Two Way SSL Configuration in Weblogic 10.3
This post shows how to configure two-way SSL in WebLogic 10.3. Many admins find SSL in WebLogic difficult to configure and fall back on the demo keystores that ship with the product; those are fine for a sandbox and nothing else, because every WebLogic install carries the same demo certificates and keys. The example below shows how to create custom identity and trust keystores and how to switch on two-way SSL against them.
Many tools can generate private keys and CSRs: openssl, the Java keytool, BEA's CertGen, and BEA's ImportPrivateKey (a companion to keytool that imports an existing private key). Since we need a test certificate instantly, this example uses the CertGen utility.
Enjoy the example below :
Before you start, run setDomainEnv from the bin directory of your domain; it puts weblogic.jar, which contains the utils.CertGen and utils.ImportPrivateKey classes used below, on the classpath. In this example the domain path is
C:\Oracle\Weblogic\user_projects\domains\TD1\bin\setDomainEnv.cmd
Use CertGen to Generate Server Private Key and Certificate
What we need at the outset is for everyone to trust us. We're all going to trust each other here because I say so; that's what the -selfsigned switch is about. In the real world we trust each other because we mutually trust a Certificate Authority (CA) such as Verisign. Here we're saying "I am the CA", and the self-signed certificate will double as the server's own identity in the steps that follow.
java utils.CertGen -selfsigned -certfile Test_selfCA.cer -keyfile Test_selfkey.key -keyfilepass password -cn "middlewareforum.com"
CertGen writes the certificate and the password-protected private key in both PEM and DER form: Test_selfCA.cer.pem, Test_selfCA.cer.der, Test_selfkey.key.pem and Test_selfkey.key.der. The later steps refer to these suffixed file names. (The screenshot of the output is not reproduced here.)
Create the Identity Keystore
CertGen has created a unique and secret private key for the server and the self-signed root certificate. Java wants them packaged together in a keystore, and the one thing the Java keytool does not do is import a ready-made private key. Fortunately BEA is a smart bunch and created a utility to help, and to avoid any confusion about what it does they called it ImportPrivateKey.
Now run this:
java utils.ImportPrivateKey -keystore Test_Identitystore.jks -storepass password -keypass password -alias trustself -certfile Test_selfCA.cer.pem -keyfile Test_selfkey.key.pem -keyfilepass password
Output as below (screenshot not reproduced here):
Import the Certificate into a new Trust Keystore
When the client asks the server for a connection, the server will only allow access if it trusts the signer of the client's certificate. That signer is going to be our own self-signed CA, so we need its certificate packed into a separate keystore, the Trust Keystore. When the client presents its certificate, this is where the server will look to see whether it trusts the CA that signed it.
keytool -import -trustcacerts -alias trustself -keystore Trust_Test.jks -file Test_selfCA.cer.der
keytool prompts for a keystore password (you will need it again in the console) and asks you to confirm that the certificate should be trusted. The -keyalg option belongs to key generation, not to an import; the algorithm is already fixed inside the certificate, so it is not given here.
Output as below (screenshot not reproduced here):
Configure weblogic with Custom Identity and Trust keystores
Now we have an identity keystore for server-to-client communication (to supply the server certificate to the client) and a trust keystore for client-to-server communication (to validate certificates supplied by the client). We need to tell WebLogic to use them. In the admin console, select the admin server, open the Keystores tab, and change the setting to Custom Identity and Custom Trust.
Enter the locations of your identity and trust keystores and their passphrases (the -storepass given to ImportPrivateKey and the password you typed at the keytool prompt; both were 'password' in this example). On the SSL tab enter the private key alias ('trustself' above) and the private key passphrase, which is the -keypass value from ImportPrivateKey ('password' here as well). A mismatch in any of these only shows up at restart, as a keystore or key load failure in the server log.
Test One Way SSL
Under the SSL tab, make sure Two Way Client Cert Behavior is set to “Client Certificates Not Requested”
This is important: make sure the change is reflected in config.xml in the config directory of your domain. The server element should carry <key-stores>CustomIdentityAndCustomTrust</key-stores> together with the custom-identity-key-store-* and custom-trust-key-store-* elements (file name, type and encrypted passphrase), and its <ssl> element should carry the server-private-key-alias and the encrypted private key passphrase.
If any are different, edit and save config.xml to match, then restart the WebLogic server. The admin server log should show the SSL configuration we have just done being loaded (the screenshot is not reproduced here).
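As an added example that is not part of the original post, here is a small Go program that reads a config.xml and reports what those entries amount to: which keystore mode is active (an absent key-stores element means the WebLogic default, DemoIdentityAndDemoTrust), whether the custom keystore file names and private key alias are present, and which "Two Way Client Cert Behavior" the two flags in the <ssl> element produce. The same check covers the switch to two-way SSL made later in the post, since that console change is written to those same two elements. The two config.xml excerpts are constructed for the example: the element names are WebLogic's, but the domain path (taken from the post's setDomainEnv path) and the {AES}... stand-ins for the encrypted passphrases are assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// ConfigCustom is a constructed config.xml excerpt (not the post's screenshot) of the server element
// after the console changes. Element names are WebLogic's; the domain path and {AES}... are assumptions.
const ConfigCustom = `<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <server-private-key-alias>trustself</server-private-key-alias>
      <server-private-key-pass-phrase-encrypted>{AES}...</server-private-key-pass-phrase-encrypted>
      <two-way-ssl-enabled>true</two-way-ssl-enabled>
      <client-certificate-enforced>true</client-certificate-enforced>
    </ssl>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>C:\Oracle\Weblogic\user_projects\domains\TD1\Test_Identitystore.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-identity-key-store-pass-phrase-encrypted>{AES}...</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>C:\Oracle\Weblogic\user_projects\domains\TD1\Trust_Test.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
    <custom-trust-key-store-pass-phrase-encrypted>{AES}...</custom-trust-key-store-pass-phrase-encrypted>
  </server>
</domain>`

// ConfigDemo is the same server before the change: no key-stores element, so the demo keystores apply.
const ConfigDemo = `<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name><ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl></server>
</domain>`

type sslCfg struct {
	KeyAlias string `xml:"server-private-key-alias"`
	TwoWay   string `xml:"two-way-ssl-enabled"`
	Enforced string `xml:"client-certificate-enforced"`
}

type serverCfg struct {
	Name         string `xml:"name"`
	SSL          sslCfg `xml:"ssl"`
	KeyStores    string `xml:"key-stores"`
	IdentityFile string `xml:"custom-identity-key-store-file-name"`
	TrustFile    string `xml:"custom-trust-key-store-file-name"`
}

// Finding is what Check reports for one <server> element.
type Finding struct {
	Server, KeyStores, Behavior string
	Problems                    []string
}

// ClientCertBehavior maps the two <ssl> flags to the console's "Two Way Client Cert Behavior" value.
func ClientCertBehavior(s sslCfg) string {
	switch {
	case s.TwoWay != "true":
		return "Client Certs Not Requested"
	case s.Enforced == "true":
		return "Client Certs Requested And Enforced"
	}
	return "Client Certs Requested But Not Enforced"
}

// Check parses a config.xml document and lists, per server, what to confirm before restarting: the
// keystore mode, the effective client-cert behaviour, and anything still relying on the demo keystores.
func Check(doc string) ([]Finding, error) {
	var d struct {
		Servers []serverCfg `xml:"server"`
	}
	if err := xml.Unmarshal([]byte(doc), &d); err != nil {
		return nil, err
	}
	var out []Finding
	for _, s := range d.Servers {
		f := Finding{Server: s.Name, KeyStores: s.KeyStores, Behavior: ClientCertBehavior(s.SSL)}
		if f.KeyStores == "" { // WebLogic's default when the element is absent
			f.KeyStores = "DemoIdentityAndDemoTrust"
		}
		if f.KeyStores != "CustomIdentityAndCustomTrust" {
			f.Problems = append(f.Problems, "key-stores is "+f.KeyStores+": demo keystores are in use")
		} else if s.IdentityFile == "" || s.TrustFile == "" || s.SSL.KeyAlias == "" {
			f.Problems = append(f.Problems, "custom keystore file names or server-private-key-alias missing")
		}
		if strings.Contains(strings.ToLower(s.TrustFile), "demotrust") {
			f.Problems = append(f.Problems, "trust store is DemoTrust.jks, whose demo CA private key ships with every WebLogic install")
		}
		out = append(out, f)
	}
	return out, nil
}

func main() {
	for _, doc := range []string{ConfigDemo, ConfigCustom} {
		fs, err := Check(doc)
		fmt.Println(fs, err)
	}
}
```

Point Check at the real file with os.ReadFile and it works unchanged on a full config.xml, since every other element is ignored. The DemoTrust.jks finding is the one worth keeping even after this tutorial: a trust store that contains the demo CA accepts any client certificate minted with the demo CA key that every WebLogic installation carries.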
Now browse to https://localhost:7002/console
All being well, the server should present the client with its certificate.
However, the client has no reason to trust our self-signed certificate yet, so the browser throws up a warning. (The certificate's name, middlewareforum.com, also doesn't match the host you browsed to, localhost. That is tolerable in a development environment but something you'd definitely fix for production, by issuing the server certificate for the name clients actually use.)
To have the client trust the server permanently, install the certificate: hit Install and follow the instructions. When you next open the Certificate Management screen you will see "Test_selfCA.cer" listed under "Trusted Root Certification Authorities".
Now, to test two-way SSL, go back to the SSL tab in the admin console and change Two Way Client Cert Behavior from "Client Certs Not Requested" to one of the two "Requested" settings (the screenshot of the exact value is not reproduced here).
After this change, browsing to the console again while the browser has no client certificate yet produces a "No Certificate" entry in the admin server log: the server asks for a certificate and the browser has nothing to present, which in the enforced setting ends the handshake.
Configuring Client Certificate using CertGen
Now we basically need to set up the opposite situation on the client that we did on the server. But, of course, there are some crucial differences. Wouldn’t be any fun otherwise…
It's time to generate the certificate for the client. This time we want the certificate to identify the client (usually the user of the machine; you can issue one client certificate per user and install more than one on a machine if you need to), AND we want it signed by the CA we fabricated earlier, which is what the -cacert and -cakey options do. That signature is the only thing linking the client certificate to the CA: the -ou (organizational unit) value is just a subject attribute, set to "Test_selfCA" here for readability, and it does not have to match anything in the CA certificate.
java utils.CertGen -certfile karthy_client.cer -keyfile karthy_client.key -keyfilepass clientkeypass -cacert Test_selfCA.cer.der -cakey Test_selfkey.key.der -cakeypass password -cn "karthy_client" -e "Test@self.com" -ou "Test_selfCA"
The -cakeypass must be the -keyfilepass that was used when the CA key was generated ('password' in the first step). Output as below (screenshot not reproduced here):
Now bundle the certificate and key into a format the browser will accept. Having the client certificate in bits won't be much appreciated by the browser, so we package it up, as with the identity keystore but in the PKCS#12 format that browsers import.
java utils.ImportPrivateKey -keystore karthy_clientstore.p12 -storepass password -storetype pkcs12 -keypass password -alias clientcert -certfile karthy_client.cer.pem -keyfile karthy_client.key.pem -keyfilepass clientkeypass
The -keyfilepass must be the value given to CertGen when the client key was generated ('clientkeypass' above); -storepass is the password you will type when importing the .p12 file into the browser. Output as below (screenshot not reproduced here):
Import Trusted CA cert and client cert to browser
There are essentially two pieces to the pie. First, import the root CA certificate so the browser trusts the certificate sent by the server: locate the Test_selfCA.cer.der file made in the very first step and import it as a Trusted Root Certification Authority (Tools > Internet Options > Content > Certificates in IE). Then, if using IE doesn't make you go weak at the knees, the easiest thing is to double-click the PKCS#12 file you just made (karthy_clientstore.p12). IE launches its certificate import wizard, asks for the -storepass you gave ImportPrivateKey, and you're ready to roll.
Test Two Way SSL
Browse to https://localhost:7002/console
- Client requests a connection to the server
- Server responds: it sends its certificate (the self-signed "middlewareforum.com" certificate from the identity keystore) and, because two-way SSL is on, a certificate request
- Client examines the server certificate and decides to trust it, since the "middlewareforum.com" CA certificate is installed as a trusted root
- Client sends its own certificate, signed by the same CA, together with a signature over the handshake made with its private key, which proves it actually holds the key behind the certificate
- Server chains the client certificate to the "middlewareforum.com" CA in its trust keystore and verifies that signature; only then is the client authenticated
- Both sides derive the session keys and the server sends the requested resource over the encrypted channel
- Client decrypts it and displays the result, in this case the WebLogic Admin Console login page
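As an added example that is not part of the original post, the following Go program rebuilds the whole exchange offline: it generates the self-signed CA, a client certificate signed by it and a rogue self-signed certificate carrying the same CN and OU, then runs an in-process TLS server under each "Two Way Client Cert Behavior" setting. The CA-signed client is accepted; a client with no certificate is rejected in the enforced setting (the "No Certificate" situation in the log) but tolerated in the requested-but-not-enforced one; and the rogue certificate is rejected even though its OU matches, which is the point about -cacert/-cakey in the client certificate section. The names (middlewareforum.com, karthy_client, Test_selfCA) are taken from the post's commands; Go's crypto/tls stands in for WebLogic and the browser, and the certificates live in memory rather than in JKS and PKCS#12 files.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI rebuilds the post's material in memory: the self-signed CA (which the post also installs as the
// server identity), a client cert signed by it, and a rogue self-signed cert with the client's CN and OU.
type PKI struct {
	CA, Client, Rogue          *x509.Certificate
	CAKey, ClientKey, RogueKey *rsa.PrivateKey
}

// newCert makes an RSA key and certificate; parent == nil self-signs (CertGen -selfsigned), otherwise
// parentKey signs (CertGen -cacert/-cakey). That signature, not the OU, is what ties a cert to the CA.
func newCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey, dns []string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI mirrors the post's two CertGen runs, then adds the rogue cert: what anyone gets from their
// own CertGen -selfsigned run with the same -cn and -ou values.
func BuildPKI() (*PKI, error) {
	p, err := PKI{}, error(nil)
	client := pkix.Name{CommonName: "karthy_client", OrganizationalUnit: []string{"Test_selfCA"}}
	if p.CA, p.CAKey, err = newCert(pkix.Name{CommonName: "middlewareforum.com"}, true, nil, nil, []string{"middlewareforum.com"}); err != nil {
		return nil, err
	}
	if p.Client, p.ClientKey, err = newCert(client, false, p.CA, p.CAKey, nil); err != nil {
		return nil, err
	}
	if p.Rogue, p.RogueKey, err = newCert(client, true, nil, nil, nil); err != nil {
		return nil, err
	}
	return &p, nil
}

// Try runs one handshake against an in-process server whose identity is the CA cert and whose trust
// store holds only the CA. policy maps to "Two Way Client Cert Behavior": NoClientCert = Not Requested,
// RequestClientCert = Requested But Not Enforced, RequireAndVerifyClientCert = Requested And Enforced.
// A nil cert models a browser with no client certificate. It returns the client CN the server saw
// ("" if none) and the server-side handshake error, which is the view the WebLogic log gives.
func (p *PKI) Try(policy tls.ClientAuthType, cert *x509.Certificate, key *rsa.PrivateKey) (string, error) {
	trust := x509.NewCertPool() // the Trust Keystore
	trust.AddCert(p.CA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: policy, ClientCAs: trust,
		Certificates: []tls.Certificate{{Certificate: [][]byte{p.CA.Raw}, PrivateKey: p.CAKey}}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	// Browser side: trusts the CA (the import of Test_selfCA.cer.der) and expects the name in the
	// certificate; the listener is really 127.0.0.1, which is the mismatch the post mentions.
	cfg := &tls.Config{RootCAs: trust, ServerName: "middlewareforum.com"}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	go func() {
		if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			c.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer c.Close()
	tc := c.(*tls.Conn)
	if err := tc.Handshake(); err != nil { // a rejected client fails here, as the WebLogic log shows
		return "", err
	}
	if pcs := tc.ConnectionState().PeerCertificates; len(pcs) > 0 {
		return pcs[0].Subject.CommonName, nil
	}
	return "", nil
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Try(tls.NoClientCert, nil, nil))                            // one-way SSL: no peer, no error
	fmt.Println(p.Try(tls.RequireAndVerifyClientCert, nil, nil))              // no certificate: rejected
	fmt.Println(p.Try(tls.RequireAndVerifyClientCert, p.Client, p.ClientKey)) // karthy_client
	fmt.Println(p.Try(tls.RequireAndVerifyClientCert, p.Rogue, p.RogueKey))   // same OU, wrong signer: rejected
}
```

Run it with go run; each line prints the client CN the server ended up with and the server-side error. The rogue case is the one to remember when reading the OU remark above: a certificate with identical subject fields but no signature from the CA in the trust keystore never gets past the handshake.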