Implement SSL In Weblogic

SSL (Secure Sockets Layer) is a protocol that relies on a third party, a certificate authority (CA), to vouch for the identity of the parties at both ends of a secure exchange of data.

In layman's terms, this means that all data transmitted between the client and the web server is encrypted and therefore protected.

Basic terms to understand:

1) Private key / public key:
You generate a key pair using a tool such as keytool or CertGen. One key of the pair is kept secret; this is the private key, and it is used to decrypt data. The other key, the public key, is distributed to everybody so that they can send you encrypted messages.
Encryption with a private/public key pair ensures that data encrypted with one key of the pair can only be decrypted with the other.

2) Certificate and certificate authority: A certificate contains information about its owner, such as e-mail address, owner's name, certificate usage, period of validity, resource location or Distinguished Name (DN), which includes the Common Name (CN) (the web site address or e-mail address, depending on the usage), and the certificate ID of the party that certifies (signs) this information. This certifying body is called a Certificate Authority. Well-known CAs include VeriSign and Entrust.

3) The trusted certificate authority (CA) certificate establishes trust for a certificate.

4) Private keys and trusted CA certificates are stored in a keystore.
The preferred keystore format in WebLogic is JKS (Java KeyStore).

5) The PEM (Privacy Enhanced Mail) format is the preferred format for private keys, digital certificates, and trusted certificate authorities (CAs).

6) Servers need a private key, a digital certificate containing the matching public key, and a certificate for at least one trusted certificate authority.

7) WebLogic Server supports private keys, digital certificates, and trusted CA certificates from the following sources:
* The demonstration digital certificates, private keys, and trusted CA certificates in the WL_HOME\server\lib directory and the JAVA_HOME\jre\lib\security directory.
* Sun Microsystems' keytool utility, which can be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR).
* The CertGen utility, which generates digital certificates and private keys that should be used only for demonstration or testing purposes in a development environment.


Steps to implement SSL in WebLogic

1) First step is to generate a CSR (Certificate Signing Request)

Generally, to create a CSR we use the keytool utility (location on Linux: $JDK_HOME/bin). Run the keytool commands below to create a CSR.

./keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname "CN=<domain name, e.g. test.com>, OU=<unit, e.g. Customer Support>, O=<your organization>, L=<your location>, ST=<state>, C=<country code, e.g. US>" -keystore identity.jks

./keytool -certreq -alias mykey -file cert.csr -keystore identity.jks

By executing the above commands you create a CSR named cert.csr, which can be forwarded to the signing team for the signing process.

The CA will issue you a root CA certificate, intermediate certificate(s) and the SSL certificate, which you need to install in your browser and in your trust keystore respectively.

2) Install the test root CA certificate into the browser from which you will access the web server; in my case it is Firefox.
2.1. Click on the "Download Secure Site Trial Root Certificate" link.
2.2. Save the certificate into a file with a .cer extension.
2.3. Open a Firefox browser.
2.4. Go to Tools > Options > Advanced > View Certificates > Authorities.
2.5. Click Import.
2.6. Select the Trial Root certificate and click Open.
2.7. A dialog box appears that says "Do you want to trust 'VeriSign Trial Secure Server Test Root CA' for the following purposes?". Check "Trust this CA to identify web sites".
2.8. Click OK.

3) Install the trial SSL intermediate CA certificates.

The CA will issue two intermediate certificates, primary and secondary; we have to install them in a keystore, let's say "trust".

Save the text of the primary and secondary certificates in notepad files with a .cer extension. Then issue the commands below:

./keytool -import -alias primaryca -keystore trust.jks -trustcacerts -file primaryintermediate.cer
Enter keystore password:
Re-enter new password:
Certificate was added to keystore

./keytool -import -alias secondaryca -keystore trust.jks -trustcacerts -file secondaryintermediate.cer
Enter keystore password:
Certificate was added to keystore

4) Install the trial SSL certificate in the keystore

The CA will send you the text of your SSL certificate by e-mail; copy it and save it in notepad with a .cer extension. Then run the following on the web server:

./keytool -import -alias sslcert -keystore trust.jks -trustcacerts -file ssl.cer
Enter keystore password: 

Once you enter the password you will see lines like:
=======================================================
Owner: CN=innowave03.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Customer Support, O=ABC, L=London, ST=England, C=UK
Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only.  No assurances.", O="VeriSign, Inc.", C=US
Trust this certificate? [no]:  yes
Certificate was added to keystore
=======================================================


5) Configure keystores and SSL in WebLogic
To configure SSL:

5.1. Go to the WebLogic administration console (http://<hostname>:<port>/console). Under Domain > Environment, expand the Servers node.
5.2. Select the name of the server for which you want to configure keystores (for example, testserver).
5.3. Select the Configuration > Keystores and SSL tab.
Information about the demonstration Identity and Trust keystores is displayed in the Keystore Configuration.
5.4. Configure new Identity and Trust keystores for WebLogic Server.

5.5. Click the Change link in the SSL Configuration section to configure attributes for SSL.

The Configure SSL page appears.

5.6. Specify how the identity and trust for WebLogic Server are stored. The following options are available:
* Key Stores: use this option if you created Identity and Trust keystores for WebLogic Server. If you choose this option, go to step 5.8.
* Files or Key Store Providers: use this option if you stored private keys and trusted CA certificates in a file or in a JKS keystore accessed via the WebLogic Keystore provider.

In our case it is Key Stores.
5.7. Click Continue.
5.8. Specify the alias used to load the private key into the keystore in the Private Key Alias field, and the password used to retrieve the private key from the keystore in the Passphrase attribute. You may have specified this information when creating the Identity keystore; however, for the purpose of SSL configuration, specify it again. Skip to step 5.10.

5.9. Specify information about the location of identity and trust for WebLogic Server.

Note: This step only applies if the Files or Key Store Providers option is specified.

5.10. Click Continue.
5.11. Click Save.

Note: By default, WebLogic Server has host name verification enabled. As part of the SSL handshake, WebLogic Server compares the common name in the SubjectDN of the SSL server's digital certificate with the host name of the SSL server used to accept the SSL connection. If they do not match, the connection is dropped. For testing purposes you can set the verifier to "NONE" if your host name differs from the common name in the certificate.

5.12. Go to the General tab of the Configuration page for the selected server and tick the SSL Listen Port Enabled checkbox.
5.13. Restart WebLogic Server.

You should now be able to access the WebLogic server at https://<hostname>:<ssl port>
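The keystore steps above (1, 3 and 4) and the host name check from the note under step 5, as an added example that is not part of the original post: keytool's -gencert stands in for the commercial CA so the whole flow runs offline, and the signed certificate is imported into identity.jks under the private key's alias, the way keytool treats a reply to a CSR, whereas the post imports it into trust.jks. Aliases, passwords, file names and test.example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): steps 1, 3 and 4 run end-to-end against a throwaway
# CA, with keytool -gencert standing in for the commercial CA so it works offline, plus the
# host name check described in the note under step 5. Aliases, passwords, file names and
# test.example.com are assumptions. Needs keytool (JDK 7 or later) on PATH.
command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, nothing to do"; exit 0; }
WORK=$(mktemp -d) && cd "$WORK" || exit 1
PASS=changeit                                     # demo passphrase only
KT="keytool -storetype JKS -storepass $PASS"

# Stand-in CA: a self-signed key pair flagged as a CA (critical BasicConstraints).
$KT -genkeypair -alias ca -keyalg RSA -keysize 2048 -keypass "$PASS" -validity 365 \
    -dname "CN=Demo Test CA, O=Example" -ext bc:c -keystore ca.jks
$KT -exportcert -alias ca -rfc -file ca.cer -keystore ca.jks

# Step 1: server key pair in the identity keystore, then the CSR that goes to the CA.
$KT -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keypass "$PASS" -validity 365 \
    -dname "CN=test.example.com, OU=Customer Support, O=Example, L=London, ST=England, C=UK" \
    -keystore identity.jks
$KT -certreq -alias mykey -file cert.csr -keystore identity.jks

# The CA signs the request; a SAN is added because browsers match the host name on it too.
$KT -gencert -alias ca -infile cert.csr -outfile cert.cer -validity 365 \
    -ext SAN=dns:test.example.com -keystore ca.jks

# Step 3: CA certificates become trusted entries in the trust keystore.
$KT -importcert -alias demoroot -file ca.cer -noprompt -keystore trust.jks

# Step 4 as keytool requires it: the signed certificate is the reply to the CSR, so it goes
# into identity.jks under the private key's alias (the post puts it into trust.jks). keytool
# must be able to build the chain first, hence the CA certificate is imported there as well.
$KT -importcert -alias demoroot -file ca.cer -noprompt -keystore identity.jks
$KT -importcert -alias mykey -file cert.cer -noprompt -keystore identity.jks

list_mykey()   { keytool -list -v -alias mykey -keystore "$WORK/identity.jks" -storepass "$PASS"; }
chain_length() { list_mykey | sed -n 's/^Certificate chain length: //p'; }
owner_cn()     { list_mykey | sed -n '/^Owner: /{s/^Owner: CN=\([^,]*\).*/\1/p;q;}'; }

# Note under step 5: WebLogic's default host name verifier compares the certificate's CN
# with the host name the listener was reached on; "NONE" is the test-only way to skip it.
hostname_ok() {                      # usage: hostname_ok <host> [default|NONE]
    [ "${2:-default}" = "NONE" ] && return 0
    [ "$(owner_cn | tr 'A-Z' 'a-z')" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}
echo "chain length: $(chain_length), subject CN: $(owner_cn)"
hostname_ok test.example.com && echo "host name verification passes for test.example.com"
hostname_ok 10.0.0.5 || echo "host name verification would drop a connection to 10.0.0.5"
```

After the reply import, `keytool -list -v` reports a chain length of 2 (server certificate plus CA), which is the state WebLogic needs to present a CA-signed certificate.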

About the Author Atul Kumar


18 comments
abhishek says June 28, 2011

Hi,

Can you tell me if the CA always sends back intermediate certificates? I received via email only one txt file which I believe is the SSL certificate.

Thanks,

-Abhishek

Neha Mittal says June 29, 2011

@Abhishek

Verisign CA always sends back an email which contains-
1) link to navigate to root CA certificate code
2) link to navigate to intermediate CA certificate codes
3) SSL certificate in form of text at bottom of mail.

In the mail, it will be mentioned in Step 2 - To download intermediate certs, along with a link.

Regards
Neha Mittal

Atul Kumar says June 29, 2011

@ abhishek,
As Neha mentioned, if the CA sends a certificate with an intermediate CA then that will be part of the certificate itself. You can extract the certificate.

Usually test certificates mainly come with an intermediate CA, but with actual certificates the CA usually sends just one certificate (though this is not mandatory; actual certificates can also come with an intermediate CA).

Abhishek says June 29, 2011

Thank you both for your responses.
FYI Neha: This is one of the most helpful posts I have read for using SSL with WebLogic.

We are using Entrust as a CA instead of Verisign. Once I asked our security folks about the intermediate cert, I was sent 3 files.
File 1: Entrust Root Certificate
File 2: Entrust L1 Chain Certificate
File 3: It’s called .NERCERT.txt which I’m assuming is the SSL cert

My questions are:
(1) Is the Entrust Root Certificate my primary certificate as mentioned in the instructions above (Step 3 part 1)?
(2) Is the Entrust L1 Chain Certificate the secondary certificate as mentioned in step 3 above?
(3) Can you confirm that the .NEWCERT.txt is my SSL cert and I need to import it as described in step 4 above?

Thanks again for all your help.

-Abhishek

ashish says June 15, 2012

Hi Neha,

I have deployed a web application on a WebLogic server. It comes with an HTTP URL only.

I want to change it to HTTPS.

Please advise if I need to configure SSL on WebLogic in this case, or whether any application-level changes would allow me to do so.

Please advise as it is really urgent.

Thanks,
Ashish

    Atul Kumar says June 15, 2012

    @ WebLogic Admin and Managed servers come with both HTTP and HTTPS (HTTPS is disabled by default). You just need to enable HTTPS. SSL certificates are pre-bundled, so for production you may wish to use certificates from VeriSign or another certifying authority (CA).

ashish says June 15, 2012

@Atul : Thank you for the response.

joe says October 2, 2012

Hello,

I have a few apps running on a WebLogic server (using 10g oid and 10g oid) where only one app needs SSL.
How do I enable SSL for just this app?
The F5 VIP is the front end.

Thanks, Joe

Neha Mittal says October 2, 2012

@Joe
You can create another managed server in WLS Domain and deploy that specific application on the new managed server.
Then use the above steps to enable SSL on the new managed server where only this app is deployed.

Thanks
Neha

Atul Kumar says October 2, 2012

@ Joe,
Do as Neha said, or a WebLogic server can run on both SSL and non-SSL listeners, and then it is down to you to decide which protocol (SSL or non-SSL) to use while accessing the application.

joe says October 11, 2012

Update:

This app won't go through SSO, so no need for SSO registration.

On the F5, created a new VIP with HTTPS, added its cert profile for client and server (had created the cert already), added the pool where the HTTP OHS is a member, and that was it.
https://newvip.fqdn/appname

Maggi says January 29, 2014

Hi Neha,

I have a WebLogic server with 2 managed servers. For this cluster there is a VIP on F5 with http:///analytics.
To implement SSL, do I need to just implement it at the VIP level by asking the F5 team to create a new VIP with HTTPS and add the VIP's cert profile to all the servers in the WebLogic cluster?

Please help me understand, as this is a critical requirement for us to implement SSL in all our OBIEE 11g clusters.

Thanks
Maggi

    Atul Kumar says January 29, 2014

    @ Maggi,
    It's down to where you want to terminate SSL. F5 supports SSL termination at the load balancer, which means you have two options

    a) SSL terminated at F5: Client --SSL--> F5 --Non SSL--> WebLogic. In this case the WebLogic managed servers are listening on non-SSL.

    b) SSL terminated at WebLogic: Client --SSL--> F5 --SSL--> WebLogic. In this case the WebLogic managed servers are listening on SSL.

    You don't change anything at F5 but ask the F5 team to

    1. Enable SSL at F5
    2. Import the certificate of the site (analytics) to F5
    3. Configure F5 on the SSL port to forward requests to the WebLogic port (SSL or non-SSL depending on where you are terminating SSL)

Rajender kasala says April 7, 2014

Hi Atul,

Can you explain more on the second point which you have mentioned above, i.e.

2. Import the certificate of the site (analytics) to F5

How do I import the certificate of a site?

    Atul Kumar says April 7, 2014

    @ Certificates for the site (analytics) are issued by a certifying authority (CA). If you have a load balancer then these must be imported into the load balancer using the tool provided by the load balancer.

Devi says September 24, 2015

Hi All,

My doubt is:

If I configure SSL with identity and trust keystores in WebLogic server.

If someone in my team changed the keystore or saved non-SSL, then how can I roll back those configurations as before?

Please, anyone reply to this question and do the needful.

Thanks.

Devi says September 24, 2015

Do we have any configuration file or any location to restore or roll back the old SSL configurations?

Ashish says September 25, 2015

Hi ,

It's not possible if you are looking for the old file on the server itself; however, if a backup of the server is running then you can get it restored by the backup team. It may cost your firm to restore the file.

Regards,
Ashish
