

WebLogic Server 11g and 12c : Configure SSL for a Managed Server

By default, WebLogic managed servers are configured with the demo identity and trust keystores that ship with the product. These are the same for every installation and are only suitable for development, so they should be replaced with real, or at least self-signed, certificates. This article describes how this is done.


Create Keystores and Certificates

Before you begin, make sure you are using the latest version of Java. Approaches to upgrading Java for WebLogic are described here.

In order to configure SSL for a managed server, you are going to need identity and trust keystores and a certificate. If you don't have a real certificate, you can create a self-signed certificate, as described here and in this article.

For this article we will use a self-signed certificate, created using the keytool utility. Perform the following steps as the "oracle" user.

Make a directory to hold the keystores.

$ mkdir ~/keystore
$ cd ~/keystore

Create the identity and trust keystores using the following commands. Notice the result of the hostname command is used in the "CN=" entry. The passwords are given on the command line here for brevity; they end up in the shell history and are visible in the process list while keytool runs, so on a shared machine clear the history afterwards, or omit the password options and let keytool prompt for them.

# Generate a 2048-bit RSA key pair and a self-signed certificate (3600 days, roughly 10 years).
# On Java 7 and earlier the default signature algorithm is SHA1withRSA; add "-sigalg SHA256withRSA" there.
$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore identity.jks \
   -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 3600 -keysize 2048 -keypass password1

# Re-sign the certificate. This is optional, as -genkey already produced a self-signed certificate.
$JAVA_HOME/jre/bin/keytool -selfcert -v -alias selfsigned -keypass password1 -keystore identity.jks \
   -storepass password1 -storetype jks -validity 3600

# Export the certificate (DER) so it can be imported into the trust keystore and shared with other nodes.
$JAVA_HOME/jre/bin/keytool -export -v -alias selfsigned -file "`hostname`-rootCA.der" -keystore identity.jks \
   -storepass password1

# Import the certificate into a new trust keystore. -noprompt answers "yes" to the "Trust this certificate?" prompt.
$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned -file "`hostname`-rootCA.der" \
   -keystore trust.jks -storepass password1 -noprompt

We now have a self-signed certificate in the identity keystore with the following details, which will be referred back to later.

Identity keystore: /home/oracle/keystore/identity.jks (type JKS, passphrase "password1")
Private key alias: selfsigned (key passphrase "password1")
Trust keystore: /home/oracle/keystore/trust.jks (type JKS, passphrase "password1")
Exported certificate: /home/oracle/keystore/<hostname>-rootCA.der

The identity keystore holds the private key, so both keystore files should be readable by the "oracle" user only.

Clustered Environments

If you are working with WebLogic clusters spanning multiple machines, each machine's certificate must be imported into the trust keystore of every other machine. Each node manager presents its own self-signed certificate, which is only trusted where it has been imported, so otherwise the AdminServer will not be able to communicate with all the node managers.

Assuming you have a two node cluster, as described in this article, you would have to do the following.

Make sure you have followed the process described in the previous section on each of the machines making up the cluster before continuing.

Make sure all certificates are available on all nodes by copying them into the keystore folders on each server. From the first node:

cd ~/keystore
scp wls11g-1.localdomain-rootCA.der oracle@wls11g-2.localdomain:/home/oracle/keystore
scp oracle@wls11g-2.localdomain:/home/oracle/keystore/wls11g-2.localdomain-rootCA.der .

On the first node, load the certificate generated on the second node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-2.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1 -noprompt

On the second node, load the certificate generated on the first node into the local trust keystore using the following command.

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias selfsigned2 -file wls11g-1.localdomain-rootCA.der \
   -keystore trust.jks -storepass password1 -noprompt
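The following script is an added example, not code from the original article, and covers both the keystore creation in the previous section and the cluster trust exchange above. It differs from the commands shown in three ways a practitioner usually wants: the password is read from a file (mode 600) rather than typed on the command line, the self-signed certificate carries basic constraints and a subjectAltName, and the trust import loops over every node's exported certificate and is safe to re-run. It assumes a Java 7 or later keytool (for -genkeypair, -ext and the :file password modifiers); KEYTOOL, the password file and the function names are this example's own, not anything WebLogic provides.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds one node's
# identity/trust keystores and then trusts the other cluster nodes' exported
# certificates. Assumes a Java 7 or later keytool (-genkeypair, -ext and the
# :file password modifiers); KEYTOOL and the function names are this example's own.
set -e

KEYTOOL="${KEYTOOL:-${JAVA_HOME:-/usr}/bin/keytool}"

# has_alias KEYSTORE PASSFILE ALIAS  ->  succeeds if ALIAS exists in KEYSTORE
has_alias() {
    "$KEYTOOL" -list -keystore "$1" -storepass:file "$2" -alias "$3" >/dev/null 2>&1
}

# create_keystores DIR CN PASSFILE
#   DIR       directory for identity.jks, trust.jks and the exported certificate
#   CN        certificate subject CN, normally the output of hostname
#   PASSFILE  file (mode 600) holding the keystore and key password, so the
#             password does not appear in the shell history or process list
create_keystores() {
    dir="$1"; cn="$2"; passfile="$3"
    mkdir -p "$dir" && chmod 700 "$dir"
    # One step creates the key pair and the self-signed certificate.
    #   -sigalg    avoids the SHA1withRSA default of Java 7 and earlier
    #   -ext BC:c  adds the basic constraints extension, so older JREs accept
    #              the certificate as a trust anchor (see BEA-090548 below)
    #   -ext SAN   lets clients that check subjectAltName verify the hostname
    "$KEYTOOL" -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -alias selfsigned -validity 3600 \
        -dname "CN=$cn, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
        -ext "SAN=DNS:$cn" -ext BC:c \
        -keystore "$dir/identity.jks" -storetype jks \
        -storepass:file "$passfile" -keypass:file "$passfile"
    # Export the certificate (this is the file copied to the other nodes)
    # and import it into a new trust keystore.
    "$KEYTOOL" -exportcert -alias selfsigned -file "$dir/$cn-rootCA.der" \
        -keystore "$dir/identity.jks" -storepass:file "$passfile"
    "$KEYTOOL" -importcert -noprompt -alias selfsigned -file "$dir/$cn-rootCA.der" \
        -keystore "$dir/trust.jks" -storetype jks -storepass:file "$passfile"
    # identity.jks holds the private key: owner-only access.
    chmod 600 "$dir/identity.jks" "$dir/trust.jks"
}

# trust_cluster_certs DIR PASSFILE LOCALHOST
#   Imports DIR/<node>-rootCA.der for every node except LOCALHOST into
#   DIR/trust.jks under the alias <node>, skipping nodes already trusted.
#   Prints the number of certificates imported.
trust_cluster_certs() {
    dir="$1"; passfile="$2"; local_host="$3"; count=0
    for der in "$dir"/*-rootCA.der; do
        [ -f "$der" ] || continue
        node=$(basename "$der" -rootCA.der)
        [ "$node" = "$local_host" ] && continue
        if has_alias "$dir/trust.jks" "$passfile" "$node"; then
            echo "already trusted: $node" >&2
            continue
        fi
        "$KEYTOOL" -importcert -noprompt -alias "$node" -file "$der" \
            -keystore "$dir/trust.jks" -storepass:file "$passfile" >&2
        count=$((count + 1))
    done
    echo "$count"
}
```

Run it as the "oracle" user on every node, with a password file created under a restrictive umask, then copy the *-rootCA.der files between the nodes with scp as shown above and call trust_cluster_certs on each node. Because the alias is the node name, the keystore listing shows at a glance which nodes are trusted, and re-running after adding a node imports only the new certificate.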

You can now continue with the rest of the configuration.

Configure SSL for Managed Server

This section describes the manual approach, using the Administration Console, to amending the SSL configuration. You may prefer to do this using a script, as described here.

This process should be followed for the AdminServer and all managed servers.

For each server, make sure "SSL Listen Port Enabled" is ticked on the "Configuration > General" tab. On the "Configuration > Keystores" tab set "Keystores" to "Custom Identity and Custom Trust" and enter the identity keystore path, type (JKS) and passphrase, and the trust keystore path, type and passphrase created above. On the "Configuration > SSL" tab set the private key alias ("selfsigned") and its passphrase. Activate the changes and restart the server.

The managed server will now be using the new identity and trust keystores.

Configure Node Manager

Edit the "$WL_HOME/common/nodemanager/nodemanager.properties" file (for a per-domain node manager in 12c this is "$DOMAIN_HOME/nodemanager/nodemanager.properties"), adding the following entries. The values used reflect the information used to create the keystores above. The file now holds the keystore passphrases, so keep it readable by the "oracle" user only.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/home/oracle/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=password1
CustomIdentityPrivateKeyPassPhrase=password1
CustomIdentityAlias=selfsigned
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/home/oracle/keystore/trust.jks
CustomTrustKeyStorePassPhrase=password1

Restart the node manager.

Basic Constraints Extension Error

If you are using an older JRE, like Java 1.6, you may get the following type of error in the AdminServer logs.

<BEA-090548> <The certificate chain received from ??? contained a V3 CA certificate
which was missing the basic constraints extension>

The fix used here is to replace the old Entrust certificates in the JRE's "cacerts" keystore, which keytool consults (via -trustcacerts) when building our trust keystore, and then recreate our self-signed certificates. With a Java 7 or later keytool a simpler alternative is to generate the self-signed certificate with "-ext bc:c", so that it carries the basic constraints extension itself.

Perform the following operations as the "oracle" user.

Check you know the password for the JRE's "cacerts" keystore. The default is "changeit".

cd $JAVA_HOME/jre/lib/security
$JAVA_HOME/bin/keytool -keystore cacerts -list -storepass changeit

If that works, you are good to proceed.

cd $JAVA_HOME/jre/lib/security
# cacerts only needs to be writable by its owner for the following steps (644 is enough; 755 adds a needless execute bit).
chmod 755 cacerts
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrust2048ca -storepass changeit

Download the following updated certificates and place them in the security directory on the server.

Perform the following commands to load the certificates. The comment above certain commands gives you an idea of answers to prompts, or possible outcomes.

# Trust? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_l1c_chain -file entrust_l1c.cer -storepass changeit
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_2048_ssl_chain -file entrust_2048_ssl.cer -storepass changeit
# Overwrite? yes
$JAVA_HOME/bin/keytool -keystore cacerts -import -alias entrust_1024_ssl_ca_root -file entrust_ssl_ca.cer -storepass changeit
# May fail. That's OK.
$JAVA_HOME/bin/keytool -keystore cacerts -delete -alias entrustsslca -storepass changeit

You will have to recreate the keystores you built previously, so they will use the new certificates.

Once this is done, restart the node manager and any domains using the identity and trust keystores.

Hardening

Make sure you are using the latest version of Java. Approaches to upgrading Java for WebLogic are described here.

If you have upgraded Java, you should recreate your keystore.

If you are on the latest version of Java, the medium-strength ciphers (the 3DES suites) are disabled automatically by the "jdk.tls.disabledAlgorithms" entry in the JRE's "java.security" file. If not you will need to amend that setting yourself, as described here. For example, the following adds 3DES to the list. Note that sed only changes the line if the existing text matches exactly, and reports nothing if it does not, so check the result with grep afterwards.

sed -i -e "s|EC keySize < 224, DES40_CBC, RC4_40|EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC|g" /u01/app/oracle/java/latest/jre/lib/security/java.security
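The sed above depends on the exact wording of the current entry, which differs between Java releases. The following shell functions are an added example, not code from the original article or from Oracle: they read the logical value of "jdk.tls.disabledAlgorithms" (joining the backslash continuation lines the file uses), test for an entry as a whole comma-separated item, and append one only if it is missing, so the edit is safe to repeat and never silently does nothing. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: edit
# jdk.tls.disabledAlgorithms in java.security without relying on an exact
# match of the current value. Handles the backslash line continuations the
# file uses and leaves the file untouched if the entry is already present.
# Function names are this example's own.
set -e

# tls_disabled_algorithms FILE  ->  prints the logical value of
# jdk.tls.disabledAlgorithms with continuation lines joined.
tls_disabled_algorithms() {
    awk '
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); inprop = 1 }
        inprop {
            line = $0
            sub(/^[ \t]+/, "", line)                   # properties-style indent
            cont = sub(/[ \t]*\\[ \t]*$/, "", line)    # trailing backslash?
            value = value line
            if (!cont) { print value; exit }
        }
    ' "$1"
}

# tls_algorithm_disabled FILE ALGO  ->  succeeds if ALGO is listed as a
# whole comma-separated entry (so "RC4" does not match "RC4_40").
tls_algorithm_disabled() {
    tls_disabled_algorithms "$1" | awk -v algo="$2" '
        BEGIN { RS = "," }
        { gsub(/^[ \t\n]+|[ \t\n]+$/, ""); if ($0 == algo) found = 1 }
        END { exit !found }
    '
}

# disable_tls_algorithm FILE ALGO  ->  appends ALGO to the property (adding
# the property if the file lacks it); does nothing if already listed.
disable_tls_algorithm() {
    file="$1"; algo="$2"
    tls_algorithm_disabled "$file" "$algo" && return 0
    awk -v algo="$algo" '
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { inprop = 1; seen = 1 }
        inprop && !/\\[ \t]*$/ {
            # last physical line of the property: append here
            sep = ($0 ~ /=[ \t]*$/) ? "" : ", "
            $0 = $0 sep algo
            inprop = 0
        }
        { print }
        END { if (!seen) print "jdk.tls.disabledAlgorithms=" algo }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}
```

Used as disable_tls_algorithm /u01/app/oracle/java/latest/jre/lib/security/java.security 3DES_EDE_CBC, it appends to whichever physical line ends the property; the result is written back through cat so the file keeps its owner and permissions. The same functions work for any other entry you want to add, such as TLSv1 or TLSv1.1 on a release where the protocol list lives in this property.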

Disable any old protocols on all managed servers. "-Dweblogic.security.SSL.protocolVersion=TLS1" restricts the server to TLS 1.0 and above (so SSLv3 is no longer offered), and "-Dweblogic.security.SSL.minimumProtocolVersion" sets the lowest version that will be negotiated; the latter only takes effect when JSSE is in use, which is the default in 12c and is switched on explicitly in 11g with "-Dweblogic.security.SSL.enableJSSE=true". For later versions you should specify TLSv1.1 or, where your clients support it, TLSv1.2 as the minimum acceptable version, but this will break WebLogic 11g, which requires the TLS1 setting.

Append the following to the end of the "setDomainEnv.sh" file for each domain, or if you don't start the managed servers with the scripts add the parameters to the startup arguments.

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1"
export JAVA_OPTIONS

Disable old protocols in the Node Manager configuration. Add the following to the "startNodeManager.sh" file at approximately line 82. Remember, this file might be under the WLS_HOME or the DOMAIN_HOME depending on if you use a single or domain-specific node manager. The same rule about using TLSv1, TLSv1.1 or TLSv1.2 applies based on the version.

JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Dweblogic.security.SSL.protocolVersion=TLS1 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1 ${JAVA_OPTIONS}"

If you are using Oracle HTTP Server (OHS) you will need to harden this also, as described here.


Hope this helps. Regards Tim...
