This post covers the basics of SSL in WebLogic Server and how to configure SSL with custom certificates issued by a Certificate Authority (CA). For SSL in Oracle E-Business Suite click here, for SSL in Oracle Internet Directory (OID) click here, for SSL in Oracle Virtual Directory (OVD) click here, and for SSL in Oracle Access Manager (OAM) click here.

Secure Sockets Layer (SSL) encrypts data in transit between the client and the server (WebLogic Server in this case) and lets the client verify, through the server's certificate, that it is talking to the right server. In practice the protocol negotiated today is TLS; WebLogic keeps the SSL name in its configuration.

1. A user can connect to WebLogic Server
a) directly, on the Admin or Managed Server port (more on WebLogic Admin/Managed Servers here), or
b) via a Web Server or Load Balancer, which then connects to WebLogic Server. To configure a Web Server (OHS) in front of WebLogic Server click here

User –> Load Balancer (or WebServer) –> WebLogic Server
User –> WebLogic Server

a) You can terminate SSL at the Load Balancer (or Web Server) and run the hop from the Load Balancer (or Web Server) to WebLogic Server without SSL. In this case the Load Balancer (or Web Server) listens on SSL while WebLogic Server listens on a non-SSL port. Traffic on that back-end hop is in clear text, so this is only acceptable when the network between the front end and WebLogic is itself trusted, and the front end must tell WebLogic that the original request was HTTPS (the OHS plug-in has the WLProxySSL setting for this) so that redirects and secure cookies are generated correctly.
or
b) You can terminate SSL at WebLogic Server. In this case the Load Balancer (or Web Server) and WebLogic Server all listen on SSL: the front end either passes the SSL connection through or terminates it and opens a new SSL connection to WebLogic, so the back-end hop is encrypted as well.

2. A WebLogic Server (Admin or Managed Server) can be configured with both a non-SSL and an SSL listen port. To enable SSL you only need to select "SSL Listen Port Enabled" for that server in the WebLogic Console; to force SSL, also clear "Listen Port Enabled" so the plain port goes away.

3. SSL certificates are issued to a server by a Certificate Authority (also called a Certifying Authority or CA), which signs the server's certificate with its own key.

4. A certificate chain has one root Certifying Authority (root CA) and zero or more intermediate Certifying Authorities. The root CA delegates the authority to issue certificates to an intermediate CA by signing the intermediate CA's certificate, and the server's certificate is signed by the last CA in the chain.

In the screen shot above (the certificate chain of *.oracle.com)
a) the Root CA is "Class 3 Public Primary Certification Authority", which issued a certificate to
b) "VeriSign Class 3 Public Primary Certification Authority – G5" (intermediate CA), which issued a certificate to
c) "VeriSign Class 3 International Server CA – G3" (intermediate CA), which issued a certificate to
d) *.oracle.com

In this case *.oracle.com is the server's own certificate, whereas the three certificates above it are trusted certificates (certificates of the certifying authorities). A client only has to trust the root: it checks each signature down the chain to reach the server's certificate.

5. By default the SSL listener on WebLogic uses demonstration certificates generated by WebLogic itself (commonly described as self-signed): the issuing CA is WebLogic's own demo CA, not a public CA, so no client outside the installation trusts them. They are meant for development only and must not be used in production.

6. There are two types of certificates
a) Trusted Certificates – the certificates of Certifying Authorities (CA). In the second screen shot (above) the certificates of "VeriSign Class 3 International Server CA – G3" and "VeriSign Class 3 Public Primary Certification Authority – G5" are trusted certificates
b) Identity Certificates – the certificate issued to the server itself, which the server presents together with the private key that belongs to it. In the screen shot above the certificate of *.oracle.com is the identity certificate

7. Certificates (trusted and identity) for WebLogic are stored in a keystore. WebLogic Server supports several keystore types; the most common is the Java KeyStore (JKS), a password-protected, file-based repository with the extension .jks

8. A Java KeyStore (JKS) holds two kinds of entries, which give a keystore one of two roles
a) Trust Store – holds trusted certificate entries (the certificates of certifying authorities) and no private keys
b) Identity Store – holds private key entries: the server's private key together with the identity certificate issued to it by the CA and the CA certificates that chain up from it

Note: You can keep both the Trust Store and the Identity Store in the same keystore (JKS) or in different keystores (one .jks file for the identity certificate and a second .jks file for the trusted certificates). Keeping them separate is the usual practice: the trust store contains only public CA certificates and can be shared freely, while the identity store contains the server's private key and must be readable only by the WebLogic user.


9. WebLogic ships with default (demo) identity and trust stores under $WL_HOME/server/lib
a) DemoIdentity.jks – Identity Store containing the server's demo private key and certificate (identity certificate); its passphrase is DemoIdentityKeyStorePassPhrase
b) DemoTrust.jks – Trust Store containing the demo CA's certificate (trusted certificate); its passphrase is DemoTrustKeyStorePassPhrase
These passphrases are documented and identical in every installation, which is one more reason a production server must use its own keystores.

10. A keystore is managed with the Java utility keytool, which ships with the JDK. keytool is used to create the server's key pair, generate a certificate request (CSR) for it, import the certificate issued by the CA into the identity store, and import the CA's own certificates into the trust store.
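As an added example (not from the original post, and not Oracle tooling beyond keytool itself), the shell script below builds the whole picture from points 4 to 10 with keytool alone: a root CA, an intermediate CA that the root delegates to, a server identity keystore whose private key entry carries the three-certificate chain, and a separate trust store that holds only the root. The host name wls.example.com, the aliases, the file names and the passphrase are invented for the demo and are not WebLogic defaults; the script needs a JDK's keytool on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline PKI built with keytool only.
# Assumed: a JDK's keytool is on PATH. Host name, aliases, file names and the
# passphrase are invented for the demo and are not WebLogic defaults.
set -eu

PASS="${WLS_DEMO_PASS:-changeit}"   # demo passphrase; use a real secret in production
HOST="wls.example.com"              # hypothetical WebLogic listen address
KT="keytool"

# Root CA: self-signed key pair. "bc:c" marks BasicConstraints (ca:true) critical.
make_root_ca() {
  "$KT" -genkeypair -alias rootca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=Example Root CA, O=Example" -ext bc:c -validity 3650 \
    -keystore "$1/rootca.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  "$KT" -exportcert -alias rootca -rfc -file "$1/rootca.cer" \
    -keystore "$1/rootca.jks" -storepass "$PASS"
}

# Intermediate CA: own key pair, a CSR, and a certificate signed by the root that
# delegates issuing authority (ca:true) but forbids further sub-CAs (pathlen:0).
make_intermediate_ca() {
  "$KT" -genkeypair -alias subca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=Example Issuing CA, O=Example" -validity 1825 \
    -keystore "$1/subca.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  "$KT" -certreq -alias subca -file "$1/subca.csr" \
    -keystore "$1/subca.jks" -storepass "$PASS"
  "$KT" -gencert -alias rootca -infile "$1/subca.csr" -outfile "$1/subca.cer" -rfc \
    -validity 1825 -ext bc:c=ca:true,pathlen:0 -ext ku:c=keyCertSign,cRLSign \
    -keystore "$1/rootca.jks" -storepass "$PASS"
  # The issuer's certificate must already be in the keystore, or keytool cannot
  # build the chain when the signed reply is imported under the key alias.
  "$KT" -importcert -alias rootca -file "$1/rootca.cer" -noprompt \
    -keystore "$1/subca.jks" -storepass "$PASS"
  "$KT" -importcert -alias subca -file "$1/subca.cer" -noprompt \
    -keystore "$1/subca.jks" -storepass "$PASS"
}

# Server identity: key pair, CSR, and a certificate issued by the intermediate CA
# with the host name in the SAN (what clients check) and the serverAuth key usage.
make_identity_store() {
  "$KT" -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$HOST, O=Example" -validity 365 \
    -keystore "$1/identity.jks" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  "$KT" -certreq -alias server -file "$1/server.csr" \
    -keystore "$1/identity.jks" -storepass "$PASS"
  "$KT" -gencert -alias subca -infile "$1/server.csr" -outfile "$1/server.cer" \
    -validity 365 -ext "san=dns:$HOST" -ext eku=serverAuth \
    -ext ku:c=digitalSignature,keyEncipherment \
    -keystore "$1/subca.jks" -storepass "$PASS"
  # CA certificates first (trusted entries), then the server's reply: keytool links
  # server -> subca -> rootca and stores all three under the "server" key entry.
  "$KT" -importcert -alias rootca -file "$1/rootca.cer" -noprompt \
    -keystore "$1/identity.jks" -storepass "$PASS"
  "$KT" -importcert -alias subca -file "$1/subca.cer" -noprompt \
    -keystore "$1/identity.jks" -storepass "$PASS"
  "$KT" -importcert -alias server -file "$1/server.cer" -noprompt \
    -keystore "$1/identity.jks" -storepass "$PASS"
}

# Trust store: public CA certificates only, never a private key. The root is enough;
# the server sends the intermediate during the handshake.
make_trust_store() {
  "$KT" -importcert -alias rootca -file "$1/rootca.cer" -noprompt \
    -keystore "$1/trust.jks" -storetype JKS -storepass "$PASS"
}

# "Certificate chain length: N" as reported by keytool for an alias (empty if absent).
chain_length() {
  "$KT" -list -v -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}

# Entry type of an alias: PrivateKeyEntry (identity) or trustedCertEntry (trust).
entry_type() {
  "$KT" -list -v -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null |
    sed -n 's/^Entry type: //p'
}

build_keystores() {
  mkdir -p "$1"
  make_root_ca "$1" && make_intermediate_ca "$1" \
    && make_identity_store "$1" && make_trust_store "$1"
}

DEMO_DIR="${WLS_DEMO_DIR:-$(mktemp -d)}"
if command -v "$KT" >/dev/null 2>&1; then
  build_keystores "$DEMO_DIR" >/dev/null
  echo "identity.jks/server: $(entry_type "$DEMO_DIR/identity.jks" server), chain length $(chain_length "$DEMO_DIR/identity.jks" server)"
  echo "trust.jks/rootca:    $(entry_type "$DEMO_DIR/trust.jks" rootca)"
else
  echo "keytool not found on PATH; install a JDK (WebLogic's own lives under JAVA_HOME)" >&2
fi
```

Run it with `sh wls-demo-pki.sh` (or set WLS_DEMO_DIR to choose the output directory). identity.jks and trust.jks are the two files a Custom Identity and Custom Trust configuration in WebLogic expects; the identity keystore must be readable only by the WebLogic OS user, and the trust store should contain just the CAs you actually want to accept rather than every public root.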


More on SSL certificates, keytool and configuring SSL with WebLogic in the next post.