Before you begin
For a complete description of these steps, see Configuring Keystores.
By default, WebLogic Server is configured with two keystores, to be used for development only.
DemoIdentity.jks: Contains a demonstration private key for WebLogic Server. This keystore establishes an identity for WebLogic Server. This file is created when you create a domain.
DemoTrust.jks: Contains a list of certificate authorities trusted by WebLogic Server. This keystore establishes trust for WebLogic Server.
DemoIdentity.jks is located in domain_name\security. The trust keystore is located in the WL_HOME\server\lib directory and the JAVA_HOME\jre\lib\security directory. For testing and development purposes, the keystore configuration is complete. Use the steps in this section to configure identity and trust keystores for production use.
As described in Managing Keys and Certificates with the Keystore Service, the OPSS Keystore Service provides an alternate mechanism to manage keys and certificates for message security. You use the OPSS Keystore Service to create and maintain keystores of type KSS. If the Oracle Java Required Files (JRF) template is installed on the WebLogic Server system, you have the option to use KSS keystores. The KSS keystore is available only with the JRF template and is not available with the default WebLogic Server configuration.
To configure the identity and trust keystores:
MIDDLEWARE_HOME\server\lib directories respectively, and the JDK cacerts keystore, are configured by default. Use for development only. To use a KSS keystore for demo identity and trust, you must first set the Use KSS For Demo field on the Domain > Security > Advanced page. This field determines whether the Demo Identity and Demo Trust key stores should be obtained from the Oracle Key Store Service (KSS).
cacerts file in the JAVA_HOME\jre\lib\security directory.
kss://system/keystorename where keystorename is the name of the keystore registered in KSS.
Note: The passphrase for the Demo Identity keystore is DemoIdentityKeyStorePassPhrase.
If you chose Java Standard Trust as your keystore, specify the password defined when creating the keystore. Confirm the password.
If you chose Custom Trust, define the following attributes:
kss://system/keystorename where keystorename is the name of the keystore registered in KSS.
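To confirm that a domain has actually moved off the development keystores described above, the following added example (not Oracle's code) audits a domain config.xml for servers that still use the demo keystores or carry a malformed KSS URI. Assumptions: the element names are those of the WebLogic domain schema rather than this page, the character set allowed in keystorename is a guess, and the sample XML and its server names and paths are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
# URI form given on this page; the allowed name characters are an assumption.
KSS_URI = re.compile(r"^kss://system/[A-Za-z0-9_.-]+$")

# Constructed sample of a domain config.xml (not taken from a real domain).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name></server>
  <server><name>ms1</name>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>kss://system/prodidentity</custom-identity-key-store-file-name>
    <custom-trust-key-store-file-name>kss:/system/prodtrust</custom-trust-key-store-file-name>
  </server>
  <server><name>ms2</name>
    <key-stores>CustomIdentityAndJavaStandardTrust</key-stores>
    <custom-identity-key-store-file-name>/u01/keys/DemoIdentity.jks</custom-identity-key-store-file-name>
  </server>
</domain>"""

def audit_keystores(config_xml):
    """Return (server, finding) tuples for keystore settings unfit for production."""
    findings = []
    root = ET.fromstring(config_xml)
    for server in root.findall("d:server", NS):
        name = server.findtext("d:name", default="?", namespaces=NS)
        mode = server.findtext("d:key-stores", default="", namespaces=NS).strip()
        # No key-stores element means the server still runs on the demo default.
        if not mode or mode.startswith("Demo"):
            findings.append((name, "demo identity/trust keystores in use"))
            continue
        for tag in ("custom-identity-key-store-file-name",
                    "custom-trust-key-store-file-name"):
            path = server.findtext("d:" + tag, default="", namespaces=NS).strip()
            if not path:
                continue
            base = re.split(r"[\\/]", path)[-1]
            if base in ("DemoIdentity.jks", "DemoTrust.jks"):
                findings.append((name, f"{tag} points at demo keystore {base}"))
            elif path.lower().startswith("kss:") and not KSS_URI.match(path):
                findings.append((name, f"{tag} is not of the form kss://system/keystorename"))
    return findings

if __name__ == "__main__":
    for server, finding in audit_keystores(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

A server with no key-stores element is reported because the demo configuration is the default, and a custom keystore setting that merely points at a copied DemoIdentity.jks is reported as well.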
After you finish
All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Old connections will continue to run with the old configuration. To ensure that all the SSL connections exist according to the specified configuration, you must reboot WebLogic Server.
Use the Restart SSL button on the Control: Start/Stop page to restart the SSL server when changes are made to the keystore files and need to be applied for subsequent connections without rebooting WebLogic Server. See Restart SSL.