How to configure Custom Identity and Custom Trust store in Weblogic

In this we will see how to generate self-signed certificate and configure to Weblogic Admin server .Before configuration we have demo certificate

Generated Self-Signed certificate with the below command . We can generate CSR from it and get it signed from third party . SSL configuration steps remain same .

/apps/java11_64/bin/keytool -genkey -v -alias weblogic -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
-dname “CN=www.abc.com, OU=abc, O=ABC Corp, C=IN, ST=Banglore, L=India” \
–keypass password -storepass password -validity 365 -keystore keystore.jks

Configuring Custom Keystore and truststore will see now .

Login to WLS Admin console
–> Go to Enviroment /Servers and click on the server for which ssl need to enable
–> Go Keystores tab change keystore to Custom Identity and Custom Trust
–> Enter keystore and truststore details then save
–> GO to SSL Tab then enter the certificate to use and keypassword and save

Restart the Admin sever since we did the SSL configuration to Admin server . We need to follow same for each Managed instance on Weblogic for SSL

Now admin logs are loding cert and trust certs from /apps/ssl/keystore.jks 
Here we used same keystore for both key and trust certs . We can configure seperate trust store if need.

<Dec 25, 2020, 12:24:07,261 PM Singapore Standard Time> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias weblogic from the jks keystore file /apps/ssl/keystore.jks.> 
<Dec 25, 2020, 12:24:07,565 PM Singapore Standard Time> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /apps/ssl/keystore.jks.> 
<Dec 25, 2020, 12:24:07,929 PM Singapore Standard Time> <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.> 
Expot same cert and import back to same keystore as trust cert. because self signed is signed by it self so same cert is need in trust as well.
Export certificate
keytool -exportcert -alias weblogic -file wls.cer -keystore keystore.jks

Add as trust 
[wlsuser@localhost ssl]$ /apps/java11_64/bin/keytool -import -alias root -file wls.cer -keystore keystore.jks 

Enter keystore password:  
Certificate already exists in keystore under alias <weblogic>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
[wlsuser@localhost ssl]$ /apps/java11_64/bin/keytool -list -keystore keystore.jks 
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

root, Dec 25, 2020, trustedCertEntry, 
Certificate fingerprint (SHA-256): B9:CE:10:5C:7C:9D:D9:6B:DF:DC:62:25:DF:FE:86:E2:EF:A0:58:A0:C3:EC:7A:51:93:8E:CC:4D:5E:09:AE:E2
weblogic, Dec 25, 2020, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): B9:CE:10:5C:7C:9D:D9:6B:DF:DC:62:25:DF:FE:86:E2:EF:A0:58:A0:C3:EC:7A:51:93:8E:CC:4D:5E:09:AE:E2
[wlsuser@localhost ssl]$

If we dont import same cert as trust certificate then the server will start but cannot able to load the page .

After successful SSL configuration we can see new certificate in Weblogic console .

Related Posts

One thought on “How to configure Custom Identity and Custom Trust store in Weblogic

Leave a Reply

Your email address will not be published. Required fields are marked *