance,
    Chetan

  8. Hi Faisal,

    I have the same problem here. My SSL certificates are going to expire and I need to renew them.

    But if I create a new CSR to renew them, can I import it back into the old keystore which currently exists in the domain?

    Please advise a way to renew the certs.

    Thanks,
    Thomas

    1. Yes, you should be able to... in fact it has to be imported into the same keystore on which you did a genkey.. but please make sure you take a backup of your keystore.
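The renewal and CA-signing questions above come down to one keytool rule: the CA signs the public key that already sits in identity.jks, so the signed certificate must be imported under the same alias as the key entry, and that import replaces the self-signed certificate while keeping the private key. Deleting the alias first, as in the -delete command quoted above, destroys the private key the new certificate was issued for. The script below is an added example (not from the post or the comments) that wraps the two halves of that workflow; it assumes keytool on the PATH and the build.xml file names and passwords, and the certificate file names passed on the command line (the CA's root, any intermediate, and the signed server certificate) are placeholders for whatever your CA hands back.

```shell
#!/bin/sh
# Added example (not from the original post): CSR generation and CA-signed
# certificate installation for the key entry created by the build.xml above.
# Assumes keytool on PATH and the build.xml defaults; file names are placeholders.
set -eu

KEYSTORE=${KEYSTORE:-identity.jks}
STOREPASS=${STOREPASS:-storepass}
KEYPASS=${KEYPASS:-keypass}
ALIAS=${ALIAS:-alias}
TRUST_JKS=${TRUST_JKS:-trust.jks}

# keytool rewrites the keystore in place, so never import without a dated backup.
backup_keystore() {
    [ -f "$1" ] || { echo "keystore not found: $1" >&2; return 1; }
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
}

# Step 1: CSR for the existing key entry. Only the public key and DN go to the CA;
# the private key never leaves identity.jks.
make_csr() {
    csr=${1:-server.csr}
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$KEYPASS" -file "$csr"
    echo "CSR written to $csr; submit it to the CA"
}

# Step 2: install what the CA returns. Order matters: keytool validates the reply
# against certificates the keystore already trusts, so import the root (and any
# intermediate) under their own aliases first, then the signed server certificate
# under the KEY alias, which swaps the self-signed cert for the CA-issued chain.
# Usage: import_signed_cert signed.cer root.cer [intermediate.cer ...]
import_signed_cert() {
    signed=$1; shift
    for f in "$signed" "$@"; do
        [ -f "$f" ] || { echo "missing certificate file: $f" >&2; return 1; }
    done
    backup_keystore "$KEYSTORE"
    n=0
    for ca in "$@"; do
        n=$((n + 1))
        keytool -importcert -noprompt -alias "ca-$n" -file "$ca" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
        # Clients that validate the server through trust.jks need the CA chain as well.
        keytool -importcert -noprompt -alias "ca-$n" -file "$ca" \
            -keystore "$TRUST_JKS" -storepass "$STOREPASS"
    done
    keytool -importcert -alias "$ALIAS" -file "$signed" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$KEYPASS"
    # Show the result: the issuer should now be the CA and the chain longer than 1.
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | grep -E '^(Owner|Issuer|Certificate chain length):'
}

case "${1:-}" in
    csr)    shift; make_csr "$@" ;;
    import) shift; import_signed_cert "$@" ;;
    "")     ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 csr [out.csr] | import signed.cer root.cer [intermediate.cer ...]" >&2; exit 2 ;;
esac
```

`sh renew-cert.sh csr` produces the request; once the CA replies, `sh renew-cert.sh import server-signed.cer ca-root.cer ca-intermediate.cer` installs it. Because the alias, key and passwords are unchanged, the Admin Console and nodemanager.properties settings from Step 5 keep working; only a server restart is needed to pick up the new chain. The same sequence renews an expiring CA-signed certificate: generate a fresh CSR from the existing key and import the reply under the same alias.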

  9. Hi

    Does it work with WebLogic Server installed on a Solaris/Linux platform?

    Please, if someone can help me out, as I need it urgently.

    Thanks,
    Ashish

    1. Hi Rick,

      You are right, setWLSEnv does not help in creating the certs; it makes sure that JAVA_HOME is properly set so you can type the keytool commands directly.

      Cheers,
      Wonders Team

  10. Does SSL have to be enabled? I am going through a security cert and I have create my own .jks files. When I go to change the trust type in the console or enable SSL I get a big old Java stack trace.

  11. Hi Faisal,
    We are using two load balancers in my project. Only one will serve the traffic at a time; the other will be down or disabled.
    In order to use either load balancer for WebLogic I need to modify the alias name and the nodemanager.properties file each time. For example, the two load balancers are abc.int.com and def.int.com, and I need to change the alias name and the nodemanager.properties file every time to divert the traffic. Please advise if there is any way to use the two load balancers without changing the alias name and nodemanager.properties file every time. Thanks in advance.

    Rajendra

    1. Hi Rajendra,

      Can you please elaborate on the changes you are doing currently?

      What changes are you making in the nodemanager.properties file?

      Please let us know.

      Regards,
      Faisal

  12. Nice and smooth Faisal.

    Just a question: Is it possible to use the configured Identity for SSL from a servlet deployed in the same server?

    That is, use the same identity (WebLogic's SSL identity) to do client certificate authentication from the servlet deployed in WebLogic.

    I wouldn't want the servlet to have to load the key. I'd prefer that the servlet use WebLogic's key. Is it possible via the WebLogic API?

    Cheers.

    Javier

    1. Thanks Javier..

      Is it possible to use the configured Identity for SSL from a servlet deployed in the same server?
      Yes, when you make an SSL connection from the servlet, by default the WebLogic keys will be used.

      Cheers!
      Faisal
