!!!WebLogic SSL Configuration

!!Notice
The information contained in this document is subject to change without notice. All information in this document is based on the 4.50 release of Personality. This material is provided “AS IS” and there is no warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

High Line Corporation shall not be liable for errors contained in this document or for incidental or consequential damages (including lost profits in connection with the furnishing, performance or use of this material whether based on warranty, contract, or other legal theory).

This document contains proprietary information and is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced or translated into another language without the prior consent of High Line Corporation.

HIGH LINE CORPORATION\\
145 Renfrew Drive, Suite 210\\
Markham, Ontario L3R 9R6\\
Canada

!!Revision History
|Name|Date|Reason for Changes|Ver./Rev.
|Aubrey Pantlitz|2015-03-16|Original Version|1
|Robert Forbes|2015-03-17|Edits|2
|Iain Barr|2015-05-25|Corrections to KEYTOOL command lines|3

!!!OVERVIEW:
By default, the communication of the Personality and Self-Service applications deployed on a WebLogic server is not encrypted. Customers wishing to secure this communication can follow the steps outlined below for both applications, or separately for an individual application deployed to its own server(s).

!!SYSTEM REQUIREMENTS:
Personality must already be installed and configured. If you have not done so already, please refer to the installation documentation to get started.

!!!Step 1: Create Java Keystore
# Create a directory called __keystore__ in the Highline folder on the WebLogic server. For documentation purposes, we will assume ''d:\highline\keystore'' as the path. If you are installing on a Linux server, please change the directory name accordingly. The keystore will hold the server's private key, so make the directory readable only by the operating system account that runs WebLogic.
# Open a command prompt as an administrator.
# Navigate to your $DOMAIN_HOME/bin directory (may be something like D:\Oracle\Middleware\user_projects\highline\bin).
# Run the following command to set the environment variables accordingly:\\
On Linux: . $DOMAIN_HOME/bin/setDomainEnv.sh (source the script with a leading dot so the variables remain set in the current shell)\\
On Windows: %DOMAIN_HOME%\bin\setDomainEnv.cmd
# Run the following command to create a Java keystore containing a new 2048-bit RSA key pair:
{{{
keytool -genkeypair -alias server_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=server.domain.com, OU=support, O=Highlinecorp" -keypass welcome1 -keystore d:\highline\keystore\keystore.jks -storepass welcome1
}}}
Where:
* __server.domain.com__ is the fully qualified server name; it must match the host name that users type into their browsers
* __support__ is your department managing the environment
* __Highlinecorp__ is your organization that manages the application
* __welcome1__ is the password you choose. Do not use the example value: anyone who can read the keystore file and knows this password can impersonate the server. Passwords given on the command line are also recorded in shell history and visible in process listings; keytool prompts for them when the -storepass and -keypass options are omitted, and also accepts -storepass:env VARIABLE and -storepass:file PATH (likewise for -keypass).

!!!Step 2: Generate a Certificate Request
Run the following command to generate a certificate signing request (CSR) for the key pair created in Step 1:
{{{
keytool -certreq -v -alias server_cert -file d:\highline\keystore\keystore.csr -sigalg SHA256withRSA -keypass welcome1 -storepass welcome1 -keystore d:\highline\keystore\keystore.jks
}}}
Note: Make sure you use the same -alias, -storepass and -keypass values that you used when creating the keystore in sub-step 5 of Step 1.

Send the above certificate request file to a Certificate Authority (CA) of your choice. The request contains only the public key and the subject name; the private key never leaves the keystore. Browsers match the host name against the certificate's Subject Alternative Name rather than the CN, and most public CAs add it from the CN automatically; if your CA requires it in the request, add -ext san=dns:server.domain.com to the command above.

!!!Step 3: Install Certificate
Once you have received the certificate back from your certificate authority (CA), you will need to import it, along with the root CA certificate and any intermediate certificates, into your keystore.

In the file explorer of MS Windows, open the server certificate from your CA and select the Certificate Path tab.
[GoDaddyCert.jpg]
The server name has been blocked out for security reasons.

If the certificate shows several CAs above the server name, as in the GoDaddy example above, each CA certificate ''must be'' imported into the keystore.

In the case of GoDaddy, the CA certificates are included in a certificate bundle. However, each certificate will need to be separated out into its own file and imported individually. Alternatively, you can download the individual certificates from their web site at [GoDaddy repository|https://certs.godaddy.com/repository].

Follow sub-steps 2 through 4 of Step 1 above to get to the correct directory on your WebLogic server.

Run the following command to import your root CA certificate into your keystore. The command below assumes __rootca.cer__ is the file received from your CA and that it is stored in the d:\highline\keystore directory:
{{{
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file d:\highline\keystore\rootca.cer -keystore d:\highline\keystore\keystore.jks -storepass welcome1
}}}
Because -noprompt suppresses keytool's fingerprint confirmation, compare the fingerprint shown by ''keytool -printcert -file rootca.cer'' with the value published by your CA before importing; every certificate imported as trusted here becomes a trust anchor for this server.

Repeat this step for each root and intermediate certificate, ensuring each has a unique alias in the keystore (i.e. change both the -alias and -file options for each import). Import the certificates in the order listed in the certificate path of the server, from the root down to the intermediate that issued your server certificate.

Run the following command to import your server certificate into your keystore. The command below assumes __server.cer__ is the file received from your CA and that it is stored in the d:\highline\keystore directory:
{{{
keytool -import -v -alias server_cert -file d:\highline\keystore\server.cer -keystore d:\highline\keystore\keystore.jks -keypass welcome1 -storepass welcome1
}}}
The alias must be the one given in Step 1 (server_cert) so that keytool attaches the certificate to the existing private key rather than creating a separate trusted-certificate entry. keytool reports "Certificate reply was installed in keystore" on success. If the import fails with the message "failed to establish chain from reply", a certificate in the chain was missed or imported in the wrong order; ''keytool -list -v -alias server_cert'' should afterwards show a certificate chain length equal to the number of certificates in the path.

!!!Step 4: Configure WebLogic Server for SSL
# Log in to the WebLogic Console: http://server.domain:7001/console
# Select 'Environment' -> 'Servers' and click on the ePersonality or Self Service server you want to configure with SSL.
# Select 'Lock & Edit' from the upper left corner of the page.
# Locate the 'SSL Listen Port Enabled' check box and place a check in the box to enable SSL.
# In the 'SSL Listen Port' field, enter a port to use for SSL communication. For example: 443. On Linux, binding a port below 1024 requires root privileges or the CAP_NET_BIND_SERVICE capability; if WebLogic runs as an unprivileged user, choose a port above 1024 (for example 7002) and, if 443 is required, map it with a load balancer or firewall rule.
# Click the Save button.
# Select the 'Keystores' tab.
# Select 'Custom Identity and Custom Trust' from the drop-down list and click 'Save'.
# Enter the information below to configure your server. The same keystore file serves as both identity and trust store because the CA certificates were imported into it in Step 3; the trust store determines which CAs this server accepts when it validates certificates, so it should contain only CAs you rely on.
#* ''Identity keystore''
#* 'Custom Identity Keystore': <path_to_keystore> e.g. d:\highline\keystore\keystore.jks
#* 'Custom Identity Keystore Type': JKS (this should be in upper case)
#* 'Custom Identity Keystore Passphrase': <storepass_pwd> e.g. __welcome1__
#* 'Confirm Custom Identity Keystore Passphrase': <storepass_pwd> e.g. __welcome1__
#* ''Trust keystore''
#* 'Custom Trust Keystore': <path_to_keystore> e.g. d:\highline\keystore\keystore.jks
#* 'Custom Trust Keystore Type': JKS (this should be in upper case)
#* 'Custom Trust Keystore Passphrase': <storepass_pwd> e.g. __welcome1__
#* 'Confirm Custom Trust Keystore Passphrase': <storepass_pwd> e.g. __welcome1__
# Click Save.
# Select the 'SSL' tab and enter the information below to configure your server:
#* 'Private Key Alias': <alias_given_when_creating_key> e.g. server_cert
#* 'Private Key Password': <keypass_pwd> e.g. __welcome1__
#* 'Confirm Private Key Password': <keypass_pwd> e.g. __welcome1__
# Click on 'Advanced' and ensure the 'Use JSSE SSL' check box is turned on. Click Save.
# Select the 'Server Start' tab and, in the 'Arguments' text area, add:
%%prettify
{{{
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1
}}}
/%
This defines the minimum protocol version WebLogic will accept during the SSL handshake; clients that offer only SSLv3 or TLSv1.0 are refused. TLSv1.1 has since been deprecated (RFC 8996), so on a WebLogic release and JDK that support it, set TLSv1.2 instead.

Finally, click 'Activate Changes' in the Change Center. The keystore and SSL settings made under 'Lock & Edit' are not applied until they are activated.

!!!Step 5: JNLP Configuration (''Optional'')
For those who want to encrypt communications for Self-Service users only, your configuration is now complete and you can proceed to Step 6 to restart the server(s) and test your configuration. If you also wish to apply this certificate to the Personality administration interface, follow these additional steps:
# Open the ePersonality.jnlp file with a text editor of your choice.
# Change all HTTP references to HTTPS.
# Change the port reference to the secure port chosen in Step 4, e.g. 443.
# Change the T3 protocol to T3S.
# Save your changes.
The client JRE that launches ePersonality validates the server certificate against its own trust store, so a certificate issued by a CA that the client JRE does not already trust will produce a warning or a connection failure on the client side.

!!!Step 6: Restart Server(s)
Restart the server(s) and launch ePersonality. Confirm in the browser that the connection reports the new certificate with no warnings, and that a client offering only a protocol below the configured minimum is refused.
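The keytool work of Steps 1 to 3 and the check of Step 6, scripted for a Linux shell as an added example that is not High Line's own code. The Linux keystore path, the KS_PASS environment variable, the hypothetical host names and the sample openssl s_client outputs are assumptions. It goes beyond the page's commands in three places: passwords are read through keytool's :env modifier instead of being typed on the command line, the CSR asks for a Subject Alternative Name, and a GoDaddy-style PEM bundle is split into one file per certificate with awk rather than by hand. The same keytool arguments apply on Windows once the paths are changed.

```shell
#!/bin/sh
# Added example, not High Line's own code. Scripts the keytool work of Steps 1-3
# and the post-restart check of Step 6 from a Linux shell. The keystore path,
# the KS_PASS variable, the host names and the sample outputs are assumptions.
# Passwords come from the environment (keytool's :env modifier) so they never
# appear in shell history or in "ps" output.

KS=${KS:-/opt/highline/keystore/keystore.jks}   # assumed Linux equivalent of d:\highline\keystore
ALIAS=server_cert                               # the same alias is used in Steps 1, 2 and 3

# Step 1: 2048-bit RSA key pair, SHA-256 signature, key password = store password.
gen_keypair() {  # gen_keypair FQDN OU ORG
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$1, OU=$2, O=$3" -keystore "$KS" -storepass:env KS_PASS -keypass:env KS_PASS
}

# Step 2: CSR. A SAN is requested as well, because browsers match the host name
# against SAN rather than CN; only the public key is written to the request file.
gen_csr() {  # gen_csr FQDN OUTFILE
  keytool -certreq -v -alias "$ALIAS" -sigalg SHA256withRSA -ext "san=dns:$1" -file "$2" \
    -keystore "$KS" -storepass:env KS_PASS -keypass:env KS_PASS
}

# Step 3a: split a PEM bundle (e.g. GoDaddy's) into OUTDIR/cert-1.pem, cert-2.pem, ...
# in bundle order, ignoring any text outside the BEGIN/END markers. Prints the count.
split_bundle() {  # split_bundle BUNDLE OUTDIR
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside                        { print > (dir "/cert-" n ".pem") }
    /-----END CERTIFICATE-----/   { inside = 0; close(dir "/cert-" n ".pem") }
    END                           { print n + 0 }' "$1"
}

# Step 3b: trust the CA chain, root first. A bundle is usually ordered leaf-to-root,
# so pass the split files in reverse (cert-2.pem cert-1.pem for a two-certificate
# bundle). -noprompt skips the fingerprint confirmation, so compare
# "keytool -printcert -file cert-N.pem" with the CA's published fingerprints first.
import_chain() {  # import_chain CERT...
  i=0
  for f in "$@"; do
    i=$((i + 1))
    keytool -import -v -noprompt -trustcacerts -alias "ca-$i" -file "$f" \
      -keystore "$KS" -storepass:env KS_PASS
  done
}

# Step 3c: install the CA's reply under the private key's alias, then show the
# chain length; "failed to establish chain from reply" means Step 3b is incomplete.
import_reply() {  # import_reply SERVER_CERT
  keytool -import -v -alias "$ALIAS" -file "$1" -keystore "$KS" \
    -storepass:env KS_PASS -keypass:env KS_PASS
  keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass:env KS_PASS |
    grep 'Certificate chain length'
}

# Step 6: what a client sees. Pass -tls1 or -tls1_1 to confirm that the minimum
# protocol version set in Step 4 is enforced (that handshake should fail).
tls_check() {  # tls_check HOST PORT [-tls1_2|-tls1_1|-tls1]   ($3 is intentionally unquoted)
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" ${3:-} 2>&1
}
negotiated_protocol() { sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1; }
# 0 = chain verified; 20/21 = issuer not found, i.e. an intermediate was not imported
verify_code() { sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1; }

# Constructed samples (not real captures): a two-certificate bundle and two s_client outputs.
demo_bundle() {  # demo_bundle OUTFILE
  printf '%s\n' 'Intermediate (constructed placeholder, not a real certificate)' \
    '-----BEGIN CERTIFICATE-----' 'placeholderbody1' '-----END CERTIFICATE-----' '' \
    '-----BEGIN CERTIFICATE-----' 'placeholderbody2' '-----END CERTIFICATE-----' > "$1"
}
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
SAMPLE_MISSING_CA='SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 21 (unable to verify the first certificate)'

case "${1:-}" in
  demo)    d=$(mktemp -d); demo_bundle "$d/bundle.pem"
           echo "certificates in bundle: $(split_bundle "$d/bundle.pem" "$d/out")"
           echo "sample verify code: $(printf '%s\n' "$SAMPLE_MISSING_CA" | verify_code)" ;;
  request) gen_keypair "$2" "$3" "$4" && gen_csr "$2" "${KS%.jks}.csr" ;;   # request FQDN OU ORG
  install) shift; import_chain "$@" ;;                       # install root.pem intermediate.pem
  reply)   import_reply "$2" ;;                              # reply server.cer
  check)   out=$(tls_check "$2" "$3" "${4:-}")               # check host port [-tls1_1]
           echo "protocol=$(printf '%s\n' "$out" | negotiated_protocol) verify=$(printf '%s\n' "$out" | verify_code)" ;;
esac
```

Run it as `KS_PASS=... ./wls-tls.sh request server.domain.com support Highlinecorp`, then `install` with the split CA files root first, `reply` with the CA's server certificate, and after Step 6 `check server.domain.com 443` (expect TLSv1.2 and verify code 0) followed by `check server.domain.com 443 -tls1` (expect a failed handshake). A verify code of 20 or 21 after a successful restart almost always means an intermediate certificate was left out of Step 3.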