2 Choose the Identity and Trust Stores

This topic provides the information for choosing the identity and trust stores.

Oracle Financial Services Software recommends that the choice of Identity and Trust stores be made up front. Oracle WebLogic server supports the following combinations of Identity and Trust stores:
  • Custom Identity and Command Line Trust
  • Custom Identity and Custom Trust
  • Custom Identity and Java Standard Trust
  • Demo Identity and Demo Trust

Oracle Financial Services does not recommend choosing Demo Identity and Demo Trust for production environments.

It is recommended to separate the identity and trust stores, since each WebLogic server tends to have its own identity but may share the same set of trusted CA certificates. Trust stores are usually copied across Oracle WebLogic servers to standardize trust rules; copying trust stores is acceptable since they contain only public keys and CA certificates. Unlike trust stores, identity stores contain the private keys of the Oracle WebLogic server, and hence should be protected against unauthorized access.

Command Line Trust, if chosen, requires the trust store to be specified as a command-line argument in the WebLogic Server startup script. No additional configuration of the trust store is required in the WebLogic Server Administration Console.

Java Standard Trust relies on the cacerts file provided by the Java Runtime. This file contains the trusted CA certificates that ship with the Java Runtime, and is located in the ‘JAVA_HOME/jre/lib/security’ directory. It is highly recommended to change the default password of the Java Standard Trust store, and the default access permissions of the file. Certificates of most commercial CAs are already present in the Java Standard Trust store; therefore, it is recommended to use the Java Standard Trust store whenever possible. The rest of the document assumes the use of Java Standard Trust, since most CA certificates are already present in it.
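The following shell script is an added example and is not part of the Oracle document. It audits the Java Standard Trust store for the two defaults the text says to change (the JDK's default store password, which is "changeit", and the file's access permissions), hardens them, and also shows the startup-script fragment that Command Line Trust would use instead of console configuration. The function names, the JRE 8 directory layout under JAVA_HOME, and the -Dweblogic.security.SSL.trustedCAKeyStore system property (taken from the WebLogic Server documentation, not from this page) are assumptions.

```shell
#!/bin/sh
# Added example: audit and harden the Java Standard Trust store (cacerts).
# Assumptions: JAVA_HOME points at a JRE 8 layout (jre/lib/security/cacerts);
# keytool is on PATH for the password checks; the WebLogic system property
# -Dweblogic.security.SSL.trustedCAKeyStore is the documented way to pass a
# trust store on the command line (Command Line Trust).

# Location of the Java Standard Trust store, as given in the text.
cacerts_path() {
    printf '%s/jre/lib/security/cacerts\n' "${JAVA_HOME:?JAVA_HOME is not set}"
}

# Octal mode of a file: GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when "other" has no access at all and the group has no write bit,
# i.e. 0640 or stricter. A world-readable cacerts is not a secret leak (it
# holds public CA certificates) but a group/world-writable one lets anyone
# add a rogue CA that the server would then trust.
trust_store_perms_ok() {
    mode=$(file_mode "$1") || return 1
    mode=${mode#"${mode%???}"}      # keep the last three octal digits
    group=${mode#?}; group=${group%?}
    other=${mode#??}
    [ "$other" -eq 0 ] && [ $(( group & 2 )) -eq 0 ]
}

# Returns 0 when the store still opens with the JDK default password
# "changeit", which the text says must be changed. Needs keytool on PATH.
uses_default_password() {
    keytool -list -keystore "$1" -storepass changeit >/dev/null 2>&1
}

# Change the store password away from the default and tighten the file mode.
# Run as the owner of cacerts; the new password is read from the caller.
harden_trust_store() {
    store=$1; newpass=$2
    keytool -storepasswd -keystore "$store" -storepass changeit -new "$newpass" || return 1
    chmod 640 "$store"
}

# For Command Line Trust the store is not configured in the Administration
# Console but passed on the server command line; this is the JAVA_OPTIONS
# fragment a startup script such as startWebLogic.sh would carry.
command_line_trust_opts() {
    printf '%s\n' "-Dweblogic.security.SSL.trustedCAKeyStore=$1"
}

# Audit the store at JAVA_HOME and report the two findings the text names.
# Returns the number of findings so it can drive a pre-deployment check.
audit_trust_store() {
    store=$(cacerts_path) || return 1
    findings=0
    if ! trust_store_perms_ok "$store"; then
        echo "FINDING: $store mode $(file_mode "$store") is too permissive"
        findings=$((findings + 1))
    fi
    if command -v keytool >/dev/null 2>&1 && uses_default_password "$store"; then
        echo "FINDING: $store still uses the JDK default password"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: ./audit_trust_store.sh --audit   (only runs when invoked that way)
if [ "${1:-}" = "--audit" ]; then
    audit_trust_store
fi
```

The audit deliberately only reports; harden_trust_store is a separate step so that the password change and the chmod are done by the account that owns the JRE, and any server using Command Line Trust instead gets the same hardened file through the JAVA_OPTIONS fragment above.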

One can also create custom trust stores containing the certificates of trusted CAs. For further details on identity and trust stores, refer to the Oracle WebLogic Server documentation on Securing Oracle WebLogic Server.