SSL certificate configuration
The following steps describe how to generate private keys, import certificates into a keystore and how to configure SSL via the WebLogic admin server console.
1. Access the WebLogic domain files.
Open a DOS window and CD to the Webserve directory under your ps_home. (e.g. CD C:\pshome\webserv\ ) and then CD to bin folder which contains pskeymanager.cmd
2. Create a new private key and certificate request for your server.
1. To create a new private key and certificate signing request, run pskeymanager.cmd -create
2. Follow the prompts and specify the information that you normally would when creating a certificate.
Keystore password: The default keystore password will be "password". It is adviced to be changed and made a note of.
DV - DevendraVaidya
Alias: MyPS (This is what is export over the internet) https://myps.dv.com:/psp/myps/
Common name: myps.dv.com (domain)
OU: DVIT
Organization: Devendra Vaidya Ltd
City: Mumbai
State: Maharashtra
Country: India
Take the defaults on the rest of the fields
3. Submit your certificate request to a Certificate Authority (RapidSSL / Verisign/Thwate) to obtain your certificate (a.k.a public key).
Once the certificate it received, paste it into a .txt file. (dv.txt)
4. Obtain the root certificate of the CA which processed your request.
Download the root CA certificate from for eg GeoTrust/ Thwate which ever you go with.
The root that is used to issue Versign/Thwate/ certificates(one you choose) is the root labeled "Equifax Secure Certificate Authority (Base-64 encoded X.509)" (Root 1). Once the certificate it received, paste it into a .txt file. (cert1.txt)
5. Create a combined certificate.
The certificate received from Versign/Thwate/ (one you choose) must also contain a copy of the root certificate. Paste the text of cert1.txt into dv.txt after the existing text with no blank lines between the two certs. Save the file (dv_combined.txt).
6. Place the certificates on the webserver.
Place the files (cert1.txt and dv_combined.txt) into the Weblogic domain directory. (C:\pshome\webserv\dv)
7. Import your Certificate Authority's certificate into your keystore.
To import your Certificate Authority's public certificate, which you received from your CA, into your keystore, execute "pskeymanager.cmd -import". When prompted for an alias, specify "equifax". This name is simply an alias for this certificate. When prompted for the certificate file to import, specify the cert1.txt certificate file.
8. Import your certificate into your keystore.
To import your public certificate, which you received from your CA, into your keystore, execute "pskeymanager.cmd -import". When prompted for an alias specify the same alias you did when you created your private key and cert request in step 2 (e.g. your machine name MyPs). When prompted for the certificate file to import, specify your combined certificate (dv_combined.txt).
9. Restart WebLogic Server
Restart the PIA server either via C:\pshome\webserv\dv\bin\stopPIA.cmd and startPIA.cmd or, if installed as an NT service, " NET START dv
10. Logon to the WebLogic Server Administrative Console.
Access the WebLogic Server console at http:///console. When prompted for a User Name and password, specify the WebLogic system ID and password which you indicated during the PIA install. If accepted the default ID and password during the PIA install they are 'system' and 'password'.
11. Access Keystores & SSL configuration from the WebLogic Admin console.
In the graphical domain structure hierarchy on the left navigate the following;
- Click on Servers and select PIA
- Click on "keystores" tab
- Click on "Lock & Edit" button in the left panel.
- Select 'Custom Identity And Custom Trust' from the keystores dropdown field
12. Update keystore properties.
Update the following fields and then press the 'save' button.
Click on "Activate changes" button to activate the changes
|
Field
|
Value
|
Comment
|
|
Custom Identity Key Store File Name:
|
keystore/pskey
|
If a different keystore was specified via pskeymanger -keystore file, specify that name here.
|
|
Custom Identity Key Store Type:
|
JKS
|
Always JKS
|
|
CustomIdentityKeyStorePass Phrase:
|
password
|
See note below regarding password
|
|
Confirm CustomIdentityKeyStorePass Phrase:
|
password
|
See note below regarding password
|
|
Custom Trust Key Store File Name:
|
keystore/pskey
|
If a different keystore was specified via pskeymanger -keystore file, specify that name here.
|
|
Custom Trust Key Store Type:
|
JKS
|
Always JKS
|
|
CustomTrustKeyStorePass Phrase:
|
password
|
See note below regarding password
|
|
Confirm CustomTrustKeyStorePass Phrase:
|
password
|
See note below regarding password
|
Note regarding passwords: The default keystore and private key password is 'password'. This should NEVER be used in a production environment. A private key's password and a keystore's password can be changed via pskeymanager's -changepassword option.
13. Update private key properties.
Click on "SSL" tab
Update the following fields for your private key and then press the 'Save' button.
|
Field
|
Value
|
Comment
|
|
Private key Alias:
|
(e.g machine name)
|
Alias you specified when you created the private key for this server in step 4.
|
|
passphrase:
|
password
|
See note below regarding password
|
|
Confirm passphrase:
|
password
|
See note below regarding password
|
14. Save your keystore changes.
You MUST click the "Activate changes" button to activate the changes that you have made.
15. Restart WebLogic Server and make sure the SSL port is listening on the configured port.
(See step 9.)
This information will be displayed when running the startPIA.cmd or you can run netstat –a.
16. Configure the other web server(s).
To install this cert on other web servers, just copy the /keystore/pskey file to the second webserver and make the same configurations in the Admin Console to pick the right Private Key Alias. Then restart.
Word of Thanks to Dan Ashburn- We worked together in setting this up successfully.
