White Paper
Abstract
This white paper describes the procedure to enable SSL on a WebLogic cluster using self-signed certificates.
September 2013
Enabling SSL on Oracle® WebLogic Cluster Using Self-Signed Certificates
Copyright © 2013 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided "as is." EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. VMware is a registered trademark of VMware, Inc. All other trademarks used herein are the property of their respective owners. Part Number H12383
Table of Contents
Introduction
  Audience
  Related documents
Enabling Production Mode
  Production and Development Modes
Generating the Identity KeyStore
Generating the Trust KeyStore
Configuring the Identity and Trust KeyStores
  Identity
  Trust
Configure the Identity KeyStore details
Configure the SSL port on WebLogic Managed Server
Configuring the Second WebLogic Managed Server
Restart and Verification of WebLogic Managed Servers
Generate Trust CA file for Apache Webserver
Apache Webserver Configuration
Troubleshooting
Sample Keytool Commands
References
Introduction
This white paper discusses the steps to enable SSL with self-signed certificates on an Oracle WebLogic application server in a clustered environment, and to enable one-way SSL communication between the WebLogic Managed Server and the Apache web server. The procedure for generating a self-signed certificate and configuring it on the WebLogic Server involves the following steps:
1. Enabling Production Mode
2. Generating the Identity KeyStore
3. Generating the Trust KeyStore
4. Configuring the Identity and Trust KeyStores
5. Configure the Identity KeyStore details
6. Configure the SSL port on WebLogic Managed Server
7. Configure the second WebLogic Managed Server
8. Restart and Verification of WebLogic Managed Servers
9. Generate Trust CA file for Apache Webserver
10. Apache Webserver Configuration
Audience
This white paper is intended for testers who want to understand the process of generating self-signed certificates and configuring SSL on an Oracle WebLogic application server in a clustered environment.
Related documents
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDK/Webtop
Enabling Production Mode
Production and Development Modes
WebLogic Managed Servers in a domain can be configured to start in one of two modes: development or production.
Development mode is used while developing applications. Development mode uses a relaxed security configuration and enables us to auto-deploy applications. In development mode, the demonstration digital certificates provided by the WebLogic Server security services can be used. The demonstration digital certificates, private keys, and trusted CA certificates should be used in a development environment only.
Production mode is used when the application is running in its final form. A production domain uses full security and may use clusters or other advanced features. The Sun Microsystems keytool utility can be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR). Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server. Use keytool to update the self-signed digital certificate with a new digital certificate. Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment.
In the WebLogic Admin Console, navigate to the Domain node.
On the Configuration > General tab, ensure the Production Mode option is true.
Generating the Identity KeyStore
An Identity KeyStore is generated for each WebLogic Managed Server.
An Identity KeyStore of type JKS is generated using the keytool utility.
Run the command below to generate the Identity KeyStore. Provide the machine's fully qualified domain name for the Common Name.
    keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore identity1.jks -storepass password -keypass password
Generating the Trust KeyStore
A Trust KeyStore of type JKS is generated for each of the WebLogic Managed Servers.
The certificate file is exported from the Identity KeyStore and imported as a trusted CA file into the Trust KeyStore. Provide the machine's fully qualified domain name for the Common Name while generating the Trust KeyStore.
Exporting the certificate file from the Identity KeyStore:
    keytool.exe -exportcert -alias node1 -file node1cert.cer -keystore Identity1.jks -storetype JKS
Generating the Trust KeyStore of type JKS and importing the certificate as a trusted CA file:
    keytool.exe -importcert -trustcacerts -alias node1 -file node1cert.cer -keystore Truststore1.jks -storetype JKS
Configuring the Identity and Trust KeyStores
In the WebLogic Admin Console (e.g. http://WebLogicServerIP:7001/console), under Domain > Servers, select the Managed Server [Managed Node1] on which to configure SSL.
On the settings page for the Managed Server, navigate to the Configuration > KeyStores tab.
For the KeyStores field, select "Custom Identity and Custom Trust" from the dropdown list.
Provide the Identity KeyStore and Trust KeyStore details.
Identity
Custom Identity KeyStore: Provide the path and file name of the Identity KeyStore
Custom Identity KeyStore Type: JKS
Custom Identity KeyStore Passphrase: storepass (the Identity KeyStore's storepass value)
Trust
Custom Trust KeyStore: Provide the path and file name of the Trust KeyStore
Custom Trust KeyStore Type: JKS
Custom Trust KeyStore Passphrase: storepass (the Trust KeyStore's storepass value)
Configure the Identity KeyStore details
In the Admin Console, navigate to the Configuration > SSL tab of the Managed Server.
Provide the details for Private Key Alias and Private Key Passphrase. These are the values given while generating the Identity KeyStore:
    keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore c:\ssl\identity1.jks -storepass password -keypass password
In the above command:
Private Key Alias = node1
Private Key Passphrase = password (keypass value)
NOTE: By default, SSL enabled on a WebLogic Managed Server is one-way SSL. To change to two-way SSL, select the two-way SSL behavior from the "Advanced" option list.
Configure the SSL port on WebLogic Managed Server
In the WebLogic Admin Console, navigate to the Configuration > General tab of the Managed Server. The SSL port for the WebLogic Managed Server is defined here.
Check "SSL Listen Port Enabled" and provide the SSL listen port details.
Configuring the Second WebLogic Managed Server
The Identity and Trust KeyStores are generated for the second WebLogic Managed Server.
To configure the Identity and Trust KeyStores, follow steps 1 to 6.
Restart and Verification of WebLogic Managed Servers
After generating and configuring the Identity and Trust stores for each WebLogic Managed Server in the WebLogic Admin Console, restart the WebLogic Managed Servers.
The messages below in the server logs indicate that the certificates are loaded:
<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjks>
<Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjks>
Access the application URL from the WebLogic Managed Server: https://ManagedServerIp:SSLport/application_name
Click on the certificate details and verify the certificate information.
Generate Trust CA file for Apache Webserver
For SSL communication between the Apache web server plug-in and the WebLogic Server, the parameters below need to be added in "httpd.conf":
SecureProxy: set to On
TrustedCAFile: point to the file that contains the digital certificates for the trusted certificate authorities
To generate the Trusted CA file, follow the steps below.
Import the Identity stores of each WebLogic Managed Server into a single temporary keystore using keytool:
    keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password
    keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password
Convert the JKS format temporary keystore to PKCS12 and then to PEM format.
Conversion from JKS to PKCS12 format using keytool:
    keytool -importkeystore -srckeystore tempkeystore.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12
Conversion from PKCS12 to PEM format using openssl:
    openssl pkcs12 -in trust.pkcs -out trust.pem
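The conversion above carries everything in the identity stores into the PEM file, and an identity store holds each Managed Server's private key as well as its certificate; openssl pkcs12 writes the keys out too unless -nokeys is given. The added example below (not part of the original paper) audits a TrustedCAFile candidate for private-key blocks and re-emits a certificates-only bundle; the sample bundle, its alias names and the example.test host names are constructed placeholders, not real key material.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, decoded_bytes)] per PEM block; text between blocks is ignored."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" header lines
        # ahead of the base64 body; base64 itself never contains a colon.
        b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        blocks.append((label, base64.b64decode(b64)))
    return blocks


def audit_trust_bundle(text):
    """Summarise what a TrustedCAFile candidate actually contains."""
    labels = [label for label, _ in pem_blocks(text)]
    return {
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": [name for name in labels if name.endswith("PRIVATE KEY")],
    }


def certificates_only(text):
    """Re-emit only the CERTIFICATE blocks, once each, wrapped at 64 columns."""
    seen, out = set(), []
    for label, der in pem_blocks(text):
        if label != "CERTIFICATE" or der in seen:
            continue
        seen.add(der)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


def constructed_pem(label, payload):
    # Constructed stand-in: base64 of a placeholder string, not real DER.
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample shaped like the output of the openssl pkcs12 step for two
# identity entries: a key and a certificate per alias, with the "Bag Attributes"
# text that openssl prints between blocks.
SAMPLE_TRUST_PEM = "".join(
    "Bag Attributes\n    friendlyName: " + alias + "\n"
    + constructed_pem("ENCRYPTED PRIVATE KEY", b"placeholder key for " + alias.encode())
    + "Bag Attributes\n    friendlyName: " + alias + "\n"
    + "subject=/CN=" + alias + ".example.test\n"
    + constructed_pem("CERTIFICATE", b"placeholder certificate for " + alias.encode())
    for alias in ("node1", "node2")
)

if __name__ == "__main__":
    print(audit_trust_bundle(SAMPLE_TRUST_PEM))
    print(certificates_only(SAMPLE_TRUST_PEM))
```

A non-empty private_keys list means the file about to be copied to the Apache machine contains Managed Server keys; the output of certificates_only is what TrustedCAFile needs.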
Apache Webserver Configuration
On the Apache web server used for clustering WebLogic, make the following changes.
The PEM file generated in the previous step is used as the trusted CA file.
Copy the trusted CA file to the Apache web server machine.
Point the 'TrustedCAFile' parameter in the httpd.conf file to the trusted CA file.
In the "httpd.conf" file, add one of the lines below, depending on the Apache web server version:
    LoadModule weblogic_module modules/mod_wl_22.so    (for Apache web server 2.2.x)
    LoadModule weblogic_module modules/mod_wl_20.so    (for Apache web server 2.0.x)
Next, add the following lines in "httpd.conf":
    <IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster IP:SSLPort1,IP:SSLPort2
    MatchExpression
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:\trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
    </IfModule>
Troubleshooting
Issue 1 (from client)
Issue: SSLException: java.security.cert.CertificateException: No name "hostname" matching found
Possible cause: Accessing the URL with a different hostname/IP which is not used in the specific certificate.
Solution: While accessing the application server or web server URL, the hostname should be used as the full CN name in the URL. That same CN has been set while creating the keystore. An IP should not be used for creating the keystore or accessing the URLs.
Issue 2 (from WebLogic side)
Issue: java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect
Possible cause: Wrong keystore password is provided while configuring 'keystorePass'.
Solution: Check and provide the correct password for the keystore as the 'keystorePass' attribute in the Identity keystore attribute page. Or, the user can create a new keystore with a new password and reconfigure the same.
Issue 3 (from WebLogic side)
Issue:
<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS>
<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
Possible cause: The Trust KeyStore is not generated properly.
Solution: Recreate the Trust KeyStore and configure it.
Issue 4 (from web server side)
Issue:
INFO No CA was trusted validation failed
WARN DeleteSessionCallback No match found
ERROR SSLWrite failed
SEND failed (ret=-1) at 793 of file nsapiURLcpp
Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp
Marking 101010107002 as bad
got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160
INFO Closing SSL context
Possible cause: The correct Trusted CA file is not configured on the web server.
Solution: Recreate the Trusted CA file and reconfigure the web server with the Trusted CA file.
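The log messages quoted under Restart and Verification and in issue 3 above can be checked mechanically after each restart. This added example (not from the original paper) replays a server log in order, reports whether the identity and trust keystores loaded, and flags a demonstration keystore still in use; the sample log lines, their timestamps and the C:\ssl paths are constructed.

```python
import re

# <Severity> <Security> <BEA-nnnnnn> <message>; [^<>] also matches newlines,
# so a message wrapped across lines is still captured whole.
EVENT = re.compile(r"<(\w+)>\s*<Security>\s*<(BEA-\d{6})>\s*<([^<>]*)>")
KEYSTORE = re.compile(r"keystore(?: file)?\s+(.+?\.jks)", re.IGNORECASE)
DEMO = re.compile(r"Demo\w*\.jks$", re.IGNORECASE)

# Message IDs quoted in this paper and the keystore each one refers to.
LOADED = {"BEA-090171": "identity", "BEA-090169": "trust"}
FAILED = {"BEA-090164": "trust", "BEA-090172": "trust"}


def keystore_state(log_text):
    """Replay the log in order; the latest message for each store wins."""
    state = {"identity": None, "trust": None}
    for severity, code, raw in EVENT.findall(log_text):
        kind = LOADED.get(code) or FAILED.get(code)
        if kind is None:
            continue  # some other Security message
        message = " ".join(raw.split())  # undo line wrapping
        found = KEYSTORE.search(message)
        path = found.group(1) if found else None
        if path is None and state[kind] is not None:
            # BEA-090172 names no file; keep the path from the preceding message.
            path = state[kind]["path"]
        state[kind] = {
            "code": code,
            "severity": severity,
            "ok": code in LOADED,
            "path": path,
            "demo": bool(path and DEMO.search(path)),
        }
    return state


def findings(state):
    """Return a list of problems; an empty list means both stores loaded cleanly."""
    out = []
    for kind, load_code in (("identity", "BEA-090171"), ("trust", "BEA-090169")):
        entry = state[kind]
        if entry is None:
            out.append(f"{kind}: no {load_code} message, keystore load not confirmed")
        elif not entry["ok"]:
            out.append(f"{kind}: {entry['code']} reported for {entry['path']}")
        if entry and entry["demo"]:
            out.append(f"{kind}: demonstration keystore {entry['path']} in use")
    return out


# Constructed log: first start with the trust store still pointing at the demo file.
FIRST_START = r"""
<Jun 6, 2013 10:41:12 PM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias node1 from the JKS keystore file C:\ssl\identity1.jks.>
<Jun 6, 2013 10:41:12 PM PDT> <Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS.>
<Jun 6, 2013 10:41:12 PM PDT> <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded.
Server will not trust to any certificate it receives.>
"""

# Constructed log: the same file after the trust store is reconfigured and the server restarted.
AFTER_FIX = FIRST_START + r"""
<Jun 6, 2013 11:02:40 PM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias node1 from the JKS keystore file C:\ssl\identity1.jks.>
<Jun 6, 2013 11:02:40 PM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file C:\ssl\Truststore1.jks.>
"""

if __name__ == "__main__":
    for name, log in (("first start", FIRST_START), ("after fix", AFTER_FIX)):
        print(name, findings(keystore_state(log)) or "identity and trust keystores loaded")
```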
Sample Keytool Commands
Generate Key in Appserver1 (Identity1.jks) and Appserver2 (Identity2.jks)
C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  AS1Prathimaemcswatemcccsacom (DNS name of the host machine)
What is the name of your organizational unit?
  [Unknown]:  IIG
What is the name of your organization?
  [Unknown]:  EMC
What is the name of your City or Locality?
  [Unknown]:  BAng
What is the name of your State or Province?
  [Unknown]:  KAr
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
  [no]:  yes
Enter key password for <newclient1>
        (RETURN if same as keystore password):
Re-enter new password:
Generate Certificate in Appserver1 (cert1.jks and client newclient1) and Appserver2 (cert2.jks and client newclient2)
C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
Enter keystore password:
Certificate stored in file <c:\cert1.cer>
Generate Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks)
C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
Enter keystore password:
Re-enter new password:
Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
Serial number: 51b171f7
Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
Certificate fingerprints:
         MD5:  339AE6887716A10E3C128196F958FC5A
         SHA1: CC843B67EC385B337D8B906374253215AE384727
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
References
The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDK/Webtop
The following are third-party references:
http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm
http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-
2 Enabling SSL on Oracle WebLogic Cluster
Copyright copy 2013 EMC Corporation All Rights Reserved EMC believes the information in this publication is accurate of its publication date The information is subject to change without notice The information in this publication is provided ldquoas isrdquo EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication and specifically disclaims implied warranties of merchantability or fitness for a particular purpose Use copying and distribution of any EMC software described in this publication requires an applicable software license For the most up-to-date listing of EMC product names see EMC Corporation Trademarks on EMCcom VMware is a registered trademark of VMware Inc All other trademarks used herein are the property of their respective owners Part Number H12383
3 Enabling SSL on Oracle WebLogic Cluster
Table of Contents
Introduction 4
Audience 4
Related documents 4
Enabling Production Mode 4
Production and Development Modes 4
Generating the Identity KeyStore 5
Generating the Trust KeyStore 6
Configuring the Identity and Trust KeyStores 6
Identity 6
Trust 6
Configure the Identity KeyStore details 8
Configure the SSL port on WebLogic Managed Server 8
Configuring the Second WebLogic Managed Server 9
Restart and Verification of WebLogic Managed Servers 9
Generate Trust CA file for Apache Webserver 10
Apache Webserver Configuration 10
Troubleshooting 11
Sample Keytool Commands 13
References 15
4 Enabling SSL on Oracle WebLogic Cluster
Introduction This white paper discusses the steps to enable SSL with self-signed certificates on an Oracle WebLogic application server in a clustered Environment Enable one way SSL communication between the WebLogic Managed Server and Apache Webserver The procedure for generating self-signed certificate and configuring the certificate to the WebLogic Server involves the following steps
1 Enabling Production Mode
2 Generating the Identity KeyStore
3 Generating the Trust KeyStore
4 Configuring the Identity and Trust KeyStores
5 Configure the Identity KeyStore details
6 Configure the SSL port on WebLogic Managed Server
7 Configure the second WebLogic Managed Server
8 Restart and Verification of WebLogic Managed Servers
9 Generate Trust CA file for Apache Webserver
10 Apache Webserver Configuration
Audience
This white paper is intended for testers who want to understand the process of generating self-signed certificates and configuring SSL an Oracle WebLogic application server in a clustered environment
Related documents Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop
Enabling Production Mode
Production and Development Modes
WebLogic Managed Servers in domain can be configured to start in one of two modes development or production
Development mode is used while developing applications Development mode uses a relaxed security configuration and enables us to auto-deploy applications In development mode the demonstration digital certificates provided by the WebLogic Server security services can be used The demonstration digital certificates private keys and trusted CA certificates should be used in a development environment only
Production mode when application is running in its final form A production domain uses full security and may use clusters or other advanced features Sun Microsystems keytool utility can be used to generate a private key a self-signed
5 Enabling SSL on Oracle WebLogic Cluster
digital certificate for WebLogic Server and a Certificate Signing Request (CSR) Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server Use keytool to update the self-signed digital certificate with a new digital certificate Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment
In the WebLogic Admin Console navigate to Domain Node
On the Configurations gt General Tab ensure the Production Mode option is true
Generating the Identity KeyStore Identity KeyStore is generated for each WebLogic Managed Servers
Using Keytool Utility an Identity KeyStore of JKS Type is generated
Run the below command to generate Identity KeyStore Provide the machine fully qualified domain name for Common Name
6 Enabling SSL on Oracle WebLogic Cluster
keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore
identity1jks -storepass password -keypass password
Generating the Trust KeyStore
Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers
The Certificate file is exported from Identity KeyStore and imported as Trusted CA file in Trust KeyStore Provide the machine fully qualified domain name for Common Name while generating the Trust KeyStore
Exporting the Certificate file from Identity KeyStore keytoolexe -exportcert -alias node1 -file node1certcer -keystore
Identity1jks -storetype JKS
Generating Trust KeyStore of JKS type and importing the certificate as Trusted CA file keytoolexe -importcert -trustcacerts ndashalias node1 -file node1certcer -
keystore Truststore1jks -storetype JKS
Configuring the Identity and Trust KeyStores In the WebLogic Admin Console (eg httpWebLogicServerIP7001console) Under Domain gt Servers - select the Managed server [Managed Node1] to configure the SSL
On the settings for Managed Server ndash navigate to Configuration gt KeyStores tab
For the KeyStores field from the dropdown list select the ldquoCustom Identity and Custom Trustrdquo
Provide the Identity KeyStore and Trust KeyStore details
Identity Custom Identity KeyStore Provide the path and file name of the Identity KeyStore
Custom Identity KeyStore Type JKS
Custom Identity KeyStore Passphrase storepass (Identity KeyStorersquos storepass value)
Trust Custom Trust KeyStore Provide the path and file name of the Trust KeyStore
Custom Trust KeyStore Type JKS
Custom Trust KeyStore Passphrase storepass (Trust KeyStorersquos storepass value)
7 Enabling SSL on Oracle WebLogic Cluster
8 Enabling SSL on Oracle WebLogic Cluster
Configure the Identity KeyStore details In the Admin Console navigate to Configuration gt SSL tab of the Managed Servers
Provide the details for Private Key Alias and Private Key Passphrase These are the values given while generating the Identity KeyStore keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore
csslidentity1jks -storepass password -keypass password
In the above command
Private Key Alias = node1
Private Key PassPhrase = password (keypass value)
NOTE By default SSL enabled on WebLogic managed server is One Way SSL To change to Two Way SSL select the
two way SSL behavior from the ldquoAdvancedrdquo option list
Configure the SSL port on WebLogic Managed Server In the WebLogic Admin Console navigate to Configuration - gt General Tab of Managed Server The SSL port for the WebLogic Managed Server is defined here
9 Enabling SSL on Oracle WebLogic Cluster
Check ldquoSSL listen Port Enablerdquo Provide the SSL Listen port details
Configuring the Second WebLogic Managed Server The Identity and Trust KeyStores are generated for the second WebLogic Managed Server
Configure the Identity and Trust KeyStores Follow the steps 1 to 6
Restart and Verification of WebLogic Managed Servers After generating and configuring the Identity and Trust Stores for each WebLogic Managed Servers in WebLogic Admin Console restart the WebLogic Managed Servers
The below messages in the server logs indicate that the certificates are loaded
ltNoticegt ltSecuritygt ltBEA-090171gt ltLoading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjksgt
ltNoticegt ltSecuritygt ltBEA-090169gt ltLoading trustedcertificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjksgt
10 Enabling SSL on Oracle WebLogic Cluster
Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name
Click on the certificate details and verify the certificate information
Generate Trust CA file for Apache Webserver SSL Communication between the Apache webserver plug-in and the WebLogic Server the below parameters need to be added in ldquohttpdconfldquo
SecureProxy set to On
TrustedCAFile point to the file that contains the digital certificates for the trusted certificate authorities
To generate the Trusted CA file follow the below steps
Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool Keytool ndashimportkeystore -srckeystore identity1jks -destkeystore
tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass
password -deststorepass password
Keytool ndashimportkeystore -srckeystore identity2jks -destkeystore
tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass
password -deststorepass password
Convert the JKS format temporary keystore to PKCS12 and then PEM format
Conversion from JKS to PKCS12 format using keytool keytool -importkeystore -srckeystore keystore3jks -destkeystore
trustpkcs -srcstoretype JKS -deststoretype PKCS12
Conversion from PKCS12 to PEM format using openssl openssl pkcs12 -in trustpkcs -out trustpem
Apache Webserver Configuration On the Apache webserver used for clustering WebLogic do the following changes
The PEM file generated in the previous step is used as trusted CA file
Copy the trusted CA file to the Apache webserver machine
For the parameter lsquoTrustedCAFilersquo in httpdconf file point the trusted CA file
In ldquohttpdconfrdquo file add one of the below lines depending on Apache Webserver Version LoadModule WebLogic_module modulesmod_wl_22so (for apache webserver
22x)
11 Enabling SSL on Oracle WebLogic Cluster
LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver
20xx)
Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt
SetHandler WebLogic-handler
WebLogicCluster IPSSLPort1 IPSSLPort2
MatchExpression
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile ctrustpem
EnforceBasicConstraints false
DEBUG
WLLogFile Cwlproxylog
Debug ALL
DebugConfigInfo ON
ConnectTimeoutSecs 600
ltIfModulegt
Troubleshooting
Sl No
Issues Possible Cause Solution
1
From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found
Accessing the URL with different hostnameIP which is not used in specific certificate
While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore
IP should not be used for creating the keystore or accessing the URLs
2
From WebLogic Side javaioFileNotFoundException Keystore was tampered with or
Wrong keystore password is provided while configuring for lsquokeystorePassrsquo
Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore
12 Enabling SSL on Oracle WebLogic Cluster
password was incorrect
attribute page
Or
User can create a new keystore with new password and reconfigure the same
3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load
trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo
Trustjks of type JKSgt
ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert
ificates have been loaded Server will not trust to any certificate it receives
gt
Trust Keystore is not generate properly
Recreate the Trust Keystore and configure
4
From Webserver Side
INFO No CA was trusted validation failed
WARN DeleteSessionCallback No match found
ERROR SSLWrite failed
SEND failed (ret=-1) at 793 of file nsapiURLcpp
Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp
Correct Trusted CA file is not configured on Webserver
Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file
13 Enabling SSL on Oracle WebLogic Cluster
Marking 101010107002 as bad
got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160
INFO Closing SSL context
Sample Keytool Commands
Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)
COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks
Enter keystore password
Re-enter new password
What is your first and last name
[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)
What is the name of your organizational unit
[Unknown] IIG
What is the name of your organization
[Unknown] EMC
What is the name of your City or Locality
[Unknown] BAng
What is the name of your State or Province
[Unknown] KAr
What is the two-letter country code for this unit
[Unknown] IN
Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre
ct
[no] yes
Enter key password for ltnewclient1gt
14 Enabling SSL on Oracle WebLogic Cluster
(RETURN if same as keystore password)
Re-enter new password
Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)
COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS
Enter keystore password
Certificate stored in file ltccert1cergt
Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)
COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias
newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS
Enter keystore password
Re-enter new password
Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN
Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN
Serial number 51b171f7
Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013
Certificate fingerprints
MD5 339AE6887716A10E3C128196F958FC5A
SHA1 CC843B67EC385B337D8B906374253215AE384727
Signature algorithm name SHA1withRSA
Version 3
Trust this certificate [no] yes
Certificate was added to keystore
15 Enabling SSL on Oracle WebLogic Cluster
References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop
The following are third-party references
httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml
httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm
httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-
3 Enabling SSL on Oracle WebLogic Cluster
Table of Contents
Introduction 4
Audience 4
Related documents 4
Enabling Production Mode 4
Production and Development Modes 4
Generating the Identity KeyStore 5
Generating the Trust KeyStore 6
Configuring the Identity and Trust KeyStores 6
Identity 6
Trust 6
Configure the Identity KeyStore details 8
Configure the SSL port on WebLogic Managed Server 8
Configuring the Second WebLogic Managed Server 9
Restart and Verification of WebLogic Managed Servers 9
Generate Trust CA file for Apache Webserver 10
Apache Webserver Configuration 10
Troubleshooting 11
Sample Keytool Commands 13
References 15
4 Enabling SSL on Oracle WebLogic Cluster
Introduction
This white paper describes how to enable SSL with self-signed certificates on an Oracle WebLogic application server in a clustered environment, and how to enable one-way SSL communication between the WebLogic Managed Server and the Apache web server. Generating the self-signed certificate and configuring it on the WebLogic Server involves the following steps:
1. Enabling Production Mode
2. Generating the Identity KeyStore
3. Generating the Trust KeyStore
4. Configuring the Identity and Trust KeyStores
5. Configure the Identity KeyStore details
6. Configure the SSL port on WebLogic Managed Server
7. Configure the second WebLogic Managed Server
8. Restart and Verification of WebLogic Managed Servers
9. Generate Trust CA file for Apache Webserver
10. Apache Webserver Configuration

Audience
This white paper is intended for testers who want to understand the process of generating self-signed certificates and configuring SSL on an Oracle WebLogic application server in a clustered environment.

Related documents
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDK/Webtop
Enabling Production Mode

Production and Development Modes
WebLogic Managed Servers in a domain can be configured to start in one of two modes: development or production.

Development mode is used while developing applications. It uses a relaxed security configuration and allows applications to be auto-deployed. In development mode, the demonstration digital certificates provided by the WebLogic Server security services can be used. The demonstration digital certificates, private keys, and trusted CA certificates should be used in a development environment only.

Production mode is used when the application is running in its final form. A production domain uses full security and may use clusters or other advanced features. The Sun Microsystems keytool utility can be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR). Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server. Use keytool to update the self-signed digital certificate with a new digital certificate. Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment.

In the WebLogic Admin Console, navigate to the Domain node.
On the Configuration > General tab, ensure that the Production Mode option is true.
Generating the Identity KeyStore
An Identity KeyStore is generated for each WebLogic Managed Server.
The keytool utility is used to generate an Identity KeyStore of type JKS.
Run the command below to generate the Identity KeyStore. Provide the machine's fully qualified domain name for Common Name.

    keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore identity1.jks -storepass password -keypass password
Generating the Trust KeyStore
A Trust KeyStore of type JKS is generated for each of the WebLogic Managed Servers.
The certificate file is exported from the Identity KeyStore and imported as a Trusted CA file into the Trust KeyStore. Provide the machine's fully qualified domain name for Common Name while generating the Trust KeyStore.

Exporting the certificate file from the Identity KeyStore:

    keytool.exe -exportcert -alias node1 -file node1cert.cer -keystore Identity1.jks -storetype JKS

Generating the Trust KeyStore of type JKS and importing the certificate as a Trusted CA file:

    keytool.exe -importcert -trustcacerts -alias node1 -file node1cert.cer -keystore Truststore1.jks -storetype JKS
Configuring the Identity and Trust KeyStores
In the WebLogic Admin Console (e.g. http://WebLogicServerIP:7001/console), under Domain > Servers, select the Managed Server [Managed Node1] on which to configure SSL.
On the settings page for the Managed Server, navigate to the Configuration > KeyStores tab.
For the KeyStores field, select "Custom Identity and Custom Trust" from the drop-down list.
Provide the Identity KeyStore and Trust KeyStore details.

Identity
Custom Identity KeyStore: Provide the path and file name of the Identity KeyStore
Custom Identity KeyStore Type: JKS
Custom Identity KeyStore Passphrase: storepass (the Identity KeyStore's storepass value)

Trust
Custom Trust KeyStore: Provide the path and file name of the Trust KeyStore
Custom Trust KeyStore Type: JKS
Custom Trust KeyStore Passphrase: storepass (the Trust KeyStore's storepass value)
Configure the Identity KeyStore details
In the Admin Console, navigate to the Configuration > SSL tab of the Managed Server.
Provide the details for Private Key Alias and Private Key Passphrase. These are the values given while generating the Identity KeyStore:

    keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore c:\ssl\identity1.jks -storepass password -keypass password

In the above command:
Private Key Alias = node1
Private Key Passphrase = password (keypass value)

NOTE: By default, SSL enabled on a WebLogic Managed Server is One Way SSL. To change to Two Way SSL, select the two-way SSL behavior from the "Advanced" option list.
Configure the SSL port on WebLogic Managed Server
In the WebLogic Admin Console, navigate to the Configuration > General tab of the Managed Server. The SSL port for the WebLogic Managed Server is defined here.
Check "SSL listen Port Enable". Provide the SSL Listen port details.

Configuring the Second WebLogic Managed Server
The Identity and Trust KeyStores are generated for the second WebLogic Managed Server.
Configure the Identity and Trust KeyStores. Follow steps 1 to 6.
Restart and Verification of WebLogic Managed Servers
After generating and configuring the Identity and Trust Stores for each WebLogic Managed Server in the WebLogic Admin Console, restart the WebLogic Managed Servers.
The messages below in the server logs indicate that the certificates are loaded:

    <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjks>
    <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjks>

Access the application URL from the WebLogic Managed Server: https://ManagedServerIp:SSLport/application_name
Click on the certificate details and verify the certificate information.
Generate Trust CA file for Apache Webserver
For SSL communication between the Apache web server plug-in and the WebLogic Server, the parameters below need to be added in "httpd.conf":
SecureProxy: set to On
TrustedCAFile: point to the file that contains the digital certificates for the trusted certificate authorities

To generate the Trusted CA file, follow the steps below.

Import the Identity Stores of each WebLogic Managed Server into a single temporary keystore using keytool:

    keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password
    keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

Convert the JKS-format temporary keystore to PKCS12 and then to PEM format.

Conversion from JKS to PKCS12 format using keytool:

    keytool -importkeystore -srckeystore tempkeystore.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl:

    openssl pkcs12 -in trust.pkcs -out trust.pem
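
Because the temporary keystore is built from the identity stores, and openssl pkcs12 without -nokeys writes key entries as well as certificates, the resulting PEM can carry the Managed Servers' private keys onto the Apache machine. The check below is an added example, not part of the white paper: it counts the PEM block types in a bundle, refuses one that contains a private key, and writes a certificates-only copy. The function names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the white paper. Function names and the sample
# bundle are constructed for illustration.

# Count PEM blocks whose BEGIN label matches an extended regular expression.
pem_count() {            # usage: pem_count FILE LABEL_REGEX
    tr -d '\r' < "$1" | awk -v pat="$2" '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            label = $0
            sub(/^-----BEGIN /, "", label)
            sub(/-----$/, "", label)
            if (label ~ pat) n++
        }
        END { print n + 0 }'
}

# Emit only the CERTIFICATE blocks: key blocks and the "Bag Attributes"
# text that openssl pkcs12 writes between blocks are dropped.
pem_certs_only() {       # usage: pem_certs_only FILE > certs-only.pem
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep                            { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }'
}

# Verdict for a file about to be referenced by TrustedCAFile.
# Returns 0 only when the file holds certificates and no private keys.
audit_trusted_ca_file() {   # usage: audit_trusted_ca_file FILE
    certs=$(pem_count "$1" '^CERTIFICATE$')
    keys=$(pem_count "$1" 'PRIVATE KEY$')
    if [ "$keys" -gt 0 ]; then
        echo "FAIL: $keys private key block(s) next to $certs certificate(s)"
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "FAIL: no certificates found"
        return 1
    fi
    echo "OK: $certs certificate(s), no private keys"
}

# Constructed sample shaped like openssl pkcs12 output for two identity
# entries (node1, node2). The base64 bodies are placeholders, not real keys.
make_sample_bundle() {   # usage: make_sample_bundle OUTFILE
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: node1
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: node1
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: node2
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: node2
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}

# Demo run on the constructed bundle.
bundle=$(mktemp)
make_sample_bundle "$bundle"
audit_trusted_ca_file "$bundle" || true       # FAIL: 2 private key block(s) next to 2 certificate(s)
pem_certs_only "$bundle" > "$bundle.certs"
audit_trusted_ca_file "$bundle.certs"         # OK: 2 certificate(s), no private keys
rm -f "$bundle" "$bundle.certs"
```

Run audit_trusted_ca_file against trust.pem before copying it to the web server; a certificates-only file can also be produced directly by exporting each certificate with keytool -exportcert -rfc and concatenating the results.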
Apache Webserver Configuration
On the Apache web server used for clustering WebLogic, make the following changes.
The PEM file generated in the previous step is used as the trusted CA file.
Copy the trusted CA file to the Apache web server machine.
In the httpd.conf file, point the parameter 'TrustedCAFile' to the trusted CA file.
In the "httpd.conf" file, add one of the lines below, depending on the Apache web server version:

    LoadModule weblogic_module modules/mod_wl_22.so    (for Apache web server 2.2.x)
    LoadModule weblogic_module modules/mod_wl_20.so    (for Apache web server 2.0.xx)

Next, add the following lines in "httpd.conf":

    <IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster IP:SSLPort1,IP:SSLPort2
    MatchExpression
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:\trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
    </IfModule>
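
The block above turns off two certificate checks (RequireSSLHostMatch, EnforceBasicConstraints) and turns on two debugging aids (Debug, DebugConfigInfo), which suits a test setup with self-signed certificates. The lint below is an added example, not from the white paper or Oracle: it reports those settings so they can be reviewed before the same httpd.conf is reused with CA-issued certificates. The function name and both sample files are constructed; the second sample assumes CA-issued certificates.

```shell
#!/bin/sh
# Added example, not from the white paper or Oracle. lint_wl_plugin and the
# two sample files are constructed; the directive names are the ones used in
# the httpd.conf block above.

# Print one finding per directive that relaxes or exposes the SSL link
# between the plug-in and WebLogic. Returns 1 when there is any finding.
lint_wl_plugin() {       # usage: lint_wl_plugin HTTPD_CONF
    tr -d '\r' < "$1" | awk '
        function finding(msg) { print msg; n++ }
        /^[ \t]*#/ || NF < 1 { next }                 # comments, blank lines
        { seen[tolower($1)] = tolower($2) }           # last occurrence wins
        END {
            if (seen["secureproxy"] != "on")
                finding("SecureProxy: not On, plug-in to WebLogic traffic is not SSL")
            else if (!("trustedcafile" in seen))
                finding("TrustedCAFile: missing, no server certificate can be trusted")
            if (seen["requiresslhostmatch"] == "false")
                finding("RequireSSLHostMatch: false, server host name is not compared with its certificate")
            if (seen["enforcebasicconstraints"] == "false" || seen["enforcebasicconstraints"] == "off")
                finding("EnforceBasicConstraints: off, basic constraints of CA certificates are not checked")
            if (seen["debug"] != "" && seen["debug"] != "off")
                finding("Debug: " seen["debug"] ", verbose plug-in logging is enabled")
            if (seen["debugconfiginfo"] == "on")
                finding("DebugConfigInfo: on, the __WebLogicBridgeConfig query parameter is answered")
            exit (n > 0)
        }'
}

# The settings from the white paper's block (constructed file).
write_paper_conf() {     # usage: write_paper_conf OUTFILE
    cat > "$1" <<'EOF'
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicCluster IP:SSLPort1,IP:SSLPort2
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile c:\trust.pem
EnforceBasicConstraints false
# DEBUG
WLLogFile C:\wlproxy.log
Debug ALL
DebugConfigInfo ON
ConnectTimeoutSecs 600
</IfModule>
EOF
}

# Constructed variant with the checks left on and debugging off
# (assumes certificates issued by a CA rather than self-signed ones).
write_tight_conf() {     # usage: write_tight_conf OUTFILE
    cat > "$1" <<'EOF'
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicCluster IP:SSLPort1,IP:SSLPort2
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch true
TrustedCAFile c:\trust.pem
EnforceBasicConstraints Strong
Debug OFF
DebugConfigInfo OFF
ConnectTimeoutSecs 600
</IfModule>
EOF
}

# Demo run on the two constructed files.
conf_dir=$(mktemp -d)
write_paper_conf "$conf_dir/paper.conf"
write_tight_conf "$conf_dir/tight.conf"
lint_wl_plugin "$conf_dir/paper.conf" || true        # four findings
lint_wl_plugin "$conf_dir/tight.conf" && echo "tight.conf: no findings"
rm -rf "$conf_dir"
```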
Troubleshooting

1. From the client
   Issue: SSLException: java.security.cert.CertificateException: No name "hostname" matching found
   Possible cause: The URL is accessed with a different hostname/IP, which is not used in the specific certificate.
   Solution: While accessing the Application server / Webserver URL, the hostname should be used as the full CN name in the URL. That same CN has been set while creating the keystore. An IP should not be used for creating the keystore or accessing the URLs.

2. From the WebLogic side
   Issue: java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect
   Possible cause: A wrong keystore password is provided while configuring 'keystorePass'.
   Solution: Check and provide the correct password for the keystore as the 'keystorePass' attribute in the Identity keystore attribute page. Or: the user can create a new keystore with a new password and reconfigure the same.

3. From the WebLogic side
   Issue:
       <Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS>
       <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
   Possible cause: The Trust Keystore is not generated properly.
   Solution: Recreate the Trust Keystore and configure it.

4. From the web server side
   Issue:
       INFO: No CA was trusted, validation failed
       WARN: DeleteSessionCallback: No match found
       ERROR: SSLWrite failed
       SEND failed (ret=-1) at 793 of file nsapiURLcpp
       Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp
       Marking 101010107002 as bad
       got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapiURLcpp] at line 3160
       INFO: Closing SSL context
   Possible cause: The correct Trusted CA file is not configured on the web server.
   Solution: Recreate the Trusted CA file and reconfigure the web server with the Trusted CA file.
Sample Keytool Commands

Generate Key in Appserver1 (Identity1.jks) and Appserver2 (identity2.jks)

    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: AS1Prathimaemcswatemcccsacom (DNS name of the host machine)
    What is the name of your organizational unit?
      [Unknown]: IIG
    What is the name of your organization?
      [Unknown]: EMC
    What is the name of your City or Locality?
      [Unknown]: BAng
    What is the name of your State or Province?
      [Unknown]: KAr
    What is the two-letter country code for this unit?
      [Unknown]: IN
    Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
      [no]: yes
    Enter key password for <newclient1>
            (RETURN if same as keystore password):
    Re-enter new password:

Generate Certificate in Appserver1 (cert1.jks and client newclient1) and Appserver2 (cert2.jks and client newclient2)

    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
    Enter keystore password:
    Certificate stored in file <c:\cert1.cer>

Generate Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks)

    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
    Enter keystore password:
    Re-enter new password:
    Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
    Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
    Serial number: 51b171f7
    Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
    Certificate fingerprints:
             MD5:  339AE6887716A10E3C128196F958FC5A
             SHA1: CC843B67EC385B337D8B906374253215AE384727
             Signature algorithm name: SHA1withRSA
             Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore
References
The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDK/Webtop

The following are third-party references:
http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm
http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-
4 Enabling SSL on Oracle WebLogic Cluster
Introduction This white paper discusses the steps to enable SSL with self-signed certificates on an Oracle WebLogic application server in a clustered Environment Enable one way SSL communication between the WebLogic Managed Server and Apache Webserver The procedure for generating self-signed certificate and configuring the certificate to the WebLogic Server involves the following steps
1 Enabling Production Mode
2 Generating the Identity KeyStore
3 Generating the Trust KeyStore
4 Configuring the Identity and Trust KeyStores
5 Configure the Identity KeyStore details
6 Configure the SSL port on WebLogic Managed Server
7 Configure the second WebLogic Managed Server
8 Restart and Verification of WebLogic Managed Servers
9 Generate Trust CA file for Apache Webserver
10 Apache Webserver Configuration
Audience
This white paper is intended for testers who want to understand the process of generating self-signed certificates and configuring SSL an Oracle WebLogic application server in a clustered environment
Related documents Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop
Enabling Production Mode
Production and Development Modes
WebLogic Managed Servers in domain can be configured to start in one of two modes development or production
Development mode is used while developing applications Development mode uses a relaxed security configuration and enables us to auto-deploy applications In development mode the demonstration digital certificates provided by the WebLogic Server security services can be used The demonstration digital certificates private keys and trusted CA certificates should be used in a development environment only
Production mode when application is running in its final form A production domain uses full security and may use clusters or other advanced features Sun Microsystems keytool utility can be used to generate a private key a self-signed
5 Enabling SSL on Oracle WebLogic Cluster
digital certificate for WebLogic Server and a Certificate Signing Request (CSR) Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server Use keytool to update the self-signed digital certificate with a new digital certificate Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment
In the WebLogic Admin Console navigate to Domain Node
On the Configurations gt General Tab ensure the Production Mode option is true
Generating the Identity KeyStore Identity KeyStore is generated for each WebLogic Managed Servers
Using Keytool Utility an Identity KeyStore of JKS Type is generated
Run the below command to generate Identity KeyStore Provide the machine fully qualified domain name for Common Name
6 Enabling SSL on Oracle WebLogic Cluster
keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore
identity1jks -storepass password -keypass password
Generating the Trust KeyStore
Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers
The Certificate file is exported from Identity KeyStore and imported as Trusted CA file in Trust KeyStore Provide the machine fully qualified domain name for Common Name while generating the Trust KeyStore
Exporting the Certificate file from Identity KeyStore keytoolexe -exportcert -alias node1 -file node1certcer -keystore
Identity1jks -storetype JKS
Generating Trust KeyStore of JKS type and importing the certificate as Trusted CA file keytoolexe -importcert -trustcacerts ndashalias node1 -file node1certcer -
keystore Truststore1jks -storetype JKS
Configuring the Identity and Trust KeyStores In the WebLogic Admin Console (eg httpWebLogicServerIP7001console) Under Domain gt Servers - select the Managed server [Managed Node1] to configure the SSL
On the settings for Managed Server ndash navigate to Configuration gt KeyStores tab
For the KeyStores field from the dropdown list select the ldquoCustom Identity and Custom Trustrdquo
Provide the Identity KeyStore and Trust KeyStore details
Identity Custom Identity KeyStore Provide the path and file name of the Identity KeyStore
Custom Identity KeyStore Type JKS
Custom Identity KeyStore Passphrase storepass (Identity KeyStorersquos storepass value)
Trust Custom Trust KeyStore Provide the path and file name of the Trust KeyStore
Custom Trust KeyStore Type JKS
Custom Trust KeyStore Passphrase storepass (Trust KeyStorersquos storepass value)
7 Enabling SSL on Oracle WebLogic Cluster
8 Enabling SSL on Oracle WebLogic Cluster
Configure the Identity KeyStore details In the Admin Console navigate to Configuration gt SSL tab of the Managed Servers
Provide the details for Private Key Alias and Private Key Passphrase These are the values given while generating the Identity KeyStore keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore
csslidentity1jks -storepass password -keypass password
In the above command
Private Key Alias = node1
Private Key PassPhrase = password (keypass value)
NOTE By default SSL enabled on WebLogic managed server is One Way SSL To change to Two Way SSL select the
two way SSL behavior from the ldquoAdvancedrdquo option list
Configure the SSL port on WebLogic Managed Server In the WebLogic Admin Console navigate to Configuration - gt General Tab of Managed Server The SSL port for the WebLogic Managed Server is defined here
9 Enabling SSL on Oracle WebLogic Cluster
Check ldquoSSL listen Port Enablerdquo Provide the SSL Listen port details
Configuring the Second WebLogic Managed Server The Identity and Trust KeyStores are generated for the second WebLogic Managed Server
Configure the Identity and Trust KeyStores Follow the steps 1 to 6
Restart and Verification of WebLogic Managed Servers After generating and configuring the Identity and Trust Stores for each WebLogic Managed Servers in WebLogic Admin Console restart the WebLogic Managed Servers
The below messages in the server logs indicate that the certificates are loaded
ltNoticegt ltSecuritygt ltBEA-090171gt ltLoading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjksgt
ltNoticegt ltSecuritygt ltBEA-090169gt ltLoading trustedcertificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjksgt
10 Enabling SSL on Oracle WebLogic Cluster
Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name
Click on the certificate details and verify the certificate information
Generate Trust CA file for Apache Webserver SSL Communication between the Apache webserver plug-in and the WebLogic Server the below parameters need to be added in ldquohttpdconfldquo
SecureProxy set to On
TrustedCAFile point to the file that contains the digital certificates for the trusted certificate authorities
To generate the Trusted CA file follow the below steps
Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool Keytool ndashimportkeystore -srckeystore identity1jks -destkeystore
tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass
password -deststorepass password
Keytool ndashimportkeystore -srckeystore identity2jks -destkeystore
tempkeystorejks -srcstoretype JKS -deststoretype JKS -srcstorepass
password -deststorepass password
Convert the JKS format temporary keystore to PKCS12 and then PEM format
Conversion from JKS to PKCS12 format using keytool keytool -importkeystore -srckeystore keystore3jks -destkeystore
trustpkcs -srcstoretype JKS -deststoretype PKCS12
Conversion from PKCS12 to PEM format using openssl openssl pkcs12 -in trustpkcs -out trustpem
Apache Webserver Configuration On the Apache webserver used for clustering WebLogic do the following changes
The PEM file generated in the previous step is used as trusted CA file
Copy the trusted CA file to the Apache webserver machine
For the parameter lsquoTrustedCAFilersquo in httpdconf file point the trusted CA file
In ldquohttpdconfrdquo file add one of the below lines depending on Apache Webserver Version LoadModule WebLogic_module modulesmod_wl_22so (for apache webserver
22x)
11 Enabling SSL on Oracle WebLogic Cluster
LoadModule WebLogic_module modulesmod_wl_20so (for apache webserver
20xx)
Next add the following lines in rdquohttpdconfrdquo ltIfModule mod_WebLogiccgt
SetHandler WebLogic-handler
WebLogicCluster IPSSLPort1 IPSSLPort2
MatchExpression
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile ctrustpem
EnforceBasicConstraints false
DEBUG
WLLogFile Cwlproxylog
Debug ALL
DebugConfigInfo ON
ConnectTimeoutSecs 600
ltIfModulegt
Troubleshooting
Sl No
Issues Possible Cause Solution
1
From Client SSLexception javasecuritycertCertificateException No name ldquohostnamerdquo matching found
Accessing the URL with different hostnameIP which is not used in specific certificate
While accessing Application server Webserver URL hostname should be used as full CN name in URL That same CN has been set while creating the keystore
IP should not be used for creating the keystore or accessing the URLs
2
From WebLogic Side javaioFileNotFoundException Keystore was tampered with or
Wrong keystore password is provided while configuring for lsquokeystorePassrsquo
Check and provide the correct password for keystore as lsquokeystorePassrsquo attribute in Identity keystore
12 Enabling SSL on Oracle WebLogic Cluster
password was incorrect
attribute page
Or
User can create a new keystore with new password and reconfigure the same
3 From WebLogic Side ltWarninggt ltSecuritygt ltBEA-090164gt ltFailed to load
trusted certificates from keystore COracleMIDDLE~1WLSERV~13serverlibDemo
Trustjks of type JKSgt
ltWarninggt ltSecuritygt ltBEA-090172gt ltNo trusted cert
ificates have been loaded Server will not trust to any certificate it receives
gt
Trust Keystore is not generate properly
Recreate the Trust Keystore and configure
4
From Webserver Side
INFO No CA was trusted validation failed
WARN DeleteSessionCallback No match found
ERROR SSLWrite failed
SEND failed (ret=-1) at 793 of file nsapiURLcpp
Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapiURLcpp
Correct Trusted CA file is not configured on Webserver
Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file
13 Enabling SSL on Oracle WebLogic Cluster
Marking 101010107002 as bad
got exception in sendRequest phase WRITE_ERROR_TO_SERVER [os error=0 line 794 of nsapiURLcpp] at line 3160
INFO Closing SSL context
Sample Keytool Commands
Generate Key in Appserver1(Identity1jks) and appserver2(identity2jks)
COracleMiddlewarejdk160_29bingtkeytoolexe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore cSSLIdentity1jks
Enter keystore password
Re-enter new password
What is your first and last name
[Unknown] AS1Prathimaemcswatemcccsacom (- dns name of the host machine)
What is the name of your organizational unit
[Unknown] IIG
What is the name of your organization
[Unknown] EMC
What is the name of your City or Locality
[Unknown] BAng
What is the name of your State or Province
[Unknown] KAr
What is the two-letter country code for this unit
[Unknown] IN
Is CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN corre
ct
[no] yes
Enter key password for ltnewclient1gt
14 Enabling SSL on Oracle WebLogic Cluster
(RETURN if same as keystore password)
Re-enter new password
Generate Certificate in Appserver1(cert1jks and client newclient1) and appserver2(cert2jks and client newclient2)
COracleMiddlewarejdk160_29bingtkeytoolexe -exportcert -alias newclient1 -file ccert1cer -keystore cSSLIdentity1jks -storetype JKS
Enter keystore password
Certificate stored in file ltccert1cergt
Generate Truststore in Appserver1(Truststore1jks) and Appserver2(Truststore2jks)
COracleMiddlewarejdk160_29bingtkeytoolexe -importcert -trustcacerts -alias
newclient1 -file ccert1cer -keystore cSSLTruststore1jks -storetype JKS
Enter keystore password
Re-enter new password
Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN
Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN
Serial number 51b171f7
Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013
Certificate fingerprints
MD5 339AE6887716A10E3C128196F958FC5A
SHA1 CC843B67EC385B337D8B906374253215AE384727
Signature algorithm name SHA1withRSA
Version 3
Trust this certificate [no] yes
Certificate was added to keystore
15 Enabling SSL on Oracle WebLogic Cluster
References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop
The following are third-party references
httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml
httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm
httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-
5 Enabling SSL on Oracle WebLogic Cluster
digital certificate for WebLogic Server and a Certificate Signing Request (CSR) Submit the CSR to a certificate authority to obtain a digital certificate for WebLogic Server Use keytool to update the self-signed digital certificate with a new digital certificate Use the keytool utility to obtain trust and identity when using WebLogic Server in a production environment
In the WebLogic Admin Console navigate to Domain Node
On the Configurations gt General Tab ensure the Production Mode option is true
Generating the Identity KeyStore Identity KeyStore is generated for each WebLogic Managed Servers
Using Keytool Utility an Identity KeyStore of JKS Type is generated
Run the below command to generate Identity KeyStore Provide the machine fully qualified domain name for Common Name
6 Enabling SSL on Oracle WebLogic Cluster
keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore
identity1jks -storepass password -keypass password
Generating the Trust KeyStore
Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers
The Certificate file is exported from Identity KeyStore and imported as Trusted CA file in Trust KeyStore Provide the machine fully qualified domain name for Common Name while generating the Trust KeyStore
Exporting the Certificate file from Identity KeyStore keytoolexe -exportcert -alias node1 -file node1certcer -keystore
Identity1jks -storetype JKS
Generating Trust KeyStore of JKS type and importing the certificate as Trusted CA file keytoolexe -importcert -trustcacerts ndashalias node1 -file node1certcer -
keystore Truststore1jks -storetype JKS
Configuring the Identity and Trust KeyStores In the WebLogic Admin Console (eg httpWebLogicServerIP7001console) Under Domain gt Servers - select the Managed server [Managed Node1] to configure the SSL
On the settings for Managed Server ndash navigate to Configuration gt KeyStores tab
For the KeyStores field from the dropdown list select the ldquoCustom Identity and Custom Trustrdquo
Provide the Identity KeyStore and Trust KeyStore details
Identity Custom Identity KeyStore Provide the path and file name of the Identity KeyStore
Custom Identity KeyStore Type JKS
Custom Identity KeyStore Passphrase storepass (Identity KeyStorersquos storepass value)
Trust Custom Trust KeyStore Provide the path and file name of the Trust KeyStore
Custom Trust KeyStore Type JKS
Custom Trust KeyStore Passphrase storepass (Trust KeyStorersquos storepass value)
7 Enabling SSL on Oracle WebLogic Cluster
8 Enabling SSL on Oracle WebLogic Cluster
Configure the Identity KeyStore details In the Admin Console navigate to Configuration gt SSL tab of the Managed Servers
Provide the details for Private Key Alias and Private Key Passphrase These are the values given while generating the Identity KeyStore keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore
csslidentity1jks -storepass password -keypass password
In the above command
Private Key Alias = node1
Private Key PassPhrase = password (keypass value)
NOTE By default SSL enabled on WebLogic managed server is One Way SSL To change to Two Way SSL select the
two way SSL behavior from the ldquoAdvancedrdquo option list
Configure the SSL port on WebLogic Managed Server In the WebLogic Admin Console navigate to Configuration - gt General Tab of Managed Server The SSL port for the WebLogic Managed Server is defined here
9 Enabling SSL on Oracle WebLogic Cluster
Check ldquoSSL listen Port Enablerdquo Provide the SSL Listen port details
Configuring the Second WebLogic Managed Server The Identity and Trust KeyStores are generated for the second WebLogic Managed Server
Configure the Identity and Trust KeyStores Follow the steps 1 to 6
Restart and Verification of WebLogic Managed Servers After generating and configuring the Identity and Trust Stores for each WebLogic Managed Servers in WebLogic Admin Console restart the WebLogic Managed Servers
The below messages in the server logs indicate that the certificates are loaded
ltNoticegt ltSecuritygt ltBEA-090171gt ltLoading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjksgt
ltNoticegt ltSecuritygt ltBEA-090169gt ltLoading trustedcertificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjksgt
10 Enabling SSL on Oracle WebLogic Cluster
Access the Application URL from the WebLogic Managed Server httpsManagedServerIpSSLportapplication_name
Click on the certificate details and verify the certificate information

Generate Trust CA file for Apache Webserver

For SSL communication between the Apache webserver plug-in and the WebLogic Server, the following parameters need to be added in "httpd.conf":

- SecureProxy: set to On.
- TrustedCAFile: point to the file that contains the digital certificates for the trusted certificate authorities.

To generate the Trusted CA file, follow the steps below.

Import the Identity Stores of each WebLogic Managed Server into a single temporary keystore using keytool:

    keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password
    keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password

Convert the JKS format temporary keystore to PKCS12 and then to PEM format.

Conversion from JKS to PKCS12 format using keytool:

    keytool -importkeystore -srckeystore tempkeystore.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12

Conversion from PKCS12 to PEM format using openssl:

    openssl pkcs12 -in trust.pkcs -out trust.pem
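
Because the temporary keystore is built from the Identity Stores, the PEM file written by the last command carries each server's private key alongside its certificate. The following check is an added example, not part of the original white paper: it reports which PEM blocks a trust bundle contains and writes a certificates-only copy. The sample bundle is constructed, with placeholder base64 bodies and a hypothetical host name.

```python
import re

# One PEM block: the BEGIN and END labels must match; the label is captured.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed sample shaped like the output of
# `openssl pkcs12 -in trust.pkcs -out trust.pem` for two identity entries.
# The base64 bodies are placeholders, not real key or certificate material.
SAMPLE_TRUST_PEM = """\
Bag Attributes
    friendlyName: node1
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZLTE=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: node1
subject=CN = as1.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVC0x
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: node2
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZLTI=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: node2
subject=CN = as2.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVC0y
-----END CERTIFICATE-----
"""


def split_pem(text):
    """Return [(label, full_block_text), ...] for every PEM block in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def audit_trust_bundle(text):
    """Summarise a PEM bundle intended for use as TrustedCAFile."""
    blocks = split_pem(text)
    # Covers PRIVATE KEY, ENCRYPTED PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY.
    key_labels = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    cert_count = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    return {
        "certificates": cert_count,
        "private_keys": key_labels,
        "certs_only": cert_count > 0 and not key_labels,
    }


def strip_to_certificates(text):
    """Return a bundle holding only the CERTIFICATE blocks of the input."""
    certs = [block for label, block in split_pem(text) if label == "CERTIFICATE"]
    return "".join(block + "\n" for block in certs)


if __name__ == "__main__":
    print("as exported:", audit_trust_bundle(SAMPLE_TRUST_PEM))
    cleaned = strip_to_certificates(SAMPLE_TRUST_PEM)
    print("after strip:", audit_trust_bundle(cleaned))
```

Run the audit on trust.pem before copying it to the Apache machine. The `-nokeys` option of `openssl pkcs12` leaves private keys out at export time.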

Apache Webserver Configuration

On the Apache webserver used for clustering WebLogic, make the following changes:

- The PEM file generated in the previous step is used as the trusted CA file.
- Copy the trusted CA file to the Apache webserver machine.
- Point the 'TrustedCAFile' parameter in the httpd.conf file to the trusted CA file.

In the "httpd.conf" file, add one of the following lines, depending on the Apache webserver version:

    # Apache webserver 2.2.x
    LoadModule weblogic_module modules/mod_wl_22.so
    # Apache webserver 2.0.xx
    LoadModule weblogic_module modules/mod_wl_20.so

Next, add the following lines in "httpd.conf":

    <IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster IP:SSLPort1,IP:SSLPort2
    MatchExpression
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:\trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
    </IfModule>
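
The block above turns off host-name matching and basic-constraints checking and leaves full debugging on. The following audit is an added example, not part of the original white paper: it parses the plug-in block and lists the settings that weaken certificate validation or expose debug information, then runs on a tightened variant. The cluster addresses and host names are constructed placeholders, and whether EnforceBasicConstraints can be left at its default depends on the certificates in use.

```python
import re

# The plug-in block as given on this page. Cluster addresses are constructed
# placeholders; the page gives no value for MatchExpression.
PAGE_CONFIG = r"""
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicCluster 192.0.2.11:7002,192.0.2.12:7002
MatchExpression
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile c:\trust.pem
EnforceBasicConstraints false
# DEBUG
WLLogFile C:\wlproxy.log
Debug ALL
DebugConfigInfo ON
ConnectTimeoutSecs 600
</IfModule>
"""

# Tightened variant (constructed): host names that match the certificate CN,
# host matching on, EnforceBasicConstraints left at its default, debug off.
HARDENED_CONFIG = r"""
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicCluster as1.example.test:7002,as2.example.test:7002
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch true
TrustedCAFile c:\trust.pem
Debug OFF
DebugConfigInfo OFF
ConnectTimeoutSecs 600
</IfModule>
"""


def parse_plugin_block(conf, module="mod_weblogic.c"):
    """Return {directive_lowercase: value} for lines inside <IfModule module>."""
    opener = re.compile(r"<IfModule\s+%s>" % re.escape(module), re.IGNORECASE)
    inside, directives = False, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if opener.fullmatch(line):
            inside = True
        elif line.lower() == "</ifmodule>":
            inside = False
        elif inside:
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def _on(value):
    return value.lower() in ("on", "true")


def _off(value):
    return value.lower() in ("off", "false")


def audit_plugin_config(conf):
    """Return [(directive, reason), ...] for settings worth reviewing."""
    d = parse_plugin_block(conf)
    findings = []
    if not _on(d.get("secureproxy", "off")):
        findings.append(("SecureProxy", "plug-in to WebLogic traffic is not using SSL"))
    elif not d.get("trustedcafile"):
        findings.append(("TrustedCAFile", "SSL is on but no trusted CA file is set"))
    if _off(d.get("requiresslhostmatch", "")):
        findings.append(("RequireSSLHostMatch",
                         "server certificate is not matched against the host name"))
    if _off(d.get("enforcebasicconstraints", "")):
        findings.append(("EnforceBasicConstraints",
                         "basic-constraints checking of the chain is disabled"))
    if d.get("debug", "off").lower() != "off":
        findings.append(("Debug", "verbose plug-in logging is enabled"))
    if _on(d.get("debugconfiginfo", "off")):
        findings.append(("DebugConfigInfo",
                         "plug-in configuration can be queried over HTTP"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_plugin_config(PAGE_CONFIG):
        print(f"{name}: {reason}")
```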

Troubleshooting

1. Issue (from client):
       SSLException: java.security.cert.CertificateException: No name "hostname" matching found
   Possible cause: The URL is accessed with a different hostname/IP, which is not the one used in the specific certificate.
   Solution: While accessing the Application server/Webserver URL, the hostname should be used as the full CN name in the URL. That same CN has been set while creating the keystore. An IP should not be used for creating the keystore or accessing the URLs.

2. Issue (from WebLogic side):
       java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect
   Possible cause: A wrong keystore password is provided while configuring 'keystorePass'.
   Solution: Check and provide the correct keystore password as the 'keystorePass' attribute in the Identity keystore attribute page. Or, the user can create a new keystore with a new password and reconfigure the same.

3. Issue (from WebLogic side):
       <Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS>
       <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
   Possible cause: The Trust Keystore is not generated properly.
   Solution: Recreate the Trust Keystore and configure it.

4. Issue (from Webserver side):
       INFO: No CA was trusted, validation failed
       WARN: DeleteSessionCallback: No match found
       ERROR: SSLWrite failed
       SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
       Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
       Marking 101010107002 as bad
       got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp] at line 3160
       INFO: Closing SSL context
   Possible cause: The correct Trusted CA file is not configured on the Webserver.
   Solution: Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file.
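
The BEA-090171 and BEA-090169 notices from the verification step and the BEA-090164 and BEA-090172 warnings in item 3 can be checked mechanically after each restart. The following triage is an added example, not part of the original white paper: it reads server log lines and reports whether both keystores loaded and which keystore file a failure names. The log lines, timestamp prefix and paths are constructed samples.

```python
import re

# <Severity> <Subsystem> <BEA-nnnnnn> <message>, with any prefix tolerated.
ENTRY = re.compile(
    r"<(?P<severity>\w+)> <(?P<subsystem>\w+)> <BEA-(?P<code>\d{6})> <(?P<message>.*)>\s*$"
)
# Keystore path as it appears in the messages quoted on this page.
KEYSTORE_PATH = re.compile(r"keystore (?:file )?(?P<path>\S+)")

IDENTITY_LOADED = "090171"          # identity certificate and private key loaded
TRUST_LOADED = "090169"             # trusted certificates loaded
TRUST_FAILURES = {"090164", "090172"}

# Constructed sample lines (paths and timestamp are placeholders).
GOOD_LOG = [
    r"<Jun 6, 2013 10:39:03 PM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias node1 from the JKS keystore file C:\certs\identity1.jks>",
    r"<Jun 6, 2013 10:39:03 PM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file C:\certs\Truststore1.jks>",
    r"<Jun 6, 2013 10:39:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel listening>",
]
BAD_LOG = [
    GOOD_LOG[0],
    r"<Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\wls\server\lib\DemoTrust.jks of type JKS>",
    r"<Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>",
]


def parse_entry(line):
    """Return a dict for one log line, or None if it is not a BEA entry."""
    m = ENTRY.search(line)
    if not m:
        return None
    entry = m.groupdict()
    path = KEYSTORE_PATH.search(entry["message"])
    entry["keystore"] = path.group("path") if path else None
    return entry


def ssl_store_status(lines):
    """Summarise keystore loading for one server start."""
    status = {"identity_keystore": None, "trust_keystore": None, "failures": []}
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["subsystem"] != "Security":
            continue
        if entry["code"] == IDENTITY_LOADED:
            status["identity_keystore"] = entry["keystore"]
        elif entry["code"] == TRUST_LOADED:
            status["trust_keystore"] = entry["keystore"]
        elif entry["code"] in TRUST_FAILURES:
            status["failures"].append((entry["code"], entry["keystore"]))
    if status["failures"]:
        status["verdict"] = "trust-store-failure"
    elif status["identity_keystore"] and status["trust_keystore"]:
        status["verdict"] = "loaded"
    else:
        status["verdict"] = "incomplete"
    return status


if __name__ == "__main__":
    print(ssl_store_status(GOOD_LOG))
    print(ssl_store_status(BAD_LOG))
```

A failure entry that names a keystore other than the configured Custom Trust file shows which store the server actually tried to load.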

Sample Keytool Commands

Generate Key in Appserver1 (Identity1.jks) and Appserver2 (identity2.jks)

    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  AS1Prathimaemcswatemcccsacom    (DNS name of the host machine)
    What is the name of your organizational unit?
      [Unknown]:  IIG
    What is the name of your organization?
      [Unknown]:  EMC
    What is the name of your City or Locality?
      [Unknown]:  BAng
    What is the name of your State or Province?
      [Unknown]:  KAr
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
      [no]:  yes
    Enter key password for <newclient1>
            (RETURN if same as keystore password):
    Re-enter new password:

Generate Certificate in Appserver1 (cert1.jks and client newclient1) and Appserver2 (cert2.jks and client newclient2)

    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
    Enter keystore password:
    Certificate stored in file <c:\cert1.cer>

Generate Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks)

    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
    Enter keystore password:
    Re-enter new password:
    Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
    Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
    Serial number: 51b171f7
    Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
    Certificate fingerprints:
             MD5:  33:9A:E6:88:77:16:A1:0E:3C:12:81:96:F9:58:FC:5A
             SHA1: CC:84:3B:67:EC:38:5B:33:7D:8B:90:63:74:25:32:15:AE:38:47:27
             Signature algorithm name: SHA1withRSA
             Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

References

The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.

- Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop

The following are third-party references:

- http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html
- http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm
- http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html

    keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore identity1.jks -storepass password -keypass password

Generating the Trust KeyStore

A Trust KeyStore of JKS type is generated for each of the WebLogic Managed Servers.

The certificate file is exported from the Identity KeyStore and imported as a Trusted CA file in the Trust KeyStore. Provide the machine's fully qualified domain name for Common Name while generating the Trust KeyStore.

Exporting the certificate file from the Identity KeyStore:

    keytool.exe -exportcert -alias node1 -file node1cert.cer -keystore Identity1.jks -storetype JKS

Generating the Trust KeyStore of JKS type and importing the certificate as a Trusted CA file:

    keytool.exe -importcert -trustcacerts -alias node1 -file node1cert.cer -keystore Truststore1.jks -storetype JKS

Configuring the Identity and Trust KeyStores

In the WebLogic Admin Console (e.g. http://WebLogicServerIP:7001/console), under Domain > Servers, select the Managed Server [Managed Node1] to configure SSL.

On the settings page for the Managed Server, navigate to the Configuration > KeyStores tab.

For the KeyStores field, select "Custom Identity and Custom Trust" from the dropdown list.

Provide the Identity KeyStore and Trust KeyStore details.

Identity
- Custom Identity KeyStore: Provide the path and file name of the Identity KeyStore
- Custom Identity KeyStore Type: JKS
- Custom Identity KeyStore Passphrase: storepass (Identity KeyStore's storepass value)

Trust
- Custom Trust KeyStore: Provide the path and file name of the Trust KeyStore
- Custom Trust KeyStore Type: JKS
- Custom Trust KeyStore Passphrase: storepass (Trust KeyStore's storepass value)

Configure the Identity KeyStore details

In the Admin Console, navigate to the Configuration > SSL tab of the Managed Servers.

Provide the details for Private Key Alias and Private Key Passphrase. These are the values given while generating the Identity KeyStore:

    keytool -genkey -alias node1 -keyalg RSA -keysize 1024 -keystore c:\ssl\identity1.jks -storepass password -keypass password

In the above command:

- Private Key Alias = node1
- Private Key PassPhrase = password (keypass value)

NOTE: By default, SSL enabled on a WebLogic Managed Server is One Way SSL. To change to Two Way SSL, select the two way SSL behavior from the "Advanced" option list.
Re-enter new password
Owner CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN
Issuer CN=AS1Prathimaemcswatemcccsacom OU=IIG O=EMC L=BAng ST=KAr C=IN
Serial number 51b171f7
Valid from Thu Jun 06 223903 PDT 2013 until Wed Sep 04 223903 PDT 2013
Certificate fingerprints
MD5 339AE6887716A10E3C128196F958FC5A
SHA1 CC843B67EC385B337D8B906374253215AE384727
Signature algorithm name SHA1withRSA
Version 3
Trust this certificate [no] yes
Certificate was added to keystore
15 Enabling SSL on Oracle WebLogic Cluster
References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop
The following are third-party references
httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml
httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm
httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-
Check "SSL listen Port Enable". Provide the SSL Listen port details.
Configuring the Second WebLogic Managed Server
The Identity and Trust KeyStores are generated for the second WebLogic Managed Server.
Configure the Identity and Trust KeyStores. Follow the steps 1 to 6.
Restart and Verification of WebLogic Managed Servers
After generating and configuring the Identity and Trust Stores for each WebLogic Managed Server in the WebLogic Admin Console, restart the WebLogic Managed Servers.
The below messages in the server logs indicate that the certificates are loaded:
    <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisignidentityVerisignjks>
    <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file CWondersWebLogicSecuritySSL-CertsVerisigntrustVerisignjks>
Access the Application URL from the WebLogic Managed Server: https://ManagedServerIp:SSLport/application_name
Click on the certificate details and verify the certificate information.
Generate Trust CA file for Apache Webserver
For SSL communication between the Apache webserver plug-in and the WebLogic Server, the below parameters need to be added in "httpd.conf":
SecureProxy: set to On.
TrustedCAFile: point to the file that contains the digital certificates for the trusted certificate authorities.
To generate the Trusted CA file, follow the below steps.
Import the Identity Stores of each WebLogic Managed Server into a single temporary Keystore using keytool:
    keytool -importkeystore -srckeystore identity1.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password
    keytool -importkeystore -srckeystore identity2.jks -destkeystore tempkeystore.jks -srcstoretype JKS -deststoretype JKS -srcstorepass password -deststorepass password
Convert the JKS format temporary keystore to PKCS12 and then to PEM format.
Conversion from JKS to PKCS12 format using keytool:
    keytool -importkeystore -srckeystore keystore3.jks -destkeystore trust.pkcs -srcstoretype JKS -deststoretype PKCS12
Conversion from PKCS12 to PEM format using openssl:
    openssl pkcs12 -in trust.pkcs -out trust.pem
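Run as written, the final openssl pkcs12 step also writes the private keys held in the identity stores into trust.pem, although TrustedCAFile only needs certificates. The following added example (not part of the original white paper) builds the file from certificates only and checks the result before it is copied to the web server; the function names and the constructed sample files are assumptions, while the aliases and keystore names come from this paper's sample commands.

```shell
#!/bin/sh
# Added example: build the plug-in's trusted CA file from certificates only.
# Usage (keytool prompts for each keystore password):
#   build_trust_pem trust.pem Identity1.jks:newclient1 Identity2.jks:newclient2 \
#       && audit_trust_pem trust.pem

# Export one certificate (never the private key) from a JKS keystore as PEM.
export_cert_pem() {
    keytool -exportcert -rfc -alias "$2" -keystore "$1" -storetype JKS -file "$3"
}

# The paper's PKCS12 route, restricted to certificates with -nokeys.
pkcs12_to_cert_pem() {
    openssl pkcs12 -in "$1" -nokeys -out "$2"
}

# Concatenate the certificates of all managed servers into one PEM file.
# Arguments after the output file have the form keystore:alias.
build_trust_pem() {
    out=$1; shift
    : > "$out" || return 1
    for pair in "$@"; do
        ks=${pair%:*}        # everything before the last colon
        al=${pair##*:}       # everything after the last colon
        tmp=$(mktemp) || return 1
        if export_cert_pem "$ks" "$al" "$tmp"; then
            cat "$tmp" >> "$out"; rm -f "$tmp"
        else
            rm -f "$tmp"; return 1
        fi
    done
}

# Check a PEM file before TrustedCAFile points at it.
# Prints the certificate count. Returns 1 if any private key block is
# present, 2 if the file holds no certificate, 3 if it cannot be read.
audit_trust_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 3; }
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "private key material found in $pem" >&2
        return 1
    fi
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$certs" -gt 0 ] || { echo "no certificates in $pem" >&2; return 2; }
    echo "$certs"
}

# Constructed sample files (placeholder bodies, not real certificates or keys)
# for trying audit_trust_pem without a keystore.
write_constructed_samples() {
    dir=$1
    cat > "$dir/certs_only.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
    cat > "$dir/with_key.pem" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}
```

A trust.pem produced by the unmodified pkcs12 command fails this audit with return code 1, because openssl emits the key blocks alongside the certificates.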
Apache Webserver Configuration
On the Apache webserver used for clustering WebLogic, make the following changes.
The PEM file generated in the previous step is used as the trusted CA file.
Copy the trusted CA file to the Apache webserver machine.
Point the parameter 'TrustedCAFile' in the httpd.conf file to the trusted CA file.
In the "httpd.conf" file, add one of the below lines depending on the Apache Webserver version.
For Apache webserver 2.2.x:
    LoadModule weblogic_module modules/mod_wl_22.so
For Apache webserver 2.0.xx:
    LoadModule weblogic_module modules/mod_wl_20.so
Next, add the following lines in "httpd.conf":
    <IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicCluster IP:SSLPort1,IP:SSLPort2
    MatchExpression
    SecureProxy On
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile c:\trust.pem
    EnforceBasicConstraints false
    # DEBUG
    WLLogFile C:\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
    ConnectTimeoutSecs 600
    </IfModule>
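The block above switches off two certificate checks (RequireSSLHostMatch, EnforceBasicConstraints) and turns on full debug logging and the DebugConfigInfo query, so these four settings are the ones to revisit once the proxy carries real traffic. The following added example (not part of the original white paper) reports them from an httpd.conf; the function names, messages and both sample files are constructed for illustration, and the host names in them are placeholders.

```shell
#!/bin/sh
# Added example: review the WebLogic plug-in directives in an httpd.conf.
# Prints one line per finding; exit status is 1 when anything was reported.
audit_wl_plugin_conf() {
    awk '
        function flag(msg) { printf "line %d: %s %s -> %s\n", NR, $1, $2, msg; n++ }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        { d = tolower($1); v = tolower($2) }
        d == "secureproxy"   && v == "on" { secure = 1 }
        d == "trustedcafile" && $2 != ""  { ca = 1 }
        d == "requiresslhostmatch"     && v == "false" {
            flag("host name is not matched against the certificate subject") }
        d == "enforcebasicconstraints" && v == "false" {
            flag("CA basic constraints are not checked") }
        d == "debug"           && v == "all" {
            flag("request and response headers are written to WLLogFile") }
        d == "debugconfiginfo" && v == "on" {
            flag("?__WebLogicBridgeConfig query returns the plug-in configuration") }
        END {
            if (!secure) { print "SecureProxy On is missing"; n++ }
            if (!ca)     { print "TrustedCAFile is missing";  n++ }
            exit (n > 0)
        }
    ' "$1"
}

# Constructed samples: page.conf mirrors the block in this paper,
# reviewed.conf is the same proxy with the four settings changed or removed.
write_constructed_confs() {
    dir=$1
    cat > "$dir/page.conf" <<'EOF'
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicCluster wls1.example.com:7002,wls2.example.com:7002
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile c:\trust.pem
EnforceBasicConstraints false
# DEBUG
WLLogFile C:\wlproxy.log
Debug ALL
DebugConfigInfo ON
ConnectTimeoutSecs 600
</IfModule>
EOF
    cat > "$dir/reviewed.conf" <<'EOF'
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicCluster wls1.example.com:7002,wls2.example.com:7002
SecureProxy On
WLProxySSL ON
RequireSSLHostMatch true
TrustedCAFile c:\trust.pem
WLLogFile C:\wlproxy.log
Debug OFF
DebugConfigInfo OFF
ConnectTimeoutSecs 600
</IfModule>
EOF
}
```

Whether RequireSSLHostMatch and EnforceBasicConstraints can be tightened depends on the certificates in use, so the function only reports the settings and changes nothing.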
Troubleshooting
Sl No 1
Issue: From Client: SSLException: java.security.cert.CertificateException: No name "hostname" matching found
Possible Cause: Accessing the URL with a different hostname/IP, which is not used in the specific certificate.
Solution: While accessing the Application server/Webserver URL, the hostname should be used as the full CN name in the URL. That same CN has been set while creating the keystore. IP should not be used for creating the keystore or accessing the URLs.
Sl No 2
Issue: From WebLogic Side: java.io.FileNotFoundException: Keystore was tampered with, or password was incorrect
Possible Cause: Wrong keystore password is provided while configuring for 'keystorePass'.
Solution: Check and provide the correct password for the keystore as the 'keystorePass' attribute in the Identity keystore attribute page. Or the user can create a new keystore with a new password and reconfigure the same.
Sl No 3
Issue: From WebLogic Side:
    <Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks of type JKS.>
    <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
Possible Cause: Trust Keystore is not generated properly.
Solution: Recreate the Trust Keystore and configure.
Sl No 4
Issue: From Webserver Side:
    INFO: No CA was trusted, validation failed
    WARN: DeleteSessionCallback: No match found
    ERROR: SSLWrite failed
    SEND failed (ret=-1) at 793 of file nsapi/URL.cpp
    Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of nsapi/URL.cpp
    Marking 101010107002 as bad
    got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of nsapi/URL.cpp] at line 3160
    INFO: Closing SSL context
Possible Cause: Correct Trusted CA file is not configured on the Webserver.
Solution: Recreate the Trusted CA file and reconfigure the webserver with the Trusted CA file.
Sample Keytool Commands
Generate Key in Appserver1 (Identity1.jks) and Appserver2 (identity2.jks):
    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -genkey -alias newclient1 -keyalg RSA -keysize 1024 -keystore c:\SSL\Identity1.jks
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  AS1Prathimaemcswatemcccsacom    (DNS name of the host machine)
    What is the name of your organizational unit?
      [Unknown]:  IIG
    What is the name of your organization?
      [Unknown]:  EMC
    What is the name of your City or Locality?
      [Unknown]:  BAng
    What is the name of your State or Province?
      [Unknown]:  KAr
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN correct?
      [no]:  yes
    Enter key password for <newclient1>
            (RETURN if same as keystore password):
    Re-enter new password:
Generate Certificate in Appserver1 (cert1.jks and client newclient1) and Appserver2 (cert2.jks and client newclient2):
    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -exportcert -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Identity1.jks -storetype JKS
    Enter keystore password:
    Certificate stored in file <c:\cert1.cer>
Generate Truststore in Appserver1 (Truststore1.jks) and Appserver2 (Truststore2.jks):
    C:\Oracle\Middleware\jdk160_29\bin>keytool.exe -importcert -trustcacerts -alias newclient1 -file c:\cert1.cer -keystore c:\SSL\Truststore1.jks -storetype JKS
    Enter keystore password:
    Re-enter new password:
    Owner: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
    Issuer: CN=AS1Prathimaemcswatemcccsacom, OU=IIG, O=EMC, L=BAng, ST=KAr, C=IN
    Serial number: 51b171f7
    Valid from: Thu Jun 06 22:39:03 PDT 2013 until: Wed Sep 04 22:39:03 PDT 2013
    Certificate fingerprints:
             MD5:  33:9A:E6:88:77:16:A1:0E:3C:12:81:96:F9:58:FC:5A
             SHA1: CC:84:3B:67:EC:38:5B:33:7D:8B:90:63:74:25:32:15:AE:38:47:27
             Signature algorithm name: SHA1withRSA
             Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
References
The following documents provide additional relevant information. Access to the following Documentum documents is based on your Support site login credentials. If you do not have access to the following content, contact your EMC representative.
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDK/Webtop
The following are third-party references:
http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/identity_trust.htm
http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/plugin_params.html
httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-
15 Enabling SSL on Oracle WebLogic Cluster
References The following documents provide additional relevant information Access to the following Documentum documents is based on your Support site login credentials If you do not have access to the following content contact your EMC representative
Installing and Configuring an Oracle WebLogic Application server for EMC Documentum WDKWebtop
The following are third-party references
httpdocsoraclecomcdE13222_01wlsdocs81secmanagesslhtml
httpdocsoraclecomcdE23943_01web1111e13707identity_trusthtm
httpdocsoraclecomcdE13222_01wlsdocs81pluginsplugin_paramshtml
- Introduction
-
- Audience
- Related documents
-
- Enabling Production Mode
-
- Production and Development Modes
-
- Generating the Identity KeyStore
- Generating the Trust KeyStore
- Configuring the Identity and Trust KeyStores
-
- Identity
- Trust
-
- Configure the Identity KeyStore details
- Configure the SSL port on WebLogic Managed Server
- Configuring the Second WebLogic Managed Server
- Restart and Verification of WebLogic Managed Servers
- Generate Trust CA file for Apache Webserver
- Apache Webserver Configuration
- Troubleshooting
- Sample Keytool Commands
- References
-