SSL (Secure Sockets Layer) is a protocol that relies on a third party, a certificate authority, to identify the parties at both ends of a data exchange and secure it.
In layman's terms, this means that all data transmitted between the client and the web server is encrypted and hence secured.
Basic terms to understand:
1) Private Key/Public Key:
You generate a key pair using tools such as keytool or CertGen. One key is kept secret; this is the private key, and it is used to decrypt the data. The other key, known as the public key, is distributed to everybody so that they can send you an encrypted message.
Encryption with a private/public key pair ensures that data encrypted with one key can only be decrypted with the other key of the pair.
2) Certificate & Certificate Authority: A certificate contains information about the owner of the certificate, such as e-mail address, owner's name, certificate usage, duration of validity, resource location or Distinguished Name (DN), which includes the Common Name (CN) (web site address or e-mail address, depending on the usage), and the certificate ID of the person who certifies (signs) this information. This certifying body is called a Certificate Authority. Well-known CAs include VeriSign and Entrust.
3) The trusted certificate authority (CA) certificate establishes trust for a certificate.
4) Private keys and trusted CA certificates are stored in a keystore.
The preferred keystore format in WebLogic is JKS (Java KeyStore).
5) The PEM (Privacy Enhanced Mail) format is the preferred format for private keys, digital certificates, and trusted certificate authorities (CAs).
6) Servers need a private key, a digital certificate containing the matching public key, and a certificate for at least one trusted certificate authority.
7) WebLogic Server supports private keys, digital certificates, and trusted CA certificates from the following sources:
* The demonstration digital certificates, private keys, and trusted CA certificates in the WL_HOME\server\lib directory and the JAVA_HOME\jre\lib\security directory.
* Sun Microsystem’s keytool utility can also be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR).
* The CertGen utility generates digital certificates and private keys that should be used only for demonstration or testing purposes in a development environment.
Steps to implement SSL in WebLogic
1) The first step is to generate a CSR (Certificate Signing Request)
Generally, to create a CSR we use the keytool utility (location on Linux: $JDK_HOME/bin). Run the keytool commands below to create a CSR: the first generates the private key and a self-signed certificate in identity.jks, the second writes the CSR for that key.
./keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname "CN=<domain name like test.com etc>, OU=<unit like Customer Support etc>, O=<your organization>, L=<your location>, ST=<state>, C=<country code like US>" -keystore identity.jks
./keytool -certreq -alias mykey -file cert.csr -keystore identity.jks
By executing the above commands you create a CSR named cert.csr, which can be forwarded to the signing team for further processing.
The CA will issue you a root CA certificate, intermediate certificates and the SSL certificate, which you need to install in your browser and trust keystore respectively.
2) Install the test root CA certificate into the browser from which you will access the web server; in my case it's Firefox.
2.1. Click on the “ Download Secure Site Trial Root Certificate” link
2.2. Save the certificate into a file with a .cer extension.
2.3. Open a Firefox browser.
2.4. Go to Tools> Options > Advanced > View Certificates>Authorities.
2.5. Click Import.
2.6. Select the Trial Root certificate > click Open.
2.7. A dialog box appears that says, “Do you want to trust ‘VeriSign Trial Secure Server Test Root CA’ for the following purposes?”. Check “Trust this CA to identify web sites”.
2.8. Click OK.
3) Install the Trial SSL Intermediate CA Certificates.
The CA will issue two intermediate certificates, primary and secondary; we have to install them in a keystore, let's say "trust".
Save the contents of the primary and secondary certificates in text files with a .cer extension. Then issue the commands below:
./keytool -import -alias primaryca -keystore trust.jks -trustcacerts -file primaryintermediate.cer
Enter keystore password:
Re-enter new password:
Certificate was added to keystore
./keytool -import -alias secondaryca -keystore trust.jks -trustcacerts -file secondaryintermidiate.cer
Enter keystore password:
Certificate was added to keystore
4) Install the trial SSL certificate in the keystore
The CA will send you the SSL certificate in an email; copy it and save it in a text file with a .cer extension. Then run the following on the web server:
./keytool -import -alias sslcert -keystore trust.jks -trustcacerts -file ssl.cer
Enter keystore password:
Once you enter password you will see lines like
=======================================================
Owner: CN=innowave03.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Customer Support, O=ABC, L=London, ST=England, C=UK
Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Trust this certificate? [no]: yes
Certificate was added to keystore
================================================================================
5) Configure the keystore and SSL in WebLogic
To configure SSL:
5.1. Go to the WebLogic Administration Console (http://<hostname>:<port>/console). Under Domain > Environment, expand the Servers node.
5.2. Select the name of the server for which you want to configure keystores (for example, testserver).
5.3. Select the Configuration > Keystores and SSL tab.
Information about the demonstration Identity and Trust keystores is displayed in the Keystore Configuration.
5.4. Configure new Identity and Trust keystores for WebLogic Server.
5.5. Click the Change link in the SSL Configuration section to configure attributes for SSL.
The Configure SSL page appears.
5.6. Specify how the identity and trust for WebLogic Server are stored. The following options are available:
* Key Stores: use this option if you created Identity and Trust keystores for WebLogic Server. If you choose this option, go to step 5.8.
* Files or Key Store Providers: use this option if you stored private keys and trusted CA certificates in a file or in a JKS keystore accessed via the WebLogic Keystore provider.
In our case it is Key Stores.
5.7. Click Continue.
5.8. Specify the alias under which the private key is stored in the keystore in the Private Key Alias attribute, and the password used to retrieve the private key from the keystore in the Passphrase attribute. You may have specified this information when creating the Identity keystore; however, for the purpose of SSL configuration, specify it again. Skip to step 5.10.
5.9. Specify information about the location of identity and trust for WebLogic Server.
Note: This step only applies if the Files or Key Store Providers option is specified.
5.10. Click Continue.
5.11. Click save.
Note: By default, WebLogic Server has host name verification enabled. As part of the SSL handshake, WebLogic Server compares the common name in the SubjectDN of the SSL server's digital certificate with the host name of the SSL server used to accept the SSL connection. If they do not match, the connection is dropped. For testing purposes you can set Hostname Verification to "None" if the host name you connect to is different from the common name in the certificate; since this check is what stops a certificate for one host being presented for another, re-enable it before the server is used for anything beyond testing.
5.12. Go to the General tab of Configuration under the selected server and check the SSL Listen Port Enabled box.
5.13. Restart WebLogic Server.
You should now be able to access the WebLogic server at https://<hostname>:<ssl port>
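As an added example (not from the original post), a small Python check that reproduces the comparison described in the host name verification note: it parses the Subject DN string that keytool printed in step 4 and tests whether the CN matches the host used to connect. The DN samples are constructed from that output; exact, case-insensitive matching without wildcard support is an assumption about the verifier, not something the post states.

```python
# Added example, not from the original post: the decision WebLogic's default
# host name verification makes, applied to the Subject DN text keytool prints.
# Assumed: RFC 2253 style DN text, case-insensitive exact CN match, no wildcards.

# Constructed from the keytool output shown in step 4 of the post.
SAMPLE_SUBJECT = ("CN=innowave03.com, OU=Terms of use at www.verisign.com/cps/testca (c)05, "
                  "OU=Customer Support, O=ABC, L=London, ST=England, C=UK")
SAMPLE_ISSUER = ('CN=VeriSign Trial Secure Server CA - G2, '
                 'OU=Terms of use at https://www.verisign.com/cps/testca (c)09, '
                 'OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US')

def parse_dn(dn):
    """Split a DN string into an ordered list of (ATTR, value) pairs. Commas inside
    double-quoted values (O="VeriSign, Inc.") do not split; backslash escapes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '"':
            quoted = not quoted            # quotes delimit, they are not data
        elif ch == '\\' and i + 1 < len(dn):
            i += 1
            buf.append(dn[i])              # keep the escaped character literally
        elif ch == ',' and not quoted:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition('=')
        if sep:                            # ignore empty fragments
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def common_name(dn):
    """First CN value in the DN, or None when there is none."""
    return next((v for a, v in parse_dn(dn) if a == 'CN'), None)

def hostname_accepted(subject_dn, host):
    """True when the certificate's CN matches the host used to connect; on a
    mismatch WebLogic drops the handshake unless Hostname Verification is None."""
    cn = common_name(subject_dn)
    return cn is not None and cn.lower() == host.lower()

if __name__ == "__main__":
    print("CN:", common_name(SAMPLE_SUBJECT))
    print("innowave03.com accepted:", hostname_accepted(SAMPLE_SUBJECT, "innowave03.com"))
    print("localhost accepted:", hostname_accepted(SAMPLE_SUBJECT, "localhost"))
```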