Thursday, December 10, 2009

Configuring SSL on Weblogic


.  /usr/bea/wlserver_10.3/server/bin/

rm -f *jks *pem *der

# create CA self signed certificate
java utils.CertGen -certfile ServerCACert -keyusage digitalSignature,keyAgreement,keyCertSign,keyEncipherment,dataEncipherment -keyusagecritical false -keyfile ServerCAKey -keyfilepass ServerCAKey -selfsigned -e -ou FOR-DEVELOPMENT-ONLY -o XXXX -l PRAGUE -s CZ -c EU

#print certificate
openssl x509 -text -inform der -in ServerCACert.der

# store the private key and the digital certificate in the identity keystore
java utils.ImportPrivateKey -certfile ServerCACert.der -keyfile ServerCAKey.der -keyfilepass ServerCAKey -keystore ServerIdentity.jks -storepass ServerCAKey -alias identity -keypass ServerCAKey

#Store the same digital certificate into the trust keystore
keytool -import -v -trustcacerts -alias identity -file ServerCACert.der -keystore ServerTrust.jks -storepass ServerTrustStorePass

keytool -list -keystore ServerIdentity.jks -storepass ServerCAKey
keytool -list -keystore ServerTrust.jks -storepass ServerTrustStorePass
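The ServerTrust.jks written by keytool above is a plain JKS file: the storepass only seeds a SHA-1 integrity hash at the end of the file, while the certificates inside sit in the clear, so the password detects tampering but does not hide anything. Added example (my code, not from the post): a minimal pure-Python writer and reader for trusted-cert entries that mimics `keytool -list` and checks that hash; the certificate bytes are a constructed placeholder.

```python
import hashlib
import struct
JKS_MAGIC, JKS_VERSION, TRUSTED_CERT_TAG = 0xFEEDFEED, 2, 2
JKS_SALT = b"Mighty Aphrodite"          # fixed string mixed into every JKS integrity hash
SAMPLE_DER = b"\x30\x03\x02\x01\x01"    # constructed placeholder, not a real certificate

def _utf(s):
    # Java DataOutputStream.writeUTF: 2-byte big-endian length followed by the bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _integrity_digest(password, body):
    # SHA-1 over the store password as UTF-16BE, the fixed salt, then the whole file body
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()

def build_trust_jks(password, entries, timestamp_ms=0):
    """Write a JKS holding only trusted-cert entries; entries is a list of (alias, der_bytes)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias.lower())  # keytool lower-cases aliases
        body += struct.pack(">Q", timestamp_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der           # cert bytes stored in clear
    return body + _integrity_digest(password, body)

def list_trust_jks(data, password=None):
    """Like `keytool -list`: returns (aliases, integrity_ok); integrity_ok is None without a password."""
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos, aliases = 12, []
    for _ in range(count):
        tag = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("only trusted-cert entries are handled here")
        n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        aliases.append(data[pos:pos + n].decode("utf-8")); pos += n
        pos += 8                                                      # entry timestamp
        n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2 + n   # certificate type string
        n = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4 + n   # certificate bytes
    body, stored = data[:pos], data[pos:pos + 20]
    ok = None if password is None else _integrity_digest(password, body) == stored
    return aliases, ok
if __name__ == "__main__":
    ks = build_trust_jks("ServerTrustStorePass", [("identity", SAMPLE_DER)])
    print(list_trust_jks(ks, "ServerTrustStorePass"))
```

A store whose hash does not verify under the configured passphrase should be rebuilt from the CA certificate rather than trusted.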

<Dec 11, 2009 12:17:40 AM CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias identity from the JKS keystore file /home/dave/workspace/cert/ServerIdentity.jks.> 
<Dec 11, 2009 12:17:44 AM CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /home/dave/workspace/cert/ServerTrust.jks.>
<Dec 11, 2009 12:17:44 AM CET> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on for protocols iiops, t3s, ldaps, https.>

java -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true \


java utils.CertGen -help

Usage: java utils.CertGen
-certfile <cert_file> -keyfile <private_key_file>
-keyfilepass <private_key_password>
[-cacert <ca_cert_file>][-cakey <ca_key_file>]
[-cakeypass <ca_key_password>]
[-selfsigned][-strength <key_strength>]
[-e <email_address>][-cn <common_name>]
[-ou <org_unit>][-o <organization>]
[-l <locality>][-s <state>][-c <country_code>]
[-keyusage [digitalSignature,nonRepudiation,keyEncipherment,
[-keyusagecritical true|false]
[-subjectkeyid <subject_key_identifier>]
[-subjectkeyidformat UTF-8|BASE64]

-cacert, -cakey, -cakeypass
public certificate, private key file names, and private key
password of the CA to be used as an issuer of the generated
certificate. When these options are not specified Demo CA files:
CertGenCA.der, CertGenCAKey.der from the current working directory
or from WebLogic lib directory will be used.

-selfsigned
generate a self-signed certificate. CA options will be ignored
when this option is specified

-certfile, -keyfile
output file names without extensions for the generated public
certificate and private key. Appropriate extensions are appended
when the pem and der files are created.

-keyfilepass
password of the generated private key.

-strength
size of the generated keys. The default is 1024 bits.

-e, -cn, -ou, -o, -l, -s, -c
Subject DN attributes of the generated public certificate.

-keyusage
generate certificate with keyusage extension, and with bits set
according to the comma-separated list of bit names.
Extension will be marked as critical by default.
Use [-keyusagecritical false] to generate certificate with
non-critical extension.

-subjectkeyid
generate certificate with the specified subject key identifier
Use [-subjectkeyidformat UTF-8|BASE64] to indicate the format of
the specified subject key identifier string. The default is UTF-8.

WLSTException: Error occured while performing connect : "Cannot connect to WLST." : The command line trust keystore configuration is incorrect. Either TrustKeyStore is set to an illegal value or TrustKeyStore is set to CustomTrust and CustomTrustKeyStoreFileName is not set.

The error refers to WebLogic's trust keystore system properties, whose help text reads:

To use the trusted CAs in the JDK's cacerts, specify:
-Dweblogic.security.TrustKeyStore=JavaStandardTrust
defaults to JavaStandardTrust
-Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=<passphrase>
defaults to no passphrase which means
read-only access to the JDK's cacerts.

To use the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify:
-Dweblogic.security.TrustKeyStore=DemoTrust
-Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=<passphrase>
defaults to no passphrase which means
read-only access to the JDK's cacerts.

To use the trusted CAs from another keystore, specify:
-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStoreFileName=<filename>
either an absolute pathname or a pathname relative to the
directory the server was booted in.
-Dweblogic.security.CustomTrustKeyStoreType=<type>
defaults to the default keystore type specified
in the JDK's java.security file.
-Dweblogic.security.CustomTrustKeyStorePassPhrase=<passphrase>
defaults to no passphrase. Some keystore types allow this
but only grant read-access (eg. jks). Other keystore types
require a keystore passphrase even for read-access.

Sunday, December 6, 2009

Starting AdminServer with WLST

Use the WLST startServer command to start the Administration Server.

startServer([adminServerName], [domainName], [url], [username],
[password],[domainDir], [block], [timeout], [serverLog],
[systemProperties], [jvmArgs] [spaceAsJvmArgsDelimiter])

import os

adminServerName = "AdminServer"
adminServerUrl = "t3://localhost:7001"
adminUser = "weblogic"
adminPassword = "weblogic123"

domainName = "base_domain"
domainHome = "/app/bea/domains/base_domain"

print "JAVA_HOME %s" % os.getenv("JAVA_HOME")
print "CLASSPATH %s" % os.getenv("CLASSPATH")

# connect() and startServer() are WLST built-ins; run this script with
# java weblogic.WLST <script>. connect() raises WLSTException when the
# server is not reachable, which is the signal to start it.
try:
    print "try connect to WLS %s" % adminServerName
    connect(adminUser, adminPassword, adminServerUrl)
    print "Connected to %s" % adminServerName
except WLSTException:
    # start the server from its domain directory; startServer blocks
    # by default until the server is up, then connect again
    print "Server not started, try start %s " % adminServerName
    startServer(adminServerName, domainName,
                adminServerUrl, adminUser, adminPassword,
                domainHome)
    print "started %s" % adminServerName
    connect(adminUser, adminPassword, adminServerUrl)

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

JAVA_HOME /usr/java/jdk160_05
try connect to WLS AdminServer
Connecting to t3://localhost:7001 with userid weblogic ...
Server not started, try start AdminServer
Starting weblogic server ...

Server started successfully.
started AdminServer
Connecting to t3://localhost:7001 with userid weblogic ...
WLST-WLS-1260094522421: <Dec 6, 2009 11:15:45 AM CET> <Warning> <JMX> <BEA-149517> <An attempt was made to unregister an mbean that was already unregistered: weblogic.servlet.internal.ServletRuntimeMBeanImpl@146de01>
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'mydomain'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.