Below are the steps to configure custom keystores with Node Manager on SSL (WebLogic 12c and above):
Step 1:
– Below are the keytool commands to create a self-signed certificate, export it, and import it into a trust keystore:
keytool -genkeypair -alias mykey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 365 -dname "cn=localhost, ou=WLS, o=Oracle, c=IN" -storepass password -keypass privatepassword -keystore identity.jks
keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password
keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password -trustcacerts -noprompt
NOTE :
– You can skip the above step if you already have custom keystores.
– The nodemanager.properties file is created in <domain_Home>/nodemanager (in the case of a per-domain Node Manager) when you run the startNodeManager script for the very first time.
– By default Node Manager is configured with Demo Identity and Demo Trust.
Step 2:
You configure custom keystores for Node Manager by adding the NM parameters to the nodemanager.properties file. Edit nodemanager.properties and add the following parameters:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=privatepassword
CustomIdentityKeyStorePassPhrase=password
NOTE :
The parameter CustomIdentityKeyStorePassPhrase is optional or required depending on the type of keystore. All keystores require the passphrase (storepass) in order to write to the keystore. However, some keystores do not require the passphrase (storepass) to read from the keystore. WebLogic Server only reads from the keystore, so whether or not you define this property depends on the requirements of the keystore.
A quick way to test whether your keystore requires the passphrase (storepass) to read its contents is to run the following command: "keytool -list -v -keystore <keystore_name>". Do not enter any password; just hit enter when the command prompts for one. If you can see the list of certificates in the keystore, you do not need a passphrase (storepass) to read the contents of the JKS.
Example on Windows :
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=C\:\\Weblogic\\user_projects\\domains\\base_domain\\identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=privatepassword
CustomIdentityKeyStorePassPhrase=password
Example on Linux :
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/WLHOME/Oracle_Home/user_projects/domains/base_domain/nodemanager/identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=privatepassword
CustomIdentityKeyStorePassPhrase=password
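The Windows example above is written with Java .properties escaping (a literal backslash as \\ and a colon as \:), which is the usual mistake when people copy a path into nodemanager.properties. The following is an added example, not code from the original page or from Oracle: it reads the file with that escaping and flags the settings Step 2 requires. The sample content is the page's Windows example; the function names are my own.

```python
"""Read nodemanager.properties and sanity-check the custom keystore settings."""
import re

# Constructed sample: the Windows example from the page, in .properties escaping.
SAMPLE_PROPERTIES = r"""
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=C\:\\Weblogic\\user_projects\\domains\\base_domain\\identity.jks
CustomIdentityAlias=mykey
CustomIdentityPrivateKeyPassPhrase=privatepassword
CustomIdentityKeyStorePassPhrase=password
"""

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def unescape(value):
    # Undo Java .properties escaping: backslash + char yields that char
    # (with n/t/r/f mapped to control characters) and \uXXXX a code point.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "u" and i + 6 <= len(value):
                out.append(chr(int(value[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)

def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[unescape(m.group(1))] = unescape(m.group(2))
    return props

REQUIRED_FOR_CUSTOM = ("CustomIdentityKeyStoreFileName", "CustomIdentityAlias",
                       "CustomIdentityPrivateKeyPassPhrase")

def check_keystore_config(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    mode = props.get("KeyStores", "DemoIdentityAndDemoTrust")  # Node Manager default
    if mode == "DemoIdentityAndDemoTrust":
        return ["KeyStores still uses the demo identity and trust keystores"]
    if mode != "CustomIdentityAndCustomTrust":
        findings.append("unexpected KeyStores value: " + mode)
    for key in REQUIRED_FOR_CUSTOM:
        if not props.get(key):
            findings.append(key + " is required when KeyStores=" + mode)
    path = props.get("CustomIdentityKeyStoreFileName", "")
    if re.match(r"^[A-Za-z]:(?![\\/])", path):  # 'C:Weblogic...' means \ got swallowed
        findings.append("CustomIdentityKeyStoreFileName lost its backslashes; escape them as \\\\")
    return findings
```

Run check_keystore_config(parse_properties(open(path).read())) against a real file; an unescaped Windows path such as C:\Weblogic\identity.jks decodes to C:Weblogicidentity.jks and is reported.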
NOTE :
– Unlike in older WLS versions, we do not recommend using -D parameters to configure the custom keystores for Node Manager.
– If the Managed Server's non-SSL port is disabled, Node Manager needs to trust the certificate received from the server. To configure the trust store for Node Manager, add -Djavax.net.ssl.trustStore to the Node Manager start scripts.
– If you want WebLogic hostname verification to support wildcard or SAN certificates, set the following parameter:
-Dweblogic.security.SSL.HostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
– You can disable hostname verification with the following parameter:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
NOTE:
There is a known bug related to hostname verification in WLS 12.2.1.3:
Bug 30510407: IGNOREHOSTNAMEVERIFIER VALUE IN SSLMBEAN IS NOT HONOURED
Additional Info :
Administration Servers and Managed Servers communicate with the Java-based Node Manager using one-way SSL (two-way SSL between WebLogic Server and Node Manager is not supported).
Node Manager can have its own certificate or it can share a certificate with another aspect of the domain.
You do not need a separate certificate for each Node Manager instance, but you can configure this option if desired. In production environments, Node Manager can use the same public certificate used for all server instances.
By default Node Manager uses DemoIdentityAndDemoTrust: the demonstration identity and trust keystores located in the DOMAIN_HOME\security and WL_HOME\server\lib directories, which are configured out of the box. The demonstration trust keystore trusts all the certificate authorities in the Java Standard Trust keystore (JAVA_HOME\jre\lib\security\cacerts).
| Keystore Name | Default StorePass | Default KeyPass | Default Location |
|---|---|---|---|
| DemoIdentity.jks | DemoIdentityKeyStorePassPhrase | DemoIdentityPassPhrase | DOMAIN_HOME\security |
| DemoTrust.jks | DemoTrustKeyStorePassPhrase | NA | WL_HOME\server\lib |
| cacerts | changeit | NA | JAVA_HOME\jre\lib\security\cacerts |
The default alias for the private key in DemoIdentity.jks is demoidentity.
You can enable the following debug flags to get more information on which keystores Node Manager is using:
-Dweblogic.security.SSL.verbose=true
-Dssl.debug=true
-Dweblogic.StdoutDebugEnabled=true
You can enable the following debug flags to check the SSL handshake information :
-Djavax.net.debug=all
Example :
Edit the startNodeManager script and add the following :
In Linux :
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.RootDirectory=${DOMAIN_HOME} -Djavax.net.debug=all -Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true -Dweblogic.security.SSL.verbose=true"
export JAVA_OPTIONS
In Windows :
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.RootDirectory=%DOMAIN_HOME% -Djavax.net.debug=all -Dweblogic.StdoutDebugEnabled=true -Dssl.debug=true -Dweblogic.security.SSL.verbose=true
