Configure SSL for WebLogic Server
You can update the Oracle WebLogic Server domain in Oracle Java Cloud Service to use a generated, self-signed certificate, or a certificate that has been issued by a Certifying Authority (CA).
If your service instance does not include a load balancer, and you want to use a different SSL certificate for communication between clients and your Java applications, update the configuration for the Managed Servers in your domain.
After scaling out your service instance, you will also need to update the SSL configuration for the new server.
Note:
Oracle recommends that you back up your service instance prior to updating the SSL configuration. If the SSL configuration fails, you will be able to restore the service instance to a known working state.
By default, if you created your service instance in an Oracle Cloud Infrastructure Classic region, external access to the WebLogic Server administration console is disabled for security purposes. If you did not enable console access while provisioning your service instance, see Enabling Console Access in an Oracle Java Cloud Service Instance.
Tasks:
- Add the Oracle Identity Cloud Service Certificate to the Trust Keystore
- Associate Keystores and SSL Certificate with WebLogic Server
- Configure Node Manager to Use the SSL Certificate (Important: To ensure a successful SSL handshake)
Create Keystores and Certificates for WebLogic Server
Use keytool to create your own public/private key pairs and self-signed certificates. Optionally, create a Certificate Signing Request (CSR) for each generated certificate and submit it to a CA to obtain a trusted certificate.
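The keytool steps described above, as an added example that is not part of the Oracle documentation. The alias, host name, DN fields, file names and the JKS store type are assumptions, and the passwords are read from the STOREPASS and KEYPASS environment variables.

```shell
#!/bin/sh
# Added example, not Oracle's own script. Constructed values: alias, host name,
# DN fields, file names; JKS store type is an assumption.
# Usage: export STOREPASS=... KEYPASS=...
#        make_identity /path/to/dir wls_identity host.example.com

# make_identity DIR ALIAS HOST: build identity.jks, ALIAS.csr and trust.jks in DIR.
# Passwords come from the environment (keytool's :env modifier), so they stay
# out of the process list and shell history.
make_identity() {
    ks_dir=$1 ks_alias=$2 ks_host=$3

    # 1. Private key plus self-signed certificate in the identity keystore.
    keytool -genkeypair -alias "$ks_alias" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$ks_host, OU=Example, O=Example Corp, C=US" \
        -ext "SAN=dns:$ks_host" \
        -storetype JKS -keystore "$ks_dir/identity.jks" \
        -storepass:env STOREPASS -keypass:env KEYPASS || return 1

    # 2. Optional: CSR for the same key pair, to submit to a CA.
    keytool -certreq -alias "$ks_alias" -file "$ks_dir/$ks_alias.csr" \
        -ext "SAN=dns:$ks_host" -keystore "$ks_dir/identity.jks" \
        -storepass:env STOREPASS -keypass:env KEYPASS || return 1

    # 3. Export the public certificate only and import it into a separate
    #    trust keystore. With a CA-issued certificate, import the CA's
    #    certificate here instead.
    keytool -exportcert -rfc -alias "$ks_alias" -file "$ks_dir/$ks_alias.pem" \
        -keystore "$ks_dir/identity.jks" -storepass:env STOREPASS || return 1
    keytool -importcert -noprompt -alias "$ks_alias" \
        -file "$ks_dir/$ks_alias.pem" \
        -storetype JKS -keystore "$ks_dir/trust.jks" \
        -storepass:env STOREPASS || return 1
}

# entry_type KEYSTORE ALIAS: print PrivateKeyEntry or trustedCertEntry, to
# confirm the private key exists only in the identity keystore.
entry_type() {
    keytool -list -alias "$2" -keystore "$1" -storepass:env STOREPASS |
        grep -o -e PrivateKeyEntry -e trustedCertEntry
}
```

Running entry_type against both files before pointing a server at them confirms that trust.jks holds only a trustedCertEntry and that the private key never left identity.jks.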
Add the Oracle Identity Cloud Service Certificate to the Trust Keystore
If your Oracle Java Cloud Service instance is configured to use Oracle Identity Cloud Service for authentication, you must add the Oracle Identity Cloud Service certificate to your custom trust keystore.
Associate Keystores and SSL Certificate with WebLogic Server
Use the WebLogic Server Administration Console to update the location of each server’s identity and trust keystore files, and the name of the certificate in the identity keystore that the server uses for SSL communication.
By default, the servers in an Oracle Java Cloud Service instance are configured to use a demo identity keystore and a demo trust keystore. Oracle recommends that you use these demo keystores for development purposes only.
For more information, refer to Overview of Configuring SSL in Administering Security for Oracle WebLogic Server (12.2.1).
Configure Node Manager to Use the SSL Certificate
To ensure a successful SSL handshake among the Administration Server, Managed Servers and Node Manager, you must configure Node Manager to use the custom keystores and the SSL certificate.
Configure SSL for New Servers After Scaling Out
After scaling out a cluster in your Oracle Java Cloud Service instance, you must modify the new server's SSL configuration if you want the server to use your custom keystores.
Use the WebLogic Server Administration Console to update the new server. See Associate Keystores and SSL Certificate with WebLogic Server.
Oracle Java Cloud Service automatically performs the following tasks during a scale-out operation:
- Copy the custom keystore files to the new node.
- Copy the Node Manager configuration files to the new node.
- Update the setDomainEnv.sh file on the new node.