Oracle® Communications Diameter Signaling Router Service Capability Exposure Function User's Guide
Release 8.4
F12301-02

Change SSL Certificates and Private Keys

DSR API GW ships with a demo certificate and private key, which are not recommended for use in a production environment.

To change the demo certificate and private key of DSR API GW, obtain:
  • A CA-signed digital certificate (.pem file) and private key for each DSR API GW server separately.
  • The root certificate of the CA and any intermediate certificates used to sign the digital certificate.

This procedure is performed on each AppServer.

  1. SSH to the server.
  2. Browse to the /u03/app/oracle/ocsg-x.x.x/user_projects/domains/services-gatekeeper-domain/security directory.
    Replace x.x.x with the DSR API GW version.
  3. Copy the signed certificate, private key, CA root and intermediate certificates (if any) to the current directory.
  4. Execute:
    source ../../../../wlserver/server/bin/setWLSEnv.sh
  5. Create a custom key store and import the private key and signed digital certificate with this command:
    java utils.ImportPrivateKey -keystore ServerIdentity.jks -storepass <storepass> \
     -storetype JKS -keypass <keypass> -alias <skey> -certfile <serverCert.pem> -keyfile <ServerKey.pem> \
     -keyfilepass <keypass>

    Keystore: ServerIdentity.jks - The JKS file into which the certificate and key are imported.

    Storepass: storepass - The password of the keystore file ServerIdentity.jks.

    Storetype: JKS - Java Key Store.

    Keypass: keypass - The password that is configured in the server and used to read the private key from the keystore.

    Alias: skey - The alias used for reading the private key from the keystore.

    Certfile: serverCert.pem - The certificate to be imported into the keystore.

    Keyfile: ServerKey.pem - The private key to be imported into the keystore.

    Keyfilepass: keypass - The password required to read the private key from the ServerKey.pem file.

  6. Create a custom trust store (Java key store) and import the CA root certificate with this command:
    keytool -import -file <ca.cert> -alias <firstCA> -keystore <ServerTrust.jks> -storepass <storepass>

    ca.cert - The CA root certificate to be imported.

    firstCA - An alias for the certificate.

    ServerTrust.jks - The trust store, which is created with this name.

    Storepass - The trust store passphrase.

  7. Access the DSR API GW Admin console using https://<Admin-Server-XMI-IP>:9002/console.
  8. Log in using the admin account created when configuring the API GW.
    The default username is weblogic.
  9. Navigate to Environment > Servers > AdminServer or AppServerx > Configuration > KeyStore.
  10. Click Advanced.
  11. Click Lock and Edit.
  12. Change Keystores to Custom Identity and Custom Trust.
  13. Provide these values:
    • Custom Identity Keystore
    • Custom Identity Keystore Type
    • Custom Identity Keystore Passphrase
    • Confirm Custom Identity Keystore Passphrase
    • Custom Trust Keystore
    • Custom Trust Keystore Type
    • Custom Trust Keystore Passphrase
    • Confirm Custom Trust Keystore Passphrase
  14. Select the SSL tab and provide these values:
    • Private Key Alias
    • Private Key Passphrase
    • Confirm Private Key Passphrase
  15. Click Activate Changes.
  16. Navigate to Environment > Servers > Control (tab) to restart the server.
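
Before running the import in step 5, it is worth confirming that the files copied in step 3 belong together. The script below is an added example, not part of Oracle's procedure: it uses the openssl CLI to check that the private key matches the certificate, that the certificate has not expired, and that it chains to the CA root destined for the trust store in step 6. The names `check_bundle`, `make_constructed_bundle` and `KEY_PASS` are assumptions of this example, and the CA and server certificate it can generate are constructed sample input.

```bash
#!/bin/sh
# Added example: pre-import checks for the certificate files copied in step 3.
# KEY_PASS (assumed variable name) passes the key file passphrase through the
# environment so that it does not show up in the process list.

# usage: check_bundle <serverCert.pem> <ServerKey.pem> <ca.cert> [intermediates.pem]
check_bundle() (
  cert=$1 key=$2 root=$3 inter=${4:-}
  export KEY_PASS="${KEY_PASS:-}"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate $cert" >&2; exit 2; }
  key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) ||
    { echo "cannot read private key $key" >&2; exit 2; }
  # Step 5 pairs these two files, so both must carry the same public key.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; exit 3; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired" >&2; exit 4; }
  # The CA root imported into the trust store in step 6 must anchor the chain.
  openssl verify -CAfile "$root" ${inter:+-untrusted "$inter"} "$cert" 2>/dev/null |
    grep -q ': OK$' || { echo "certificate does not chain to $root" >&2; exit 5; }
  echo "OK: key matches, certificate is current and chains to $root"
)

# Constructed sample input: a throwaway CA and server certificate in directory $1.
make_constructed_bundle() (
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -days 2 -keyout "$d/ca.key" -out "$d/ca.cert" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=appserver.example" \
    -keyout "$d/ServerKey.pem" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.cert" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/serverCert.pem" 2>/dev/null
)

# Run the checks when file names are given on the command line.
if [ "$#" -ge 3 ]; then check_bundle "$@"; fi
```

A non-zero exit status identifies the failed check: 2 for an unreadable file, 3 for a key mismatch, 4 for an expired certificate, 5 for a chain that does not verify.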