WebLogic SSL Configuration

Steps to configure WebLogic SSL

1. Create identity store

keytool -genkeypair -alias weblogicServer -keyalg RSA -keysize 2048 -keystore weblogic_identity.jks

Where weblogic_identity.jks is the name of the identity store that will be created and weblogicServer is the private key alias. Use a key of at least 2048 bits: 1024-bit RSA is below the minimum that public CAs and current TLS guidance require. When keytool prompts for the distinguished name, enter the server's fully qualified hostname as the CN, and keep the keystore and key passphrases, as both are entered in the console later.

2. Create CSR

keytool -certreq -alias weblogicServer -file device.csr -keystore weblogic_identity.jks

Where device.csr is the certificate signing request created.

3. Submit the signing request

Now submit this CSR to a certification authority to obtain the signed server certificate together with the CA's root and any intermediate certificates.

If using an internal CA with openssl, run the command below to issue the signed certificate from the CSR:

openssl x509 -req -in device.csr -CA ca_root_cert.pem -CAkey ca_privkey.pem -CAcreateserial -out device.pem -days 3650

Where ca_root_cert.pem is the CA root certificate and ca_privkey.pem is the CA private key. Note that openssl x509 -req copies no extensions from the request, so the certificate it produces has no subjectAltName; current browsers match the hostname against the SAN rather than the CN, so pass an extension file (-extfile) that sets subjectAltName=DNS:<hostname>. A ten-year validity is also far longer than public CAs allow; a shorter lifetime limits the exposure if the private key leaks.

4. Create the trust store and import the root certificate into it

keytool -import -trustcacerts -alias myRoot -file /path/to/ca_root_cert.pem -keystore weblogic_trust.jks

Where ca_root_cert.pem is the CA root certificate and myRoot is the alias for the root in the trust store. The trust store decides which certificates the server accepts from peers (client certificates and outbound SSL connections), so keep it to the CAs you actually need.

5. Import the root certificate into the identity store

keytool -import -trustcacerts -alias entRoot -file /path/to/ca_root_cert.pem -keystore weblogic_identity.jks

Where ca_root_cert.pem is the CA root certificate and entRoot is the alias for the root in the identity store. If the CA issued intermediate certificates, import each of them here as well under its own alias; otherwise the import of the signed certificate in the next step fails because keytool cannot build the chain.

6. Import the signed certificate into the identity store

keytool -import -trustcacerts -alias weblogicServer -file /path/to/device.pem -keystore weblogic_identity.jks

Where device.pem is the signed certificate and weblogicServer is the private key alias. Importing under the same alias as the key replaces the self-signed certificate generated in step 1 with the CA-issued certificate chain; keytool builds that chain from the root (and intermediates) imported in step 5, which is why that step comes first. Check with keytool -list -v that the alias is a PrivateKeyEntry whose chain ends at the CA root.
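Added example, not part of the original page: a shell script that performs steps 1 to 6 above end to end against a throwaway internal CA created with openssl, then checks the result the way a practitioner would before pointing WebLogic at the stores. The hostname wls01.example.com, the passphrase changeit, the working directory under $TMPDIR, the CA config, the -extfile carrying a subjectAltName and the verify_keystores checks are all assumptions made here; the page's own flow uses keytool -genkey with whatever CA you submit the CSR to.

```shell
#!/bin/sh
# Added example, not from the original page: performs steps 1 to 6 above end to
# end against a throwaway internal CA created with openssl, then checks the
# result the way a practitioner would before pointing WebLogic at the stores.
# Assumptions (constructed for this example): keytool (from a JDK) and openssl
# are on PATH, the server hostname is wls01.example.com, the keystores and the
# private key share the passphrase "changeit", and files go under $WORK.
set -eu

HOST="wls01.example.com"
PASS="changeit"
WORK="${TMPDIR:-/tmp}/wls-ssl-demo"

build_keystores() {
    rm -rf "$WORK"
    mkdir -p "$WORK"
    cd "$WORK"

    # Stand-in for the internal CA of step 3: a self-signed root with explicit
    # CA extensions, using its own minimal config so no distro openssl.cnf is needed.
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > ca.cnf
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Internal CA" -keyout ca_privkey.pem -out ca_root_cert.pem

    # Step 1: identity store with a 2048-bit RSA key pair; CN is the server's FQDN.
    keytool -genkeypair -alias weblogicServer -keyalg RSA -keysize 2048 \
        -dname "CN=$HOST,OU=Demo,O=Example" -validity 365 \
        -keystore weblogic_identity.jks -storetype JKS -storepass "$PASS" -keypass "$PASS"

    # Step 2: certificate signing request for that key.
    keytool -certreq -alias weblogicServer -file device.csr \
        -keystore weblogic_identity.jks -storepass "$PASS" -keypass "$PASS"

    # Step 3: sign the CSR. "openssl x509 -req" copies no extensions from the
    # request, so the SAN is supplied through -extfile; without it, clients
    # that match the hostname against subjectAltName reject the certificate.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$HOST" > server.ext
    openssl x509 -req -in device.csr -CA ca_root_cert.pem -CAkey ca_privkey.pem \
        -CAcreateserial -days 365 -sha256 -extfile server.ext -out device.pem

    # Step 4: the trust store holds the CA root only.
    keytool -importcert -noprompt -trustcacerts -alias myRoot -file ca_root_cert.pem \
        -keystore weblogic_trust.jks -storetype JKS -storepass "$PASS"

    # Step 5: root into the identity store so keytool can chain the reply in step 6.
    keytool -importcert -noprompt -trustcacerts -alias entRoot -file ca_root_cert.pem \
        -keystore weblogic_identity.jks -storepass "$PASS"

    # Step 6: the CA-issued certificate replaces the self-signed one under the key alias.
    keytool -importcert -noprompt -trustcacerts -alias weblogicServer -file device.pem \
        -keystore weblogic_identity.jks -storepass "$PASS" -keypass "$PASS"
}

# Pre-flight checks: the alias is a PrivateKeyEntry with a two-certificate chain,
# the leaf verifies against the root exported back out of the trust store, and
# the SAN carries the hostname WebLogic will be reached at. Returns 1 on failure.
verify_keystores() {
    cd "$WORK"
    keytool -list -v -alias weblogicServer \
        -keystore weblogic_identity.jks -storepass "$PASS" > identity.txt
    grep -q "Entry type: PrivateKeyEntry" identity.txt || return 1
    grep -q "Certificate chain length: 2" identity.txt || return 1
    keytool -exportcert -rfc -alias myRoot -file trusted_root.pem \
        -keystore weblogic_trust.jks -storepass "$PASS"
    openssl verify -CAfile trusted_root.pem device.pem > /dev/null || return 1
    openssl x509 -in device.pem -noout -text | grep -q "DNS:$HOST" || return 1
    echo "identity and trust stores are consistent for $HOST"
}

# keytool needs a JDK; report instead of failing on a host without one.
if command -v keytool > /dev/null 2>&1 && command -v openssl > /dev/null 2>&1; then
    build_keystores
    verify_keystores
else
    echo "keytool and openssl are required; nothing done" >&2
fi
```

The verify_keystores checks are the ones worth keeping after the real CA has signed the CSR: a chain length of 1 means step 5 was skipped or the intermediate is missing, a verify failure means the trust store root is not the issuer of the certificate, and a missing DNS entry means the CA did not add a SAN.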

Follow the steps below to configure the WebLogic server to use the keystores created above:

1. Log in to the admin console

2. Navigate to Servers > [server_name] > Configuration > Keystores

3. For Keystores select Custom Identity and Custom Trust and provide the details below:

a. Custom Identity Keystore: /path/to/weblogic_identity.jks

b. Custom Identity Keystore Type: jks

c. Custom Identity Keystore Passphrase: <password>

d. Confirm Custom Identity Keystore Passphrase: <password>

e. Custom Trust Keystore: /path/to/weblogic_trust.jks

f. Custom Trust Keystore Type: jks

g. Custom Trust Keystore Passphrase: <password>

h. Confirm Custom Trust Keystore Passphrase: <password>

4. Then click the SSL tab next to Keystores and provide values for the parameters below (the private key passphrase is the one given to keytool when the key pair was generated):

a. Private Key Alias: weblogicServer

b. Private Key Passphrase: <password>

c. Confirm Private Key Passphrase: <password>

5. Then enable the SSL port for that particular WebLogic server by navigating to Servers > [server_name] > Configuration > General, ticking SSL Listen Port Enabled and setting the SSL Listen Port.

6. Save and activate the changes.

Note: If the SSL port is enabled for the first time, the server must be restarted. After the restart, confirm from a client that the server presents the CA-issued certificate and the full chain, for example with openssl s_client -connect <hostname>:<ssl_port> -showcerts; a hostname that does not match the certificate, or a missing intermediate, shows up here before users run into it.

WebLogic Security Realm WLST import and export

The exportData and importData calls below act on the DefaultAuthenticator (the embedded LDAP) of the realm myrealm in the domain IDMDomain; substitute your own domain name in the MBean path. setDomainEnv.sh must be sourced (note the leading dot) so that the WLST classpath applies to the current shell. Rather than typing the administrator password into the script or the shell history, create an encrypted credential file once with storeUserConfig() and connect with connect(userConfigFile='...', userKeyFile='...', url='t3://adminhostname:7001').

Export
. $DOMAIN_HOME/bin/setDomainEnv.sh
java weblogic.WLST
from java.util import Properties
connect('weblogic','weblogic','t3://adminhostname:7001')
domainRuntime()
cd('/DomainServices/DomainRuntimeService/DomainConfiguration/IDMDomain/SecurityConfiguration/IDMDomain/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.exportData('DefaultAtn','/u01/export/export.ldif', Properties())

The export file contains every user and group of the embedded LDAP, including password hashes, so write it to a directory readable only by the WebLogic OS user and remove it once the import has been done.

Import
. $DOMAIN_HOME/bin/setDomainEnv.sh
java weblogic.WLST
from java.util import Properties
connect('weblogic','weblogic','t3://adminhostname:7001')
domainRuntime()
cd('/DomainServices/DomainRuntimeService/DomainConfiguration/IDMDomain/SecurityConfiguration/IDMDomain/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.importData('DefaultAtn','/u01/export/import.ldif', Properties())

EBS–OAM Integration: Webgate allowed access to protected page GUID=null

When a user attempts to log in to Oracle E-Business Suite, the following error is displayed in the browser after the credentials are entered:
Internal Error: Webgate allowed access to protected page GUID=null

or

When testing the response headers in step 4.4.3, a null value is returned for USER_ORCLGUID instead of a valid value.

Bug 19438948

As a workaround, specify orclguid as a Prefetched Attribute in Oracle Access Manager:
Log on to the OAM Console:
http://<oamserver>.<domain>:<adminport>/oamconsole
Click 'User Identity Stores' (in the 'Configuration' section) > select the Identity Store with a type of 'OID' (e.g. 'EBSIdStore' or 'OIDIdentityStore') in the 'OAM ID Stores' table >
Click 'Edit' > enter orclguid in the 'Prefetched Attributes' field and click 'Apply' to save. Then repeat the header test from step 4.4.3 and confirm that USER_ORCLGUID now carries a value.

ldapsearch with LDIF Files

Search for the existence of a list of user IDs held in a file:

# ldapsearch -h hostname -p port -f filename.txt -D "cn=orcladmin" -w "password" -s sub -b "base_dn" "(uid=%s)"

where filename.txt contains one user ID per line, for example:
testuser1
testuser2

The lines in filename.txt are read one by one, and each value is substituted for %s in the search filter, so one search is run per line. Note that -w places the bind password on the command line, where it is visible in process listings and shell history; prefer prompting for the password where your ldapsearch supports it, and never bind as cn=orcladmin for a read-only check if a less privileged account can run the search.
