Tuesday, November 5, 2013

WebLogic NodeManager

Hello Everyone,

Node Manager is a optional feature that will allow to start the Managed Server remotely(like from Admin console).Once we start the nodemanager we can check the nodemanager status in admin console(Machines->(machine name)->Monitoring) and we will see the status as "Reachable".This means we now we can start that particular instance through the console.

By default we when we start a server by nodemanager it will in-turn creates a java process which will start the managed server.
But we can make some change in the configuration and make it use our own script.

Also Node Manager provides a fuctionality called “CrashRecovery” which will help to start the Managed server if it got down unexpectly or when the server crashes.




Lets see how Node Manager can be configured.

Below is the default configuration of a working node manager

DomainsFile=D\:\\WLS\\bea1030\\WLSERV~1.3\\common\\NODEMA~1\\nodemanager.domains
LogLimit=0
PropertiesVersion=10.3
javaHome=D\:\\WLS\\bea1030\\JROCKI~1
AuthenticationEnabled=true
NodeManagerHome=D\:\\WLS\\bea1030\\WLSERV~1.3\\common\\NODEMA~1
JavaHome=D\:\\WLS\\bea1030\\JROCKI~1\\jre
LogLevel=INFO
DomainsFileEnabled=true
StartScriptName=startWebLogic.cmd--------------------------------------------
ListenAddress=-------------------------------------------------------------
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
SecureListener=true
LogCount=1
StopScriptEnabled=false
QuitEnabled=false
LogAppend=true
StateCheckInterval=500
CrashRecoveryEnabled=false
StartScriptEnabled=false --------------------------------------
LogFile=D\:\\WLS\\bea1030\\WLSERV~1.3\\common\\NODEMA~1\\nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50


General issues we encounters are below

1)SSL HandShake error:-

By default nodemanger uses 5556 port which is a standard SSL port.
If we don't want to use SSL change the port number of nodemanager in the WebLogic console and change "SecureListener=false" in the above configuration.

2)If you want use a custom script as a start up script:-

If we have a custom script which we wants we call when the nodemanger is starting then we have to make change in two places in the above configurations
a)StartScriptEnabled=true
b)StartScriptName=

3)Logs will be updated in a file called "nodemanager.log" file.

4)To ensure that Node Manager properly restarts servers after a system crash, we must perform the following:

Ensure that CrashRecoveryEnabled is set to true.
The CrashRecoveryEnabled configuration property allows Node Manager to restart servers after a system crash. The property is not enabled by default.

We should start the Administration Server via Node Manager.
All managed servers should be started via the Administration Server. We can accomplish this via WLST or the Administration Console.
After the system is restarted, Node Manager checks each managed domain specified in the nodemanager.domains file to determine if there are any server instances that were not cleanly shutdown. This is determined by the presence of any lock files which are created by Node Manager when a WebLogic Server process is created. This lock file contains the process identifier for WebLogic Server startup script. If the lock file exists, but the process ID is not running, Node Manager will attempt to automatically restart the server.

If the process is running, Node Manager performs an additional check to access the management servlet running in the process to verify that the process corresponding to the process ID is a WebLogic Server instance.

Note: When Node Manager performs a check to access the management servlet, an alert may appear in the server log regarding improper credentials.
Posted by at No comments:
Labels:

Friday, October 18, 2013

SOA Suite 11.1.1.7.0 installation step

Hello All,

Recently I installed SOA Suite and below are steps which I followed for the same.

You can download the SOA suite and all the pre-requisites from below link

http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

Below are the mandate things you required for a successful installation and please follow these steps in the same sequences.

From the above link, you should download below files.

1) OracleXE112_Win32
2) ofm_rcu_win_11.1.1.7.0_32_disk1_1of1
3) wls1036_win32 (Please make sure you a weblogic server downloaded from the FMW home and not a standalone, because if you use standalone server to integrate the same then you will face "Fatal Error" during domain creation)
4) ofm_soa_generic_11.1.1.7.0_disk1_1of2
5) ofm_soa_generic_11.1.1.7.0_disk1_2of2


OracleXE112_Win32 Installation

Now to start with, first you need to install "OracleXE112_Win32"

Consider you have installed "OracleXE112_Win32" under C:\SOA.


Repository Creation Utility Installation

After than you need to run "Repository Creation Utility". By running this the schemas which are required for your Oracle Fusion Middleware components (that is SOA, BAM etc) are created and this needs to be run before the FMW installation.

You can refer below link for further information
http://docs.oracle.com/cd/E28280_01/doc.1111/e14259/rcu.htm#RCUUG240

Once you have installed "ofm_rcu_win_11.1.1.7.0_32_disk1_1of1" to run please follow below steps

1) Go to "ofm_rcu_win_11.1.1.7.0_32_disk1_1of1\rcuHome\BIN"
2) Run "rcu.cmd" file
3) Select create and click next
4) In DataBase connection details you need to provide the informations of OracleXE database which you installed in the first Steps.(In this make sure the role is SYSDBA else it might give some permission issue)


 When you click next it will be testing the connection too and move to next page it the connection is established.
5) In the select component page you need to check the components you intent to install so that corresponding schemas will be created.



In this example I have selected the SOA and BAM schemas.

6) After that you need to provide a password, which which the server will be accessing these schema's.
 You can you same password for all the components for simplicity.

Then next which will Map the table space and then create those tables.

By this your DB pre-requisites are done.


Now lets move to WebLogic server and SOA installation.


WebLogic Installation.


WebLogic Server Installation is pretty straight forward

1) Run "wls1036_win32.exe" file.
2) Select a Middleware home (In our case C:\SOA)
3) Select a JDK and then install.

Once the server is installed successfully, we move to SOA installation.


SOA Installation

For installing SOA first we need to run "Setup.exe" which will be under "ofm_soa_generic_11.1.1.7.0_disk1_1of2\Disk1\install\win32"

Once you run it, it will be asking for a JDK home which should have already installed in the WebLogic server installation. We should give that location.

For example "C:\SOA\jdk160_29" as the Java Home and enter.

During the installation step it will ask for a Middleware home which we need to give.(Same Weblogic home :- C:\SOA).

After that it will automatically detect which Application Server it is.(In our case "WebLogic").

So we will be installing the SOA on "C:\SOA" so that after the installation we will see a folder called "Oracle_SOA1" is created.

So installation of SOA is done.

Once we have successfully installed, we need to create a domain.

For that we need to go to "C:\SOA\Oracle_SOA1\common\bin".

And need to run "config.cmd" file.

This will initiate below page.


After that we need to select below options.

After this we will provide a "Domain_Home", "Domain Location" and "Application Location"

Provide a password for Admin and move ahead.

On the next step you need to JDBC components schemas.

This is the point where the schemas we created by RCU in step 2 is required.

We have a to select the schema's and provide correct information's. It will be looking like below.




In the above we need to take care of below parameters,

a) Service = XE
b) Hostname = Same host name where you installed OracleXE112_Win32, in my case localhost
c) Port = 1521 (Default port of XE)
b) Schema password = Same password we give during "ofm_rcu_win_11.1.1.7.0_32_disk1_1of1" installation on step 6.

When you click next you should get below screen which says all the schema lookup's are fine.



Continue by clicking next and create the domain.

Thats it!!!!!!

Regards,
Anish
Posted by at No comments:

Sunday, July 14, 2013

Starting WebLogic as a Windows Service

WebLogic can be started by different ways and "Windows Service" is one of them.

If you check to create the service during the installation time a Windows service to start a weblogic domain will be created automatically, which we normally miss :)

So by following below steps you can create a Windows Service by which you can start a WebLogic server.

Install a weblogic instance (from 8.1 or above).

Now the script that help us do this process is "installSvc.cmd" which will be present under WL_Home\server\bin

We need to make a explicit script say "services.cmd" and it should contain the below configuration.

************************
echo off
SETLOCAL
call "\bin\setDomainEnv.cmd"
set DOMAIN_NAME=
set USERDOMAIN_HOME=
set SERVER_NAME=
set WLS_USER=
set WLS_PW=
set JAVA_OPTIONS=-Dweblogic.Stdout="\stdout.out"
-Dweblogic.Stderr="\stderr.txt" %JAVA_OPTIONS%
call "\server\bin\installSvc.cmd"
ENDLOCAL
************************

Description of the above script line by line.

First we call the setDomainEnv.cmd file which will set the environment.
Then we set the Domain name, domain location, which server we want to start via service, the username and password respectively.

Option "Dweblogic.Stdout" and "Dweblogic.Stderr" and not mandatory but is recommended to have it so that we will understand if there is any issue while executing the script or starting the server.
In the end we ill call "installSvc.cmd" and which will be creating a windows service.

Save the above file as a ".cmd" file and run it.

A new service called "bea__Domain__ServerNmae" will get created.And start the service.


That's it you service has been created successfully.

If you make the service run "Automatically" then the server will startup when ever you start your Operating System.

Posted by at No comments:
Labels:

Friday, July 12, 2013

Apache WebLogic Integration

Apache- Weblogic integration

Recently I had a chance integrate Apache and WebLogic by following below steps you too can do it :)

For this I am using weblogic 10.3.4(Doesn't really matter which WLS version you ar using) and Apache 2.0.

WebLogic server setting

1) Make sure you are 1 Admin and 1 or more managed server.
2) Deploy a sample application in Managed Server which we will     be connecting via Apache WebServer.
3) Make sure you have a valid entry in "Listen Address:" for the managed server.(You can validate the same from Admin Console--> Server-->Managed Server-->Configuration-->General)


Configure a Admin and a Managed Server and make sure its running

Make sure you have a valid entry in "Listen Address" tab of Managed Server like below.




Now deploy a sample application and try to hit the same.

I have uploaded a sample application which will give you the server and host IP address

You will get below page


Sinne you have already installed apache we are going to configure the Apache so that when you hit a request to Apache it should redirect the same to respective WebLogic server

For that we need to go to below location.

C:\Apache2\conf

Where Apache2 is where w have installed the apache.

There we should see a file called httpd.

Take a backup of the existing one and open the file.

If you go to bottom you should see a entry for "Location" and IfModule, which we need to edit it as below

<Location />
 SetHandler weblogic-handler
</Location>


<IfModule mod_weblogic.c>
 WebLogicCluster <CLuster IP address>
 Debug ON
 WLLogFile C:\Apache\logs\wlproxy.log
 WLTempDir C:\Apache\logs
</IfModule>


Now if you having one IP address then inside IFModule you should enter like below

WebLogicHost myweblogic.server.com
WebLogicPort 7001

If you have multple server in a cluster then the entry should be like

WebLogicCluster myweblogic1.server.com:7001,myweblogic2.server.com:7003,myweblogic3.server.com:7003

Keep the Debug ON and route the wlproxy logs to a location, so that incase of any issue or failure you should get the logs which shows the reason of failure.

Also for testing purpose you can add below parameter inside the IfModule

"DebugConfigInfo ON"

By which you can hit below url

 http://myWebServerServerIP:WebServerPort/myApp/index.jsp?__WebLogicBridgeConfig

But this is not recommended on production.

Also we need to load the WebLogic module in the Apache by adding below entry.

LoadModule weblogic_module modules/mod_wl_20.so

"mod_wl_20.so" file can be found unders WLS_Home\server\plugin\<Your_OS>\<Whether 32 or 64 bit>


By hitting above url we will come to know that, to waht all servers Apache is able to lookup and other tcp level parameters.

That's it , restart the Apache and try to access the application via Apache.

Now you will be able to access the application via Apache
Posted by at No comments:
Labels:

Wednesday, July 10, 2013

JMS Bridge Creation and configuration

JMS Bridge Creation and configuration

In this chapter I will be giving a basic idea about JMS bridge creation and configuration.

What is a JMS bridge and why JMS bridge?

JMS bridge enables you to connect between to Messaging server.

The main advantage of bridge over SAF(Store and Forward which is a WebLogic implemented Messaging Implementation) is that its server independent.

That is you can have the JMS bridge configured to connect between, WebLogic and MQ or Weblogic and JBoss etc. Although SAF can used to connect between two WebLogic servers.

HOW JMS BRIDGE CONFIGURED AND HOW IT IS ABLE TO CONNECT TO OTHER MESSAGING SERVER.

Configuring a JMS bridge is very easy, provided you have proper destination.

In a JMS bridge mainly two connections are made,
   
1) To the Source
2) To the Destination.


We can make the connection XA or non-XA, depending on the requirement and respective resource adaptor with respect to weblogic will be installed.

There are two types of adaptor

jms-xa-adp.rar     :--or which the jndi name will be "eis.jms.WLSConnectionFactoryJNDIXA"

jms-notran-adp.rar :--- for which the jndi name will be "eis.jms.WLSConnectionFactoryJNDINoTX"

Below are the steps for creating the JMS bridge

When you click Bridge from the Admin console you willget below menu

As the above picture shows a Bridge needs a Name, Source Bridge Destination and Target Bridge Destination.
Source bridge destination is from where the messages are picked up and target bridge destination is where the messages are posted to.
**One main feature of bridge is that the communication is uni-directional, i.e. On a single bridge you can’t have source bridge to receive messages from a target bridge.
If you want bi-directional communication you need to configure 2 bridges.(One for sending and other for receiving).
This is the main difference between SAF and Bridge as in SAF you can send and receive messages with one SAF agent.
Now let’s start the configuration.

When you try the create a JMS bridge below screen will appear.
Where you need to give a bridge name and Quality of Service(QOS).




QOS will determine service quality of messaging bridge.
When you are using XA transaction’s, it is always recommended to use Exactly once, which will envelops a received message and sends it within a user transaction (XA/JTA).
When you use Exactly_once mode then it ensures that the message is send only once and will rollback if there is any issue occurs during the message flow. This ensures that message will reach if the client is up and will roll back if there is any issue. Either way the message is secure are can’t be lost.
The other two QOS state are Atmost-once and Duplicate-okay. These are mainly recommended for non-XA messages.
Atmost-once :-  the resource adapter uses the AUTO_ACKNOWLEDGE mode(It will be send only once and doesn’t wait for the receiver to send a acknowledgement, which can cause message lost)
Duplicate-okay :- uses CLIENT_ACKNOWLEDGE(where there is a chance of having duplicate messages).





When you click next you see below page where you need to configure/select(if its already there) the Source Destination.
When I click “New Destination” I will get below page.

In the above page you need to add “connection url” ,”connection factory JNDI Name” and “Destination JNDI Name”
Example values
Connection_url :- t3://localhost:7001
Connection factory jndi :-  cf
Destination jndi :- “jndi configured for Queue or Topic”
The first column is the name of the Source bridge(which you give user specific if needed ) and second is the JNDI adaptor name.
As I mentioned in the beginning you can choose two adaptors, XA or non-XA

Similar for Destination

That's it with the Bridge Creation.
Now if you click bridge --> Monitoring you will be able to see the state of both Source and Destination Bridge.

Ideally if all lookup and configuration is correct the you will be seeing "Forwarding Messages".
If you start the bridge from the admin console, can will be seeing "Started by Administrator"

As we all know this will not work at when you are trying first time. So below are the main issue you could encounter.
1) Failed to connect to Source
2) Failed to connect to Destination.

If you see any above error in the "Monitoring tab" of Bridge, then the message flow will not work.
The main reason for the above issue will be the parameter that you have given in anyone of the below
“connection url” ,”connection factory JNDI Name” or “Destination JNDI Name”
Make sure you have given the connection url in the below format
“t3://localhost:7001”.
If you want to connect to multiple IP’s then you can give the url like below
“t3://<First IP Address>:<Port>,<Second IP Address>,<Port>

Also make sure the jndi names of connection factory and Queue or Topic, which you provided in the source and destination are correct.
It’s always recommended to restart the servers if you have changed any above parameters, so that binding will be refreshed.

In the logs if you see any exception with is mentioning  “eis.jms.WLSConnectionFactoryJNDIXA" or "eis.jms.WLSConnectionFactoryJNDINoTX" then it will be a problem with the adaptor.

Whenever you configure a XA or non-XA bridge to a server or a cluster of servers a file called jms-xa-adp.rar (for XA) or jms-notran-adp.rar(for non-XA) will be deployed automatically.

Make sure the files are in Active state in the “Deployment tab” at the Admin Console  and its targeted to correct servers where the bridge resides.

Posted by at No comments:
Labels:

Tuesday, June 25, 2013

WebLogic Password Reset

Below is the step where we can reset the Weblogic Password, if you are not able to login to Admin Console or forget the admin password.

1.Stop all running weblogic instances.

2.Rename the ldap folder (For eg. path <Domain_home>\servers\AdminServer\data).

3.Rename boot.properties file (For eg.  <Domain_home>\AdminServer\security).

4.Go to the domain's bin directory.

5.Run setDomainEnv.cmd
   In Windows: >setDomainEnv.cmd
   In Unix: # . ./setDomainEnv.sh
 
6.Run below command. Don't forget to give a "." at the nd of the syntax, both on Unix and windows.

  For Unix: java weblogic.security.utils.AdminAccount <username> <new_password> .

  For Windows: java -cp C:\wls103\wlserver_10.3\server\lib\weblogic.jar:%CLASSPATH% weblogic.security.utils.AdminAccount <username> <new_password> .

7. A file called "DefaultAuthenticatorInit.ldift" will get created in the domain directory(from where you are ran the above command).

8.Copy it and paste it in domain security folder (For eg. <Domain_Home>\security) (Make sure you have a back up of old 7.DefaultAuthenticatorInit.ldift  file )


9.Run startWeblogic.cmd/startWeblogic.sh to start Administrator server

10.It will ask to put the user name and password. Put the new credentials.


Changes which needs to be done on the boot.properties so that server will startup  automatically.

1. Edit or create the boot.properties file under location <Domain_home>/server/<Admin_Server>/security
2. Add username and password as below:
   username=<User_Name>
   password=<New_Password>

   Make sure you are not giving any extra spaces.
 
3. Save it and again try to restart Administrator server. It will use boot.properties file and starts running.

If you check the boot.properties files after the statup you will see it encrypted.

Posted by at No comments:
Labels:

JMS AutoMigration

JMS AutoMigration

In this I will be help you understanding the configuration and working of JMS Auto Migration.

WebLogic Server supports migration at the server level—a complete server instance, and all of the services it hosts can be migrated to another machine, either automatically, or manually. For more information
WebLogic Server supports service-level migration for JMS-related services, the JTA Transaction Recovery Service, and user-defined singleton services. These are referred to as migratable services, because you can move them from one server to another within a cluster.

For this you will need below setup configured.

1)      A WebLogic 11g or higher server

2)      1 Admin and (atleast) 2 Managed Server in a cluster.

3)      Node Manager should be configured and both the managed server should be in its server list.

Below are the steps to configure and test the JMS auto migration.

First decide which type of migration you want to use.


* Database -- requires that Data Source For Automatic Migration field is set with a valid JDBC system resource. It implies that there is a table created on that resource that migrating servers will use for leasing.
  * Consensus -- requires that all servers that are migratable, or which could host an auto-migratable target, have a Node Manager associated with them.

In my example I am using Consensus method for which you need to set the cluster -à Migration tab like
below.





1)      Make sure that the NodeManager is running and reachable.


2)      Create 2 JMS server and target them to ms1 (migratable) and ms2 (migratable) respectively.

 3)      Create a connection factory and Queue targeting to cluster and JMS server 1(JMS server 1 is inturn targeted to managed server 1)


4)      The Migration policy of both the server should be “Auto-Migrate Exactly-Once Services” (Same can be found in Admin Console-à Configuration -à  Migration page)

Also in the “Constrained Candidate Servers:” tab make sure both the server are in chosen tab.



 5)      Start both Managed servers
We can see that the JMS servers are targeted to their respective servers.



 Check the JNDI tree of both the server and confirm that the connection factory and Queue name is mapped properly





Shutdown one server (Say ms1).



Check the JMS server summary. In the Current server you will see that JMS Server-1 is now targetted to ms2 instead of ms1.
Same can be confirmed by checking the JNDI tree


Posted by at No comments:
Labels:

Monday, June 24, 2013

Creating A Private Root CA to sign the SSL certificates using OpenSSL


Goal of the Document is to demonstrate the step-by-step procedure to create the CA using OpenSSL on Windows and getting the Certificates signed from the CA created.

NOTE:- This can only be used for testing puposes and cannot be used for Production Systems and this would be Private CA and will not be providing Security as provided by Authorised CA bodies.
Step1. Download and setup the open SSL Environment

 Download the required binaries from the below link:

This link will also offers you to download “Visual C++ 2008 Redistributable for Windows” without which you will not be able to run openssl binaries and will hit the below Error. So download the openssl appropriate for your machine along with the Visual C++ Redistributable   :-



Once Installation is completed you will get the folder name “C:\OpenSSL-Win64” created under C:/ by default. (Name may vary according to the binaries used)
In order to identify the windows to openssl commands set the C:\OpenSSL-Win64\bin in your computer system PATH variable

Step 2 : Create Root CA Certificate and key
Open a DOS Command Prompt
Navigate to the OpenSSL Binaries directory type

cd  C:\OpenSSL-Win64\bin

Create the private key. Type

openssl genrsa -des3 -out PrivateRootCA.key 4096

This will create a Private Key named “RootCA.key”

When prompted enter a *very* strong password

And then verify the password

Create the public key. Type

openssl req -new -x509 -days 365 -key PrivateRootCA.key -out PrivateRootCA.cer

When prompted enter the *very* strong password

For Country Name enter the international standard two letter abbreviation (use GB, NOT UK if in the UK)
For State enter the state name in full, or for IN the county name
For Locality, enter where your company is registered, town or city
For organization name enter either the full company name e.g. Mycompany LTD
For organization unit enter Development or Support
For common name use your domain name e.g mycompany.com
For email address enter a valid address e.g. support@mycompany.com Or you can leave this blank and hit Enter

This will create a Public Key for the root ca named “PrivateRootCA.cer”

Now you are done with creation of a Root CA who can sign your Certificates.

You can verify the Root CA by double clicking on RootCA.cer and you would see Issuer and Owner to be same as below:-







From above screen shots you it can be verified as the Subject Type is CA.


Step3:-  Trusting the New CA in Windows trust Store
In order to use this certificate as trusted certificate for your windows  machine please install the certificate in to your Windows trusted CA list as below:-

1. Double Click on the certificate named RootCA.cer
2. Click on “Install Certificate” button at the bottom in the General Tab




3.You will get below screen and click on “Next”



4.Clicking on the next you will get below screen in this select “Place all certificate in the following store” and in the popup window select “Trusted Root certification Authorities” and click “Ok” and Finsh





5.Once you finish importing the new Trusted Root CA into the store you will get below warning appearing into the windows





Please read through the same and say yes if you are fine with this.If not please do not import the Rot CA into your  Windows trust Store.

Step4:- How to get your Self-Signed certificate Signed from this CA?

Generate a self signed certificate using

keytool -genkey -alias server_cert -keyalg RSA -keypass privatepassword -keystore keystore.jks -storepass password ( create a key pair )

keytool -export -alias server_cert -file self-signed.cer -keystore keystore.jks ( export the certificate from keystore keystore into a file, say self-signed.cer

 keytool -certreq -v -alias server_cert -file server.csr -keypass privatepassword -storepass password  -keystore keystore.jks

Once above 3 commands executed you will get three files named

keystore.jks
self-signed.cer
server.csr

Now double click on the file named “self-signed.cer” and click on “Details” Tab inside details tab click on the “Serial number” on the lower box you will find a hex values something like
“‎4f b9 da 8c “ and keep it saved somewhere we would need it in the next step.





Now copy the file named “server.csr” to location “C:\OpenSSL-Win64\bin”

Execute the below command:-

openssl x509 -req -days 365 -in server.csr -CA PrivateRootCA.cer -CAkey PrivateRootCA.key -set_serial 0x4fb9da8c -out server.cer

NOTE:- Please look at the parameter named “-set_serial” which is given a value “0x4fb63530” which is nothing but the Serial Key which we had saved earlier as “4f b6 35 30″ from the self-signed certificate so as to generate the signed-certificate with the same key as we need to import this back to the keystore.It is prefixed with 0x to support the Hex value as 0x is not needed if you  Serial value if in Decimal format.
Once above command is executed successfully you will get a file named “server.cer” created on the same location.

Double Click on the file named “server.cer” and you will see as below:-




Where the things to be noticed are “Issued to” and Issued by” which are showing it as the signed by Private RootCA Ltd.

Now go to “Details” tab and check whether the signed certificate has been generated with the same Serial as self-signed certificate:-



Check in the Certification Path and you would be able to see hierarchy of the certification:-





NOTE:- You might not see the chain directly and would see only one cert in the list that happens because the CA (Our  own created) is not known to windows Trust store so in order to get away with that you would have to add this CA into Windows Trust store. (As mentioned above step-by-step) in Step 3


Step 5:- Importing the Signed Certificate into your Keystore to create a cert-chain  and use the same

Now copy the server.cer and PrivateRootCA.cer file to the location where you have created/generated  your keystore.

Execute below command to import the RootCA.cer certificate into your keystore as this is needed to be present in the keystore before importing the signed certificate.

keytool -import -v -noprompt -trustcacerts -alias rootcacert -file PrivateRootCA.cer -keystore keystore.jks -storepass password

Output Would be as below:-
Certificate was added to keystore
[Storing keystore.jks]

Now import the Signed certificate into your keystore

keytool -import -v -alias server_cert -file server.cer -keystore keystore.jks -keypass privatepassword -storepass password


Output would be as below:-

Certificate reply was installed in keystore
[Storing keystore.jks]

Which implies the Signed certificate had been imported successfully.

Now list the keystore and verify that the certificate chain had been created successfully in the keystore:-
keytool -list -v -keystore keystore.jks  -alias server_cert  -storepass password
You would see the output as below:-

D:\keystore>keytool -list -keystore keystore.jks -v -alias server_cert
Enter keystore password:
Alias name: server_cert
Creation date: May 21, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=My.Machine.Host.Name, OU=Support, O=Oracle, L=KA, ST=Ban, C=IN
Issuer: CN=Private RootCA Ltd., OU=Support, O=Oracle, L=BAN, ST=KA, C=IN
Serial number: 4fb9da8c
Valid from: Mon May 21 11:44:04 IST 2012 until: Tue May 21 11:44:04 IST 2013
Certificate fingerprints:
MD5:  5F:FF:6F:8A:C5:22:3D:51:23:A8:FF:AF:96:5A:98:BB
SHA1: 29:4A:14:5A:42:31:57:94:57:3A:CA:B4:E2:AB:00:90:D5:69:96:1C
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=Private RootCA Ltd., OU=Support, O=Oracle, L=BAN, ST=KA, C=IN
Issuer: CN=Private RootCA Ltd., OU=Support, O=Oracle, L=BAN, ST=KA, C=IN
Serial number: 9126d09b3c5e8c3c
Valid from: Mon May 21 11:40:41 IST 2012 until: Tue May 21 11:40:41 IST 2013
Certificate fingerprints:
MD5:  7A:8E:2A:3B:19:51:8C:F7:B3:3A:31:CE:78:30:DF:E6
SHA1: B7:7D:58:B2:85:EC:44:15:FB:78:F6:B3:4E:A3:AD:A4:25:5C:B4:C2
Signature algorithm name: SHA1withRSA
Version: 3Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 99 A1 64 8D 58 58 2F AE   05 04 4B 3D C4 35 EA 39  ..d.XX/...K=.5.9
0010: 04 E3 8F 7F                                        ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 99 A1 64 8D 58 58 2F AE   05 04 4B 3D C4 35 EA 39  ..d.XX/...K=.5.9
0010: 04 E3 8F 7F                                        ....
]
]
D:\keystore>
Where you can see the Certificate[1] as your server certificate and Certificate[2] as RootCA certificate who signed the certificate.


Step 6:- Configuring and using the Keystore and Certificates created
From the Admin console, go to your server page, and in the Keystore&SSL tab choose:
Custom Identity and Custom Trust
Custom Identity
Custom Identity Key Store File Name:  keystore.jks
Custom Identity Key Store Type: jks
Custom Identity Key Store Pass Phrase:  password
Confirm Custom Identity Key Store Pass Phrase: password
Custom Trust
Custom Trust Key Store File Name:  keystore.jks
Custom Trust Key Store Type: jks
Custom Trust Key Store Pass Phrase:  password
Confirm Custom Trust Key Store Pass Phrase: password
Private Key Alias: server_cert
Passphrase: password  privatepassword
Confirm Passphrase:   privatepassword

Ensure that SSL Listen Port Enabled is selected, then restart your server.
You are done.
WebLogic is now configured successfully to do one-way SSL (no client authentication).
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)