Create Keystores and Certificates for WebLogic Server

Use keytool to create your own public/private key pairs and self-signed certificates. Optionally, create a Certificate Signing Request (CSR) for each generated certificate and submit it to a CA to obtain a trusted certificate.

  1. Connect to the Administration Server node in your service instance with a secure shell (SSH) client, and then switch to the oracle user.
    sudo su - oracle
  2. Create a directory /u01/data/keystores to hold the keystore files.
    cd /u01/data
    mkdir keystores
    cd keystores

    Caution:

    Do not place your keystore and certificate files in the Middleware Home (MIDDLEWARE_HOME) or Java Home (JAVA_HOME) directories. Any modifications you make to these locations might be lost when you apply a patch.

    Caution:

    Do not place your keystore and certificate files in the Domain Home (DOMAIN_HOME) or /u01/data/domains directories because they are included in backups. A restore operation might include an expired certificate and result in errors during a server restart.
  3. Use the keytool command to create a new identity keystore file, and to add a self-signed certificate with the alias server_cert to that keystore.
    keytool -genkeypair -alias alias -keyalg keyalg -sigalg sigalg -keysize size -dname dn -keystore keystore_file

    For example:

    keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore identity.jks

    Note that the common name (CN) in the X.500 Distinguished Name, which consists of the WebLogic Server host and DNS domain name, is example.com.

  4. When prompted, enter a password for the keystore.
  5. When prompted, enter a password for the private key, server_cert, or press Enter to use the same password as the keystore.
  6. If you are using a self-signed certificate to configure SSL, then create a custom trust keystore file.
    1. Use keytool to export the self-signed certificate, server_cert, from the identity store to a file named server_cert.cer.
      keytool -exportcert -alias server_cert -file server_cert.cer -keystore keystore_file

      When prompted, enter the password for the keystore.

    2. Use keytool to create a trust keystore file, and to import server_cert.cer into this new keystore. Use the same alias, server_cert.
      keytool -importcert -alias server_cert -file server_cert.cer -keystore trust_keystore_file

      For example:

      keytool -importcert -alias server_cert -file server_cert.cer -keystore trust.jks
    3. When prompted, enter a password for the new keystore.
    4. When prompted to trust this certificate, enter yes.
  7. If you are using a CA-issued certificate to configure SSL, then create a CSR file from the identity keystore.
    1. Use keytool to create a CSR file for the server_cert private key.
      keytool -certreq -alias alias -file certreq_file -keystore keystore

      For example:

      keytool -certreq -alias server_cert -file server_cert.csr -keystore identity.jks
    2. When prompted, enter the password for the keystore and the private key.
    3. Submit the CSR to a Certificate Authority of your choice to obtain a trusted certificate.
    4. Import the CA-issued certificate into the identity keystore.
  8. Copy the keystore files to all the other nodes in your service instance.

    For example:

    ssh myinstance-wls-2
    mkdir /u01/data/keystores
    scp myinstance-wls-1:/u01/data/keystores/identity.jks /u01/data/keystores
    scp myinstance-wls-1:/u01/data/keystores/trust.jks /u01/data/keystores
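The following script is an added example, not Oracle's own code, for checking the result of the procedure on a node: that neither keystore sits in one of the directories the cautions warn about, and that trust.jks really holds the self-signed certificate that identity.jks presents. It assumes keytool is on the PATH and that the environment variables MIDDLEWARE_HOME, JAVA_HOME and DOMAIN_HOME (hypothetical names) point at the installation directories; the example paths and passwords passed on the command line are yours to supply.

```shell
#!/bin/bash
# Added example, not Oracle's own script: checks to run after the procedure
# above. Assumes keytool is on PATH, and that MIDDLEWARE_HOME, JAVA_HOME and
# DOMAIN_HOME hold the directories the cautions refer to (unset ones are skipped).
# keystore_location_ok ABS_PATH DIR... : succeed only if ABS_PATH lies outside
# every DIR, i.e. outside the patched and backed-up locations.
keystore_location_ok() {
    ks="$1"; shift
    for dir in "$@"; do
        [ -n "$dir" ] || continue          # unset *_HOME: nothing to check
        dir="${dir%/}"                     # tolerate a trailing slash
        case "$ks" in
            "$dir"|"$dir"/*) return 1 ;;
        esac
    done
    return 0
}
# Pull the SHA-256 fingerprint (32 colon-separated hex pairs) out of keytool
# -list output; the pattern is the same with or without -v.
extract_sha256_fp() {
    grep -Eo '([0-9A-F]{2}:){31}[0-9A-F]{2}' | head -n 1
}
# cert_fingerprint KEYSTORE ALIAS STOREPASS : fingerprint of the entry's own cert
cert_fingerprint() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | extract_sha256_fp
}
# trust_matches_identity IDENTITY_JKS TRUST_JKS ALIAS ID_PASS TRUST_PASS :
# succeed only when the trust keystore holds exactly the self-signed
# certificate the identity keystore presents (the step 6 export/import worked).
trust_matches_identity() {
    id_fp=$(cert_fingerprint "$1" "$3" "$4")
    tr_fp=$(cert_fingerprint "$2" "$3" "$5")
    [ -n "$id_fp" ] && [ "$id_fp" = "$tr_fp" ]
}
# verify_keystores IDENTITY_JKS TRUST_JKS ALIAS ID_PASS TRUST_PASS
verify_keystores() {
    for ks in "$1" "$2"; do
        keystore_location_ok "$ks" "${MIDDLEWARE_HOME:-}" "${JAVA_HOME:-}" \
            "${DOMAIN_HOME:-}" /u01/data/domains \
            || { echo "FAIL: $ks is in a patched or backed-up directory" >&2; return 1; }
    done
    trust_matches_identity "$@" \
        || { echo "FAIL: $2 does not hold the certificate in $1" >&2; return 1; }
    echo "OK: keystore locations and identity/trust certificate agree"
}
# Run the checks only when all five arguments are supplied, e.g.
# ./check_keystores.sh /u01/data/keystores/identity.jks /u01/data/keystores/trust.jks server_cert ID_PASS TRUST_PASS
if [ $# -eq 5 ]; then verify_keystores "$@"; fi
```

Run it on every node the keystores were copied to, since a restored or hand-copied file can differ from the one on the Administration Server node.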