Setting up SSL in WebLogic starting from SSL certs and key

I would like to share something that I had to solve with WebLogic. It took me some time to compile the list of things that needed to be done to set up SSL using certs that were generated internally.

Prerequisites

  • Make sure you have a valid cert and key. If they are not valid, you will get a bunch of errors that you will need to resolve.
  • An installation of WebLogic (although this was for version 12.1.3, you can probably use this post for 12.2.X)
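
A preflight check for the first prerequisite, as an added example that is not part of the original post. It uses the openssl command line tool (not used elsewhere in the post) and treats "valid" as: both files parse as PEM, the private key matches the certificate, and the certificate has not expired. The function name check_cert_key and the KEY_PASS variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight check before importing a PEM cert/key pair into a keystore.
# check_cert_key and KEY_PASS are names chosen for this example.
# Return codes: 0 ok, 2 unreadable file, 3 key does not match cert, 4 cert expired.

check_cert_key() {
    cert=$1
    key=$2

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2
        return 2
    }

    # Public key derived from the private key. The passphrase comes from the
    # environment, not the command line; an empty value means an unencrypted key.
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$key" \
        -passin env:KEY_PASS -pubout 2>/dev/null) || {
        echo "cannot read private key (wrong passphrase or not PEM): $key" >&2
        return 2
    }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to this certificate" >&2
        return 3
    fi

    # -checkend 0 fails when the certificate's notAfter date has already passed.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2
        return 4
    fi

    # A private key readable by other users should be locked down first.
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "warning: $key is world-readable (consider chmod 600)" >&2
    fi

    echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run directly as: sh check.sh dummy_crt.pem dummy_key.pem
if [ "$#" -ge 2 ]; then
    check_cert_key "$1" "$2"
fi
```
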

Steps

1) Rename the cert and key files as follows:

dummy.crt --> dummy_crt.pem
dummy.key --> dummy_key.pem

2) Source setWLSEnv.sh. You can usually find that file in the following WebLogic installation directory:

source /weblogic/installation/path/product/Oracle_Home/wlserver/server/bin/setWLSEnv.sh

3) Run the ImportPrivateKey utility to combine the cert and key files with the following command:

java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfile mykey -keyfilepass password -certfile dummy_crt.pem -keyfile dummy_key.pem -alias mykey

It is important here that mykey is the same for both keyfile and alias. Make sure that the password is set and remembered, as it will be re-used.

This command creates an identity.jks file. This will be our identity file.

One can view what is in the identity file using the following command:

keytool -list -v -keystore identity.jks -storepass password

4) Next I extracted the certificate file using the following command:

$JAVA_HOME/jre/bin/keytool -export -v -alias mykey -file "`hostname`-rootCA.der" -keystore identity.jks -storepass password

This will create a hostname-rootCA.der file.

5) Created a trust key using the following command:

$JAVA_HOME/jre/bin/keytool -import -v -trustcacerts -alias mykey -file "`hostname`-rootCA.der" -keystore trust.jks -storepass password

This creates the trust.jks file, which can be used for the trust key file in the WebLogic console.

6) Log into WebLogic console and do the following:

  • In the WebLogic Server Administration Console, click on "Servers" in the "Domain Structure" tree.
  • Click on the managed server you wish to configure.
  • Click on the "Configuration > Keystores" tab and sub-tab.
  • If you are running in production mode, click the "Lock & Edit" button.
  • Click the "Change" button next to the "Keystores" setting.
  • Select the "Custom Identity and Custom Trust" option and click the "Save" button.
  • Enter the identity details. For example:
    • Custom Identity Keystore: /path/to/identity.jks
    • Custom Identity Keystore Type: JKS
    • Custom Identity Keystore Passphrase: password
    • Confirm Custom Identity Keystore Passphrase: password
  • Enter the trust information. For example:
    • Custom Trust Keystore: /path/to/trust.jks
    • Custom Trust Keystore Type: JKS
    • Custom Trust Keystore Passphrase: password
    • Confirm Custom Trust Keystore Passphrase: password
  • Click the "Save" button.
  • Click the "SSL" tab.
  • Enter the identity details. For example:
    • Private Key Alias: mykey
    • Private Key Passphrase: password
    • Confirm Private Key Passphrase: password
  • Click the "Save" button.
  • If you are running in production mode, click the "Activate Changes" button.
  • Restart the managed server.

This will get you to having an SSL managed server!

Have fun!