SOACS - SSL Configuration

Creating KSS keystores and generating Certificate Signing Request (CSR)

• Login to em console and open Weblogic domain -> Security -> Keystores page.
• Create a new stripe, or use an existing one (eg. "system")
• Under selected stripe, create a new keystore myKSSIdentity, password based, for custom identity
• Under selected stripe, create a new keystore myKSSTrust, password based, for custom trust.
• Open manage section of myKSSIdentity, create a new key pair inside myKSSIdentity with alias as myKSSIdentity and password as required.
• Use the below values while creating keypair:
• Alias Name: myIdentity
• Common Name: mysoacsdomain.com (domain name registered with public DNS)
• The rest of information from keypair generation form is optional.
• Select the new keypair created and click generate CSR.
• Export the created CSR, share it with CA, and get root, intermediate and signed certificates.

Importing CA Certificates

• Login to em console and open weblogic domain -> security -> keystores page.
• Select the identity keystore (myKSSIdentity) and click manage
• Import root certificate from CA as trusted certificate (alias myRootCA).
• Import intermediate certificate from CA as trusted certificate (alias myInterCA).
• Import signed certificate as certificate and select alias as myIdentity from drop down. This should be same alias that used to create keypair for generating CSR.
• Select the trust keystore (myKSSTrust) keystore and click manage.
• Import root certificate from CA as trusted certificate (alias myRootCA).
• Import intermediate certificate from CA as trusted certificate (alias myInterCA).
• Import signed certificate as trusted certificate (alias mySignedCert).
•  Using putty, login to soa CS VM and open /u01/jdk/jre/lib/security
•  Import the intermediate certificate into cacerts using below command:  
• keytool -import -keystore cacerts -storepass changeit -file inter.crt
•  Take a backup from cacerts file, for future use (eg. in case of JDK upgrade).
  

Sync Key Stores

• Login to SOA CS VM using putty.
• Open /u01/oracle/middleware/oracle_common/common/bin
• Run ./wlst.sh and execute below commands to sync custom identity and custom trust keystores.

connect('weblogic',’****,'t3://x.x.x.93:7001')

svc = getOpssService(name='KeyStoreService')

svc. listKeyStoreAliases (appStripe="system”, name="myKSSIdentity”, password=” ****”, type="*")

syncKeyStores(appStripe='system',keystoreFormat='KSS')

svc. listKeyStoreAliases (appStripe="system”, name="myKSSTrust”, password='****’, type="*")

syncKeyStores(appStripe='system',keystoreFormat='KSS')

 

• Restart both admin and managed servers.

Note: This step is needed only if using "system" stripe.

Change weblogic keystores to Custom Identity and Custom Trust

• On weblogic server admin console open Servers -> Admin Server -> Keystores tab:
• Change the keystore to Custom Identity and Custom Trust
• Save
• Provide the values for Custom Identity
• Custom Identity Keystore: kss://system/myKSSIdentity and Press ENTER.
• Custom Identity KeyStore Type:  KSS and ENTER
• Custom Identity PassPhrase: enter password given while creating myKSSIdentity keystore
• Confirm Custom Identity PassPhrase:
• enter password given while creating myKSSIdentity   keystore

• Provide the values for Custom Trust
• Custom Trust Keystore: kss://system/myKSSTrust and Press ENTER.
•  Custom Trust KeyStore Type: KSS and ENTER
•  Custom Trust PassPhrase: enter password given while creating myKSSTrust keystore
•  Confirm Custom Trust PassPhrase: 
• enter password given while creating myKSSTrust  keystore

• Click Save
• Open SSL tab
•  Provide Private Key Alias: myIdentity and Press ENTER.
•  > This is the alias given while create keypair in myIdentitykeystore
•   Private Key PassPhrase: Password given while creating key pair under idenity keystore
•  Confirm Private Key PassPhrase:
•  Password given while creating key pair under idenity keystore
• Change HostNameVerfication = None. Not sure if its required.
• Click Save.
• Repeat steps 1 to 8 for Managed Server also.
• Stop Admin, Managed Server and Node Manager.

Node Manager Changes

1. Open /domain_home/nodemanager
2. Edit nodemanager.properties and add the below properties.

# added for custom identity and custom trust
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=myKSSIdentity
CustomIdentityKeyStoreFileName=kss://system/myKSSIdentity
CustomIdentityKeyStorePassPhrase=*********
CustomIdentityKeyStoreType=KSS
CustomIdentityPrivateKeyPassPhrase=*********
CustomTrustKeyStoreFileName=kss://system/myKSSTrust

3. Edit startNodeManager.sh file under /domain_home/bin to add the below properties during startup: 

JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.security.jps.config=/u01/data/domains/SOA_domain/config/fmwconfig/jps-config-jse.xml -Dcommon.components.home=/u01/app/oracle/middleware/oracle_common -Dopss.version=12.2.1.2 -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.egd=file:/dev/./urandom.egd=file:/dev/./urandom"

Note: -Dopss.version=12.2.1.2 property is specific to version 12.2.1.2.

Changes in boot.properties

Note: This step is not needed if the environment is using OTD.

1. Login the SOA CS VM through putty and open /domain_home/servers/AdminServer/data/nodemanager
2. Take a backup copy of boot.properties.
3. Open boot.properties and comment the below line and save.

#TrustKeyStore=DemoTrust

4. Open /domain_home/servers/soa_server1/data/nodemanager/
5. Take a backup copy of boot.properties.
6. Edit boot.properties file, comment the below line.

#TrustKeyStore=DemoTrust

7. Add the below lines at the end.

CustomTrustKeyStoreFileName=kss://system/myKSSTrust
TrustKeyStore=CustomTrust
CustomTrustKeyStorePassPhrase=****
CustomTrustKeyStoreType=KSS

8. save boot.properties.

In setDomainEnv.sh remove this property:

-Djavax.net.ssl.trustStore=%WL_HOME%\server\lib\DemoTrust.jks