Monday May 30, 2016

Steps to create partitions in WLS 12.2.1

Below are the steps to create partitions in Weblogic Server 12.2.1 :

Step 1 :

- Create a weblogic domain (say Partition_From_Windows_Domain)

FMW control is the recommended console for Partition management, so it is good to enable it at the time of  domain creation.  

To enable FMW control select "Oracle Enterprise Manager-Restricted JRF - 12.2.1 [em]" template in the configuration wizard, as shown below :

To access FMW control access : http://<host>:<port>/em

NOTE : We will continue using Weblogic Admin console to create partitions in this example.

Partition names : coke-partition and pepsi-partition

Partition specific realms : coke_realm and pepsi_realm

Partition specific Admin Users : coke_admin and pepsi_admin

Virtual Targets for these partitions : coke-vt and pepsi-vt

Partition Specific Resource Groups : coke-rg1 and pepsi-rg1

Step 2 :

Before creating a partition, you need to create a security realm (then create an Admin user inside this realm, say coke_admin and pepsi_admin) and virtual target for this partition :

To create a new security realm :

Login to console -> Security Realms -> new (say 'coke_realm' and 'pepsi_realm') -> "create default providers within this new realm" (check)

Now create a Virtual target :

Login to console -> + Environment -> Virtual Targets -> new (say coke-vt) and target it to Weblogic Server (say Admin Server) -> specify a URI Prefix

Step 3 :

Lets create a partition now :

Login to console -> Domain Partitions -> new (say coke-partition)-> then target it to a Virtual target (say coke-vt) -> select the security realm for this partition from the drop down menu (say coke_realm)

 Step 4 :

Create a Resource Group inside domain partition

 Step 5 : 

Check the Identity Domains of the partitions :

Step 6 :

You can now deploy applications to Global scope / to a resource group of a partition

To access the application deployed to your partition use the following URL :

http://<host>:<port>/coke/Weblogic_SP_sample_App/login.jsp  ==> Try to login with the coke Admin and also test the login using weblogic user.

Perform similar tests with application deployed on pepsi-partition and global scoped deployment.

Monday Aug 31, 2015

X509 Certificate Revocation Checking using OCSP (Online Certificate Status Protocol) in Weblogic Server

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

It was created as an alternative to certificate revocation lists (CRL)

When you enable Certificate Revocation Checking in Weblogic, you can select the order for Revocation checks.

Default Behavior is to check the certificate's revocation status using OCSP and if it returns "unknown" then do a CRL check.

Optionally you can force Weblogic to do only OCSP check, only CRL check OR CRL then OCSP check.

By default if the certificate's revocation status cannot be determined then the certificate is accepted. If you want to change this behavior then select "Fail On Unknown Revocation Status" check-box in WLS console.

In this post we will see how to configure OCSP in Weblogic and demonstrate Certificate revocation checking...

[Read More]

Monday May 05, 2014

Steps to configure Custom Identity and Custom Trust with Weblogic Server

What are the different ways keystore can be configured with Weblogic Server ?

What is the default keystore configuration in Weblogic ? 

Weblogic is configured with DemoIdentity and DemoTrust by default.

If you have generated any of the following certficate / keystores then you need to configure a CustomIdentity and CustomTrust as shown in this blog post :

 - Self signed certificate / keystore

- Generated a csr and got a certificate signed from a 3rd party Certificate Signing Authority ( CA ) 

- Generated a csr and got the certificate signed by an internal CA.

 You can also configure a Custom Identity and Java Standard Trust when you have any of the above certificates.

 In case of CustomIdentity and JavaStandardTrust, we create a Identity keystore and for the Trust keystore we make use of the default JDK Trust store i.e cacerts.

We need to import the root/intermediate certificate to cacerts using the following command :

keytool -import -file <root_certificate> -keystore <JDK>/lib/security/cacerts -storepass changeit 

In this post we will see how to configure a Custom Identity and Custom Trust with Weblogic Server.........

[Read More]

Wednesday Dec 18, 2013

Steps to create a csr ( certificate signing request ) using keytool and get it signed from an external CA ( Certificate Authority - Thawte )

How to create a csr ?

How to get a certificate signed from an external / third party CA ?

How to create a certificate chain ?


 Defaults for keytool command in Java 1.6 :

-alias "mykey"


    "DSA" (when using -genkeypair)

    "DES" (when using -genseckey)


    1024 (when using -genkeypair)

    56 (when using -genseckey and -keyalg is "DES")

    168 (when using -genseckey and -keyalg is "DESede")

-validity 90

In generating a public/private key pair, the signature algorithm (-sigalg option) is derived from the algorithm of the underlying private key: If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA", and if the underlying private key is of type "RSA", -sigalg defaults to "MD5withRSA".


Defaults for keytool command in Java 1.7 :

-alias "mykey"


    "DSA" (when using -genkeypair)

    "DES" (when using -genseckey)


    2048 (when using -genkeypair and -keyalg is "RSA")

    1024 (when using -genkeypair and -keyalg is "DSA")

    256 (when using -genkeypair and -keyalg is "EC")

    56 (when using -genseckey and -keyalg is "DES")

    168 (when using -genseckey and -keyalg is "DESede")

-validity 90

If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA"

If the underlying private key is of type "RSA", the -sigalg option defaults to "SHA256withRSA".

If the underlying private key is of type "EC", the -sigalg option defaults to "SHA256withECDSA".


The chaining can be of 2 types :

root……………………….ow = xxx

…………………………… xxx

inter ……………………… ow= xxx

………………………………is= yyy

signedcert……………….. ow= yyy

……………………………… is= ppp


signedcert ……………… ow= ppp

…………………………….. is= yyy

inter……………………… ow= yyy

…………………………….. is= xxx

root………………………. ow= xxx

…………………………….. is= xxx

In this post we will see how to create a csr and get it signed from a third party CA like Thawte...

[Read More]

Saturday Aug 24, 2013

Steps to create a self-signed certificate and configure Custom Identity and Custom Trust with Weblogic Server using Keytool...

 What are self signed certificates and how to create them ?

A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies.

 This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.
 Note :
 Identity keystores must contain a private key entry
 Trust store must contain all trusted key entries
 Below are few default values when using keytool command on JDK 1.6 :
 -alias "mykey"
    "DSA" (when using -genkeypair)
    "DES" (when using -genseckey)
    1024 (when using -genkeypair)
    56 (when using -genseckey and -keyalg is "DES")
    168 (when using -genseckey and -keyalg is "DESede")
-validity 90

Note :

-genkey is used in the example here. This was an old name used in previous releases. This old name is still supported in this release and will be supported in future releases, but for clarify the new name, -genkeypair, is preferred going forward.

Changes in keytool in Java 1.6 :

keytool no longer displays password input when entered by users. Since password input can no longer be viewed when entered, users will be prompted to re-enter passwords any time a password is being set or changed (for example, when setting the initial keystore password, or when changing a key password).

Some commands have simply been renamed, and other commands deemed obsolete are no longer listed in this document. All previous commands (both renamed and obsolete) are still supported in this release and will continue to be supported in future releases. The following summarizes all of the changes made to the keytool command interface:

Renamed commands:

-export, renamed to -exportcert
-genkey, renamed to -genkeypair
-import, renamed to -importcert
Commands deemed obsolete and no longer documented:



In this post we will see how to create self-signed cretificates and configure it Weblogic Server 10.3.6 ( CustomIdentityandCustomTrust ).

[Read More]

Oracle Fussion Middleware - WebLogic


« July 2016