Saturday, July 26, 2008

Configuring Commercial certificates on weblogic server

Following are the steps that are required to configure SSL.

************************************************************************
1. Open a new command prompt window and set the path to your domain directory.

2. Run setDomainEnv.cmd to set the environment.

Eg :-

C:\bea8.1\user_projects\domains\mydomain\bin>setDomainEnv.cmd

Here, mydomain is the name of my domain; use your own domain name in its place.


3. Now, run the following command:-

C:\bea8.1\user_projects\domains\mydomain>keytool -genkey -keyalg RSA -alias mykey -keystore mykeystore.jks

Enter keystore password: weblogic
What is your first and last name?
[Unknown]: Hans
What is the name of your organizational unit?
[Unknown]: BEA
What is the name of your organization?
[Unknown]: BEA
What is the name of your City or Locality?
[Unknown]: AAAA
What is the name of your State or Province?
[Unknown]: BBBB
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Hans, OU=BEA, O=BEA, L=AAAA, ST=BBBB, C=IN correct?
[no]: yes
Enter key password for <mykey>
(RETURN if same as keystore password): weblogic

Press Enter.


4. As a result, you will obtain a file mykeystore.jks in your domain directory. This is your Identity Keystore.

5. In order to obtain the Certificate Signing Request, you need to run the following command:-

C:\bea8.1\user_projects\domains\mydomain>keytool -certreq -alias mykey -keystore mykeystore.jks

Enter keystore password: weblogic

As a result, you will get a certificate request.


6. You will need to copy and paste all of it (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines) to the certification authority.

7. The certificate authority will then send you a mail containing the required certificates and the signed public key (your server certificate).

8. You will see 3 certificates.

9. Select the first certificate -> click on View Certificate -> click on the Details tab of the newly opened window -> click on Copy to File -> click Next -> choose the second option, i.e. Base-64 encoded -> save it as "a.cer" under a folder in the domain directory.

10. Repeat the above step for the second and third certificates too and save them as b.cer and c.cer respectively.


11. Now go to the folder where you saved the certificates and open the first certificate, a.cer. If "issued to" and "issued by" are the same, that is the root certificate, so save it as "rootCA.cer".

12. Now open b.cer. If "issued to" is your CN name and "issued by" is the certification authority, this is your signed certificate, so save it as "supportcert.pem".

13. The remaining certificate is the intermediate certificate, so rename it as "intermediate.cer".

Note:- While saving the certificates, remember to enclose the name in double quotes (so the editor does not append its own extension), and check that the name contains no whitespace characters.


14. Now, you need to form a chain of the certificates. For this, open "supportcert.pem" in Edit mode. Check that there are no whitespace characters at the end. Press Enter (so the file ends with a single newline). Press Save.


15. Open the "intermediate.cer" in Edit mode. Check that there are no whitespace characters at the end. Press Save. Then select the entire contents. Copy them and paste them at the end of "supportcert.pem". Make sure that there are no whitespace characters. Save "supportcert.pem".


16. Open the "rootCA.cer" in Edit mode. Check that there are no whitespace characters at the end. Press Save. Then select the entire contents. Copy them and paste them at the end of "supportcert.pem" (i.e after adding "intermediate.cer"). Make sure that there are no whitespace characters. Save "supportcert.pem".


17. Now "supportcert.pem" will consist of the following:-

a. the signed public key content (your server certificate)

b. then the intermediate certificate

c. then the root certificate.

That is, a chain of certificates is created. Now you can close "supportcert.pem".


18. Go to the command prompt window and, after setting the domain environment (i.e. by executing setEnv.cmd), run the following command:-

C:\bea8.1\user_projects\domains\mydomain>keytool -import -alias rootca -trustcacerts -file C:\bea8.1\user_projects\domains\mydomain\rootCA.cer -keystore C:\bea8.1\user_projects\domains\mydomain\supporttrust.jks -storepass weblogic

Note:- Please remember to change the following values in this command, according to your settings, before executing it:-

a. Alias name

b. Path after the -file attribute

c. Path of your trust keystore

d. Password of the trust keystore

Press Enter. It will prompt you to trust this certificate. Type yes.


19. Now run the following command at the command prompt:-

C:\bea8.1\user_projects\domains\mydomain>keytool -import -trustcacerts -alias mykey -file C:\bea8.1\user_projects\domains\mydomain\supportcert.pem -keypass weblogic -keystore C:\bea8.1\user_projects\domains\mydomain\mykeystore.jks -storepass weblogic

Note:- Please remember to change the following values in this command, according to your settings, before executing it:-

a. Alias name for the private key

b. Path of the supportcert.pem

c. Keypass for the private key

d. Path of your identity keystore

e. Storepass for your identity keystore

20. Press Enter. It will prompt you to trust this certificate. Type yes.


21. Cross-check for the following files in your domain directory:-

a. supportcert.pem

b. rootCA.cer

c. mykeystore.jks (i.e. the Identity Keystore that got created when you ran the first keytool command)
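Steps 11 to 17 sort the three .cer files by comparing "issued to" with "issued by" and then paste them together by hand, which is where stray whitespace usually creeps in. The following Python script is an added example, not part of the original post: it reads each certificate's subject and issuer straight from the DER, orders the set leaf -> intermediates -> root for a chain of any length, and writes one clean PEM file. It assumes a CA's subject Name is byte-identical to the issuer Name in the certificates it signs (the normal case), and the a.cer/b.cer/c.cer inputs are replaced by constructed stand-in certificates (correct field layout, dummy signature) so it runs offline; the function and sample names are mine.

```python
import base64, re

def tlv(buf, pos):  # one DER TLV at pos -> (tag, value_start, value_end); definite lengths only
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits say how many following bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def subject_issuer(cert):  # tbsCertificate = [0]version? serial sigAlg issuer validity subject ...
    _, pos, _ = tlv(cert, 0)  # step into Certificate
    _, pos, end = tlv(cert, pos)  # step into tbsCertificate
    f = []
    while pos < end:
        tag, _, ve = tlv(cert, pos)
        if tag != 0xA0: f.append(cert[pos:ve])  # skip optional [0] version so indexes are stable
        pos = ve
    return f[4], f[2]  # raw DER Names; byte-equal subject and issuer = self-signed (simplified match)

def pem_to_der(text):  # tolerates the stray whitespace and blank lines the post warns about
    body = re.search(r"-----BEGIN [^-]*-----(.*?)-----END [^-]*-----", text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def der_to_pem(cert):  # 64-column body, exactly one newline after END, nothing trailing
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

def build_chain(pem_texts):  # leaf -> intermediates -> root (any depth) as one clean PEM file
    certs = {d: subject_issuer(d) for d in map(pem_to_der, pem_texts)}
    issuers = {iss for _, iss in certs.values()}
    (cur,) = [d for d, (sub, _) in certs.items() if sub not in issuers]  # the one cert that issued nothing
    chain = []
    while cur is not None and cur not in chain:  # follow issuer links; the self-signed root ends it
        chain.append(cur)
        cur = next((d for d, (sub, _) in certs.items() if sub == certs[cur][1]), None)
    if certs[chain[-1]][0] != certs[chain[-1]][1]:
        raise ValueError("chain does not end in a self-signed root: an issuer certificate is missing")
    return "".join(der_to_pem(d) for d in chain)

# Constructed stand-ins for a.cer/b.cer/c.cer: real tbsCertificate field order, dummy algorithms/signature.
enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form length only; fine for tiny samples
def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), PrintableString } } }
    return enc(0x30, enc(0x31, enc(0x30, b"\x06\x03\x55\x04\x03" + enc(0x13, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"")
           + name(issuer) + enc(0x30, b"") + name(subject))
    return der_to_pem(enc(0x30, enc(0x30, tbs) + enc(0x30, b"") + enc(0x03, b"\x00")))
SAMPLE = [fake_cert("Example Root CA", "Example Root CA"),          # like rootCA.cer
          fake_cert("Hans", "Example Intermediate CA") + "  \n\n",  # like b.cer, with trailing junk
          fake_cert("Example Intermediate CA", "Example Root CA")]  # like intermediate.cer
```

Write build_chain(SAMPLE) to supportcert.pem and feed it to the step 19 import; a mis-ordered or whitespace-damaged chain is the usual cause of keytool's "Failed to establish chain from reply" error at that step.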
