
Deep dive into various configurations with Oracle Weblogic Server

  • August 23, 2013

Steps to create a self-signed certificate and configure Custom Identity and Custom Trust with Weblogic Server using Keytool...

Puneeth Prakash
Principal Software Engineer

Below are the steps to create a self-signed certificate :

Command 1 :

keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -validity 365 -keypass privatepassword -keystore identity.jks -storepass password

Note :

keytool commands that were renamed in Java 1.6 :

-export, renamed to -exportcert

-genkey, renamed to -genkeypair

-import, renamed to -importcert

The previous command names are still supported in this release ( keytool in Java 1.6 ) and will continue to be supported in future releases.

To create a 2048-bit certificate signed with SHA-2 ( SHA256withRSA ), use the following command :

Command :

keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keypass privatepassword -keystore identity.jks -storepass password

Command 2 :

keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password

Command 3 :

keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass password


 < Additional Info >

 To see the contents of the keystore use the following command :

Command :

keytool -list -v -keystore identity.jks -storepass password

To see the contents of an individual certificate file ( root.cer in our case ) :

Command :

keytool -printcert -file root.cer

Copy the keystore files ( identity.jks and trust.jks ) to the domain_home location.

Below are the steps to configure Custom Identity and Custom Trust with Weblogic Server :

Step 1 :

Log in to the Weblogic Admin console --> Environment --> Servers --> < server_name_where_ssl_has_to_be_configured > --> Configuration --> General --> SSL Listen Port Enabled ( check the box )

Note : The default SSL Listen Port would be 7002, change it if required. 

Step 2 :

Click on the " Keystores " tab under the " Configuration " tab :

Step 2a :

Click on the drop-down menu next to " Keystores " and select " Custom Identity and Custom Trust ".

Step 2b :

Now fill in the following information :

---Identity---

Custom Identity Keystore : < location_of_identity_keystore_that_you_have_created >

NOTE : By default WLS will look for this keystore file in the domain_home location.

Custom Identity Keystore Type : jks

Custom Identity Keystore Passphrase : < This_would_be_your_storepass >

---Trust---

Custom Trust Keystore : < location_of_trust_keystore_that_you_have_created >

NOTE : By default WLS will look for this keystore file in the domain_home location.

Custom Trust Keystore Type : jks

Custom Trust Keystore Passphrase : < This_would_be_your_storepass >

Step 2c :

Now save the changes and click on " SSL " tab :

Private Key Alias: < This_would_be_your_certificate_alias >

Private Key Passphrase: < This_would_be_your_keypass >

Step 3 :

Save the changes and click on the " Advanced " link under the " SSL " tab :

Set " Hostname Verification " to None ( from the drop-down menu ).

Note : Hostname verification has to be set to None when the CN of the certificate is not the same as the hostname of the machine where WLS is installed.

 Now access your Weblogic Admin console over https URL :

 " https://localhost:7002/console "


Comments ( 15 )
  • guest Saturday, January 11, 2014

    This link also shows another method of creating a digital signature:

    http://www.systemdeveloper.info/2013/12/generate-self-signed-certificate-keytool.html


  • Puneeth Monday, January 13, 2014

    The link you are pointing to " http://www.systemdeveloper.info/2013/12/generate-self-signed-certificate-keytool.html" is using the same commands --> keytool -genkey

    I don't think it's a different method of creating a digital signature. I am using the same commands in this post.


  • Guest Wednesday, June 4, 2014

    How does one create/obtain the root.cer file?


  • Puneeth Wednesday, June 4, 2014

    When you create a self signed certificate, use the following command :

    keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass password

    By default when you create a self signed certificate it contains a pair of public and private key in identity.jks.

    So using the export command above we export the public cert ( root in this case ).

    Later we import this root to a keystore to generate a trust store.

    -- Puneeth


  • guest Tuesday, July 15, 2014

    Hi Puneeth

    I tried Steps to create a self-signed certificate and configure Custom Identity and Custom Trust with Weblogic Server using Keytool as explained above.

    Result of Keystore listing is as below and matches exactly as shown above.

    C:\ORACLE\Middleware\user_projects\domains\MYDOMAIN>keytool -list -v -keystore idntflt.jks -storepass testing

    Keystore type: JKS

    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: fltweb

    Creation date: Jul 14, 2014

    Entry type: PrivateKeyEntry

    Certificate chain length: 1

    Certificate[1]:

    Owner: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE

    Issuer: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE

    Serial number: 53c3a242

    Valid from: Mon Jul 14 13:26:26 GST 2014 until: Tue Jul 14 13:26:26 GST 2015

    Certificate fingerprints:

    MD5: BA:8F:94:B9:E9:99:82:D1:74:A1:D6:DE:A9:6F:AC:2D

    SHA1: E4:BF:09:B7:49:DE:F8:9E:F7:91:F1:3C:10:22:10:CB:EE:2B:C8:22

    Signature algorithm name: SHA1withRSA

    Version: 3

    *******************************************

    *******************************************

    C:\ORACLE\Middleware\user_projects\domains\MYDOMAIN>keytool -list -v -keystore trusflt.jks -storepass testing

    Keystore type: JKS

    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: fltweb

    Creation date: Jul 14, 2014

    Entry type: trustedCertEntry

    Owner: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE

    Issuer: CN=PF DUBAI, OU=PFGLOBAL, O=PATHFINDER COMPUTER CONSULTANCY, L=KARAMA, ST=DUBAI, C=AE

    Serial number: 53c3a242

    Valid from: Mon Jul 14 13:26:26 GST 2014 until: Tue Jul 14 13:26:26 GST 2015

    Certificate fingerprints:

    MD5: BA:8F:94:B9:E9:99:82:D1:74:A1:D6:DE:A9:6F:AC:2D

    SHA1: E4:BF:09:B7:49:DE:F8:9E:F7:91:F1:3C:10:22:10:CB:EE:2B:C8:22

    Signature algorithm name: SHA1withRSA

    Version: 3

    *******************************************

    *******************************************

    C:\ORACLE\Middleware\user_projects\domains\FLOTILLADOMAIN>

    ----------------------------------------------------------------------

    Following are the settings done in the Weblogic Admin Console.

    Under Configuration TAB

    SSL Listen Port Enabled - 7002

    Under Keystore TAB

    -----Identity------

    Keystore : Custom Identity and Custom Trust

    Custom Identity Keystore : idntflt.jks

    Custom Identity Keystore Type : JKS

    Custom Identity Keystore Passphrase : testing

    Custom Identity Keystore Passphrase : testing

    -----Trust------

    Custom Trust Keystore : trusflt.jks

    Custom Trust Keystore Type : JKS

    Custom Trust Keystore Passphrase : testing

    Custom Trust Keystore Passphrase : testing

    Under SSL TAB

    Identity and Trust Locations: Keystores

    -----Identity------

    Private Key Location: from Custom Identity Keystore

    Private Key Alias: fltweb

    Private Key Passphrase: testing

    Confirm Private Key Passphrase: testing

    Certificate Location: from Custom Identity Keystore

    -----Trust------

    Trusted Certificate Authorities: from Custom Trust Keystore

    -----Advanced------

    Hostname Verification: NONE

    After above settings, server has been restarted.

    However, when I try to access using https, browser shows page not found.

    Following java exception found while starting Admin Server for Weblogic

    Can you please help me resolve this issue?


  • Puneeth Tuesday, July 15, 2014

    Hi,

    The steps you have followed look fine, however please check the following :

    CN=PF DUBAI

    Even though the keytool -genkey command asks you to enter First and Last name, this field should actually be your machine's hostname ( without any spaces ).

    Eg : In my example I have used localhost.

    - Please correct this and try recreating the certificates.

    - Check if there is any other server which is already using the 7002 port?

    - Paste the exception that you are getting while starting the server.

    - Try accessing the https page using Chrome/Mozilla; the latest version of IE doesn't accept certificates with a keysize less than 1024.


  • Puneeth Monday, March 2, 2015

    When you run the weblogic validateCertChain utility to check the chaining of the identity keystore that we generated earlier we see the following errors :

    d:\Oracle\Middleware1036\user_projects\domains\base_domain\cert>java utils.ValidateCertChain -jks mykey identity.jks

    Cert[0]: CN=localhost,OU=wls,O=oracle,L=bangalore,ST=karnataka,C=IN

    CA cert not marked with critical BasicConstraint indicating it is a CA

    Certificate chain is invalid

    If you want to create a certificate with basic constraint set then try the following command :

    Note : Use JDK 7

    C:\Program Files (x86)\Java\jdk1.7.0_75\bin>keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -validity 365 -ext BasicConstraints:critical=ca:true,pathlen:0 -keypass privatepassword -keystore identity.jks -storepass password

    What is your first and last name?

    [Unknown]: localhost

    What is the name of your organizational unit?

    [Unknown]: wls

    What is the name of your organization?

    [Unknown]: oracle

    What is the name of your City or Locality?

    [Unknown]: bangalore

    What is the name of your State or Province?

    [Unknown]: karnataka

    What is the two-letter country code for this unit?

    [Unknown]: IN

    Is CN=localhost, OU=wls, O=oracle, L=bangalore, ST=karnataka, C=IN correct?

    [no]: yes

    --

    d:\Oracle\Middleware1036\user_projects\domains\base_domain\cert>java utils.ValidateCertChain -jks mykey identity.jks

    Cert[0]: CN=localhost,OU=wls,O=oracle,L=bangalore,ST=karnataka,C=IN

    Certificate chain appears valid


  • NEHA Thursday, April 30, 2015

    Hi Puneet

    I generated a self-signed certificate and listed it.

    $ keytool -list -v -keystore /DataStdPerf/spl/bea/wlserver_10.3/server/lib/DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

    Keystore type: JKS

    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: demoidentity

    Creation date: Apr 22, 2015

    Entry type: PrivateKeyEntry

    Certificate chain length: 1

    Certificate[1]:

    Owner: CN=Neha Nema, OU=***, O=****, L=Pune, ST=MH, C=IN

    Issuer: CN=Neha Nema, OU=***, O=****, L=Pune, ST=MH, C=IN

    Serial number: 553669e5

    Valid from: Wed Apr 22 01:16:53 EST 2015 until: Sat Apr 19 01:16:53 EST 2025

    Certificate fingerprints:

    MD5: D1:CB:7D:57:65:51:99:B5:2A:B3:F1:89:85:BE:93:44

    SHA1: 80:F5:1C:54:F1:85:1D:48:75:2C:83:FB:EE:B9:CB:97:AF:0E:22:79

    Signature algorithm name: SHA1withRSA

    Version: 3

    *******************************************

    I need to export this cert and provide it to the client to let them import it at their server.

    I am using this but the certificate does not get exported.

    Please help with the proper export command so that the cert gets stored on the server.

    keytool -export -alias mykey -file demoidentity -keystore /DataStdPerf/spl/bea/wlserver_10.3/server/lib/DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase


  • Puneeth Thursday, April 30, 2015

    The alias used is wrong.

    Try this command :

    keytool -export -alias demoidentity -file demoidentity -keystore /DataStdPerf/spl/bea/wlserver_10.3/server/lib/DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase


  • guest Thursday, June 25, 2015

    Hello puneeth /all

    I configured custom trust & custom identity for weblogic using openSSL

    config completed and after activating changes the system remains fine and allows login... Today I restarted the web server - web reboots fine with the following error --

    <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol "Invalid identity certificate signature

    <BEA-090034> <Not listening for SSL, java.io.IOException: Invalid identity certificate signature

    I now can't log in using https / so I logged in using http and reverted to demo identity and demo trust

    Any inputs will be very helpful thanks!!


  • guest Monday, July 13, 2015

    Hi Puneet, thanks for this post. What's the difference between storepass and keypass? When we use keytool it asks for two passwords. For the second one, cmd asks to hit return if you want to keep the same.


  • Puneeth Monday, July 13, 2015

    Storepass is the password for entire keystore.

    Keypass is the password for private key entry in the keystore.
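Added example, not code from the post or from Oracle's tooling: a Python reimplementation of the JKS container format as OpenJDK's JavaKeyStore writes it, enough to list entries the way "keytool -list" does and to check the storepass. It makes the point above concrete: the storepass only seeds the SHA-1 integrity hash at the end of the file, so aliases, entry types and certificates are readable without it, while the private key blob stays encrypted under the keypass. The sample keystore and its placeholder key and certificate bytes are constructed, not real DER.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED  # first four bytes of every JKS file

def _integrity_hash(storepass, body):
    # OpenJDK: SHA-1(storepass as UTF-16BE || "Mighty Aphrodite" || every byte before the hash)
    return hashlib.sha1(storepass.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(entries, storepass):  # entries: [(alias, encrypted_key_or_None, [cert_der, ...])]
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))  # magic, version 2, entry count
    for alias, enc_key, certs in entries:
        tag = 2 if enc_key is None else 1  # 1 = PrivateKeyEntry, 2 = trustedCertEntry
        name = alias.encode("utf-8")
        body += struct.pack(">IH", tag, len(name)) + name + struct.pack(">Q", 0)  # tag, alias, time
        if tag == 1:
            body += struct.pack(">I", len(enc_key)) + enc_key + struct.pack(">I", len(certs))
        for cert in certs:
            body += b"\x00\x05X.509" + struct.pack(">I", len(cert)) + cert  # writeUTF type, DER
    return body + _integrity_hash(storepass, body)

def read_jks(data, storepass=None):  # -> [(alias, entry_type, chain_length)]
    off = 0
    def take(fmt):  # unpack big-endian fields at the cursor and advance it
        nonlocal off
        off += struct.calcsize(fmt)
        return struct.unpack_from(fmt, data, off - struct.calcsize(fmt))
    def blob(width):  # length-prefixed bytes: 2-byte prefix for UTF strings, 4-byte for data
        (n,) = take(">H" if width == 2 else ">I")
        return take(">%ds" % n)[0]
    magic, version, count = take(">III")
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS version 2 keystore")
    entries = []
    for _ in range(count):
        (tag,) = take(">I")
        kind = {1: "PrivateKeyEntry", 2: "trustedCertEntry"}[tag]  # KeyError on anything else
        alias = blob(2).decode("utf-8"); take(">Q")  # alias, then creation timestamp (unused)
        chain_len = 1
        if tag == 1:  # encrypted PKCS#8 key (opaque without the keypass), then chain length
            blob(4); (chain_len,) = take(">I")
        for _ in range(chain_len):
            blob(2); blob(4)  # "X.509" type string, then the DER certificate
        entries.append((alias, kind, chain_len))
    if storepass is not None and data[off:off + 20] != _integrity_hash(storepass, data[:off]):
        raise ValueError("integrity check failed: wrong storepass or tampered keystore")
    return entries

# Constructed sample: placeholder bytes stand in for the encrypted key and the DER certificates.
SAMPLE_JKS = build_jks([("mykey", b"\x30\x00", [b"\x30\x00"]), ("rootca", None, [b"\x30\x00"])], "password")
```

Reading a real identity.jks with read_jks(open(path, "rb").read()) lists the same aliases and entry types that "keytool -list" prints, with or without the storepass; only the trailing hash check needs it.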


  • ACV Wednesday, September 9, 2015

    A very important point! You need to enable Use JSSE SSL! This can be found under the SSL tab > Advanced (on the bottom of the page).


  • guest Wednesday, October 14, 2015

    JSSE needs to be enabled only when you are using SHA2 certificate and above.

    Since Certicom SSL implementation is deprecated now, enabling JSSE on WLS end is always recommended..!!


  • guest Thursday, January 5, 2017

    Hi puneeth,

    I am using weblogic server 11g, and after configuration I am getting the below error in the logs

    <Jan 5, 2017 12:37:01 PM IST> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to retrieve identity key/certificate from keystore C:\apps\Oracle\Middleware\user_projects\domains\interfinance_domain\identity.jks under alias mykey on server AdminServer>

    <Jan 5, 2017 12:37:01 PM IST> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol "Failed to retrieve identity key/certificate from keystore C:\apps\Oracle\Middleware\user_projects\domains\interfinance_domain\identity.jks under alias mykey on server AdminServer".>

    <Jan 5, 2017 12:39:40 PM IST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias mykey from the jks keystore file C:\Users\identity.jks.>

    <Jan 5, 2017 12:39:40 PM IST> <Alert> <Security> <BEA-090716> <Failed to retrieve identity key/certificate from keystore C:\Users\identity.jks under alias mykey on server AdminServer>

    <Jan 5, 2017 12:39:40 PM IST> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to retrieve identity key/certificate from keystore C:\Users\agrasho\identity.jks under alias mykey on server AdminServer>

    <Jan 5, 2017 12:39:40 PM IST> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol "Failed to retrieve identity key/certificate from keystore C:\Users\identity.jks under alias mykey on server AdminServer".>

    Could you please help in resolving this error?

    Thank you in advance

