Server Certificate Installation and Configuration Guide (Weblogic)
I found a lot of information on the Internet before and followed the steps, but in the end it didn't work; something small was always missing. Finally I pulled it all together, from making my own CA certificate to the WebLogic configuration and the client IE settings, and everything is OK.
1. Environment preparation
1. Install the JDK (optional). WebLogic installs its own JDK. If you generate the certificate request directly on the server, go to the bin directory of that JDK inside the WebLogic installation directory and run the keytool command there. If you need to generate the certificate request files in another environment, install a JDK there and later upload the generated keystore file (keystore.jks) to the server for configuration. Java SE Development Kit (JDK) download address: http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Prepare openssl
Prerequisite: download it from the openssl official website, www.openssl.org
Install openssl [the Windows and Linux installations are different]
If no environment variable is configured, you need to enter the bin directory of openssl to execute the commands, e.g. C:/OpenSSL/bin. Actually this is wrong: I downloaded the latest openssl-0.9.8zc, and there is no bin directory; I tested it, and the commands can be executed directly in the C:\openssl-0.9.8zc directory under Win7.
If the environment variable is configured, the commands can be executed from anywhere.
Before executing the commands, create two new directories, ca and server. Note: create them inside openssl-0.9.8zc.
1. Use openssl to make the CA certificate and the server certificate
For now we do not use the CA of a third-party authority, because that costs money; instead we use openssl to make the CA certificate and the server certificate ourselves and act as the CA.
One: Generate a CA certificate
1. Create a private key:
openssl genrsa -out ca/ca-key.pem 1024
2. Create a certificate request:
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
This command went wrong with the following error: Unable to load config info from /usr/local/ssl/openssl.cnf
After a bit of searching on Baidu, following the blue paragraph below fixed it:
It turned out that I had directly used a key generated by someone else, but unfortunately it was generated on Unix and was not suitable for Win32! There was no way around it but to start the whole openSSO from scratch. However, when using openSSO, the exception [Unable to load config info from /usr/local/ssl/openssl.cnf] appeared. It turns out that this is the default setting on Unix; there was no way around it, so I had to create the directory c:/usr/local/ssl, download openssl.conf from the Internet, rename it to openssl.cnf and put it in the c:/usr/local/ssl directory. Well, finally the key was generated and Apache could also be started, time to celebrate. Visiting https://localhost/login gives a white screen: Apache was started without SSL. Run apache -D SSL under CMD, OK, everything is done. One optimization is to comment out <IfDefine SSL> in the ssl.conf file, so you can start SSL directly.
In the configuration there were still some problems, for example [Invalid SSLMutex argument file:logs/dd (Valid SSLMutex mechanisms are: `none', `default')]; this is an Apache bug, only default or none can be used.
The parameters above can all be filled in arbitrarily, but I was also asked for an extra password, which must be 4 characters; I set it to test.
3. Self-signed certificate:
1> 3650 sets a 10-year certificate validity period, which is basically enough
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
2> Generate ca-cert.cer certificate for client import
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.cer -signkey ca/ca-key.pem -days 3650
4. Export the certificate to the .p12 format supported by browsers (you can skip this if you don't need it):
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
Set the password to test again.
Make a server certificate
Generate the key pair and the certificate request file with the keytool tool, then sign the certificate request with the CA root certificate generated with openssl in the previous step.
On Windows, the files generated below all land in the C:\Users\xia\AppData\Local\VirtualStore\Program Files (x86)\Java\jdk1.6.0\bin directory
Under Unix, the files are all generated in the /openssl-0.9.8zc/server/ directory
The next two steps use the keytool tool
Generate key pair
keytool -genkey -alias example -validity 3650 -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore example.jks
Generate certificate request
keytool -certreq -alias example -sigalg MD5withRSA -file example.csr -keypass 123456 -keystore example.jks -storepass 123456
The following command uses openssl
Generate server certificate based on certificate request
openssl x509 -req -in server/example.csr -out server/example.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 3650 -set_serial 1
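The following script is an added example and is not part of the original post. It carries out the CA and server-certificate steps above (sections 1 to 4 for the CA, and the signing step just shown) with openssl alone, and adds what the post's commands omit: a basicConstraints CA:TRUE extension on the root certificate (without it, current browsers and Java refuse to treat the certificate as an issuer), a subjectAltName of DNS:localhost on the server certificate (its absence is what produces the "address mismatch" warning the client section deals with), SHA-256 signatures instead of MD5withRSA, and 2048-bit RSA instead of 1024-bit. It also writes its own minimal openssl config files, which sidesteps the "Unable to load config info from /usr/local/ssl/openssl.cnf" error. The ca/ and server/ layout and the alias "example" follow the post; the host name localhost, the subject names, the 825-day server validity and the password 123456 are constructed sample values, and example-key.pem, example-cert.pem and example.p12 are file names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: private CA plus CA-signed server
# certificate built with openssl only.  ca/ and server/ layout and the alias
# "example" follow the post; host name, subject names, 825-day validity and
# the password 123456 are constructed sample values.
set -eu

# write_configs DIR: minimal openssl config files, so nothing here depends on a
# system openssl.cnf (the "Unable to load config info" error).
write_configs() {
  dir="$1"
  mkdir -p "$dir/ca" "$dir/server"
  cat >"$dir/ca/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
O = Example Private CA
CN = Example Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$dir/server/server.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = Example Server
CN = localhost
EOF
  # Extensions are applied at signing time: "openssl x509 -req" ignores any
  # extensions carried inside the CSR unless told to copy them.
  cat >"$dir/server/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
}

# build_pki DIR: CA key and self-signed CA cert, server key and CSR, CA-signed
# server cert, and a PKCS#12 bundle that keytool -importkeystore can read.
build_pki() {
  dir="$1"
  write_configs "$dir"
  openssl genrsa -out "$dir/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca/ca-key.pem" \
    -config "$dir/ca/ca.cnf" -out "$dir/ca/ca-cert.pem"
  openssl genrsa -out "$dir/server/example-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/server/example-key.pem" \
    -config "$dir/server/server.cnf" -out "$dir/server/example.csr"
  # 825 days: a validity some client platforms still accept for server certs.
  openssl x509 -req -sha256 -days 825 -in "$dir/server/example.csr" \
    -CA "$dir/ca/ca-cert.pem" -CAkey "$dir/ca/ca-key.pem" -CAcreateserial \
    -extfile "$dir/server/server.ext" -out "$dir/server/example-cert.pem"
  # Key, server cert and CA cert in one bundle under the alias "example".
  openssl pkcs12 -export -name example -passout pass:123456 \
    -in "$dir/server/example-cert.pem" -inkey "$dir/server/example-key.pem" \
    -certfile "$dir/ca/ca-cert.pem" -out "$dir/server/example.p12"
}

# verify_chain DIR: exit 0 only if the server cert chains to the CA cert.
verify_chain() {
  openssl verify -CAfile "$1/ca/ca-cert.pem" "$1/server/example-cert.pem"
}

# cert_has_san FILE HOST: does the certificate carry DNS:HOST in its SAN?
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# is_ca_cert FILE: does the certificate assert basicConstraints CA:TRUE?
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# Stand-alone run: build everything in a scratch directory and verify it.
demo_dir=$(mktemp -d)
build_pki "$demo_dir"
verify_chain "$demo_dir"
echo "PKI written to $demo_dir"
```

To feed the result into the keytool steps that follow, import the bundle instead of the separate files: `keytool -importkeystore -srckeystore server/example.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore example.jks -deststoretype JKS -deststorepass 123456`, then add the root certificate under alias root exactly as the post does, and `keytool -list` should show the same two entries. Very old JDKs such as 1.6 cannot read the PKCS#12 encryption that OpenSSL 3 emits by default; for those, add `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to the pkcs12 -export command (this is an assumption about the reader's JDK, not something the post covers). Once WebLogic is listening, `openssl s_client -connect localhost:7002 -servername localhost -CAfile ca/ca-cert.pem` should report "Verify return code: 0 (ok)", which confirms the chain and host name are right before touching any browser settings.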
Import the certificates into the keystore
Switch back to the keytool tool
Import CA certificate
keytool -import -v -trustcacerts -keypass 123456 -storepass 123456 -alias root -file C:\openssl-0.9.8zc\ca\ca-cert.pem -keystore C:\openssl-0.9.8zc\example.jks
The command on AIX is as follows:
keytool -import -v -trustcacerts -keypass 123456 -storepass 123456 -alias root -file /home/eteller/openssl/openssl-0.9.8zc/ca/ca-cert.pem -keystore /home/eteller/openssl/openssl-0.9.8zc/server/example.jks
Import server certificate
keytool -import -v -trustcacerts -storepass 123456 -alias example -file C:\openssl-0.9.8zc\example.pem -keystore C:\openssl-0.9.8zc\example.jks
The command on AIX is as follows:
keytool -import -v -trustcacerts -storepass 123456 -alias example -file /home/eteller/openssl/openssl-0.9.8zc/server/example.pem -keystore /home/eteller/openssl/openssl-0.9.8zc/server/example.jks
View keystore file content
keytool -list -keystore C:\openssl-0.9.8zc\example.jks -storepass 123456
The command on AIX is as follows:
keytool -list -keystore /home/eteller/openssl/openssl-0.9.8zc/server/example.jks -storepass 123456
You should see 2 entries: one is the root certificate (a trusted certificate entry, holding only the CA's public certificate) and the other is the server certificate (a key entry, holding the server's private key together with its certificate).
The keystore file example.jks is used in the SSL configuration. First copy this file to the following location:
C:\bea\user_projects\domains\base_domain, which is the root directory of the domain.
The command on AIX is as follows:
cp example.jks /home/eteller/base_domain/
WebLogic configuration
Enable the SSL listen port
Set the keystores
The 4 passwords (identity keystore passphrase, trust keystore passphrase and their confirmations) are all 123456, the password used earlier when generating example.jks
Set up SSL
Here Private Key Alias is the alias of our server, which is the example set before, and the Private Key Passphrase is still 123456
Hostname Verification (the "server name authentication" setting) needs to be set to None, because the certificate's subject does not match the host name
Block HTTP access
After the settings are complete, restart WebLogic. You can now access https://localhost:7002/ETellerbb/, but the original http://localhost:7001/ETellerbb/ can still be accessed, so you need to add the following configuration to web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
In this way, HTTP access to this application is automatically redirected to HTTPS.
Client operations
Import the CA certificate
1. Open Internet Options -> Content -> Certificates
2. Open Trusted Root Certification Authorities -> click the Import button
Remove the browser's address mismatch warning
After all changes are made, restart the browser