Kousec Server Certificate Manager
Installing Server Certificates to Oracle WebLogic Server
Kousec Software, Inc.
Copyright 2009 Kousec Software, Inc. All rights reserved.
Kousec and Kousec Server Certificate Manager are trademarks of Kousec Software, Inc.
WebLogic and BEA WebLogic Server are registered trademarks of BEA Systems, Inc, a subsidiary of Oracle Corporation.
All company names and product names are trademarks of their respective holders.
r3
Table of Contents
Introduction
    Product Versions
Operations in Certificate Enrollment and Obtaining
Operations in Certificate Deployment
(A) Newly Installing the Certificate
    Preparation on the server computer
    Operations on CertMgr
    Install the certificate on the server computer
    Modifying Keystores and SSL Settings on WebLogic Server
(B) Updating the Certificate
    Operations on CertMgr
    Procedure for WebLogic Server 9 or Later Versions
    Procedure for Versions prior to WebLogic Server 9
Introduction
In a WebLogic Server installation, the standard way of obtaining an SSL certificate begins with generating a key pair and a CSR within a keystore file on the server.
When using Kousec Server Certificate Manager, key pairs and CSRs are instead generated on the Kousec Server Certificate Manager computer and managed centrally there. The server administrator then imports both the certificate and the corresponding private key into the keystore on the WebLogic server, so there is no need to generate a CSR on the WebLogic server. When applying to the CA for the SSL certificate, specify Apache 2 as the certificate format. Then obtain the certificate and register it in Kousec Server Certificate Manager.
This document explains the procedure to install the certificate and private key registered in a Kousec Server Certificate Manager computer onto a WebLogic Server computer.
In this document, Kousec Server Certificate Manager is referred to as either "Kousec CertMgr" or just "CertMgr".
Product Versions
Kousec Server Certificate Manager Beta-2
Oracle WebLogic Server (formerly known as BEA WebLogic Server)
This document gives specific instructions for the following product:
BEA WebLogic Server® 9.2 (for Windows)
A large part of the content also applies to the following product:
BEA WebLogic Server® 8.1
Operations in Certificate Enrollment and Obtaining
Obtain an SSL certificate for WebLogic Server by following the standard Kousec CertMgr operations. Always specify "Apache 2" as the software type to the CA, not WebLogic or a Java application server. Kousec CertMgr converts the Apache-type certificate and packages it in a format suitable for JKS-based servers (e.g., WebLogic Server).
Information on the target server of the certificate install can be entered either when the Certificate Definition is created or during the certificate deployment process.
During certificate definition creation, select "Java(generic)" as the server software type. For the server software options, see "Operations in Certificate Deployment" in the next section.
Operations in Certificate Deployment
New Install and Update of SSL Certificates
Two cases are considered.
A) You are currently using the Demo Identity JKS; or you are currently using a certificate from a commercial CA but, on introducing Kousec CertMgr, you want to change the naming rule of the ID keystore file, or the keystore password has been lost.
B) You are currently using a certificate from a commercial CA stored in a keystore named "server.jks", and you want to keep the JKS filename, key alias and keystore password unchanged when introducing Kousec CertMgr.
In this document, A) is referred to as a New Install of the certificate and B) as an Update of the certificate.
In case A), SSL configuration of the target WebLogic server is necessary.
1. Using the certificate package from CertMgr, newly create an ID keystore (JKS file)
2. On the target WebLogic server, configure Keystores and SSL
3. Restart the target WebLogic server
In case B), SSL configuration of the target WebLogic server is not necessary.
1. Stop the target WebLogic server
2. Using the certificate package from CertMgr, update the ID keystore (JKS file)
3. Start the target WebLogic server
You must know the key alias, keystore password and key password for the existing JKS file.
In WebLogic Server 9 or later, there is no need to restart the whole target WebLogic server: you can restart the SSL subsystem alone. In that case the procedure is as follows:
1. Using the certificate package from CertMgr, update the ID keystore (JKS file)
2. From the WebLogic Administration Console, select the target server and restart SSL.
(A) Newly Installing the Certificate
Preparation on the server computer
We will place the ID keystore in the ssl-private directory under WL_HOME\server. Create the ssl-private directory beforehand.
Start a command prompt and make the directory for server certificates:
>cd C:\bea\weblogic92\server
>mkdir ssl-private
We name JKS files with <Common-Name>.jks. If the common name of the certificate to be deployed is www2.example.com, we name it as www2.example.com.jks.
Operations on CertMgr
In the "Enter Deployment Information" screen, select JKS(generic) in the Server Software Type list box. Enter the hostname of the target WebLogic server in the Server Name text box.
Enter the following in the Server Software Options tab.
JKS File Path: C:\bea\weblogic92\server\ssl-private\www2.example.com.jks
Alias in Keystore: wlserver (arbitrary)
Keystore Password: changeit (arbitrary)
Lastly, click the Set button.
Install the certificate on the server computer
Unzip the certificate install package (cert.zip) and run jks_inst.bat in the archive.
C:\work\cert\cert>jks_inst.bat
Kousec Certmgr Cert Installer for JKS 0.1.5a
successfully read parameter file
Creating new keyStore file : C:\bea\weblogic92\server\ssl-private\www2.example.com.jks
Certificate chain length: 2
Subject: CN=www2.example.com
Validity Period: 2009/10/08 22:53:39 to 2010/10/08 22:53:39
Intermediate CA Certificates
Subject: CN=Kousec CertMgr Auto-Generated CA 20090715215939
SUCCESS:A new key store with private key and certificate is created.
Alias and key password are set as follows:
Alias:wlserver Password:changeit
You can change them using one of the commands below:
keytool -keypasswd -alias wlserver -keystore "C:\bea\weblogic92\server\ssl-private\www2.example.com.jks"
keytool -changealias -alias wlserver -keystore "C:\bea\weblogic92\server\ssl-private\www2.example.com.jks"
Enter 'y' or 'n' to end this program(y/n)y
Press any key to continue . . .
Now, a new ID keystore file, www2.example.com.jks, has been created in the directory C:\bea\weblogic92\server\ssl-private.
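Before pointing WebLogic at the new keystore it is worth proving that the file really contains what jks_inst.bat reported: that the keystore password opens it, that the alias is a private-key entry, that the key password equals the keystore password (CertMgr sets them identical, and the WebLogic SSL tab later needs that key password), and that the chain is complete and in its validity period. The script below is an added example, not part of Kousec CertMgr or WebLogic; it uses the Java KeyStore API from the Jython interpreter that WebLogic ships with WLST (Jython 2.1 in WebLogic 9.2, hence the old-style syntax). The path, alias, password and common name are the values used in this document.

```jython
# check_jks.py - sanity-check the ID keystore that jks_inst.bat produced.
# Added example, not part of Kousec CertMgr or WebLogic.
# Run it after setWLSEnv.cmd:   java weblogic.WLST check_jks.py
import sys
import jarray
from java.io import FileInputStream, IOException
from java.security import KeyStore, UnrecoverableKeyException
from java.util import Date

JKS_PATH    = r'C:\bea\weblogic92\server\ssl-private\www2.example.com.jks'
KEY_ALIAS   = 'wlserver'
STORE_PASS  = 'changeit'
EXPECTED_CN = 'www2.example.com'

def chars(s):
    # KeyStore.load/getKey take a Java char[]; jarray builds one from a string.
    return jarray.array(s, 'c')

def alias_names(ks):
    names = []
    e = ks.aliases()                  # java.util.Enumeration
    while e.hasMoreElements():
        names.append(e.nextElement())
    return names

def check_identity_keystore(path, alias, storepass, expected_cn):
    """Return a list of problems; an empty list means WebLogic can use the keystore."""
    problems = []
    ks = KeyStore.getInstance('JKS')
    stream = FileInputStream(path)
    try:
        try:
            ks.load(stream, chars(storepass))
        except IOException, e:        # wrong keystore password or damaged file
            return ['cannot open keystore: %s' % e.getMessage()]
    finally:
        stream.close()

    if not ks.isKeyEntry(alias):
        return ['alias %s is not a private-key entry; aliases present: %s'
                % (alias, alias_names(ks))]

    # CertMgr sets the key password equal to the keystore password, and the
    # SSL tab needs that key password. Prove it by unlocking the key with it.
    try:
        ks.getKey(alias, chars(storepass))
    except UnrecoverableKeyException:
        problems.append('key password of %s differs from the keystore password' % alias)

    chain = ks.getCertificateChain(alias)
    now = Date()
    for i in range(len(chain)):
        cert = chain[i]
        subject = cert.getSubjectX500Principal().getName()
        print '[%d] %s  not after %s' % (i, subject, cert.getNotAfter())
        if cert.getNotBefore().after(now) or cert.getNotAfter().before(now):
            problems.append('certificate %d (%s) is outside its validity period' % (i, subject))
    if len(chain) < 2:
        print 'WARNING: no intermediate CA certificate in the chain; clients may fail to build a path'

    leaf_subject = chain[0].getSubjectX500Principal().getName()
    if leaf_subject.find('CN=' + expected_cn) < 0:
        problems.append('leaf subject %s is not for CN=%s' % (leaf_subject, expected_cn))
    return problems

problems = check_identity_keystore(JKS_PATH, KEY_ALIAS, STORE_PASS, EXPECTED_CN)
for p in problems:
    print 'PROBLEM: ' + p
if problems:
    sys.exit(1)
print 'OK: %s is ready for WebLogic (alias %s)' % (JKS_PATH, KEY_ALIAS)
```

The same check is the one to run after changing the key password with the keytool -keypasswd command printed by the installer: if the key password no longer matches the keystore password, the script reports it, and the Private Key Passphrase entered on the SSL tab must then be the new key password rather than the keystore passphrase.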
Modifying Keystores and SSL Settings on WebLogic Server
Next, configure the WebLogic server to use this ID keystore file.
Here we illustrate the procedure for WebLogic Server 9.2.
- Log in to the Administration Console.
- Go to Environment > Servers and select target server, and open the Configuration tab.
- Open the Configuration - Keystores tab.
- In the Keystores listbox, Demo Identity and Demo Trust are selected by default. We recommend taking a screenshot of this screen, since the ID keystore and trust keystore settings are about to be changed.
- In the Keystores listbox, select Custom Identity and Java Standard Trust, and enter the following:
Custom Identity Keystore: C:\bea\weblogic92\server\ssl-private\www2.example.com.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: changeit
Confirm Custom Identity Keystore Passphrase: changeit
Do not modify settings for Java Standard Trust Keystore.
- Click the [Save] button to store the settings.
- Open the Configuration - SSL tab.
- In the Identity and Trust Locations listbox, make sure that Keystores is selected.
- Enter the following:
Private Key Location: from Custom Identity Keystore (make sure this value is shown)
Private Key Alias: wlserver
Private Key Passphrase: changeit
Confirm Private Key Passphrase: changeit
Certificate Location: from Custom Identity Keystore (make sure this value is shown)
Trusted Certificate Authorities: from Java Standard Trust Keystore (make sure this value is shown)
- Click the [Save] button to store the settings.
- Finally, click [Activate Changes]; the SSL certificate is then enabled on the target server.
For WebLogic Server 8.1 the procedure is very similar, except that you must restart the target WebLogic server for the new ID keystore to take effect.
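The console steps above map one-to-one onto attributes of the ServerMBean (Keystores tab) and its SSLMBean (SSL tab), so the same configuration can be applied with WLST, the scripting tool that ships with WebLogic Server 9.0 and later. The script below is an added example, not part of Kousec CertMgr or WebLogic; the admin URL, credentials and server name are assumptions, while the keystore path, alias and passwords are the values used in this document. It is written for the Jython 2.1 level of WLST in WebLogic 9.2.

```jython
# configure_ssl.py - WLST equivalent of the Keystores and SSL console steps
# for WebLogic Server 9.x. Added example, not part of Kousec CertMgr or WebLogic.
# Run after setWLSEnv.cmd:   java weblogic.WLST configure_ssl.py
ADMIN_URL  = 't3://localhost:7001'   # assumed
ADMIN_USER = 'weblogic'              # assumed
ADMIN_PASS = 'weblogic'              # assumed; prefer storeUserConfig()/userConfigFile in practice
SERVER     = 'AdminServer'           # assumed name of the target server

JKS_PATH   = r'C:\bea\weblogic92\server\ssl-private\www2.example.com.jks'
STORE_PASS = 'changeit'
KEY_ALIAS  = 'wlserver'
KEY_PASS   = 'changeit'   # CertMgr sets the key password equal to the keystore password

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
edit()
startEdit()
try:
    # Configuration > Keystores: Custom Identity and Java Standard Trust.
    # The Java Standard Trust settings are deliberately left untouched.
    cd('/Servers/' + SERVER)
    cmo.setKeyStores('CustomIdentityAndJavaStandardTrust')
    cmo.setCustomIdentityKeyStoreFileName(JKS_PATH)
    cmo.setCustomIdentityKeyStoreType('JKS')
    cmo.setCustomIdentityKeyStorePassPhrase(STORE_PASS)

    # Configuration > SSL: identity and trust come from the keystores above.
    cd('/Servers/' + SERVER + '/SSL/' + SERVER)
    cmo.setEnabled(true)
    cmo.setIdentityAndTrustLocations('KeyStores')
    cmo.setServerPrivateKeyAlias(KEY_ALIAS)
    cmo.setServerPrivateKeyPassPhrase(KEY_PASS)

    save()
    activate(block='true')           # the same as [Activate Changes]
except:
    cancelEdit('y')                  # leave no half-applied edit session behind
    raise

# Read back what the server now has, as you would by re-opening the console tabs.
serverConfig()
cd('/Servers/' + SERVER)
print 'KeyStores      : ' + cmo.getKeyStores()
print 'Identity store : ' + cmo.getCustomIdentityKeyStoreFileName()
cd('/Servers/' + SERVER + '/SSL/' + SERVER)
print 'Key alias      : ' + cmo.getServerPrivateKeyAlias()
disconnect()
```

The passphrases are stored encrypted in config.xml by WebLogic, but the script file itself holds them in clear, so keep it with the same file permissions as the keystore, or replace the literals with values read from a WLST user configuration file.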
(B) Updating the Certificate
Operations on CertMgr
Configure the certificate install package so that it matches the ID keystore currently used on the WebLogic server.
Example
JKS File Path: C:\bea\weblogic92\server\lib\server.jks
Alias in Keystore: wl_server
Keystore Password: Something
Lastly click the Set button.
Note: in the current version of Kousec CertMgr, the keystore password and key password must be identical.
Procedure for WebLogic Server 9 or Later Versions
- Run the certificate install package on the server computer: unzip cert.zip and start jks_inst.bat.
- From the Administration Console, select the target server and restart SSL.
Steps for WebLogic Server 9.2 are listed here.
- Click the Environment > Servers node in the left pane and select the target server on the right.
- Click the Control - Start/Stop tab.
- Go to the Server Status table in the lower part of the page and select the check box next to the name of the target server.
- Click the Restart SSL button.
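The Restart SSL button calls restartSSLChannels() on the server's ServerRuntimeMBean, which WLST can invoke as well; and since the point of the update is that the listener presents the new certificate, the natural follow-up check is a TLS handshake against the SSL port comparing the served leaf certificate with the entry in the updated keystore. The script below is an added example, not part of Kousec CertMgr or WebLogic. The admin URL, credentials, server name and SSL host/port are assumptions; the keystore path, alias and password are the values from the update example above. The trust manager it uses accepts any chain on purpose, because the check is about identity of the certificate, not about trust, and must not be reused for real connections.

```jython
# restart_ssl.py - WLST equivalent of Control > Start/Stop > Restart SSL,
# followed by a check that the listener now serves the updated certificate.
# Added example, not part of Kousec CertMgr or WebLogic.
# Run after setWLSEnv.cmd:   java weblogic.WLST restart_ssl.py
import time
import jarray
from java.io import FileInputStream
from java.security import KeyStore
from java.security.cert import X509Certificate
from javax.net.ssl import SSLContext, TrustManager, X509TrustManager

ADMIN_URL  = 't3://localhost:7001'       # assumed
ADMIN_USER = 'weblogic'                  # assumed
ADMIN_PASS = 'weblogic'                  # assumed
SERVER     = 'AdminServer'               # assumed name of the target server
SSL_HOST   = 'www2.example.com'          # assumed SSL listen address
SSL_PORT   = 7002                        # assumed SSL listen port

JKS_PATH   = r'C:\bea\weblogic92\server\lib\server.jks'   # keystore jks_inst.bat just updated
STORE_PASS = 'Something'
KEY_ALIAS  = 'wl_server'

class AcceptAnyTrustManager(X509TrustManager):
    # Makes no trust decision: we only want to see the chain the server sends.
    # Never use this for real connections.
    def checkClientTrusted(self, chain, authType):
        pass
    def checkServerTrusted(self, chain, authType):
        pass
    def getAcceptedIssuers(self):
        return jarray.array([], X509Certificate)

def served_certificate(host, port):
    """Handshake with the SSL listener and return the leaf certificate it presents."""
    ctx = SSLContext.getInstance('TLS')
    ctx.init(None, jarray.array([AcceptAnyTrustManager()], TrustManager), None)
    sock = ctx.getSocketFactory().createSocket(host, port)
    try:
        sock.startHandshake()
        return sock.getSession().getPeerCertificates()[0]
    finally:
        sock.close()

def keystore_certificate(path, storepass, alias):
    ks = KeyStore.getInstance('JKS')
    stream = FileInputStream(path)
    try:
        ks.load(stream, jarray.array(storepass, 'c'))
    finally:
        stream.close()
    return ks.getCertificate(alias)

# 1. Restart the SSL channels (ServerRuntimeMBean.restartSSLChannels, WebLogic 9.0+).
connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
domainRuntime()
cd('/ServerRuntimes/' + SERVER)
cmo.restartSSLChannels()
disconnect()
time.sleep(5)          # existing SSL connections are dropped; give the channel a moment

# 2. The certificate on the wire must be the one in the updated keystore.
expected = keystore_certificate(JKS_PATH, STORE_PASS, KEY_ALIAS)
served = served_certificate(SSL_HOST, SSL_PORT)
print 'served   : %s serial=%s notAfter=%s' % (
    served.getSubjectX500Principal().getName(), served.getSerialNumber(), served.getNotAfter())
if served.equals(expected):                     # compares the DER encodings
    print 'OK: listener presents the certificate from %s' % JKS_PATH
else:
    print 'MISMATCH: keystore has serial=%s notAfter=%s; SSL was not restarted or another keystore is configured' % (
        expected.getSerialNumber(), expected.getNotAfter())
```

A mismatch after a successful restart usually means the server's Custom Identity Keystore setting points at a different file than the one jks_inst.bat updated, which is exactly the situation the "keep the filename, alias and password unchanged" rule of case B) is meant to prevent.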
Procedure for Versions prior to WebLogic Server 9
For WebLogic Server versions that cannot restart SSL on its own (for example, WebLogic Server 8.1), the target WebLogic server must be stopped while jks_inst.bat runs:
- Shutdown the target WebLogic server
- Run jks_inst.bat
- Start the target WebLogic server