Method for enabling SSL on BEA WebLogic Server 8.1
Zhao Donglu
September 2004
This method uses the standard Java keytool and stores the Private Key, Identity Cert, and Trusted Cert in a standard Java KeyStore.
The basic steps are as follows:
1. Apply for a digital certificate for the server through keytool
2. Configure the BEA server and install the related certificates and Private Key
3. Activate and adjust the SSL service function
1. Apply for a digital certificate for the server via keytool
The keytool provided by the JDK can generate a key pair and a certificate request file. This step also requires a certificate issuing agency (CA) to issue the server certificate for the certificate request generated by keytool. The basic steps are as follows:
1. Generate a key pair
2. Generate the certificate request file
3. Import the server certificate
4. Import the certificate of the certificate issuing agency
1.1. Generate a key pair
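To generate a key pair, run the following command:
./keytool -genkey -alias business -keyalg RSA -keysize 512 -dname "CN=zhao.iei-china.com, OU=RD, O=IEI, C=CN" -keypass admin123 -keystore c:/temp/mykeystore/mykeystore.jks -storepass admin123 -validity 180
Note: This step creates the KeyStore file "c:/temp/mykeystore/mykeystore.jks". The keystore password is "admin123", the password of the key in the keystore is "admin123", the key length is 512, the key alias is "business", and the server certificate subject is "CN=zhao.iei-china.com, OU=RD, O=IEI, C=CN". A 512-bit key is too short for anything beyond a test setup; pass a larger value to -keysize for a real server.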
1.2. Generate the certificate request file
To generate the certificate request file, run the following command:
./keytool -certreq -alias business -keystore c:/temp/mykeystore/mykeystore.jks -file c:/temp/mykeystore/server.csr
Note: This step creates the certificate request file "c:/temp/mykeystore/server.csr" for the key with the alias "business".
1.3. Import server certificate
The server certificate can only be imported after the CA has processed our certificate request and issued a certificate for the server. We submit the CSR file or its content to the CA through the CA's application procedure; after the request is accepted and the certificate is issued, we can download the certificate file.
The following figure is the page shown after the certificate has been issued by the iPlanet Certificate Management System.
Obtain from the CA the server certificate, Base64-encoded and including the certificate chain information. Copy the region shown in the figure and create the certificate file "c:/temp/mykeystore/serverwithchain.cer" with this content.
Run the following command to import the certificate file into the KeyStore.
./keytool -import -alias business -keystore c:/temp/mykeystore/mykeystore.jks -file c:/temp/mykeystore/serverwithchain.cer
1.4. Import the certificate of the certificate issuing agency
Obtain the certificate issuing agency's own certificate, save it as the file "c:/temp/mykeystore/trust-ca.cer", and run the following command to import it into the keystore.
./keytool -import -keystore c:/temp/mykeystore/mykeystore.jks -file c:/temp/mykeystore/trust-ca.cer
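A check for the result of steps 1.1 to 1.4, added here as an example and not part of the original article: it reads keytool -list -v output and confirms that the alias "business" holds a private key with a CA-issued chain and that a trusted CA entry exists, accepting both the keyEntry and PrivateKeyEntry spellings printed by different JDK releases. The two sample listings are constructed and abridged; the issuer DN "CN=Example CA" and the alias "mykey" for the CA certificate are assumptions.

```shell
# Added example: audit `keytool -list -v` output for the keystore built above.
# Usage: keytool -list -v -keystore <file> | audit_listing business
audit_listing() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                       # tolerate Windows line endings
        /^Alias name: / { alias = substr($0, 13); first = 1 }
        /^Entry type: / { type[alias] = substr($0, 13)
                          if (type[alias] ~ /trustedCertEntry/) trusted++ }
        /^Certificate chain length: / { chain[alias] = $4 + 0 }
        # Only the first certificate of an entry describes the entry itself.
        /^Owner: /  && first { owner[alias] = substr($0, 8) }
        /^Issuer: / && first { issuer[alias] = substr($0, 9); first = 0 }
        END {
            if (!(want in type)) { print "FAIL: alias not found: " want; exit 1 }
            if (type[want] !~ /[Kk]eyEntry/) { print "FAIL: no private key under " want; bad = 1 }
            if (chain[want] < 2) { print "FAIL: CA reply not imported (chain length " (chain[want] + 0) ")"; bad = 1 }
            if (owner[want] == issuer[want]) { print "FAIL: certificate is still self-signed"; bad = 1 }
            if (trusted < 1) { print "FAIL: no trusted CA certificate entry"; bad = 1 }
            if (!bad) print "OK: " want " has a CA-issued chain and a trusted CA entry exists"
            exit bad + 0
        }'
}
# Constructed listing: state after steps 1.1-1.4 (issuer DN and "mykey" are made up).
sample_complete() {
    cat <<'EOF'
Alias name: business
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=zhao.iei-china.com, OU=RD, O=IEI, C=CN
Issuer: CN=Example CA, O=Example, C=CN
Certificate[2]:
Owner: CN=Example CA, O=Example, C=CN
Issuer: CN=Example CA, O=Example, C=CN
Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example, C=CN
Issuer: CN=Example CA, O=Example, C=CN
EOF
}
# Constructed listing: state after step 1.1 only (self-signed, no CA entry).
sample_after_genkey() {
    printf '%s\n' 'Alias name: business' 'Entry type: keyEntry' \
        'Certificate chain length: 1' 'Certificate[1]:' \
        'Owner: CN=zhao.iei-china.com, OU=RD, O=IEI, C=CN' \
        'Issuer: CN=zhao.iei-china.com, OU=RD, O=IEI, C=CN'
}
sample_complete | audit_listing business
```

If the CA reply is imported under a different alias than "business", keytool stores it as a trusted certificate instead of attaching it to the private key, and this check reports the key entry as still self-signed.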
2. Configure the BEA server, install relevant certificates and Private Key
Start the BEA WebLogic Server, open the WebLogic Server console, and configure it as follows.
1. Select the KeyStore & SSL option on the BEA server on which the certificate is to be installed.
2. Choose "Change" under KeyStore Configuration.
3. Select "Custom Identity and Custom Trust" as the keystore type and click the "Continue" button.
In Custom Identity Key Store File Name, fill in the full path to the keystore file created earlier; in Custom Identity Key Store Type, fill in JKS; in Pass Phrase, fill in the password "admin123" specified when the keystore was created. Then click the "Continue" button.
4. Fill in the private key settings.
Fill in the alias and password of the Private Key in the KeyStore, then click the "Continue" button.
3. Activate and adjust the SSL service function
Select the General page in the console of the BEA WebLogic Server to perform the SSL configuration.
Select the SSL Listen Port Enable option and assign a port to SSL Listen Port. Click the Apply button after the settings are complete.
If client certificates must be enforced, set "Two Way Client Cert Behavior" in the advanced options on the General page.
Restart the BEA server. The following information appears during server startup, indicating that the server has started normally.
<2004-9-27 At 18:32 in the afternoon 46 seconds CST>
<2004-9-27 At 18:32 in the afternoon 46 seconds CST>
<2004-9-27 At 18:32 in the afternoon 46 seconds CST>
After the server has started normally, accessing https://YourHost displays the following page, which shows that the installation and configuration are working.
5. Appendix
5.1. Reference documentation
BEA WebLogic 8.x Security Configuration Document
http://edocs.beasys.com/wls/docs81/secmanage/ssl.html
JDK keytool User Manual
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
5.2. File content
The contents of the files involved in this configuration (only files listing files)
server.csr
serverwithchain.cer
trust-ca.cer