Server Certificate Installation Configuration Guide (WebLogic)
I had looked up a lot of material on the Internet and followed the steps, but every guide was missing a little something. This page finally brings it all together, from producing our own CA certificate to the WebLogic configuration and the client IE settings, and everything works.
Environment preparation
1. Install the JDK (optional)
WebLogic comes with a JDK after installation. If you generate the certificate request directly on the server, go to the bin directory of the JDK under the WebLogic installation directory and run the keytool command there.
If you need to generate the certificate request file in a different environment, you can install the JDK there and later upload the generated keystore file keystore.jks to the server for configuration.
Java SE Development Kit (JDK) download:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Prepare OpenSSL
Prerequisite: download OpenSSL from the OpenSSL website, www.openssl.org
Install OpenSSL (the installation differs between Windows and Linux).
If you do not configure environment variables, you will need to execute commands in the bin directory of OpenSSL, such as C:/openssl/bin. This is wrong: I downloaded the latest openssl-0.9.8zc, which has no bin directory. I tested it, and under Win7 the commands can be executed directly in the C:\OPENSSL-0.9.8ZC directory.
As long as the environment variables are configured, the commands can be executed anywhere.
Before executing the commands, create two new directories, ca and server. Note that they should be inside the OPENSSL-0.9.8ZC directory.
Using OpenSSL to make the CA certificate and the server certificate
We do not currently use a third-party authoritative CA, because there is a charge, so we use OpenSSL ourselves to make the CA certificate and the server certificate, acting in the CA's role.
One: Generate the CA certificate
1. Create the private key:
openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
This step went wrong. The result was this error: Unable to load config info from /usr/local/ssl/openssl.cnf
I searched Baidu a bit; following the section below (shown in blue in the original) made it work.
At first I directly used a key that someone else had generated; unfortunately his was made on Unix and was not suitable for Win32! There was no way around it, so I started working with OpenSSL. But when using OpenSSL, there was an [Unable to load config info from /usr/local/ssl/openssl.cnf] exception. It turns out this is the Unix default setting. There was no other way: I had to create the directory [C:/usr/local/ssl], download openssl.conf from the Internet, rename it to openssl.cnf, and put it in the c:/usr/local/ssl directory. Finally the key was sorted out, and Apache could also be started. Celebrate.
Accessing https://localhost/login showed a white screen because Apache had not started SSL; running apache -D SSL in CMD fixed it, and everything was done.
One optimization: in the ssl.conf file, comment out <IfDefine SSL> and SSL starts directly.
During configuration there were also some problems, such as [Invalid SSLMutex argument file:logs/dd (Valid SSLMutex mechanisms are: 'none', 'default')]; this is an Apache bug, and only default or none can be used.
The parameters above can be filled in arbitrarily, but the password that is requested must be 4 characters; I set it to test.
3. Self-signed certificate:
1> 3650 days is a 10-year certificate validity period, basically enough
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
2> Generate the ca-cert.cer certificate for client import
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.cer -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the browser-supported .p12 format: (omit if not needed)
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
The password is again set to test
Making the server certificate
Generate a key pair and a certificate request file with the keytool tool, and then use the CA root certificate made with OpenSSL in the previous step to sign the certificate request.
The files generated below are created in the C:\Users\xia\AppData\Local\VirtualStore\Program Files (x86)\java\jdk1.6.0\bin directory.
Under UNIX, the files are generated in the /openssl-0.9.8zc/server/ directory.
The following two steps use the keytool tool
Generate the key pair
keytool -genkey -alias example -validity 3650 -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore example.jks
Generate a certificate request
keytool -certreq -alias example -sigalg MD5withRSA -file example.csr -keypass 123456 -keystore example.jks -storepass 123456
The following command uses OpenSSL
Generate a server certificate based on the certificate request
openssl x509 -req -in server/example.csr -out server/example.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 3650 -set_serial 1
Import the certificates into the keystore
Switch back to the keytool tool
Import the CA certificate
keytool -import -v -trustcacerts -keypass 123456 -storepass 123456 -alias root -file C:\openssl-0.9.8zc\ca\ca-cert.pem -keystore C:\openssl-0.9.8zc\example.jks
The command on AIX is as follows:
keytool -import -v -trustcacerts -keypass 123456 -storepass 123456 -alias root -file /home/eteller/openssl/openssl-0.9.8zc/ca/ca-cert.pem -keystore /home/eteller/openssl/openssl-0.9.8zc/server/example.jks
Import the server certificate
keytool -import -v -trustcacerts -storepass 123456 -alias example -file C:\openssl-0.9.8zc\example.pem -keystore C:\openssl-0.9.8zc\example.jks
The command on AIX is as follows:
keytool -import -v -trustcacerts -storepass 123456 -alias example -file /home/eteller/openssl/openssl-0.9.8zc/server/example.pem -keystore /home/eteller/openssl/openssl-0.9.8zc/server/example.jks
View the keystore file contents
keytool -list -keystore C:\openssl-0.9.8zc\example.jks -storepass 123456
The command on AIX is as follows:
keytool -list -keystore /home/eteller/openssl/openssl-0.9.8zc/server/example.jks -storepass 123456
You will see 2 certificates: one is the root certificate and one is the server certificate. The root certificate entry contains only the public key, while the server certificate entry contains the private key.
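The keystore listing can be checked mechanically before WebLogic is pointed at it. This is an added example, not part of the original guide: it parses the verbose listing (keytool's `-v` flag, JDK 6 style labels assumed) and confirms that the alias example is a private key entry whose chain ends at the imported root. The function names and the sample listing are constructed for illustration.

```python
# Constructed, abridged sample of `keytool -list -v` output (not from the page).
SAMPLE = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Test CA
Issuer: CN=Test CA

Alias name: example
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost
Issuer: CN=Test CA
Certificate[2]:
Owner: CN=Test CA
Issuer: CN=Test CA
"""

def parse_entries(text):
    """Split the listing into {alias: record}; lines before the first alias are ignored."""
    entries = {}
    cur = {"owners": [], "issuers": []}  # throwaway record for header lines
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(val, {"owners": [], "issuers": []})
        elif key == "Entry type":
            cur["type"] = val
        elif key == "Certificate chain length":
            cur["chain_len"] = int(val)
        elif key in ("Owner", "Issuer"):
            cur[key.lower() + "s"].append(val)
    return entries

def check_keystore(text, server_alias="example", ca_alias="root"):
    """Return a list of problems; an empty list means the keystore has the expected shape."""
    entries = parse_entries(text)
    srv, ca = entries.get(server_alias), entries.get(ca_alias)
    problems = []
    if ca is None or ca.get("type") != "trustedCertEntry":
        problems.append(f"{ca_alias}: missing or not a trustedCertEntry")
    if srv is None or srv.get("type") != "PrivateKeyEntry":
        return problems + [f"{server_alias}: missing or not a PrivateKeyEntry"]
    if srv.get("chain_len", 1) < 2:
        # The CA-signed reply was never attached to the key pair.
        problems.append(f"{server_alias}: chain length 1, still the self-signed certificate")
    elif ca and srv["issuers"][:1] != ca["owners"][:1]:
        problems.append(f"{server_alias}: issuer is not the imported CA")
    return problems

print(check_keystore(SAMPLE))
```

A chain length of 1 on the server alias means the server would present the self-signed certificate created by `keytool -genkey`, not the one signed by the CA.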
The keystore file example.jks is used in the SSL configuration. First copy this file to the following location:
C:\bea\user_projects\domains\base_domain, which is the root directory of the domain.
The command on AIX is as follows:
cp example.jks /home/eteller/base_domain/
WebLogic configuration
Turn on the SSL service
Set KeyStore
All 4 password fields are 123456, the password set earlier when generating example.jks.
Setting Up SSL
The private key alias is the alias of our server certificate, that is, the example set earlier; the password is again 123456.
You need to set hostname verification for this server to None.
Block HTTP Access
After the setup is complete, restart WebLogic. The application can then be accessed at https://localhost:7002/ETellerbb/, but the original http://localhost:7001/etellerbb/ is still accessible, so the following needs to be added to the web configuration (web.xml):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
With this in place, access over http automatically jumps to HTTPS.
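Element names and the CONFIDENTIAL value in this block are case-sensitive, and a pattern narrower than /* leaves the remaining URLs reachable over plain http. The following check is an added example, not part of the original guide: it reads a web.xml deployment descriptor and reports whether a constraint forces HTTPS for every URL and method. The function names and sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors (not from the page): the block above, plus three broken variants.
GOOD = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
WRONG_CASE = GOOD.replace("CONFIDENTIAL", "Confidential")
PARTIAL = GOOD.replace("/*", "/login/*")
WITH_METHOD = GOOD.replace("</url-pattern>", "</url-pattern><http-method>GET</http-method>")

def local(tag):
    """Strip an XML namespace so descriptors with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]

def find(elem, name):
    """All descendants of elem whose local tag name equals name."""
    return [c for c in elem.iter() if local(c.tag) == name]

def https_enforced(web_xml):
    """Return (ok, reasons); ok only if one constraint forces TLS for all URLs and methods."""
    root = ET.fromstring(web_xml)
    reasons = []
    for sc in find(root, "security-constraint"):
        guarantee = [(g.text or "").strip() for g in find(sc, "transport-guarantee")]
        patterns = [(p.text or "").strip() for p in find(sc, "url-pattern")]
        if guarantee != ["CONFIDENTIAL"]:
            reasons.append(f"transport-guarantee is {guarantee}, expected CONFIDENTIAL")
        elif "/*" not in patterns:
            reasons.append(f"url-pattern {patterns} does not cover /*")
        elif find(sc, "http-method"):
            # A listed method restricts the constraint to that method only.
            reasons.append("http-method listed: other methods are not constrained")
        else:
            return True, []
    return False, reasons or ["no security-constraint element"]

for name, doc in [("good", GOOD), ("wrong case", WRONG_CASE),
                  ("partial", PARTIAL), ("with method", WITH_METHOD)]:
    print(name, https_enforced(doc))
```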
Client actions
Import the CA certificate
1. Open Internet Options -> select Content -> click Certificates
2. Open Trusted Root Certification Authorities -> click the Import button
Remove the browser's address mismatch warning
After all the modifications are complete, restart the browser