OHS SSL WILDCARD CONFIGURATION

WildCard file server.pfx (format PKCS)Generate Java Keystore from WildCard

Convert PKCS to JAVA KEYSTORE
keytool -v -importkeystore –srckeystore server.pfx -srcstoretype PKCS12 -destkeystore yournewkeystore.jks -deststoretype JKS

Convert JAVA KEYSTORE to WALLET
Create new wallet
mw_home\oracle_common\bin\orapki wallet create -wallet ./ -pwd “mypassword”

Convert to wallet
orapki wallet jks_to_pkcs12 -wallet ./ -pwd “mypassword” -keystore ./yournewkeystore.jks -jkspwd “mypassword”

A new wallet file ewallet.p12 will be created.

Use this wallet for SSL in OHS. It can be configured using wallet manager or weblogic enterprise manager.

Below is procedure to import from enterprise manager.
1. Login to Enterprise manager
2. Go to WebTier –> Right Click on OHS component –> Security –> Wallets
3. Click Import
4. Choose File ewallet.p12, uncheck Auto-Login, specify wallet password (mypassword in create wallet step) password
5. Click Ok
6. Go to WebTier –> Right Click on OHS component –> Virtual Hosts
7. Select SSL port virtual host, Select SSL Configuration from drop down
8. Under Server Wallet Name, select the new created wallet, click on OK
9. Restart OHS

Advertisements

Weblogic SSL WildCard Configuration

Weblogic 10.3.6 +
WildCard file server.pfx (format PKCS)Generate Java Keystore from WildCard

Generate Java Keystore from WildCard
1. Source environment
.setDomainEnv.sh

2. Use OpenSSL to check the pfx certificate’s content.
openssl pkcs12 -in server.pfx -out KEYSTORE.pem –nodes

3. Open KEYSTORE.pem file from step 2. You should find three certificates in it and the private key.
a. Private Key. To identify the private key, look for the following headings:
—–BEGIN RSA PRIVATE KEY—–
—–END RSA PRIVATE KEY—–

b. Root Certificate. To identify the Root Certificate, look for the following headings:
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Subject and issuer must be the same. Save the content of it into a file called my_key_root.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE.

c. Intermediate Certificate. To identify an Intermediate Certificate, look for the following heading:
subject=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Subject and issuer are different only on the CN. Save the content of it into a file called my_key_intermediate.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE.

NOTE: This certificate is optional and there are some cases where it will not be present. If this is the case, go ahead and skip this step. In any other case, this needs to be added to the identity keystore jks file.

d. Server Certificate. To identify a Server Certificate, look for the following heading:
friendlyName: some.thing.com
subject=/serialNumber=sj6QjpTjKcpQGZ9QqWO-pFvsakS1t8MV/C=US/ST=Missouri/L=CHESTERFIELD/O=Oracle_Corp, Inc./OU=Oracle/CN=some.thing.com

A server certificate includes a heading called Friendly Name. Go ahead and save the content of it into a file called my_key_crt.pem. Include all the content from BEGIN CERTIFICATE TO END CERTIFICATE.

4. Create a Trust Keystore and import the Root certificate into it.
keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root -keystore my_key_trust.jks -storepass <store_pass> -keypass <key_pass>

5. Generate an Identity Keystore and import the private key into it.
java utils.ImportPrivateKey -keystore my_key_identity.jks -storepass <store_pass> -storetype JKS -keypass <key_pass> -alias server_identity -certfile my_key_crt.pem -keyfile my_key_pk.pem -keyfilepass <pfx_password>

With these instructions, two jks files will be produced:
my_key_identity.jks & my_key_trust.jks

Configure WebLogic Server To Support Wildcard Certificates
1. Navigate to Home->Summary of Servers->ServerName
a. go to SSL tab
b. Click on Advanced
2. Lock and Edit
3. Set the Hostname Verification field to Custom Hostname Verifier.
4. Enter the name of the implementation of the weblogic.security.utils.SSLWLSWildcardHostnameVerifier interface in the Custom Hostname Verifier field.
5. Click Save.
6. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
7. Restart Server

Configure Weblogic SSL
Follow below steps to configure weblogic server to use above keystores:
1. Login to admin console
2. Navigate to servers>[server_name]>Configuration>Keystores
3. Select Custom Identity and Custom Trust and provide below details:
a. -Custom Identity Keystore: /path/to/my_key_identity.jks
b. -Custom Identity Keystore Type: jks
c. -Custom Identity Keystore Passphrase:<password>
d. -Confirm Custom Identity Keystore Passphrase:<password>
e. -Custom Trust Keystore: /path/to/my_key_trust.jks
f. -Custom Trust Keystore Type: jks
g. -Custom Trust Keystore Passphrase:<password>
h. -Confirm Custom Trust Keystore Passphrase:<password>
4. Then click on SSL tab next to Keystores and provide values for below parameters:
a. -Private Key Alias: server_identity
b. -Private Key Passphrase: <password>
c. -Confirm Private Key Passphrase: <password>
5. Then enable SSL port for that particular weblogic server by navigating servers>[server_name]>Configuration>General
6. Enable SSL port for that particular weblogic server by navigating servers>[server_name]>Configuration>General
7. Save and activate changes.

Note: If SSL port is enabled for first time you need to restart server.