Configure SSL for JD Edwards at Royal Koopmans

 

 

Content

1. Create Java keystore
2. Generate a Certificate Signing Request from your Keystore
3. Import the CA root and wildcard certificate into the java keystore
4. Enable SSL in Weblogic
5. Configure Weblogic to use the java keystore
6. Enable support for wildcard certificates in Weblogic
7. HTML Certificate in BI server
8. BI Certificate in HTML server
9. Renew certificate
Documentation


1. Create Java keystore

From a command line, execute the following commands.

 

d:
cd d:\Java_64\jdk\bin
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore d:\Oracle\SSL\bip_royalkoopmans_com.jks -dname "CN=bip.royalkoopmans.com, OU=IT, O=Royal Koopmans, L=Leeuwarden, ST=Friesland, C=NL"

 

Enter keystore password: <see password in keepass>

Re-enter new password: <see password in keepass>

 

Enter key password for <server>

        (RETURN if same as keystore password): [RETURN]

 

 

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore d:\Oracle\SSL\bip_royalkoopmans_com.jks -destkeystore d:\Oracle\SSL\bip_royalkoopmans_com.jks -deststoretype pkcs12".

 

 

 

Migrate the keystore to PKCS12 as the warning suggests:

keytool -importkeystore -srckeystore d:\Oracle\SSL\bip_royalkoopmans_com.jks -destkeystore d:\Oracle\SSL\bip_royalkoopmans_com.jks -deststoretype pkcs12

 

Enter source keystore password: <see password in keepass>

 

Entry for alias server successfully imported.

Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

 

Warning:

Migrated "d:\Oracle\SSL\bip_royalkoopmans_com.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "d:\Oracle\SSL\bip_royalkoopmans_com.jks.old".

 

 

2. Generate a Certificate Signing Request from your Keystore

keytool -certreq -alias server -keyalg RSA -file d:\Oracle\SSL\bip_royalkoopmans.com.csr -keystore d:\Oracle\SSL\bip_royalkoopmans_com.jks

 

Enter keystore password: <see password in keepass>

 

 

This creates the file d:\Oracle\SSL\bip_royalkoopmans_com.csr.

 

Send this file to the Certificate Authority authorized to sign the request on behalf of Royal Koopmans.

 

 

<up to here>

 

3. Import the CA root and wildcard certificate into the java keystore

Back up d:\Oracle\SSL first.

keytool -import -trustcacerts -alias server -file d:\Oracle\SSL\bip_royalkoopmans_com.p7b -keystore d:\Oracle\SSL\bip_royalkoopmans_com.jks

Importing the CA reply under the same alias as the private key (server) replaces the self-signed certificate of that key entry with the CA-signed chain. keytool only accepts the reply if it can build a trusted chain from the certificates in the .p7b bundle and the JDK cacerts (-trustcacerts); if it reports that it cannot establish the chain, import the CA root and intermediate certificates first.

 

 

 

 

 

4. Enable SSL in Weblogic

1. On your WebLogic server, expand the Servers node and select the server you need to configure.
2. Next, go to Configuration --> General.
3. Click Lock & Edit.
4. Select SSL Listen Port Enabled.
5. Set the SSL Listen Port to 9503.
6. Click Save and Activate Changes.

 

 

5. Configure Weblogic to use the java keystore

1. On your WebLogic server, expand the Servers node and select the server you need to configure.
2. Next, go to Configuration --> Keystores.

Note: Under Keystore Configuration, several default Keystores or previously installed Keystores may be displayed.

3. To enable your new keystore, under Keystores, click the Change... link.
4. Select Custom Identity and Java Standard Trust as your keystore configuration type, and then click Save.
5. As the Custom Identity Keystore file name, type the full path to the erp_royalkoopmans_com.jks file on your WebLogic server, including the file name itself.
6. For Custom Identity Keystore Type, select jks. (Note: the keystore was converted to PKCS12 in section 1; if WebLogic cannot open it as jks, select pkcs12 here.)
7. For Custom Identity Keystore PassPhrase, type the <password> you created when creating the Keystore.
8. When asked again, type your Keystore password and confirm.

(Leave the Trust section as it is.)

9. Click Save.
10. Click the SSL tab.
11. Accept Keystores as the default value for Identity and Trust Locations.
12. Specify the Private Key Alias ("server") and Passphrase (identical to the keystore password) that were used when creating your Keystore.
13. Click Save.

 

 

6. Enable support for wildcard certificates in Weblogic

1. On your WebLogic server, expand the Servers node and select the server you need to configure.
2. Next, go to Configuration --> SSL.
3. Go to Advanced. Click Lock & Edit.
4. Set the Hostname Verification field to Custom Hostname Verifier.
5. In the Custom Hostname Verifier field, enter the name of the implementation of the weblogic.security.SSL.HostnameVerifier interface:

weblogic.security.utils.SSLWLSWildcardHostnameVerifier

6. Click Save and Activate Changes.
7. Navigate to D:\Oracle\Middleware\user_projects\domains\bi\bin and update setDomainEnv.cmd with this line:

set EXTRA_JAVA_PROPERTIES=-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier

(If setDomainEnv.cmd already sets EXTRA_JAVA_PROPERTIES, append the property to the existing value instead of overwriting it.)

8. Restart the Admin and Managed Server.
9. Check the logs.

7. HTML Certificate in BI server

Export HTML certificate from browser

Installing the EnterpriseOne HTML Certificate on the Web Browser

Install the EnterpriseOne HTML certificate that you generated following the steps in Section 17.2.1.

1. Enter the SSL URL of the EnterpriseOne HTML Server, for example: https://host:sslport/jde/E1Menu.maf 

2. If a security message appears warning you about the security certificate or whether the site can be trusted, select the option to continue. You will see a "Certificate Error" next to the URL address: 

3. Click the error to view the certificate, making sure that you recognize the certificate that you created from the previous steps. 

4. Click Install Certificate. If you do not see the install option, then you need to add the server to the trusted site in the browser. 

5. Install the certificate to "Trusted Root Certification Authorities." 

6. Restart the Browser and you should see a "lock" icon instead of the error: 

 

Exporting the EnterpriseOne HTML Certificate 

1. Click the Lock icon, and then click View Certificates. 

2. Click the Details tab. 

3. Depending on the browser you are using, click Export or Copy to File. The Export Wizard appears. 

4. Select the Base-64 encoded X.509 option. 

5. Name the export file and location.

Note: For Oracle BI Publisher with JDK 1.7, you need to enable the "Use JSSE SSL" check box in the Advanced Section on the SSL tab.

(The steps above are quoted from the JD Edwards EnterpriseOne Tools Security Administration Guide, "Implementing the SSL Connection for EnterpriseOne One View Reporting", page 17-8.)

6. Transfer the export file to the BI Publisher Server.

 

Import HTML certificate in BI keystore:

keytool -import -trustcacerts -alias htmlserver -file d:\Oracle\SSL\P_JDEWE01_HTML_PD.cer -keystore d:\Oracle\SSL\bip_royalkoopmans_com.jks

 

8. BI Certificate in HTML server

Export BI Publisher certificate from browser

Installing the EnterpriseOne HTML Certificate on the Web Browser

Install the EnterpriseOne HTML certificate that you generated following the steps in Section 17.2.1.

1. Enter the SSL URL of the EnterpriseOne HTML Server, for example: https://bip.royalkoopmans.com:9503/xmlpserver/

2. If a security message appears warning you about the security certificate or whether the site can be trusted, select the option to continue. You will see a "Certificate Error" next to the URL address: 

3. Click the error to view the certificate, making sure that you recognize the certificate that you created from the previous steps. 

4. Click Install Certificate. If you do not see the install option, then you need to add the server to the trusted site in the browser. 

5. Install the certificate to "Trusted Root Certification Authorities." 

6. Restart the Browser and you should see a "lock" icon instead of the error: 

 

Exporting the EnterpriseOne HTML Certificate 

1. Click the Lock icon, and then click View Certificates. 

2. Click the Details tab. 

3. Depending on the browser you are using, click Export or Copy to File. The Export Wizard appears. 

4. Select the Base-64 encoded X.509 option. 

5. Name the export file and location.

Note: For Oracle BI Publisher with JDK 1.7, you need to enable the "Use JSSE SSL" check box in the Advanced Section on the SSL tab.

6. Transfer the export file to the BI Publisher Server.

 

Import the BI certificate into the HTML server keystore:

keytool -import -trustcacerts -alias biserver -file d:\Oracle\SSL\P_JDEBI01_BI_PD.cer -keystore d:\Oracle\SSL\erp_royalkoopmans_com.jks

 

9. Renew certificate

1. On P-JDEBI01: Create a new certificate request (P_JDEBI01_BI_PD.csr):

keytool -certreq -alias server -keyalg RSA -file d:\Oracle\SSL\<new_bip_royalkoopmans_com>.csr -keystore d:\Oracle\SSL\bip_royalkoopmans_com.jks
Enter keystore password: ………..

2. Send the .csr to the Certificate Authority and receive the signed .p7b back.

3. On P-JDEBI01: Import the new certificate:

keytool -import -trustcacerts -alias server -file d:\Oracle\SSL\<new_bip_royalkoopmans_com>.p7b -keystore d:\Oracle\SSL\bip_royalkoopmans_com.jks
Enter keystore password: ………..

4. On P-JDEWE01: perform the steps from Chapter 8 again and save the result as D:\Oracle\SSL\P_JDEBI01_BI_PD.cer.
5. If Chapter 8 does not work, the following steps produce the same output:
    1. Open the .p7b file by double-clicking it.
    2. Expand the tree until you see the bip certificate.
    3. Double-click it, go to Details and choose Copy to File.
    4. Choose the DER option and click Next.
    5. On the file tab choose Browse, go to d:\Oracle\ssl and choose P_JDEBI01_BI_PD.cer.
    6. Choose Yes on the warning about overwriting the file.
    7. On the last tab choose Finish.

 


6. On P-JDEBI01: check whether the alias biserver already exists and when it expires:

keytool -v -list -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
Enter keystore password: ………..

Scroll through the output until you find the alias biserver.

7. If it is valid for 1 year it is probably the old one, and it has to be renamed before the new one can be imported:

keytool -changealias -alias biserver -destalias biserverold<year> -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
Enter keystore password: ………..

8. On P-JDEBI01: Import the saved certificate:

keytool -import -trustcacerts -alias biserver -file D:\Oracle\SSL\P_JDEBI01_BI_PD.cer -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
Enter keystore password: ………..

9. Copy the .cer file to D:\Oracle\SSL\ on the P-JDEWE01 server.

10. On P-JDEWE01: check whether the alias biserver already exists and when it expires:

keytool -v -list -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
Enter keystore password: ………..

Scroll through the output until you find the alias biserver. If it is valid for 1 year it is probably the old one, and it has to be renamed before the new one can be imported:

keytool -changealias -alias biserver -destalias biserverold<year> -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
Enter keystore password: ………..

11. On P-JDEWE01: Import the saved certificate:

keytool -import -trustcacerts -alias biserver -file D:\Oracle\SSL\P_JDEBI01_BI_PD.cer -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
Enter keystore password: ………..

If everything works as expected, the renamed old entry still has to be removed on P-JDEBI01:

D:\java_64\jdk\bin\keytool.exe -delete -alias biserverold<year> -keystore d:\oracle\ssl\erp_royalkoopmans_com.jks
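As an added example (not part of the runbook), the alias/expiry check done above by scrolling through keytool output, written as a small Python script: it parses `keytool -v -list` output, finds the alias and says whether the entry must first be renamed to biserverold<year>. The listing below is a constructed sample; the 90-day threshold, the function names and feeding the keystore password on stdin are assumptions of this example.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `keytool -v -list` output (not captured from a Royal Koopmans server).
SAMPLE_LISTING = """\
Alias name: biserver
Entry type: trustedCertEntry
Valid from: Sun Mar 03 10:00:00 CET 2019 until: Tue Mar 03 10:00:00 CET 2020
Alias name: server
Entry type: PrivateKeyEntry
Certificate[1]:
Valid from: Wed Jan 01 00:00:00 CET 2020 until: Fri Jan 01 00:00:00 CET 2021
Certificate[2]:
Valid from: Mon Jan 01 00:00:00 CET 2018 until: Sat Jan 01 00:00:00 CET 2028
"""

# keytool prints a zone abbreviation (CET/CEST) that strptime cannot parse portably; it is skipped.
VALID_RE = re.compile(r"Valid from: (\w{3} \w{3} \d\d \d\d:\d\d:\d\d) \S+ (\d{4}) "
                      r"until: (\w{3} \w{3} \d\d \d\d:\d\d:\d\d) \S+ (\d{4})")

def _stamp(text, year):
    return datetime.strptime(f"{text} {year}", "%a %b %d %H:%M:%S %Y")

def parse_entries(listing):
    """Map alias -> (not_before, not_after) of the end-entity certificate of each entry."""
    entries, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = VALID_RE.search(line)
        if m and alias and alias not in entries:   # first validity line after the alias = leaf cert
            entries[alias] = (_stamp(m[1], m[2]), _stamp(m[3], m[4]))
    return entries

def renewal_check(listing, alias, now=None, threshold_days=90):
    """Return (days_left, rename_to). rename_to is the aliasold<year> name the old entry gets via
    `keytool -changealias` before the renewed .cer is imported; (None, None) if the alias is absent."""
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return None, None
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    days = (entry[1] - now).days
    return days, (f"{alias}old{entry[1].year}" if days <= threshold_days else None)

def live_listing(password, keystore=r"d:\oracle\ssl\erp_royalkoopmans_com.jks"):
    """Run the runbook's keytool listing; the password is fed on stdin, not on the command line."""
    cmd = [r"D:\java_64\jdk\bin\keytool.exe", "-v", "-list", "-keystore", keystore]
    return subprocess.run(cmd, input=password + "\n", capture_output=True, text=True, check=True).stdout
```

On the server, `renewal_check(live_listing(password), "biserver")` gives the answer without scrolling; the password is passed on stdin so it does not appear in the process list.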
 

Documentation

 

  • How to Configure WebLogic Server to Support Wildcard Certificates (Doc ID 1474989.1)
  • https://www.digicert.com/kb/csr-ssl-installation/weblogic-8-12x.htm
  • https://coderanch.com/t/692329/application-servers/Wildcard-Certificate-WebLogic-cR