Thursday 14 September 2017

SSL Configuration on Weblogic

This article describes all the steps needed to configure SSL on WebLogic Server.
For a WebLogic cluster, these steps must be repeated for each cluster member.

1.    Configure Java keystores

To configure the Java stores (an identity keystore holding the server certificate and its private key, and a truststore holding the Certification Authority certificates), follow these steps.
Connect to the WebLogic Admin Console (in production mode, click "Lock & Edit" first):
-    Go to "Environment / Servers / <ServerName>"
-    Go to the "Configuration / Keystores" tab.
-    Click the "Change" button.

-    Select "Custom Identity and Custom Trust" in the "Keystores" list, then click "Save".
Note: if the server certificate was issued by a well-known CA that is already present in the JDK's cacerts file, "Custom Identity and Java Standard Trust" can be used instead; the trust passphrase is then that of the Java Standard Trust keystore (changeit unless it was changed).



-    Make the following changes:
    o    Custom Identity Keystore: "/u01/app/security/mykeystore.jks" (the keystore created previously)
    o    Custom Identity Keystore Type: "JKS"
    o    Custom Identity Keystore Passphrase: <password for the keystore> (the password used when the Java keystore was created)
    o    Confirm Custom Identity Keystore Passphrase: <password for the keystore>
    o    Custom Trust Keystore: <path to the truststore> (the truststore created previously)
    o    Custom Trust Keystore Type: "JKS"
    o    Custom Trust Keystore Passphrase: <password for the truststore> (the password used when the Java truststore was created)
    o    Confirm Custom Trust Keystore Passphrase: <password for the truststore>
-    Click "Save".
Note: the identity keystore contains the server's private key, so its file permissions should allow access only to the OS user running WebLogic. The passphrases entered here are stored encrypted in config.xml, but anyone who can read the domain's security/SerializedSystemIni.dat can decrypt them, so the domain directory needs the same protection.

-    Click "Activate Changes".

2.    SSL Configuration

To configure SSL using the keystores set up in step 1:

-    Go to "Environment / Servers / <ServerName>"
-    Click the "Configuration / SSL" tab
-    Apply the following modifications:
    o    Identity and Trust Locations: Keystores (default)
    o    Private Key Location: from Custom Identity Keystore (default)
    o    Private Key Alias: <alias of the server key> (the alias given when the key pair and certificate were added to the keystore)
    o    Private Key Passphrase: <password of the key alias> (the password given when the key entry was created)
    o    Confirm Private Key Passphrase: <password of the key alias>
-    Click "Save".
Note: the private key passphrase cannot be empty. A key entry generated with keytool without an explicit -keypass uses the keystore password as its key password, so enter that one; to give the key its own passphrase, change it with keytool -keypasswd -alias <alias> -keystore <keystore> before filling in this tab.




-    Click "Activate Changes".
Once the SSL listen port is enabled for the server (Configuration / General tab), check what the server actually presents with openssl s_client -connect <host>:<ssl port> -showcerts: the chain and subject should be the ones from the identity keystore, not the demo certificate.
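Because the two tabs above have to be filled in once per cluster member, the same settings are usually scripted. The following WLST (Jython) script is an added example, not code from the original post or from Oracle: it performs step 1 and step 2 for a list of servers in one edit session. The admin URL, server names, key aliases, truststore path and the names of the environment variables holding the passphrases are assumptions; the identity keystore path is the one used in the post.

```python
# Added example, not part of the original post: a WLST (Jython) script that
# applies steps 1 and 2 to every member of a cluster in a single edit session,
# instead of clicking through the console once per server.
# Run it with:  java weblogic.WLST configure_ssl.py
# The WLST built-ins used in configure_servers() (connect, edit, startEdit, cd,
# cmo, save, activate, disconnect) exist only inside WLST; everything else is
# plain Python and can be checked outside WebLogic.
import os

# Constructed sample configuration. The identity keystore path comes from the
# post; the admin URL, server names, aliases and truststore path are assumptions.
# The same key passphrase is assumed for every server's key entry.
CONFIG = {
    'admin_url': 't3://adminhost:7001',
    'servers': [('server1', 'server1cert'), ('server2', 'server2cert')],  # (server, key alias)
    'identity_store': '/u01/app/security/mykeystore.jks',
    'identity_type': 'JKS',
    'trust_store': '/u01/app/security/mytruststore.jks',
    'trust_type': 'JKS',
}

# Environment variables the passphrases are read from (assumed names), so that
# no password ever sits in the script file.
SECRET_VARS = {
    'identity_pass': 'WLS_IDENTITY_PASS',
    'trust_pass': 'WLS_TRUST_PASS',
    'key_pass': 'WLS_KEY_PASS',
}


def validate_secrets(secrets):
    """Return the names of missing or empty passphrases.

    The console refuses an empty private key passphrase (note in step 2);
    checking up front avoids a half-applied edit session.
    """
    return [name for name in ('identity_pass', 'trust_pass', 'key_pass')
            if not secrets.get(name)]


def load_secrets(environ):
    """Read the passphrases from an environment mapping and validate them."""
    secrets = {}
    for name, var in SECRET_VARS.items():
        secrets[name] = environ.get(var, '')
    missing = validate_secrets(secrets)
    if missing:
        raise ValueError('missing passphrase(s): %s' % ', '.join(missing))
    return secrets


def keystore_attributes(cfg, secrets):
    """ServerMBean attributes equivalent to step 1 (Configuration / Keystores)."""
    return [
        ('KeyStores', 'CustomIdentityAndCustomTrust'),
        ('CustomIdentityKeyStoreFileName', cfg['identity_store']),
        ('CustomIdentityKeyStoreType', cfg['identity_type']),
        ('CustomIdentityKeyStorePassPhrase', secrets['identity_pass']),
        ('CustomTrustKeyStoreFileName', cfg['trust_store']),
        ('CustomTrustKeyStoreType', cfg['trust_type']),
        ('CustomTrustKeyStorePassPhrase', secrets['trust_pass']),
    ]


def ssl_attributes(alias, secrets):
    """SSLMBean attributes equivalent to step 2 (Configuration / SSL)."""
    return [
        ('IdentityAndTrustLocations', 'KeyStores'),  # the default, set explicitly
        ('ServerPrivateKeyAlias', alias),
        ('ServerPrivateKeyPassPhrase', secrets['key_pass']),
    ]


def apply_attributes(mbean, attributes):
    """Call set<Name>(value) on the MBean for each pair; return the names set."""
    applied = []
    for name, value in attributes:
        getattr(mbean, 'set' + name)(value)
        applied.append(name)
    return applied


def configure_servers(cfg, secrets):
    """Lock & Edit, both tabs, Save and Activate Changes, for every server."""
    connect(os.environ['WLS_ADMIN_USER'], os.environ['WLS_ADMIN_PASS'], cfg['admin_url'])
    edit()
    startEdit()
    for server, alias in cfg['servers']:
        cd('/Servers/' + server)                       # Configuration / Keystores
        apply_attributes(cmo, keystore_attributes(cfg, secrets))
        cd('/Servers/' + server + '/SSL/' + server)    # Configuration / SSL
        apply_attributes(cmo, ssl_attributes(alias, secrets))
    save()
    activate(block='true')
    disconnect()


# WLST sets __name__ to 'main' rather than '__main__' when it runs a script file.
if __name__ in ('__main__', 'main'):
    configure_servers(CONFIG, load_secrets(os.environ))
```

Export WLS_ADMIN_USER, WLS_ADMIN_PASS and the three passphrase variables in the shell before running it; the script deliberately contains no password. It stays within Python 2 syntax because the Jython shipped with WLST is a Python 2 interpreter. The MBean attribute names are the ones behind the console fields of the two tabs, which is why the lists mirror the field order above.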


3.   Hostname Verification


By default WebLogic, when it opens an outbound SSL connection (for example to another server of the domain), rejects a peer certificate whose subject does not match the hostname it is connecting to. It can be useful to disable this hostname verification, but only for testing: it is not recommended for production, since without it any certificate trusted by the truststore is accepted whatever host presents it.

To disable hostname verification:
-    Go to "Environment / Servers / <ServerName>"
-    Click the "Configuration / SSL" tab
-    Open the "Advanced" section and make the following changes:
    o    Hostname Verification: "None"
    o    Custom Hostname Verifier: leave empty
-    Click "Save"
-    Click "Activate Changes".

Note: to accept wildcard certificates (example: *.ddy.com), which the default verifier rejects, use the wildcard verifier shipped with WebLogic rather than disabling the check:
-    Go to "Environment / Servers / <ServerName>"
-    Click the "Configuration / SSL" tab
-    Open the "Advanced" section and set the following values:
    o    Hostname Verification: Custom Hostname Verifier
    o    Custom Hostname Verifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
-    Click "Save"
-    Click "Activate Changes".
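To make the difference between the three settings concrete, here is an added example in plain Python (not WebLogic's code, and not part of the original post) that runs the same certificate name and target hostname through an exact check, a wildcard check and no check at all. The wildcard rule implemented here is a deliberately conservative one (only the leftmost label may be a wildcard, it matches exactly one label, and names like *.com are refused); the exact rule used by weblogic.security.utils.SSLWLSWildcardHostnameVerifier should be taken from the WebLogic documentation. The sample name pairs are constructed; *.ddy.com is the example from the post.

```python
# Added example, not WebLogic's code: the hostname checks of section 3 written
# out in plain Python so the three console settings can be compared on the same
# inputs.
#  - 'default'  : exact, case-insensitive match, which is what the default
#                 verifier enforces and why a *.ddy.com certificate fails there.
#  - 'wildcard' : conservative wildcard rule (leftmost label only, exactly one
#                 label, '*.com' style names refused). Assumption: the real
#                 SSLWLSWildcardHostnameVerifier may differ in details.
#  - 'none'     : Hostname Verification = None, i.e. any certificate is accepted.


def _normalize(name):
    """Lower-case and drop a trailing dot so 'WWW.ddy.com.' equals 'www.ddy.com'."""
    return name.strip().lower().rstrip('.')


def default_match(cert_name, hostname):
    """Behaviour of the default verifier: the two names must be identical."""
    return _normalize(cert_name) == _normalize(hostname)


def wildcard_match(cert_name, hostname):
    """Accept '*.ddy.com' for 'www.ddy.com' but not for 'a.b.ddy.com' or 'ddy.com'."""
    if '*' not in cert_name:
        return default_match(cert_name, hostname)
    cert = _normalize(cert_name).split('.')
    host = _normalize(hostname).split('.')
    if cert[0] != '*' or '*' in cert[1:]:
        return False            # wildcard allowed in the leftmost label only
    if len(cert) < 3:
        return False            # '*.com' would match every .com host
    if len(host) != len(cert):
        return False            # exactly one label: no match for deeper names
    return cert[1:] == host[1:]


def verify(cert_name, hostname, mode):
    """Apply the verifier selected under Configuration / SSL / Advanced."""
    if mode == 'none':
        return True
    if mode == 'wildcard':
        return wildcard_match(cert_name, hostname)
    if mode == 'default':
        return default_match(cert_name, hostname)
    raise ValueError('unknown mode %r' % mode)


def compare_modes(cert_name, hostname):
    """Result of the same pair under the three settings, for a quick table."""
    return dict((mode, verify(cert_name, hostname, mode))
                for mode in ('default', 'wildcard', 'none'))


if __name__ == '__main__':
    # Constructed sample pairs; *.ddy.com is the example from the post.
    for cert, host in (('www.ddy.com', 'www.ddy.com'),
                       ('*.ddy.com', 'www.ddy.com'),
                       ('*.ddy.com', 'a.b.ddy.com'),
                       ('*.ddy.com', 'ddy.com'),
                       ('other.example', 'www.ddy.com')):
        print('%-16s %-14s %s' % (cert, host, compare_modes(cert, host)))
```

The last row of the table is the point of the warning above: with the check set to None, a certificate for other.example is accepted for www.ddy.com, so a trusted but wrong certificate is enough to sit between two servers. The wildcard mode keeps the check while still accepting one *.ddy.com certificate for every host of that domain.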
