B Setting Up SSL on Oracle WebLogic Server

This section describes how to configure SSL on Oracle WebLogic Server for PeopleTools 8.50.

To set up SSL on Oracle WebLogic Server, perform the following steps:

B.1 Generating Signed Public Encryption Key and Certificate Signing Request

Generate a signed public encryption key and a certificate signing request (CSR).

  1. Start PSKeyManager by navigating to the appropriate directory on the MS-DOS command prompt.
  2. Enter the following at the command line:
    pskeymanager -create

    The PSKeyManager opens.

  3. Enter the following at the command line:

    At the Enter current keystore password [press ENTER to quit] command prompt, enter the password. The default password is password.

    At the Specify an alias for this certificate <host_name>? command prompt, enter the certificate alias and press Enter. The default certificate alias is the local machine name.

    At the What is the common name for this certificate <host_name>? command prompt, enter the host name for the certificate, for example <host_name>.corp.myorg.com.

    Press Enter.

    Enter the appropriate information at the following command prompts:

    Organization unit

    Organization

    City or Locality

    State or Province

    Country code

    Number of days the certificate should be valid (Default is 90.)

    Key size to use (Default is 1024.)

    Key algorithm (Default is RSA.)

    Signing algorithm (Default is MD5withRSA or SHA1withDSA.)

  4. At the Enter a private key password <press ENTER to use keystore password> prompt, specify the password or press Enter.
  5. Verify that the values you entered are correct, and press Enter.

    The PSKeyManager generates a public key and provides the CSR that you must submit to the Certificate Authority (CA) for signing.

    The following example shows a sample CSR:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----

    The CSR is a text file, and is written to the <PSFT_HOME>\webserv\peoplesoft directory. The file name is <host_name>_certreq.txt.

B.2 Submitting CSRs to CAs for Signing

Submit CSRs to CAs for signing:

Note:

The set of pages differs depending on which CA you plan to use.

  1. Click Download a CA certificate, certificate chain, or CRL.
  2. Click advanced certificate request.
  3. Click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    The Submit a Certificate Request or Renewal page appears.

  4. Paste the content of the CSR in the Saved Request list box.

    The CA may send the signed public key (root) certificate to you by e-mail or require you to download it from a specified web page.

  5. Download and save the signed public key on your local drive.

B.3 Downloading the Root Certificate

Download the root certificate.

  1. Click Download a CA certificate, certificate chain, or CRL.
  2. From the CA certificate list, select the certificate.
  3. Download and save the root certificate on your local drive.

B.4 Importing a Server-Side Public Key into a Keystore

Import a server-side public key into a keystore.

  1. Open PSKeyManager.
  2. Navigate to the required directory on the MS-DOS command prompt.
  3. Enter the following at the command line:
    pskeymanager -import
  4. At the Enter current keystore password command prompt, enter the password and press Enter.
  5. At the Specify an alias for this certificate <host_name>? command prompt, enter the certificate alias and press Enter.
  6. At the Enter the name of the certification file to import command prompt, enter the path and name of the certificate to import.
  7. At the Trust this certificate command prompt, enter Yes and press Enter.

B.5 Generating and Importing Public Keys

Generate and import public keys.

  1. Place the public key from your CA in the keystore. The location of the keystore is as follows:

    <PSFT_HOME>\webserv\peoplesoft\keystore

  2. Install the certificate for server authentication SSL on Oracle WebLogic Server using the following command:
    pskeymanager -import
  3. At the Enter current keystore password command prompt, enter the password and press Enter.
  4. At the Specify an alias for this certificate <host_name>? command prompt, enter the certificate alias and press Enter.
  5. At the Enter the name of the certification file to import command prompt, enter the path and name of the certificate to import.

    The certificate is successfully installed in the keystore.
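
Added example, not part of the original page: a check run after the import above that the key entry now carries the CA-signed chain rather than the self-signed certificate created in B.1, and that it does not use a weak signature algorithm such as the MD5withRSA default. It assumes the pskey keystore is a standard JKS file listed with the JDK command `keytool -list -v -keystore keystore/pskey`; the listing, host names and CA name in the sample are constructed.

```python
import re
# Constructed sample of `keytool -list -v` output for two key entries
# (hypothetical host and CA names; not taken from the original page).
SAMPLE = """\
Alias name: psweb01
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=psweb01.corp.myorg.com, OU=IT, O=MyOrg
Issuer: CN=psweb01.corp.myorg.com, OU=IT, O=MyOrg
Signature algorithm name: MD5withRSA

Alias name: psweb02
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=psweb02.corp.myorg.com, OU=IT, O=MyOrg
Issuer: CN=MyOrg Issuing CA, O=MyOrg
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=MyOrg Issuing CA, O=MyOrg
Issuer: CN=MyOrg Issuing CA, O=MyOrg
"""

WEAK_SIG = re.compile(r"^(MD2|MD5|SHA1)with", re.I)

def audit_keystore_listing(text):
    """Return {alias: [findings]} for every PrivateKeyEntry in the listing."""
    report = {}
    for block in re.split(r"(?m)^(?=Alias name:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                fields.setdefault(key, value)   # first hit = leaf certificate
        if fields.get("Entry type") != "PrivateKeyEntry":
            continue                            # skip header text and trusted roots
        findings = []
        if fields.get("Owner") == fields.get("Issuer"):
            findings.append("self-signed: CA reply not imported under this alias")
        if int(fields.get("Certificate chain length", "0")) < 2:
            findings.append("chain has no CA certificate")
        if WEAK_SIG.match(fields.get("Signature algorithm name", "")):
            findings.append("weak signature algorithm " + fields["Signature algorithm name"])
        report[fields["Alias name"]] = findings
    return report

if __name__ == "__main__":
    print(audit_keystore_listing(SAMPLE))
```

An alias with an empty findings list holds a CA-issued certificate with its chain; any other alias should be fixed before WebLogic is pointed at the keystore in B.6.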


B.6 Configuring the Oracle WebLogic Server to Use the Keystore

Configure Oracle WebLogic Server to use the keystore.

  1. Log in to Oracle WebLogic Administration Console.
  2. Expand PeopleSoft, Environment, Servers, PIA to set up the SSL configuration for the PIA server.
  3. Click the Keystores tab.
  4. From the Keystores list, select Custom Identity and Custom Trust.
  5. In the Identity region, complete the following fields:

    - In the Custom Identity Keystore field, enter keystore/pskey.

    - In the Custom Identity Keystore Type field, enter JKS.

    - In the Custom Identity Keystore Passphrase field, enter password.

    - In the Confirm Custom Identity Keystore Passphrase field, enter password again.

  6. On the SSL tab, ensure that the parameter Two Way Client Cert Behavior is set to Client Certs Requested and Enforced.
  7. Click the Activate Changes button.

B.7 Adding Root Certificate

Add the root certificate.

  1. Expand Security, Security Objects, and then click Digital Certificates.
  2. Click Add Root.

B.8 Configuring the PeopleSoft Certificates

Configure the PeopleSoft certificates.

Note:

You can use the same root certificate generated in Step 2.

  1. Expand Security, Security Objects, and then click Digital Certificates.
  2. Add a local node type certificate.
  3. Set Alias to the default local node.
  4. Click Request.
  5. Send this certificate request to the CA to get a new certificate.
  6. Click OK.
  7. Ensure that the local node appears on the Digital Certificates list.
  8. Click Import.

    The Import Certificate page appears.

  9. Click OK.
  10. Click Load Gateway Connectors.

    The following message appears:

    Loading Process was successful. Number of connectors loaded:0. Number of Properties loaded:0. (158,42)
    

    Click OK.

  11. Click Ping Node to ping your local node.