Administration Console Online Help

Servers: Configuration: Keystores

Keystores ensure the secure storage and management of private keys and trusted certificate authorities (CAs). This page lets you view and define various keystore configurations. These settings help you to manage the security of message transmissions.

WebLogic Server is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Server trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment.

After you configure identity and trust keystores for a WebLogic Server instance, you can configure its SSL attributes. These attributes include information about the identity and trust location for particular server instances. Use the Configuration: SSL page to specify this information.

For purposes of backward compatibility, WebLogic Server lets you store private keys and trusted certificate authorities in files or in the WebLogic Keystore provider. If you use either of these mechanisms for identity and trust, choose the Files or Keystore Providers (Deprecated) option on the Configuration: SSL page.

Note: When using the WebLogic Keystore provider, digital certificates are stored in files.

Configuration Options

Name Description
Keystores

Which configuration rules should be used for finding the server's identity and trust keystores?

MBean Attribute:
ServerMBean.KeyStores

Custom Identity Keystore

The path and file name of the identity keystore.

The path name must either be absolute or relative to where the server was booted. The custom identity key store file name is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

MBean Attribute:
ServerMBean.CustomIdentityKeyStoreFileName

Custom Identity Keystore Type

The type of the keystore. Generally, this is JKS.

If empty or null, then the JDK's default keystore type (specified in java.security) is used. The custom identity key store type is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

MBean Attribute:
ServerMBean.CustomIdentityKeyStoreType

Custom Identity Keystore Passphrase

The encrypted custom identity keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute to the encrypted value.

Using this attribute (CustomIdentityKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use CustomIdentityKeyStorePassPhraseEncrypted.

MBean Attribute:
ServerMBean.CustomIdentityKeyStorePassPhrase

Changes take effect after you redeploy the module or restart the server.

Custom Trust Keystore

The path and file name of the custom trust keystore.

The path name must either be absolute or relative to where the server was booted. This file name is only used if KeyStores is CUSTOM_IDENTITY_AND_CUSTOM_TRUST.

MBean Attribute:
ServerMBean.CustomTrustKeyStoreFileName

Custom Trust Keystore Type

The type of the keystore. Generally, this is JKS.

If empty or null, then the JDK's default keystore type (specified in java.security) is used. This keystore type is only used if KeyStores is CUSTOM_IDENTITY_AND_CUSTOM_TRUST.

MBean Attribute:
ServerMBean.CustomTrustKeyStoreType

Custom Trust Keystore Passphrase

The custom trust keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_CUSTOM_TRUST.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the CustomTrustKeyStorePassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the CustomTrustKeyStorePassPhraseEncrypted attribute to the encrypted value.

Using this attribute (CustomTrustKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use CustomTrustKeyStorePassPhraseEncrypted.

MBean Attribute:
ServerMBean.CustomTrustKeyStorePassPhrase

Changes take effect after you redeploy the module or restart the server.

Java Standard Trust Keystore

The path and file name of the trust keystore.

Java Standard Trust Keystore Type

The type of the keystore. Generally, this is JKS.

Java Standard Trust Keystore Passphrase

The password for the Java Standard Trust keystore. This password is defined when the keystore is created.

If empty or null, then the keystore will be opened without a passphrase.

This attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST or DEMO_IDENTITY_AND_DEMO_TRUST.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the JavaStandardTrustKeyStorePassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the JavaStandardTrustKeyStorePassPhraseEncrypted attribute to the encrypted value.

Using this attribute (JavaStandardTrustKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use JavaStandardTrustKeyStorePassPhraseEncrypted.

MBean Attribute:
ServerMBean.JavaStandardTrustKeyStorePassPhrase

Changes take effect after you redeploy the module or restart the server.
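
The memory concern raised for the three passphrase attributes above (CustomIdentityKeyStorePassPhrase, CustomTrustKeyStorePassPhrase, JavaStandardTrustKeyStorePassPhrase) applies to any Java code that handles a keystore passphrase. The following is an added example, not WebLogic or Oracle code: it uses only the JDK KeyStore API, keeps the passphrase in a char[] that is wiped after use, and applies the empty-or-null rules for type and passphrase described on this page. The class name, method names and sample passphrase are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical class; not part of WebLogic Server.
public class KeystorePassphraseDemo {

    // An empty or null type falls back to the JDK default
    // (the keystore.type property in java.security).
    static String resolveType(String configuredType) {
        return (configuredType == null || configuredType.isEmpty())
                ? KeyStore.getDefaultType() : configuredType;
    }

    // Opens a keystore with a char[] passphrase and wipes the array afterwards,
    // so the caller is not left with an immutable String waiting for GC.
    // A null passphrase opens a JKS store without the integrity check.
    static KeyStore open(InputStream in, String configuredType, char[] passphrase)
            throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance(resolveType(configuredType));
            ks.load(in, passphrase);
            return ks;
        } finally {
            if (passphrase != null) Arrays.fill(passphrase, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS keystore built in memory.
        // Real code would obtain the char[] from Console.readPassword(),
        // not from a String literal as this self-contained demo does.
        char[] create = "constructed-sample".toCharArray();
        KeyStore fresh = KeyStore.getInstance("JKS");
        fresh.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        fresh.store(out, create);
        Arrays.fill(create, '\0');

        char[] pass = "constructed-sample".toCharArray();
        KeyStore ks = open(new ByteArrayInputStream(out.toByteArray()), "JKS", pass);
        System.out.println("type=" + ks.getType() + " entries=" + ks.size());
        System.out.println("wiped=" + (pass[0] == '\0'));
    }
}
```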

Demo Identity Keystore

The path and file name of the demo identity keystore.

Demo Identity Keystore Type

The type of the demo identity keystore. Generally, this is JKS; if left blank, it defaults to JKS.

Demo Identity Keystore Passphrase

The demo identity keystore's encrypted passphrase. If empty or null, then the keystore will be opened without a passphrase.

Demo Trust Keystore

The path and file name of the demo trust keystore.

Demo Trust Keystore Type

The type of the demo trust keystore. Generally, this is JKS; if left blank, it defaults to JKS.

Demo Trust Keystore Passphrase

The demo trust keystore's encrypted passphrase. If empty or null, then the keystore will be opened without a passphrase.
