Configuring SSL for an Oracle Java Cloud Service Instance

Secure Sockets Layer (SSL) is the most commonly used method of securing data sent across the internet, and assures visitors that transactions with your application are secure. You can configure SSL between the client browser and the load balancer in your Oracle Java Cloud Service instance to ensure that applications are accessed securely.

By default SSL is already enabled within the software components of an Oracle Java Cloud Service instance, including Oracle WebLogic Server and the load balancer. They are configured to use a self-signed SSL certificate that was generated by Oracle Java Cloud Service. Clients will typically receive a message indicating that the signing CA for the certificate is unknown and not trusted.

You can update the load balancer to use a different certificate. Before you begin, ensure that you have enabled the load balancer in your Oracle Java Cloud Service instance and registered your custom domain name, as described in Defining a Custom Domain Name for an Oracle Java Cloud Service Instance.

Tasks:

Creating a Self-Signed SSL Certificate in the Load Balancer

For development Oracle Java Cloud Service environments, you can use either a CA-issued or a self-signed certificate. You can create a self-signed certificate using the Load Balancer Console.

To obtain and use a CA-issued certificate instead, see Importing a CA-Issued SSL Certificate to the Load Balancer.

  1. Navigate to the Services page of the Oracle Java Cloud Service console.
  2. Click the menu icon for the desired service instance and select Open Load Balancer Console.
  3. Log in to the console using the credentials defined when provisioning your service instance.

    If you created your service instance using the Oracle Java Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

  4. Access the load balancer configuration (for example, opc-config):
    • If your service instance is running Oracle Traffic Director 12c, click the Target Navigation icon. Expand the Traffic Director folder and click the name of the Traffic Director configuration.
    • If your service instance is running Oracle Traffic Director 11g, click Configurations and then click the name of the Traffic Director configuration.
  5. If your service instance is running Oracle Traffic Director 12c, perform these steps to create a self-signed certificate:
    1. Click Traffic Director Configuration and select Security > Manage Certificates.
    2. Click Generate Keypair.
    3. Enter an Alias for the new certificate.
    4. Set the Common Name to your custom domain name. For example, example.com.
    5. Complete the remaining fields and click OK.
  6. If your service instance is running Oracle Traffic Director 11g, perform these steps to create a self-signed certificate:
    1. Expand SSL in the navigation pane and click Server Certificates.
    2. Click New Self Signed Certificate.
    3. Set the Server Name to your custom domain name. For example, example.com.
    4. Complete the remaining fields and click Next.
    5. On the Certificate Options page, enter a Nickname (alias) for the certificate. Click Next.
    6. Click Create Certificate.

Importing a CA-Issued SSL Certificate to the Load Balancer

For production Oracle Java Cloud Service environments, it is recommended that you use a CA-issued SSL certificate. A CA-issued SSL certificate reduces the chances of experiencing a man-in-the-middle attack.

There are multiple CA vendors in the marketplace today, each offering different levels of service at varying price points. Research and choose a CA vendor that meets your service-level and budget requirements.

For a CA vendor to issue you a CA-issued SSL certificate, you need to provide the following information:

  • Your custom domain name.

  • Public information associated with the domain confirming you as the owner.

  • Email address associated with the custom domain for verification.

Create a Certificate Signing Request (CSR) by using the Load Balancer Console and submit the CSR to the CA vendor. After receiving the CA-issued certificate, import it into the Load Balancer configuration.

  1. Navigate to the Services page of the Oracle Java Cloud Service console.
  2. Click the menu icon for the desired service instance and select Open Load Balancer Console.
  3. Log in to the console using the credentials defined when provisioning your service instance.

    If you created your service instance using the Oracle Java Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

  4. Access the load balancer configuration (for example, opc-config):
    • If your service instance is running Oracle Traffic Director 12c, click the Target Navigation icon. Expand the Traffic Director folder and click the name of the Traffic Director configuration.
    • If your service instance is running Oracle Traffic Director 11g, click Configurations and then click the name of the Traffic Director configuration.
  5. If your service instance is running Oracle Traffic Director 12c, perform these steps to generate a CSR:
    1. Click Traffic Director Configuration and select Security > Manage Certificates.
    2. Click Generate Keypair.
    3. Enter an Alias for the new certificate.
    4. Set the Common Name to your custom domain name. For example, example.com.
    5. Complete the remaining fields and click OK.
    6. Select your new certificate and click Generate CSR.
  6. If your service instance is running Oracle Traffic Director 11g, perform these steps to generate a CSR:
    1. Expand SSL in the navigation pane and click Server Certificates.
    2. Click Create Certificate Request.
    3. Set the Server Name to your custom domain name. For example, example.com.
    4. Complete the remaining fields and click Next.
    5. On the Certificate Options page, click Next to accept the defaults.
    6. Click Create CSR.
  7. Save the generated CSR text, including the header line -----BEGIN NEW CERTIFICATE REQUEST----- and footer line -----END NEW CERTIFICATE REQUEST-----.

    For example:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIC9jCCAd4CAQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQwwCgYDVQQH
    EwNTQ0ExDzANBgNVBAoTBk9yYWNsZTEPMA0GA1UECxMGT3JhY2xlMRQwEgYDVQQD
    I+XY7ByYRma1XlM1cYoMUiKSnRHdllUZMRwYHu4AZvrEMIhKjB6YiC0F
    -----END NEW CERTIFICATE REQUEST-----
    

    The CSR includes the public key and other information that the CA vendor needs to verify the identity of the load balancer server.

  8. Submit the CSR to your CA vendor to request a new CA-issued SSL certificate.

    For more information about submitting the CSR, refer to your CA vendor documentation.

    Your CA vendor uses the CSR information to validate the domain and provides you with a valid SSL certificate, typically via email.

  9. Return to the Load Balancer Console for your service instance.
  10. If your service instance is running Oracle Traffic Director 12c, perform these steps to import the CA-issued certificate:
    1. Click Traffic Director Configuration and select Security > Manage Certificates.
    2. Click Import.
    3. Verify that Certificate Type is set to Certificate.
    4. Select the Alias of the certificate you generated earlier.
    5. You can paste the certificate text directly in the Paste Certificate String Here field, or click Choose File and select the certificate on your local file system. If you opt to paste the certificate text, be sure to include the headers BEGIN CERTIFICATE and END CERTIFICATE, including the beginning and ending hyphens.
    6. Click OK.
  11. If your service instance is running Oracle Traffic Director 11g, perform these steps to import the CA-issued certificate:
    1. Expand SSL in the navigation pane and click Server Certificates.
    2. Click Install Certificate.
    3. Enter a Nickname (alias) for the certificate.
    4. You can paste the certificate text directly in the Certificate Data field, or provide the path to the certificate file in the Certificate File field. If you opt to paste the certificate text, be sure to include the headers BEGIN CERTIFICATE and END CERTIFICATE, including the beginning and ending hyphens.
    5. Click Next.
    6. Click Install Certificate.
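
The CSR text saved in step 7 and the certificate text pasted in steps 10 and 11 can be checked before they go into a vendor form or the console. The following is an added example, not part of the original Oracle documentation: a Python check of the PEM header and footer lines, the base64 body and the outer DER length. The function names and the tiny sample are constructed for illustration.

```python
import base64
import binascii
import re

# Labels the page mentions: the console's CSR armor and the certificate armor.
# "CERTIFICATE REQUEST" is the RFC 7468 spelling of the CSR label.
KNOWN_LABELS = {"NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST", "CERTIFICATE"}
ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# Constructed sample: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----"

def check_pem(text, expected_label):
    """Return a list of problems found in pasted PEM text (empty list = OK)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return ["too short: need header, base64 body and footer"]
    head, foot = ARMOR.match(lines[0]), ARMOR.match(lines[-1])
    if not (head and foot and head.group(1) == "BEGIN" and foot.group(1) == "END"):
        return ["header or footer malformed (five hyphens needed on each side)"]
    problems = []
    if head.group(2) != foot.group(2):
        problems.append("header and footer labels differ")
    if head.group(2) not in KNOWN_LABELS:
        problems.append("unexpected label: " + head.group(2))
    elif head.group(2).replace("NEW ", "") != expected_label.replace("NEW ", ""):
        problems.append("wrong kind of object: got " + head.group(2))
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64 (truncated or altered paste)"]
    return problems + check_der_length(der)

def check_der_length(der):
    """Check the outer DER SEQUENCE header declares exactly the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded body does not start with a DER SEQUENCE"]
    if der[1] < 0x80:                       # short form: length in one byte
        header, declared = 2, der[1]
    else:                                   # long form: next n bytes hold length
        n = der[1] & 0x7F
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + declared != len(der):
        return ["DER length mismatch: declared %d, found %d"
                % (declared, len(der) - header)]
    return []

if __name__ == "__main__":
    print(check_pem(SAMPLE, "CERTIFICATE"))
```

Pass "CERTIFICATE REQUEST" as the expected label for the saved CSR and "CERTIFICATE" for the file received from the CA; a length mismatch usually means lines were lost when copying.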

For more information about managing load balancer certificates, see:

Associating the SSL Certificate With the Load Balancer

After installing a CA-issued or self-signed SSL certificate to the load balancer, you must associate it with the HTTPS listeners in the load balancer’s configuration. After the association is made, the load balancer will present the SSL certificate while processing any new HTTPS requests.

  1. Navigate to the Services page of the Oracle Java Cloud Service console.
  2. Click the menu icon for the desired service instance and select Open Load Balancer Console.
  3. Log in to the console using the credentials defined when provisioning your service instance.

    If you created your service instance using the Oracle Java Cloud Service console, the user name and password default to the Oracle WebLogic Server Administration Console user name and password.

  4. Access the load balancer configuration (for example, opc-config):
    • If your service instance is running Oracle Traffic Director 12c, click the Target Navigation icon. Expand the Traffic Director folder and click the name of the Traffic Director configuration.
    • If your service instance is running Oracle Traffic Director 11g, click Configurations and then click the name of the Traffic Director configuration.
  5. Navigate to the Listeners in this configuration:
    • If your service instance is running Oracle Traffic Director 12c, click Traffic Director Configuration and select Administration > Listeners.

    • If your service instance is running Oracle Traffic Director 11g, click Listeners in the navigation pane.

  6. Click https-listener-1.
  7. In the SSL/TLS Settings section, select your new certificate in the RSA Certificate field.
  8. Activate your changes:
    • If your service instance is running Oracle Traffic Director 12c, click OK.

    • If your service instance is running Oracle Traffic Director 11g, click Deploy Changes.

  9. Repeat from step 3 to update the certificate of any additional HTTPS listeners in this configuration.

    Alternatively, you can configure SSL/TLS Settings for an entire Virtual Server in the load balancer configuration.

After modifying a listener’s certificate you must also restart the load balancer node(s) in your service instance for the change to take effect. See Stopping, Starting, and Restarting Managed Server and Load Balancer VMs.

For more information about the SSL settings of the load balancer, see: