Administration Console Online Help


Configure keystores and SSL attributes specific to a network channel

Before you begin

  • See Configure keystores for information about how to create the identity and trust keystores that are to be specific to the network channel you are configuring. These are referred to as the custom keystores, to distinguish them from the default keystores used in the domain.
  • If Enable automatic realm restart is selected in the default security realm, you do not need to restart WebLogic Server after configuring keystores and SSL attributes as described in this topic.

Each channel you configure for a particular server instance must have a unique combination of listen address, listen port, and protocol.

You can configure a network channel to use keystores and other SSL attributes that are specific only to that channel and that override the default values set in the domain. This enables you to configure a Managed Server to use one identity and one set of SSL attributes with one channel, and a different identity and SSL attributes with a different channel. For more information, see Configuring an Identity Keystore Specific to a Network Channel.

To configure keystores and other SSL attributes specific to a network channel:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Select the server for which you want to configure a network channel to use nondefault keystores and other SSL attributes.
  4. Select Protocols > Channels.
  5. Click New.
  6. Enter the name of the new network channel and the protocol it will use, then click Next.
  7. Enter the following information:
    • Listen address
    • Listen port
    • External listen address
    • External listen port

    The external listen address and port are used to support Network Address Translation (NAT) firewalls. These should match the IP address or DNS name, and the port, that clients use to access applications on the server.

  8. Click Next.
  9. Configure any additional properties for this network channel. For more information, see Configure custom network channels.
  10. Click Finish.
  11. From the server-name > Protocols > Channels page, click the name of the new network channel configured in the preceding steps.

    The Settings for channel-name page is displayed.

  12. Select Configuration > Security.
  13. Optionally, set Two Way SSL Enabled and Client Certificate Enforced, as appropriate. Two Way SSL Enabled makes the channel request a certificate from the client; Client Certificate Enforced additionally rejects connections from clients that do not present one. With the first set and the second clear, a client that presents no certificate is still accepted.
  14. Set Channel Identity to Customize Identity.
  15. Configure one or more of the following values for this channel to override the SSL values that are set for the server or for the domain:
    • Custom Channel Private Key Alias: The string alias used to store and retrieve the channel's private key in the custom identity keystore.
    • Custom Channel Private Key Pass Phrase: The password used to retrieve the channel's private key from the custom identity keystore.
  16. Click Advanced, and configure one or more of the following SSL values specific to this network channel:
    • Custom Identity Keystore Passphrase: The password used when reading or writing to the custom identity keystore.
    • Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS). If left blank, it defaults to JKS. If using the Oracle Key Store Service, enter KSS.
    • Custom Identity Keystore: The fully qualified path to the custom identity keystore. For KSS, this would be the KSS URI.
    • Hostname Verification: Specifies whether this channel ignores the installed implementation of the weblogic.security.SSL.HostnameVerifier interface when the server acts as an SSL client through this channel. Ignoring hostname verification means the peer's certificate is no longer checked against the host name that was dialed, so any holder of a certificate from a trusted CA could impersonate the peer; leave verification enabled outside of isolated test setups.
    • Custom Hostname Verifier: The name of the class that implements the weblogic.security.SSL.HostnameVerifier interface to be used for this channel.
    • Ciphersuites: The cipher suites to be used with the SSL listener for the network channel. An empty list means no specific cipher suites have been enabled and the channel falls back to the cipher suites enabled by default in the JVM installation.
    • Unencrypted Null Ciphers: Specifies whether unencrypted (NULL) cipher suites are enabled for this channel. With a NULL cipher the handshake still authenticates the server, but application data is sent in cleartext; leave this disabled unless the channel is deliberately meant to carry unencrypted traffic.
    • Inbound Certificate Validation: Indicates the client certificate validation rules for inbound SSL.
    • Outbound Certificate Validation: Indicates the server certificate validation rules for outbound SSL.

    Note: WebLogic Server validates the Custom Identity Keystore attributes together with the NetworkAccessPointMBean.ChannelIdentityCustomized attribute. If any of the Custom Identity Keystore attributes (keystore, type, or passphrase) is set, then:

    • All of the Custom Identity Keystore attributes must be set.
    • Channel Identity must be set to Customize Identity.
    • Custom Channel Private Key Alias must be set.

    This validation ensures that the channel's alias is resolved against the channel's own keystore and does not silently fall back to an alias in the server keystore. If none of the Custom Identity Keystore attributes is set, the Custom Channel Private Key Alias may still be set; it is then looked up in the server's identity keystore.

  17. In the Change Center, click Activate Changes. If automatic realm restart is enabled, you do not need to restart WebLogic Server for updates to take effect.
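The same configuration as an added WLST example; this script is not part of this help page or of Oracle's documentation. It performs steps 1 through 17 above non-interactively and applies the keystore consistency rule from the note before calling save(), so a mismatch fails in the script rather than at activation. The admin URL, server and channel names, keystore path, alias, cipher suite names, user-config file paths and environment-variable names are placeholders (assumptions); the set() names are NetworkAccessPointMBean attribute names as exposed to WLST, which you can confirm with ls() in the channel's edit-tree directory.

```wlst
# Added example (not from this help page): WLST equivalent of the console steps
# above. Host names, paths, aliases, suite names and env-var names are
# placeholders (assumptions); set() names are NetworkAccessPointMBean attributes.
import os
import jarray
from java.lang import String

ADMIN_URL    = 't3://admin.example.internal:7001'      # assumption
SERVER_NAME  = 'ManagedServer1'                        # assumption
CHANNEL_NAME = 'SecureAppChannel'                      # assumption
KEYSTORE     = '/u01/keystores/channel_identity.jks'   # custom identity keystore (assumption)

# Passphrases come from the environment so they are not written into the script.
KEYSTORE_PASS = os.environ['CHANNEL_KEYSTORE_PASS']    # assumption
KEY_PASS      = os.environ['CHANNEL_KEY_PASS']         # assumption

# Ordered so the identity switch and alias are applied before the keystore attributes.
CHANNEL = [
    ('Protocol',                  'https'),
    ('ListenAddress',             '10.0.0.5'),          # step 7: listen address/port
    ('ListenPort',                8443),
    ('PublicAddress',             'apps.example.com'),  # external listen address (NAT)
    ('PublicPort',                443),                 # external listen port
    ('TwoWaySSLEnabled',          true),                # step 13: request a client cert ...
    ('ClientCertificateEnforced', true),                # ... and reject clients without one
    ('ChannelIdentityCustomized', true),                # step 14: Customize Identity
    ('CustomPrivateKeyAlias',     'appchannel'),        # step 15 (assumption)
    ('CustomPrivateKeyPassPhrase', KEY_PASS),
    ('CustomIdentityKeyStoreFileName',   KEYSTORE),     # step 16
    ('CustomIdentityKeyStoreType',       'JKS'),
    ('CustomIdentityKeyStorePassPhrase', KEYSTORE_PASS),
    ('HostnameVerificationIgnored', false),             # keep hostname verification on
    ('AllowUnencryptedNullCipher',  false),             # never negotiate NULL ciphers
    ('Ciphersuites', jarray.array([                     # JSSE names; must exist in your JDK
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'], String)),
]

KEYSTORE_ATTRS = ('CustomIdentityKeyStoreFileName',
                  'CustomIdentityKeyStoreType',
                  'CustomIdentityKeyStorePassPhrase')

def check_custom_identity(attrs):
    """Apply the consistency rule from the note above before save(): if any
    custom identity keystore attribute is set, all three must be, the channel
    identity must be customized and the private key alias must be set.
    Returns a list of problems; an empty list means the settings are consistent."""
    values = dict(attrs)
    if not [a for a in KEYSTORE_ATTRS if values.get(a)]:
        return []   # no custom keystore: an alias, if set, refers to the server keystore
    problems = ['%s is not set' % a for a in KEYSTORE_ATTRS if not values.get(a)]
    if not values.get('ChannelIdentityCustomized'):
        problems.append('ChannelIdentityCustomized must be true')
    if not values.get('CustomPrivateKeyAlias'):
        problems.append('CustomPrivateKeyAlias must be set')
    return problems

problems = check_custom_identity(CHANNEL)
if problems:
    raise ValueError('channel %s: %s' % (CHANNEL_NAME, '; '.join(problems)))

# Admin credentials come from a WLST user-config/key file pair created with
# storeUserConfig(), so no admin password appears in the script.
connect(userConfigFile='/u01/wlst/admin.config',       # paths are assumptions
        userKeyFile='/u01/wlst/admin.key', url=ADMIN_URL)
edit()
startEdit()                                             # step 1: Lock & Edit
try:
    cd('/Servers/' + SERVER_NAME)                       # steps 2-3
    if CHANNEL_NAME not in [c.getName() for c in cmo.getNetworkAccessPoints()]:
        create(CHANNEL_NAME, 'NetworkAccessPoint')      # steps 4-6
    cd('/Servers/%s/NetworkAccessPoints/%s' % (SERVER_NAME, CHANNEL_NAME))
    for name, value in CHANNEL:                         # steps 7-16
        set(name, value)
    save()
    activate(block='true')                              # step 17: Activate Changes
except:
    dumpStack()
    cancelEdit('y')                                     # release the lock on failure
    raise
disconnect()
```

Run it with `java weblogic.WLST configure_channel.py` (the file name is an assumption) after exporting the two passphrase variables. Setting the passphrases through set() stores them encrypted in config.xml, the same as entering them in the console; the script deliberately leaves HostnameVerificationIgnored and AllowUnencryptedNullCipher false so the channel both verifies peers it connects to and never negotiates a cleartext suite.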
