Configuring the Admin Server

This article is the second in a three-part series that details how to secure a WebLogic server.  

The Oracle WebLogic Admin Server can be configured through the Admin Console to run on a secure port.  WebLogic provides default keystores that can be used to simulate SSL access in a test environment.  This article details the steps in configuring the WebLogic Admin Server to use keystores with certificates that can be used in a production environment.

Relevant Topics: Oracle DBA,  Oracle WebLogic, Admin Server, Keystores, WebLogic Security,  NIST SP 800-53

Following are variables used in the article.

 Environment Variables

 MW_HOME: This variable refers to the location where Oracle Fusion Middleware resides.

For this example, MW_HOME is:

 /u01/app/weblogic/wls12130

 WL_HOME: This variable refers to the location which contains installed files necessary to host a WebLogic Server.  For this example, WL_HOME is:

/u01/app/weblogic/wls/wlserver

DOMAIN_HOME: This is the home for our current WebLogic domain.  For this example, DOMAIN_HOME is:

/u01/app/weblogic/wls12130/user_projects/domains/base_domain

Configure WebLogic to Use the Keystores

1. Make a copy of the WebLogic configuration file – config.xml before making any changes. The config.xml file is found in

$MW_HOME/user_projects/domains/<domain_name>/config/config.xml

            This should be the same as:

$DOMAIN_HOME/config/config.xml

This backup file can be used to restore the config.xml file if there are any problems with the configuration.

2. Login to the WebLogic Server

3. Make sure the domain is in production mode. Once a domain is changed to production mode, it can’t be changed back to development mode.

 Click base_domain on the left hand side under Domain Structure.

Select the box next to Production Mode.

Click Save.

4. The screen indicates that the servers must be restarted.

 Click on Servers --> Control.

5. The Summary of Servers screen displays.

6. Select the box next to the managed server.

Select Shutdown.  Select “When work completes” from the drop down.

7. The screen will indicate that the managed server has been shut down.

8. Click on the AdminServer. The AdminServer settings screen displays.

 Select the Configuration --> Keystores tab.

9. The AdminServer Settings, Configuration --> Keystores screen displays.

Click on the Keystores Change button. 

Choose Custom Identity and Custom Trust.

Click Save.

Identity

Custom Identity Keystore: <directory containing the keystores>/identity_keystore.jks

Custom Identity Keystore Type:  JKS

Custom Identity Keystore Passphrase: 

<password for identity_keystore.jks that was specified when it was created>

Confirm Custom Identity Keystore Passphrase:

<password for identity_keystore.jks that was specified when it was created>

Trust

Custom Trust Keystore: <directory containing the keystores>/trust_keystore.jks

Custom Trust Keystore Type:  JKS

Custom Trust Keystore Passphrase: 

<password for trust_keystore.jks that was specified when it was created>

Confirm Custom Trust Keystore Passphrase:

<password for trust_keystore.jks that was specified when it was created>

Click Save

Click the SSL tab.

10. The AdminServer Settings General --> SSL screen displays.

Identity and Trust Locations:   Make sure this is set to Keystores

Identity

Private Key Location:    from Custom Identity Keystore

Private Key Alias:       This is the private key that we defined in the identity keystore

                              For example forge_private_key

Private Key Passphrase:  <The password defined when the private key was created in the keystore>

Confirm Private Key Passphrase:  <The password defined when the private key was created in the keystore>

Certificate Location:            from Custom Identity Keystore

Trust

Trusted Certificate Authorities:   from Custom Trust Keystore

Click Save

11. The screen indicates that the server must be restarted in order for the new settings to take effect.

Click Servers.

12. The Summary of Servers screen displays.

Click the Control tab.

13. Select the box next to the AdminServer.

Select Shutdown.  Select “When work completes” from the drop down.

14. A screen displays showing that the AdminServer has been shut down. It must be restarted in order for the web interface to be available.

15. Restart WebLogic on the server with the following command.

startWebLogic.sh

For example:

[oracle@Forge ~]$ cd $MW_HOME/user_projects/domains/base_domain

[oracle@Forge base_domain]$ ./startWebLogic.sh &

.

.

.

<Server state changed to RUNNING.>

16. Once the server state is changed to RUNNING, the web interface will be available.  Log back into WebLogic.  Note the Change Center in the upper left since WebLogic has been changed from development mode to production mode.

 Click on Servers

17. The Summary of Servers screen displays.

Click on the AdminServer.

18. The Settings for AdminServer screen displays. Click Lock & Edit in the Change Center on the left hand side. 

Select the box next to SSL Listen Port Enabled.  Enter a port number for SSL Listen Port.

Click Save.

Enabling the SSL port could have been done prior to shutting down the AdminServer in Step 12, but this is an example of using the Change Center in Production Mode.

19. Shutdown the AdminServer and restart WebLogic as in Steps 12 – 15 above.

20. You can now use the secure SSL Listen Port to run WebLogic. Note that the site is now locked and verified.

For security, for example to satisfy NIST SP 800-53 security controls, the non-secure Listen Port can be disabled.