7 Using the SSL Automation Tool

This chapter contains the following sections:

7.1 Introduction to the SSL Automation Tool

The Oracle SSL Automation Tool enables you to configure multiple components in a domain using a domain-specific CA certificate.

The task of enabling SSL in a deployment can be intimidating and cumbersome for administrators. Manual configuration of SSL generally requires an administrator to have some expertise in several areas, such as:

  • SSL as a technology

  • Low-level tools available to perform SSL configuration and administration

  • Best security practices

The Oracle SSL Automation Tool replaces manual procedures and simplifies SSL configuration. It enables you to generate a central, self-signed CA certificate, configure component servers with that certificate, and provide the CA certificate as a trusted certificate to multiple clients. It ensures that a network of trust is established in a consistent manner on all clients and servers, and can be used for both outward facing connections and for connections within the DMZ.

The SSL Automation Tool is based on a trust model, which introduces the concept of SSL Domains. An SSL domain is the security environment in which all the SSL components are deployed with the same CA signed certificates. Each SSL Domain has associated with it a self-signed Domain CA. All components within this SSL Domain implicitly trust the Domain CA. Additionally, this Domain CA can generate SSL Server Certificates for the server components deployed within that SSL Domain. If the server components in one SSL Domain (A) need to be trusted by a client component in another SSL Domain (B), then only the Domain CA certificate from (A) need be imported and trusted by the client component in SSL Domain (B).

The tool consists of a series of shell scripts: three main SSL scripts and several component-specific scripts.

Table 7-1 lists the main scripts.

Table 7-1 Main Scripts

Script Function

SSLGenCA.sh

Generates the CA certificate and stores it in an LDAP directory

SSLServerConfig.sh

Configures the servers

SSLClientConfig.sh

Configures the clients


The server and client configuration scripts invoke component-specific scripts, depending on the value of an option that you specify on the command line when you invoke the main script.

The scripts use the LDAP Policy Store present in a deployment to centrally store the SSL Domain CA wallets. These SSL Domain CA wallets are protected by LDAP access controls, with access granted only to members of the SSL Administrators group. You must be a member of the group to run the scripts.

The SSL Automation Tool provides the following benefits:

  • It provides a consistent set of interfaces for consumption by administrators.

  • It removes the propagation of self-signed certificates and reduces the number of relevant trust points, which are now limited to SSL Domain CAs.

  • It ensures that only properly authorized SSL Administrators are allowed to perform SSL related administrative tasks.

  • It allows support for additional components to be added incrementally without the need for fundamental change.

7.2 Prerequisites

Before you attempt to use this tool, ensure that you have performed the tasks described in this section.

7.2.1 Setting up Oracle Fusion Middleware Environment

All the components of your Oracle Fusion Middleware environment must be up and running before you invoke the scripts to configure SSL on those components.

If your components are running on Windows platforms, you must obtain and install Cygwin from http://www.cygwin.com before you can use the scripts. Set the ORACLE_HOME environment variable in the Cygwin shell. For example:

export ORACLE_HOME='C:/rc8/fmwhome/Oracle_Home/'

7.2.2 Assembling Required Information

Make sure you have the values of the following variables listed in Table 7-2 and Table 7-3 available before you invoke the SSL scripts.

Table 7-2 Domain-Level Information Variables for SSL Automation Tool

Variable

HOSTNAME

ORACLE_HOME (Fusion Middleware)

ORACLE_COMMON

MIDDLEWARE_HOME

DOMAIN_NAME

DOMAIN_HOME

DOMAIN_ADMINISTRATOR_USERNAME

DOMAIN_ADMINISTRATION_PASSWORD

DOMAIN_HOST_NAME

ADMINSERVER_PORT

DOMAIN_ADMINISTRATOR_USERNAME

DOMAIN_ADMINISTRATION_PASSWORD

INSTANCE_HOME

INSTANCE_NAME


Table 7-3 Component-Specific Information Variables for SSL Automation Tool

Variable

OVD_NAME

OVD_PORT

OID_NAME

OID_PORT

OID_SSL_PORT

OID_ADMIN

OID_ADMIN_PASSWORD

DB_HOST

DB_PORT

DB_SERVICE_NAME

DB_SID


7.3 Generating the CA Certificate

You invoke the CA certificate generating script SSLGenCA.sh to initialize and create an SSL Domain and generate the SSL Domain CA. Run the script only once for the whole SSL domain. If you run it again, you must configure all the servers and clients with the newly-generated CA wallet. An SSL domain is the security environment in which all the SSL components will be deployed with the same CA signed certificates.

Enter a shell that is set up with the default environment for an Oracle Fusion Middleware installation.

To run this script, you need the following information:

  • Connection information (host and port) for the LDAP directory used by the deployment

  • Administrator credentials that enable you to access that LDAP directory

  • The name of the SSL Domain

Execute this command:

$ORACLE_COMMON_HOME/oracle_common/bin/SSLGenCA.sh

Provide information when prompted.

This script performs the following tasks:

  • Creates a Demo Signing CA wallet for use in the domain.

  • Extracts the public Demo CA Certificate from the CA wallet.

  • Uploads the wallet and the certificate to LDAP and stores them in the entry: cn=demoCA,Deployment_SSL_Domain.

  • Creates an access group in LDAP: cn=sslAdmins, cn=demoCA,Deployment_SSL_Domain and grants that group administrative privileges to the parent container. All other entities are denied access. (Add users to the group to give access.)

    The Demo CA Certificate is now available for download by an anonymous or authenticated user.

  • The Demo CA Wallet password is stored locally in an obfuscated wallet for future use. Its path is: $ORACLE_HOME/credCA/castore.

    As administrator, you must secure this wallet so that only SSL administrators can read it.

7.3.1 Example: Generating a Certificate

This example shows a run of SSLGenCA.sh to generate a new CA wallet and store it in the Policy Store (LDAP server).

$ SSLGenCA.sh 

SSL Certificate Authority Generation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

 ************************************************************************
*********** This tool will generate a self-signed CA wallet ************
*********** and store it in a central LDAP directory        ************
*********** for IDM and FA SSL setup and provisioning       ************
************************************************************************
>>>Enter the LDAP hostname [adc2100651.example.com]: 
>>>Enter the LDAP port [3060]: 20040
>>>Enter the admin user [cn=orcladmin] 
>>>Enter password for cn=orcladmin:  
>>>Enter the LDAP sslDomain where your CA will be stored [idm]: 
>>>Enter a password to protect your CA wallet:  
>>>Enter confirmed password for your CA wallet: 
 
Generate a new CA Wallet...
Create SSL Domains Container for cn=idm,cn=sslDomains...
Storing the newly generated CA to the LDAP...
Setup ACL to protect the CA wallet...
The newly generated CA is stored in LDAP entry cn=demoCA,cn=idm,cn=sslDomains successfully

7.4 Configuring a Component Server

You configure a server by invoking the SSLServerConfig.sh script. This script uses the SSL Domain CA to generate a Server Certificate. Then the script passes control to a component specific configuration script, which picks up the generated Server Certificate and configures the component to accept SSL connections.

To run this script, you need the following information:

  • Connection information (host and port) for the LDAP directory used by the deployment.

  • Administrator credentials that enable you to access that LDAP directory.

  • Server name. This can be either the WebLogic Administration Server or a Managed Server.

Before invoking the script, enter a shell that is set up with the default environment for an Oracle Fusion Middleware installation. The location of the script is: $ORACLE_COMMON_HOME/oracle_common/bin/SSLServerConfig.sh The syntax for the script is:

SSLServerConfig.sh -component [oid|ovd|oam|wls] [-v]

Specify one and only one component. Depending on the component you specify, SSLServerConfig.sh invokes a component-specific script. Component-specific server scripts have names of the form COMPONENT_NAME_SSL_Server_Config.sh.

If you specify the component option wls, the script configures all Java EE components on the named server. Java EE components include Oracle Identity Navigator, Oracle Access Manager 11g, Oracle Identity Manager, and Oracle Identity Federation.

To configure Oracle Internet Directory, Oracle Virtual Directory, or Oracle Access Manager 10g, use the appropriate component option, as shown in Table 7-4.

Table 7-4 Component Options to SSLServerConfig.sh

Component Option Script Invoked Component Configured

wls

WLS_SSL_Server_Config.sh

Oracle WebLogic Server and Java EE components

oid

OID_SSL_Server_Config.sh

Oracle Internet Directory server

ovd

OVD_SSL_Server_Config.sh

Oracle Virtual Directory server

oam

OAM_SSL_Server_Config.sh

Oracle Access Manager 10g server


Provide information when prompted.

This script performs the following tasks:

  • Downloads the Demo Signing CA generated in Section 7.3 and stores it in $ORACLE_HOME/rootCA.

  • Executes the component-specific script COMPONENT_NAME_SSL_Server_Config.sh, if appropriate.

The component-specific script performs the following tasks:

  • Generates a server certificate based on the Demo Signing CA Wallet.

  • Imports the certificate into the component-specific wallet/keystore.

  • Configures the component instance for SSL Server-Auth, based on the new server certificate in the component specific wallet/keystore.

7.4.1 Example: Configuring a WebLogic Server and Java EE Components

$ ./SSLServerConfig.sh -component wls

Server SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

Downloading the CA wallet from the central LDAP location...
>>>Enter the LDAP Hostname [adc2100651.example.com]:
>>>Enter the LDAP port [3060]: 16468
>>>Enter an admin user DN [cn=orcladmin]
>>>Enter password for cn=orcladmin:
>>>Enter the sslDomain for the CA [idm]:
>>>Enter a password to protect your SSL wallet/keystore:
>>>Enter confirmed password for your SSL wallet/keystore:
>>>Enter password for the CA wallet:
>>>Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>>Searching the LDAP for the CA userpkcs12 ...

Invoking Weblogic SSL Server Configuration Script...
Enter attribute values for your certificate DN
>>>Country Name 2 letter code [US]:
>>>State or Province Name [California]:
>>>Locality Name(eg, city) []:Belmont
>>>Organization Name (eg, company) [mycompany]:Oracle
>>>Organizational Unit Name (eg, section) [wls-20101123115644]:wls-admin
>>>Common Name (eg, hostName.domainName.com) [adc2100651.example.com]:
The subject DN is
 cn=adc2100651.example.com,ou=wls-admin,O=Oracle,l=Belmont,st=California,c=US
>>>Import the existing CA at /mw784/im7335/rootCA/cacert.der into keystore...
>>>Import the server certificate at /mw784/im7335/rootCA/keystores/wls/cert.txt into kstore...
Configuring SSL for your WLS server instance...
>>>Enter your WLS domain home directory: /mw784/user_projects/domains/imdomain8017
>>>Enter your WLS server instance name [AdminServer]
Enter SSL Listen Port: [7002] 7778
>>>Enter weblogic admin port: [7001] 19249
>>>Enter weblogic admin user: [weblogic]
>>>Enter password for weblogic:
>>>Enter your keystore name [identity.jks]: id.jks /mw784/im7335/rootCA/keystores/wls/mw784/user_projects/domains/imdomain8017/keystores/id.jks
Configuring WLS AdminServer ...
Running /mw784/im7335/common/bin/wlst.sh /mw784/im7335/rootCA/keystores/wls/wlssvr.py...
Your WLS server has been set up successfully 

7.4.2 Example: Configuring an Oracle Internet Directory Server Component

$ ./SSLServerConfig.sh -component oid
Server SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

Downloading the CA wallet from the central LDAP location...
>>> Enter the LDAP Hostname [adc2100651.example.com]: 
>>> Enter the LDAP port [3060]: 16468
>>> Enter an admin user DN [cn=orcladmin] 
>>> Enter password for cn=orcladmin:  
>>> Enter the sslDomain for the CA [idm]: 
>>> Enter a password to protect your SSL wallet/keystore:  
>>> Enter confirmed password for your SSL wallet/keystore:  
>>> Enter password for the CA wallet:  Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>> Searching the LDAP for the CA userpkcs12 ...

Invoking OID SSL Server Configuration Script...
Enter attribute values for your certificate DN
>>> Country Name 2 letter code [US]:
>>> State or Province Name [California]:
>>> Locality Name(eg, city) []:Belmont
>> Organization Name (eg, company) [mycompany]:Example
>>> Organizational Unit Name (eg, section) [oid-20101118211946]:
>>> Common Name (eg, hostName.domainName.com) [adc2100651.example.com]:
The subject DN is cn=adc2100651.example.com,ou=oid-20101118211946,O=Example,l=Belmont,st=California,c=US

Creating an Oracle SSL Wallet for oid instance...
/mw784/im7335/../oracle_common/bin
>>> Enter your OID component name: [oid1] Enter the weblogic admin port: [7001] 19249
>>> Enter the weblogic admin user: [weblogic] 
>>> Enter weblogic password:  
>>> Enter your AS instance name:[asinst_1] iminst8017
>>> Enter an SSL wallet name for OID component [oid_wallet1] 
Checking the existence of oid_wallet1 in the OID server...
Configuring the newly generated Oracle Wallet with your OID component...
Do you want to restart your OID component?[y/n]y

Do you want to test your SSL set up?[y/n]y
>>> Please enter your OID ssl port:[3131] 16180
>>> Invoking /mw784/im7335/bin/ldapbind -h adc2100651.example.com -p 16180 -U 2 -D cn=orcladmin ...
Bind successful

Your oid1 SSL server has been set up successfully

7.4.3 Example: Configuring an Oracle Virtual Directory Server Component

$ ./SSLServerConfig.sh -component ovd
Server SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

Downloading the CA wallet from the central LDAP location...
>>> Enter the LDAP Hostname [adc2100651.example.com]: 
>>> Enter the LDAP port [3060]: 16468
>>> Enter an admin user DN [cn=orcladmin] 
>>> Enter password for cn=orcladmin:  
>>> Enter the sslDomain for the CA [idm]: 
>>> Enter a password to protect your SSL wallet/keystore:  
>>> Enter confirmed password for your SSL wallet/keystore:  
>>> Enter password for the CA wallet:  
Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>> Searching the LDAP for the CA userpkcs12 ...

Invoking OVD SSL Server Configuration Script...
Enter attribute values for your certificate DN
>>> Country Name 2 letter code [US]:
>>> State or Province Name [California]:
>>> Locality Name(eg, city) []:redwood
>>> Organization Name (eg, company) [mycompany]:
>>> Organizational Unit Name (eg, section) [ovd-20101118212540]:
>>> Common Name (eg, hostName.domainName.com) [adc2100651.example.com]:
The subject DN is cn=adc2100651.example.com,ou=ovd-20101118212540,l=redwood,st=California,c=US
>>> Import the existing CA at /mw784/im7335/rootCA/cacert.der into keystore...
>>> Import the server certificate at /mw784/im7335/rootCA/keystores/ovd/cert.txt into kstore... 
>>> Enter your OVD instance name [ovd1] 
>>> Enter your Oracle instance [asinst_1]: iminst8017
>>> Enter weblogic admin port: [7001] 19249
>>> Enter weblogic admin user: [weblogic] 
>>> Enter password for weblogic:  
>>> Enter your keystore name [ovdks1.jks]:
 
Checking the existence of ovdks1.jks in the OVD...
Configuring ovdks1.jks for ovd1 listener...
Do you want to restart your OVD instance?[y/n]y

Do you want to test your OVD SSL set up?[y/n]y

Please enter your OVD ssl port:[3131] 24888
/mw784/im7335/bin/ldapbind -h adc2100651.example.com -p 24888 -U 2 -D =orcladmin ...
Bind successfully to OVD SSL port 24888
Your  SSL server has been set up successfully

7.4.4 Example: Configuring an Oracle Access Manager 10g Server Component

$ SSLServerConfig.sh -component oam

Server SSL Automation Script: Release 11.1.1.4.0 - ProductionCopyright (c) 2010 Oracle.  All rights reserved.
 
 
Downloading the CA wallet from the central LDAP location...
>>>Enter the LDAP Hostname [adc123.example.com]: 
>>>Enter the LDAP port [3060]: 16625
>>>Enter an admin user DN [cn=orcladmin] 
>>>Enter password for cn=orcladmin:  
>>>Enter the ssl domain name [idm]: 
>>>Searching the LDAP for the CA usercertificate ...
>>>Searching the LDAP for the CA userpkcs12 ...

 Invoking OAM SSL Server Configuration Script...
>>>Enter your OAM10 Access Server install location: [e.g. /scratch/aime/OAM10/access] /scratch/install/OAM10/access
****************************************************************
*** CA root cert has been converted from DER to PEM format.  ***
****************************************************************
****************************************************************
*** This script will first invoke configureAAAServer tool to ***
*** reconfig AAA server in cert mode, and then generate a    ***
*** certificate request. Please select 3(Cert), 1(request a  ***
*** certificate), and enter pass phrase for the first 3      ***
*** prompts. Otherwise, this script is not guaranteed to     ***
*** work properly.                                           ***
****************************************************************

 Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Simple) 3(Cert) : 3

 Do you want to request a certificate (1) or install a certificate (2) ? : 1

 Please enter the Pass phrase for this Access Server : 

 Do you want to store the password in the file ? : 1(Y) 2(N) : 1

 Preparing to generate certificate.  This may take up to 60 seconds.  Please wait.
Generating a 1024 bit RSA private key
.++++++
...................++++++
writing new private key to '/scratch/install/OAM10/access/oblix/config/aaa_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Redwood Shores
Organization Name (eg, company) [Some-Organization Pty Ltd]:Example
Organizational Unit Name (eg, section) []:OAM
Common Name (eg, hostName.domainName.com) []:adc123.example.com
Email Address []:
writing RSA key

 Your certificate request is in file : /scratch/install/OAM10/access/oblix/config/aaa_req.pem
 Please get your certificate request signed by the Certificate Authority.
 On obtaining your certificate, please place your certificate in '/scratch/install/OAM10/access/oblix/config/aaa_cert.pem' file and the certificate authority's certificate for the corresponding component (for example: WebGate, AXML Server) in '/scratch/install/OAM10/access/oblix/config/aaa_chain.pem' file.
 Once you have your certificate placed at the above mentioned location, please follow the instructions on how to start the Access Server.

 More Information on setting up Access Server in Certificate mode can be obtained from the Setup Installation Guide.
 Access Server mode has been re-configured successfully.

 Please note that new security mode will take effect only after the security mode for this Access Server is changed to 'cert' from the Access Manager System Console.
 Do you want to specify or update the failover information ? : 1(Y) 2(N) :

 Please restart your Access Server by executing the '/scratch/install/OAM10/access/oblix/apps/common/bin/restart_access_server' program from command line once you have placed your certificates at the above mentioned location.

 Press enter key to continue ...


****************************************************************
*** Now we will sign the certificate request using CA cert.  ***
****************************************************************

>>>Enter the CA wallet password: 

Certificate request (aaa_req.pem) has been converted to orapki acceptable format in /scratch/install/WT/Oracle_WT1/rootCA/OAM

The certificate has been signed by the root CA

****************************************************************
*** OAM server certificate have been installed into Access   ***
*** Server config directory.                                 ***
****************************************************************

****************************************************************
*** Restarting AAA Server ...                                ***
****************************************************************

Do you want to restart your Access Server? [y/n] y

Access Server has been started/restarted

****************************************************************
*** Your OAM10 Access Server has been setup successfully in  ***
*** cert mode.                                               ***
****************************************************************

7.5 Configuring a Client

You configure a client by invoking the script SSLClientConfig.sh. The script retrieves the SSL Domain CA then passes control to a component-specific script to import it and perform any additional configuration steps required.

To run this script, you need the following information:

  • Connection information (host and port) for the LDAP directory used by the deployment

  • Administrator credentials that enable you to access that LDAP directory

  • The name of the SSL deployment, for example: idm, fmw

Before invoking the script, enter a shell that is set up with the default environment for an Oracle Fusion Middleware installation. The location of the script is: $ORACLE_COMMON_HOME/oracle_common/bin/SSLClientConfig.sh The syntax for the script is:

SSLClientConfig.sh -component [cacert|wls|webgate] [-v]

Depending on the -component option specified, SSLClientConfig.sh may invoke a component script listed in Table 7-5. The component-specific client scripts have names of the form COMPONENT_NAME_SSL_Client_Config.sh.

Table 7-5 Component Options to SSLClientConfig.sh

Component Option Script Invoked Component Configured

cacert

None

Other SSL Clients

wls

WLS_SSL_Client_Config.sh

Oracle WebLogic clients and Java EE components.

webgate

OAMWG_SSL_Client_Config.sh

Oracle Access Manager WebGate


Provide information when prompted.

The client script performs the following tasks:

  • Downloads the CA certificate or wallet from the LDAP server in the SSL Domain.

  • Creates the related Java Trust Store, Oracle Wallet, or Java Keystore for the OIM or OAM client.

  • Imports the Signing CA certificate as a trusted certificate into the relevant trust stores, wallet, or keystore.

    For WebGate clients, it creates a full Java KeyStore with a private certificate, a client certificate, and the CA signing certificate.

    For other client components, which only need a common trust store or wallet, the script imports the CA certificate into the newly generated trust store.

7.5.1 Example: Downloading the CA Certificate for SSL Clients

$ ./SSLClientConfig.sh -component cacert

SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.

Downloading the CA certificate from the LDAP server...
>>> Enter the LDAP hostname [adc2100651.example.com]: Enter the LDAP port: [3060]? 16468
>>> Enter your LDAP user [cn=orcladmin]: 
>>> Enter password for cn=orcladmin:  
>>> Enter the sslDomain for the CA [idm]: 
Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>> The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/tmp/trust.jks
>>> The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/tmp/ewallet.p12
Generate trust store for the CA cert at cn=idm,cn=sslDomains
>>> Enter a password to protect your truststore:  
>>> Enter confirmed password for your truststore:  

Updating the existing /mw784/im7335/rootCA/keystores/common/trust.jks...
Importing the CA certifcate into trust stores...
>>> The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/common/trust.jks
>>> The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/common/ewallet.p12

7.5.2 Example: Downloading the Certificate and Configuring a WebLogic Client

$ ./SSLClientConfig.sh -component wls

SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.

Downloading the CA certificate from the LDAP server...
>>> Enter the LDAP hostname [adc2100651.example.com]:
>>> Enter the LDAP port: [3060]? 16468
>>> Enter your LDAP user [cn=orcladmin]:
>>> Enter password for cn=orcladmin:
>>> Enter the sslDomain for the CA [idm]:
>>> Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>> The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/tmp/trust.jks
>>> The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/tmp/ewallet.p12
Invoking Weblogic SSL Client Configuration Script...
>>> Enter a password to protect your truststore:
>>> Enter confirmed password for your truststore:

Updating the existing /mw784/im7335/rootCA/keystores/wls/trust.jks...
Importing the CA certifcate into trust stores...
>>> The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/wls/trust.jks
>>> The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/wls/ewallet.p12
cat: /mw784/im7335/rootCA/cacert_tmp.txt: No such file or directory
Configuring SSL Trust for your WLS server instance...
>>> Enter your trust store name: [trust.jks]mytrust.jkds
>>> Enter your WLS domain home directory: /mw784/user_projects/domains/imdomain8017
>>> Enter your WLS server instance name [AdminServer]
>>> Enter weblogic admin port: [7001] 19249
>>> Enter weblogic admin user: [weblogic]
>>> Enter password for weblogic:
>>> Copy /mw784/im7335/rootCA/keystores/wls/trust.jks to /mw784/user_projects/domains/imdomain8017/servers/AdminServer/keystores/mytrust.jkds...
Configuring WLS AdminServer ...
Running /mw784/im7335/common/bin/wlst.sh /mw784/im7335/rootCA/keystores/wls/wlscln.py...
Your WLS server has been set up successfully

7.5.3 Example: Downloading the Certificate and Configuring a WebGate Client

$ SSLClientConfig.sh -component webgate
Script started on Thu 28 Oct 2010 10:23:38 AM PDT

SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle.  All rights reserved.

Downloading the CA certificate from a central LDAP location
Creating a common trus store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.
 
Downloading the CA certificate from the LDAP server...
>>>Enter the LDAP hostname [adc123.example.com]: 
>>>Enter the LDAP port: [3060]? 16625
>>>Enter your LDAP user [cn=orcladmin]: 
>>>Enter password for cn=orcladmin:  
>>>Enter the sslDomain for the CA [idm]: 
>>>Searching the LDAP for the CA usercertificate ...
Invoking Webgate SSL Client Configuration Script...
>>>Searching the LDAP for the CA userpkcs12 ...
>>>Enter your 10g WebGate install location: [e.g. /scratch/aime/wg10/access] /scratch/install/OAM10/cwg/access

****************************************************************
*** CA root cert has been converted from DER to PEM format.  ***
****************************************************************

>>>Enter WebGate ID: wg7777

>>>Enter WebGate Password: 

>>>Enter the Access Server Host Name [adc123.example.com]: 

>>>Enter the Access Server Port [6021]: 

>>>Enter Access Server ID: aaa1

>>>Enter WebGate Pass Phrase: 

****************************************************************
*** This script will first invoke configureWebGate tool to   ***
*** reconfig webgate in cert mode, and then generate a       ***
*** certificate request.                                     ***
****************************************************************


 Preparing to generate certificate.  This may take up to 60 seconds.  Please wait.
Generating a 1024 bit RSA private key
...............++++++
....................++++++
writing new private key to '/scratch/install/OAM10/cwg/access/oblix/config/aaa_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Redwood Shores
Organization Name (eg, company) [Some-Organization Pty Ltd]:Example
Organizational Unit Name (eg, section) []:OAM
Common Name (eg, hostName.domainName.com) []:adc123.example.com
Email Address []:
writing RSA key

 Your certificate request is in file : /scratch/install/OAM10/cwg/access/oblix/config/aaa_req.pem

 Please get your certificate request signed by the Certificate Authority

 On obtaining your certificate, please place your certificate in '/scratch/install/OAM10/cwg/access/oblix/config/aaa_cert.pem' file and Access Server's CA certificate in '/scratch/install/OAM10/cwg/access/oblix/config/aaa_chain.pem' file

 Once you have your certificate placed at the above mentioned location, please run '/scratch/install/OAM10/cwg/access/oblix/tools/configureWebGate/configureWebGate' program

 More Information on setting up Web Gate in Certificate mode can be obtained from the Setup Installation Guide

 Press enter key to continue ...

****************************************************************
*** Now we will sign the certificate request using CA cert.  ***
****************************************************************

>>>Enter the CA wallet password: 

Certificate request (aaa_req.pem) has been converted to orapki acceptable format in /scratch/install/WT/Oracle_WT1/rootCA/WEBGATE

The certificate has been signed by the root CA

****************************************************************
*** WebGate certificate have been installed into WebGate     ***
*** config directory.                                        ***
****************************************************************

****************************************************************
*** Testing connection to AAA Server ...                     ***
*** (Make sure AAA Server is up and running.)                ***
****************************************************************

 Preparing to connect to Access Server.  Please wait.

 Web Gate installed Successfully.

****************************************************************
*** Restarting OHS ...                                       ***
****************************************************************

Do you want to restart your OHS webserver? [y/n] y

>>>Enter ORACLE_HOME for your OHS webtier install [e.g. /scratch/aime/WT/Oracle_WT1]: /scratch/install/WT/Oracle_WT1

>>>Enter ORACLE_INSTANCE for your OHS webtier instance [e.g. /scratch/aime/WT/Oracle_WT1/instances/instance1]: /scratch/install/WT/Oracle_WT1/instances/instance1

>>>Enter OHS component id [ohs1]: 

OHS instance has been started/restarted

****************************************************************
*** Your 10g WebGate has been setup successfully in cert     ***
*** mode.                                                    ***
****************************************************************