Steps to create a self-signed certificate and configure Custom Identity and Custom Trust with Weblogic Server using Keytool...

Below are the steps to create a self-signed certificate :

Command 1 :

 keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -validity 365 -keypass privatepassword -keystore identity.jks -storepass password

Note :

List of keytool commands that were renamed in Java 1.6 :

-export, renamed to -exportcert

-genkey, renamed to -genkeypair

-import, renamed to -importcert

All previous commands are still supported in this release ( keytool in java 1.6 ) and will continue to be supported in future releases. 

Command 2 :

keytool  -export -alias mykey -file root.cer -keystore identity.jks -storepass password

Command 3 :

 keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password


 < Additional Info >

 To see the contents of the keystore use the following command :

Command :

keytool -list -v -keystore identity.jks -storepass password

To see the contents of an individual certificate ( like root.cer in our case ).

Command :

keytool -printcert -file root.cer

Copy the keystore files ( identity.jks and trust.jks ) to the domain_home location.

Below are the steps to configure Custom Identity and Custom Trust with Weblogic Server :

Step 1 :

Login to Weblogic Admin console --> Environment --> Servers --> < server_name_where_ssl_has_to_be_configured > --> Configuration -> General --> SSL Listen Port Enabled ( Check )

Note : The default SSL Listen Port would be 7002, change it if required. 

Step 2 :

Click on Keystores tab under " Configuration " tab :

Step 2a :

Click on the drop down menu next to Keystores and select " Custom Identity and Custom Trust "

Step 2b :

Now fill in the following information :

---Identity---  

Custom Identity Keystore : < location_of_identity_keystore_that_you_have_created>

NOTE : By default WLS will look for this keystore file in domain_home location.

 Custom Identity Keystore Type : jks

 Custom Identity Keystore Passphrase: < This_would_be_your_storepass >

 ---Trust---

 Custom Trust Keystore : < location_of_trust_keystore_that_you_have_created>

NOTE : By default WLS will look for this keystore file in domain_home location.

 Custom Trust Keystore Type : jks

 Custom Trust Keystore Passphrase: < This_would_be_your_storepass >

Step 2c :

Now save the changes and click on " SSL " tab :

Private Key Alias: < This_would_be_your_certificate_alias >

Private Key Passphrase: < This_would_be_your_keypass >

Step 3 :

Save the changes and click on the " Advanced " field under the " SSL " tab :

Set the " Hostname Verification: " to None ( from the drop down menu ).

Note : Hostname Verification has to be set to None when the CN of the certificate is not the same as the hostname of the machine where WLS is installed.

 Now access your Weblogic Admin console over https URL :

 " https://localhost:7002/console "

Comments:

This link also shows another method of creating a digital signature:
http://www.systemdeveloper.info/2013/12/generate-self-signed-certificate-keytool.html

Posted by guest on January 12, 2014 at 12:12 AM IST #

The link you are pointing to " http://www.systemdeveloper.info/2013/12/generate-self-signed-certificate-keytool.html " is using the same command --> keytool -genkey

I don't think it's a different method of creating a digital signature. I am using the same commands in this post.

Posted by Puneeth on January 13, 2014 at 06:38 PM IST #

How does one create/obtain the root.cer file?

Posted by Guest on June 04, 2014 at 09:15 PM IST #

When you have created a self-signed certificate, use the following command :

keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password

By default, when you create a self-signed certificate, it contains a public and private key pair in identity.jks.

So using the export command above we export the public cert ( root in this case ).

Later we import this root to a keystore to generate a trust store.

-- Puneeth

Posted by Puneeth on June 04, 2014 at 09:41 PM IST #

Hi Puneeth

I tried Steps to create a self-signed certificate and configure Custom Identity and Custom Trust with Weblogic Server using Keytool as explained above.

Result of Keystore listing is as below and matches exactly as shown above.

C:\ORACLE\Middleware\user_projects\domains\MYDOMAIN>keytool -list -v -keystore idntflt.jks -storepass testing

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: fltweb
Creation date: Jul 14, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE
Issuer: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE
Serial number: 53c3a242
Valid from: Mon Jul 14 13:26:26 GST 2014 until: Tue Jul 14 13:26:26 GST 2015
Certificate fingerprints:
MD5: BA:8F:94:B9:E9:99:82:D1:74:A1:D6:DE:A9:6F:AC:2D
SHA1: E4:BF:09:B7:49:DE:F8:9E:F7:91:F1:3C:10:22:10:CB:EE:2B:C8:22
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

C:\ORACLE\Middleware\user_projects\domains\MYDOMAIN>keytool -list -v -keystore trusflt.jks -storepass testing

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: fltweb
Creation date: Jul 14, 2014
Entry type: trustedCertEntry

Owner: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE
Issuer: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE
Serial number: 53c3a242
Valid from: Mon Jul 14 13:26:26 GST 2014 until: Tue Jul 14 13:26:26 GST 2015
Certificate fingerprints:
MD5: BA:8F:94:B9:E9:99:82:D1:74:A1:D6:DE:A9:6F:AC:2D
SHA1: E4:BF:09:B7:49:DE:F8:9E:F7:91:F1:3C:10:22:10:CB:EE:2B:C8:22
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

C:\ORACLE\Middleware\user_projects\domains\FLOTILLADOMAIN>

----------------------------------------------------------------------

Following are the settings done in the Weblogic Admin Console.

Under Configuration TAB
SSL Listen Port Enabled - 7002

Under Keystore TAB
-----Identity------
Keystore : Custom Identity and Custom Trust
Custom Identity Keystore : idntflt.jks
Custom Identity Keystore Type : JKS
Custom Identity Keystore Passphrase : testing
Custom Identity Keystore Passphrase : testing
-----Trust------
Custom Trust Keystore : trusflt.jks
Custom Trust Keystore Type : JKS
Custom Trust Keystore Passphrase : testing
Custom Trust Keystore Passphrase : testing

Under SSL TAB
Identity and Trust Locations: Keystores

-----Identity------
Private Key Location: from Custom Identity Keystore
Private Key Alias: fltweb
Private Key Passphrase: testing
Confirm Private Key Passphrase: testing
Certificate Location: from Custom Identity Keystore

-----Trust------
Trusted Certificate Authorities: from Custom Trust Keystore

-----Advanced------
Hostname Verification: NONE

After above settings, server has been restarted.

However, when I try to access using https, browser shows page not found.

The following Java exception was found while starting the Admin Server for Weblogic :

Can you please help me resolve this issue?

Posted by guest on July 15, 2014 at 12:26 PM IST #

Hi,

The steps you have followed look fine, however please check the following :

CN=PF DUBAI

Even though the keytool -genkey command asks you to enter First and Last name, this field should actually be your machine's hostname ( without any spaces ).

Eg : In my example I have used localhost.

- Please correct this and try recreating the certificates.

- Check if there is any other server which is already using the 7002 port?

- Paste the exception that you are getting while starting the server.

- Try accessing the https page using Chrome/Mozilla; the latest version of IE doesn't accept certificates with a keysize less than 1024.

Posted by Puneeth on July 15, 2014 at 06:38 PM IST #

When you run the WebLogic ValidateCertChain utility to check the chaining of the identity keystore that we generated earlier, we see the following errors :

d:\Oracle\Middleware1036\user_projects\domains\base_domain\cert>java utils.ValidateCertChain -jks mykey identity.jks
Cert[0]: CN=localhost,OU=wls,O=oracle,L=bangalore,ST=karnataka,C=IN
CA cert not marked with critical BasicConstraint indicating it is a CA
Certificate chain is invalid

If you want to create a certificate with the BasicConstraints extension set, try the following command :

Note : Use JDK 7

C:\Program Files (x86)\Java\jdk1.7.0_75\bin>keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -validity 365 -ext BasicConstraints:critical=ca:true,pathlen:0 -keypass privatepassword -keystore identity.jks -storepass password
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: wls
What is the name of your organization?
[Unknown]: oracle
What is the name of your City or Locality?
[Unknown]: bangalore
What is the name of your State or Province?
[Unknown]: karnataka
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=localhost, OU=wls, O=oracle, L=bangalore, ST=karnataka, C=IN correct?
[no]: yes

--

d:\Oracle\Middleware1036\user_projects\domains\base_domain\cert>java utils.ValidateCertChain -jks mykey identity.jks
Cert[0]: CN=localhost,OU=wls,O=oracle,L=bangalore,ST=karnataka,C=IN
Certificate chain appears valid

Posted by Puneeth on March 02, 2015 at 08:39 PM IST #

Hi Puneet

I generated a self-signed certificate and listed it.
$ keytool -list -v -keystore /DataStdPerf/spl/bea/wlserver_10.3/server/lib/DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: demoidentity
Creation date: Apr 22, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Neha Nema, OU=***, O=****, L=Pune, ST=MH, C=IN
Issuer: CN=Neha Nema, OU=***, O=****, L=Pune, ST=MH, C=IN
Serial number: 553669e5
Valid from: Wed Apr 22 01:16:53 EST 2015 until: Sat Apr 19 01:16:53 EST 2025
Certificate fingerprints:
MD5: D1:CB:7D:57:65:51:99:B5:2A:B3:F1:89:85:BE:93:44
SHA1: 80:F5:1C:54:F1:85:1D:48:75:2C:83:FB:EE:B9:CB:97:AF:0E:22:79
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************

I need to export this cert and provide it to the client so they can import it at their server.
I am using this but the certificate does not get exported.
Please help with the proper export command so that the cert gets stored on the server.
keytool -export -alias mykey -file demoidentity -keystore /DataStdPerf/spl/bea/wlserver_10.3/server/lib/DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

Posted by NEHA on April 30, 2015 at 09:05 AM IST #

The alias used is wrong.

Try this command :

keytool -export -alias demoidentity -file demoidentity -keystore /DataStdPerf/spl/bea/wlserver_10.3/server/lib/DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

Posted by Puneeth on April 30, 2015 at 07:04 PM IST #
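As an added check (example code written for this page, not from the post or from Oracle), the following parses `keytool -list -v` output in the layout shown in the comments above and flags the three mistakes discussed in this thread: a Private Key Alias that does not exist in the identity keystore (the wrong-alias reply just above), a certificate CN that is not the machine's hostname (the PF DUBAI reply), and a trust keystore that does not contain the exported certificate (Commands 2 and 3 skipped). The two listings are constructed samples, trimmed to the lines the checker reads.

```python
import re

# Constructed "keytool -list -v" output for an identity and a trust keystore,
# trimmed to the lines this checker reads; alias, DN and fingerprint are made
# up for this example (the CN repeats the "PF DUBAI" mistake from the comments).
IDENTITY_JKS = """Alias name: mykey
Entry type: PrivateKeyEntry
Owner: CN=PF DUBAI, OU=PFGLOBAL, O=EXAMPLE, L=KARAMA, ST=DUBAI, C=AE
SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"""
TRUST_JKS = """Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=PF DUBAI, OU=PFGLOBAL, O=EXAMPLE, L=KARAMA, ST=DUBAI, C=AE
SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"""


def parse_listing(text):
    """Split keytool -list -v output (entries separated by '*' lines) into dicts."""
    entries = []
    for chunk in re.split(r"^\*{5,}\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^([^:\n]+):\s*(.*)$", chunk, re.M))
        if "Alias name" not in fields:
            continue
        cn = re.search(r"CN=([^,]+)", fields.get("Owner", ""))
        entries.append({"alias": fields["Alias name"].lower(),  # JKS lowercases aliases
                        "type": fields.get("Entry type", ""),
                        "cn": cn.group(1).strip() if cn else "",
                        "sha1": fields.get("SHA1", "")})
    return entries


def check_ssl_setup(identity_listing, trust_listing, private_key_alias, hostname):
    """Return findings that would break the console settings of Steps 2 and 3."""
    findings = []
    keys = {e["alias"]: e for e in parse_listing(identity_listing)
            if e["type"] == "PrivateKeyEntry"}
    key = keys.get(private_key_alias.lower())
    if key is None:  # the wrong-alias mistake from the last comment
        return ["Private Key Alias '%s' is not a PrivateKeyEntry in the identity "
                "keystore (available: %s)" % (private_key_alias, sorted(keys))]
    if key["cn"].lower() != hostname.lower():  # CN must be the machine's hostname
        findings.append("CN '%s' does not match hostname '%s': recreate the certificate "
                        "or set Hostname Verification to None" % (key["cn"], hostname))
    if not any(e["type"] == "trustedCertEntry" and e["sha1"] == key["sha1"]
               for e in parse_listing(trust_listing)):  # Commands 2/3 not applied
        findings.append("trust keystore holds no trustedCertEntry with the identity "
                        "certificate's SHA1 fingerprint")
    return findings
```

Feed it the real output of `keytool -list -v` for identity.jks and trust.jks together with the alias and hostname entered in the console; an empty result means the three settings agree with the keystores.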
