techworldrocks

March 28, 2012

Configure self signed certificate with Weblogic server

Filed under: Weblogic — vaishalipavashe @ 10:52 pm

You can configure WebLogic Server to use a self-signed certificate, i.e. one signed by you rather than by an external certificate authority. Such certificates are suitable for non-production environments only:

NOTE: You need to create keystores on each physical machine where you have servers running.

I. Generating self signed certificates:

1. Go to the WebLogic domain directory and create a new directory called certs:

> mkdir certs

2. Go to the bin directory inside the domain directory and execute setDomainEnv.sh / setDomainEnv.cmd as below:

Windows: > setDomainEnv.cmd

Unix: . ./setDomainEnv.sh (do not forget the leading dot and space: the script must be sourced so that its variables stay in your shell)

3. Change directory to certs and execute the command below to create identity.jks:

> keytool -genkey -alias mycert -keyalg RSA -keypass weblogic1 -keystore identity.jks -storepass weblogic1 -validity 365

The following questions will be asked. Answer them according to your environment:

What is your first and last name?
[Unknown]: techworldrocks.wordpress.com (NOTE: you need to provide the fully qualified domain name of the machine where the WebLogic server is hosted)
What is the name of your organizational unit?
[Unknown]: Middleware
What is the name of your organization?
[Unknown]: techworldrocks
What is the name of your City or Locality?
[Unknown]: Bangalore
What is the name of your State or Province?
[Unknown]: KA
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=techworldrocks.wordpress.com, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN correct?
[no]: yes

Now we have created a private key, together with its self-signed certificate, in identity.jks. As we are configuring a self-signed certificate we will not create a CSR to order a certificate from an external authority.

4. As it is a self-signed certificate, we export that same certificate (which also serves as the root certificate in this case) from identity.jks:

> keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass weblogic1

5. Now we import the same certificate into trust.jks, which generally contains only root certificates.

NOTE: We could use identity.jks in place of trust.jks, since both will contain the same certificate, but as good practice the two should be kept separate. In production, where there is a chain of certificates, creating two separate JKS stores is recommended.

> keytool -import -alias mycert -trustcacerts -file root.cer -keystore trust.jks -storepass weblogic1

Owner: CN=techworldrocks.wordpress.com, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN
Issuer: CN=techworldrocks.wordpress.com, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN
Serial number: 4f738bae
Valid from: Thu Mar 29 03:37:42 IST 2012 until: Fri Mar 29 03:37:42 IST 2013
Certificate fingerprints:
MD5: 19:B9:AB:EC:50:09:F6:D6:46:8D:B0:AD:71:77:22:60
SHA1: 5F:3E:D2:9D:9A:84:D4:06:13:12:A2:9B:C5:F8:A2:EA:83:FB:48:47
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

Now both keystores are ready for configuration. Repeat this process on all physical machines where WebLogic servers are hosted.
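The whole of section I as one non-interactive script, added here as an example and not part of the original post: -dname replaces the interactive prompts, and two checks confirm that the certificate's CN equals the FQDN the server will listen on (otherwise hostname verification fails) and that trust.jks holds exactly the certificate identity.jks presents. Alias, file names and the demo passphrase are the ones used in the post; keytool on PATH and the FQDN argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of section I.
# Assumes keytool is on PATH and that the FQDN passed in is the Listen Address
# the WebLogic server will be configured with.
set -e

ALIAS=mycert
PASS=weblogic1   # demo passphrase from the post; do not reuse in production

# Print the first SHA fingerprint keytool reports for ALIAS in a keystore.
store_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
        | grep -E 'SHA(1|256):' | head -n 1 | sed 's/^[[:space:]]*//'
}

# Print the Owner DN of the certificate stored under ALIAS.
store_owner() {
    keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
        | grep -m 1 '^Owner:' | sed 's/^Owner: //'
}

# Build identity.jks, root.cer and trust.jks in DIR for FQDN, then verify that
# the CN matches FQDN and that both stores carry the same certificate.
make_self_signed_stores() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$fqdn, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN" \
        -keypass "$PASS" -storepass "$PASS" -storetype JKS \
        -keystore "$dir/identity.jks" 2>/dev/null
    keytool -exportcert -alias "$ALIAS" -file "$dir/root.cer" \
        -storepass "$PASS" -keystore "$dir/identity.jks" 2>/dev/null
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$dir/root.cer" \
        -storepass "$PASS" -storetype JKS -keystore "$dir/trust.jks" 2>/dev/null
    # CN must equal the Listen Address, otherwise hostname verification rejects it.
    case "$(store_owner "$dir/identity.jks")" in
        "CN=$fqdn,"*) ;;
        *) echo "CN does not match $fqdn" >&2; return 1 ;;
    esac
    # Same fingerprint in both stores: the trust store trusts our own certificate.
    [ "$(store_fingerprint "$dir/identity.jks")" = "$(store_fingerprint "$dir/trust.jks")" ]
}

# Usage: make_self_signed_stores "$DOMAIN_HOME/certs" "$(hostname -f)"
if [ "$#" -eq 2 ]; then
    make_self_signed_stores "$1" "$2"
fi
```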

II. Configuring jks with weblogic:

1. Login to admin console

2. Navigate to servers>[server_name]>Configuration>Keystores

3. Select Custom Identity and Custom Trust and provide the details below:

-Custom Identity Keystore: <Location of identity.jks>

-Custom Identity Keystore Type: jks

-Custom Identity Keystore Passphrase: weblogic1

-Confirm Custom Identity Keystore Passphrase: weblogic1

-Custom Trust Keystore: <Location of trust.jks>

-Custom Trust Keystore Type: jks

-Custom Trust Keystore Passphrase: weblogic1

-Confirm Custom Trust Keystore Passphrase: weblogic1

4. Then click on SSL tab next to Keystores and provide values for below parameters:

-Private Key Alias: mycert

-Private Key Passphrase: weblogic1

-Confirm Private Key Passphrase: weblogic1

NOTE: Because I used the same password for the identity keystore and for the private key, I enter the same password here. If you chose different passwords, make sure to enter the private key password here.

5. Then enable the SSL port for that particular WebLogic server by navigating to servers>[server_name]>Configuration>General.

Also provide Fully Qualified Domain Name (FQDN) in Listen Address field.

6. Save and activate changes. Repeat this second part of the procedure for all WebLogic servers that are intended to use SSL.

III. CONFIGURING NODE MANAGER

Modify nodemanager.properties file available in $WL_HOME/common/nodemanager folder. Insert the following lines at the end:

KeyStores=CustomIdentityAndCustomTrust

CustomIdentityKeystoreType=jks

CustomIdentityKeyStoreFileName=<Location of identity.jks>

CustomIdentityKeyStorePassPhrase=weblogic1

CustomTrustKeystoreType=jks

CustomTrustKeyStoreFileName=<Location of trust.jks>

CustomTrustKeyStorePassPhrase=weblogic1

CustomIdentityAlias=mycert

CustomIdentityPrivateKeyPassPhrase=weblogic1

NOTE: Make sure SecureListener, which is already present in this file, is set to true. Also enter the Fully Qualified Domain Name (FQDN) in the ListenAddress field, which is blank by default.

IV. DISABLING HOSTNAME VERIFICATION

NOTE: As we are using self-signed certificates we need to disable host name verification. In a production environment it should stay enabled, using certificates issued by an internal or external certificate authority.

i) Disable host name verification at server level

  1. Navigate to servers>[server_name]>Configuration>SSL
  2. Click on advanced
  3. Make Hostname Verification NONE
  4. Save and activate changes.
  5. Repeat these steps for all servers in the domain for which self-signed certs are configured.

ii) Disable host name verification for Node Manager

Add the parameter -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false to the java invocations in startNodeManager.sh/startNodeManager.cmd as given below (Unix version; the four branches differ only in whether a listen address and/or port is passed):

    # excerpt from startNodeManager.sh; the only change is the added
    # -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false flag
    if [ "$LISTEN_PORT" != "" ]
    then
      if [ "$LISTEN_ADDRESS" != "" ]
      then
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
      else
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
      fi
    else
      if [ "$LISTEN_ADDRESS" != "" ]
      then
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" weblogic.NodeManager -v
      else
        "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" weblogic.NodeManager -v
      fi
    fi

Now restart Node Manager; you do not have to restart the servers if they are already running. This completes the SSL configuration with self-signed certs.

NOTE: Sometimes Node Manager still reports an SSL error. In that case import CertGenCA.der (the CA certificate that signed the WebLogic demo certificates) into the custom trust store trust.jks so that the Admin Server can trust Node Manager. Use an alias that is not already present in trust.jks, since mycert is taken by the self-signed certificate imported above:

> keytool -import -alias certgenca -trustcacerts -file "<location of CertGenCA.der>" -keystore trust.jks -storepass weblogic1

18 Comments »

  1. Hi,

    Great tutorial.

    I have a problem with weblogic: I did it, but when I go to the weblogic console via https I got the error ssl_error_bad_cert_alert.

    Can you help me, please

    Comment by Alberto — December 10, 2012 @ 1:18 pm | Reply

    • Hi Alberto,

      You can check on below things:
      1. Check if you have disabled host name verification in console by navigating Servers -> [Server_name] -> SSL -> Advanced
      2. Put the hostname/FQDN (Fully qualified domain name) in server’s Listen address in console configuration page same as the one you had put as CN while creating certificates
      3. Use same DNS/FQDN while accessing console link in browser
      4. Import the root certificate (the one which you had imported in trust.jks in browser)

      Let me know if you still face issue.

      Comment by vaishalipavashe — December 10, 2012 @ 2:03 pm | Reply

      • I do not know where to put the hostname / FQDN.

        4. Import the root certificate (the one which you had imported in trust.jks in browser)
        I don´t know what is.

        Thank you very much for answering so fast.

        Comment by Alberto — December 10, 2012 @ 3:45 pm

      • In weblogic log:

        javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:480)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1120)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1092)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
        at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:68)
        at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
        at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:66)
        at weblogic.socket.JSSEFilterImpl.wrap(JSSEFilterImpl.java:475)
        at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:133)
        at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:313)
        at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:100)
        at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
        Caused By: javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1429)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1369)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:160)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
        at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
        at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
        at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:231)
        at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:111)
        at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:313)
        at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:100)
        at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)

        Comment by Alberto — December 10, 2012 @ 4:28 pm

  2. In weblogic log:


    Comment by Alberto — December 10, 2012 @ 4:26 pm | Reply

    • Hi, this seems a known issue when JSSE is enabled. Let me know your weblogic version and if you have enabled two way SSL.

      Also check if you have set cert requested and not enforced in Admin console by navigating servers -> [server_name] -> SSL -> Advanced tab.

      Comment by vaishalipavashe — December 11, 2012 @ 4:10 pm | Reply

      • Yes, I have JSSE enabled. WebLogic Server version: 10.3.5.0. I have enabled two way SSL.

        I have cert requested and not enforced.

        Thank you very much for your attention

        Comment by Alberto — December 11, 2012 @ 4:44 pm

  3. Alberto, this is a known bug. Please open a Service Request with Oracle and get patch 11874217. That should fix this issue.

    Comment by vaishalipavashe — December 17, 2012 @ 9:46 am | Reply

    • Thanks for all.

      Comment by Alberto — December 17, 2012 @ 9:53 am | Reply

  4. Hi,
    I have also configured JSSE SSL in weblogic 10.3.4 and also “Client Certs Requested but not enforced” for 2 way SSL. The server is still expecting certificates and throwing an error if not presented with one (javax.net.ssl.SSLHandshakeException: null cert chain).
    When I try to access my app through a browser, the server rejects it, whereas ideally it should let it go.

    If I change the setting to “Client Certs Not Required”, my application works fine.
    So the patch you have described, 11874217, does it fix this issue only? The one I am facing.

    Thanks in Advance,
    Manas

    Comment by Manas — March 8, 2013 @ 8:41 am | Reply

    • Hi Manas, you are right the above patch should fix the issue you are facing and fortunately Oracle has a ready patch for your WLS version 10.3.4. You can raise a service request and get patch 11874217 (ID C6ZP).

      Thank You, Vaishali

      Comment by vaishalipavashe — March 11, 2013 @ 5:04 am | Reply

  5. Getting the below error while updating the keystore
    <Could not load a jks keystore from the file /opt/bea/bea10/wlserver_10.3/server/cert/identity.jks. Exception: java.io.IOException: Invalid keystore format

    Comment by krishna — October 24, 2013 @ 9:06 am | Reply

  6. Hi Krishna,

    You said you are updating Keystore does that mean you are trying to import custom cert into weblogic default identity.jks or its a keystore created by you?

    Comment by vaishalipavashe — October 26, 2013 @ 9:42 am | Reply

  7. HI,
    I am also facing the same problem and I have done all the above steps

    Comment by Siva — January 30, 2014 @ 11:47 am | Reply

    • Hi Siva,

      Can you please post the error message and brief me on your config/setup?

      Thank you, Vaishali

      Comment by vaishalipavashe — January 30, 2014 @ 4:37 pm | Reply

  8. HI,
    I am also facing the same problem and I have done all the above steps.. and not understanding

    Comment by Rajesh — January 30, 2014 @ 11:51 am | Reply

