
WebLogic Server 11g and 12c : Configure SSL for a Managed Server

By default WebLogic managed servers are configured with demo identity and trust information. This should be reconfigured to use real, or self-signed certificates. This article describes how this is done.

Related articles.

Create Keystores and Certificates

In order to configure SSL for a managed server, you are going to need identity and trust keystores and a certificate. If you don't have a real certificate, you can create a self-signed certificate, as described here and in this article.

For this article we will use a self-signed certificate, created using the keytool utility. Perform the following steps as the "oracle" user.

Make a directory to hold the keystores.

$ mkdir ~/keystore
$ cd ~/keystore

Create the identity and trust keystores using the following commands. Notice the result of the hostname command is used in the "CN=" entry.

$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore identity.jks \
   -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 3600 -keysize 2048 -keypass password1

$JAVA_HOME/jre/bin/keytool -selfcert -v -alias selfsigned -keypass password1 -keystore identity.jks \
   -storepass password1 -storetype jks -validity 3600

$JAVA_HOME/jre/bin/keytool -export -v -alias selfsigned -file "`hostname`-rootCA.der" -keystore identity.jks \
   -storepass password1

# Trust? yes
$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned -file "`hostname`-rootCA.der" \
   -keystore trust.jks -storepass password1

We now have a self-signed certificate in a keystore with the following details, which will be referred back to later.

Clustered Environments

If you are working with WebLogic clusters spanning multiple machines, you have to make sure all certificates in the cluster are marked as trusted, otherwise the AdminServer will not be able to communicate with all the node managers.

Assuming you have a two node cluster, as described in this article, you would have to do the following.

Make sure you have followed the process described in the previous section on each of the machines making up the cluster before continuing.

Make sure all certificates are available on all nodes by copying them into the keystore folders on each server.

cd ~/keystore
scp wls11g-1.localdomain-rootCA.der oracle@wls11g-2.localdomain:/home/oracle/keystore
scp oracle@wls11g-2.localdomain:/home/oracle/keystore/wls11g-2.localdomain-rootCA.der .

On the first node, load the certificate generated on the second node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-2.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1

On the second node, load the certificate generated on the first node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-1.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1

You can now continue with the rest of the configuration.

Configure SSL for Managed Server

This process should be followed for the AdminServer and all managed servers.

The managed server will now be using the new identity and trust keystores.

Configure Node Manager

Edit the "$WL_HOME/common/nodemanager/nodemanager.properties" file, adding the following entries. The values used reflect the information used to create the keystores above.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/home/oracle/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=password1
CustomIdentityPrivateKeyPassPhrase=password1
CustomIdentityAlias=selfsigned
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/oracle/keystore/trust.jks
CustomTrustKeyStorePassPhrase=password1

Restart the node manager.
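As an added example that is not part of the original article, the following POSIX shell check validates a nodemanager.properties file against the entries above before the restart. It assumes the file uses exactly the key names listed; keytool is only needed for the optional alias check.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the custom
# identity/trust entries in nodemanager.properties before restarting
# Node Manager. Assumes the key names used in the article.

# prop FILE KEY -> prints the value of KEY (empty if absent)
prop() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_nm_props FILE -> returns 0 if the entries are consistent, 1 otherwise;
# every problem found is reported on stderr.
check_nm_props() {
    f=$1; rc=0
    [ "$(prop "$f" KeyStores)" = "CustomIdentityAndCustomTrust" ] || {
        echo "KeyStores must be CustomIdentityAndCustomTrust" >&2; rc=1; }
    # Both keystore paths must point at readable files on this node.
    for k in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
        p=$(prop "$f" "$k")
        [ -n "$p" ] && [ -r "$p" ] || { echo "$k: '$p' is not readable" >&2; rc=1; }
    done
    # Pass phrases and the identity alias must be present (Node Manager
    # cannot open the keystores without them).
    for k in CustomIdentityKeyStorePassPhrase CustomIdentityPrivateKeyPassPhrase \
             CustomTrustKeyStorePassPhrase CustomIdentityAlias; do
        [ -n "$(prop "$f" "$k")" ] || { echo "$k is not set" >&2; rc=1; }
    done
    # The keystores created with keytool above are JKS.
    for k in CustomIdentityKeystoreType CustomTrustKeystoreType; do
        [ "$(prop "$f" "$k")" = "jks" ] || { echo "$k must be jks" >&2; rc=1; }
    done
    return $rc
}

# check_identity_alias FILE -> optional: confirm the configured alias really
# exists in the identity keystore (needs keytool on PATH; 0 = found).
check_identity_alias() {
    f=$1
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    keytool -list -keystore "$(prop "$f" CustomIdentityKeyStoreFileName)" \
        -storepass "$(prop "$f" CustomIdentityKeyStorePassPhrase)" \
        -alias "$(prop "$f" CustomIdentityAlias)" >/dev/null 2>&1 \
        || { echo "alias not found in identity keystore" >&2; return 1; }
}
```

Run it as `check_nm_props $WL_HOME/common/nodemanager/nodemanager.properties && check_identity_alias $WL_HOME/common/nodemanager/nodemanager.properties` on each node before restarting Node Manager.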

Basic Constraints Extension Error

If you are using an older JRE, like Java 1.6, you may get the following type of error in the AdminServer logs.

<BEA-090548> <The certificate chain received from ??? contained a V3 CA certificate
which was missing the basic constraints extension>

To fix this we need to replace the old certificates used by the JRE, and therefore keytool, when generating our self-signed certificates.

Perform the following operations as the "oracle" user.

Check that you know the password for the JRE's keystore. The default is "changeit".

cd $JAVA_HOME/jre/lib/security
$JAVA_HOME/bin/keytool -keystore cacerts -list -storepass changeit

If that works, you are good to proceed. Make the "cacerts" file writable and remove the old Entrust root certificate.

cd $JAVA_HOME/jre/lib/security
chmod 755 cacerts
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrust2048ca -storepass changeit

Download the following updated certificates and place them in the security directory on the server.

Perform the following commands to load the certificates. The comment above certain commands gives you an idea of answers to prompts, or possible outcomes.

# Trust? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer -storepass changeit
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer -storepass changeit
# Overwrite? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer -storepass changeit
# May fail. That's OK.
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrustsslca -storepass changeit

You will have to recreate the keystores you built previously, so they will use the new certificates.

Once this is done, restart the node manager and any domains using the identity and trust keystores.

For more information see:

Hope this helps. Regards Tim...
