SSL in WebLogic (CA, KeyStore, Identity & Trust Store) : Things you must know – Part I

This post covers the basics of SSL in WebLogic Server and how to configure SSL with custom certificates and a Certifying Authority. For SSL in Oracle E-Business Suite click here, for SSL in Oracle Internet Directory (OID) click here, for SSL in Oracle Virtual Directory (OVD) click here, and for SSL in Oracle Access Manager (OAM) click here.

Secure Sockets Layer (SSL) is used to encrypt data between the client and the server (WebLogic Server in this case).

1. When a user connects to WebLogic Server, they can connect
a) directly to WebLogic Server (Admin or Managed Server port; more on WebLogic Admin/Managed Servers here), or
b) via a Web Server or Load Balancer, which then connects to WebLogic Server. To configure a Web Server (OHS) in front of WebLogic Server click here.

User –> Load Balancer (or WebServer) –> WebLogic Server
User –> WebLogic Server

a) You can terminate SSL at the Load Balancer (or Web Server) and keep the communication from the Load Balancer (or Web Server) to WebLogic Server non-SSL. In this case the Load Balancer (or Web Server) is configured to listen on SSL, but WebLogic Server is configured to listen on a non-SSL port.
or
b) You can terminate SSL at WebLogic Server. In this case the Load Balancer (or Web Server) and WebLogic Server are all configured to listen on SSL.

2. WebLogic Servers (Admin or Managed) can be configured with both a non-SSL and an SSL port. To enable SSL you just need to select SSL Listen Port Enabled in the WebLogic Console.

3. SSL certificates are issued to a server by a certificate signing authority (also known as a Certifying Authority, or CA).

4. There is one root Certifying Authority (root CA) and zero or more intermediate Certifying Authorities (the root CA delegates the authority to issue certificates to an intermediate CA).

In the screenshot above
a) the Root CA is “Class 3 Public Primary Certification Authority”, which issued a certificate to
b) “VeriSign Class 3 Public Primary Certification Authority – G5” (intermediate CA), which issued a certificate to
c) “VeriSign Class 3 International Server CA – G3” (intermediate CA), which issued a certificate to
d) *.oracle.com

In this case *.oracle.com is the server certificate, whereas the three certificates above it are trusted certificates (certificates of the Certifying Authorities).

5. By default the certificates for the SSL listener on WebLogic are self-signed (i.e. WebLogic Server is both the certificate holder and the Certifying Authority).

6. There are two types of certificate:
a) Trusted Certificates – certificates of a Certifying Authority (CA). In the second screenshot (above) the certificates of “VeriSign Class 3 International Server CA – G3” and “VeriSign Class 3 Public Primary Certification Authority – G5” are trusted certificates.
b) Identity Certificates – certificates of the server to which they were issued. In the screenshot above the certificate of *.oracle.com is the identity certificate.

7. Certificates (trusted and identity) for WebLogic are stored in a keystore. WebLogic Server supports various types of keystore; the most common is the Java KeyStore (JKS), a file-based repository with the extension .jks.

8. A Java KeyStore (JKS) can hold two kinds of store:
a) Trust Store – stores Trusted Certificates (certificates of Certifying Authorities)
b) Identity Store – stores Identity Certificates (certificates issued to a server by a CA)

Note: You can keep both the Trust Store and the Identity Store in the same keystore (JKS), or in different keystores (one .jks file for the identity certificate and a second .jks file for the trusted certificates).
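As an added illustration (not code from the original post), the Python below models points 4, 6 and 8: given an unordered bundle of certificates it rebuilds the chain from the identity certificate up to the root CA and decides which subjects belong in the Trust Store and which in the Identity Store. Certificates are represented as constructed dicts (subject, issuer, is_ca), not parsed X.509 data, and the sample values mirror the *.oracle.com chain from the post.

```python
# Added example (not from the original post): rebuild a certificate chain from
# an unordered bundle and decide which entries belong in the Trust Store and
# which in the Identity Store. Certificates are modelled as plain dicts with
# the fields the post discusses (subject, issuer, is_ca); no X.509 parsing.

def build_chain(certs):
    """Order certs identity -> root; ValueError if the chain is incomplete."""
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    # The identity cert is the one that issued nothing and is not a CA.
    leaves = [c for c in certs if c["subject"] not in issuers and not c["is_ca"]]
    if len(leaves) != 1:
        raise ValueError("expected one identity certificate, found %d" % len(leaves))
    chain, current = [], leaves[0]
    while True:
        chain.append(current)
        if current["issuer"] == current["subject"]:  # self-signed root reached
            return chain
        nxt = by_subject.get(current["issuer"])
        if nxt is None:  # an intermediate/root is absent from the bundle
            raise ValueError("missing issuer certificate: " + current["issuer"])
        if nxt in chain:
            raise ValueError("certificate loop detected")
        current = nxt

def split_stores(certs):
    """Map the ordered chain onto the two stores the post describes."""
    chain = build_chain(certs)
    return {"identity_store": [chain[0]["subject"]],           # server cert
            "trust_store": [c["subject"] for c in chain[1:]]}  # CA certs

# Constructed sample mirroring the *.oracle.com chain from the post, listed
# out of order on purpose so the ordering logic has real work to do.
SAMPLE_BUNDLE = [
    {"subject": "VeriSign Class 3 International Server CA - G3",
     "issuer": "VeriSign Class 3 Public Primary Certification Authority - G5", "is_ca": True},
    {"subject": "*.oracle.com",
     "issuer": "VeriSign Class 3 International Server CA - G3", "is_ca": False},
    {"subject": "Class 3 Public Primary Certification Authority",
     "issuer": "Class 3 Public Primary Certification Authority", "is_ca": True},
    {"subject": "VeriSign Class 3 Public Primary Certification Authority - G5",
     "issuer": "Class 3 Public Primary Certification Authority", "is_ca": True},
]

if __name__ == "__main__":
    print(split_stores(SAMPLE_BUNDLE))
```

Removing the intermediate from the bundle makes build_chain raise "missing issuer certificate", which is the same gap a client sees when its trust store lacks an intermediate CA.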


9. WebLogic comes with a default (self-signed) identity store and trust store under $WL_HOME/server/lib:
a) DemoIdentity.jks – Identity Store containing the server's certificate (identity certificate)
b) DemoTrust.jks – Trust Store containing certificates of CAs (trusted certificates)

10. A keystore is managed with the Java utility keytool. keytool is used to generate a certificate signing request, import the certificate issued by the CA, or import the CA's certificates.

More on SSL certificates, keytool and configuring SSL with WebLogic in the next post.


About the Author Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy: an Oracle Gold Partner specialising in design, implementation and training.

16 comments
subrata23 says February 6, 2013

Well written. Thanks.

srinu says February 7, 2013

Hi,

In my project I am using IDM 11g (11.1.1.3.0). I had installed the Exchange and AD connector 9.1.1.7.0, but in my case AD is provisioning properly, whereas Exchange is not provisioning the resource; it is giving the error (create mailbox is rejected). I had installed the Remote Manager on the Exchange server system.

Please help me with this issue.
» SSL in WebLogic Server – Part II : Create KeyStore, generate CSR, Import CERT and configure KeyStore with WebLogic Online Apps DBA: One Stop Shop for Apps DBA’s says February 10, 2013

[…] SSL in WebLogic Server – Part II : Create KeyStore, generate CSR, Import CERT and configure KeyStore with WebLogic Posted in February 10th, 2013 by Atul Kumar in ssl, weblogic This is part II of SSL in WebLogic Server that covers creating KeyStore, generating Certificate Signing Request (CSR), importing Certificate in KeyStore, and finally using this keyStore with WebLogic Server. I strongly recommend to go through Part I “SSL in WebLogic KeyStore, Identity & Trust Store, Root and Intermediate CA“ […]
WebLogic Partner Community Newsletter February 2013 | WebLogic Community says February 27, 2013

[…] newsletter edition we have published many new technical WebLogic articles like WLST Examples or SSL in WebLogic by Atul Kumar or Troubleshooting Tools by Laurent Goldsztejn. If you also write articles, Please […]

zia says August 5, 2013

Hi,
I am new to WebLogic and confused about the certificate import process. I followed the steps below:
Imported the certs into identity.jks in this sequence:
rootCa.cer
Intermediary.cer
Certificate.cer
My question: which of these files need to be imported into the Trust.jks file, and in what sequence?
Atul Kumar says August 5, 2013

@Zia,

rootCa.cer & Intermediary.cer are trusted certs and are stored in the Trust Store, whereas Certificate.cer is the identity cert and is stored in the Identity Store.

Having said that, both the Identity Store and the Trust Store can be stored in the same file or in two different files (if the same file, then in WebLogic give the path to the same file; if different, then give different file locations for the Trust and Identity Store).

Still confused??
Atul Kumar says August 6, 2013

@Zia,
Please paste the error you are hitting here, and also the command used to import the signed certificate into the identity store.
» WebLogic SSL configuration : Inconsistent security configuration Cannot convert identity certificate Online Apps DBA: One Stop Shop for Apps DBA’s says August 8, 2013

[…] Posted in August 8th, 2013 by Atul Kumar in troubleshooting, weblogic I discussed about SSL basics and SSL configuration in WebLogic Server. In this post I am going to cover an issue encountered […]
zia says August 13, 2013

Hey Atul,

I ran the commands below to import the certs, and I was able to overcome the issue with the application related to scheduling the flowcharts. The way I imported the certs is different, but it just worked for me.

Identity store
-------------------
keytool -importcert -alias root -keystore Identity.jks -file primary_inter.cer

keytool -importcert -alias intermediate -keystore Identity.jks -file secondary_inter.cer

keytool -import -alias Alias-name -keystore Identity.jks -trustcacerts -file server.cer

Trust Store
----------------
keytool -import -alias Alias-name -keystore Trust.jks -trustcacerts -file server.cer

Any advice on this procedure?

Thanks
» SSL / Wallets in OID/OHS : How to manage certificates in Wallet using command line ?? ORAPKI Online Apps DBA: One Stop Shop for Apps DBA’s says August 24, 2013

[…] line ?? ORAPKI Posted in August 24th, 2013 by Atul Kumar in oid, ssl I discussed about SSL basics in WebLogic like Certifying Authority and Certificate and configuring SSL for OID using Graphical User Interface (GUI) like Fusion Middleware Control […]
ajay says July 6, 2015

Hi,

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

Can anybody help me fix this?
    Atul Kumar says July 6, 2015

    @Ajay, In which component are you getting this error? This means the certificate of the Certifying Authority is missing on the client side. You need to import the root and intermediate (if any) certificates into the client trust store. Explain your setup and where you are hitting this issue.
Gupta Katakam says October 12, 2015

Hi Atul,

I have a SOAP API based web service standalone application which sets challenge questions and answers for OAAM users. When I connect with the http URL from my standalone application it works fine. The moment I started using the OAAM https URL to fetch the Bharosa session from OAAM I got the exception “Exception Occurred while Reading license file”. So I added the webserviceclient+ssl.jar file and changed the configuration of the http handler to Sun with “-DUseSunHttpHandler=true and -Dssl.debug=true”, as Oracle Support suggested. After that I started getting the exception “BAD Certificate Recieved.”
Could you please suggest anything on this?

Thanks in advance,
Gupta Katakam