***************************************************************************
* Description: Created self-signed certificate for WebLogic managed server
* Date: 11:44 AM EST, 03/02/2021
***************************************************************************
<1> After the domain and managed server are created, the admin server's and managed server's HTTPS ports are assigned the WebLogic integrated Demo certificates:
|
|__ o. Those Demo certs must not be used in a production environment, and a vulnerability scan will flag them as well.
|
|__ o. If CA-issued certificates cannot be purchased, a self-signed certificate is recommended.
<2> Several utilities can create a self-signed certificate; in this case, KEYTOOL is preferred:
|
|__ $ which keytool
/usr/java/jdk1.8.0_261-amd64/bin/keytool
<3> Create a key pair in a keystore; the .jks keystore file is created on disk at the same time:
|
|__ $ keytool -genkey -keyalg RSA -alias snflwr -keystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks \
-dname "CN=`hostname`, OU=HHS, O=HHS, L=Rockville, ST=MD, C=US" -storepass Oracle2019 -validity 3600 -keysize 2048 -keypass Oracle2019
Warning: The JKS keystore uses a proprietary format.
It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks \
-destkeystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks -deststoretype pkcs12".
<4> Create a self-signed identity certificate and save it in the keystore. The certificate info is written to the physical keystore file as well:
|
|__ $ keytool -selfcert -v -alias snflwr -keypass Oracle2019 -keystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks \
-storepass Oracle2019 -storetype jks -validity 3600
New certificate (self-signed):
[
[
Version: V3
Subject: CN=suflwr.emeralit.com, OU=DDS, O=DDS, L=McLean, ST=VA, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 2088893171860531144544091571977442900781920883519
public exponent: 65547
Validity: [From: Thu Feb 25 10:50:57 EST 2021,
To: Sat Jan 04 10:50:57 EST 2031]
Issuer: CN=suflwr.emeralit.com, OU=DDS, O=DDS, L=McLean, ST=VA, C=US
SerialNumber: [ 01bad90f]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A EF 13 C3 95 5B 21 80 53 A7 A6 09 23 E8 09 9A :....[!.S...#...
0010: 5D D5 3B 61 ].=a
]
]
]
Algorithm: [SHA256withRSA]
Signature:
]
[Storing /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks]
Warning:
The JKS keystore uses a proprietary format.
It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks \
-destkeystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks -deststoretype pkcs12".
<5> Export the identity certificate from the keystore into a physical file with the extension .der:
|
|__ $ keytool -export -v -alias snflwr -file "`hostname`-rootCA.der" \
-keystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks -storepass Oracle2019
Certificate stored in file
Warning:
The JKS keystore uses a proprietary format.
It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks \
-destkeystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks -deststoretype pkcs12".
<6> Import the same self-signed identity certificate into the trust keystore as a ROOT certificate; at the same time this creates the trust keystore as the physical file trust.jks:
|
|__ $ keytool -import -v -trustcacerts -alias snflwr \
-file "/u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/`hostname`-rootCA.der" \
-keystore /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/trust.jks -storepass Oracle2019 -noprompt
Certificate was added to keystore
[Storing /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/trust.jks]
<7> Configure SSL for the managed server via the WebLogic console:
|
|__ o. Domain Structure => Servers => (select the managed server) => Keystores => Click "Change" => select "Custom Identity and Custom Trust" => go to the "SSL" tab to give the alias and Key Passphrase:
<8> Add the entries below to the Node Manager config file, otherwise the Admin Server cannot communicate with the Managed Server via Node Manager (the passphrases here must be the ones the keystores were actually created with; the keytool commands above used Oracle2019 for both -storepass and -keypass):
|
|__ o. /u01/app/oracle/middleware/config/user_projects/domains/pmisd/nodemanager/nodemanager.properties
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeystoreType=jks
CustomIdentityKeyStoreFileName=/u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/identity.jks
CustomIdentityKeyStorePassPhrase=Oracle2021
CustomIdentityPrivateKeyPassPhrase=Oracle2021
CustomIdentityAlias=snflwr
CustomTrustKeystoreType=jks
CustomTrustKeyStoreFileName=/u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/trust.jks
CustomTrustKeyStorePassPhrase=Oracle2021
<9> But the following error comes up when starting the Managed Server via OEM: "unable to find valid certification path to requested"; it can still be booted via the command line:
|
|__ o. The reason is that the WebLogic domain and servers are running on the OS-level Java (/usr/bin/java), not the Java integrated with Oracle Fusion Middleware.
|
|__ o. So the cert needs to be imported into the OS Java keystore (cacerts) as well, as the root user:
|
|__ $ sudo keytool -importcert -keystore /usr/java/jdk1.8.0_261-amd64/jre/lib/security/cacerts -storepass changeit \
-file /u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore/snflwr.emeralit.com-rootCA.der -alias "snflwr"
Enter keystore password:
Owner: CN=snflwr.emeralit.com, OU=DDS, O=DDS, L=McLean, ST=VA, C=US
Issuer: CN=snflwr.emeralit.com, OU=DDS, O=DDS, L=McLean, ST=VA, C=US
Serial number: 1bad90f
Valid from: Thu Feb 25 10:50:57 EST 2021 until: Sat Jan 04 10:50:57 EST 2031
Certificate fingerprints:
MD5: A7:87:AC:32:D0:B1:8B:92:4C:50:98:97:34:08:E0:19
SHA1: DE:A5:3D:7E:5B:20:B0:C8:96:B3:F6:6D:1F:71:5D:C4:16:DD:6F:19
SHA256: 7D:D7:14:16:D7:5D:E9:6F:33:5D:ED:0A:4D:22:1B:53:67:B7:28:37:F2:FB:16:3F:B5:1B:0A:06:A5:A8:E9:D3
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A EF 13 C7 95 5B 21 80 58 A7 A1 09 43 E8 09 9A :....[!.S...#...
0010: 5D D5 3D 61 ].=a
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
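The whole keytool procedure from steps <3> through <6>, as an added example that is not part of the original note: it issues the identity with a SubjectAltName (the certificate above carries only a SubjectKeyIdentifier extension, so browsers and strict clients that match the host name against the SAN reject it), keeps both stores in PKCS12 as keytool's own warning recommends, reads the passphrase from an environment variable instead of the command line, and checks that the trust store holds the same certificate as the identity store. The paths, alias and -dname mirror the note and are assumptions to adjust for your domain.

```shell
#!/bin/sh
# Added example, not part of the original note: issue the managed-server identity with a
# SubjectAltName (the cert in the note carries only a SubjectKeyIdentifier extension, so
# clients that check the host name against the SAN reject it), keep it in PKCS12 as keytool
# itself recommends, and verify that the identity and trust stores hold the same cert.
# Paths and alias mirror the note (assumptions); the passphrase is read from the KS_PASS
# environment variable through keytool's -storepass:env so it never lands in shell history.
set -eu

# Print the keytool command for review: $1 = host name, $2 = alias, $3 = keystore path.
genkeypair_cmd() {
  printf 'keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3600 '
  printf -- '-alias %s -storetype pkcs12 -keystore %s ' "$2" "$3"
  printf -- '-dname "CN=%s, OU=HHS, O=HHS, L=Rockville, ST=MD, C=US" ' "$1"
  printf -- '-ext SAN=dns:%s -storepass:env KS_PASS -keypass:env KS_PASS\n' "$1"
}

# Read "keytool -list -v" output on stdin; succeed only if the cert has a DNS SAN equal to $1.
has_san_for() {
  grep -q "DNSName: $1\$"
}

# SHA256 fingerprint of alias $2 in keystore $1 (KS_PASS must be exported).
fingerprint() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass:env KS_PASS \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

main() {
  ks_dir="${KS_DIR:-/u01/app/oracle/middleware/config/user_projects/domains/pmisd/servers/Sunflower/keystore}"
  ks_alias="${ALIAS:-snflwr}"
  host="${HOST:-$(hostname -f)}"
  : "${KS_PASS:?export KS_PASS with the keystore passphrase}"
  identity="$ks_dir/identity.p12"
  trust="$ks_dir/trust.p12"
  der="$ks_dir/$host-rootCA.der"

  eval "$(genkeypair_cmd "$host" "$ks_alias" "$identity")"
  keytool -exportcert -alias "$ks_alias" -keystore "$identity" -storepass:env KS_PASS -file "$der"
  keytool -importcert -noprompt -alias "$ks_alias" -keystore "$trust" -storetype pkcs12 \
    -storepass:env KS_PASS -file "$der"

  keytool -list -v -keystore "$identity" -alias "$ks_alias" -storepass:env KS_PASS | has_san_for "$host" \
    || { echo "identity cert has no SAN for $host" >&2; exit 1; }
  [ "$(fingerprint "$identity" "$ks_alias")" = "$(fingerprint "$trust" "$ks_alias")" ] \
    || { echo "trust store does not hold the identity cert" >&2; exit 1; }
  echo "identity and trust stores verified; point the console and nodemanager.properties at them"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` as the oracle user after exporting KS_PASS; the nodemanager.properties keystore type entries then become pkcs12 and the file names end in .p12 instead of .jks.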
Reference:
|
|__ o. https://oracle-base.com/articles/11g/weblogic-configure-ssl-for-a-managed-server