Weblogic SSL configuration with Custom Identity and Custom Trust

These days enterprise applications have grown more complex and expose a great deal of sensitive and critical data online, so cyber security has become more important than ever for protecting that data.

Secure Sockets Layer plays a pivotal role in protecting sensitive data that is accessed over a network.

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network connection to authenticate the other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.

It provides transport-level security through SSL certificates issued by industry-standard Certificate Authorities such as Verisign, GeoTrust, GoDaddy, etc.

WebLogic Server supports SSL on a dedicated listen port, which defaults to 7002. To establish an SSL connection, a Web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPS protocol in the connection URL, for example, https://myserver:7002.

This post describes the complete procedure for procuring a certificate and installing and configuring it on WebLogic Server (WebLogic SSL configuration).

1: Generating and procuring the certificate:

a: Open a command prompt and set the environment by running the setDomainEnv script.

b: Generate the private-public key pair. For demonstration we use the keytool Java utility; other utilities such as openssl can be used as well.

keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password

c: Generate a Certificate Signing Request (CSR) and send it to the Certificate Authority.

keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password

The CA will return a certificate reply together with the RootCA certificate and sometimes an intermediate CA certificate.

d: Import the certificates into the keystore. This can be done in two ways: either import the certificates in order (RootCA, intermediate CA, then the certificate reply), or create a certificate chain by concatenating them in order into a .pem file.

For the demo, we create a certificate chain file CertChain.pem and import it into the identity keystore under the private key alias, which is client in this example.

keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password

e: Create a trust keystore. This is done by importing your RootCA certificate into another keystore, which constitutes the trust.

keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password

To verify the contents of a keystore, use the command below:

keytool -list -v -keystore <keystore-name> -storepass <keystore-password>
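As an added example (not part of the original post), here is section 1 as a POSIX shell script that runs offline: a locally generated root CA in ca.jks stands in for the commercial CA that would normally sign certreq.csr, the host name myserver.example.com and the password "password" are assumed, keytool from JDK 7 or later is required (for -gencert and -ext), and the final check reads back what WebLogic will load.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes keytool from JDK 7 or
# later on PATH, "password" for store and key passwords, and a local stand-in
# CA in ca.jks (a real deployment sends certreq.csr to a commercial CA and
# imports the reply it returns instead).
PASS=password
kt() { keytool -storetype JKS -storepass "$PASS" "$@"; }

# Steps b to e of section 1, writing every file into DIR for host HOST.
build_keystores() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # Stand-in CA: self-signed and flagged as a CA (BasicConstraints, critical).
    kt -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Demo Root CA" -ext bc:c -keystore "$dir/ca.jks" -keypass "$PASS" || return 1
    kt -exportcert -alias rootca -rfc -keystore "$dir/ca.jks" -file "$dir/rootCA.cer" || return 1
    # Step b: server key pair; the CN must be the host name clients will connect to.
    kt -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, O=Demo" -keystore "$dir/identity.jks" -keypass "$PASS" || return 1
    # Step c: CSR, signed here by the stand-in CA instead of a commercial one.
    kt -certreq -alias client -file "$dir/certreq.csr" \
        -keystore "$dir/identity.jks" -keypass "$PASS" || return 1
    kt -gencert -alias rootca -rfc -validity 365 -infile "$dir/certreq.csr" \
        -outfile "$dir/client.cer" -keystore "$dir/ca.jks" -keypass "$PASS" || return 1
    # Step d: trust the root in the identity store, then import the chain
    # (leaf first, root last) over the private key alias client.
    kt -importcert -noprompt -alias RootCA -file "$dir/rootCA.cer" \
        -keystore "$dir/identity.jks" || return 1
    cat "$dir/client.cer" "$dir/rootCA.cer" > "$dir/CertChain.pem" || return 1
    kt -importcert -noprompt -alias client -file "$dir/CertChain.pem" \
        -keystore "$dir/identity.jks" -keypass "$PASS" || return 1
    # Step e: trust keystore holding only the root CA certificate.
    kt -importcert -noprompt -alias RootCA -file "$dir/rootCA.cer" \
        -keystore "$dir/trust.jks" || return 1
}

# Read back what WebLogic will load: a PrivateKeyEntry under alias client with a
# two-certificate chain whose leaf CN is the host name (as production requires).
verify_identity() {
    out=$(kt -list -v -alias client -keystore "$1/identity.jks") || return 1
    echo "$out" | grep -q 'PrivateKeyEntry' || return 1
    echo "$out" | grep -q 'Certificate chain length: 2' || return 1
    echo "$out" | grep -q "Owner: CN=$2," || return 1
}

DIR=${1:-$(mktemp -d)}
HOST=${2:-myserver.example.com}
build_keystores "$DIR" "$HOST" && verify_identity "$DIR" "$HOST" \
    && echo "identity.jks and trust.jks are ready in $DIR"
```

The two keystores it writes are the ones section 2 points the server at.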


2: Configuring the keystore on the WebLogic Server.

a: Log into the Admin Console and select the server on which you want to configure the SSL certificate.

Server  –>  Click on the Keystore tab. By default it points to the Demo Certificates.

From the dropdown list select the “Custom Identity and  Custom Trust” option.

Enter the identity and trust keystore details.

b: Configure the identity of the server:

Click on the SSL tab and enter the alias of the private key (client in this case) and its key password (the keypass).

NOTE: When you enable SSL for a WebLogic Server, it is One-Way SSL by default. To change to Two-Way SSL, select the two-way SSL behavior from the Advanced options list.

c: Configure the SSL port.

By default it is 7002.

Go to Server –> General tab –> specify and enable the SSL listen port.

The messages below in the server logs indicate that the certificates have been loaded.

<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:WondersWebLogicSecuritySSL-CertsVerisignidentityVerisign.jks.>

<Notice> <Security> <BEA-090169> <Loading trustedcertificates from the JKS keystore file C:WondersWebLogicSecuritySSL-CertsVerisigntrustVerisign.jks.>


3: Test the setup:

You can test the setup by accessing the Admin Console (if SSL is configured for the Admin Server) or any application deployed on the server over the HTTPS protocol.

https://localhost:7002/console

Now verify that the right certificate is configured.

Click on the certificate details in the browser; you will find the details of the identity certificate and the RootCA along with the certificate chain.


NOTE: For a production environment, make sure that the CN (Common Name) of the certificate matches the server host name.

You can also use self-signed certificates or trial certificates for testing purposes. However, it is not recommended to use them in a production environment.

You can get Verisign trial certificates from the link below.

http://www.verisign.com/ssl/free-30day-trial/

For further reading:

http://download.oracle.com/docs/cd/E13222_01/wls/docs103/secmanage/ssl.html

Regards,

Wonders Team 🙂

26 comments

    1. Thanks for your appreciation. That motivates us to do better.

      Cheers,
      Anandraj

1. Hi,
    What do you do if you want SSL for just one application?

    I have a few apps running on a WebLogic server (using 10g OID and 10g OID) where only one app needs SSL.
    How do I enable SSL for just this app?
    The F5 VIP is the front end

    Thanks

    1. Hi Joe,

SSL cannot be enabled just for one app; it's a server-wide configuration.
      What you can do is configure SSL on the F5 and have HTTP between the F5 and the WebLogic Server.
      I have seen many customers do this.

      Thanks,
      Faisal

  2. Thanks
I've set it via F5 with a new VIP

    I would rather use the current VIP and just for this 1 app

    Update:

    This app won't go through SSO so no need for SSO registration

    On the F5 I created a new VIP with HTTPS, added its cert profile for client and server (had created the cert already), added the pool where the HTTP OHS is a member, and that was it.
    https://newvip.fqdn/appname

    1. Hi Vasu,

Yes, you can achieve that functionality. This can be done by making changes in the web.xml file of your application.

      You would need to define CONFIDENTIAL in the web.xml file.

      For example, refer to the snippet below.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Test</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      Further references:

      http://middlewaremagic.com/weblogic/?p=2019

      Cheers,
      Anandraj

3. Thanks for the great article. I followed the post and was able to configure SSL on WebLogic using a Symantec trial certificate for 30 days. I can access my web application using https://localhost:7002/MyWeb.

    But I have the questions below. Can you please help?

    1) How do I know my setup is correct and that it encrypts all the data over the network? Is there any way to test or see the encrypted data to confirm it's not plain data?

    2) After the SSL setup, I am able to access my web app on both http://localhost:7001/MyWeb and https://localhost:7002/MyWeb
    I need some pages on HTTP and some on HTTPS. How can I implement this?

    Many thanks
    Jayakumar

    1. Thanks for your appreciation Jaya…

1) You can use any network capture tool like Wireshark to analyze the traffic.
      2) You can define a security constraint and set the transport guarantee to CONFIDENTIAL.

    1. Hi Srinivas,

You can refer to the beginners section in Wonders.
      It has some useful presentations.

      Regards,
      Faisal

  4. Hi,

    Very useful post !!

I don't know which host name I need to put in the CN of my CSR file; let me explain my case:

    I have a server named: MYSERVER
    its IP address: xxx.xxx.xxx.xxx

    An internet line with a fixed IP: yyy.yyy.yyy.yyy
    An internet domain name: http://www.mydomain.com which is mapped to yyy.yyy.yyy.yyy

    A firewall which redirects ports 7002/7003 to xxx.xxx.xxx.xxx

    We tried a test certificate from Verisign with CN=www.mydomain.com but when wls_forms starts we get the error BEA-090482

    Thanks for your help

    Regards
    Steph

    1. Hi Steph,

Where do you try the Verisign certificates?
      This alert means that the server that is trying to communicate with WebLogic has a bad certificate.
      You can find out why the certificate was rejected by enabling SSL debug:

      -Dssl.debug=true

      Regards,
      Faisal

5. Hi, I'm stuck on the following thing when trying to create CertChain.pem.
    In the console I'm getting the error message: keytool error: java.io.FileNotFoundException:

    keytool error: java.io.FileNotFoundException: C:\Test\Keystore\CertChain.pem (Th
    e system cannot find the file specified)

    keytool -import -file C:\Keystore\CertChain.pem -alias client -keystore c:\keystore\identity.jks -storepass password1

and I'm not sure about client. Is this the IP address of my machine?

6. Hi, I've got 1 AdminServer & 2 Managed Servers. AdminServer and Managed Server #1 are on the same server as normal and Managed Server #2 is on another server. I tried to make Managed Server #1 and Managed Server #2 as identical as possible in terms of nodemanager.properties and identity/trust keystore files, but it is failing while trying to start Managed Server #2.

    It failed (FAILED_NOT_RESTARTABLE) with the notification below in “/opt/oracle/middleware/wlserver_10.3/common/nodemanager/nodemanager.log”

    javax.net.ssl.SSLException: Inbound closed before receiving peer’s close_notify: possible truncation attack?

    I described the issue in detail here:
    https://community.oracle.com/message/12524936#12524936

    Thank you.
