I have been getting a lot of requests to write a very simple document on configuring SSL on WebLogic Server.

It's a pretty straightforward configuration, but most people are not aware of it. WLS is configured by default with the DemoIdentity and DemoTrust keystores; we just need to enable the SSL port under the General tab of the server and WLS will start listening over SSL on that port. However, using the demo certificates is not recommended in a production environment, so we either get our certificates signed by a third-party certificate authority or use our own root CA to sign our own certificates. To keep things simple I have written a small build script to generate SELF-SIGNED CERTIFICATES. You just need to set up the environment by running setWLSEnv.cmd under WL_HOME\server\bin, then run the build script and the keystores will be generated in the build script's directory. I have used keytool to generate the keystores; you can get more details here:

http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html

Follow the steps below to configure WLS with your custom certificates. Later you can modify the values in build.xml to suit your requirements, which makes it very easy to generate the keys just by changing the attribute values.

Step 1). Create a directory somewhere, for example:

C:\MyCertificates

Step 2). Write the following “build.xml” file inside “C:\MyCertificates”:

———————————————–

<project name="Generate Keystores" default="all" basedir=".">
    <property name="alias" value="alias" />
    <property name="dname" value="CN=localhost, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US"/>
    <property name="keypass" value="keypass" />
    <property name="identity.jks" value="identity.jks" />
    <property name="storepass" value="storepass" />
    <property name="cert.cer" value="cert.cer" />
    <property name="trust.jks" value="trust.jks" />
    <property name="jdk.home" value="C:/bea/jdk150_06" />
    <target name="all" depends="create-keystores"/>

    <target name="create-keystores">
        <echo>Generating Identity of the Server</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-genkey -alias ${alias} -keyalg RSA -keysize 1024 -dname "${dname}" -keypass ${keypass} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Self Signing the Certificate</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-selfcert -alias ${alias} -dname "${dname}" -keypass ${keypass} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Exporting the Server certificate</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-export -alias ${alias} -file ${cert.cer} -keystore ${identity.jks} -storepass ${storepass}' />
        </exec>
        <echo>Creating Trust Store</echo>
        <exec executable="${jdk.home}/bin/keytool.exe">
            <arg line='-import -alias ${alias} -file ${cert.cer} -keystore ${trust.jks} -storepass ${storepass} -noprompt' />
        </exec>
    </target>

</project>
———————————————–

Step 3). Now open a command/shell prompt and run “. ./setWLSEnv.sh” (setWLSEnv.cmd on Windows) to set up the environment.

Step 4). Now just run the Ant script by typing “ant” at the command prompt. It will create all the required certificates and keystores.

Step 5). Now log in to the Admin Console to configure these certificates:

Home >Summary of Servers >AdminServer > General
SSL Listen Port: Enabled (Check)
SSL Listen Port: 7002

Home >Summary of Servers >AdminServer > Keystores
Keystores: Custom Identity Custom Trust
Identity
Custom Identity Keystore: <path>/identity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: storepass
Confirm Custom Identity Keystore Passphrase: storepass
Trust
Custom Trust Keystore: <path>/trust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: storepass
Confirm Custom Trust Keystore Passphrase: storepass
Click SAVE

Home >Summary of Servers >AdminServer > SSL
Identity and Trust Locations: Keystores
Private Key Alias: alias
Private Key Passphrase: keypass
Confirm Private Key Passphrase: keypass
Click SAVE

Step 6). Now try to access the Admin Console on the HTTPS port:

https://localhost:7002/console
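As an added illustration of what the storepass on trust.jks actually protects (my own minimal reader/writer for the JKS v2 layout that keytool produces, not code from this post): the certificate bytes sit in the clear and the password only keys a SHA-1 integrity digest, so a wrong passphrase or an edited trust store is rejected, but nothing in it is confidential. SAMPLE_DER is a constructed placeholder rather than a real certificate, and private-key entries (identity.jks) are out of scope.

```python
import hashlib
import struct

JKS_MAGIC, JKS_VERSION, TRUSTED_CERT_TAG = 0xFEEDFEED, 2, 2  # JKS v2 container constants
_INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string mixed into the keyed digest
# Constructed stand-in for an exported cert.cer: a 5-byte DER SEQUENCE, not a real X.509 cert.
SAMPLE_DER = bytes.fromhex("3003020105")

def _java_utf(s):
    """DataOutputStream.writeUTF layout: 2-byte length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _integrity_digest(storepass, body):
    """SHA-1 over password (UTF-16BE) + fixed salt + store body: keyed, but not a real MAC."""
    h = hashlib.sha1(storepass.encode("utf-16-be"))
    h.update(_INTEGRITY_SALT)
    h.update(body)
    return h.digest()

def write_trust_store(entries, storepass, created_ms=0):
    """Build trust.jks bytes from (alias, der_cert) pairs (trusted-cert entries only)."""
    body = struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">i", TRUSTED_CERT_TAG) + _java_utf(alias.lower())
        body += struct.pack(">q", created_ms) + _java_utf("X.509") + struct.pack(">i", len(der)) + der
    return body + _integrity_digest(storepass, body)  # 20-byte digest terminates the file

def read_trust_store(data, storepass):
    """Parse trust.jks and verify its digest; ValueError on a wrong storepass or an edited file."""
    magic, version, count = struct.unpack_from(">IIi", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    pos, entries = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">iH", data, pos)
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are not handled by this reader")
        alias = data[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8  # tag, alias length, alias, 8-byte creation timestamp
        tlen, = struct.unpack_from(">H", data, pos)
        ctype = data[pos + 2:pos + 2 + tlen].decode("utf-8")
        pos += 2 + tlen
        clen, = struct.unpack_from(">i", data, pos)
        entries[alias] = (ctype, data[pos + 4:pos + 4 + clen])  # cert bytes sit in the clear
        pos += 4 + clen
    if _integrity_digest(storepass, data[:pos]) != data[pos:pos + 20]:
        raise ValueError("integrity check failed: wrong storepass or tampered keystore")
    return entries
```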

28 Thoughts on “Configuring SSL on Weblogic Server – Custom Identity and Custom Trust”

  1. Hi,

    Can you please post the method to create custom identity and custom trust using CA certificates from a signing authority?

    Thanks

  2. jappi gill on March 1, 2011 at 5:44 am said:

    Hi,
    When we use a Java home different from the one given inside the WebLogic setup (but the same version), we get an SSL handshake error in the “machine” configuration. How to resolve this?
    Thanks,

    • Administrator on March 1, 2011 at 8:54 am said:

      Can you enable SSL debug and paste the log file?
      -Dssl.debug=true

      You can do one thing: copy the cacerts file present in jre/lib/security to the JDK where it is not working.

      Thanks,
      Faisal

  3. jappi gill on March 3, 2011 at 4:18 am said:

    Thanks admin,
    It's working now.
    I just created custom identity and custom trust and configured it with both the admin server and node manager.

  4. sumit on March 13, 2011 at 2:09 am said:

    Faisal,

    I am a bit confused over this after reading the WebLogic documentation (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html). What are the exact steps for generating the certificate?
    1. Create the identity. This includes the private key and self-signed certificate. The first command used by you will generate this.
    2. What is the use of the 2nd command (selfcert) and then export??
    3. Why are we not generating the CSR??
    4. In the last command what are we trying to import??

    Thanks
    Sumit

  5. nikos_s on April 21, 2011 at 7:53 am said:

    My friend, you are GREAT.
    I was in big trouble with this until I found this.
    I have installed WebLogic in Linux and I preferred to convert your xml to a unix script, with which I'm more familiar.
    Thanks again

  6. nikos_s on April 26, 2011 at 8:12 am said:

    Hi again.
    Unfortunately, it didn’t work.
    The 1st impression was good but as soon as I tried to access my servers from weblogic console, the following exception came out in nodemanager.log:

    It seems that nodemanager can’t see the new cert file and it sees the demo one:

    How can I make it read the location where the new keystores are stored?

    • Administrator on April 30, 2011 at 4:35 am said:

      Hi Nik,

      You can go to your nodemanager home
      e.g.
      C:\bea103\wlserver_10.3\common\nodemanager

      You will find nodemanager.properties file.

      You can specify the following properties

      Keystores=CustomIdentityandCustomTrust
      CustomIdentityAlias=
      CustomIdentityKeyStoreFileName=
      CustomIdentityKeyStorePassPhrase = xxxxxx
      CustomIdentityKeyStoreType = JKS
      CustomIdentityPrivateKeyPassPhrase = xxxxxxx

  7. Lucia on April 29, 2011 at 5:17 am said:

    Excellent tutorial! It simply worked on my part. Thanks!

  8. Chetan Jain on December 22, 2011 at 12:07 am said:

    Hi Faisal,

    I have a question.

    Suppose in my keystore the identity certificate is going to expire, and I have got a new certificate from VeriSign.

    How do I import that new certificate into the same keystore? Because if I remove the older one with the below command:

    keytool -delete -alias mydomain -keystore keystore.jks

    and then import the same alias again with the new certificate, then it does not work, as the alias was removed completely.

    Need to know a way to achieve this.

    Thanks in advance,
    Chetan

  9. WeblogicAdmin on May 31, 2012 at 5:21 am said:

    Hi Faisal,

    I have the same problem here. My ssl certificates are going to expire and need to renew it.

    But if I create a new CSR to renew it, can I import it back into the old keystore which currently exists in the domain?

    Please advise a way to renew the certs.

    Thanks,
    Thomas

    • Administrator on June 5, 2012 at 12:52 am said:

      Yes, you should be able to... in fact it has to be imported into the same keystore on which you did a genkey, but please make sure you take a backup of your keystore.

  10. Hi

    Does it work with WebLogic Server installed on a Solaris/Linux platform?

    Please, if someone can help me out, as I need it urgently.

    Thanks,
    Ashish

  11. What's the purpose of step 3, . ./setWLSEnv.sh? How does this affect anything with creating the certs?

    • anandraj on December 18, 2012 at 2:51 am said:

      Hi Rick,

      You are right, setWLSEnv does not help in creating the certs, it makes sure that the JAVA_HOME is properly set and you can type the keytool commands directly.

      Cheers,
      Wonders Team

  12. Robert on March 13, 2013 at 1:41 pm said:

    Does SSL have to be enabled? I am going through a security cert and I have created my own .jks files. When I go to change the trust type in the console or enable SSL I get a big old Java stack trace.

  13. janardhan on November 21, 2013 at 8:37 am said:

    Hi all, http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html is not working :( Kindly guide me to the correct link.

  14. Rajendra on November 28, 2013 at 1:29 am said:

    Hi Faisal,
    We are using two load balancers in my project. Only one will serve the traffic at a time; the other will be down or disabled.
    In order to use any one load balancer for WebLogic I need to modify the alias name and the nodemanager.properties file each time. For example, two load balancers are abc.int.com and def.int.com; I need to change the alias name and the nodemanager.properties file every time to divert the traffic. Please advise if there is any way to use the two load balancers without changing the alias name and nodemanager.properties file every time..? Please advise. Thanks in advance.

    Rajendra

    • Administrator on December 9, 2013 at 6:26 am said:

      Hi Rajendra,

      Can you please elaborate on the changes you are doing currently?

      What changes you are doing in nodemanager.properties file?

      Please let us know.

      Regards,
      Faisal

  15. Administrator on September 1, 2012 at 7:59 am said:

    Hi Joe,

    The steps to install certificates on a managed server are the same as for the admin server.
    I am not sure about the page you are viewing.
    If you log in using

    http://host:port/console

    you should see all the servers under Servers.

    Thanks,
    Faisal
