Configuring the Admin Server

This article is the second in a three-part series that details how to secure a WebLogic server.
The Oracle WebLogic Admin Server can be configured through the Admin Console to run on a secure port. WebLogic provides default keystores that can be used to simulate SSL access in a test environment. This article details the steps in configuring the WebLogic Admin Server to use keystores with certificates that can be used in a production environment.
Relevant Topics: Oracle DBA, Oracle WebLogic, Admin Server, Keystores, WebLogic Security, NIST SP 800-53
The following variables are used in this article.
Environment Variables
MW_HOME: This variable refers to the location where Oracle Fusion Middleware resides.
For this example, MW_HOME is:
/u01/app/weblogic/wls12130
WL_HOME: This variable refers to the location which contains installed files necessary to host a WebLogic Server. For this example, WL_HOME is:
/u01/app/weblogic/wls/wlserver
DOMAIN_HOME: This is the home for our current WebLogic domain. For this example, DOMAIN_HOME is:
/u01/app/weblogic/wls12130/user_projects/domains/base_domain
Configure WebLogic to Use the Keystores
- Make a copy of the WebLogic configuration file, config.xml, before making any changes. The config.xml file is found in
$MW_HOME/user_projects/domains/<domain_name>/config/config.xml
This should be the same as:
$DOMAIN_HOME/config/config.xml
This backup file can be used to restore the config.xml file if there are any problems with the configuration.
- Log in to the WebLogic Server
- Make sure the domain is in production mode. Once a domain is changed to production mode, it can’t be changed back to development mode.
Click base_domain on the left-hand side under Domain Structure.
Select the box next to Production Mode.
Click Save.
- The screen indicates that the servers must be restarted.
Click on Servers --> Control.
- The Summary of Servers screen displays.
- Select the box next to the managed server.
Select Shutdown. Select “When work completes” from the drop-down.
- The screen will indicate that the managed server has been shut down.
- Click on the AdminServer. The AdminServer settings screen displays.
Select the Configuration --> Keystores tab.
- The AdminServer Settings, Configuration --> Keystores screen displays.
Click on the Keystores Change button.
Choose Custom Identity and Custom Trust.
Click Save.
Identity
Custom Identity Keystore: <directory containing the keystores>/identity_keystore.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase:
<password for identity_keystore.jks that was specified when it was created>
Confirm Custom Identity Keystore Passphrase:
<password for identity_keystore.jks that was specified when it was created>
Trust
Custom Trust Keystore: <directory containing the keystores>/trust_keystore.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase:
<password for trust_keystore.jks that was specified when it was created>
Confirm Custom Trust Keystore Passphrase:
<password for trust_keystore.jks that was specified when it was created>
Click Save
Click the SSL tab.
- The AdminServer Settings General --> SSL screen displays.
Identity and Trust Locations: Make sure this is set to Keystores
Identity
Private Key Location: from Custom Identity Keystore
Private Key Alias: This is the alias of the private key that we defined in the identity keystore, for example forge_private_key
Private Key Passphrase: <The password defined when the private key was created in the keystore>
Confirm Private Key Passphrase: <The password defined when the private key was created in the keystore>
Certificate Location: from Custom Identity Keystore
Trust
Trusted Certificate Authorities: from Custom Trust Keystore
Click Save
- The screen indicates that the server must be restarted in order for the new settings to take effect.
Click Servers.
- The Summary of Servers screen displays.
Click the Control tab.
- Select the box next to the AdminServer.
Select Shutdown. Select “When work completes” from the drop-down.
- A screen displays showing that the AdminServer has been shut down. It must be restarted in order for the web interface to be available.
- Restart WebLogic on the server with the following command.
startWebLogic.sh
For example:
[oracle@Forge ~]$ cd $MW_HOME/user_projects/domains/base_domain
[oracle@Forge base_domain]$ ./startWebLogic.sh &
.
.
.
<Server state changed to RUNNING.>
- Once the server state is changed to RUNNING, the web interface will be available. Log back into WebLogic. Note the Change Center in the upper left since WebLogic has been changed from development mode to production mode.
Click on Servers
- The Summary of Servers screen displays.
Click on the AdminServer.
- The Settings for AdminServer screen displays. Click Lock & Edit in the Change Center on the left-hand side.
Select the box next to SSL Listen Port Enabled. Enter a port number for SSL Listen Port.
Click Save.
Enabling the SSL port could have been done prior to shutting down the AdminServer in Step 12, but this is an example of using the Change Center in Production Mode.
- Shut down the AdminServer and restart WebLogic as in Steps 12 – 15 above.
- You can now use the secure SSL Listen Port to run WebLogic. Note that the site is now locked and verified.
For security, for example to satisfy NIST SP 800-53 security controls, the non-secure Listen Port can be disabled.
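One way to confirm the end state of this procedure is to audit config.xml offline, shown here as an added example that is not part of the original article or of Oracle's tooling. The element names are assumed from the WebLogic domain schema, the sample file is constructed, and an absent element is treated as the WebLogic default.

```python
import xml.etree.ElementTree as ET

# Constructed sample of $DOMAIN_HOME/config/config.xml (values are made up;
# element names are assumed from the WebLogic domain schema).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7002</listen-port>
      <server-private-key-alias>forge_private_key</server-private-key-alias>
    </ssl>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
    <custom-identity-key-store-file-name>/constructed/identity_keystore.jks</custom-identity-key-store-file-name>
    <custom-trust-key-store-file-name>/constructed/trust_keystore.jks</custom-trust-key-store-file-name>
  </server>
  <production-mode-enabled>true</production-mode-enabled>
</domain>"""

def _text(node, path, default):
    """Walk child element names in `path` (namespace ignored); return text or default."""
    for name in path:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return default
    return (node.text or "").strip() or default

def audit_admin_server(config_xml, server_name="AdminServer"):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    server = next((s for s in root if s.tag.rsplit("}", 1)[-1] == "server"
                   and _text(s, ["name"], "") == server_name), None)
    if server is None:
        return [f"server {server_name} not found"]
    findings = []
    if _text(root, ["production-mode-enabled"], "false") != "true":
        findings.append("domain is not in production mode")
    # An absent element means the WebLogic default applies.
    if _text(server, ["key-stores"], "DemoIdentityAndDemoTrust") != "CustomIdentityAndCustomTrust":
        findings.append("keystores are not Custom Identity and Custom Trust")
    for kind in ("identity", "trust"):
        if not _text(server, [f"custom-{kind}-key-store-file-name"], ""):
            findings.append(f"custom {kind} keystore path is not set")
    if _text(server, ["ssl", "enabled"], "false") != "true":
        findings.append("SSL listen port is not enabled")
    if _text(server, ["listen-port-enabled"], "true") != "false":
        findings.append("non-secure listen port is still enabled")
    return findings

if __name__ == "__main__":
    print(audit_admin_server(SAMPLE_CONFIG))
```

The constructed sample reflects the domain after the SSL port is enabled but before the non-secure Listen Port is disabled, so the audit reports that one finding.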