Administering Security for Oracle WebLogic Server
13 Configuring Oracle OPSS Keystore Service

This chapter describes how to configure the Oracle OPSS Keystore Service for use with WebLogic Server.

Chapter 11, "Configuring Identity and Trust" describes how to configure identity and trust for WebLogic Server with the default JKS keystore type.

As described in "Managing Keys and Certificates with the Keystore Service" in Application Security Guide, the OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. The OPSS Keystore Service makes using certificates and keys easier by providing central management and storage of keys and certificates for all servers in a domain. You use the OPSS Keystore Service to create and maintain keystores of type KSS.

This chapter includes the following sections:

  Prerequisites for Using the OPSS Keystore Service
  Where is the OPSS Keystore Service Documented?
  Configuring the OPSS Keystore Service for Demo Identity and Trust: Main Steps
  Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps

This section assumes that you are familiar with a basic overview of the OPSS Keystore Service, as described in "Managing Keys and Certificates with the Keystore Service".

Prerequisites for Using the OPSS Keystore Service

You can use the OPSS Keystore Service with WebLogic Server only if you have installed the Oracle JRF template on the WebLogic Server system and used this template to create the domain.

The OPSS Keystore Service is available only with the JRF template and is not available with the default WebLogic Server configuration.

Where is the OPSS Keystore Service Documented?

The OPSS Keystore Service is documented in "Managing Keys and Certificates with the Keystore Service" in Application Security Guide. In particular, "Managing Keys and Certificates with the Keystore Service" describes how you create the KSS keystore, how to manage it, and what tools and commands are available.

This section briefly summarizes the steps you follow to configure the OPSS Keystore Service, but "Managing Keys and Certificates with the Keystore Service" in Application Security Guide is the definitive source.

Configuring the OPSS Keystore Service for Demo Identity and Trust: Main Steps

You can perform the OPSS Keystore Service operations using either Fusion Middleware Control or the Keystore Service commands with WLST. This section demonstrates the Fusion Middleware Control steps, but "Managing Keys and Certificates with the Keystore Service" describes both options.

You must configure the OPSS Keystore Service before you can use it for demo identity and trust with WebLogic Server.

Perform the following steps to configure an OPSS Keystore Service for demo identity and trust:

  1. Launch Fusion Middleware Control.

  2. From the WebLogic Domain menu, select Security then Keystore.

  3. Create a keystore named demoidentity in the system stripe. (See "Creating a Keystore with Fusion Middleware Control" for more information.)

    1. Select the system stripe and click Create Keystore.

      The Create Keystore page is shown in Figure 13-1.

      Figure 13-1 Create Keystore


    2. Name this keystore demoidentity.

    3. Set the protection type to Password.

    4. Set the password to DemoIdentityKeyStorePassPhrase, and confirm.

    5. Uncheck the Grant Permission check box.

    6. Do not specify a code base URL.

  4. Select the demoidentity keystore you just created and click Manage.

    Enter the DemoIdentityKeyStorePassPhrase password.

    The Manage Certificates screen shown in Figure 13-2 appears.

    Figure 13-2 Manage Certificates


  5. Click Generate Keypair to generate a private/public key pair.

    The Generate Keypair screen is shown in Figure 13-3.

    Figure 13-3 Generate Keypair


    1. Specify DemoIdentity as the alias for the key pair.

    2. Specify the Common Name as DemoCertFor_<WLS Domain Name>, where DemoCertFor_ is a required constant and <WLS Domain Name> is the WebLogic Server domain name. For Example: DemoCertFor_base_domain.

      Note:

      The WebLogic Server DefaultHostnameVerifier has been modified to accept this non-standard hostname format when you set the "Use KSS For Demo" flag in the security configuration for the WebLogic Server domain. Other hostname verifiers, and clients outside WebLogic Server, may reject a certificate whose Common Name does not match the host they connected to.

    3. Specify other site-specific information as appropriate.

    4. You can accept the default RSA key size if appropriate for your environment. Oracle requires a key length of 1024 bits or larger; current guidance treats 1024-bit RSA as deprecated, so use 2048 bits or larger unless a legacy peer forces otherwise.

    5. Specify the password as DemoIdentityPassPhrase.

    6. Click OK.

  6. From the WebLogic Server Administration Console, navigate to the Domain -> Security -> Advanced page, and enable the "Use KSS For Demo" check box.

  7. Configure the WebLogic Server instance to use Demo Identity and Demo Trust, as described in Configure keystores.

  8. Configure SSL for the WebLogic Server instance, as described in Set Up SSL.

    Remember that the WebLogic Server DefaultHostnameVerifier has been modified to accept the non-standard DemoCertFor_<WLS Domain Name> hostname format only when "Use KSS For Demo" is enabled. Other hostname verifiers may not support this format, and the key pair is signed by the demo CA, so this configuration is for development and test environments, not production.

  9. Restart WebLogic Server.
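The same demo identity and trust procedure, scripted with the OPSS Keystore Service WLST commands that the Application Security Guide documents as the alternative to Fusion Middleware Control. This is an added example, not a script from the Oracle documentation. The keystore name, passwords, alias and Common Name prefix are the values the steps above require; the administration URL, credentials, domain name, server name and SSL port are assumptions to replace with your own. Run it from the JRF-enabled home ($ORACLE_HOME/oracle_common/common/bin/wlst.sh), because getOpssService is not available in the plain WebLogic Server WLST.

```jython
# Added example: OPSS Keystore Service demo identity via WLST (Jython).
# Assumptions: admin URL/credentials, domain and server names, SSL port.
ADMIN_URL  = 't3://localhost:7001'
ADMIN_USER = 'weblogic'
ADMIN_PASS = 'welcome1'              # assumption: use your own credential
DOMAIN     = 'base_domain'           # assumption: your WebLogic Server domain name
SERVER     = 'AdminServer'           # assumption: the server that will use demo identity
SSL_PORT   = 7002                    # assumption: SSL listen port

# Values required by the procedure on this page.
KS_NAME = 'demoidentity'
KS_PASS = 'DemoIdentityKeyStorePassPhrase'
ALIAS   = 'DemoIdentity'
KEYPASS = 'DemoIdentityPassPhrase'
CN      = 'DemoCertFor_' + DOMAIN    # accepted by DefaultHostnameVerifier only with UseKSSForDemo

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
svc = getOpssService(name='KeyStoreService')

# Steps 3 and 5: password-protected keystore in the 'system' stripe
# (permission=false is the "Grant Permission" box left unchecked), then the key pair.
svc.createKeyStore(appStripe='system', name=KS_NAME, password=KS_PASS, permission=false)
svc.generateKeyPair(appStripe='system', name=KS_NAME, password=KS_PASS,
                    dn='cn=' + CN, keysize='2048', alias=ALIAS, keypassword=KEYPASS)

# Check before touching the server config: the alias must be listed.
svc.listKeyStoreAliases(appStripe='system', name=KS_NAME, password=KS_PASS, type='*')

# Steps 6 to 8: "Use KSS For Demo", DemoIdentityAndDemoTrust, SSL listener.
edit()
startEdit()
cd('/SecurityConfiguration/' + DOMAIN)
cmo.setUseKSSForDemo(true)
cd('/Servers/' + SERVER)
cmo.setKeyStores('DemoIdentityAndDemoTrust')
cd('/Servers/' + SERVER + '/SSL/' + SERVER)
cmo.setEnabled(true)
cmo.setListenPort(SSL_PORT)
save()
activate()
disconnect()
# Step 9: restart the server so every SSL channel uses the new identity.
```

The listKeyStoreAliases call is the check a practitioner wants between the keystore steps and the server steps: if the alias DemoIdentity is not reported, the server will not find a demo identity after the restart and SSL will fail at startup rather than at configuration time.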

Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps

You must configure the OPSS Keystore Service before you can use it for custom identity and trust with WebLogic Server.

You can perform the OPSS Keystore Service operations using either Fusion Middleware Control or the Keystore Service commands with WLST. This section demonstrates the Fusion Middleware Control steps, but "Managing Keys and Certificates with the Keystore Service" describes both options.

Perform the following steps to configure an OPSS Keystore Service for custom identity and trust:

  1. Launch Fusion Middleware Control.

  2. From the WebLogic Domain menu, select Security then Keystore.

  3. Create a keystore in the system stripe. (See "Creating a Keystore with Fusion Middleware Control" for more information.)

    1. Select the system stripe and click Create Keystore.

      The Create Keystore page is shown in Figure 13-4.

      Figure 13-4 Create Keystore


    2. Name this keystore.

    3. Set the protection type to Password.

    4. Set the password.

    5. Uncheck the Grant Permission check box.

    6. Do not specify a code base URL.

  4. Select the keystore you just created and click Manage.

    Enter the password.

    The Manage Certificates screen shown in Figure 13-5 appears.

    Figure 13-5 Manage Certificates


  5. Click Generate Keypair to generate a private/public key pair.

    The Generate Keypair screen is shown in Figure 13-6.

    Figure 13-6 Generate Keypair


    1. Specify the alias for the key pair.

    2. Specify site-specific information as appropriate.

    3. You can accept the default RSA key size if appropriate for your environment. Oracle requires a key length of 1024 bits or larger; for a certificate that a public CA will sign, expect 2048 bits to be the minimum the CA accepts.

    4. Specify the password.

    5. Click OK.

  6. You have the option to use this key pair as-is, with the certificate the KSS demo CA signed when the pair was generated, or to obtain a certificate signed by a certificate authority (CA) such as Entrust, Verisign, and so forth. A demo-CA-signed certificate is trusted only where the demo CA is trusted, so obtain a CA-signed certificate for anything other than a test environment.

    To obtain a CA-signed certificate, select the alias for the key pair and click Generate CSR. After you create a CSR, send it to your CA, which will authenticate the certificate request and create a digital certificate based on the request.

    See "Importing a Certificate or Trusted Certificate with Fusion Middleware Control" in Application Security Guide for instructions on how to import the CA-signed certificate.

  7. If you do not use the preconfigured OPSS Keystore Service trust store kss://system/trust, you must create your own.

    Note:

    Oracle recommends you use the preconfigured OPSS Keystore Service trust store.

    To create your own trust store, create another OPSS Keystore Service keystore, and import trusted certificates. See "Importing a Certificate or Trusted Certificate with Fusion Middleware Control" in Application Security Guide for instructions on how to import trusted certificates.

  8. Configure the WebLogic Server instance to use KSS for Custom Identity and Trust, as described in Configure keystores. You specify the fully-qualified path to the keystore as the URI in the form kss://system/keystore-name. The keystore type is KSS.

  9. Configure SSL for the WebLogic Server instance, as described in Set Up SSL.
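The custom identity and trust procedure, scripted with the same OPSS Keystore Service WLST commands, as an added example rather than a script from the Oracle documentation. Unlike the demo case, the keystore name, alias, passwords, subject DN, file paths, administration URL, credentials and server name are all assumptions to replace with your own; the kss://system/<keystore-name> URI form and the KSS keystore type are what step 8 above specifies. The example uses the preconfigured kss://system/trust store, as Oracle recommends, and adds the CA root to it so the server's own certificate chain validates. Run it from $ORACLE_HOME/oracle_common/common/bin/wlst.sh.

```jython
# Added example: OPSS Keystore Service custom identity and trust via WLST (Jython).
# Every value below is an assumption for illustration; replace with your own.
ADMIN_URL  = 't3://localhost:7001'
ADMIN_USER = 'weblogic'
ADMIN_PASS = 'welcome1'
SERVER     = 'AdminServer'

KS_NAME   = 'myidentity'                          # becomes kss://system/myidentity
KS_PASS   = 'keystore-passphrase'
ALIAS     = 'wlscert'
KEYPASS   = 'key-passphrase'
SUBJECT   = 'cn=wls.example.com,o=Example,c=US'   # CN must match the host clients connect to
CSR_FILE  = '/tmp/wls.example.com.csr'            # sent to the CA
CERT_FILE = '/tmp/wls.example.com.pem'            # returned by the CA
CA_FILE   = '/tmp/example-ca-root.pem'            # the CA's root certificate

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
svc = getOpssService(name='KeyStoreService')

# Steps 3 and 5: password-protected keystore in the 'system' stripe and a 2048-bit key pair.
svc.createKeyStore(appStripe='system', name=KS_NAME, password=KS_PASS, permission=false)
svc.generateKeyPair(appStripe='system', name=KS_NAME, password=KS_PASS,
                    dn=SUBJECT, keysize='2048', alias=ALIAS, keypassword=KEYPASS)

# Step 6: export the CSR; after the CA signs it, import the certificate under the
# same alias, which replaces the demo-CA-signed certificate generated above.
svc.exportKeyStoreCertificateRequest(appStripe='system', name=KS_NAME, password=KS_PASS,
                                     alias=ALIAS, keypassword=KEYPASS, filepath=CSR_FILE)
svc.importKeyStoreCertificate(appStripe='system', name=KS_NAME, password=KS_PASS,
                              alias=ALIAS, keypassword=KEYPASS,
                              type='Certificate', filepath=CERT_FILE)

# Step 7: keep the preconfigured trust store and add the CA root to it.
# The preconfigured system/trust store is permission-protected, so no password
# is supplied (assumption: your installation has not changed that).
svc.importKeyStoreCertificate(appStripe='system', name='trust', password='',
                              alias='example-ca-root', keypassword='',
                              type='TrustedCertificate', filepath=CA_FILE)

# Check: identity alias present in the identity store, CA root present in trust.
svc.listKeyStoreAliases(appStripe='system', name=KS_NAME, password=KS_PASS, type='*')
svc.listKeyStoreAliases(appStripe='system', name='trust', password='', type='TrustedCertificate')

# Steps 8 and 9: KSS URIs, keystore type KSS, and the SSL private key alias.
edit()
startEdit()
cd('/Servers/' + SERVER)
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo.setCustomIdentityKeyStoreFileName('kss://system/' + KS_NAME)
cmo.setCustomIdentityKeyStoreType('KSS')
cmo.setCustomIdentityKeyStorePassPhrase(KS_PASS)
cmo.setCustomTrustKeyStoreFileName('kss://system/trust')
cmo.setCustomTrustKeyStoreType('KSS')
cd('/Servers/' + SERVER + '/SSL/' + SERVER)
cmo.setServerPrivateKeyAlias(ALIAS)
cmo.setServerPrivateKeyPassPhrase(KEYPASS)
cmo.setEnabled(true)
save()
activate()
disconnect()
# Restart the server so existing SSL connections also move to the new identity.
```

Two points of the design are worth keeping in mind: the CA-signed certificate is imported under the alias that already holds the private key, so the alias named in the SSL configuration does not change between the demo-CA stage and the CA-signed stage; and the CA root goes into the trust store rather than the identity store, so trust decisions stay separate from the server's own credential.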

All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Existing connections continue to run with the old configuration. To ensure that all SSL connections use the specified configuration, you must restart WebLogic Server.