How to create self signed certificate in Weblogic

There are two ways to generate certificates for WebLogic Server.

1. CA Signed Certs

CA-signed certificates are recommended. Some well-known Certificate Authorities (CAs) are listed below:

http://www.verisign.com/
http://www.thawte.com/
Home Data Security

2. Self-Signed Certs

Self-Signed Certificates are meant to secure the communication between servers and WebLogic Server components, such as Node Manager.

Below are steps for creating and using Self-Signed Certificates in WebLogic Server.

Below are the locations and passwords assumed.

Certificates will be located at: /opt/ssl/tmp
Keypass=privatepassword
Storepass=password

Generate the certificate on the machine where the remote Node Manager runs.

— GENERATING CERTIFICATE

Create a Directory. For example:
mkdir /opt/ssl/tmp
Get into the directory. For example:
cd /opt/ssl/tmp
Run the following keytool command:

keytool -genkey -alias selfsignedcert -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365

Expected output:
What is your first and last name?
[Unknown]: tp.techpaste.com => Machine name
What is the name of your organizational unit?
[Unknown]: Support => Organizational Unit
What is the name of your organization?
[Unknown]: TechPaste => Organization
What is the name of your City or Locality?
[Unknown]: Boston => City
What is the name of your State or Province?
[Unknown]: Massachusetts => State
What is the two-letter country code for this unit?
[Unknown]: US => Country code
Is CN=tp.techpaste.com, OU=Support, O=TechPaste, L=Boston, ST=Massachusetts, C=CL correct?
[no]: yes
Export the certificate from the identity keystore into a file, for example root.cer:

keytool -export -alias selfsignedcert -file root.cer -keystore identity.jks

Expected Output:
Enter keystore password: <password>
Certificate stored in file <root.cer>
Import the certificate you exported into trust.jks.
keytool -import -alias selfsignedcert -trustcacerts -file root.cer -keystore trust.jks
Expected Output:
Enter keystore password:
Re-enter new password:
Owner: CN=tp.techpaste.com, OU=Support, O=Oracle, L=Boston, ST=Massachusetts, C=CL
Issuer: CN=tp.techpaste.com, OU=Support, O=Oracle, L=Boston, ST=Massachusetts, C=CL
Serial number: 4e1b67e3
Valid from: Mon Jul 11 17:15:15 CLT 2011 until: Tue Jul 10 17:15:15 CLT 2012
Certificate fingerprints:
MD5: 74:EC:1E:90:05:EC:E6:49:62:52:B9:72:20:BF:30:3F
SHA1: 5C:6E:80:94:9C:72:15:DC:F7:5F:49:DD:2F:2B:D2:49:7C:4C:0C:A0
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Repeat these steps on each machine that has a Node Manager.
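
The same three keytool steps as one non-interactive script, as an added example that is not part of the original article: the prompts are answered with -dname, a Subject Alternative Name for the host is added so the certificate also satisfies hostname verification, and both keystores are checked before their paths go into the console. The directory, alias and passwords are the ones assumed above; the host name is an argument and the function names are this example's own. It goes beyond the article's command by requesting a 2048-bit key and SHA256withRSA, since the SHA1withRSA signature shown in the output above is deprecated.

```shell
#!/bin/sh
# Added example (not the article's own script): build identity.jks, root.cer
# and trust.jks for one Node Manager host in a single run.
# Usage: sh make_keystores.sh /opt/ssl/tmp tp.techpaste.com

ALIAS=selfsignedcert
STOREPASS=password        # article's assumed Storepass
KEYPASS=privatepassword   # article's assumed Keypass

# Generate the key pair and self-signed certificate in identity.jks.
# -dname replaces the interactive prompts; -ext SAN names the host as well.
gen_identity() {            # $1 = directory, $2 = host name (used as CN and SAN)
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$2, OU=Support, O=TechPaste, L=Boston, ST=Massachusetts, C=US" \
        -ext "SAN=dns:$2" \
        -keystore "$1/identity.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Export the certificate (public part only, no private key) to root.cer.
export_cert() {             # $1 = directory
    keytool -exportcert -alias "$ALIAS" -file "$1/root.cer" \
        -keystore "$1/identity.jks" -storepass "$STOREPASS"
}

# Import root.cer into trust.jks as a trusted certificate entry.
import_trust() {            # $1 = directory
    keytool -importcert -alias "$ALIAS" -file "$1/root.cer" -noprompt \
        -keystore "$1/trust.jks" -storetype JKS -storepass "$STOREPASS"
}

# Count entries of one kind (PrivateKeyEntry or trustedCertEntry) in a keystore.
count_entries() {           # $1 = keystore, $2 = entry kind
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | grep -c "$2" || true
}

# Extract the CN from an exported certificate file.
cert_cn() {                 # $1 = certificate file
    keytool -printcert -file "$1" 2>/dev/null \
        | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p'
}

# Run the whole procedure and fail if either keystore does not hold what
# the console settings expect: one private key, one trusted certificate.
build_keystores() {         # $1 = directory, $2 = host name
    mkdir -p "$1" || return 1
    gen_identity "$1" "$2" >/dev/null 2>&1 || return 1
    export_cert "$1" >/dev/null 2>&1 || return 1
    import_trust "$1" >/dev/null 2>&1 || return 1
    [ "$(count_entries "$1/identity.jks" PrivateKeyEntry)" = 1 ] || return 1
    [ "$(count_entries "$1/trust.jks" trustedCertEntry)" = 1 ] || return 1
}

if [ "$#" -eq 2 ]; then
    build_keystores "$1" "$2" && echo "keystores written to $1 for CN=$2"
fi
```

Newer JDKs print a warning that JKS is a proprietary format; the type is kept as JKS here because that is what the console and nodemanager.properties settings below declare. The private key never leaves identity.jks; only root.cer is copied into the trust store.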

— CONFIGURING IN WEBLOGIC

Log into the WLS Administration Console.
Go to Environment -> Domain -> Servers -> Admin Server.
Go to the Keystores tab and click on change.
Select Custom Identity and Custom Trust.
Fill in the fields with the following information:

Custom Identity Keystore: /opt/ssl/tmp/identity.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: password
Confirm Custom Identity Keystore Passphrase: password
Custom Trust Keystore: /opt/ssl/tmp/trust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: password
Confirm Custom Trust Keystore Passphrase: password
Save configuration and click on activate changes if necessary.
On the SSL tab, fill in the fields with the following information:

Private Key Alias: selfsignedcert
Private Key Passphrase: privatepassword
Confirm Private Key Passphrase: privatepassword

— CONFIGURING NODE MANAGER

Modify nodemanager.properties. Insert the following lines at the end:

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/opt/ssl/tmp/identity.jks
CustomIdentityAlias=selfsignedcert
CustomTrustKeyStoreFileName=/opt/ssl/tmp/trust.jks
CustomIdentityPrivateKeyPassPhrase=privatepassword
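
As an added example that is not part of the article, a small shell helper that writes these five properties into an existing nodemanager.properties without leaving duplicate keys (a second hand edit often appends a second KeyStores line, and the last one wins), then verifies that the keystore files the properties point at exist before Node Manager is restarted. The values are the ones assumed above; the function names are this example's own. Because the file carries the private key passphrase in clear text, the helper also restricts it to the owner.

```shell
#!/bin/sh
# Added example (not from the article): set the Node Manager keystore
# properties idempotently and sanity-check them.
# Usage: sh nm_ssl_props.sh /path/nodemanager.properties /opt/ssl/tmp selfsignedcert privatepassword

# Set KEY=VALUE, replacing an existing KEY= line or appending when absent.
# Only the plain key=value form is handled, which is what the article uses.
set_prop() {                 # $1 = file, $2 = key, $3 = value
    f=$1; k=$2; v=$3
    touch "$f"
    if grep -q "^$k=" "$f"; then
        # rewrite through a temp file; portable, no sed -i
        awk -v k="$k" -v v="$v" \
            'index($0, k "=") == 1 { print k "=" v; next } { print }' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s=%s\n' "$k" "$v" >> "$f"
    fi
}

# Read a value back; the last occurrence wins, as java.util.Properties does.
get_prop() {                 # $1 = file, $2 = key
    awk -v k="$2" \
        'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Write the five properties the article adds for CustomIdentityAndCustomTrust.
configure_nm_ssl() {         # $1 = properties file, $2 = keystore dir, $3 = alias, $4 = key passphrase
    set_prop "$1" KeyStores CustomIdentityAndCustomTrust
    set_prop "$1" CustomIdentityKeyStoreFileName "$2/identity.jks"
    set_prop "$1" CustomIdentityAlias "$3"
    set_prop "$1" CustomTrustKeyStoreFileName "$2/trust.jks"
    set_prop "$1" CustomIdentityPrivateKeyPassPhrase "$4"
    chmod 600 "$1"           # the passphrase is stored in clear text
}

# Pre-flight check: a missing keystore file is one cause of the security
# exception described above when Node Manager starts a server.
check_nm_ssl() {             # $1 = properties file
    [ "$(get_prop "$1" KeyStores)" = CustomIdentityAndCustomTrust ] || return 1
    for key in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
        path=$(get_prop "$1" "$key")
        [ -n "$path" ] && [ -f "$path" ] || return 1
    done
}

if [ "$#" -eq 4 ]; then
    configure_nm_ssl "$@" && check_nm_ssl "$1" && echo "nodemanager.properties updated and verified"
fi
```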

When a server is started through Node Manager, the start may fail with a security exception (for example a BAD CERTIFICATE error).

If so, configure the machine's Node Manager entry to use SSL instead of a plain connection:

– Environment > Machines

– Select the machine to configure

– Go to Configuration > Node Manager and switch the type to SSL

— DISABLING HOSTNAME VERIFICATION

NOTE: Disabling hostname verification is not recommended in production environments. It is only recommended for testing purposes.

The hostname verification ensures that the hostname in the URL to which the client connects matches the hostname in the digital certificate that the server sends back as part of the SSL connection.

To disable hostname verification for testing purposes, follow these steps:

Go to Environment -> Domain -> Servers -> Admin Server.

Click on the SSL tab.

Click on Advanced.

On Hostname Verification, select NONE.

Save and activate changes.

In the Node Manager startup script, find the line that invokes JAVA and add the option

-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false

After this change, the script should look like this:

(----)
"${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" weblogic.NodeManager -v
(----)
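
Before switching verification off, it is worth checking whether the certificate actually names the host that Node Manager is reached under; if it does, the error goes away without weakening anything. The following added example (not from the article) reads an exported certificate with keytool -printcert and compares a host name against its Subject Alternative Name DNS entries, falling back to the CN only when the certificate has no DNS SAN, which is the RFC 6125 rule; a single-label wildcard such as *.example.test is honoured. The function names are this example's own, and it makes no claim about how WebLogic's own verifier weighs CN against SAN.

```shell
#!/bin/sh
# Added example (not the article's): does this certificate name this host?
# Usage: sh cert_host_check.sh /opt/ssl/tmp/root.cer tp.techpaste.com

# Print the names a verifier should compare against: every DNSName from the
# SubjectAlternativeName extension, or the CN only when no DNSName exists.
cert_names() {               # $1 = certificate file (DER or PEM)
    keytool -printcert -file "$1" 2>/dev/null | awk '
        /^Owner:/ && match($0, /CN=[^,]*/) { cn = substr($0, RSTART + 3, RLENGTH - 3) }
        /^ *DNSName:/ { sub(/^ *DNSName: */, ""); sans = sans $0 "\n" }
        END { if (sans != "") printf "%s", sans; else if (cn != "") print cn }'
}

# Match one certificate name against a host; both are expected lower-case.
# A wildcard covers exactly one leftmost label (a.example.test, not a.b.example.test
# and not example.test itself).
name_matches() {             # $1 = name from certificate, $2 = host name
    case $1 in
        \*.*) [ "${2#*.}" = "${1#\*.}" ] && [ "${2%%.*}" != "$2" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Exit 0 when at least one relevant name in the certificate matches the host.
cert_matches_host() {        # $1 = certificate file, $2 = host name
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_names "$1" | tr 'A-Z' 'a-z' | while read -r name; do
        name_matches "$name" "$host" && echo "$name"
    done | grep -q .
}

if [ "$#" -eq 2 ]; then
    if cert_matches_host "$1" "$2"; then
        echo "certificate $1 names host $2; hostname verification can stay on"
    else
        echo "certificate $1 does not name host $2; reissue it with SAN=dns:$2"
        exit 1
    fi
fi
```

When the check fails, the fix that keeps verification enabled is to regenerate the certificate with the host name in its CN and SAN (keytool's -ext SAN=dns:hostname) rather than to set the flag above.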

4 Responses

  1. Hi,
    can anyone please reply
    and explain with an example?

    If two managed servers are there and the same domain is configured on both servers, but one server has crashed, then how can you create a domain with the same configuration?