Sunday, September 9, 2018

Self-signed SSL certificate for WebLogic


First we need to generate the self-signed SSL certificate to use.

There are many ways to achieve this; in this blog I'm going to use keytool.

Steps to generate the certificate and the JKS stores needed for WebLogic Server:
  • Open a cmd prompt as admin.
  • Navigate to the bin directory of your JDK.
cd C:\Program Files\Java\jdk1.8.0_181\bin
  • Use the command below to generate the key pair and keystore:
keytool -genkey -alias [key alias] -keyalg RSA -keysize [1024] -validity [365] -keypass [keypassword] -keystore [keystoreName].jks -storepass [keystorepassword]

* You can change the signing algorithm by adding -sigalg [SHA256withRSA | SHA1withRSA | MD5withRSA] to the command.

You will be asked to enter the following information:

Common Name:
The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.
Organization:
The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc., Corp. or LLC.
Organizational Unit:
The division of your organization handling the certificate.
City/Locality:
The city where your organization is located.
State/County/Region:
The state/region where your organization is located. This shouldn't be abbreviated.
Country:
The two-letter ISO code for the country where your organization is located.

* If you're working with multiple domains, or your domain has multiple names or IPs, you can add the following to the command to cover all of them:
"-ext san=dns:localhost,dns:myComputerName,ip:127.0.0.1,ip:::1"

where "san" stands for Subject Alternative Name.

The final command will be:

keytool -genkey -alias Identity -keyalg RSA -keysize 1024 -validity 365 -keypass privatepassword -keystore identity.jks -storepass password -ext san=dns:localhost,dns:Yaqoub-lab,ip:127.0.0.1,ip:::1

  • The command below exports the certificate:
keytool -export -alias [key alias] -file [certName].cer -keystore [keyStoreName].jks -storepass [keystorePassword]
Example:
keytool -export -alias Identity -file root.cer -keystore identity.jks -storepass password
The generated certificate will list these names under Subject Alternative Name.

  • The command below imports the certificate into the trust keystore:

keytool -import -alias [certAlias] -file root.cer -keystore [keystoreName].jks -storepass [keystorePassword]
Example:
keytool -import -alias Identity -file root.cer -keystore trust.jks -storepass password
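The three keytool steps above (generate the key pair with a SAN, export the certificate, import it into a separate trust store) as one script, plus a check that the exported certificate actually names the host the browser will be pointed at. This is an added example, not code from the original post: the host name weblogic.lab.local, the -dname values, the output directory argument and the STORE_PASS/KEY_PASS environment variables are all assumptions. It goes a little beyond the post by using a 2048-bit key and SHA256withRSA, since current browsers and JDKs reject 1024-bit keys and MD5 signatures.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed: host name
# weblogic.lab.local, -dname values, store passwords from STORE_PASS/KEY_PASS.
set -euo pipefail

# Build identity.jks, root.cer and trust.jks inside directory $1 for host $2.
make_weblogic_stores() {
  local dir="$1" host="$2"
  local store_pass="${STORE_PASS:-changeit}"   # assumed default; override in your environment
  local key_pass="${KEY_PASS:-$store_pass}"

  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; install a JDK or cd into its bin directory" >&2
    return 0   # nothing generated; caller can still continue
  fi
  mkdir -p "$dir"
  rm -f "$dir/identity.jks" "$dir/trust.jks" "$dir/root.cer"

  # 1. Key pair + self-signed certificate in the identity store. The SAN lists
  #    every name the server answers to, so hostname checks pass for each.
  keytool -genkeypair -alias Identity -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=$host, OU=Lab, O=Example, L=City, ST=Region, C=US" \
    -ext "san=dns:$host,dns:localhost,ip:127.0.0.1,ip:::1" \
    -keypass "$key_pass" -keystore "$dir/identity.jks" -storetype JKS -storepass "$store_pass"

  # 2. Export only the public certificate; the private key stays in identity.jks.
  keytool -exportcert -alias Identity -file "$dir/root.cer" \
    -keystore "$dir/identity.jks" -storepass "$store_pass"

  # 3. Import it into a separate trust store for the server (and Java clients).
  keytool -importcert -noprompt -alias Identity -file "$dir/root.cer" \
    -keystore "$dir/trust.jks" -storetype JKS -storepass "$store_pass"
}

# Print the SubjectAlternativeName block of an exported certificate file.
cert_san() {
  keytool -printcert -file "$1" | sed -n '/SubjectAlternativeName/,/^]/p'
}

# Return 0 if the certificate's SAN lists host $2 as a DNSName or IPAddress.
# This is the comparison a browser or the WebLogic hostname verifier makes, so a
# miss here is the "name mismatch" error described above.
cert_matches_host() {
  cert_san "$1" | grep -Eq "^[[:space:]]*(DNSName|IPAddress): $2\$"
}

# Return 0 if keystore $1 contains alias $2.
store_has_alias() {
  keytool -list -keystore "$1" -storepass "${STORE_PASS:-changeit}" -alias "$2" >/dev/null 2>&1
}

if command -v keytool >/dev/null 2>&1; then
  out="$(mktemp -d)"
  make_weblogic_stores "$out" weblogic.lab.local
  cert_san "$out/root.cer"
  store_has_alias "$out/identity.jks" Identity && echo "identity.jks: alias Identity present"
  store_has_alias "$out/trust.jks" Identity && echo "trust.jks: alias Identity present"
  cert_matches_host "$out/root.cer" weblogic.lab.local && echo "SAN covers weblogic.lab.local"
fi
```

Copy the resulting identity.jks and trust.jks into the domain's security directory described in the next section; root.cer is the file you import into the Windows trusted root store at the end of the post.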

The second step is to configure the WebLogic server to use the generated self-signed SSL certificate.

  • Move the generated keystores into your server's security directory:
~DefaultDomain\security

  • Navigate to your WebLogic console: http://host:port/console
  • Navigate to Servers => select the server => Configuration => Keystores
  • Change the option to Custom Identity and Custom Trust
  • Specify the path for the stores, the keystore type as JKS and the passwords, then save the changes
  • Navigate to the SSL tab and specify the Private Key Alias and passphrase
  • Navigate to the General settings, tick Enable SSL Listen Port and specify the port
  • Restart the server
  • A line similar to the following will appear in the logs:

<Channel "DefaultSecure[2]" is now listening on 0:0:0:0:0:0:0:1:7102 for protocols iiops, t3s, ldaps, https.> 



Further configuration may be needed when working with servers other than the integrated WebLogic, such as hostname verification and two-way (client certificate) SSL behaviour.

Set hostname verification to None if the common name of the certificate is not the same as the hostname.

  • Open the console on the SSL listen port: https://localhost:7102/console
  • The browser reports the connection as unsafe; this is because a self-signed certificate is not signed by a trusted certificate authority.
To solve this, follow the steps below:
  • Open the certificate.
  • Click Install Certificate.
  • Set the store location to Local Machine and click Next.
  • Set the certificate store option to "Place all certificates in the following store" and click Browse.
  • Choose Trusted Root, then click OK, Next and Finish.
  • Reopen the link; the certificate should now be valid and the page opens normally.




