Installing Web Server-Based Digital Certificates

This section discusses how to install digital certificates on Oracle WebLogic web servers.

In addition to using the information in this section to generate and install web server-based digital certificates, you can use this information to generate and install gateway-based digital certificates for:

  • Integration gateway encryption.

  • Client authentication.

  • WS-Security.

Note that for integration gateway encryption, if the integration gateway is installed on a web server that has SSL/TLS implemented, the integration gateway and web server can share the digital certificates. As a result, you do not need to install separate integration gateway certificates. However, if the integration gateway is installed on a web server where SSL/TLS is not implemented, you must generate and install digital certificates on that web server.

For more information about generating and installing integration gateway-based digital certificates see

You must install web server-based digital certificates to implement web server SSL encryption.

You use utilities provided with the Oracle WebLogic software to install web server-based certificates for SSL encryption. This authentication secures inbound messages. The web server requires three elements:

  • The web server's private key.

  • A certificate containing the web server's public key, digitally signed by a trusted certificate authority (CA).

  • A root certificate from the CA that signed the web server's public key.

The information in this section outlines the basic steps required to obtain and install the certificates and keys that you need. Oracle WebLogic provides its own interface and methodology for establishing SSL encryption; refer to the documentation supplied with the web server software for detailed information about this process. In addition, refer to the information supplied by the selected CA.

Note: PeopleSoft delivers a number of certificate authorities and root certificates. If your certificate authority or root certificate is not listed, you need to add it to the PeopleSoft system.

You use the web server software to generate its own private key. At the same time, it also generates a certificate signing request (CSR), which contains the web server's public key. You submit the CSR to the selected CA, which creates, digitally signs, and returns your web server's public key certificate to you. This certificate might be in standard DER-encoded binary format; however, it can be converted to PEM format if necessary. You then install both signed certificates, and you register them and your private key with your web server, so that the web server recognizes and uses them.

PSKeyManager is a command-line utility delivered with PeopleTools that you use to generate and import digital certificates into the keystore. The location of the PSKeyManager utility is:

<PIA_HOME>\webserv\peoplesoft\piabin

The basic syntax of PSKeyManager is:

pskeymanager -command

Note: The first time you launch a command using the PSKeyManager utility you are prompted to define a unique keystore password.

Each command can be followed by a variety of options. Both the command and the keyword for each option that you invoke with it must be preceded by a hyphen, and most options must be followed by a value.

When you navigate to the PSKeyManager utility, enter the command pskeymanager, and press the Enter key, a list of all commands and their options is displayed. The PSKeyManager utility provides ten or so commands, but you'll use only two of them for this task:

pskeymanager -create
pskeymanager -import

Note: The pskeymanager -create command supports the Subject Alternate Name (SAN) attribute, which allows you to specify more than one host name, IP address, or other value for a single SSL certificate.

The keystore location for SSL/TLS digital certificates is:

<PIA_HOME>\webserv\peoplesoft\piaconfig\keystore

In addition, integration gateway, client authentication, and WS-Security certificates are stored in this location.

This section describes how to install digital certificates for SSL/TLS encryption for the Oracle WebLogic environment and discusses how to:

  • Generate and import public keys.

  • Generate private keys and CSRs.

  • Submit CSRs to CAs for signing.

  • Import signed private keys into keystores.

  • Set up gateway private keys.

  • Set up Oracle WebLogic Console for SSL.

Generating and Importing Public Keys (WebLogic)

Before you can generate and import public keys into PeopleSoft, you must access and download the signed public key from your CA. The process for accessing and downloading the signed public key varies, depending on your CA. Contact your CA for information on how to perform these tasks.

To generate and import public keys:

  1. Place the public key from your CA in the keystore. The location of the keystore is:

    <PIA_HOME>\webserv\<DOMAIN>\piaconfig\keystore
  2. Open a command prompt and navigate to the keystore:

    <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore
  3. Enter the following at the prompt:

    pskeymanager -import
  4. At the Enter current keystore password prompt, enter the password and press Enter.

  5. At the Specify an alias for this certificate prompt, enter the alias name and press Enter.

    The alias name you enter must be the same one you entered when you generated the private key.

  6. At the Enter the name of the certificate file to import prompt, enter the path and name of the certificate to import, and press Enter.

  7. At the Trust this certificate prompt, enter Yes and press Enter.

Generating Private Keys and CSRs (WebLogic)

You use PSKeyManager to generate private keys. PSKeyManager is a wrapper to Sun Microsystems' Keytool for managing keys and certificates.

While using PSKeyManager, press the Enter key to select any of the default values presented.

To generate the private key and the CSR on Oracle WebLogic:

  1. Open a command prompt and navigate to the keystore:

    <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore
  2. Enter the following at the prompt:

    pskeymanager -create
  3. Enter the current keystore password and press Enter.

  4. At the Specify an Alias for this Certificate <host_name>? prompt, enter the certificate alias and press Enter.

    The default certificate alias is the local machine name.

  5. At the What is the common name for this certificate <host_name>? prompt, enter the host name for the certificate. For example:

    <host_name>.corp.example.com

    Press Enter.

    Enter the exact name as it will be accessed in a browser URL. For example, for a URL of https://server.example.com/ps/signon.html, enter server.example.com. The default common name is the same as the alias.

  6. At the What is the Subject Alternate Name for this certificate? prompt, enter one or more host names.

    Enter a Subject Alternate Name (SAN) in the format type:value, where type can be any of domain name server (DNS), IP address, EMAIL, URI, or an arbitrary object identifier (OID). For example, DNS:server.example.com or IP:192.0.2.1. The default SAN is DNS:common_name.

    To enter more than one value, separate the type:value entries with commas and no spaces. For example: DNS:server.example.com,DNS:server2.example.com,IP:192.0.2.1.

  7. Enter the appropriate information at the following prompts. Press Enter after each entry.

    1. Organization unit.

    2. Organization.

    3. City or locality.

    4. State or province.

      You must spell out the entire state name. Do not enter an abbreviation.

    5. Country code.

    6. Number of days the certificate should be valid.

      The default value is 90.

    7. Key size to use.

      The default value is 1024.

    8. Key algorithm.

      The default value is RSA.

    9. Signing algorithm.

      The default value is SHA256withRSA.

  8. At the Enter a private key password prompt, enter the password or press Enter to use the keystore password.

  9. Verify that the values you entered are correct, and press Enter. To go back and change any values, enter No and press Enter.
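The SAN string from step 6 is easy to get wrong at an interactive prompt. The following Python check is an added example, not part of the Oracle documentation or of PSKeyManager: it enforces the comma-separated type:value format described in step 6 and confirms that the common name from step 5 appears as a DNS entry. The function names and the per-type validation rules are assumptions of this example.

```python
import ipaddress
import re

SAN_TYPES = {"DNS", "IP", "EMAIL", "URI", "OID"}  # types listed in step 6
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_dns(name):
    labels = name.split(".")
    if labels[0] == "*":  # a single leading wildcard label is allowed
        labels = labels[1:]
    return len(name) <= 253 and bool(labels) and all(LABEL.fullmatch(l) for l in labels)


def check_san(san, common_name):
    """Return the problems found in a 'type:value,type:value' SAN string."""
    problems = []
    if any(ch.isspace() for ch in san):
        problems.append("contains whitespace; separate entries with commas only")
    dns_names = set()
    for entry in (e.strip() for e in san.split(",")):
        kind, sep, value = entry.partition(":")
        if not sep or not value:
            problems.append(f"{entry!r}: expected type:value")
        elif kind not in SAN_TYPES:
            problems.append(f"{entry!r}: unknown type {kind!r}")
        elif kind == "DNS" and not valid_dns(value):
            problems.append(f"{entry!r}: not a valid host name")
        elif kind == "DNS":
            dns_names.add(value.lower())
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{entry!r}: not a valid IP address")
    # TLS clients match the URL host against SAN entries, so the common name must be one.
    if common_name.lower() not in dns_names:
        problems.append(f"common name {common_name!r} is not listed as a DNS entry")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the document's own example, then one with a space and a typo.
    for san in ("DNS:server.example.com,DNS:server2.example.com,IP:192.0.2.1",
                "DNS:server.example.com, IP:192.0.2.256"):
        print(san, "->", check_san(san, "server.example.com") or "ok")
```

An empty list means the string can be entered as is; the check is stricter than the prompt in that it accepts the type keywords only in upper case, as the documentation writes them.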

PSKeyManager generates a private key and provides the certificate signing request (CSR) that you will provide to the CA for signing. The following example shows a sample CSR.


The CSR is written as a text file to the <PIA_HOME>\webserv\peoplesoft directory. The file name is <host_name>_certreq.txt.

Submitting CSRs to CAs for Signing (WebLogic)

After you generate the private key and a certificate signing request (CSR), you must submit the CSR to the certificate authority (CA) for signing.

The process of obtaining the signature varies, depending on the CA that you select. Typically, a CA requires you to paste the content of the PEM-formatted CSR into a form that you submit online. However, the CA may send the signed public key (root) certificate to you by email or require you to download it from a specified web page. The CA may also provide its root certificate or instructions for retrieving it.

Use the appropriate method to submit a CSR for signing as determined by your CA.

When you submit the CSR for signing, the content you provide must include the begin section (-----BEGIN NEW CERTIFICATE REQUEST-----) and the end section (-----END NEW CERTIFICATE REQUEST-----) of the CSR.
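Before pasting the request into the CA's form, it helps to confirm that the file is complete and that the key is large enough. The following Python check is an added example, not Oracle or PeopleSoft code: it verifies the BEGIN and END lines, decodes the body, and reads the RSA modulus size, which catches a request generated with the default key size of 1024 when the CA requires a larger key. The 2048-bit threshold and the function names are assumptions of this example.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
PEM_RE = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)


def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def csr_rsa_bits(pem_text):
    """Return the RSA modulus size in bits of a PEM-framed PKCS#10 request."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST lines missing")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, request, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("body is not one complete DER SEQUENCE")
    _, info, _ = read_tlv(request)       # CertificationRequestInfo
    _, _, pos = read_tlv(info)           # version
    _, _, pos = read_tlv(info, pos)      # subject name
    _, spki, _ = read_tlv(info, pos)     # SubjectPublicKeyInfo
    _, alg, pos = read_tlv(spki)         # algorithm identifier
    if RSA_OID not in alg:
        raise ValueError("public key is not RSA")
    _, bit_string, _ = read_tlv(spki, pos)
    _, rsa_key, _ = read_tlv(bit_string[1:])  # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa_key)         # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()


if __name__ == "__main__":
    import pathlib, sys
    for path in sys.argv[1:]:  # e.g. the request file written by pskeymanager -create
        bits = csr_rsa_bits(pathlib.Path(path).read_text())
        print(path, bits, "bits:", "ok" if bits >= 2048 else "too small")
```

Run it with the path to <host_name>_certreq.txt as the argument; a ValueError means the text is not a complete request and should not be submitted.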

The CA will return the signed certificate, which you must import into the keystore.

Importing Signed Private Keys into Keystores (WebLogic)

You use PSKeyManager to import a server-side private key into the keystore.

  1. Open a command prompt and navigate to the keystore:

    <PIA_HOME>\webserv\peoplesoft\piaconfig\keystore
  2. Enter the following at the prompt:

    pskeymanager -import
  3. At the Enter current keystore password prompt, enter the password and press Enter.

  4. At the Specify an alias for this certificate prompt, enter the alias name and press Enter.

    The alias name you enter must be the same one you entered when you generated the private key.

  5. At the Enter the name of the certificate file to import prompt, enter the path and name of the certificate to import, and press Enter.

  6. At the Trust this certificate prompt, enter Yes and press Enter.

Setting Up Gateway Private Keys (WebLogic)

To set up private keys for gateways, follow the procedures outlined in the following topics presented earlier in this section:

  • Generating Private Keys and CSRs.

  • Submitting CSRs to CAs for Signing.

  • Importing Server-Side Private Keys into Keystores.

The only difference is that for the following prompts you enter names that are gateway-specific:

Prompt                               Sample Values
Certificate alias.                   Enter an alias, such as PT860GATEWAY.
Common name for this certificate.    Enter a name, such as PT860GATEWAY.

Setting Up Oracle WebLogic for SSL/TLS Encryption

This section describes how to set up Oracle WebLogic for SSL/TLS encryption.

Note: Several pages and fields mentioned in this section reference only SSL. These pages and fields are also used for setting up TLS.

To set up Oracle WebLogic for SSL/TLS:

  1. Log in to WebLogic Console.

    1. Open a web browser.

    2. In the URL or address field, enter http://localhost/index.html and press Enter. The Web Server Index Page displays.

    3. Click Access WebLogic Server Console. The signon page for WebLogic Server Administration Console appears.

    4. Enter the Username and Password and click Sign In. WebLogic Administration Console displays.

      The username and password are those that you specified when you installed PeopleSoft Pure Internet Architecture.

  2. Navigate to the PIA server Configuration page using one of these methods:

    • In the WebLogic Server Console, in the left navigation area, navigate to PeopleSoft > Servers > PIA.

    • In the WebLogic Server Console, in the Domain Configuration section, click Servers. The Servers page displays. In the table that appears on the page, click the PIA link.

  3. Click the Keystores and SSL tab.

  4. In the Keystore Configuration section, on the right side of the page, click the Change link. The Specify Keystore Type page displays.

  5. From the Keystores drop-down list, select Custom Identity and Custom Trust.

  6. Click the Continue button. The Configure Keystore Properties page displays.

  7. In the Custom Identity section complete the following fields:

    1. In the Custom Identity Key Store File Name field, enter keystore/pskey.

    2. In the Custom Identity Key Store Type field, enter JKS.

    3. In the Custom Identity Key Store Pass Phrase field, enter password.

    4. In the Confirm Custom Identity Key Store Pass Phrase field, enter password again.

    5. Click the Continue button. The Review SSL Private Key Settings page displays.

  8. On the Review SSL Private Key Settings page, review the information and click the Continue button.

  9. Click the Finish button. You will restart the web server at a later time. You are returned to the Keystore Configuration tab.

  10. Scroll down the page to the Advanced Options section and click the Show link.

  11. In the Server Attributes section, from the Two Way Client Cert Behavior drop-down list box, select Client Certs Requested and Enforced.

    Note: Set this option only if the node is set up for certificate-based authentication or non-repudiation, or if required for two-way SSL.

  12. Click the Apply button.

  13. Restart the web server.