First we need to generate the self-signed SSL certificate to use.
There are many ways to achieve this; in this blog I'm going to use keytool.
Steps to generate the certificate and the JKS stores needed for WebLogic Server:
- Open a cmd prompt as admin.
- Navigate to your JDK bin directory:
cd C:\Program Files\Java\jdk1.8.0_181\bin
- Use the below command to generate the key pair and keystore:
keytool -genkey -alias [keyAlias] -keyalg RSA -keysize [1024] -validity [365] -keypass [keyPassword] -keystore [keystoreName].jks -storepass [keystorePassword]
* You can change the signing algorithm by adding -sigalg [SHA256withRSA | SHA1withRSA | MD5withRSA] to the command.
You will be required to enter the following information:
Common Name: The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.
Organization: The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc., Corp, or LLC.
Organizational Unit: The division of your organization handling the certificate.
City/Locality: The city where your organization is located.
State/County/Region: The state/region where your organization is located. This shouldn't be abbreviated.
Country: The two-letter ISO code for the country where your organization is located.
* If you're working with multiple domains, or your domains have multiple names or IPs, you can add the below to the command to cover them:
"-ext san=dns:localhost,dns:myComputerName,ip:127.0.0.1,ip:::1"
where "san" stands for Subject Alternative Name.
The final command will be:
keytool -genkey -alias Identity -keyalg RSA -keysize 1024 -validity 365 -keypass privatepassword -keystore identity.jks -storepass password -ext san=dns:localhost,dns:Yaqoub-lab,ip:127.0.0.1,ip:::1
- The below command exports the certificate:
keytool -export -alias [keyAlias] -file [certName].cer -keystore [keystoreName].jks -storepass [keystorePassword]
Example:
keytool -export -alias Identity -file root.cer -keystore identity.jks -storepass password
The generated certificate will have the following info under the Subject Alternative Name:
- The below command imports the certificate into the trust keystore:
keytool -import -alias [certAlias] -file root.cer -keystore [keystoreName].jks -storepass [keystorePassword]
Example:
keytool -import -alias Identity -file root.cer -keystore trust.jks -storepass password
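A check worth running once the identity keystore is built, as an added example that is not part of the original post: it parses the output of `keytool -list -v -keystore identity.jks -storepass password`, confirms that every name WebLogic will be reached by is present in the SAN extension (so hostname verification does not have to be switched off later), and flags RSA keys shorter than 2048 bits or MD5/SHA1 signatures, which current browsers and JDKs reject. The listing embedded below is constructed and abridged, not captured from a real keystore, and the function names parse_listing and check_cert are my own.

```python
import re

# Constructed, abridged sample of `keytool -list -v` output for identity.jks
# (not captured from a real keystore); the SAN entries mirror the -ext flag above.
SAMPLE_LISTING = """\
Alias name: identity
Entry type: PrivateKeyEntry
Owner: CN=localhost, OU=Lab, O=Example, L=City, ST=State, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  DNSName: Yaqoub-lab
  IPAddress: 127.0.0.1
  IPAddress: 0:0:0:0:0:0:0:1
]
"""

def parse_listing(text):
    """Pull signature algorithm, RSA key size and SAN entries out of a keytool -list -v listing."""
    info = {"san": []}
    m = re.search(r"^Signature algorithm name:\s*(\S+)", text, re.M)
    info["sigalg"] = m.group(1) if m else None
    m = re.search(r"^Subject Public Key Algorithm:\s*(\d+)-bit", text, re.M)
    info["key_bits"] = int(m.group(1)) if m else None
    m = re.search(r"SubjectAlternativeName \[(.*?)\n\]", text, re.S)
    if m:  # each entry looks like "DNSName: host" or "IPAddress: addr"
        for kind, value in re.findall(r"(DNSName|IPAddress):\s*(\S+)", m.group(1)):
            info["san"].append((kind.lower(), value))
    return info

def check_cert(info, required_names, min_bits=2048):
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    present = {v.lower() for _, v in info["san"]}
    for name in required_names:  # every hostname/IP clients will use must be in the SAN
        if name.lower() not in present:
            findings.append("missing SAN entry: %s" % name)
    if info["key_bits"] is None or info["key_bits"] < min_bits:
        findings.append("RSA key is %s bits, below %d" % (info["key_bits"], min_bits))
    if info["sigalg"] and re.match(r"(MD5|SHA1)with", info["sigalg"], re.I):
        findings.append("weak signature algorithm: %s" % info["sigalg"])
    return findings

if __name__ == "__main__":
    for f in check_cert(parse_listing(SAMPLE_LISTING), ["localhost", "Yaqoub-lab", "127.0.0.1"]):
        print(f)
```

Against a real keystore, pipe the keytool output into parse_listing instead of SAMPLE_LISTING; an empty findings list is the result you want before moving the store into the domain.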
The second step is to configure the WebLogic server to use the generated self-signed SSL certificate.
- Move the generated keystores to the relative server path:
~DefaultDomain\security
- Navigate to your WebLogic console: http://host:port/console
- Navigate to Servers => select the server => Configuration => Keystores
- Change the option to Custom Identity and Custom Trust
- Specify the paths for the stores, the keystore type as JKS, and the passwords, then save the changes
- Navigate to the SSL tab and specify the Private Key Alias and passphrase
- Restart the server
- A similar line will be found in the logs:
<Channel "DefaultSecure[2]" is now listening on 0:0:0:0:0:0:0:1:7102 for protocols iiops, t3s, ldaps, https.>
Further configuration may be needed when working with servers other than the integrated WebLogic, such as host name verification and two-way client certificate behaviour.
Hostname verification is set to None if the common name of the certificate is not the same as the hostname.
- Open the console on the SSL listen port: https://localhost:7102/console
- The browser reports the connection as unsafe; this is because the self-signed certificate is not signed by a trusted certificate authority.
To solve this we will follow the steps below:
- Open the certificate.
- Click Install Certificate.
- Specify the system area option as Local Machine and click Next.