
What is SSL ? and How to configure SSL, Keystores and Certificates for Oracle Weblogic Server ?

Video Tutorial

In this post I will briefly explain the concepts of SSL (Secure Sockets Layer) and how to configure SSL for Oracle Weblogic Server. Please watch the video for a detailed explanation.

SSL and Keystores Overview

  • SSL & Its Capabilities
    • SSL is an industry standard for securing communications between a client and a server (in most cases between your browser and the web server)
  • Public & Private Key Cryptography
  • SSL Handshake Request Flow
  • Keystore Providers
  • Keystore Types

Keystore Creation Using EM Console

  • Log in to the Fusion Middleware EM Console using the URL below and the Weblogic administrator credentials

  • Navigate to Weblogic Domain -> Security -> Keystore
  • Click Create Keystore button
  • Provide new Keystore details and click OK
  • Verify new Keystore under System stripe

Keypair & CSR Creation Using EM Console

  • Select the new Keystore and click Manage
  • Provide Keystore password and click OK
  • Click Generate Keypair which creates a public-private keypair
  • Provide details for your new keypair and click OK
  • Verify the new keypair details. Select it and click Generate CSR to generate a Certificate Signing Request
  • Provide password when prompted
  • Copy the CSR content or export it to your local machine and send it to a third-party Certificate Authority, who will provide a digitally signed certificate and the trust certificates

Import Certificates Using EM Console

  • Select the alias and click Import on the EM Console. Provide the Keystore password when prompted
  • Provide details of the received certificates and click OK
    • Select either Trusted Certificate or Certificate depending on the type of certificate you are importing
    • Select the alias from the drop down. Please select the same alias used while generating the CSR
    • Provide the password for your Keystore
    • For Certificate Source, you can either paste the certificate content directly or select the file received from the CA

Keystore Creation Using JAVA Keytool

  • Keytool is a key and certificate management utility that ships with the JDK
  • Make sure the Java executable is on the PATH environment variable
  • Create a directory to store your keystores

  • Navigate to DOMAIN_HOME/bin and set domain environment variables

  • Navigate to the keystore directory created earlier and execute keytool command to create a keystore. Provide required passwords when prompted

  • Make sure mytestkeystore.jks file is created. The details of the keystore can be viewed using below command

CSR Creation Using JAVA Keytool

  • Make sure the Java executable is on the PATH environment variable and the domain environment is set as described in the section above
  • Navigate to the keystore directory and execute below keytool command to generate CSR

  • This is the CSR file generated

Import Certificates Using JAVA Keytool

  • Make sure the Java executable is on the PATH environment variable and the domain environment is set as described in the section above
  • Navigate to the keystore directory and execute below keytool command to import Root / Trust Certificates received from CA
    • Cacert : Name of CA’s signed public certificate
    • Cacert-alias : Alias of CA’s signed public certificate

  • Navigate to the keystore directory and execute below keytool command to import Server Signed Certificates received from CA
    • mytestalias : Alias of the keypair used while generating the CSR
    • server_signed_cert : Server Signed Certificate received from CA
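The keytool procedure from the three sections above (keystore creation, CSR creation, certificate import), as an added example that is not part of the original post: a locally generated CA keystore (ca.jks) stands in for the third-party CA, and all file names, passwords and -dname values are constructed, with mytestkeystore.jks, mytestalias, cacert and server_signed_cert kept from the post's naming.

```shell
#!/bin/sh
# Added example, not from the original post: create the keystore, generate the
# CSR, and import the CA and signed certificates with keytool, end to end. A
# locally generated CA keystore (ca.jks) stands in for the third-party CA; all
# file names, aliases, passwords and -dname values are constructed.
set -e
KSDIR="${KSDIR:-$(mktemp -d)}"
STOREPASS="changeit"   # constructed; use a strong passphrase on a real server

# Runs the whole flow in $KSDIR and returns 0 on success. If no JDK keytool is
# on PATH (the post's first prerequisite) it prints a notice and returns 0.
weblogic_keystore_flow() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping"; return 0; }
  cd "$KSDIR" && rm -f ca.jks cacert.pem mytestkeystore.jks mytest.csr server_signed_cert.pem
  # Stand-in CA: one keypair marked as a CA (BasicConstraints), exported as cacert.pem.
  keytool -genkeypair -alias cacert-alias -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Stand-in Test CA, O=Example" -ext bc:c \
    -keystore ca.jks -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -alias cacert-alias -rfc -file cacert.pem \
    -keystore ca.jks -storepass "$STOREPASS"
  # Keystore creation: -storetype JKS is explicit because JDK 9+ defaults to
  # PKCS12, and the WebLogic console step below expects type JKS.
  keytool -genkeypair -alias mytestalias -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=wls.example.test, O=Example" \
    -keystore mytestkeystore.jks -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  # CSR creation for the keypair alias.
  keytool -certreq -alias mytestalias -file mytest.csr \
    -keystore mytestkeystore.jks -storepass "$STOREPASS" -keypass "$STOREPASS"
  # The CA signs the CSR; in the post this file comes back from the CA.
  keytool -gencert -alias cacert-alias -infile mytest.csr -outfile server_signed_cert.pem \
    -rfc -validity 365 -keystore ca.jks -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Import the trust (CA) certificate under its own alias ...
  keytool -importcert -noprompt -trustcacerts -alias cacert-alias -file cacert.pem \
    -keystore mytestkeystore.jks -storepass "$STOREPASS"
  # ... then the signed server certificate under the SAME alias as the keypair,
  # which replaces the self-signed certificate with the CA-issued chain.
  keytool -importcert -noprompt -alias mytestalias -file server_signed_cert.pem \
    -keystore mytestkeystore.jks -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Verify with keytool -list, as the post suggests: the key entry must now
  # carry a two-certificate chain (server certificate + CA certificate).
  keytool -list -v -alias mytestalias -keystore mytestkeystore.jks -storepass "$STOREPASS" \
    | grep -q "Certificate chain length: 2"
}

weblogic_keystore_flow
```

The resulting mytestkeystore.jks is what the "Custom Identity Key Store" field in the console section below points at; in production the CSR is sent to the real CA instead of being signed by ca.jks.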

Weblogic Keystore Configuration using Administration Console

  • Log in to the Weblogic Administration Console using the URL below and the Weblogic Admin credentials

  • Navigate to Environment -> Servers -> ServerName -> Configuration -> Keystores. By default the DemoTrust and DemoIdentity stores are used
  • Click the Change button, select "Custom Identity and Custom Trust" and click Save
  • Provide details of the Custom Keystore
    • For Oracle Keystore Service (KSS), i.e. the Keystore created using the EM Console
      • Custom Identity Key Store : kss://system/MyTestKeyStore
      • Custom Identity Key Store Type: kss
      • Custom Identity Key Store Passphrase : Keystore Password
      • Confirm Custom Identity Key Store : Confirm Keystore Password
    • For Java KeyStore (JKS), i.e. the Keystore created using Java keytool
      • Custom Identity Key Store : /u01/app/oracle/product/fmw/mykeystore/mytestkeystore.jks
      • Custom Identity Key Store Type: JKS
      • Custom Identity Key Store Passphrase : Keystore Password
      • Confirm Custom Identity Key Store : Confirm Keystore Password
  • If you are using the same Keystore for Trust and Identity, provide the same details in both the Trust and Identity sections. If you are using different Keystores (the preferred method in production environments), provide the respective Keystore details
  • Save and activate the changes. Restart the Managed / Admin server wherever Keystore changes have been made

That's all! You have created and configured Keystores for Weblogic Server. I hope it was helpful. If you have any queries, please post them in the comments section.

2017-07-12T19:05:59+00:00

About the Author:

I am a Senior Cloud Professional specialized in AWS Cloud with 11 years of IT experience. I am enthusiastic about Serverless Architecture. I am an expert in Oracle Fusion Middleware.

16 Comments

  1. Yaswanth June 29, 2016 at 1:16 AM - Reply

    Hi Prasad,

    I have keystore and I did the same way you mentioned in the blog. I have done only for Adminserver (Weblogic), but after restarting the https:host:7002/console is now opening. Its throwing connection time out error.

    Do we need to add the certificate issued by CA in our browser?
    I have checked the admin server log and its mentioned server is running on 7002 port with https.

    Can you please suggest on where it went wrong.

    Thanks,
    Yaswanth

    • pdomala June 29, 2016 at 10:27 AM - Reply

      Did you enable SSL for admin server on weblogic console? Also make sure 7002 port is listening using netstat. If both are set properly you should get a certification warning as it is self signed. You need to accept the certificate and you should be able to login to the console.

  2. Yaswanth June 29, 2016 at 1:17 AM - Reply

    sorry for the typo. https:***/console is not* opening

  3. Abdul June 29, 2016 at 3:23 PM - Reply

    I have activated the checkbox
    Listen port 7001
    SSL listen port 7002
    Save & activate changes
    Restart SSL AdminServer but netstat 7002 not listening

  4. Yaswanth June 30, 2016 at 12:25 AM - Reply

    Hi Prasad,

    I have done the same and restarted the admin server. Even in log I could see SSL configured on 7002 port. But browser is not popping up for any certificate to add. Moreover, its throwing ERR_CONNECTION_TIMED_OUT. I tried IE and chrome.

    Any further suggestions please.

    Thanks,
    Yaswanth

    • Yaswanth June 30, 2016 at 10:34 AM - Reply

      netstat 7002 is LISTEN in my case.

      • pdomala June 30, 2016 at 1:43 PM - Reply

        Check firewall settings. Do a telnet test from the machine where you are running the browser.

  5. kannan July 1, 2016 at 2:56 PM - Reply

    Hi Prasad,

    Awesome blog. Could you please explain about jrockit


  7. Adil Muthukoya September 26, 2016 at 3:08 PM - Reply

    Hi Prasad,

    Your blog is really helpful to make the basics strong about SSL.

    Right now I am facing an issue after upgrading the jRockit version from R28.2.9 to 28.3.11 (patch 23218381). My node manager is not reachable with the below exception
    “javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown”.
    The issue occurs when the type is SSL. It works fine with PLAIN. I am not in a production environment as of now, so I am using ‘DemoIdentity and DemoTrust’.
    I suspect the issue is with the certs in JDK. I tried importing Demo.crt and trust.crt to JDK cacerts. Still the issue is not resolved.
    I am really stuck at this point. It will be really helpful if you can give any ideas on this.

    Thanks in advance
    Adil

  8. balu November 14, 2016 at 10:15 PM - Reply

    Hi Prasad,

    I’m new to this Banking domain, my Lead asked me to learn Message Queues, Keystores, Trust Stores and Certificates. Could you help me out by posting a video on message queues as well.

    Thanks in advance
    Balu

  9. Raymond M November 24, 2016 at 3:09 PM - Reply

    Hi Prasad,

    My goal is to enable https when accessing enterprise manager and admin console. Will this tutorial help me achieve that?

    I had attempted previously to do this configuration and after restarting admin server, I could no longer access em and console… Is there a way to reset to default settings using the command line?

    Thank you.

  10. Arturo Flores January 27, 2017 at 1:10 PM - Reply

    Hi, good day

    I need some of your help, in your video I see that you write the following instruction: keytool -importcert -file mycert.pem -alias myAlias -keystore myKeystore.jks
    However I get the following error: keytool error: java.io.FileNotFoundException: mycert.pem (The system can not find the specified file)
    Can you please help me know where the mycert.pem is obtained from.

    Thanks for the help

    • pdomala March 23, 2017 at 5:06 AM - Reply

      You can get the .pem file either from third party certificate provider or create your own self signed certificate using keytool.

  11. Anshuman February 11, 2017 at 12:35 AM - Reply

    Hi Prasad,

    I’m getting the same issue as yashwant.
    However I’m trying the URL – https://hostname:7002 from the local Server with WLS on it.
    It is still not returning any message related to the unsigned certificate. I have followed the steps for the Weblogic Admin console & have restarted the Admin server as well. Pls let me know if there are any further steps.

    Thanks,
    Anshuman

  12. Jagadeeshg February 19, 2017 at 12:52 PM - Reply

    Hi Prasad, I am Jagadeesh and working in a private company. Can you please help me with the below query.
    1. We have a ColdFusion server running somewhere in the network.
    2. How can I generate public and private keys to access external web services? The web services are deployed on the ColdFusion server. Please help me with basic steps.
