03 June 2015

WebLogic SSL Renewal Steps

To install an SSL certificate on your WebLogic server, follow this 3-step procedure:

STEP 1: Creating a keystore (.jks file)

(this is the primary entity which stores your private key and certificates)

Command to generate the key pair (the private key plus a self-signed certificate):

$ java/bin/keytool -genkey -alias punit -keyalg RSA -keysize 2048 -keypass weblogic1 -keystore identity_keystore.jks -storepass weblogic1

the above command will prompt you with the following questions:

What is your first and last name?
[Unknown]: abc.com
What is the name of your organizational unit?
[Unknown]: MW
What is the name of your organization?
[Unknown]: CTS
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
[Unknown]: IN

it will prompt for confirmation so give > yes

this will create a file named > identity_keystore.jks

STEP 2: Generating CSR (Certificate Signing Request)

$ java/bin/keytool -certreq -alias punit -file csr.txt -keypass weblogic1 -keystore identity_keystore.jks -storepass weblogic1

this will create a file named > csr.txt

copy the content of csr.txt and send it to the signing authority; they will sign the CSR with their private key and send back three files (root.pem, interim.pem & server.pem)

STEP 3: Importing the Certificates:

open all three certificates and copy & paste their content into certificate_chain.pem in this order:
server > intermediate > root
now import this certificate_chain.pem into the identity keystore (identity_keystore.jks) using the command below

$ java/bin/keytool -v -import -alias punit -file certificate_chain.pem -keypass weblogic1 -keystore identity_keystore.jks -storepass weblogic1

(use alias & password defined by you while requesting the certificate)

it will prompt you for Yes/No  > Yes

this will import the certificate chain (Root, Interim, Server) into identity_keystore.jks

if required import (Root, Interim) into trust_keystore.jks as well (optional/Depends)
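
Added example (not from the original post): a POSIX shell helper for the concatenation in Step 3. It writes the chain file in the order server > intermediate > root, strips Windows line endings and any text outside the PEM markers, and refuses an input file that does not hold exactly one certificate. The function names are assumptions; pass the three files received from the signing authority and the output file name.

```shell
#!/bin/sh
# Added example: build the chain file in the order server > intermediate > root.

# Print only the PEM certificate blocks of a file, dropping carriage returns
# and any text outside the BEGIN/END markers (e.g. pasted headers).
pem_blocks() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside { print }
        /-----END CERTIFICATE-----/ { inside = 0 }'
}

# Count the complete certificate blocks in a file.
pem_count() {
    pem_blocks "$1" | awk '/-----END CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# build_chain SERVER INTERIM ROOT OUT
# Each input must contain exactly one certificate; nothing is written otherwise.
build_chain() {
    for f in "$1" "$2" "$3"; do
        n=$(pem_count "$f")
        if [ "$n" -ne 1 ]; then
            echo "error: $f holds $n certificates, expected 1" >&2
            return 1
        fi
    done
    # awk re-emits every line with a newline, so a file that lacked a trailing
    # newline cannot fuse its END marker with the next BEGIN marker.
    { pem_blocks "$1"; pem_blocks "$2"; pem_blocks "$3"; } > "$4"
}

# Stand-alone use: sh build_chain.sh server.pem interim.pem root.pem certificate_chain.pem
if [ "$#" -eq 4 ]; then
    build_chain "$@"
fi
```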

(now define the SSL & keystore properties from the Admin console for the identity & trust keystores and bounce the servers)

Select keystore type as: Custom Identity and Command-Line Trust
Define attributes for the Identity keystore
Custom Identity Keystore File Name - The fully qualified path to the Identity keystore
Keystore type - The type of the keystore. Generally, this attribute is jks
Keystore PassPhrase - The password defined when creating the keystore
- Enable the SSL port of the server (from the server SSL tab)
- click continue
- click finish
- Reboot the WebLogic server


NOTE: for SHA2 certs we need to enable the JSSE SSL option on the corresponding servers and, sometimes, if required, also add the below java_options to the server start arguments, or to the nodemanager.properties file if Node Manager is configured.

-Dweblogic.security.SSL.enableJSSE=true    (client)

-Dweblogic.ssl.JSSEEnabled=true            (server)

