D Configuring a Self-Signed Digital Certificate for HTTPS
This appendix explains how to create a custom SSL encryption certificate for the AcslsDomain in your WebLogic server. This procedure is required if you intend to create a self-signed digital certificate for use with browsers that do not accept the demo certificate provided by default with the ACSLS GUI.
Internet Explorer 8 (and above) and Firefox Version 39 (and above) require this WebLogic setup procedure for use with HTTPS servers that do not employ certificates verified by a third-party digital signing authority.
1. Generate a keystore database of cryptographic keys.
   a. As root user, source the basic acsls environment variables.
        . /var/tmp/acsls/.acsls_env
   b. Define keyStore parameters:
        keyPath=$installDir/Oracle/Middleware/wlserver_10.3/server/lib
        identStore=acslsIdent.jks
        trustStore=acslsTrust.jks
        keyPass=<password>
        storPass=<password>
   c. Generate the public/private encryption key pair and digital certificate. Place them in the keyStore.
        keytool -genkeypair -alias selfsigned -keyalg RSA -keysize 2048 \
          -validity 365 -keypass $keyPass -storepass $storPass \
          -keystore $keyPath/$identStore
      This produces a certificate valid for 365 days with an encryption key that is 2048 bits in length. The keytool prompts you with the following questions. The answers you give are written to a certificate that can be displayed on a remote browser any time the ACSLS GUI user is asked to confirm the authenticity of the HTTPS connection.
        What is your first and last name?
          [Unknown]: ACSLS Library Server
        What is the name of your organizational unit?
          [Unknown]: Tape Library Services
        What is the name of your organization?
          [Unknown]: Our Organization
        What is the name of your City or Locality?
          [Unknown]: Our Town
        What is the name of your State or Province?
          [Unknown]: Our Province?
        What is the two-letter country code for this unit?
          [Unknown]: XY
      When prompted for a password, press Return to use the value for $identPass that you set in step 1b. The tool summarizes the parameters you submitted and asks you to confirm (yes/no) that the parameters are correct.
   d. Export the ident certificate and import it to the trust certificate.
        keytool -exportcert -alias selfsigned -file $keyPath/root.cer \
          -keystore $keyPath/$identStore -storepass $storPass
        keytool -importcert -alias selfsigned -file $keyPath/root.cer \
          -keystore $keyPath/$trustStore -storepass $storPass
      Answer yes to the prompt to confirm.
   e. Copy the files, $keyPath/acslsIdent.jks and $keyPath/acslsTrust.jks, to the $SSLM_HOME/AcslsDomain/ directory.
2. Configure WebLogic to use the newly generated keyStore.
   a. Log on to the WebLogic console as acsls_admin using the acsls_admin password.
        http://<acsls_server>:7001/console
   b. In the top-left corner of the console main page, click Lock & Edit.
   c. Just below the Lock & Edit button, you see 'Domain Structure'. Select Environment under AcslsDomain.
   d. From the Summary of Environment frame, click Servers.
   e. From the Summary of Servers frame, select the Configuration tab and click AdminServer(admin) from the Servers table.
   f. From the Settings for AdminServer frame, select the Keystores tab.
   g. Under the Keystores tab, click Change and select Custom Identity and Custom Trust. Click Save.
   h. In the Custom Identity Keystore text box, enter the path to the acslsIdent.jks file using the $keyPath/$identStore values that you defined in step 1b above. In the Custom Identity Keystore Type box, enter jks.
   i. In the Custom Identity Keystore Passphrase text box, enter the password that you defined as $storPass in step 1b above. Confirm the Custom Identity Keystore Passphrase in the next text box.
   j. In the Custom Trust Keystore text box, enter the full path to the acslsTrust.jks file using the $keyPath/$trustStore values that you defined in step 1b. In the Custom Trust Keystore Type text box, enter jks.
   k. In the Custom Trust Keystore Passphrase text box, enter the password you defined for $storPass in step 1b. Enter confirmation of that password in the remaining text box.
   l. Click Save. Observe the verification message at the top of the page.
   m. Select the SSL tab in the Settings for Administrator frame.
   n. In Identity and Trust Locations, ensure that Keystores is selected. If necessary, click Change to correct the setting.
   o. In the Private Key Alias text box, enter selfsigned.
   p. In the Private Key Passphrase text box, enter the same password you defined as $keyPass in step 1b above. Confirm it using the same password in the remaining text box.
   q. Click Save. Look for the green verification message at the top of the page.
   r. Click the Advanced field under the SSL tab. Set Hostname Verification to none. Select the check box for Use JSSE SSL.
   s. Click Save. Look for the green verification message at the top of the page.
   t. Click Activate Changes in the top-left corner of the page. Observe the verification message at the top of the page.
   u. Restart the weblogic service.
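A check that can be run after step 1, before WebLogic is pointed at the new keystores: it confirms that the identity store holds a private key under the selfsigned alias and that the trust store holds the same certificate. This is an added example, not part of the Oracle procedure; the function names are hypothetical, the sample listings are constructed, and the parser assumes the default English `keytool -list` output layout.

```shell
#!/bin/sh
# Added example, not Oracle's code: compare `keytool -list` text for both stores.

# entry_info ALIAS: reads a listing on stdin, prints "<entry type> <fingerprint>".
entry_info() {
    awk -v a="$1" '
        # Entry line, e.g.: selfsigned, Mar 4, 2025, PrivateKeyEntry,
        index($0, a ",") == 1 {
            n = split($0, f, /, */)
            kind = (f[n] == "") ? f[n - 1] : f[n]
            hit = 1
            next
        }
        # The fingerprint line follows its entry line.
        hit && /^Certificate fingerprint/ { print kind, $NF; exit }
    '
}

# stores_match IDENT_LISTING TRUST_LISTING [ALIAS]
# Succeeds only if the identity store has a private key for ALIAS and the
# trust store has the same certificate (equal fingerprints).
stores_match() {
    alias_name=${3:-selfsigned}
    ident=$(printf '%s\n' "$1" | entry_info "$alias_name")
    trust=$(printf '%s\n' "$2" | entry_info "$alias_name")
    [ -n "$ident" ] && [ -n "$trust" ] || { echo "alias missing"; return 1; }
    [ "${ident%% *}" = "PrivateKeyEntry" ] || { echo "identity store has no private key"; return 1; }
    [ "${trust%% *}" = "trustedCertEntry" ] || { echo "trust entry is not a trusted certificate"; return 1; }
    [ "${ident#* }" = "${trust#* }" ] || { echo "fingerprint mismatch"; return 1; }
    echo "ok ${ident#* }"
}

# Constructed sample listings (made-up, shortened fingerprints).
SAMPLE_IDENT='Keystore type: JKS

Your keystore contains 1 entry

selfsigned, Mar 4, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 3A:9F:00:11'
SAMPLE_TRUST='selfsigned, Mar 4, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 3A:9F:00:11'

# Real use, assuming the step 1b variables are still set in the shell:
#   stores_match "$(keytool -list -keystore $keyPath/$identStore -storepass $storPass)" \
#                "$(keytool -list -keystore $keyPath/$trustStore -storepass $storPass)"
stores_match "$SAMPLE_IDENT" "$SAMPLE_TRUST"
```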