
OFSS Ltd. - OBP
Configure SSL

Author: Kishore Mukati
Current Status: Initial
Date: 01-Sep-2011

Contents
OID Authenticator on SSL
OID Policy Store on SSL
One-Way-SSL between Presentation and Application WebLogic Servers
    Generate Server Private Key and Certificate
    Create the Identity Keystore
    Import the Certificate into a new Trust keystore
    Configure Application Domain WebLogic with Custom Identity and Trust keystores
    Import Certificate in the JRE of Presentation Domain

OID Authenticator on SSL


It is assumed that the Oracle Internet Directory Authenticator is already configured, against the non-SSL OID port (3060).

Open the WebLogic Server admin console and go to Home > Summary of Security Realms > myrealm > Providers.

Click on OIDAuthenticator and select the Provider Specific tab.

Change Port from 3060 to 3131 (the OID SSL port) and check the SSLEnabled checkbox.

If the OID SSL listener is configured for server authentication (OID also supports an anonymous, no-authentication SSL mode), the certificate OID presents, or its issuing CA, must also be present in the trust keystore this WebLogic server uses; otherwise the TLS handshake fails and users can no longer log in.

Save these changes and restart WebLogic Server. Check the server log after the restart for LDAP connection errors from the authenticator before assuming the switch worked.

OID Policy Store on SSL


It is assumed that the WebLogic domain is already re-associated with Oracle Internet Directory, so the policy, credential and identity store service instances in jps-config.xml point at OID.

Open <DOMAIN_HOME>\config\fmwconfig\jps-config.xml and replace every ldap://<OID SERVER IP>:3060 with ldaps://<OID SERVER IP>:3131 (these are the values of the ldap.url properties that reference OID). Take a backup of the file first. The same trust requirement as for the authenticator applies: if the OID SSL listener uses server authentication, the JVM that reads jps-config.xml must trust the certificate OID presents.

Save these changes and restart WebLogic Server.
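The replacement above done as a script, as an added example that is not part of the original document: it rewrites only the ldap://<host>:3060 references, refuses to finish if any other plaintext ldap:// URL would remain in the file (so a stray reference to another directory is not silently left in clear text), and is safe to run twice. The jps-config.xml fragment and the OID address 10.0.0.5 are constructed for the example.

```python
"""Switch the OID references in jps-config.xml from ldap:// to ldaps://.

Added example for the step above; the sample file content is constructed."""
import re
import shutil
import sys

# Constructed fragment in the shape of an OID re-associated jps-config.xml:
# every service instance that points at OID carries an ldap.url property.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.type" value="OID"/>
      <property name="ldap.url" value="ldap://10.0.0.5:3060"/>
    </serviceInstance>
    <serviceInstance name="policystore.ldap" provider="ldap.policystore.provider">
      <property name="policystore.type" value="OID"/>
      <property name="ldap.url" value="ldap://10.0.0.5:3060"/>
    </serviceInstance>
    <serviceInstance name="credstore.ldap" provider="ldap.credentialstore.provider">
      <property name="ldap.url" value="ldap://10.0.0.5:3060"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# Any plaintext LDAP URL; "ldaps://" does not match because of the ':' right after 'p'.
PLAINTEXT_URL = re.compile(r"ldap://[^\"'<>\s]+")


def rewrite_ldap_urls(text, host, plain_port=3060, ssl_port=3131):
    """Return (new_text, replacements). Rewrites ldap://host:plain_port to
    ldaps://host:ssl_port and nothing else; if any other plaintext ldap://
    URL would remain, raise instead of leaving a silent clear-text path."""
    target = re.compile(r"ldap://" + re.escape(host) + ":" + str(plain_port) + r"(?!\d)")
    new_text, count = target.subn(f"ldaps://{host}:{ssl_port}", text)
    leftover = sorted(set(PLAINTEXT_URL.findall(new_text)))
    if leftover:
        raise ValueError("plaintext LDAP URLs still present: " + ", ".join(leftover))
    return new_text, count


def rewrite_file(path, host):
    """Back the file up as <path>.bak, rewrite it in place, return the count."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, count = rewrite_ldap_urls(text, host)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return count


if __name__ == "__main__":
    # usage: python this.py <DOMAIN_HOME>/config/fmwconfig/jps-config.xml <OID host or IP>
    if len(sys.argv) == 3:
        print(f"{rewrite_file(sys.argv[1], sys.argv[2])} URL(s) switched to ldaps")
    else:
        out, n = rewrite_ldap_urls(SAMPLE_JPS_CONFIG, "10.0.0.5")
        print(f"{n} URL(s) switched in the sample:\n{out}")
```

Run it against the real file with the OID host as the second argument; the .bak copy is what you restore if the servers fail to start after the change.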

One-Way-SSL between Presentation and Application WebLogic Servers


Following are the steps to configure one-way SSL between the presentation and application WebLogic servers: the application domain's server presents a certificate and the presentation domain trusts it; no client certificate is requested.

Generate Server Private Key and Certificate


Open a command prompt and go to the Application domain home.

Execute setDomainEnv.cmd, which is available in the bin folder of the domain; it puts weblogic.jar on the classpath, which the utils.CertGen and utils.ImportPrivateKey tools used below require.

Now run the following command:


java utils.CertGen -selfsigned -certfile SampleSelfCA.cer -keyfile SampleSelfKey.key -keyfilepass welcome1 -cn "Sample Self CA"

This writes the certificate as SampleSelfCA.cer.pem and SampleSelfCA.cer.der and the private key as SampleSelfKey.key.pem and SampleSelfKey.key.der; the later steps use those file names.

The value given to -cn becomes the certificate's subject CN. WebLogic performs hostname verification on its outbound SSL connections by default, and "Sample Self CA" does not match the application server's hostname, so for anything beyond a sandbox set -cn to the hostname the presentation domain will use to reach the application server, and use a stronger -keyfilepass than welcome1.

Create the Identity Keystore


Now run this command; it creates SampleIdentityStore.jks if it does not exist and stores the private key and certificate under the alias sampletrustself:
java utils.ImportPrivateKey -keystore SampleIdentityStore.jks -storepass welcome1 -keypass welcome1 -alias sampletrustself -certfile SampleSelfCA.cer.pem -keyfile SampleSelfKey.key.pem -keyfilepass welcome1

Import the Certificate into a new Trust keystore


Execute the following command; keytool creates SampleTrust.jks if it does not exist:
keytool -import -trustcacerts -alias sampletrustself -keystore SampleTrust.jks -file SampleSelfCA.cer.der
It will prompt for a keystore password: enter welcome1. Because the certificate is self-signed and does not chain to anything in the JDK's cacerts, keytool then asks whether to trust this certificate; answer yes.

Configure Application Domain WebLogic with Custom Identity and Trust keystores
Open the WebLogic admin console, go to Home > Summary of Servers > AdminServer and click on the Keystores tab.

Click on the Change button.

Select Custom Identity and Custom Trust from the drop-down and press the Save button.

Provide the following details:


Custom Identity Keystore: absolute path of the SampleIdentityStore.jks file
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: welcome1
Confirm Custom Identity Keystore Passphrase: welcome1
Custom Trust Keystore: absolute path of the SampleTrust.jks file
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: welcome1
Confirm Custom Trust Keystore Passphrase: welcome1

Keystore settings are per server. The steps here configure AdminServer; repeat the Keystores and SSL settings for every managed server in the application domain that the presentation domain actually calls.
Click the Save button and click on the SSL tab.

Provide the following details and click the Save button:


Private Key Alias: sampletrustself
Private Key Passphrase: welcome1
Confirm Private Key Passphrase: welcome1

Click on the Advanced link.

Make sure Two Way Client Cert Behavior is set to Client Certs Not Requested; this is what keeps the SSL one-way. The Hostname Verification setting on the same page governs the outbound SSL connections a server makes: on the presentation domain's servers it is what rejects a certificate whose CN does not match the application server's hostname, and setting it to None is acceptable only in test environments.
Open the General tab, check the SSL Listen Port Enabled checkbox (the default SSL listen port is 7002) and press the Save button.

Now restart the admin server of the Application Domain.


Check the admin server log file: it should show the SSL configuration being loaded, the identity keystore and alias in use, and the SSL listener starting on port 7002. A wrong keystore path, passphrase or alias appears here as an error and the SSL port does not come up.

Now browse to https://localhost:7002/console


All being well, the server presents the client with the self-signed certificate, and the browser warns because it does not yet trust it. The following steps use Internet Explorer's dialogs; other browsers have equivalents.

Click on the Certificate Error button.

Click on the Install Certificate button and follow the instructions. When you next go into the Certificate Management screen you will see SampleSelfCA.cer listed under Trusted Root Certification Authorities.

Click on the Export button.

Press the Next button.

Select Base-64 encoded X.509 (.CER) and click on the Next button.

Specify the file name and click the Next button.

Click the Finish button.

The exported file is the same certificate as the SampleSelfCA.cer.pem produced by CertGen, so that file can be copied to the presentation domain host directly instead of going through the browser.

Import Certificate in the JRE of Presentation Domain


Go to <MIDDLEWARE_HOME>\<JDK_HOME>\jre\lib\security

Run the following command:


keytool -import -alias sampletrustself -file D:\SampleSelfCA.cer -keystore cacerts
It will prompt for the keystore password; enter changeit (the JDK default). Answer yes when asked whether to trust the certificate.

This takes effect only if the presentation domain's servers trust the JDK cacerts, which is the case for the default Demo Trust and for Java Standard Trust. If the presentation domain has been switched to a Custom Trust keystore, import the certificate into that keystore instead. List the keystore with keytool to confirm the entry is present before restarting, and remember that the entry is lost if the JDK is replaced or upgraded.

Now restart the admin server of the Presentation Domain.
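The whole keystore side of the procedure above (identity keystore, trust keystore and the import into the presentation JRE's cacerts) as an added example that is not part of the original document. It uses keytool alone, with keytool -genkeypair in place of utils.CertGen and utils.ImportPrivateKey (which need weblogic.jar on the classpath), so it runs on any host with a JDK; it sets the certificate CN to the application server's hostname so WebLogic's hostname verification passes, and it checks each store afterwards rather than trusting the console alone. The hostname localhost, the passphrases, the temporary working directory and the throw-away file standing in for cacerts are assumptions for the example; on a real presentation host the cacerts path is <MIDDLEWARE_HOME>\<JDK_HOME>\jre\lib\security\cacerts.

```python
"""Build WebLogic one-way-SSL keystores with keytool and verify them.

Added example: keytool -genkeypair replaces utils.CertGen/ImportPrivateKey from
the procedure above. Assumes a JDK's keytool is on PATH.
"""
import os
import shutil
import subprocess
import tempfile

KEYTOOL_AVAILABLE = shutil.which("keytool") is not None


def keytool(*args):
    """Run one keytool command and return its stdout. -J-Duser.language=en keeps
    the output parseable whatever the host locale is."""
    proc = subprocess.run(["keytool", "-J-Duser.language=en", *args],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"keytool {args[0]} failed: {proc.stderr.strip()}")
    return proc.stdout


def build_keystores(workdir, host, storepass, keypass=None, alias="sampletrustself"):
    """Create the identity keystore (private key + self-signed cert), export the
    certificate in Base-64 form and import it into a new trust keystore.
    Returns the paths of the three files."""
    keypass = keypass or storepass
    identity = os.path.join(workdir, "SampleIdentityStore.jks")
    trust = os.path.join(workdir, "SampleTrust.jks")
    cert = os.path.join(workdir, "SampleSelfCA.cer.pem")

    # Identity: CN (and SAN, JDK 7+) set to the hostname the presentation domain
    # will connect to, so WebLogic's default hostname verifier accepts it.
    keytool("-genkeypair", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
            "-sigalg", "SHA256withRSA", "-validity", "365",
            "-dname", f"CN={host}", "-ext", f"SAN=dns:{host}",
            "-keystore", identity, "-storetype", "JKS",
            "-storepass", storepass, "-keypass", keypass)

    # Export the certificate only (never the private key) for the trust side.
    keytool("-exportcert", "-rfc", "-alias", alias, "-file", cert,
            "-keystore", identity, "-storepass", storepass)

    # Trust store: the self-signed cert is its own root; -noprompt answers the
    # "Trust this certificate?" question that -trustcacerts would otherwise ask.
    keytool("-importcert", "-noprompt", "-trustcacerts", "-alias", alias,
            "-file", cert, "-keystore", trust, "-storetype", "JKS",
            "-storepass", storepass)
    return {"identity": identity, "trust": trust, "cert": cert}


def import_into_cacerts(cacerts, cert, alias="sampletrustself", storepass="changeit"):
    """The presentation-domain step: add the application server's certificate to
    the JDK cacerts (or a custom trust keystore) under the given alias."""
    keytool("-importcert", "-noprompt", "-alias", alias, "-file", cert,
            "-keystore", cacerts, "-storepass", storepass)


def has_entry(keystore, storepass, alias, entry_type):
    """True if the keystore holds `alias` as `entry_type`
    ('PrivateKeyEntry' or 'trustedCertEntry')."""
    try:
        out = keytool("-list", "-keystore", keystore, "-storepass", storepass,
                      "-alias", alias)
    except RuntimeError:  # alias absent: keytool exits non-zero
        return False
    return entry_type in out


def demo(host="localhost", storepass="welcome1"):
    """Run the whole pipeline in a temporary directory and report what was
    verified. A throw-away file stands in for the presentation JRE's cacerts."""
    workdir = tempfile.mkdtemp(prefix="obp-ssl-")
    paths = build_keystores(workdir, host, storepass)
    cacerts = os.path.join(workdir, "cacerts")
    import_into_cacerts(cacerts, paths["cert"])
    return {
        "identity_has_key": has_entry(paths["identity"], storepass, "sampletrustself", "PrivateKeyEntry"),
        "trust_has_cert": has_entry(paths["trust"], storepass, "sampletrustself", "trustedCertEntry"),
        "cacerts_has_cert": has_entry(cacerts, "changeit", "sampletrustself", "trustedCertEntry"),
        "workdir": workdir,
    }


if __name__ == "__main__":
    if KEYTOOL_AVAILABLE:
        print(demo())
    else:
        print("keytool not found on PATH; install a JDK first")
```

The three keytool invocations are the same ones to type into the command prompt on the application host; only the paths and the hostname change. Keeping the private key in the identity keystore and exporting just the certificate is the point of the split: the trust side, including cacerts on the presentation host, never receives key material.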