Two Way SSL on Weblogic Server
This post describes the steps and concepts required to configure and use two-way SSL with WebLogic Server.
The Admin Server Console is used as the test application to verify whether the configuration works.
Create a WLS domain: ssl_domain.
Open a command prompt and navigate to the ssl_domain/bin directory.
Run setDomainEnv.cmd to set the environment.
Creating the server certificate:
1: Create a directory: ServerCert.
2: From the command prompt where the environment was set, move to the ServerCert directory.
3: Use the CertGen utility to create the certificate.
Two way SSL with Weblogic Server:
First let us understand how two-way SSL works.
Here we will assume the following:
WebLogic Server as the server:
Mozilla Firefox as the client:
1: WebLogic Server is configured for SSL.
2: Certificate used by WebLogic Server: ServerCert
3: Private key used by WebLogic Server: ServerKey
4: Trust store used by WebLogic Server: DemoTrust
Two Way SSL Communications:
1: The client initiates an SSL connection to the server and lists the cipher suites it supports.
2: The server picks a cipher suite that both sides support and sends its identity certificate to the client.
3: The client verifies the server's identity certificate against its trust store (and checks that the host name it connected to matches the certificate).
4: The server asks the client for its identity certificate.
5: The client sends its own identity certificate and proves that it holds the matching private key.
6: The server verifies the client's certificate against its trust store.
7: Both sides derive the session keys from the key exchange and confirm the handshake with Finished messages.
8: The handshake is complete and encrypted data starts flowing over the network.
Note that the cipher suite is agreed in the first two messages, before any certificate is exchanged, and that either side aborts the handshake as soon as a certificate check in step 3 or 6 fails.
From the above process we have the following requirements for configuring two-way SSL on WebLogic Server:
1: An identity certificate (with its private key) for WebLogic Server.
2: An identity certificate (with its private key) for the client (Mozilla Firefox).
3: The trust store of WebLogic Server must contain the root certificate of the CA that issued the client identity certificate.
4: The trust store of the client must contain the root certificate of the CA that issued the identity certificate of WebLogic Server.
Now we will create the certificates required for WebLogic Server:
From the above we need an identity certificate for WebLogic Server issued by a CA.
Here we will create the certificate with the WebLogic CertGen utility, using the CertGenCA.der certificate that ships with WebLogic as the certificate authority.
- Create a WebLogic Server domain: ssl_domain.
- Open a command prompt and move to the ssl_domain/bin directory.
- Run setDomainEnv.cmd to set the environment in that command prompt.
- Create a directory anywhere on the file system named ServerCert.
- From the already opened command prompt, go to the ServerCert directory.
- Run the following command:
java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass keypass
The above command creates four files:
ServerCert.der and ServerCert.pem: the identity certificate in DER and PEM format.
ServerKey.der and ServerKey.pem: the private key for the above certificate in DER and PEM format.
keypass (the -keyfilepass value) is not a file but the password required to read the private key; use something stronger than this example for anything but a test domain.
- The CA used above is CertGenCA.der, which CertGen uses by default when no CA is given explicitly.
- We need to append the CertGenCA certificate to the end of the server certificate ServerCert.pem, so that the file holds the full chain: the server certificate first, then its issuer.
- To append CertGenCA.der we first have to convert it to PEM format, using the WebLogic der2pem utility.
10. First copy the CertGenCA.der file from the %BEA_HOME%/wlserver_103/server/lib directory to the newly created ServerCert directory.
11. From the command prompt used above run the following command:
java utils.der2pem CertGenCA.der
12. The above command converts CertGenCA.der into CertGenCA.pem.
13. Now write the contents of ServerCert.pem followed by the contents of CertGenCA.pem into a new file with the command below (the order matters: the server certificate must come first, followed by the CA certificate):
type ServerCert.pem CertGenCA.pem > myCert.pem
14. WebLogic Server reads its SSL identity from a JKS keystore, so we import the myCert.pem chain created above together with the private key into a JKS file using the WebLogic ImportPrivateKey utility.
15. From the same command prompt run the command below:
java utils.ImportPrivateKey -keystore ServerIdentity.jks -storepass storepass -storetype JKS -keypass keypass -alias mykey -certfile myCert.pem -keyfile ServerKey.pem -keyfilepass keypass
keystore: ServerIdentity.jks – the JKS file into which the certificate and key are imported.
storepass: storepass – the password of the keystore file ServerIdentity.jks.
storetype: JKS – the type of keystore to create (JKS or PKCS12).
keypass: keypass – the password protecting the private key inside the keystore. For simplicity we reuse keypass.
alias: mykey – the alias under which the private key is stored and later looked up.
certfile: myCert.pem – the certificate chain to import into the keystore.
keyfile: ServerKey.pem – the private key to import into the keystore.
keyfilepass: keypass – the password given to the CertGen utility, required to read the private key from ServerKey.pem.
16. The above command creates the file ServerIdentity.jks. This file is used for configuring SSL on WebLogic Server.
17. The certificate authority for the certificate created above is the default CertGenCA, and this CA is already present in the DemoTrust.jks file.
18. So for the trust store of WebLogic Server we will use the default DemoTrust.jks file present in the %BEA_HOME%/wlserver_103/server/lib directory.
19. Copy the DemoTrust.jks file from that directory to our working directory, ServerCert.
Keep in mind that DemoTrust.jks and CertGenCA are only suitable for testing: the CertGenCA private key (CertGenCAKey.der) and the demo trust store passphrase ship with every WebLogic installation, so anyone with a copy of WebLogic can issue a client certificate that a server trusting DemoTrust.jks will accept. For a real deployment, issue both certificates from your own CA and build a trust store that contains only that CA.
20. Now start the Admin Server and log into the Admin Console.
21. Click on the Admin Server.
22. Enable the SSL port on the General configuration tab of the Admin Server and save.
23. By default the Admin Server SSL port is 7002.
24. Now click on the Keystores tab of the Admin Server.
25. Fill in the following entries:
Keystores: Custom Identity and Custom Trust
Custom Identity Keystore: C:\ServerCert\ServerIdentity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: storepass (same as the -storepass value of ImportPrivateKey)
Confirm Custom Identity Keystore Passphrase: storepass
Custom Trust Keystore: C:\ServerCert\DemoTrust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
Confirm Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
26. Save.
27. Click on the SSL tab:
Identity and Trust Locations: Keystores
Private Key Alias: mykey
Private Key Passphrase: keypass (same as the -keypass value of the ImportPrivateKey utility used above)
28. Click on Advanced and set Hostname Verification to None. This turns off the check that WebLogic performs, when it acts as an SSL client, that the host name it connected to matches the certificate it received. It is acceptable for a test domain with CertGen certificates whose subject may not match the host name, but in production issue a certificate for the correct host name and leave the default BEA Hostname Verifier in place.
29. Save.
30. Restart the Admin Server.
31. This completes the SSL configuration of WebLogic Server.
32. After restarting the Admin Server, check whether the Admin Console is accessible over the https port by opening the Admin Console URL on the SSL port (7002 by default) in Mozilla Firefox. Firefox does not know CertGenCA, so expect a certificate warning unless you import CertGenCA.der under Authorities in the Firefox certificate manager (requirement 4 above) or accept an exception for the test.
If the URL is accessible, the SSL configuration of the WebLogic Admin Server is correct.
Now we will configure two-way SSL.
On the Admin Server >>>> SSL tab >>>> Advanced options:
Two Way Client Cert Behavior: Client Cert Requested and Enforced
If you now try to access the Admin Console over SSL, the connection fails with an SSL handshake exception. This is expected: with two-way SSL the server also requests a certificate from the client, and we have not yet configured any certificate for our client (the Mozilla Firefox browser).
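The exchange described above, and the "Requested and Enforced" failure just mentioned, as an added runnable example that is not part of the original post and not WebLogic code: a Go program that builds a throwaway PKI in memory (a CA standing in for CertGenCA, a server certificate, a client certificate, plus a second CA and a client certificate the server has never heard of) and then runs the two-way handshake four times over a loopback socket. The names CertGenCA, ServerCert, ClientCert and SomeOtherCA are labels on constructed certificates, not files from a WebLogic installation, and loopback networking is assumed to be available. The step numbers in the comments refer to the handshake list above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { // key generation, signing and loopback listening do not fail in this demo
	if err != nil {
		panic(err)
	}
}

// issue creates an Ed25519 key and a certificate for cn as one identity (what a JKS or PKCS12 entry holds):
// self-signed when parent is nil (our stand-in for CertGenCA), otherwise signed by parent as CertGen does.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a leaf usable as server or client identity, issued for the host name "localhost"
		tmpl.DNSNames = []string{"localhost"}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

func trust(ca tls.Certificate) *x509.CertPool { // a trust store (DemoTrust.jks in the post) holding one CA
	p := x509.NewCertPool()
	p.AddCert(ca.Leaf)
	return p
}

// handshake runs one two-way SSL handshake over loopback TCP: srv is the server side, the client trusts clientCA
// and presents ids (none: the browser before the PKCS12 import). It returns the client CN the server
// authenticated, or the first error either side raised.
func handshake(srv *tls.Config, clientCA tls.Certificate, ids ...tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	must(err)
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second))
			tc := c.(*tls.Conn)
			if err = tc.Handshake(); err == nil { // step 6: the server verifies the client certificate here
				cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	cli := &tls.Config{RootCAs: trust(clientCA), ServerName: "localhost", Certificates: ids}
	c, cliErr := tls.Dial("tcp", ln.Addr().String(), cli) // step 3: the client verifies the server certificate here
	if cliErr != nil {
		ln.Close() // a connection that never got established would otherwise leave Accept blocked
	} else {
		defer c.Close()
	}
	srvErr := <-done
	if cliErr != nil {
		return "", cliErr
	}
	return cn, srvErr
}

// RunScenarios returns the CN the server authenticated when both trust stores are right, plus the
// handshake errors from the three misconfigurations the post can run into.
func RunScenarios() (string, map[string]error) {
	ca, otherCA := issue("CertGenCA", true, nil), issue("SomeOtherCA", true, nil)
	// Admin Server side: identity keystore, trust keystore, "Client Cert Requested and Enforced".
	srv := &tls.Config{Certificates: []tls.Certificate{issue("ServerCert", false, &ca)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust(ca)}
	good, rogue := issue("ClientCert", false, &ca), issue("ClientCert", false, &otherCA) // same CN, different issuer
	cn, err := handshake(srv, ca, good)
	must(err)
	failures := map[string]error{}
	_, failures["no client certificate"] = handshake(srv, ca)
	_, failures["client certificate from a CA the server does not trust"] = handshake(srv, ca, rogue)
	_, failures["server certificate from a CA the client does not trust"] = handshake(srv, otherCA, good)
	return cn, failures
}
```

Call RunScenarios from a main or a test. The first handshake succeeds and the server learns the client's CN; the other three fail, which is what the browser runs into before the PKCS12 import (no certificate), what a client presenting a certificate from a CA absent from the server trust store gets even though its CN is the expected one, and what happens when the client's own trust store lacks the server's CA. The point of the rogue certificate is that the server trusts the issuer, not the name in the certificate, which is why the trust store must hold only CAs you control.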
So we will configure a certificate for the client.
For that we again need a certificate and private key, this time for the client.
We will use the same WebLogic CertGen utility to create it.
33. From the command prompt opened above run the following command:
java utils.CertGen -certfile ClientCert -keyfile ClientKey -keyfilepass keypass
34. This again creates four files for the client: ClientCert.der, ClientCert.pem, ClientKey.der and ClientKey.pem.
35. Now we need to convert the client certificate and its key into PKCS12 format, because browsers import a personal certificate together with its private key from a PKCS12 file.
36. For this conversion we will use the OpenSSL tool, which is freely downloadable for Windows from the link below:
37. After installing OpenSSL, go to the OpenSSL bin directory and run openssl.exe.
38. This opens the OpenSSL command window where we can run OpenSSL commands.
39. At this OpenSSL prompt run the following command:
pkcs12 -export -in C:\ServerCert\ClientCert.pem -inkey C:\ServerCert\ClientKey.pem -out C:\ServerCert\client-pkcs-12-cert
It asks for the ClientKey.pem password: keypass
Enter the export password: keypass
Confirm the export password: keypass
40. This creates client-pkcs-12-cert, a PKCS12 file in which the export password protects the private key.
41. Now to configure the above certificate in the browser:
42. Open Mozilla Firefox >>> Tools >>> Options >>> Encryption >>> View Certificates:
43. On the Your Certificates tab click Import.
44. Select the client-pkcs-12-cert created above and enter the export password: keypass
45. This imports the client certificate into the browser.
46. Now restart the browser.
47. Try accessing the Admin Console through the browser. If Firefox asks which certificate to send, choose the one just imported.
48. This time the browser will be able to access the Admin Console, because it can now answer the server's certificate request in step 5 of the handshake.
If there is any SSL handshake issue, you can follow my post:
How to Debug SSL issues:
If the issue is still there, you can post your comments here.