6.6 Using a Custom CA Certificate for SSL Encryption

By default, Oracle Private Cloud Appliance and Oracle VM Manager use a self-signed SSL certificate for authentication. While it serves to provide SSL encryption for all HTTP traffic, it is recommended that you obtain and install your own custom trusted certificate from a well-known and recognized Certificate Authority (CA).

Both the Oracle Private Cloud Appliance Dashboard and the Oracle VM Manager web interface run on Oracle WebLogic Server. The functionality to update the digital certificate and keystore is provided by the Oracle VM Key Tool in conjunction with the Java Keytool in the JDK. The tools are installed on the Oracle Private Cloud Appliance management nodes.

6.6.1 Creating a Keystore

If you do not already have a third-party CA certificate, you can create a new keystore. The keystore you create contains one entry for a private key. After you create the keystore, you generate a certificate signing request (CSR) for that private key and submit the CSR to a third-party CA. The CA then signs the CSR and returns a signed SSL certificate and a copy of the CA certificate, which you then import into your keystore.

Creating a Keystore with a Custom CA Certificate

  1. Using SSH and an account with superuser privileges, log into the management node.

    Note

    The data center IP address used in this procedure is an example.

    # ssh root@10.100.1.101
    root@10.100.1.101's password:
    [root@ovcamn05r1 ~]#
  2. Go to the security directory of the Oracle VM Manager WebLogic domain.

    # cd /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security
  3. Create a new keystore. Transfer ownership to user oracle in the user group dba.

    # /u01/app/oracle/java/bin/keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 \
    -keypass Welcome1 -storetype jks -keystore mykeystore.jks -storepass Welcome1
    # chown oracle.dba mykeystore.jks
  4. Generate a certificate signing request (CSR). Transfer ownership to user oracle in the user group dba.

    # /u01/app/oracle/java/bin/keytool -certreq -alias ca -file pcakey.csr \
    -keypass Welcome1 -storetype jks -keystore mykeystore.jks -storepass Welcome1
    # chown oracle.dba pcakey.csr
  5. Submit the CSR file to the relevant third-party CA for signing.

  6. For the signed files returned by the CA, transfer ownership to user oracle in the user group dba.

    # chown oracle.dba ca_cert_file
    # chown oracle.dba ssl_cert_file
  7. Import the signed CA certificate into the keystore.

    # /u01/app/oracle/java/bin/keytool -importcert -trustcacerts -noprompt -alias ca \
    -file ca_cert_file -storetype jks -keystore mykeystore.jks -storepass Welcome1
  8. Import the signed SSL certificate into the keystore.

    # /u01/app/oracle/java/bin/keytool -importcert -trustcacerts -noprompt -alias ca \
    -file ssl_cert_file -keypass Welcome1 -storetype jks -keystore mykeystore.jks \
    -storepass Welcome1
  9. Use the setsslkey command to configure the system to use the new keystore.

    # /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setsslkey
    Path for SSL keystore: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/mykeystore.jks
    Keystore password: 
    Alias of key to use as SSL key: ca
    Key password: 
    Updating keystore information in WebLogic
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
    Oracle WebLogic Server name: [AdminServer] 
    WebLogic username: [weblogic] 
    WebLogic password: [********] 
    WLST session logged at: /tmp/wlst-session5820685079094897641.log
  10. Configure the client certificate login.

    # /u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh \
    /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/pcakey.crt
  11. Test the new SSL configuration by logging into the Oracle Private Cloud Appliance Dashboard. From there, proceed to Oracle VM Manager with the button "Login to OVM Manager". The browser now indicates that your connection is secure.

6.6.2 Importing a Keystore

If you already have a CA certificate and SSL certificate, use the SSL certificate to create a keystore. You can then import that keystore into Oracle PCA and configure it as the SSL keystore.

Importing a Keystore with an Existing CA and SSL Certificate

  1. Using SSH and an account with superuser privileges, log into the management node.

    Note

    The data center IP address used in this procedure is an example.

    # ssh root@10.100.1.101
    root@10.100.1.101's password:
    [root@ovcamn05r1 ~]#
  2. Import the keystore.

    # /u01/app/oracle/java/bin/keytool -importkeystore -noprompt \
    -srckeystore existing_keystore.jks -srcstoretype source_format -srcstorepass Welcome1 \
    -destkeystore mykeystore.jks -deststoretype jks -deststorepass Welcome1
  3. Use the setsslkey command to configure the system to use the new keystore.

    # /u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setsslkey
    Path for SSL keystore: /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/mykeystore.jks
    Keystore password: 
    Alias of key to use as SSL key: ca
    Key password: 
    Updating keystore information in WebLogic
    Oracle MiddleWare Home (MW_HOME): [/u01/app/oracle/Middleware] 
    WebLogic domain directory: [/u01/app/oracle/ovm-manager-3/domains/ovm_domain] 
    Oracle WebLogic Server name: [AdminServer] 
    WebLogic username: [weblogic] 
    WebLogic password: [********] 
    WLST session logged at: /tmp/wlst-session5820685079094897641.log
  4. Test the new SSL configuration by logging into the Oracle Private Cloud Appliance Dashboard. From there, proceed to Oracle VM Manager with the button "Login to OVM Manager". The browser now indicates that your connection is secure.
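Before running setsslkey in either procedure (after step 8 of Section 6.6.1, or after step 2 of Section 6.6.2), it is worth confirming that the alias WebLogic will be pointed at really holds a private key with the CA-signed chain, not the self-signed key pair from step 3 or a signed leaf without its CA. The helper below is an added example and is not part of the Oracle procedure or the ovmkeytool.sh tooling; the keytool and keystore paths come from the steps above, the STOREPASS environment variable and the hostnames in the sample listings are assumptions, and the sample listings are constructed.

```shell
#!/bin/sh
# Added verification helper (not Oracle's): checks the keystore entry that
# setsslkey will hand to WebLogic. Paths are those used in the procedure.
KEYTOOL=/u01/app/oracle/java/bin/keytool
KEYSTORE=/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/mykeystore.jks
ALIAS=ca

# check_listing reads 'keytool -list -v' output for one alias on stdin and prints
# ok, self-signed, incomplete-chain or not-private-key (exit status 1 unless ok).
check_listing() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' \
        || { echo not-private-key; return 1; }
    len=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: *//p' | head -n 1)
    owner=$(printf '%s\n' "$listing" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$listing" | sed -n 's/^Issuer: //p' | head -n 1)
    if [ "${len:-1}" -ge 2 ]; then
        echo ok                           # leaf plus CA certificate(s), as step 8 should leave it
    elif [ "$owner" = "$issuer" ]; then
        echo self-signed; return 1        # still the step 3 key pair; the CA reply was not applied
    else
        echo incomplete-chain; return 1   # signed leaf only; clients cannot build a path to the CA
    fi
}

# check_keystore runs keytool against the real keystore. The store password is
# read from the STOREPASS environment variable (assumed name) rather than being
# placed in argv, so it stays out of shell history and process listings.
# A missing alias makes keytool fail, which is reported as not-private-key.
check_keystore() {
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storetype jks -alias "$ALIAS" \
        -storepass:env STOREPASS 2>/dev/null | check_listing
}

# Constructed sample: the alias right after step 3 (self-signed, chain length 1).
SAMPLE_SELF_SIGNED='Alias name: ca
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ovcamn05r1.example.com, O=Example
Issuer: CN=ovcamn05r1.example.com, O=Example'

# Constructed sample: the alias after the CA reply was imported in step 8.
SAMPLE_SIGNED='Alias name: ca
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ovcamn05r1.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example'
```

On the management node, run `STOREPASS=... check_keystore` as user oracle and proceed to setsslkey only when it prints ok.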