• 26Feb
    Author: ben Categories: Infrastructure, Security Comments: 0

    I was surprised to see a lack of usable documentation for installing SSL certificates on a BEA Weblogic server. Most of the big Certificate Authorities have some instructions, but they’re certainly not complete and some are outdated. BEA’s documentation is literally written in pseudo code with If-Else statements. Hopefully these instructions will help somebody out there. Read on for specific directions on generating a request and installing the certificate.

    Step 1 – Enable certificate.war to generate a Certificate Signing Request (CSR)
    The first step is to enable the certificate request generator to allow CSR generation. There is mixed documentation about whether to use this applet or the Java “keytool” command line utility instead. The current version of weblogic says that the generator is deprecated, but I used it anyway.

    From Administration console (http://<servername>:7001/console) (Your port might be different)

    1. Click “Deployments”
    2. Click “Lock & Edit”
    3. Click Install
    4. On the “Install Application Assistant” page, navigate to the correct location.
    5. Click the URL for the application (highlighted as a link)
    6. Follow the path to certificate.war. For me, this was /appl/bea/wlserver_10.0/server/lib/certificate.war
    7. Once you’re in the correct folder, click the radio button next to certificate.war and click Next
    8. Leave “Install this deployment as an application” selected and click next
    9. Leave all the defaults selected and click Finish
    10. Back at the “Summary of Deployments” page, certificate should show up in the list in the “Installed” state.
    11. Check the box next to certificate and click Start. I picked “servicing all requests” rather than only administration requests.
    [Screenshot: certificate application in administration console]

    12. Finally, click Activate Changes (where Lock & Edit usually is) to make the change. This starts the certificate module.

    Step 2 – Generate a CSR and submit it to a certificate authority

    The next step is to use the newly enabled certificate request generator to create the CSR. Point a browser to http://<servername>:7001/certificate and fill out the fields.

    Note that “Full host name” should be the fully qualified domain name of your site (the name users will see in the URL), not your local host name. Also, don’t forget the password! After the CSR is generated, you’ll be able to copy and paste it from the resulting web page. Submit the CSR to your favorite certificate authority (I like Geotrust) to get a signed certificate.

    This process also creates 3 files in your domain directory:

    • The private key file in DER format
    • The CSR in DER format
    • The CSR in PEM format

    If you just copy and paste the CSR as suggested above, it’s safe to delete both of the CSR files from the domain directory. You’ll need the key file in a minute, so don’t delete it.

    Step 3 – Create a keystore

    Now comes the goofy part (IMHO, of course). We must create a JKS keystore, then import the trusted CA certificate, the signed certificate from the CA, and the key file. We’ll then tell Weblogic to use the keystore and we’ll be finished. For this step you’ll need command line access and permissions to write to the domain directory. BEA’s documentation goes into great detail about whether or not to include the trusted certificate (trust) in the same store as the signed certificate and the key file (identity). While in general they have good advice, my deployment did not require the flexibility of separate keystores. I just protected the resulting single identity and trust keystore with permissions 600 and left it at that.

    You’ll need the root certificate from the certificate authority you used to sign your CSR. I used Geotrust, and their root certificates are found here. I used the Base-64 encoded format.

    It’s time to assemble all the files for the keystore. Create each of the files in the same directory (any directory you prefer; I used my home directory).

    • Copy and paste the root certificate (or use wget, if you have it) into a plain text file on your system.
    • Copy and paste the PEM-formatted certificate that came from the CA into a plain text file.
    • Copy the DER-formatted private key file from your domain directory. The file should be named your_url_name-key.der.

    First I created a single file from the trusted CA certificate and the signed certificate:

    % cat signed_cert.pem  geotrust.pem >> certs.pem

    Then I used the ImportPrivateKey utility as suggested by BEA. The following command creates a single keystore file:

    % java -cp /appl/bea/wlserver_10.0/server/lib/weblogic.jar \
        utils.ImportPrivateKey -keystore mykeystore -storepass <yourpassword> \
        -keyfile my_key_file-key.der -keyfilepass <keyfilepass> \
        -certfile certs.pem -alias myalias

    No password was specified for the key entry
    Key file password will be used

    Imported private key my_key_file-key.der and certificate certs.pem
    into a new keystore mykeystore of type jks under alias myalias

    In this example, a keystore file called mykeystore is created in the current directory. Copy this file to your domain directory and set the permissions appropriately.
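    Before handing the files to ImportPrivateKey it is worth confirming that the chain file has the server certificate first with the CA certificate after it, that the DER key really belongs to the signed certificate, and that the leaf names the right host and has not expired (the same things the lock icon shows in Step 4). The following shell functions are an added example, not part of the original post; they assume openssl is on the PATH and use the post's file names.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` is installed.
# File names follow the post: signed_cert.pem, geotrust.pem, certs.pem,
# my_key_file-key.der.

# Build the chain file with the server certificate FIRST and the CA after it.
# Uses > rather than >> so that re-running does not append a second copy.
build_chain() {
    # $1 = signed server cert (PEM), $2 = CA cert (PEM), $3 = output file
    cat "$1" "$2" > "$3"
}

# Count PEM certificate blocks in a file (2 for the post's setup).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Return 0 if the DER private key and the PEM certificate share a public key.
# Importing a key that does not match the certificate produces a keystore
# that WebLogic will accept but that no client can complete a handshake with.
key_matches_cert() {
    # $1 = DER private key, $2 = PEM certificate
    k=$(openssl pkey -inform DER -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the first (leaf) certificate in the chain file is not expired
# and its subject CN is the expected fully qualified host name.
# openssl x509 reads only the first certificate in a file, so this also
# catches a chain assembled in the wrong order (CA cert first).
chain_leaf_ok() {
    # $1 = chain file, $2 = expected FQDN
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}
```

    Run build_chain, then cert_count, key_matches_cert and chain_leaf_ok, and only proceed to ImportPrivateKey when all three succeed.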

    Step 4 – Enable the keystore in Weblogic

    Phew! We finally have a keystore to use for SSL. Now it’s time to configure it in Weblogic.

    • Back in the administration console, click the Servers link from the home page, then click your server (mine is called AdminServer).
    • On the configuration tab, click Keystores. You may need to click “Lock & Edit” again.
    • From the Keystores drop-down, choose “Custom Identity and Custom Trust”. Then you’ll need to fill out the keystore information. For both Custom Identity Keystore and Custom Trust Keystore, put the path to the keystore we generated. The type for both is JKS. Enter your passwords where indicated and click Save.

      [Screenshot: configuring the keystore in the administration console]

    • Now navigate to the SSL tab. Use the alias from the ImportPrivateKey command (in this case it was “myalias”) and enter the password. Click save.
    • If you clicked “Lock & Edit”, you may need to click Activate changes again.

    Once this step is complete, SSL is enabled. Confirm it by checking the lock icon when visiting https://<servername>:7002. It should have the correct expiration date and the server name you filled out when generating the CSR.

