Friday, July 29, 2016

Weblogic integrated server Demo Identity Keystore and Demo Trust Keystore


Weblogic has two kinds of keystore, one is IdentityKeyStore and other is TrustStore.

IdentityKeyStore: This keystore contains the identity for WebLogic Server. It means if any client wants to make an SSL request to server, server will send him this certificate. By default, file is located in <WL_HOME>\server\lib\DemoIdentity.jks. Its password is DemoIdentityKeyStorePassPhrase. Private key password is DemoIdentityPassPhrase. 

If you want clients to call an application on weblogic server over SSL then you need to set IdentityKeyStore and you need to add a certificate in it. You have two options to get certificate.
1. Contact verisign or other certificate authority to provide you a certificate.
2. You can yourself generate a certificate using keytool
keytool -genkey -keystore keystorename -storepass keystorepassword

You will use CA provided certificate if you want browser not to throw any warning of certificate when user tries to access your site. With self-signed certificate, browser throws exception and user needs to accept that OR alternatively they need to add that certificate to browser. 


TrustStoreThis keystore establishes trust for WebLogic Server. It means if this weblogic server needs to make a call to some secured server over SSL then its going to use this certificate. If you are making a call to thirdpart webservice using a java code, which is deployed on weblogic then weblogic will use this keystore to verify identity of thirdpart-server. This keystore is located at 
<WL_HOME>\server\lib\DemoTrust.jks. Its password is DemoTrustKeyStorePassPhrase. 

In truststore you generally need to add those certificates which are provided by third-party services, which weblogic is going to call. To get those cerficate is simple.
1. Access their service in IE, it will be an https call and you will see a lock icon.
 Install certificate as shown above.

2Export certificate from browser Tools >> Internet Options >> Content >> Certificate >> Other People >> Select Certificate >> Export
Import certificate in DemoTrust.jks by following these steps
a. Navigate to <WL_HOME>\server\lib and Take backup of DemoTrust.jks
b. Import certificate
keytool -importcert -file <location-of-your-cer-file> –keystore <location-of-trust-keystore> -alias <youraliasname> -storepass DemoTrustKeyStorePassPhrase
For example
keytool -importcert -file D:\temp\OracleOutSourcing_DER.cer –keystore D:\Oracle\Product\11.1.1.7.1-Cloud\Middleware64\wlserver_10.3\server\lib\DemoTrust.jks -alias oracleoutsourcing -storepass DemoTrustKeyStorePassPhrase

Once certificate is imported then you should be able to call thirdparty webservices over SSL.

NOTE: Jdeveloper also using same DemoTrust.jks for standalone program. If you run a java program in jdeveloper,
<your-jdk>\bin\javaw.exe -client -classpath <your-jars> -Djavax.net.ssl.trustStore=<WL_HOME>\server\lib\DemoTrust.jks <Your-java-class>

You can configure it in jdev using Tools > Preferences > Credentials


You can also change keystore/truststore in weblogic console and point to completely new keystore files. 




NOTE: keystore/trustore is server specific. It means all applications of one server are forced to use same keystore/truststore. If you want different keystore/truststore, you may need to create a new managed server.

NOTE: If you get bad-certificate issue after importing certificate in trusstore, then verify if certificate has entries like *.<domain>.com kind of entries. If yes, then you need to remove host verification in weblogic as wildcard host certificates are not allowed if host verification is enabled.

1 comment:

Priya Amar said...

Hi,

your post helped me in configuring the SSL certificates.am using the integrated weblogic server to connect to IDCS.However I get below error.any idea on what else needs to be changed

<Failed to communicate with proxy: www-proxy-idc.in.oracle.com/80. Will try connection mydemotenant1.idcs.internal.oracle.com/8943 now.
java.net.UnknownHostException: www-proxy-idc.in.oracle.com
at java.net.InetAddress.getAllByName0(InetAddress.java:1259)
at java.net.InetAddress.getAllByName(InetAddress.java:1171)
at java.net.InetAddress.getAllByName(InetAddress.java:1105)
at java.net.InetAddress.getByName(InetAddress.java:1055)
at weblogic.socket.ChannelSocketFactory.createSocket(ChannelSocketFactory.java:39)
Truncated. see log file for complete stacktrace