Tuesday, 17 April 2012

How to Enable 1 way-SSL in Weblogic Server


Steps for configuring Inbound SSL in FMW

Scenario:
We have a Development Environment which has One Admin Server and three managed Server.
Admin Server runs on port 7001.
Managed Server1 (soa_server1) listens on port 8001
Managed Server2 (osb_server1) listens on port 8011
Managed Server3 (bam_server1) listens on port 9001

We need to configure osb_server1 to listen on ssl port 8012 using Custom Certificate to secure our webservices.
This certificate will be sent to business providers who will import it in their trusted Keystore.
Only the business partners who have this certificate imported in their trust store should be successfully able to invoke the webservice else they should get SSLHandshakeException

Steps Followed to generate a web service certificate:
1. CREATING A PRIVATE KEY IN KEY STORE:
<JAVA_HOME>\bin\keytool.exe -keystore <Path to a (new) key store> -storepass <(New) key store
password> -genkey -alias <Arbitrary Name> -keyalg RSA -dname <DN of certificate>

Concrete Example:
$ keytool -keystore  “/Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks" -storepass "weblogic1" -genkey -alias "webservice_nexus" -keyalg RSA –dname "CN=fus@isdev,OU=webServices,OU=pkiObjects,DC=Nexus,DC=com"

2. CREATING A CERTIFICATE SIGNING REQUEST (CSR):
<JAVA_HOME>\bin\keytool.exe -keystore <Path to the key store> -storepass <Key store password>
-certreq -alias <Alias name from private key> -keypass <Password of private key> -file <Path
to CSR file to be created>

Concrete Example:
$ keytool  –keystore  "/Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks " -storepass "weblogic1" -certreq -alias "webservice_nexus" -keypass "weblogic1" -file "/Oracle/Middleware/wlserver_10.3/server/lib /webService.csr"

3. GENERATING A CERTIFICATE:   
Submit the CSR file created in the last step to any of the trusted Certificate Authority.certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret.
Download the certificate on the local hard drive.

4. INSTALLING WEB SERVICE CERTIFICATE IN KEY STORE:
<JAVA_HOME>\bin\keytool.exe -keystore <Path to the key store> -storepass <Key store password>
-import -alias <Alias name from private key> -keypass <Password of private key> -file <Path to
CER file containing the WSC>

Concrete Example:
$ keytool -keystore "/Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks" -storepass "weblogic1" -import -alias "webservice_nexus" -keypass "weblogic1" -file "/Oracle/Middleware/wlserver_10.3/server/lib/Certificates/webservice_nexus.cer"

After Adding the certificate in the keystore, you can list the certificate by giving the following command:

5. LISTING THE CERTIFICATE:
<JAVA_HOME>\bin\keytool.exe –v –list -keystore <Path to the key store> -storepass <Key store password>

Concrete Example:
$ keytool –v –list –keystore server_keystore.jks 


After successful creating and adding the certificate in the keystore, we need to configure the server to use the custom keystore which we created.

  •          Login to the admin Console.
  •          Enter admin usename and password
  •          In the Home Page, go to Servers  --> osb_server1
  •          Go to keystores in the Configuration tab
o   Change the keystore to Custom Identity and Standard Java Trust
o   Enter the following details for Identity Keystore:
§  Custom Identity Keystore : /Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks
§  Custom Identity Keystore Type: JKS
§  Custom Identity Keystore Passphrase: <password for keystore>
§  Confirm Custom Identity Keystore Passphrase: <password for keystore>
o   Save all the configurations.

  •         Now go to SSL in Configuration Tab
o   Enter the details for Private Key Alias : webservice_nexus
o   Enter the passphrase : <password for private key>
o   Go to advance, In hostname verificate make it NONE(if not already so).
o   Save all the changes made.

  •          Now go to General in Configuration Tab.
  •         Check the SSL Listen Port Enabled box
  •          SSL Listen Port should be 8012, if not enter it.
  •          Save all the changes.
  •          Finally restart the osb_server1.

No comments:

Post a Comment