Configure SSL for JD Edwards at Royal Koopmans
Content
1. Create Java keystore
2. Generate a Certificate Signing Request from your Keystore
3. Import the CA root and wildcard certificate into the java keystore
4. Enable SSL in Weblogic
5. Configure Weblogic to use the java keystore
6. Enable support for wildcard certificates in Weblogic
7. Adjust HTML Server in Server Manager
8. Renew certificate
9. Documentation
Create Java keystore
From a command prompt, execute the commands below; the indented lines that follow each command are the prompts and output keytool produces.
d:
cd d:\Java_64\jdk\bin
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore d:\Oracle\SSL\erp_royalkoopmans_com.jks -dname "CN=erp.royalkoopmans.com, OU=Royal Koopmans, O=IT Department, L=Leeuwarden, ST=Friesland, C=NL"
Enter keystore password: < Stored in LastPass >
Re-enter new password: < Stored in LastPass >
Enter key password for <server>
(RETURN if same as keystore password): [RETURN]
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore d:\Oracle\SSL\erp_royalkoopmans_com.jks -destkeystore d:\Oracle\SSL\erp_royalkoopmans_com.jks -deststoretype pkcs12".
keytool -importkeystore -srckeystore d:\Oracle\SSL\erp_royalkoopmans_com.jks -destkeystore d:\Oracle\SSL\erp_royalkoopmans_com.jks -deststoretype pkcs12
Enter source keystore password: < Stored in LastPass >
Entry for alias server successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "d:\Oracle\SSL\erp_royalkoopmans_com.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "d:\Oracle\SSL\erp_royalkoopmans_com.jks.old".
Generate a Certificate Signing Request from your Keystore
keytool -certreq -alias server -keyalg RSA -file d:\Oracle\SSL\erp_royalkoopmans_com.csr -keystore d:\Oracle\SSL\erp_royalkoopmans_com.jks
Enter keystore password: < Stored in LastPass >
This creates the file d:\Oracle\SSL\erp_royalkoopmans_com.csr.
Send this file to the Certificate Authority authorized to sign the request on behalf of Royal Koopmans.
Import the CA root and wildcard certificate into the java keystore
Back up d:\Oracle\SSL first, then import the signed reply (the PKCS#7 bundle containing the CA chain and the wildcard certificate) into the existing "server" key entry:
keytool -import -trustcacerts -alias server -file d:\Oracle\SSL\erp_royalkoopmans_com.p7b -keystore d:\Oracle\SSL\erp_royalkoopmans_com.jks
Enable SSL in Weblogic
- On your WebLogic server, expand the Servers node and select the server you need to configure.
- Next, go to Configuration-->General.
- Click Lock & Edit
- Select SSL Listen Port Enabled
- Set the SSL Listen Port to 443 (for production/p-jdewe01 only !!)
- Click Save and Activate Changes.
Configure Weblogic to use the java keystore
- On your WebLogic server, expand the Servers node and select the server you need to configure.
- Next, go to Configuration-->Keystores.
Note: Under Keystore Configuration, several default Keystores or previously installed Keystores may be displayed.
- To enable your new keystore, under Keystores, click the Change... link
- Select Custom Identity and Java Standard Trust as your keystore configuration type, and then click Save.
- As the Custom Identity Keystore file name, type the full path to the erp_royalkoopmans_com.jks file on your WebLogic server, including the file name itself.
- For Custom Identity Keystore Type, select jks.
- For Custom Identity Keystore PassPhrase, type the password you chose when creating the keystore.
- When asked again, type your Keystore password and confirm.
(Leave the Trust section as it is.)
- Click Save
- Click the SSL tab.
- Accept Keystores as the default value for Identity and Trust Locations.
- Specify the Private Key Alias (“server”) and Passphrase (identical to the keystore password) that were used when creating your Keystore.
- Click Save.
Enable support for wildcard certificates in Weblogic
- On your WebLogic server, expand the Servers node and select the server you need to configure.
- Next, go to Configuration-->SSL.
- Go to Advanced. Click Lock & Edit
- Set the Hostname Verification field to Custom Hostname Verifier.
- In the Custom Hostname Verifier field, enter the name of the implementation of the weblogic.security.SSL.HostnameVerifier interface:
weblogic.security.utils.SSLWLSWildcardHostnameVerifier
- Click Save and Activate Changes.
- Navigate to d:\Oracle\Middleware\user_projects\domains\base_domain\bin and update setDomainEnv.cmd with this line:
set EXTRA_JAVA_PROPERTIES=-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
- Restart the Admin Server and the Managed Server.
- Check the server logs for SSL errors.
Adjust HTML Server in Server Manager
- In Server Manager, click on the link of the HTML Server
- In the Instance Access Configuration section, adjust the domain name to royalkoopmans.com and enable SSL
Perform these actions for each HTML Server.
Renew certificate
- Logon to P-JDEWE01
- Create a back-up of d:\Oracle\SSL.
- From a command prompt, navigate to d:\Java_64\jdk\bin.
- Create a new certificate request by executing the following command:
(You may first have to delete the existing request: keytool.exe -delete -alias server; the alias is "server". Note that this removes the whole key entry, private key included, which is why the back-up above must exist.)
keytool -certreq -alias server -keyalg RSA -file d:\Oracle\SSL\new_erp_royalkoopmans_com.csr -keystore d:\Oracle\SSL\erp_royalkoopmans_com.jks
Enter keystore password: < Stored in LastPass >
Enter keystore password: Staat in Lastpass
- Import the new certificate:
keytool -import -trustcacerts -alias server -file d:\Oracle\SSL\new_erp_royalkoopmans_com.p7b -keystore d:\Oracle\SSL\erp_royalkoopmans_com.jks
Enter keystore password: < Stored in LastPass >
- After this, log in to WebLogic, go to Environment-->Servers and select J2EE_HTML_PD920.
- Then go to Control-->Start/Stop and choose Restart SSL.
- At the final prompt, choose Yes:
New sessions will then be served with the new certificate.
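An added verification script, not part of the original runbook, that serves two of the sections above: the wildcard-certificate section (it applies the matching rule a hostname verifier uses, so you can confirm that the installed certificate's name actually covers erp.royalkoopmans.com) and the renewal section (it reports how many days remain before the certificate expires, which is what tells you when to run the renewal steps). The host name and port come from this document; the sample certificate fields, the 30-day warning threshold and the function names are assumptions of this example. It uses only the Python standard library.

```python
"""Post-change check of the HTML server TLS endpoint (added example).

Run it after "Restart SSL" to confirm that the certificate WebLogic now
presents is valid for the public name and is not close to expiry.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public name and port of the HTML server, taken from the runbook.
HTML_SERVER = "erp.royalkoopmans.com"
HTTPS_PORT = 443
RENEW_WARN_DAYS = 30  # assumption: warn when fewer days remain


def hostname_matches(pattern, host):
    """Wildcard rule as in RFC 6125 (and as WebLogic's wildcard verifier
    applies it): '*' may only replace the whole leftmost label and never
    spans a dot, so *.royalkoopmans.com covers erp.royalkoopmans.com but
    not royalkoopmans.com or a.erp.royalkoopmans.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # wildcard must be the entire leftmost label
    if len(p_labels) != len(h_labels):
        return False          # '*' matches exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert, host):
    """Check the SubjectAltName dNSName entries; fall back to the subject
    CN (which is what keytool -dname sets) only when there are none."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(hostname_matches(n, host) for n in names)


def days_until_expiry(not_after, now=None):
    """'not_after' is the notAfter string ssl.getpeercert() returns,
    e.g. 'Jan 1 00:00:00 2030 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def assess(cert, host, now=None):
    """Combine both checks into one result dict."""
    return {
        "hostname_ok": cert_covers_host(cert, host),
        "days_left": days_until_expiry(cert["notAfter"], now),
    }


def fetch_peer_cert(host=HTML_SERVER, port=HTTPS_PORT):
    """Live check: do the handshake a browser would (full chain validation
    against the system trust store) and return the decoded leaf certificate.
    Needs network access, so the offline test does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    result = assess(fetch_peer_cert(), HTML_SERVER)
    print(result)
    if not result["hostname_ok"] or result["days_left"] < RENEW_WARN_DAYS:
        raise SystemExit("certificate needs attention: renew or fix the name")
```

Because `create_default_context()` validates the chain, a handshake failure here usually means the p7b import did not attach the CA chain to the "server" entry; `hostname_ok` being false means the wildcard does not cover the name the HTML server is reached on.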
Documentation
- How to Configure WebLogic Server to Support Wildcard Certificates (Doc ID 1474989.1)
- https://www.digicert.com/kb/csr-ssl-installation/weblogic-8-12x.htm
- https://coderanch.com/t/692329/application-servers/Wildcard-Certificate-WebLogic-cR