How generateSSLCertificates Creates Two-Way Host Certificates

To create two-way host certificates using generateSSLCertificates, follow these steps:

  1. If there is a CA root certificate in the deployment_template\ssl_certs_utility\bin\ssl directory, the generateSSLCertificates utility loads the filename of this certificate. It will use the CA root certificate to sign the SSL host certificates that it generates.

  2. If there is no CA root certificate in deployment_template\ssl_certs_utility\bin\ssl, the generateSSLCertificates utility:

    1. Generates a self-signed root certificate.

    2. Places the root certificate in the directory deployment_template\ssl_certs_utility\bin\ssl .

  3. The generateSSLCertificates utility generates SSL host certificates in PEM, PKCS12, and JKS formats. To do this, it:

    1. Prompts the user to specify the hostname and domain name of the server.

    2. Generates a host certificate.

    3. Adds the hostname and domain name to the host certificate.

    4. Places the host certificate in the directory deployment_template\ssl_certs_utility\bin\ssl.

    5. Prompts the user to specify passphrases for the keystore and trust store files.

    6. Prompts the user to specify a keyname to add passphrases to OCS with the mapName oracleCommerceSSLPassPhrase.

    Note

    Each of the host certificates is digitally signed by the CA root certificate.

  4. It prompts users to indicate whether they want to generate a certificate for another host.

The hosts in the distributed system use the certificates created by generateSSLCertificates as follows:

  1. The server and each client load one of the SSL host certificates created by generateSSLCertificates.

  2. When a client asks to verify the server, the server sends its SSL host certificate to the client.

  3. The client verifies the SSL host certificate by comparing it to its own CA Certificate, which was signed by the Certificate Authority that signed the root certificate.

  4. When a server asks to verify a client, the client sends its SSL client certificate to the server.

  5. The server verifies the SSL client certificate by comparing it to its own CA Certificate, which was signed by the Certificate Authority that signed the root certificate.

Because the server and the clients have certificates signed by a Certificate Authority whom they all trust, they can recognize each other as trustworthy.

The following figure illustrates how generateSSLCertificates establishes SSL connections between Oracle Commerce components:

Copyright © Legal Notices