Keywords: Custom Identity and Custom Trust, Keystore, Identity Store, Trust Store, Identity and Trust Store, Weblogic, SSL, 1-way SSl, 2-way SSL, one-way ssl, two-way ssl, security, keystores, java keystore, weblogic keystore
In this document we will learn step by step how to create a custom identity keystore and a custom trust keystore.
I will generate:-
- myIdentity.jks (this is my Identity Keystore, which holds the private key)
- myTrust.jks (this is my Trust Keystore, which holds the trusted certificates)
In this exercise my Java environment is already set up, so I can run the ‘keytool’ command from any directory location. So I am going to the directory where I have to generate the keystores.
1. Go to the directory where you want to generate the keystores (identity and trust keystores).
Example:- Suppose in the command prompt I am currently in the directory ‘E:\’ and I want to create my keystores at the directory location ‘E:\_CreateKeystore_WithKeytool’. So I will have to go there as below:-
E:\>cd E:\_CreateKeystore_WithKeytool
E:\_CreateKeystore_WithKeytool>
2. Now, run the below keytool command to create an identity keystore 'myIdentity.jks' with a private key with alias 'mykey':-
keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -validity 1825 -keypass password -keystore myIdentity.jks -storepass password
(All the values above, i.e. the alias, key algorithm and size, validity period, key password, keystore file name and store password, can be changed as per your need. But in this exercise we are keeping these as above.)
It will ask a few questions (the certificate's distinguished-name fields, such as your name, organisation and country); just answer them and go ahead.
It will generate the file ‘myIdentity.jks’ at your folder location.
3. Now, export the certificate of 'mykey' to a file named 'root.cer' in the same folder, as below (keytool -export writes only the public certificate; the private key itself never leaves the identity keystore):-
keytool -export -alias mykey -file root.cer -keystore myIdentity.jks -storepass password
The file is exported with the name ‘root.cer’ in the same folder location.
4. Now, create a trust store with the name 'myTrust.jks' and import the file 'root.cer' into it:-
keytool -import -alias mykey -file root.cer -keystore myTrust.jks -storepass password
When you run the above command, just type ‘y’ and press enter when it asks ‘Trust this certificate?’
5. Now, copy the AXIOM certificate (or any other third-party certificate) into the same folder to import it into the trust store ‘myTrust.jks’.
Now, import the AXIOM certificate into the same 'myTrust.jks'. Similarly, you can import any number of certificates into the same trust store:-
keytool -import -alias myaxiomcert -file uat.axiom.acledabank.local.cer -keystore myTrust.jks -storepass password
It will again prompt ‘Trust this certificate?’. Type ‘y’ and press enter.
In the above command I am importing AXIOM’s certificate (from the same folder location) having the file name ‘uat.axiom.acledabank.local.cer’.
NOTE: If your certificate is at a different location then you will need to give the full path as well.
Now, AXIOM’s certificate is imported into the trust store ‘myTrust.jks’ file.
Now, you should see all these files (myIdentity.jks, root.cer, myTrust.jks and the AXIOM certificate) present in your directory.
Now, you will need to set up these keystores in the WebLogic console.
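The keytool steps above, scripted so they run without the interactive prompts and finish with a consistency check of the two stores, as an added example that is not part of the original post. It assumes a JDK keytool on PATH; the output directory, the certificate subject name and the 2048-bit key size are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool steps above run
# non-interactively (-dname and -noprompt replace the typed answers), with a
# check that the identity and trust stores agree. Assumes a JDK keytool on
# PATH; KS_DIR, the subject name and the 2048-bit key size are my choices.
set -eu

KS_DIR="${KS_DIR:-./keystores}"
STOREPASS="${STOREPASS:-password}"   # the same demo passphrase the post uses
ALIAS="mykey"
THIRD_PARTY_CER="uat.axiom.acledabank.local.cer"   # step 5 file from the post

# Step 2: identity keystore holding the private key. -storetype JKS is given
# explicitly because JDK 9+ otherwise creates PKCS12; 2048 bits, not 1024.
create_identity() {
  mkdir -p "$KS_DIR"
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 1825 \
    -dname "CN=osb.example.local, O=Example" -storetype JKS \
    -keystore "$KS_DIR/myIdentity.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}
# Step 3: export the public certificate only; the private key stays in the store.
export_cert() {
  keytool -exportcert -alias "$ALIAS" -file "$KS_DIR/root.cer" \
    -keystore "$KS_DIR/myIdentity.jks" -storepass "$STOREPASS"
}
# Steps 4 and 5: add a certificate to the trust store ($1 alias, $2 file).
import_trusted() {
  keytool -importcert -noprompt -alias "$1" -file "$2" -storetype JKS \
    -keystore "$KS_DIR/myTrust.jks" -storepass "$STOREPASS"
}
# Check before wiring the stores into WebLogic: a PrivateKeyEntry in the
# identity store, a trustedCertEntry in the trust store, same certificate.
verify_stores() {
  keytool -list -keystore "$KS_DIR/myIdentity.jks" -storepass "$STOREPASS" \
    -alias "$ALIAS" | grep -q PrivateKeyEntry || return 1
  keytool -list -keystore "$KS_DIR/myTrust.jks" -storepass "$STOREPASS" \
    -alias "$ALIAS" | grep -q trustedCertEntry || return 1
  id_pem=$(keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KS_DIR/myIdentity.jks" -storepass "$STOREPASS")
  tr_pem=$(keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KS_DIR/myTrust.jks" -storepass "$STOREPASS")
  [ -n "$id_pem" ] && [ "$id_pem" = "$tr_pem" ]
}

build_all() {
  create_identity; export_cert; import_trusted "$ALIAS" "$KS_DIR/root.cer"
  if [ -f "$KS_DIR/$THIRD_PARTY_CER" ]; then import_trusted myaxiomcert "$KS_DIR/$THIRD_PARTY_CER"; fi
  verify_stores
}

if [ "${1:-}" = "run" ]; then build_all; fi
```

Save the script and run it with the single argument `run`; set KS_DIR beforehand to choose the output folder, and copy the third-party .cer file into that folder first if you want step 5 performed as well.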
6. Before doing this, you need to make sure that the below prerequisites are already in place.
Prerequisite 1: Enable the SSL listen port on the Admin Server and all managed servers.
In our case we have an ‘AdminServer’ and a managed server ‘Osb_Server1’ in our domain.
Prerequisite 2: Your domain must have the nodemanager folder and this folder must have the nodemanager.properties file.
Because after configuring ‘Custom Identity And Custom Trust’ in WebLogic, we need to add this information into the above property file (nodemanager.properties) as well, so that your managed servers can read these keystores at the time of restart and your keystores can work properly.
So please make sure that your domain has both of the prerequisites already.
7. Now, start the admin server and the managed servers of your domain and log in to the admin console.
Once you log in to the admin console, go to:-
Home > newosb_domain > AdminServer
and open the ‘Keystore’ tab.
Now, click on the ‘Change’ button and select ‘Custom Identity and Custom Trust’.
Now set the ‘Keystore’ tab as below (here the two keystores generated above have been placed in C:\app\oracle\product\fmw12211\MyKeystores):-
IDENTITY
Custom Identity Keystore: C:\app\oracle\product\fmw12211\MyKeystores\myIdentity.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: password
Confirm Custom Identity Keystore Passphrase: password
TRUST
Custom Trust Keystore: C:\app\oracle\product\fmw12211\MyKeystores\myTrust.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: password
Confirm Custom Trust Keystore Passphrase: password
Now, go to the ‘SSL’ tab and configure it as below:-
Private Key Alias: mykey
Private Key Passphrase: password
Confirm Private Key Passphrase: password
Now, on the same ‘SSL’ page, click on ‘Advanced’ at the bottom of the page to see the advanced settings.
Now, set ‘Hostname Verification:’ to ‘None’ (this turns off the check that a peer certificate's subject name matches the host it is presented from).
8. Similarly, we will repeat Step 7 for the managed server ‘Osb_Server1’ under its ‘Keystore’ tab and ‘SSL’ tab.
9. If there are more managed servers, then we have to do the same configuration for those managed servers as well, as we did in Step 7.
10. Now, open the folder where your domain exists and then go to the node manager folder. In our case it is:-
‘C:\app\oracle\product\fmw12211\user_projects\domains\newosb_domain\nodemanager'
Go to the ‘nodemanager’ folder and open the file ‘nodemanager.properties’ in Notepad.
11. Now add the below lines at the bottom of the above property file:-
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreType=jks
CustomIdentityKeyStoreFileName=C\:\\app\\oracle\\product\\fmw12211\\MyKeystores\\myIdentity.jks
CustomIdentityKeyStorePassPhrase=password
CustomIdentityPrivateKeyPassPhrase=password
CustomIdentityAlias=mykey
CustomTrustKeyStoreType=jks
CustomTrustKeyStoreFileName=C\:\\app\\oracle\\product\\fmw12211\\MyKeystores\\myTrust.jks
CustomTrustKeyStorePassPhrase=password
Now, start your node manager and restart your managed servers and admin server to reflect the change.
Once you do this, the node manager rewrites the file ‘nodemanager.properties’. You can see that the passwords automatically get encrypted/hidden after restarting the node manager of your domain.
Now, your domain starts reading your custom identity and custom trust keystores.