Configure SSL for WebLogic Server

You can update the Oracle WebLogic Server domain in Oracle Java Cloud Service to use a generated, self-signed certificate, or a certificate that has been issued by a Certificate Authority (CA).

If your service instance does not include a load balancer, and you want to use a different SSL certificate for communication between clients and your Java applications, update the configuration for the Managed Servers in your domain.

After scaling out your service instance, you will also need to update the SSL configuration for the new server.

Note:

Oracle recommends that you back up your service instance prior to updating the SSL configuration. If the SSL configuration fails, you will be able to restore the service instance to a known working state.

By default, if you created your service instance in an Oracle Cloud Infrastructure Classic region, external access to the WebLogic Server administration console is disabled for security purposes. If you did not enable console access while provisioning your service instance, see Enabling Console Access in an Oracle Java Cloud Service Instance.

Create Keystores and Certificates for WebLogic Server

Use keytool to create your own public/private key pairs and self-signed certificates. Optionally, create a Certificate Signing Request (CSR) for each generated certificate and submit it to a CA to obtain a trusted certificate.

  1. Connect to the Administration Server node in your service instance with a secure shell (SSH) client, and then switch to the oracle user.
    sudo su - oracle
  2. Create a directory /u01/data/keystores to hold the keystore files.
    cd /u01/data
    mkdir keystores
    cd keystores

    Caution:

    Do not place your keystore and certificate files in the Middleware Home (MIDDLEWARE_HOME) or Java Home (JAVA_HOME) directories. Any modifications you make to these locations might be lost when you apply a patch.

    Caution:

    Do not place your keystore and certificate files in the Domain Home (DOMAIN_HOME) or /u01/data/domains directories because they are included in backups. A restore operation might include an expired certificate and result in errors during a server restart.
  3. Use the keytool command to create a new identity keystore file, and to add a self-signed certificate with the alias server_cert to that keystore.
    keytool -genkeypair -alias alias -keyalg keyalg -sigalg sigalg -keysize size -dname dn -keystore keystore_file

    For example:

    keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore identity.jks

    Note that in this example the common name (CN) in the X.500 Distinguished Name, which consists of the WebLogic Server host and DNS domain name, is example.com.

  4. When prompted, enter a password for the keystore.
  5. When prompted, enter a password for the private key, server_cert, or press Enter to use the same password as the keystore.
  6. If you are using a self-signed certificate to configure SSL, then create a custom trust keystore file.
    1. Use keytool to export the self-signed certificate, server_cert, from the identity store to a file named server_cert.cer.
      keytool -exportcert -alias server_cert -file server_cert.cer -keystore keystore_file

      When prompted, enter the password for the keystore.

    2. Use keytool to create a trust keystore file, and to import server_cert.cer into this new keystore. Use the same alias, server_cert.
      keytool -importcert -alias server_cert -file server_cert.cer -keystore trust_keystore_file

      For example:

      keytool -importcert -alias server_cert -file server_cert.cer -keystore trust.jks
    3. When prompted, enter a password for the new keystore.
    4. When prompted to trust this certificate, enter yes.
  7. If you are using a CA-issued certificate to configure SSL, then create a CSR file from the identity keystore.
    1. Use keytool to create a CSR file for the server_cert private key.
      keytool -certreq -alias alias -file certreq_file -keystore keystore

      For example:

      keytool -certreq -alias server_cert -file server_cert.csr -keystore identity.jks
    2. When prompted, enter the password for the keystore and the private key.
    3. Submit the CSR to a Certificate Authority of your choice in order to obtain a trusted certificate.
    4. Import the CA-issued certificate into the identity keystore.
  8. Copy the keystore files to all the other nodes in your service instance.

    For example:

    ssh myinstance-wls-2
    mkdir /u01/data/keystores
    scp myinstance-wls-1:/u01/data/keystores/identity.jks /u01/data/keystores
    scp myinstance-wls-1:/u01/data/keystores/trust.jks /u01/data/keystores

Add the Oracle Identity Cloud Service Certificate to the Trust Keystore

If your Oracle Java Cloud Service instance is configured to use Oracle Identity Cloud Service for authentication, you must add the Oracle Identity Cloud Service certificate to your custom trust keystore.

  1. Access the Oracle Java Cloud Service console.
  2. Click Manage this service Menu icon for your service instance, and then select Open Fusion Middleware Control Console.
  3. Click WebLogic Domain, select Security, and then select Keystore.
  4. Expand the system folder.
  5. Click trust, and then click Manage.
  6. Click idcs_root_ca, and then click Export.
  7. Click Export Certificate, and then click Close.
  8. SSH to the Administration Server node and switch to the oracle user.
    sudo su - oracle
  9. Navigate to the /u01/data/keystores folder.
  10. Create a new file named idcs_root_ca.cer. Paste the contents of the exported idcs_root_ca certificate into this file.
  11. Use keytool to import idcs_root_ca.cer into your custom trust keystore.
    keytool -import -alias idcs_root_ca -file idcs_root_ca.cer -keystore trust_keystore_file

    For example:

    keytool -import -alias idcs_root_ca -file idcs_root_ca.cer -keystore trust.jks
  12. When prompted, enter the password for the keystore.
  13. When prompted to trust this certificate, enter yes.
  14. Copy the updated trust keystore file to all the other nodes in your service instance.

    For example:

    ssh myinstance-wls-2
    scp myinstance-wls-1:/u01/data/keystores/trust.jks /u01/data/keystores

Associate Keystores and SSL Certificate with WebLogic Server

Use the WebLogic Server Administration Console to update the location of each server’s identity and trust keystore files, and the name of the certificate in the identity keystore that the server uses for SSL communication.

By default, the servers in an Oracle Java Cloud Service instance are configured to use a demo identity keystore and a demo trust keystore. Oracle recommends that you use these demo keystores for development purposes only.

  1. Access the Oracle Java Cloud Service console.
  2. Click the name of your service instance.
  3. From the Overview page, identify the host names of all the nodes in your service instance, and the names of all servers in your domain.
  4. Click Manage this service Menu icon, and select Open WebLogic Server Administration Console.
  5. Log in to the console using the credentials that you specified when provisioning your service instance.
  6. Within the Change Center panel, click Lock and Edit.
  7. Within the Domain Structure panel, expand Environment, and then click Servers.
  8. Click the name of the server for which you want to configure SSL.
  9. Verify that the Configuration tab is selected. Under Configuration, click the Keystores tab.
    1. For Keystores, click Change. Select Custom Identity and Custom Trust, and then click Save.
    2. For Custom Identity Keystore, enter the full path to your identity keystore.
      For example, /u01/data/keystores/identity.jks
    3. For Custom Identity Keystore Type, enter JKS.
    4. For Custom Identity Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Identity Keystore Passphrase.
    5. For Custom Trust Keystore, enter the full path to your trust keystore.
      For example, /u01/data/keystores/trust.jks
    6. For Custom Trust Keystore Type, enter JKS.
    7. For Custom Trust Keystore Passphrase, enter your keystore password. Enter the same value for Confirm Custom Trust Keystore Passphrase.
    8. Click Save.
  10. Under Configuration, click the SSL tab.
    1. For Private Key Alias, enter the name of the certificate (private key) in the identity keystore, server_cert.
    2. For Private Key Passphrase, enter the password for this certificate in the keystore. Enter the same value for Confirm Private Key Passphrase.
      By default, the password for the certificate is the same as the identity keystore password.
    3. Click Save.
  11. Under Change Center, click Activate Changes.
  12. Click the Control tab.
  13. Click Restart SSL. When prompted for confirmation, click Yes.
  14. Repeat from step 6 to update each server in your domain for which you want to configure SSL.

    After you have configured SSL for WebLogic Server to use the CustomIdentityAndCustomTrust keystore setting, open the boot.properties file located in DOMAIN_HOME/servers/AdminServer/security and in DOMAIN_HOME/servers/<server_name>/data/nodemanager, and remove the following line:

    TrustKeyStore=DemoTrust

For more information, refer to Overview of Configuring SSL in Administering Security for Oracle WebLogic Server (12.2.1).

Configure Node Manager to Use the SSL Certificate

To ensure a successful SSL handshake among the Administration Server, Managed Servers and Node Manager, you must configure Node Manager to use the custom keystores and the SSL certificate.

  1. Connect to the Administration Server node with a secure shell (SSH) client, and then switch to the oracle user.
    sudo su - oracle
  2. Edit the nodemanager.properties file located under your Domain Home directory.
    vi $DOMAIN_HOME/nodemanager/nodemanager.properties
  3. Add the following lines to the end of the file.
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=path_to_identity_keystore
    CustomIdentityKeyStorePassPhrase=keystore_password
    CustomIdentityPrivateKeyPassPhrase=server_cert_password
    CustomIdentityAlias=server_cert
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=path_to_trust_keystore
    CustomTrustKeyStorePassPhrase=keystore_password

    For example:

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/u01/data/keystores/identity.jks
    CustomIdentityKeyStorePassPhrase=keystore_password
    CustomIdentityPrivateKeyPassPhrase=server_cert_password
    CustomIdentityAlias=server_cert
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/u01/data/keystores/trust.jks
    CustomTrustKeyStorePassPhrase=keystore_password
  4. Regenerate the Node Manager startup files.
    1. Launch the WebLogic Scripting Tool (WLST).
      $MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh
    2. Connect to the Administration Server.
      connect('admin_user','password','t3://admin_server_host:9071')

      For example:

      connect('weblogic','password','t3://myinstance-wls-1:9071')
    3. Generate the boot.properties and startup.properties files for the server(s) on this node.
      nmGenBootStartupProps('server_name')

      Both the Administration Server and the first Managed Server run on the first node in your service instance. For example:

      nmGenBootStartupProps('myinstance_adminserver')
      nmGenBootStartupProps('myinstance_server_1')
      
    4. Exit WLST.
      exit()
  5. Edit the setDomainEnv.sh file located under your Domain Home directory.
    vi $DOMAIN_HOME/bin/setDomainEnv.sh
  6. Add the following line to the end of the file.
    export WLST_PROPERTIES="${WLST_PROPERTIES} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=path_to_trust_keystore -Dweblogic.security.CustomTrustKeyStoreType=JKS"

    For example:

    export WLST_PROPERTIES="${WLST_PROPERTIES} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/data/keystores/trust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS"
  7. Run source $DOMAIN_HOME/bin/setDomainEnv.sh.
  8. Navigate to the $DOMAIN_HOME/bin directory.
  9. If your service instance is running WebLogic Server 12c, then run the following commands to restart the Node Manager.
    ./stopNodeManager.sh
    ./startNodeManager.sh &
  10. If your service instance is running WebLogic Server 11g, then perform the following steps to restart the Node Manager.
    1. Identify the process ID for the Node Manager.
      ps -ef | grep weblogic.NodeManager
    2. Kill the Node Manager process.
      kill -9 process_id
    3. Run the following commands.
      export JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true"
      $MIDDLEWARE_HOME/wlserver_10.3/server/bin/startNodeManager.sh &
  11. Restart the servers using the Node Manager.
    1. Launch the WebLogic Scripting Tool (WLST).
      $MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh
    2. Connect to the Node Manager.
      nmConnect(username="weblogic", password="password", domainName="domain_name", domainDir="/u01/data/domains/domain_name", nmType="ssl", host="host_name", port="5556", verbose="false")

      For example:

      nmConnect(username="weblogic", password="password", domainName="myinstance_domain", domainDir="/u01/data/domains/myinstance_domain", nmType="ssl", host="myinstance-wls-1", port="5556", verbose="false")
    3. Restart the server(s) on this node.
      nmKill('server_name')
      nmStart('server_name')
      nmServerStatus('server_name')

      Both the Administration Server and the first Managed Server run on the first node in your service instance. For example:

      nmKill('myinstance_server_1')
      nmKill('myinstance_adminserver')
      nmStart('myinstance_adminserver')
      nmServerStatus('myinstance_adminserver')
      nmStart('myinstance_server_1')
      nmServerStatus('myinstance_server_1')
    4. Exit WLST.
      exit()
  12. Repeat from step 1 for any other nodes in your service instance for which you want to configure SSL.
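As an added check that is not part of Oracle's documentation, the following Python script verifies the nodemanager.properties entries from step 3 above and the boot.properties cleanup from step 14 of the previous section: it confirms every required key is present, that KeyStores is CustomIdentityAndCustomTrust, that the keystore paths are not under the directories the Cautions rule out, and that TrustKeyStore=DemoTrust is gone. REQUIRED_KEYS, PROTECTED_DIRS and the sample file content are constructed here; the real MIDDLEWARE_HOME, JAVA_HOME and DOMAIN_HOME paths are assumed to be supplied by you.

```python
import posixpath

# Keys added to nodemanager.properties in step 3 above; every one must be present.
REQUIRED_KEYS = (
    "KeyStores", "CustomIdentityKeystoreType", "CustomIdentityKeyStoreFileName",
    "CustomIdentityKeyStorePassPhrase", "CustomIdentityPrivateKeyPassPhrase",
    "CustomIdentityAlias", "CustomTrustKeystoreType", "CustomTrustKeyStoreFileName",
    "CustomTrustKeyStorePassPhrase")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def is_under(path, directory):
    """True if the POSIX path lies inside directory (both normalised first)."""
    path, directory = posixpath.normpath(path), posixpath.normpath(directory)
    return path == directory or path.startswith(directory + "/")

def check_nodemanager(text, protected_dirs):
    """Findings: missing keys, wrong KeyStores mode, keystores in a protected dir."""
    props = parse_properties(text)
    findings = [f"missing {k}" for k in REQUIRED_KEYS if k not in props]
    if props.get("KeyStores") != "CustomIdentityAndCustomTrust":
        findings.append("KeyStores is not CustomIdentityAndCustomTrust")
    for key in ("CustomIdentityKeyStoreFileName", "CustomTrustKeyStoreFileName"):
        path = props.get(key)
        findings += [f"{key}={path} is under {d}" for d in protected_dirs
                     if path and is_under(path, d)]
    return findings

def check_boot_properties(text):
    """Flag the TrustKeyStore=DemoTrust line that step 14 above says to remove."""
    present = parse_properties(text).get("TrustKeyStore") == "DemoTrust"
    return ["TrustKeyStore=DemoTrust still present"] if present else []

# Constructed sample mirroring the page's example values. PROTECTED_DIRS is a
# placeholder: add your real MIDDLEWARE_HOME, JAVA_HOME and DOMAIN_HOME paths.
SAMPLE_NM = "\n".join(f"{k}={v}" for k, v in zip(REQUIRED_KEYS, (
    "CustomIdentityAndCustomTrust", "jks", "/u01/data/keystores/identity.jks",
    "keystore_password", "server_cert_password", "server_cert", "jks",
    "/u01/data/keystores/trust.jks", "keystore_password")))
PROTECTED_DIRS = ("/u01/data/domains",)
```

Run check_nodemanager on the contents of $DOMAIN_HOME/nodemanager/nodemanager.properties and check_boot_properties on each boot.properties file; an empty list means nothing was flagged.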

Configure SSL for New Servers After Scaling Out

After scaling out a cluster in your Oracle Java Cloud Service instance, you must modify the new server's SSL configuration if you want the server to use your custom keystores.

Use the WebLogic Server Administration Console to update the new server. See Associate Keystores and SSL Certificate with WebLogic Server.

Oracle Java Cloud Service automatically performs the following tasks during a scale-out operation:

  • Copy the custom keystore files to the new node.
  • Copy the Node Manager configuration files to the new node.
  • Update the setDomainEnv.sh file on the new node.