You can configure WebLogic Server to use a self-signed certificate, i.e. one signed by yourself rather than by an external certificate authority. Such certificates are suitable for non-production environments only:
NOTE: You need to create the keystores on each physical machine where you have servers running.
I. Generating self signed certificates:
1. Go to the WebLogic domain directory and create a new directory called certs:
> mkdir certs
2. Go to the bin directory inside the domain directory and run setDomainEnv.cmd / source setDomainEnv.sh as below:
Windows: > setDomainEnv.cmd
Unix: . ./setDomainEnv.sh (Do not forget the two dots)
3. Change directory to certs and execute the command below to create identity.jks:
> keytool -genkey -alias mycert -keyalg RSA -keypass weblogic1 -keystore identity.jks -storepass weblogic1 -validity 365
The questions below will be asked. Answer them according to your environment:
What is your first and last name?
[Unknown]: techworldrocks.wordpress.com (NOTE: you need to provide the fully qualified domain name of the machine where WebLogic Server is hosted)
What is the name of your organizational unit?
[Unknown]: Middleware
What is the name of your organization?
[Unknown]: techworldrocks
What is the name of your City or Locality?
[Unknown]: Bangalore
What is the name of your State or Province?
[Unknown]: KA
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=techworldrocks.wordpress.com, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN correct?
[no]: yes
Now we have created a private key, together with its self-signed certificate, in identity.jks. As we are configuring a self-signed certificate, we will not create a CSR to order a certificate from an external authority.
4. As it is a self-signed certificate, export that same certificate (which also serves as the root certificate in this case) from identity.jks:
> keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass weblogic1
5. Now import the same certificate into trust.jks, which generally contains only root certificates.
NOTE: We could use the same identity.jks file in place of trust.jks, since both will hold the same certificate, but as good practice keep the two separate. In production, where there is a chain of certificates, it is recommended to create two separate JKS stores.
> keytool -import -alias mycert -trustcacerts -file root.cer -keystore trust.jks -storepass weblogic1
Owner: CN=techworldrocks.wordpress.com, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN
Issuer: CN=techworldrocks.wordpress.com, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN
Serial number: 4f738bae
Valid from: Thu Mar 29 03:37:42 IST 2012 until: Fri Mar 29 03:37:42 IST 2013
Certificate fingerprints:
MD5: 19:B9:AB:EC:50:09:F6:D6:46:8D:B0:AD:71:77:22:60
SHA1: 5F:3E:D2:9D:9A:84:D4:06:13:12:A2:9B:C5:F8:A2:EA:83:FB:48:47
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Now both keystores are ready for configuration. Repeat this process on all physical machines where WebLogic servers are hosted.
II. Configuring the JKS keystores with WebLogic:
1. Log in to the Admin Console
2. Navigate to servers>[server_name]>Configuration>Keystores
3. Select Custom Identity and Custom Trust and provide the details below:
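The five keystore steps above, folded into one non-interactive script. This is an added example, not code from the original post: it supplies the distinguished name with -dname instead of answering the prompts, refuses a CN that is not fully qualified (a short hostname in the CN is the usual reason hostname verification fails later), uses -noprompt on the trust import, and finishes by listing both stores to confirm that the identity store holds a key entry and the trust store a trusted-certificate entry. The FQDN, password and output directory are arguments and are assumptions; -keysize 2048 is added because older keytool versions default to a 1024-bit RSA key; the OU/O/L/ST/C values repeat the page's sample answers and would be changed for a real environment. keytool must be on the PATH, so source setDomainEnv.sh first.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3-5 of section I in one go.
# Usage: . ./setDomainEnv.sh; sh make_certs.sh <fqdn> <password> [directory]
# The argument names and the script name are assumptions, not values from the page.

# A self-signed CN must be the host's fully qualified name; reject bare short names.
check_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Compose the distinguished name keytool would otherwise prompt for (sample values
# from the page; replace them for a real environment).
build_dname() {
    printf 'CN=%s, OU=Middleware, O=techworldrocks, L=Bangalore, ST=KA, C=IN' "$1"
}

# Create identity.jks, export the self-signed cert, import it into trust.jks,
# then verify both stores. Returns non-zero on the first failing step.
gen_keystores() {
    fqdn="$1"; pass="$2"; dir="${3:-certs}"
    check_fqdn "$fqdn" || { echo "CN must be a fully qualified domain name, got '$fqdn'" >&2; return 1; }
    mkdir -p "$dir" || return 1
    keytool -genkey -alias mycert -keyalg RSA -keysize 2048 \
        -dname "$(build_dname "$fqdn")" \
        -keypass "$pass" -keystore "$dir/identity.jks" -storepass "$pass" \
        -validity 365 || return 1
    keytool -export -alias mycert -file "$dir/root.cer" \
        -keystore "$dir/identity.jks" -storepass "$pass" || return 1
    keytool -import -noprompt -alias mycert -trustcacerts -file "$dir/root.cer" \
        -keystore "$dir/trust.jks" -storepass "$pass" || return 1
    # The identity store must hold the private key (PrivateKeyEntry, or keyEntry on
    # old JDKs); the trust store must hold only a trustedCertEntry.
    keytool -list -keystore "$dir/identity.jks" -storepass "$pass" \
        | grep -qi 'keyentry' || { echo "identity.jks has no key entry" >&2; return 1; }
    keytool -list -keystore "$dir/trust.jks" -storepass "$pass" \
        | grep -qi 'trustedcertentry' || { echo "trust.jks has no trusted cert entry" >&2; return 1; }
}

if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    gen_keystores "$1" "$2" "${3:-certs}"
fi
```

Run it once per physical machine, since each host needs its own stores; the final two keytool -list checks are the quickest way to tell a keystore that was never populated from one that was.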
-Custom Identity Keystore: <Location of identity.jks>
-Custom Identity Keystore Type: jks
-Custom Identity Keystore Passphrase:weblogic1
-Confirm Custom Identity Keystore Passphrase:weblogic1
-Custom Trust Keystore: <Location of trust.jks>
-Custom Trust Keystore Type: jks
-Custom Trust Keystore Passphrase:weblogic1
-Confirm Custom Trust Keystore Passphrase:weblogic1
4. Then click the SSL tab next to Keystores and provide values for the parameters below:
-Private Key Alias: mycert
-Private Key Passphrase: weblogic1
-Confirm Private Key Passphrase: weblogic1
NOTE: As I have set the identity keystore password the same as the private key password, I give the same password here. If you used a different key password, make sure to enter that one.
5. Then enable the SSL port for that particular WebLogic server by navigating to servers>[server_name]>Configuration>General.
Also provide the fully qualified domain name (FQDN) in the Listen Address field.
6. Save and activate changes. Repeat this second half of the procedure for all WebLogic servers that are intended to use SSL.
III. CONFIGURING NODE MANAGER
Modify the nodemanager.properties file in the $WL_HOME/common/nodemanager folder. Insert the following lines at the end:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=<Location of identity.jks>
CustomIdentityKeyStorePassPhrase=weblogic1
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=<Location of trust.jks>
CustomTrustKeyStorePassPhrase=weblogic1
CustomIdentityAlias=mycert
CustomIdentityPrivateKeyPassPhrase=weblogic1
NOTE: Make sure SecureListener, which is already present in this file, is set to true. Also set the fully qualified domain name (FQDN) in the ListenAddress field, which is blank by default.
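A sanity check for the nodemanager.properties settings listed above and in the NOTE, to run before Node Manager is restarted. This is an added example, not part of the original post: it reads the file with sed and test only, so it runs without Java, and prints one line per failing check (SecureListener not true, blank or unqualified ListenAddress, wrong KeyStores value, keystore files that do not exist on this machine, blank alias or passphrases). The file path argument is an assumption; none of the values come from a real installation.

```shell
#!/bin/sh
# Added example (not from the original post): check nodemanager.properties before restart.
# Usage: sh check_nm.sh $WL_HOME/common/nodemanager/nodemanager.properties
# The script name is an assumption.

# Read the last definition of key $2 from properties file $1 (key=value, no spaces).
nm_prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one line per failed check; return 0 only when every check passes.
check_nm_props() {
    f="$1"; rc=0
    [ "$(nm_prop "$f" SecureListener)" = "true" ] \
        || { echo "SecureListener must be true (the key is present in the file by default)"; rc=1; }
    case "$(nm_prop "$f" ListenAddress)" in
        "")  echo "ListenAddress is blank; set it to the FQDN"; rc=1 ;;
        *.*) ;;  # contains a dot: accept as fully qualified
        *)   echo "ListenAddress is not a fully qualified domain name"; rc=1 ;;
    esac
    [ "$(nm_prop "$f" KeyStores)" = "CustomIdentityAndCustomTrust" ] \
        || { echo "KeyStores must be CustomIdentityAndCustomTrust"; rc=1; }
    # Keystores are per physical machine, so both files must exist on this host.
    for k in CustomIdentityKeyStoreFileName CustomTrustKeyStoreFileName; do
        p="$(nm_prop "$f" "$k")"
        [ -n "$p" ] && [ -f "$p" ] || { echo "$k does not point to an existing file: '$p'"; rc=1; }
    done
    for k in CustomIdentityAlias CustomIdentityKeyStorePassPhrase \
             CustomIdentityPrivateKeyPassPhrase CustomTrustKeyStorePassPhrase; do
        [ -n "$(nm_prop "$f" "$k")" ] || { echo "$k is blank"; rc=1; }
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    check_nm_props "$1"
fi
```

A non-zero exit with the printed reasons is cheaper to read than the SSL handshake errors Node Manager logs after a restart with a half-filled file.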
IV. DISABLING HOSTNAME VERIFICATION
NOTE: As we are using self-signed certs we need to disable hostname verification here, whereas in a production environment it should stay enabled, with certificates issued by an internal or external certificate authority.
i) Disable host name verification at server level
- Navigate to servers>[server_name]>Configuration>SSL
- Click on advanced
- Set Hostname Verification to None
- Save and activate changes.
- Repeat these steps for all servers in the domain for which self-signed certs are configured.
ii) Disable host name verification for Node Manager
Add the parameter -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false to each java command line in the startNodeManager.sh / startNodeManager.cmd file, as in the excerpt below:
if [ "$LISTEN_PORT" != "" ]
then
  if [ "$LISTEN_ADDRESS" != "" ]
  then
    "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
  else
    "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenPort="${LISTEN_PORT}" weblogic.NodeManager -v
  fi
else
  if [ "$LISTEN_ADDRESS" != "" ]
  then
    "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" -DListenAddress="${LISTEN_ADDRESS}" weblogic.NodeManager -v
  else
    "${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" -Dweblogic.nodemanager.javaHome="${JAVA_HOME}" weblogic.NodeManager -v
  fi
fi
Now restart Node Manager; you do not have to restart the servers if they are already running. This completes the SSL configuration with self-signed certs.
NOTE: Sometimes you might get an SSL issue at Node Manager. In that case import CertGenCA.der into the custom trust store trust.jks so that the Admin Server can trust Node Manager. Use an alias other than mycert, because trust.jks already holds an entry under that alias and keytool refuses to import a second one:
> keytool -import -alias certgenca -trustcacerts -file "<location of CertGenCA.der>" -keystore trust.jks -storepass weblogic1
Hi,
Great tutorial.
I have a problem with WebLogic: I did it, but when I go to the WebLogic console via https I get the error ssl_error_bad_cert_alert.
Can you help me, please?
Comment by Alberto — December 10, 2012 @ 1:18 pm |
Hi Alberto,
You can check on below things:
1. Check that you have disabled hostname verification in the console by navigating to Servers -> [Server_name] -> SSL -> Advanced
2. Put the hostname/FQDN (fully qualified domain name) in the server's Listen Address on the console configuration page, the same as the one you put as CN while creating the certificates
3. Use the same DNS name/FQDN when accessing the console link in the browser
4. Import the root certificate (the one you imported into trust.jks) into the browser
Let me know if you still face the issue.
Comment by vaishalipavashe — December 10, 2012 @ 2:03 pm |
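Points 2 and 3 of the reply above come down to one comparison: the CN inside the exported certificate must equal the name typed into the browser and set as the Listen Address. The script below, an added example that is not part of the post or of any comment, extracts the CN from the DER-encoded root.cer with openssl and compares it (case-insensitively, as DNS names are) with a hostname. openssl is assumed to be installed; the file and hostname arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or comments): does the certificate CN
# match the name used in the URL / Listen Address?
# Usage: sh check_cn.sh certs/root.cer myhost.example.com   (script name is an assumption)

# Print the CN of a DER-encoded certificate. RFC 2253 subject formatting keeps the
# output shape stable across OpenSSL versions.
cert_cn() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Return 0 when the certificate CN equals the hostname, ignoring case.
cn_matches() {
    cn="$(cert_cn "$1" | tr 'A-Z' 'a-z')"
    host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    if cn_matches "$1" "$2"; then
        echo "OK: certificate CN matches $2"
    else
        echo "MISMATCH: certificate CN is '$(cert_cn "$1")' but the URL/Listen Address uses '$2'" >&2
        exit 1
    fi
fi
```

A mismatch here explains a browser bad-certificate alert and a server-side hostname verification failure equally well, and it is the one check that does not require touching the Admin Console.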
I do not know where to put the hostname / FQDN.
4. Import the root certificate (the one which you had imported in trust.jks in browser)
I don't know what that is.
Thank you very much for answering so fast.
Comment by Alberto — December 10, 2012 @ 3:45 pm
In weblogic log:
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:480)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1092)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:68)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:66)
at weblogic.socket.JSSEFilterImpl.wrap(JSSEFilterImpl.java:475)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:133)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:313)
at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:100)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
Caused By: javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1429)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1369)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:160)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:231)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:111)
at weblogic.socket.JSSEFilterImpl.isMessageComplete(JSSEFilterImpl.java:313)
at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:100)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
Comment by Alberto — December 10, 2012 @ 4:28 pm
In weblogic log:
[log entries not preserved in the page]
Comment by Alberto — December 10, 2012 @ 4:26 pm |
Hi, this seems to be a known issue when JSSE is enabled. Let me know your WebLogic version and whether you have enabled two-way SSL.
Also check whether you have set "cert requested and not enforced" in the Admin Console by navigating to servers -> [server_name] -> SSL -> Advanced tab.
Comment by vaishalipavashe — December 11, 2012 @ 4:10 pm |
Yes, I have JSSE enabled. WebLogic Server version: 10.3.5.0. I have enabled two-way SSL.
I have cert requested and not enforced.
Thank you very much for your attention
Comment by Alberto — December 11, 2012 @ 4:44 pm
Alberto, this is a known bug. Please open a Service Request with Oracle and get patch 11874217. That should fix this issue.
Comment by vaishalipavashe — December 17, 2012 @ 9:46 am |
Thanks for all.
Comment by Alberto — December 17, 2012 @ 9:53 am |
Hi,
I have also configured JSSE SSL in WebLogic 10.3.4 and also “Client Certs Requested but not enforced” for two-way SSL. The server is still expecting certificates and throwing an error if not presented with one (javax.net.ssl.SSLHandshakeException: null cert chain).
When I try to access my app through a browser, the server rejects it, whereas ideally it should let it through.
If I change the setting to “Client Certs Not Required”, my application works fine.
So the patch you described, 11874217, does it fix this issue only? The one I am facing.
Thanks in advance,
Manas
Comment by Manas — March 8, 2013 @ 8:41 am |
Hi Manas, you are right: the above patch should fix the issue you are facing, and fortunately Oracle has a ready patch for your WLS version 10.3.4. You can raise a service request and get patch 11874217 (ID C6ZP).
Thank You, Vaishali
Comment by vaishalipavashe — March 11, 2013 @ 5:04 am |
Getting the below error while updating the keystore:
<Could not load a jks keystore from the file /opt/bea/bea10/wlserver_10.3/server/cert/identity.jks. Exception: java.io.IOException: Invalid keystore format
Comment by krishna — October 24, 2013 @ 9:06 am |
Hi Krishna,
You said you are updating the keystore; does that mean you are trying to import a custom cert into the WebLogic default identity.jks, or is it a keystore created by you?
Comment by vaishalipavashe — October 26, 2013 @ 9:42 am |
Hi,
I am also facing the same problem, and I have done all the above steps.
Comment by Siva — January 30, 2014 @ 11:47 am |
Hi Siva,
Can you please post the error message and brief me on your config/setup?
Thank you, Vaishali
Comment by vaishalipavashe — January 30, 2014 @ 4:37 pm |
Hi,
I am also facing the same problem, and I have done all the above steps, and I am not understanding.
Comment by Rajesh — January 30, 2014 @ 11:51 am |