Administration Console Online Help


Configure keystores

Before you begin

  • Obtain private keys and digital certificates from a reputable certificate authority such as Verisign, Inc. or Entrust.net.
  • Create identity and trust keystores.
  • Load the private keys and trusted CAs into the keystores.
  • If you Enable automatic realm restart in the default security realm, you do not need to restart WebLogic Server after configuring keystores as described in this topic.

For a complete description of these steps, see Configuring Keystores.

By default, WebLogic Server is configured with two keystores, to be used for development only.

The demo identity keystore, DemoIdentity.jks, is located in domain_name\security. Demo trust is provided by the trust keystore in the WL_HOME\server\lib directory together with the JDK trust keystore in the JAVA_HOME\jre\lib\security directory. For testing and development purposes, this keystore configuration is complete. Use the steps in this section to configure identity and trust keystores for production use.

As described in Managing Keys and Certificates with the Keystore Service, the OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. You use the OPSS Keystore Service to create and maintain keystores of type KSS. If the Oracle Java Required Files (JRF) template is installed on the WebLogic Server system, you have the option to use KSS keystores. The KSS keystore is available only with the JRF template and is not available with the default WebLogic Server configuration.

To configure the identity and trust keystores:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to configure the identity and trust keystores.
  4. Select Configuration > Keystores.
  5. In the Keystores field, select the method for storing and managing private key/digital certificate pairs and trusted CA certificates. These options are available:
    1. Demo Identity and Demo Trust: The demonstration identity and trust keystores, located in the domain_name\security and MIDDLEWARE_HOME\server\lib directories respectively, and the JDK cacerts keystore, are configured by default. Use for development only. To use a KSS keystore for demo identity and trust, you must first set the Use KSS For Demo field on the Domain > Security > Advanced page. This field determines whether the Demo Identity and Demo Trust keystores are obtained from the Oracle Key Store Service (KSS).
    2. Custom Identity and Java Standard Trust: A keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.
    3. Custom Identity and Custom Trust: Identity and trust keystores you create.
    4. Custom Identity and Command Line Trust: An identity keystore you create and command-line arguments that specify the location of the trust keystore.
  6. In the Identity section, define attributes for the identity keystore.
    1. Custom Identity Keystore: The fully qualified path to the identity keystore. For an Oracle Key Store Service (KSS) keystore, the source is the KSS URI. The keystore URI must be of the form: kss://system/keystorename where keystorename is the name of the keystore registered in KSS.
    2. Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS. If using the Oracle Key Store Service, enter KSS.
    3. Custom Identity Keystore Passphrase: The password used when reading from or writing to the keystore. Whether this attribute is optional or required depends on the type of keystore. All keystores require the passphrase in order to write to the keystore, but some keystores do not require it to read from the keystore. WebLogic Server only reads from the keystore, so whether you need to define this property depends on the requirements of the keystore.

      Note: The passphrase for the Demo Identity keystore is DemoIdentityKeyStorePassPhrase.

  7. In the Trust section, define properties for the trust keystore.

    If you chose Java Standard Trust as your keystore, specify the password defined when creating the keystore. Confirm the password.

    If you chose Custom Trust, define the following attributes:

    1. Custom Trust Keystore: The fully qualified path to the trust keystore. For an Oracle Key Store Service (KSS) keystore, the source is the KSS URI. The keystore URI must be of the form: kss://system/keystorename where keystorename is the name of the keystore registered in KSS.
    2. Custom Trust Keystore Type: The type of the keystore. Generally, this attribute is JKS; if left blank, it defaults to JKS. If using the Oracle Key Store Service, enter KSS.
    3. Custom Trust Keystore Passphrase: The password used when reading from or writing to the keystore. Whether this attribute is optional or required depends on the type of keystore. All keystores require the passphrase in order to write to the keystore, but some keystores do not require it to read from the keystore. WebLogic Server only reads from the keystore, so whether you need to define this property depends on the requirements of the keystore.
  8. Click Save.
  9. In the Change Center, click Activate Changes.
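Steps 6 and 7 state that WebLogic Server only reads from the keystore and that some keystore types do not require a passphrase to read. For the JKS type that is the default here, the reason is visible in the file format: the entry list is stored in the clear (the private key material itself is encrypted separately), and the passphrase only keys a trailing SHA-1 integrity digest. The following Python example is added here and is not part of the WebLogic documentation. It builds two small JKS files in memory (constructed samples whose certificate payloads are placeholder bytes, not real X.509 certificates), lists their entries without any passphrase, classifies each file as an identity or trust keystore by whether it holds a PrivateKeyEntry, and then verifies the integrity digest with the correct passphrase and with a wrong one.

```python
"""Inspect a JKS keystore without its passphrase, then check integrity with it.

Added example, not WebLogic code. Implements the Java KeyStore (JKS) on-disk
format directly so it runs offline; the sample keystores are constructed below
and their certificate payloads are placeholder bytes, not real certificates.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1   # PrivateKeyEntry: what an identity keystore must contain
TAG_TRUSTED_CERT = 2  # trustedCertEntry: what a trust keystore contains
# Fixed salt that Java's JKS implementation mixes into the integrity digest.
INTEGRITY_SALT = b"Mighty Aphrodite"


def _utf(s: str) -> bytes:
    """DataOutputStream.writeUTF for ASCII strings: 2-byte big-endian length + bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def integrity_digest(body: bytes, passphrase: str) -> bytes:
    """SHA-1 over UTF-16BE(passphrase) || salt || keystore body, as Java computes it."""
    h = hashlib.sha1()
    h.update(passphrase.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def build_jks(entries, passphrase: str) -> bytes:
    """Serialize a version-2 JKS. entries: (alias, kind, payload) where kind is
    'key' (protected key blob plus a one-certificate chain) or 'cert'."""
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, kind, payload in entries:
        tag = TAG_PRIVATE_KEY if kind == "key" else TAG_TRUSTED_CERT
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # creation time
        if kind == "key":
            out += struct.pack(">I", len(payload)) + payload  # encrypted private key blob
            out += struct.pack(">I", 1)                       # certificate chain length
        out += _utf("X.509") + struct.pack(">I", len(payload)) + payload  # certificate
    return out + integrity_digest(out, passphrase)


class _Reader:
    """Minimal big-endian cursor over the keystore bytes."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def utf(self) -> str:
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

    def blob(self) -> bytes:
        return self.take(self.u32())


def parse_jks(data: bytes, passphrase=None) -> dict:
    """Walk a JKS file. Listing entries needs no passphrase; the passphrase is only
    used to recompute the trailing SHA-1 digest (None when not supplied)."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    if r.u32() != JKS_VERSION:
        raise ValueError("only JKS version 2 is handled here")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)  # creation timestamp, unused
        if tag == TAG_PRIVATE_KEY:
            r.blob()  # encrypted private key, opaque without the key password
            chain = [(r.utf(), r.blob()) for _ in range(r.u32())]
            entries.append({"alias": alias, "kind": "PrivateKeyEntry", "chain_len": len(chain)})
        elif tag == TAG_TRUSTED_CERT:
            r.utf(), r.blob()
            entries.append({"alias": alias, "kind": "trustedCertEntry"})
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body, stored = data[:r.pos], r.take(20)
    ok = None if passphrase is None else integrity_digest(body, passphrase) == stored
    return {"entries": entries, "integrity_ok": ok}


def keystore_role(parsed: dict) -> str:
    """'identity' if any entry carries a private key, otherwise 'trust'."""
    return "identity" if any(e["kind"] == "PrivateKeyEntry" for e in parsed["entries"]) else "trust"


# Constructed samples; the \x30... bytes stand in for DER-encoded certificates.
IDENTITY_PASSPHRASE = "identity-passphrase-example"
TRUST_PASSPHRASE = "trust-passphrase-example"
SAMPLE_IDENTITY_JKS = build_jks([("server", "key", b"\x30\x03\x02\x01\x00")], IDENTITY_PASSPHRASE)
SAMPLE_TRUST_JKS = build_jks(
    [("rootca", "cert", b"\x30\x03\x02\x01\x01"), ("intermediate", "cert", b"\x30\x03\x02\x01\x02")],
    TRUST_PASSPHRASE,
)

if __name__ == "__main__":
    for name, data, pw in (("identity", SAMPLE_IDENTITY_JKS, IDENTITY_PASSPHRASE),
                           ("trust", SAMPLE_TRUST_JKS, TRUST_PASSPHRASE)):
        listing = parse_jks(data)  # no passphrase: aliases and entry kinds are still readable
        print(name, keystore_role(listing), [e["alias"] for e in listing["entries"]],
              "integrity with passphrase:", parse_jks(data, pw)["integrity_ok"],
              "with wrong passphrase:", parse_jks(data, "wrong-passphrase")["integrity_ok"])
```

Run against a real file, the same parser shows why the console field is optional for JKS: WebLogic can enumerate and load trusted certificates without the passphrase, and supplying it buys the integrity check, which detects a modified or replaced keystore file rather than protecting the certificates from being read.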

After you finish

All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Existing connections continue to run with the old configuration. If you do not Enable automatic realm restart, you must restart WebLogic Server to ensure that all SSL connections use the specified configuration.

When the keystore files change and the new contents must apply to subsequent connections without rebooting WebLogic Server, use the Restart SSL button on the Control: Start/Stop page to restart the SSL server. See Restart SSL.
