Configuring Keystores for WebLogic Servers

This article is the first in a three-part series that details how to secure a WebLogic server. Keystores are used to add a certificate to a WebLogic server. There are two types of keystores: trust and identity. A trust keystore contains certificates from a trusted Certificate Authority (CA) and holds no sensitive information. An identity keystore holds the WebLogic server's own private key and certificate, so it contains the sensitive material used to authenticate the server and must be protected accordingly.
Relevant Topics: Oracle DBA, Oracle WebLogic, Keystores, WebLogic Security, NIST SP 800-53
Oracle WebLogic provides default keystores that can be used to simulate SSL access in a test environment. This article details the steps for configuring keystores that can be used in a production environment to enhance Oracle WebLogic security. The following variables are used throughout the article.
Environment Variables
MW_HOME: This variable refers to the location where Oracle Fusion Middleware resides.
For this example, MW_HOME is:
/u01/app/weblogic/wls12130
WL_HOME: This variable refers to the location which contains installed files necessary to host a WebLogic Server. For this example, WL_HOME is:
/u01/app/weblogic/wls/wlserver
DOMAIN_HOME: This is the home for our current WebLogic domain. For this example, DOMAIN_HOME is:
/u01/app/weblogic/wls12130/user_projects/domains/base_domain
Create and Configure the Keystores
1. Create keystores
First, generate a public/private key pair and a self-signed certificate. Set the environment by sourcing the setDomainEnv script so that the correct JDK (and therefore keytool) is on the path of the current shell.
For example:
[oracle@Forge wls12130]$ . $DOMAIN_HOME/bin/setDomainEnv.sh
Decide on a directory to store the keystores and change to that directory. For example:
$MW_HOME/keystores
Execute the keytool genkeypair command to generate the key pair and create a keystore.
keytool -genkeypair -alias <private_key_alias> -keyalg RSA -keysize 2048 -dname "CN=<server_name>,OU=<Department>,O=<Organization>" -keystore identity_keystore.jks
For example:
[oracle@Forge wls12130]$ mkdir keystores
[oracle@Forge wls12130]$ cd $MW_HOME/keystores
[oracle@Forge keystores]$ pwd
/u01/app/weblogic/wls12130/keystores
[oracle@Forge keystores]$ keytool -genkeypair -alias forge_private_key -keyalg RSA -keysize 2048 -dname "CN=forge.database.local,OU=Servers,O=Tech DBA Providers" -keystore identity_keystore.jks
Enter keystore password:
Re-enter new password:
Enter key password for <forge_private_key>
(RETURN if same as keystore password):
[oracle@Forge keystores]$
This command creates the keystore if it does not already exist. The key pair and the self-signed certificate are placed in the keystore.
Display the contents of the identity_keystore.jks keystore with the following command.
[oracle@Forge keystores]$ keytool -list -v -keystore identity_keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: forge_private_key
...
2. Obtain the Root CA certificate. There are various options here depending on organization policy.
3. Create a Certificate Signing Request (CSR) with the following command:
keytool -certreq -v -alias <private_key_alias> -file <CSR File Name> -keysize 2048 -keystore identity_keystore.jks
For example:
[oracle@Forge keystores]$ keytool -certreq -v -alias forge_private_key -file forge_csr -keysize 2048 -keystore identity_keystore.jks
Enter keystore password:
Certification request stored in file <forge_csr>
Submit this to your CA
4. As directed, submit the resulting file to your Certificate Authority. The CA should return a signed certificate.
5. Import the Root CA Certificate into a trusted keystore. This is the Root CA certificate obtained in Step 2.
keytool -importcert -v -noprompt -trustcacerts -alias <CA Root Cert alias> -file <CA Root Cert file name> -keystore trust_keystore.jks
For example:
[oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias cacert -file ca.cert.pem -keystore trust_keystore.jks
This will create the trusted keystore if it does not exist and place the CA Root certificate in the trusted keystore.
When configuring keystores, it is important that the certificate chain from the CA Root certificate down to the signed server certificate is complete. In some cases, for example when an intermediate CA signed the server certificate, it is necessary to import a certificate chain file into the trusted keystore as well. Check with your CA or organization policy to determine what is necessary. The following command imports a certificate chain when one is required.
keytool -importcert -v -noprompt -trustcacerts -alias <Chain file alias> -file <Chain file> -keystore trust_keystore.jks
For example:
[oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias chain -file chain.cert.pem -keystore trust_keystore.jks
6. Import the Root CA Certificate into the identity keystore created in Step 1. This is the Root CA certificate obtained in Step 2.
keytool -importcert -v -noprompt -trustcacerts -alias <CA Root Cert alias> -file <CA Root Cert file name> -keystore identity_keystore.jks
For example:
[oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias cacert -file ca.cert.pem -keystore identity_keystore.jks
If necessary, import the certificate chain into the identity keystore. See Step 5 above for an explanation. Execute the following command if necessary (note that the target here is identity_keystore.jks, not the trust keystore).
keytool -importcert -v -noprompt -trustcacerts -alias <Chain file alias> -file <Chain file> -keystore identity_keystore.jks
For example:
[oracle@Forge keystores]$ keytool -importcert -v -noprompt -trustcacerts -alias cachain -file ca-chain.cert.pem -keystore identity_keystore.jks
7. Import the signed certificate into the identity keystore using the following command.
keytool -importcert -v -alias <Private key alias> -file <Signed Cert file> -keystore identity_keystore.jks
Note: The alias must be the same private key alias used in Step 1; importing under that alias replaces the self-signed certificate with the CA-signed certificate and its chain, whereas a new alias would only add a trusted certificate entry.
For example:
[oracle@Forge keystores]$ keytool -importcert -v -alias forge_private_key -file forge.cert.pem -keystore identity_keystore.jks
8. Examine the contents of the keystores.
[oracle@Forge keystores]$ keytool -list -v -keystore identity_keystore.jks
Enter keystore password:
...
[oracle@Forge keystores]$ keytool -list -v -keystore trust_keystore.jks
Enter keystore password:
...
9. At this point, the keystores should be configured. Now WebLogic should be configured to recognize the keystores.
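When examining the keystores in Step 8, the thing worth checking is that the private key entry now carries the CA-signed chain rather than the Step 1 self-signed certificate. The following shell function is an added example, not part of the original article: it reads the output of keytool -list -v and reports the state of one alias. The listing embedded below is constructed to mirror the article's forge_private_key example with a fictitious CA name; in practice feed it the real listing of identity_keystore.jks.

```shell
#!/bin/sh
# Added example: classify a keystore alias from "keytool -list -v" output.
# States: missing | not-private-key | self-signed | incomplete | complete
# "self-signed" means Step 7 has not been done yet; "incomplete" means the
# chain does not end in a self-signed root (e.g. an intermediate is missing).

# Constructed sample listing in the format keytool -list -v prints
# (dates and fingerprints omitted; CA name is fictitious).
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: forge_private_key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=forge.database.local, OU=Servers, O=Tech DBA Providers
Issuer: CN=Example Root CA, O=Tech DBA Providers
Certificate[2]:
Owner: CN=Example Root CA, O=Tech DBA Providers
Issuer: CN=Example Root CA, O=Tech DBA Providers
Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Tech DBA Providers
Issuer: CN=Example Root CA, O=Tech DBA Providers
EOF
)

# chain_state LISTING ALIAS  -> prints one of the states listed above
chain_state() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^Alias name:/ { inalias = ($3 == want); if (inalias) found = 1; next }
    !inalias { next }
    /^Entry type:/ { type = $3 }
    /^Certificate chain length:/ { len = $4 + 0 }
    index($0, "Certificate[") == 1 { n++ }
    /^Owner:/  { sub(/^Owner: */, "");  owner[n] = $0 }
    /^Issuer:/ { sub(/^Issuer: */, ""); issuer[n] = $0 }
    END {
      if (!found)                    { print "missing"; exit }
      if (type != "PrivateKeyEntry") { print "not-private-key"; exit }
      if (len == 1 && owner[1] == issuer[1]) { print "self-signed"; exit }
      if (owner[len] != issuer[len]) { print "incomplete"; exit }
      print "complete"
    }'
}

# Real usage (keytool prompts for the password unless -storepass is given):
#   chain_state "$(keytool -list -v -keystore identity_keystore.jks)" forge_private_key
chain_state "$SAMPLE_LISTING" forge_private_key
```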