All the commands below reference $MIDDLEWARE_HOME for FMW 11g. If using FMW 12c, replace $MIDDLEWARE_HOME with $ORACLE_HOME.
1. Create a directory, for example: $MIDDLEWARE_HOME/keystores
$ cd /oracle/ofm/Oracle/Middleware   (MW_HOME)
$ mkdir keystores
2. Run the following to set the environment on UNIX. Source the script with ". ./" so the variables are set in your current shell; running it as ./setDomainEnv.sh sets them only in a subshell that exits immediately:
ofm11g@host:/ofm/Oracle/Middleware$ cd /ofm/Oracle/Middleware/user_projects/domains/PWCUAT/bin
$ . ./setDomainEnv.sh
3. Create a keystore and private key by executing the following command:
Syntax for -dname: CN=host.DOMAIN.com (Common Name: must be the hostname clients will connect to, otherwise hostname verification fails), OU=organization (Organizational Unit), O=Organization (Organization), L=organization Street (Locality), ST=Doha (State or Province), C=QA (Country)
ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -genkey -alias server_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=host.DOMAIN.com, OU=organization , O=Organization, L=organization Street, ST=Doha, C=QA" -keypass password -keystore keystore.jks -storepass password
Note: -keypass and -storepass given on the command line end up in the shell history and are visible in 'ps' output while keytool runs. Leave them out and keytool prompts for them instead.
ofm11g@host:/ofm/Oracle/Middleware/keystores$ ls
keystore.jks
4. At this point take a backup of the keystore, e.g. keystore.jks:
ofm11g@host:/ofm/Oracle/Middleware/keystores$ cp -pr keystore.jks keystore.jks-org
5. To view the contents of the keystore created, execute the following command:
ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -list -v -keystore keystore.jks -storepass password
6. Create a Certificate Signing Request (CSR) using the following command:
Syntax: keytool -certreq -v -alias <alias> -file <csr_file> -sigalg SHA256withRSA -keypass <password> -storepass <password> -keystore <keystore>
ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -certreq -v -alias server_cert -file hpsuaterver.csr -sigalg SHA256withRSA -keypass password -storepass password -keystore keystore.jks
Certification request stored in file <hpsuaterver.csr>
Submit this to your CA
ofm11g@host:/ofm/Oracle/Middleware/keystores$ ls
hpsuaterver.csr keystore.jks keystore.jks-org
Make sure you use the same -alias, -storepass and -keypass values as in Step 3.
The CSR created (hpsuaterver.csr) looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END NEW CERTIFICATE REQUEST-----
7. Send this CSR to a Certificate Authority (CA) of your choice. The CA returns the signed server certificate together with its root certificate (and any intermediate certificates in the chain).
8. Once you have received the certificate back, import it together with the trusted root CA certificate(s) that signed it into your keystore.
Save the server certificate to a file called server.cer and the Certificate Authority's root certificate to a file called rootCA.cer in your keystore directory, e.g. $MIDDLEWARE_HOME/keystores. Repeat this for any further CA certificates in the chain, e.g. rootCA2.cer.
ofm11g@host:/ofm/Oracle/Middleware/keystores$ mv certnew.cer server.cer
ofm11g@host:/ofm/Oracle/Middleware/keystores$ mv UATroot.cer rootCA.cer
ofm11g@host:/ofm/Oracle/Middleware/keystores$ ls -lrt
total 26
-rw-r--r-- 1 ofm11g hps 2240 Jul 26 14:28 keystore.jks-org
-rw-r--r-- 1 ofm11g hps 2240 Jul 26 14:28 keystore.jks
-rw-r--r-- 1 ofm11g hps 1035 Jul 26 14:39 hpsuaterver.csr
-rw-r--r-- 1 ofm11g hps 2090 Jul 27 13:40 server.cer
-rw-r--r-- 1 ofm11g hps 1328 Jul 27 13:40 rootCA.cer
ofm11g@host:/ofm/Oracle/Middleware/keystores$
9. Import the CA's root certificate into your keystore using the following command:
Syntax: keytool -import -v -noprompt -trustcacerts -alias <alias> -file <rootca_file> -keystore <keystore> -storepass <password>
ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass password
Certificate was added to keystore
[Storing keystore.jks]
If there are intermediate CA certificates, import each of them the same way under a different alias, and do it before importing the server certificate in the next step: keytool must be able to build the complete chain from the reply back to a trusted certificate, otherwise the import fails with "Failed to establish chain from reply".
10. Import the server certificate (the CA reply) into your keystore using the following command:
Syntax: keytool -import -v -alias <alias> -file <server_cert_file> -keystore <keystore> -keypass <password> -storepass <password>
ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -import -v -alias server_cert -file server.cer -keystore keystore.jks -keypass password -storepass password
Certificate reply was installed in keystore
[Storing keystore.jks]
Make sure you use the same -alias as in Step 3. The confirmation must read "Certificate reply was installed in keystore". If it says "Certificate was added to keystore" instead, the alias did not match the private key, and keytool created a separate trusted-certificate entry while the key still carries its self-signed certificate.
11. To view the contents of the keystore, execute the following command:
Syntax: keytool -list -v -keystore keystore.jks -storepass <PASSWORD>
ofm11g@host:/ofm/Oracle/Middleware/keystores$ keytool -list -v -keystore keystore.jks -storepass password
12. At this point the keystore is ready for use. To use this keystore with WLS, refer back to the Master Note for your version:
Configuring Oracle WebLogic Server (10.3.x - 12.1.x) to Use SSL in Fusion Middleware 11g/12c (Doc ID 1235653.1)
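The keytool steps of Step I collected into one script, as an added example of my own (not code from the page or from Oracle). It assumes the paths and alias used on this page, a keytool that accepts the ":file" password modifier (if yours does not, drop those options and answer the prompt), and that the CA reply is saved as server.cer with the trust anchors as rootCA*.cer / intermediate*.cer in the keystore directory; the CSR name server.csr and the -validity value are my choices. The helpers check the two things that most often go wrong: that the CA reply replaced the chain on the private-key entry instead of landing in a new trusted-certificate entry because the alias differed, and that the final entry is a PrivateKeyEntry whose chain holds at least the server and issuer certificates.

```shell
#!/bin/sh
# Added example (not from the page or Oracle): Step I with checks.
# Assumptions: paths and alias from the page; keytool accepts the ':file'
# password modifier (otherwise remove those options and answer the prompt);
# the CA reply is saved as server.cer, trust anchors as rootCA*.cer /
# intermediate*.cer, all in $KS_DIR.
set -eu

KS_DIR="${MIDDLEWARE_HOME:-/ofm/Oracle/Middleware}/keystores"
KS="$KS_DIR/keystore.jks"
ALIAS="server_cert"
PASS_FILE="$KS_DIR/.storepass"   # assumed: mode 0600, one line, the store/key password

# --- offline helpers that parse keytool output -------------------------------

# Entry type of an alias from 'keytool -list -v' on stdin:
# PrivateKeyEntry for the server key, trustedCertEntry for imported CA certs.
entry_type() {
    awk -v a="$1" '/^Alias name:/ { cur = $3 }
                   /^Entry type:/ && cur == a { print $3; exit }'
}

# Number of certificates behind a private-key alias (server cert + issuers).
chain_length() {
    awk -v a="$1" '/^Alias name:/ { cur = $3 }
                   /^Certificate chain length:/ && cur == a { print $4; exit }'
}

# Classify keytool's confirmation line after importing the CA reply.
# "reply was installed" = the chain replaced the self-signed cert on the key.
# "Certificate was added" = the alias did not match, so keytool created a new
# trusted-cert entry and the private key is still self-signed.
reply_status() {
    case "$1" in
        *"Certificate reply was installed"*)   echo chain_installed ;;
        *"Certificate was added to keystore"*) echo wrong_alias ;;
        *)                                     echo failed ;;
    esac
}

# --- the procedure -----------------------------------------------------------

build_keystore() {   # key pair, backup, CSR
    mkdir -p "$KS_DIR" && cd "$KS_DIR"
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 \
        -dname "CN=host.DOMAIN.com, OU=organization, O=Organization, L=organization Street, ST=Doha, C=QA" \
        -keystore "$KS" -storepass:file "$PASS_FILE" -keypass:file "$PASS_FILE"
    cp -p "$KS" "$KS-org"
    keytool -certreq -alias "$ALIAS" -file server.csr -sigalg SHA256withRSA \
        -keystore "$KS" -storepass:file "$PASS_FILE" -keypass:file "$PASS_FILE"
    echo "submit $KS_DIR/server.csr to the CA, then run: $0 install"
}

install_chain() {    # trust anchors first, then the reply, then verify
    cd "$KS_DIR"
    for ca in rootCA*.cer intermediate*.cer; do
        [ -f "$ca" ] || continue
        keytool -import -noprompt -trustcacerts -alias "${ca%.cer}" -file "$ca" \
            -keystore "$KS" -storepass:file "$PASS_FILE"
    done
    out=$(keytool -import -noprompt -trustcacerts -alias "$ALIAS" -file server.cer \
        -keystore "$KS" -storepass:file "$PASS_FILE" -keypass:file "$PASS_FILE" 2>&1) || true
    [ "$(reply_status "$out")" = chain_installed ] || { echo "reply import failed: $out" >&2; return 1; }
    listing=$(keytool -list -v -keystore "$KS" -storepass:file "$PASS_FILE")
    [ "$(printf '%s\n' "$listing" | entry_type "$ALIAS")" = PrivateKeyEntry ] || return 1
    [ "$(printf '%s\n' "$listing" | chain_length "$ALIAS")" -ge 2 ] || return 1
    echo "keystore OK: $ALIAS is a PrivateKeyEntry with a CA-issued chain"
}

# Only touch the real keystore when asked: 'sh keystore.sh build' or '... install'.
case "${1:-}" in
    build)   build_keystore ;;
    install) install_chain ;;
esac
```

Run it as "sh keystore.sh build" before sending the CSR and "sh keystore.sh install" once server.cer and the CA files are in place; the trust-anchor loop gives each CA file an alias derived from its file name, so nothing collides with server_cert.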
Step II: Configure WebLogic Server for SSL
The steps below take you through configuring SSL for a Managed Server.
The steps assume the reader knows how to start the Admin Server and Managed Server.
1. Start the Admin Server in the Domain
2. Log in to the WLS console, e.g.: http://10.0.00.11:7001/console
3. Select 'Environment' -> 'Servers' and click on the server you want to configure
4. Select the 'Keystores' tab
5. Select 'Keystores' -> 'Change'
6. Select 'Custom Identity and Custom Trust' from the drop-down list and click 'Save'
7. Enter the relevant information in the Keystores page:
'Custom Identity Keystore' : /ofm/Oracle/Middleware/keystores/keystore.jks
'Custom Identity Keystore Type' : JKS
'Custom Identity Keystore Passphrase' : password
'Confirm Custom Identity Keystore Passphrase' : password
'Custom Trust Keystore' : /ofm/Oracle/Middleware/keystores/keystore.jks
'Custom Trust Keystore Type' : JKS
'Custom Trust Keystore Passphrase' : password
'Confirm Custom Trust Keystore Passphrase' : password
Click 'Save'
8. Select the 'SSL' tab and enter the relevant information:
'Private Key Alias' : server_cert
'Private Key Password' : password
'Confirm Private Key Password': password
Click 'Save'
9. Select 'Environment' -> 'Servers' and click on the Managed Server configured.
In the 'General' tab:
Check 'SSL Listen Port Enabled'
'SSL Listen Port' : <port> e.g 7012 (make sure this is not used by another process)
Click Save
Then click 'Advanced', check 'Use JSSE SSL' and save the changes.
10. Repeat the keystore, SSL and listen-port configuration above for each remaining Managed Server.
11. Click 'Environment' -> 'Servers' -> AdminServer or Managed Server -> 'SSL' -> 'Advanced' -> set 'Hostname Verification' to 'None' -> click 'Save' -> Activate the changes. 'None' switches off the check that a peer's certificate CN matches the host WebLogic connected to; keep the default 'BEA Hostname Verifier' if your certificates' CNs match the hostnames, and only fall back to 'None' when they cannot.
12. Add the SSL parameters to Node Manager.
# Added following parameters in nodemanager.properties
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/ofm/Oracle/Middleware/keystores/keystore.jks
CustomIdentityKeyStorePassPhrase=password
CustomIdentityAlias=server_cert
CustomIdentityPrivateKeyPassPhrase=password
# added this parameter in startNodeManager.sh
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
export JAVA_OPTIONS
# Validate your certificate.
cd $DOMAIN_HOME/bin
-bash-3.2$ . ./setDomainEnv.sh
-bash-3.2$ java utils.ValidateCertChain -jks server_cert /ofm/Oracle/Middleware/keystores/keystore.jks
Cert[0]: CN=host.DOMAIN.com,OU=organization ,O=Organization,L=organization Street,ST=Doha,C=QA
Cert[1]: CN=Organization-BBSFADS001-CA,dc=Organization,dc=local
Certificate chain appears valid
13. Ask your network/security team to allow the new SSL ports (7012/9011/9012) between the client machines and the server.
14. Restart all the WebLogic server services.
15. Test that the new SSL URL opens:
https://10.0.00.11:7012/console
16. Disable the HTTP listen port and restart the services.
17. Enable secure replication on the clusters (cluster_forms and cluster_reports):
1. In the WebLogic Administration Console, click 'Lock & Edit'.
2. Select 'Environment' -> 'Clusters' and select cluster_forms.
3. Select 'Configuration' -> 'Replication' tab.
4. Check 'Secure Replication Enabled'.
5. Click 'Save'.
6. Click 'Activate Changes'.
Repeat the above steps for cluster_reports.
Note: Please take config.xml back-up before doing any changes in weblogic console.
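The Node Manager settings and the post-restart SSL URL check from Step II, done from the shell, as an added example of my own (not code from the page or from Oracle). It assumes the FMW 11g location of nodemanager.properties under $WL_HOME/common/nodemanager (override with NM_PROPS), the keystore path and alias used on this page, the passphrase in a mode-0600 file, and an openssl binary for the listener check; CustomIdentityKeyStoreType is one property the page does not list. The property writer removes any existing line for a key before appending the new one, which matters because Java's Properties loader keeps the last occurrence of a duplicated key, so a second manual edit that appends a stale line can silently override the intended value.

```shell
#!/bin/sh
# Added example (not from the page or Oracle): the nodemanager.properties
# changes from Step II applied idempotently, plus a shell check of the SSL
# listener. Assumptions: FMW 11g layout (nodemanager.properties under
# $WL_HOME/common/nodemanager; override with NM_PROPS), the keystore path and
# alias used on this page, the passphrase in a mode-0600 file, openssl on PATH.
set -eu

WL_HOME="${WL_HOME:-/ofm/Oracle/Middleware/wlserver_10.3}"
NM_PROPS="${NM_PROPS:-$WL_HOME/common/nodemanager/nodemanager.properties}"
KS="/ofm/Oracle/Middleware/keystores/keystore.jks"
PASS_FILE="${PASS_FILE:-/ofm/Oracle/Middleware/keystores/.storepass}"

# Set key=value in a Java properties file. Any existing line for the key is
# dropped first so the file never carries duplicates (Properties.load keeps
# the last occurrence, so a stale line would win or lose depending on order).
# Values may contain any characters; only the key is used as a pattern.
set_prop() {   # $1 file, $2 key, $3 value
    if [ -f "$1" ]; then
        grep -v "^$2=" "$1" > "$1.tmp" || true   # grep -v exits 1 when nothing is left
        mv "$1.tmp" "$1"
    fi
    printf '%s=%s\n' "$2" "$3" >> "$1"
}

# Read a key back; the last occurrence wins, mirroring the loader.
get_prop() {   # $1 file, $2 key
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

configure_nodemanager() {
    pass=$(cat "$PASS_FILE")
    set_prop "$NM_PROPS" KeyStores CustomIdentityAndCustomTrust
    set_prop "$NM_PROPS" CustomIdentityKeyStoreFileName "$KS"
    set_prop "$NM_PROPS" CustomIdentityKeyStoreType JKS
    set_prop "$NM_PROPS" CustomIdentityKeyStorePassPhrase "$pass"
    set_prop "$NM_PROPS" CustomIdentityAlias server_cert
    set_prop "$NM_PROPS" CustomIdentityPrivateKeyPassPhrase "$pass"
    chmod 600 "$NM_PROPS"   # the file now holds the passphrase in clear text
}

# After the restart: handshake with the SSL port and print the certificate the
# server actually presents. The subject must be the CN from the CSR and the
# issuer must be the CA, not the self-signed placeholder from 'keytool -genkey'.
check_ssl_listener() {   # $1 host, $2 port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# 'sh nm_ssl.sh configure' edits nodemanager.properties;
# 'sh nm_ssl.sh check host.DOMAIN.com 7012' inspects the running listener.
case "${1:-}" in
    configure) configure_nodemanager ;;
    check)     check_ssl_listener "$2" "$3" ;;
esac
```

Run the check against every server's SSL port after the restart; a subject or issuer that still shows the self-signed placeholder means the server is not reading the keystore configured in the console.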
=====================
Start the Application services
=====================
echo "Starting up the AdminServer ..."
nohup $DOMAIN_HOME/bin/startWebLogic.sh &
sleep 60
echo "Starting Node Manager ..."
nohup $WL_HOME/server/bin/startNodeManager.sh &
sleep 5
echo "Starting Forms Server 11G................."
nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh WLS_FORMS https://10.0.00.12:7012 &
sleep 60
echo "Starting Reports Server 11G................."
nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh WLS_REPORTS https://10.0.00.12:7012 &
sleep 90
echo "Starting OPMN ALL ............................"
opmnctl startall
=====================
Oracle Reference Documents:
=====================
Configuring Oracle WebLogic Server (10.3.x - 12.1.x) to Use SSL in Fusion Middleware 11g/12c (Doc ID 1235653.1)
How To Create a Java Keystore via Keytool in FMW 11g/12c (Doc ID 1230333.1)