Recently I needed to test SSL in WebLogic. For that I had to generate a self-signed certificate for WebLogic. We can use the keytool command to generate a self-signed certificate.

Generating Certificate
1. Create a directory to store the certificate. Do not delete this directory; you may need the generated files again later.

mkdir ~/csr
cd ~/csr

2. Create a key pair

keytool -genkey -alias techienote -keyalg RSA -keypass privatepassword -keystore identity.jks -storepass password -validity 365

The above command will ask for the following information. Fill it in carefully.

What is your first and last name?
  [Unknown]:  ubuntu.home.network                                                                                              
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  TECHIENOTE
What is the name of your City or Locality?
  [Unknown]:  MUMBAI
What is the name of your State or Province?
  [Unknown]:  MAHARASHTRA
What is the two-letter country code for this unit?
  [Unknown]:  in
Is CN=ubuntu.home.network, OU=IT, O=TECHIENOTE, L=MUMBAI, ST=MAHARASHTRA, C=IN correct?
  [no]:  yes

3. Export the certificate from identity keystore into a file, say root.cer

keytool -export -alias techienote -file root.cer -keystore identity.jks

OUTPUT

Enter keystore password:  
Certificate stored in file 

Enter the keystore password specified in step 2.

4. Import the certificate you exported into trust.jks

keytool -import -alias techienote -trustcacerts -file root.cer -keystore trust.jks

OUTPUT

Enter keystore password:  
Re-enter new password: 
Owner: CN=ubuntu.home.network, OU=IT, O=TECHIENOTE, L=MUMBAI, ST=MAHARASHTRA, C=IN
Issuer: CN=ubuntu.home.network, OU=IT, O=TECHIENOTE, L=MUMBAI, ST=MAHARASHTRA, C=IN
Serial number: 4e05c41e
Valid from: Sat Jun 25 16:48:54 IST 2011 until: Fri Jun 24 16:48:54 IST 2011
Certificate fingerprints:
	 MD5:  1D:BF:62:CA:A1:72:88:83:BE:CA:CB:D5:E2:60:22:43
	 SHA1: E7:7C:6B:01:63:33:CD:37:1E:2F:D8:3A:01:E2:15:C3:97:2A:4E:52
	 Signature algorithm name: SHA1withRSA
	 Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

Enter the keystore password specified in step 2.
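
Steps 2 to 4 can also be run without prompts and then checked. The script below is an added example, not part of the original post: it assumes a keytool that supports the :env password modifier, and the variable names IDENTITY_STOREPASS, IDENTITY_KEYPASS and TRUST_STOREPASS as well as the helper function names are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-4 without prompts.
# Assumed environment variable names: IDENTITY_STOREPASS, IDENTITY_KEYPASS,
# TRUST_STOREPASS. Reading them with :env keeps passwords off the command line.

# Read `keytool -list -v` text on stdin; print the first SHA256 fingerprint.
sha256_of() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1
}

# Read the same text; print the CN from the first Owner: line.
owner_cn_of() {
    sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# usage: same_cert <identity listing> <trust listing> <hostname>
# Succeeds only if both listings show the same certificate and its CN is
# the name clients will connect to.
same_cert() {
    id_fp=$(printf '%s\n' "$1" | sha256_of)
    tr_fp=$(printf '%s\n' "$2" | sha256_of)
    cn=$(printf '%s\n' "$1" | owner_cn_of)
    [ -n "$id_fp" ] && [ "$id_fp" = "$tr_fp" ] && [ "$cn" = "$3" ]
}

# usage: make_stores <server-hostname>   (run inside ~/csr)
make_stores() {
    host=$1
    keytool -genkeypair -alias techienote -keyalg RSA -validity 365 \
        -dname "CN=$host, OU=IT, O=TECHIENOTE, L=MUMBAI, ST=MAHARASHTRA, C=IN" \
        -storetype JKS -keystore identity.jks \
        -storepass:env IDENTITY_STOREPASS -keypass:env IDENTITY_KEYPASS || return 1
    keytool -exportcert -alias techienote -file root.cer \
        -keystore identity.jks -storepass:env IDENTITY_STOREPASS || return 1
    keytool -importcert -noprompt -alias techienote -file root.cer \
        -storetype JKS -keystore trust.jks -storepass:env TRUST_STOREPASS || return 1

    id_out=$(keytool -list -v -alias techienote -keystore identity.jks \
        -storepass:env IDENTITY_STOREPASS) || return 1
    tr_out=$(keytool -list -v -alias techienote -keystore trust.jks \
        -storepass:env TRUST_STOREPASS) || return 1
    same_cert "$id_out" "$tr_out" "$host"
}
```

Export the three variables, then call make_stores ubuntu.home.network in ~/csr; a non-zero return means a keytool step failed, the two keystores hold different certificates, or the CN differs from the hostname.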

Installing Certificate in Weblogic
Now we need to specify the certificate in the WebLogic server. We are going to set up SSL for the AdminServer as well as for Node Manager.

5. Log in to the WebLogic Administration Console
http://admin_server_ip:admin_server_port/console

6. Go to Domain Structure > techienote > Environment > Servers and click on AdminServer

7. In AdminServer, click on Keystores > Change

8. Choose Custom Identity and Custom Trust in Keystores and click on Save.

9. Now we need to specify the certificate details.
We copy our generated certificate files to the WebLogic domain directory

mkdir /MIDDILEWARE_HOME/user_projects/domains/techienote/csr
cp ~/csr/* /MIDDILEWARE_HOME/user_projects/domains/techienote/csr

In WebLogic, enter the following details

Custom Identity Keystore: /app/Oracle/Middleware/user_projects/domains/techienote/csr/identity.jks
Custom Identity keystore Type: jks
Custom Identity keystore Passphrase: password
Confirm Custom Identity Keystore Passphrase: password
Custom Trust Keystore: /app/Oracle/Middleware/user_projects/domains/techienote/csr/trust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: password
Confirm Custom Trust Keystore Passphrase: password

Note: enter the keystore password specified in step 2.

Save the configuration and click on Activate Changes

10. We also need to specify the SSL details, so click on the SSL tab

Private Key Alias: techienote
Private Key Passphrase: privatepassword
Confirm Private Key Passphrase: privatepassword

Note: enter the private key password specified in step 2.

Save the configuration and click on Activate Changes

11. Now here is one tip: I don't want SSL hostname verification. For that I need to edit the WebLogic startup script and the Node Manager startup script.
WebLogic startup script

cd /MIDDILEWARE_HOME/user_projects/domains/techienote/bin
vi startWebLogic.sh

In JAVA_OPTIONS insert -Dweblogic.security.SSL.ignoreHostnameVerification=true
Here is the sample file

JAVA_OPTIONS="${SAVE_JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

Node Manager startup script

cd /MIDDILEWARE_HOME/wlserver_10.3/server/bin
vi startNodeManager.sh

In JAVA_OPTIONS insert -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
Here is the sample file

cd "${NODEMGR_HOME}"
set -x
if [ "$LISTEN_PORT" != "" ]
 then
   if [ "$LISTEN_ADDRESS" != "" ]
    then
     "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
    else
     "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
   fi
 else
   if [ "$LISTEN_ADDRESS" != "" ]
    then
     "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" weblogic.NodeManager -v
    else
     "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" weblogic.NodeManager -v
   fi
fi

12. Now we need to modify nodemanager.properties

vi /MIDDILEWARE_HOME/wlserver_10.3/common/nodemanager/nodemanager.properties

Insert the following lines at the end

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/app/Oracle/Middleware/user_projects/domains/techienote/csr/identity.jks
CustomIdentityAlias=techienote
CustomTrustKeyStoreFileName=/app/Oracle/Middleware/user_projects/domains/techienote/csr/trust.jks
CustomIdentityPrivateKeyPassPhrase=privatepassword

13. Now you need to refresh the Admin Server and Node Manager by restarting both Node Manager and the AdminServer.
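
To see afterwards where the switches from steps 11 and 12 are active, the files can be scanned for them. This is an added example, not part of the original post; the function names audit_wls_tls and audit_demo are made up here, and the sample files are constructed from the snippets shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Lists every active line that
# carries one of the settings from steps 11-12, as "file:line:finding".

# usage: audit_wls_tls <file>...   prints findings, returns 1 if any were found
audit_wls_tls() {
    awk '
        function hit(what) { printf "%s:%d:%s\n", FILENAME, FNR, what; found = 1 }
        /^[ \t]*#/ { next }    # commented-out lines are not active settings
        /-Dweblogic\.security\.SSL\.ignoreHostnameVerification=true/ {
            hit("hostname verification disabled (server)") }
        /-Dweblogic\.nodemanager\.sslHostNameVerificationEnabled=false/ {
            hit("hostname verification disabled (Node Manager)") }
        /^[ \t]*CustomIdentityPrivateKeyPassPhrase=/ {
            hit("private key passphrase stored in this file") }
        END { exit found + 0 }
    ' "$@"
}

# Constructed sample files, modelled on the snippets in steps 11 and 12.
audit_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/startWebLogic.sh" <<'EOF'
# JAVA_OPTIONS="${SAVE_JAVA_OPTIONS}"
JAVA_OPTIONS="${SAVE_JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"
EOF
    cat > "$d/nodemanager.properties" <<'EOF'
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityPrivateKeyPassPhrase=privatepassword
EOF
    (cd "$d" && audit_wls_tls startWebLogic.sh nodemanager.properties)
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run audit_wls_tls against startWebLogic.sh, startNodeManager.sh and nodemanager.properties; an empty result with return code 0 means none of the three settings is active in those files.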
