Installing Web Server-Based Digital Certificates

This section discusses how to:

  • Install digital certificates on Oracle WebLogic web servers.

  • Install digital certificates on IBM WebSphere web servers.

In addition to using the information in this section to generate and install web server-based digital certificates, you can use this information to generate and install gateway-based digital certificates for:

  • Integration gateway encryption.

  • Client authentication.

  • WS-Security.

Note that if the integration gateway is installed on a web server that already has SSL/TLS implemented, the integration gateway and the web server share the same digital certificates, so you do not need to install separate integration gateway certificates. If the integration gateway is installed on a web server where SSL/TLS is not implemented, you must generate and install digital certificates on that web server.

For more information about generating and installing integration gateway-based digital certificates see:

You must install web server-based digital certificates to implement web server SSL/TLS encryption.

You use utilities provided with the Oracle WebLogic or IBM WebSphere software to install web server-based certificates for SSL/TLS encryption, which protects inbound connections to the web server. The web server requires three elements:

  • The web server's private key.

  • A certificate containing the web server's public key, digitally signed by a trusted certificate authority (CA).

  • The root certificate of the CA that signed the web server's certificate.

The information in this section outlines the basic steps required to obtain and install the certificates and keys that you need. Oracle WebLogic and IBM WebSphere provide their own interface and methodology for establishing SSL/TLS encryption; refer to the documentation supplied with the web server software for detailed information about this process. In addition, refer to the information supplied by the selected CA.

Note: PeopleSoft delivers a number of certificate authorities and root certificates. If your certificate authority or root certificate is not listed, you need to add it to the PeopleSoft system.

You use the web server software (on WebLogic, the PSKeyManager utility described below) to generate the web server's private key. At the same time, it generates a certificate signing request (CSR), which contains the web server's public key. You submit the CSR to the selected CA, which creates, digitally signs, and returns your web server's public key certificate. This certificate might be in standard DER-encoded binary format; it can be converted to PEM format if necessary. You then import both certificates (the CA's root certificate and your signed server certificate) into the keystore that holds the private key, and you configure the web server to use that keystore, so that the web server recognizes and uses them.

PSKeyManager is a command-line utility delivered with PeopleTools that you use to generate and import digital certificates into the keystore. The location of the PSKeyManager utility is:

<PIA_HOME>\webserv\peoplesoft\piabin

The basic syntax of PSKeyManager is:

pskeymanager -command

Note: The first time you launch a command using the PSKeyManager utility you are prompted to define a unique keystore password.

Each command can be followed by a variety of options. Both the command and the keyword for each option must be preceded by a hyphen, and most options must be followed by a value.

If you run pskeymanager with no arguments and press Enter, a list of all commands and their options is displayed. The utility provides ten or so commands, but you use only two of them for this task:

pskeymanager -create
pskeymanager -import

The keystore location for SSL/TLS digital certificates is:

<PIA_HOME>\webserv\peoplesoft\piaconfig\keystore

In addition, integration gateway, client authentication, and WS-Security certificates are stored in this location.

This section describes how to install digital certificates for SSL/TLS encryption for the Oracle WebLogic environment and discusses how to:

  • Generate and import public keys.

  • Generate private keys and CSRs.

  • Submit CSRs to CAs for signing.

  • Import signed private keys into keystores.

  • Set up gateway private keys.

  • Set up Oracle WebLogic Console for SSL.

Generating and Importing Public Keys (WebLogic)

Before you can import the CA's public key into the PeopleSoft keystore, you must download the root certificate of the CA that will sign your CSR. The process for obtaining the root certificate varies, depending on your CA. Contact your CA for information on how to perform these tasks.

To generate and import public keys:

  1. Place the root certificate file from your CA in the keystore directory. The location of the keystore is:

    <PIA_HOME>\webserv\<DOMAIN>\piaconfig\keystore
  2. Open a command prompt and navigate to the keystore:

    <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore
  3. Enter the following at the prompt:

    pskeymanager -import
  4. At the Enter current keystore password prompt, enter the password and press Enter.

  5. At the Specify an alias for this certificate prompt, enter an alias for the CA certificate and press Enter.

    Use an alias that identifies the CA (for example, the CA's name) and that is different from the alias of the web server's private key. The private key's alias is reserved for the CA-signed server certificate: keytool treats any certificate imported under an alias that already holds a private key as the certificate reply for that key, so a root certificate imported there is rejected as a mismatched reply instead of being stored as a trusted certificate.

  6. At the Enter the name of the certificate file to import prompt, enter the path and name of the certificate to import, and press Enter.

  7. At the Trust this certificate prompt, enter Yes and press Enter.

Generating Private Keys and CSRs (WebLogic)

You use PSKeyManager to generate private keys. PSKeyManager is a wrapper around the Java keytool utility (originally from Sun Microsystems) for managing keys and certificates.

While using PSKeyManager, press the Enter key to select any of the default values presented.

To generate the private key and the CSR on Oracle WebLogic:

  1. Open a command prompt and navigate to the keystore:

    <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore
  2. Enter the following at the prompt:

    pskeymanager -create
  3. Enter the current keystore password and press Enter.

  4. At the Specify an Alias for this Certificate <host_name>? prompt, enter the certificate alias and press Enter.

    The default certificate alias is the local machine name.

  5. At the What is the common name for this certificate <host_name>? prompt, enter the host name for the certificate. For example:

    <host_name>.corp.peoplesoft.com

    Press Enter.

  6. Enter the appropriate information at the following prompts. Press Enter after each entry.

    1. Organization unit.

    2. Organization.

    3. City of locality.

    4. State or province.

      You must spell out the entire state name. Do not enter an abbreviation.

    5. Country code.

    6. Number of days the certificate should be valid.

      The default value is 90. This value applies to the self-signed placeholder certificate that keytool stores with the private key; the CA sets the validity period of the certificate it issues.

    7. Key size to use.

      The default value is 1024. Do not accept this default: 1024-bit RSA keys are no longer considered secure, and public CAs will not sign a 1024-bit CSR. Enter 2048 or larger.

    8. Key algorithm.

      The default value is RSA.

    9. Signing algorithm.

      The default value is SHA256withRSA.

  7. At the Enter a private key password prompt, enter the password or press Enter to use the keystore password.

  8. Verify that the values you entered are correct, and press Enter. To go back and change any values, enter No and press Enter.

PSKeyManager generates a private key and provides the certificate signing request (CSR) that you will provide to the CA for signing. The following example shows a sample CSR (the body is truncated here).

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBtDCCAR0CAQAwdDELMAk…
-----END NEW CERTIFICATE REQUEST-----

The CSR is written as a text file to the <PIA_HOME>\webserv\peoplesoft directory. The file name is <host_name>_certreq.txt.
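The CSR that PSKeyManager writes is opaque base64, so it is worth checking what you are about to send to the CA, in particular that you did not accept the 1024-bit key-size default. The following Python script is an added example, not part of the PeopleTools documentation or of PSKeyManager: it decodes the request with the standard library only and flags a short key, a non-SHA-2 signature algorithm, or a common name that does not match the host. The request it builds for the offline run, build_sample_csr(), is constructed here with a placeholder modulus and a zero signature; the host name host01.corp.example.com used in the demonstration is assumed.

```python
"""Pre-submission checks on a PEM certificate signing request (CSR).
Added example, not part of the PeopleTools documentation, PSKeyManager or keytool: it
decodes the DER inside the BEGIN/END lines of a CSR such as <host_name>_certreq.txt with
the standard library only and reports CN, RSA key size and signature algorithm, so that a
1024-bit or SHA-1 request is caught before it goes to the CA. build_sample_csr() makes a
constructed CSR with a placeholder signature so the check can run offline."""
import base64, re

OID_RSA, OID_CN = "1.2.840.113549.1.1.1", "2.5.4.3"
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA",
                 "1.2.840.113549.1.1.12": "SHA384withRSA", "1.2.840.113549.1.1.13": "SHA512withRSA"}
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos=0):  # decode one DER tag-length-value; return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split the body of a SEQUENCE or SET into (tag, value) elements
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_csr(pem_text):
    """Return the CN, key algorithm, RSA key size and signature algorithm of a CSR."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE REQUEST block found")
    _, csr, _ = read_tlv(base64.b64decode("".join(m.group(1).split())))
    info, sig_alg = children(csr)[:2]      # CertificationRequestInfo, signatureAlgorithm
    _version, subject, spki = children(info[1])[:3]
    cn = None                              # Name ::= SEQUENCE OF SET OF {OID, value}
    for _, rdn in children(subject[1]):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if decode_oid(oid[1]) == OID_CN:
                cn = value[1].decode()
    key_alg_id, pub_key = children(spki[1])
    key_alg, key_bits = decode_oid(children(key_alg_id[1])[0][1]), None
    if key_alg == OID_RSA:                 # BIT STRING: pad-count byte, then RSAPublicKey
        modulus, _exponent = children(read_tlv(pub_key[1][1:])[1])
        key_bits = int.from_bytes(modulus[1], "big").bit_length()
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return {"cn": cn, "key_alg": key_alg, "key_bits": key_bits,
            "sig_alg": SIG_ALG_NAMES.get(sig_oid, sig_oid)}

def check_csr(pem_text, expected_cn, min_bits=2048):
    """Return policy problems; an empty list means the CSR is fit to submit."""
    facts, problems = inspect_csr(pem_text), []
    if facts["cn"] != expected_cn:
        problems.append(f"CN is {facts['cn']!r}, expected {expected_cn!r}")
    if facts["key_alg"] != OID_RSA:
        problems.append(f"unexpected key algorithm {facts['key_alg']}")
    elif facts["key_bits"] < min_bits:
        problems.append(f"RSA key is only {facts['key_bits']} bits (PSKeyManager's default "
                        f"is 1024); regenerate the key with {min_bits} bits or more")
    if facts["sig_alg"] not in ("SHA256withRSA", "SHA384withRSA", "SHA512withRSA"):
        problems.append(f"signature algorithm {facts['sig_alg']} is not SHA-2 based")
    return problems

# Constructed fixture: a minimal DER encoder, used only to build the sample CSR.
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    nb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        while (a := a >> 7):
            enc.append(0x80 | (a & 0x7F))
        out += bytes(reversed(enc))
    return out

def build_sample_csr(cn, key_bits, sig_oid):
    """Sample CSR: the modulus is a placeholder of the requested size, the signature is zeros."""
    integer = lambda i: tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))  # stays positive
    alg_id = lambda oid: tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    rsa_key = tlv(0x30, integer((1 << (key_bits - 1)) | 1) + integer(65537))
    spki = tlv(0x30, alg_id(OID_RSA) + tlv(0x03, b"\x00" + rsa_key))
    cn_atv = tlv(0x30, tlv(0x06, encode_oid(OID_CN)) + tlv(0x0C, cn.encode()))
    info = tlv(0x30, integer(0) + tlv(0x30, tlv(0x31, cn_atv)) + spki + tlv(0xA0, b""))
    b64 = base64.b64encode(tlv(0x30, info + alg_id(sig_oid) + tlv(0x03, bytes(33)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{body}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real request, call check_csr() with the contents of <host_name>_certreq.txt and the host name you entered at the common name prompt. An empty list means the request is fit to submit; otherwise regenerate the key with pskeymanager -create (choosing 2048 bits or more and SHA256withRSA) before sending anything to the CA. The script does not verify the CSR's self-signature; the CA does that.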

Submitting CSRs to CAs for Signing (WebLogic)

After you generate the private key and a certificate signing request (CSR), you must submit the CSR to the certificate authority (CA) for signing.

The process of obtaining the signature varies, depending on the CA that you select. Typically, a CA requires you to paste the content of the PEM-formatted CSR into a form that you submit online. The CA may send the signed server certificate to you by email or require you to download it from a specified web page. The CA may also provide its root certificate or instructions for retrieving it.

Use the appropriate method to submit a CSR for signing as determined by your CA.

When you do submit the CSR for signing the content you provide must include the begin section (-----BEGIN NEW CERTIFICATE REQUEST-----) and the end section (-----END NEW CERTIFICATE REQUEST-----) of the CSR.

The CA will return the signed certificate to you that you must import into the keystore.

Importing Signed Private Keys into Keystores (WebLogic)

You use PSKeyManager to import the CA-signed server certificate into the keystore, where it is paired with the private key that was generated under the same alias.

  1. Open a command prompt and navigate to the keystore:

    <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore
  2. Enter the following at the prompt:

    pskeymanager -import
  3. At the Enter current keystore password prompt, enter the password and press Enter.

  4. At the Specify an alias for this certificate prompt, enter the alias name and press Enter.

    The alias name you enter must be the same one you entered when you generated the private key. keytool pairs the CA's reply with the private key stored under that alias; if you import the signed certificate under a different alias, it becomes an unrelated trusted-certificate entry and the server keeps presenting its self-signed placeholder certificate.

  5. At the Enter the name of the certificate file to import prompt, enter the path and name of the certificate to import, and press Enter.

  6. At the Trust this certificate prompt, enter Yes and press Enter.
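After the CA certificate and the signed server certificate have both been imported, the keystore should contain exactly the layout the alias rules above describe: the host alias as a private-key entry whose chain now ends in the CA certificate, and the CA root as a separate trusted-certificate entry. The following Python script is an added example, not part of the PeopleTools documentation, PSKeyManager or keytool: it reads pskey as the JKS file it is, verifies the integrity digest with the keystore password, and reports any alias that is not what the WebLogic or WebSphere procedure expects. The keystore it builds for the offline demonstration is constructed with placeholder key and certificate bytes; the aliases host01 and examplecaroot are assumed.

```python
"""List the entries in a JKS keystore such as pskey and check the alias layout.
Added example, not part of the PeopleTools documentation, PSKeyManager or keytool: it
parses the JKS file format directly (magic 0xFEEDFEED, version 2, SHA-1 integrity digest
keyed with the store password), so without a JDK you can confirm that the server alias is
a private-key entry with a certificate chain, that the CA root is a separate trusted
certificate, and that the password is right. build_sample_jks() constructs a keystore in
memory with placeholder key and certificate bytes; the layout is real, the certs are not."""
import hashlib
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY, TRUSTED_CERT = 1, 2          # entry tags used by the JKS format
MIGHTY = b"Mighty Aphrodite"              # fixed string keytool mixes into the digest

def integrity_digest(password, body):
    """SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || everything before the digest)."""
    return hashlib.sha1(password.encode("utf-16-be") + MIGHTY + body).digest()

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def utf(self):                        # Java UTF string: u16 byte length, then bytes
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")
    def blob(self):                       # u32 length, then bytes
        return self.take(self.u32())

def parse_jks(data, password):
    """Return {alias: {"type": ..., "certs": [DER, ...]}}; raise ValueError if unreadable."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC or r.u32() != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries = {}
    for _ in range(r.u32()):
        tag, alias, _created_ms = r.u32(), r.utf(), r.take(8)
        if tag == PRIVATE_KEY:
            r.blob()                      # encrypted PKCS#8 key; not needed for this check
            chain = [(r.utf(), r.blob())[1] for _ in range(r.u32())]
            entries[alias.lower()] = {"type": "PrivateKeyEntry", "certs": chain}
        elif tag == TRUSTED_CERT:
            entries[alias.lower()] = {"type": "trustedCertEntry", "certs": [(r.utf(), r.blob())[1]]}
        else:
            raise ValueError(f"unknown entry tag {tag} at alias {alias!r}")
    body = data[:r.pos]                   # digest covers everything up to the trailer
    if r.take(20) != integrity_digest(password, body):
        raise ValueError("integrity check failed: wrong keystore password or file tampered with")
    return entries

def check_layout(entries, server_alias, ca_alias):
    """Problems with the layout that pskeymanager -create and -import should leave behind."""
    server_alias, ca_alias, problems = server_alias.lower(), ca_alias.lower(), []
    if server_alias == ca_alias:
        problems.append("the CA certificate must not be imported under the server's alias")
    server = entries.get(server_alias)
    if server is None:
        problems.append(f"no entry {server_alias!r}: pskeymanager -create was not run with this alias")
    elif server["type"] != "PrivateKeyEntry":
        problems.append(f"{server_alias!r} is a {server['type']}, not a private key")
    elif len(server["certs"]) < 2:
        problems.append(f"{server_alias!r} still holds only its self-signed placeholder; "
                        "the CA-signed certificate has not been imported under this alias")
    ca = entries.get(ca_alias)
    if ca is None:
        problems.append(f"no trusted entry {ca_alias!r}: the CA root certificate was not imported")
    elif ca["type"] != "trustedCertEntry":
        problems.append(f"{ca_alias!r} is a {ca['type']}, not a trusted CA certificate")
    return problems

def build_sample_jks(password, entries):
    """Constructed keystore for offline use; entries = [(tag, alias, [cert bytes, ...]), ...]."""
    utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for tag, alias, certs in entries:
        out += struct.pack(">I", tag) + utf(alias.lower()) + struct.pack(">Q", 0)
        if tag == PRIVATE_KEY:            # placeholder stands in for the encrypted key blob
            out += blob(b"not-a-real-encrypted-key") + struct.pack(">I", len(certs))
        out += b"".join(utf("X.509") + blob(cert) for cert in certs)
    return out + integrity_digest(password, out)

if __name__ == "__main__":                # python pskey_check.py pskey <password> <server alias> <ca alias>
    import sys
    store = parse_jks(open(sys.argv[1], "rb").read(), sys.argv[2])
    for alias, entry in store.items():
        print(f"{alias}: {entry['type']}, {len(entry['certs'])} certificate(s)")
    for problem in check_layout(store, sys.argv[3], sys.argv[4]):
        print("PROBLEM:", problem)
```

Point it at <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore\pskey (or the peoplesoft.ear\keystore\pskey file on WebSphere) with the keystore password, the host alias and the alias you gave the CA certificate. Aliases are compared case-insensitively because keytool stores them lower-cased. If a JDK is at hand, keytool -list -v -keystore pskey shows the same entries; the point of the script is that it fails loudly when the password is wrong or the file has been altered, and that it names the specific step in the procedure that was skipped.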

Setting Up Gateway Private Keys (WebLogic)

To set up private keys for gateways, follow the procedures outlined in the following topics presented earlier in this section:

  • Generating Private Keys and CSRs.

  • Submitting CSRs to CAs for Signing.

  • Importing Signed Private Keys into Keystores.

The only difference is that for the following prompts you enter names that are gateway-specific:

Prompt                               Sample Value

Certificate alias.                   Enter an alias, such as PT853GATEWAY.

Common name for this certificate.    Enter a name, such as PT853GATEWAY.

Setting Up Oracle WebLogic for SSL/TLS Encryption

This section describes how to set up Oracle WebLogic for SSL/TLS encryption.

Note: Several pages and fields mentioned in this section reference only SSL. These pages and fields are also used for setting up TLS.

To set up Oracle WebLogic for SSL/TLS:

  1. Login to WebLogic Console.

    1. Open a web browser.

    2. In the URL or address field, enter http://localhost/index.html and press Enter. The Web Server Index Page displays.

    3. Click Access WebLogic Server Console. The signon page for WebLogic Server Administration Console appears.

    4. Enter the Username and Password and click Sign In. WebLogic Administration Console displays.

      The username and password are those that you specified when you installed PeopleSoft Pure Internet Architecture.

  2. Navigate to the PIA server Configuration page.

    • In the WebLogic Server Console In the left navigation area, navigate to PeopleSoft > Servers > PIA. Or,

    • In the WebLogic Server Console, in the Domain Configuration section, click Servers. The Servers page displays. In the table that appears on the page, click the PIA link.

  3. Click the Keystores and SSL tab.

  4. In the Keystore Configuration section, on the right side of the page, click the Change link. The Specify Keystore Type page displays.

  5. From the Keystores drop-down list, select Custom Identity and Custom Trust.

  6. Click the Continue button. The Configure Keystore Properties page displays.

  7. In the Custom Identity section complete the following fields:

    1. In the Custom Identity Key Store File Name field, enter keystore/pskey.

    2. In the Custom Identity Key Store Type field, enter JKS.

    3. In the Custom Identity Key Store Pass Phrase field, enter the keystore password (the unique password you defined the first time you ran PSKeyManager, not the delivered default of password).

    4. In the Confirm Custom Identity Key Store Pass Phrase field, enter the keystore password again.

    5. Click the Continue button. The Review SSL Private Key Settings page displays.

  8. In the Review SSL Private Key Setting page, review the information and click the Continue button.

  9. Click the Finish button. You will restart the web server at a later time. You are returned to the Keystore Configuration tab.

  10. Scroll down the page to the Advanced Options section and click the Show link.

  11. In the Server Attributes section, from the Two Way Client Cert Behavior drop-down list box, select Client Certs Requested and Enforced.

    Note: Set this option only if the node is set up for certificate-based authentication or non-repudiation, or if two-way SSL/TLS is otherwise required. With this setting, clients that do not present a certificate the server trusts are refused.

  12. Click the Apply button.

  13. Restart the web server.

This section describes how to install digital certificates for SSL/TLS encryption for the IBM WebSphere environment and discusses how to:

  • Generate and import public keys.

  • Generate private keys and CSRs.

  • Submit CSRs to CAs for signing.

  • Import signed private keys into keystores.

  • Set up gateway private keys.

  • Set up IBM WebSphere for web server SSL encryption.

Generating and Importing Public Keys (WebSphere)

Before you can import the CA's public key into the PeopleSoft keystore, you must download the root certificate of the CA that will sign your CSR. The process for obtaining the root certificate varies, depending on your CA. Contact your CA for information on how to perform these tasks.

To download and import the CA root certificate:

  1. Download the root certificate from your CA and save it under <PIA_HOME>\webserv\<DOMAIN>. For example:

    <PIA_HOME>\webserv\<DOMAIN>\<host_name>_PeopleTools.cer
  2. Open IBM Key Management and, from the Key Database File menu, select Open. Open PSKEY. The location is:

    <PIA_HOME>\webserv\<cell_name>_<node_name>_<server_name>\peoplesoft.ear\keystore\pskey
  3. In the Password field, enter the keystore password.

  4. In the Key Database Content section, from the drop-down list select Signer Certificates.

  5. Click the Add button to add a CA certificate.

  6. Enter the following values:

    1. In the Data Type field, select or enter Binary DER data.

    2. In the Certificate File Name field, enter <host_name>_PeopleTools.cer.

    3. In the Location field, enter the directory in which you saved the certificate file in step 1.

  7. Click the OK button and enter a label for the certificate, such as the name of the CA. Use a label that is different from the key label of the server's private key.

Generating Private Keys and CSRs (WebSphere)

To generate private keys in IBM WebSphere you use IBM Key Management.

To generate server-side private keys and CSRs:

  1. Open IBM Key Management.

    1. Open a command prompt and navigate to <WEBSPHERE_HOME>\appserver\bin.

    2. At the prompt, enter the following:

      ikeyman
    3. Press the Enter key. IBM Key Management opens.

  2. Select Key Database File > Open PSKEY.

    The location is:

    <PIA_HOME>\webserv\<cell_name>_<node_name>_<server_name>\peoplesoft.ear\
    keystore\pskey
  3. Enter the keystore password.

  4. In the Key Database Content section, from the drop-down list select Personal Certificate Requests.

  5. Click the New button. The Create New Key Certificate Request window opens.

  6. Enter the appropriate information in the following required fields:

    Field or Control    Definition

    Key Label           Enter the host name.

    Key Size            From the drop-down list, select 2048 or larger. Do not select 1024: 1024-bit RSA keys are no longer considered secure, and public CAs will not sign a 1024-bit CSR.

    Common Name         Enter the host name for the certificate. For example: <host_name>.corp.peoplesoft.com

    Organization        Enter the organization name.

  7. In the Enter the name of a file in which to store the certificate request field, enter the path and file name for the CSR file. For example:

    <WAS_HOME>\ssl\certreq.arm
  8. Click the OK button. The window closes.

    In the Key Database Content section, the key label appears under the Personal Certificate Requests section.

IBM Key Management keeps the private key in the PSKEY key database and writes the CSR to the file you specified, for example <WAS_HOME>\ssl\certreq.arm. The CSR, not the private key, is what you submit to the CA.

Submitting CSRs to CAs for Signing (WebSphere)

After you generate the private key and a certificate signing request (CSR), you must submit the CSR to the certificate authority (CA) for signing.

The process of obtaining the signature varies, depending on the CA that you select. Typically, a CA requires you to paste the content of the PEM-formatted CSR into a form that you submit online. However, the CA may send the signed public key certificate to you by email or require you to download it from a specified web page. The CA may also provide its root certificate or instructions for retrieving it.

Use the appropriate method for submitting a CSR for signing as determined by your CA.

When you do submit the CSR for signing the content you provide must include the begin section (-----BEGIN NEW CERTIFICATE REQUEST-----) and end section (-----END NEW CERTIFICATE REQUEST-----) of the CSR.

The CA will return the signed certificate to you.

Importing Signed Public Keys into Keystores (WebSphere)

After you receive a signed certificate back from the CA, you must import it into the keystore.

To import server-side public keys into keystores:

  1. Open IBM Key Management.

    1. Open a command prompt and navigate to <WEBSPHERE_HOME>\appserver\bin.

    2. At the prompt, enter the following:

      ikeyman
    3. Press the Enter key. IBM Key Management opens.

    4. From the Key Database File menu, select Open, open PSKEY (the key database in which you created the request), and enter the keystore password.

  2. In the Key Database Content section, from the drop-down list select Personal Certificates.

  3. Click the Receive button. The Receive Certificate from a File box displays.

  4. From the Data Type drop-down list, select Base64-encoded ASCII Data.

  5. In the Certificate File Name field enter the name of the certificate to import or click the Browse button to locate the file.

  6. In the Location field, enter the path to the certificate file.

  7. Click the OK button.

    The Receive Certificate from a File box closes and the name of the certificate appears in the Personal Certificates section in IBM Key Management.

Setting Up Gateway Private Keys (WebSphere)

To set up private keys for gateways, follow the procedures outlined in the following topics presented earlier in this section:

  • Generating Private Keys and CSRs.

  • Submitting CSRs to CAs for Signing.

  • Importing Signed Public Keys into Keystores.

The only difference is that for the following prompts you enter names that are gateway-specific:

Prompt                               Sample Value

Certificate alias.                   Enter an alias, such as PT853GATEWAY.

Common name for this certificate.    Enter a name, such as PT853GATEWAY.

Setting Up IBM WebSphere for Web Server SSL Encryption

Setting up IBM WebSphere for web server SSL/TLS encryption requires that you perform the following tasks:

  • Configure SSL/TLS repertoires.

  • Set up WebSphere servers for SSL/TLS encryption.

  • Set up inbound Common Secure Interoperability (CSI) authentication.

Note: Several pages and fields mentioned in this section reference only SSL. These pages and fields are also used for setting up TLS.

To configure an SSL/TLS repertoire:

  1. Start the WebSphere Administration Console.

    The URL is http://localhost:9090/admin/.

  2. In the left navigation area, navigate to Security > SSL. The SSL Repertoires page displays.

  3. Click the New button. The SSL Configuration Repertoires page displays.

  4. On the Configuration tab, enter values for the following fields:

    1. In the Alias field enter Web Container SSL.

    2. In the Key File Name field enter the location of the JKS file or the location of PSKey. For example:

      <PIA_HOME>\webserv\<cell_name>_<node_name>_<server_name>\peoplesoft.ear\
      keystore\pskey
      
    3. In the Key File Password field, enter the keystore password.

    4. In the Key File Format field, enter JKS.

    5. In the Trust File Name field, enter the location of the JKS file or the location of PSKey.

    6. In the Trust File Password field, enter the keystore password.

    7. In the Trust File Format field, enter JKS.

    8. Clear the Client Authentication box, if selected.

    9. In the Security Level field, select High.

    10. Click OK.

  5. Save the configuration.

To set up a WebSphere server for SSL/TLS encryption:

  1. Open the WebSphere Administration Console, if it is not already open.

    The URL is http://localhost:9090/admin/.

  2. In the left navigation area, select Servers > Application Servers and select the server with which you would like to work. The Application Servers page displays.

  3. Click the name of the server that appears as a hyperlink on the page.

  4. Click the Configuration tab.

  5. In the Additional Properties section, click Web Container. The Web Container page displays.

  6. In the Additional Properties section, click the HTTP Transports link.

  7. Select the check box of the row that contains the transport you want to secure.

  8. In the Hosts column click the asterisk (*). The HTTP Transports page displays.

  9. In the Configuration panel in the General Properties section, for the SSL Enabled property check the Enable SSL box.

  10. From the SSL drop-down list, select the desired SSL entry from the repertoire.

  11. Click the OK button and save the changes.

To set up CSI authentication:

  1. Open the WebSphere Administration Console, if it is not already open.

    The URL is http://localhost:9090/admin/.

  2. In the left navigation area, navigate to Security, Authentication Protocol, CSIV2InboundAuthentication. The CSI Authentication ->Inbound page displays.

  3. For Basic Authentication, select Supported.

  4. For Client Certificate Authentication, select Required.

  5. Save the changes and restart the web server.