Thursday, December 10, 2009

Configuring SSL on Weblogic

http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707
/identity_trust.htm


http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html#importCertCmd


http://chrismuir.sys-con.com/node/1075471/mobile

ProfessionalWeblogic



.  /usr/bea/wlserver_10.3/server/bin/setWLSEnv.sh

rm -f *jks *pem *der

# create CA self signed certificate
java utils.CertGen -certfile ServerCACert -keyusage digitalSignature,keyAgreement,keyCertSign,keyEncipherment,dataEncipherment -keyusagecritical false -keyfile ServerCAKey -keyfilepass ServerCAKey -selfsigned -e somebody@dave.com -ou FOR-DEVELOPMENT-ONLY -o XXXX -l PRAGUE -s CZ -c EU

#print certificate
openssl x509 -text -inform der -in ServerCACert.der

# store the private key and the digital certificate in the identity keystore
java utils.ImportPrivateKey -certfile ServerCACert.der -keyfile ServerCAKey.der -keyfilepass ServerCAKey -keystore ServerIdentity.jks -storepass ServerCAKey -alias identity -keypass ServerCAKey

#Store the same digital certificate into the trust keystore
keytool -import -v -trustcacerts -alias identity -file ServerCACert.der -keystore ServerTrust.jks -storepass ServerTrustStorePass

keytool -list -keystore ServerIdentity.jks -storepass ServerCAKey
keytool -list -keystore ServerTrust.jks -storepass ServerTrustStorePass




<Dec 11, 2009 12:17:40 AM CET> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias identity from the JKS keystore file /home/dave/workspace/cert/ServerIdentity.jks.> 
<Dec 11, 2009 12:17:44 AM CET> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /home/dave/workspace/cert/ServerTrust.jks.>
<Dec 11, 2009 12:17:44 AM CET> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 127.0.0.1:7002 for protocols iiops, t3s, ldaps, https.>



java  -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true \
-Dweblogic.security.TrustKeyStore=CustomTrust \
-Dweblogic.security.CustomTrustKeyStoreFileName=/home/dave/workspace/cert/ServerTrust.jks \
-Dweblogic.security.CustomTrustKeyStoreType=jks \
-Dweblogic.security.SSL.trustedCAKeyStore=/home/dave/workspace/cert/ServerTrust.jks

weblogic.WLST connectSSL.py






java utils.CertGen -help

Usage: java utils.CertGen
-certfile <cert_file> -keyfile <private_key_file>
-keyfilepass <private_key_password>
[-cacert <ca_cert_file>][-cakey <ca_key_file>]
[-cakeypass <ca_key_password>]
[-selfsigned][-strength <key_strength>]
[-e <email_address>][-cn <common_name>]
[-ou <org_unit>][-o <organization>]
[-l <locality>][-s <state>][-c <country_code>]
[-keyusage [digitalSignature,nonRepudiation,keyEncipherment,
dataEncipherment,keyAgreement,keyCertSign,
cRLSign,encipherOnly,decipherOnly]]
[-keyusagecritical true|false]
[-subjectkeyid <subject_key_identifier>]
[-subjectkeyidformat UTF-8|BASE64]
[-help]

Where:
-cacert, -cakey, -cakeypass
public certificate, private key file names, and private key
password of the CA to be used as an issuer of the generated
certificate. When these options are not specified Demo CA files:
CertGenCA.der, CertGenCAKey.der from the current working directory
or from WebLogic lib directory will be used.

-selfsigned
generate a self-signed certificate. CA options will be ignored
when this option is specified

-certfile, -keyfile
output file names without extensions for the generated public
certificate and private key. Appropriate extensions are appended
when the pem and der files are created.

-keyfilepass
password of the generated private key.

-strength
size of the generated keys. The default is 1024 bits.

-e, -cn, -ou, -o, -l, -s, -c
Subject DN attributes of the generated public certificate.

-keyusage
generate certificate with keyusage extension, and with bits set
according to the comma-separated list of bit names.
Extension will be marked as critical by default.
Use [-keyusagecritical false] to generate certificate with
non-critical extension.

-subjectkeyid
generate certificate with the specified subject key identifier
Use [-subjectkeyidformat UTF-8|BASE64] to indicate the format of
the specified subject key identifier string. The default is UTF-8.



WLSTException: Error occured while performing connect : "Cannot connect to WLST." : The command line trust keystore configuration is incorrect. Either TrustKeyStore is set to an illegal value or TrustKeyStore is set to CustomTrust and CustomTrustKeyStoreFileName is not set.

To use the trusted CAs in the JDK's cacerts, specify:

-Dweblogic.security.TrustKeyStore=JavaStandardTrust
defaults to JavaStandardTrust

-Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=passphrase
defaults to no passphrase which means
read-only access to the JDK's cacerts.

To use the trusted CAs in DemoTrust.jks and in the JDK's cacerts, specify:

-Dweblogic.security.TrustKeyStore=DemoTrust
-Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=passphrase
defaults to no passphrase which means
read-only access to the JDK's cacerts.

To use the trusted CAs from another keystore, specify:

-Dweblogic.security.TrustKeyStore=CustomTrust

-Dweblogic.security.CustomTrustKeyStoreFileName=filename
either an absolute pathname or a pathname relative to the
directory the server was booted in.

-Dweblogic.security.CustomTrustKeyStoreType=type
defaults to the default keystore type specified
in the JDK's java.security file.

-Dweblogic.security.CustomTrustKeyStorePassPhrase=passphrase
defaults to no passphrase. Some keystore types allow this
but only grant read-access (eg. jks). Other keystore types
require a keystore passphrase even for read-access.

1 comment:

  1. Hi Daniel.. im getting the same WLSTException as above , when trying to connect to WLST, do you have a solution for that.. ?and why im getting that exception?

    ReplyDelete