Sunday, March 7, 2010

How WebLogic Server Locates Trust when using own SSL certificate

Every script that connects to the WebLogic SSL port must pass the JVM property -Dweblogic.security.SSL.trustedCAKeyStore, pointing at a keystore that contains the server's trusted CA certificate.
The other option is to import the server SSL certificate into the cacerts trust keystore inside the WLS installation.

The default trust keystore is located in WL_HOME/server/lib, and each JDK ships its own cacerts as well:
find . -name cacerts
./jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts
./wlserver_10.3/server/lib/cacerts
./jdk160_14_R27.6.5-32/jre/lib/security/cacerts

The property is set through JAVA_OPTIONS in the script, for example:

export JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore=/app/cert/ServerTrust.jks ${JAVA_OPTIONS}"

This is defined in Oracle® Fusion Middleware Securing Oracle WebLogic
Server 11g Release 1 (10.3.1), Chapter 11, Configuring Identity and
Trust:



WebLogic Server uses the following algorithm when it loads its trusted
CA certificates:

1. If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
2. Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
3. Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
4. Else load trusted CA certificates from the WL_HOME\server\lib\cacerts keystore.
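The four-step precedence above, written out as a small shell helper so a script can tell which trust keystore a given setup will end up loading and whether that file is readable. This is an added example, not code from the post or from Oracle; the WL_HOME and JAVA_HOME paths are hypothetical, and the JDK cacerts location ($JAVA_HOME/jre/lib/security/cacerts) follows the find output earlier in the post.

```shell
#!/bin/sh
# Added example: resolve which trust keystore WebLogic will load, following the
# four-step precedence quoted from the Oracle documentation.
#
# $1  value of -Dweblogic.security.SSL.trustedCAKeyStore ("" if not passed)
# $2  keystore named in config.xml ("" if none, or the literal DemoTrust)
# $3  trusted CA file named in config.xml (6.x compatibility; "" if none)
# $4  WL_HOME      $5  JAVA_HOME
wls_trust_keystore() {
  if [ -n "$1" ]; then
    echo "$1"                                   # step 1: command-line keystore wins
  elif [ "$2" = "DemoTrust" ]; then
    echo "$4/server/lib/DemoTrust.jks $5/jre/lib/security/cacerts"   # step 2, demo case
  elif [ -n "$2" ]; then
    echo "$2"                                   # step 2: keystore from config.xml
  elif [ -n "$3" ]; then
    echo "$3"                                   # step 3: legacy trusted CA file
  else
    echo "$4/server/lib/cacerts"                # step 4: WLS default cacerts
  fi
}

# Pull the trustedCAKeyStore path out of a JAVA_OPTIONS string; prints nothing
# and returns 1 when the property is absent. JVM system property names are
# case-sensitive, so the exact spelling from the export line is matched.
trust_ks_from_java_options() {
  for opt in $1; do
    case $opt in
      -Dweblogic.security.SSL.trustedCAKeyStore=*) echo "${opt#*=}"; return 0 ;;
    esac
  done
  return 1
}

# Report each resolved keystore and whether it is readable; a keystore that
# cannot be read cannot supply any trusted CA certificate to the client.
check_trust_keystores() {
  for ks in $1; do
    if [ -r "$ks" ]; then echo "ok: $ks"; else echo "MISSING: $ks"; fi
  done
}

# Constructed demo values (hypothetical paths), mirroring the export line above.
JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore=/app/cert/ServerTrust.jks -Xmx512m"
cli_ks=$(trust_ks_from_java_options "$JAVA_OPTIONS") || cli_ks=""
check_trust_keystores "$(wls_trust_keystore "$cli_ks" "" "" /app/wlserver_10.3 /app/jdk160_14_R27.6.5-32)"
```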



10.3.2
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13707/identity_trust.htm#i1202187

10.3.1
http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/identity_trust.htm#i1202182

10.3
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/identity_trust.html#wp1183754