Creating SSL certificates

This topic describes how to run the generate_ssl_keys utility.

Before running this utility, make sure that you have chosen a strong passphrase for the keys. For detailed information on the utility's syntax, see Key generation utility syntax.

Important: If you are deploying an Endeca Server cluster, make sure to generate SSL certificates after you have installed the Endeca Server on the Admin Server and before you have cloned the Admin Server to create Managed Servers in the WebLogic domain configured for the Endeca Server application.

To generate SSL certificates:

  1. Start the Admin Server for the Endeca Server domain in WebLogic.

    The start-up procedure should ask you for the administrator user name and password that you specified when you created the WebLogic domain.

  2. From a command prompt, change to the $DOMAIN_HOME/EndecaServer/bin directory.
  3. Run the generate_ssl_keys utility with a domain username/password and specify the passphrase for the certificates. For example:
    generate_ssl_keys --username ESUser --password welcome1 --sslPassphrase thx1138

    A successful procedure is indicated when you see a message that ends as follows:

    ...
    Activation completed
    
    Done! Your WLS server(s) may need to be restarted for
    all changes to take effect.
  4. Stop and then restart the WebLogic Admin Server.

The generate_ssl_keys utility creates these SSL certificates in the $DOMAIN_HOME/config/ssl directory:
  • dgraphCA.pem — Certificate authority file used by all clients and servers to authenticate the other endpoint of a communication channel with the Endeca Server. Used with the Dgraph --sslcafile flag.
  • dgraphCert.pem — Certificate file used by all clients and servers to specify their identity when using SSL to connect to the Oracle Endeca Server. This certificate should be thought of as the identity of the system powered by the Dgraph, or as the identity of all components of the system. Used with the Dgraph --sslcertfile flag.
  • endecaServerCerts.ks — Java identity keystore.
  • endecaServerClientCert.ks — Java keystore used for Endeca Server clients. Used for the keystore parameter of EndecaCmd.properties.
  • endecaServerTrustStore.ks — Java truststore used for Endeca Server clients. Used for the truststore parameter of EndecaCmd.properties.
  • esClientCert.p12 — Personal Information Exchange (PKCS12-format) key file. Note that this client key has its own password, which is the user-entered passphrase plus "clientkey" appended.

Besides generating the SSL keys, the utility also:
  • Updates the EndecaServer.properties and EndecaCmd.properties files (in the $DOMAIN_HOME/config directory) with the pathnames of the key files.
  • Enables the SSL Listen Port of 7002 in WebLogic Server, and sets 7002 as the port on which Endeca Server is started.
  • For the Admin Server, sets endecaServerCerts.ks as the custom identity keystore and endecaServerTrustStore.ks as the custom trust keystore. Both settings are visible from the Admin Server's Keystores tab.
  • For the Admin Server, sets Oracle Endeca Server Certificate as the Private Key Alias. This setting is visible from the Admin Server's SSL tab.

Note that enabling the SSL port 7002 does not disable the non-SSL (HTTP) port 7001; it remains enabled.
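The following script is an added example, not part of Endeca Server or its documentation. It checks the artifacts listed above after generate_ssl_keys has run: that all six files exist, that dgraphCert.pem chains to dgraphCA.pem, that the identity keystore holds the Private Key Alias, and that the client PKCS12 opens with the passphrase plus "clientkey". It assumes openssl, keytool and curl are on PATH and that the JKS stores open with the --sslPassphrase value.

```shell
#!/bin/sh
# Added verification script (not part of Endeca Server): checks the files that
# generate_ssl_keys writes to $DOMAIN_HOME/config/ssl. Assumes openssl, keytool
# and curl are on PATH and that the JKS stores open with the --sslPassphrase value.

# The PKCS12 client key password is the passphrase with "clientkey" appended.
client_key_password() {
  printf '%sclientkey' "$1"
}

# The six files the utility is documented to create.
expected_ssl_files() {
  printf '%s\n' dgraphCA.pem dgraphCert.pem endecaServerCerts.ks \
    endecaServerClientCert.ks endecaServerTrustStore.ks esClientCert.p12
}

# verify_ssl_artifacts PASSPHRASE SSL_DIR -> 0 if every check passes, 1 otherwise
verify_ssl_artifacts() {
  passphrase="$1"; dir="$2"
  for f in $(expected_ssl_files); do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  # dgraphCert.pem must chain to dgraphCA.pem; that is what --sslcafile checks.
  openssl verify -CAfile "$dir/dgraphCA.pem" "$dir/dgraphCert.pem" >/dev/null 2>&1 \
    || { echo "dgraphCert.pem is not signed by dgraphCA.pem" >&2; return 1; }
  # The identity keystore must open and hold the alias WebLogic uses as Private Key Alias
  # (assumption: the store password is the passphrase passed to --sslPassphrase).
  keytool -list -keystore "$dir/endecaServerCerts.ks" -storepass "$passphrase" 2>/dev/null \
    | grep -qi 'oracle endeca server certificate' \
    || { echo "identity keystore unreadable or alias missing" >&2; return 1; }
  # The client PKCS12 must open with passphrase + "clientkey", not the bare passphrase.
  openssl pkcs12 -in "$dir/esClientCert.p12" -noout \
    -passin "pass:$(client_key_password "$passphrase")" 2>/dev/null \
    || { echo "esClientCert.p12 does not open with passphrase+clientkey" >&2; return 1; }
  return 0
}

# plain_http_port_open HOST -> 0 if the non-SSL port 7001 still answers, which is
# expected after generate_ssl_keys because the utility does not disable 7001.
plain_http_port_open() {
  curl -s -o /dev/null --max-time 3 "http://$1:7001/"
}

if [ -n "${1:-}" ]; then
  verify_ssl_artifacts "$1" "${2:-${DOMAIN_HOME:?set DOMAIN_HOME}/config/ssl}" && echo "SSL artifacts OK"
  plain_http_port_open "${3:-localhost}" && echo "note: non-SSL port 7001 still accepts connections"
fi
```

Run it as `sh check_ssl.sh <passphrase> [ssl_dir] [host]` from the Admin Server host after step 4; a non-zero exit names the first artifact that failed its check.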