WebLogic SSL Configuration

Notice

The information contained in this document is subject to change without notice. All information in this document is based on the 4.50 release of Personality. This material is provided “AS IS” and there is no warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
High Line Corporation shall not be liable for errors contained in this document or for incidental or consequential damages (including lost profits in connection with the furnishing, performance or use of this material whether based on warranty, contract, or other legal theory).
This document contains proprietary information and is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced or translated into another language without the prior consent of High Line Corporation.
HIGH LINE CORPORATION
145 Renfrew Drive, Suite 210
Markham, Ontario L3R 9R6
Canada

Revision History

Name               Date         Reason for Changes                      Ver./Rev.
Aubrey Pantlitz    2015-03-16   Original Version                        1
Robert Forbes      2015-03-17   Edits                                   2
Iain Barr          2015-05-25   Corrections to KEYTOOL command lines    3

OVERVIEW:

By default, communication with the Personality and Self-Service applications deployed on a WebLogic server is not encrypted. Customers who wish to secure this communication can follow the steps outlined below, either once for both applications or separately for each application when they are deployed to separate servers.

SYSTEM REQUIREMENTS:

Personality must already be installed and configured. If you have not done so already, please refer to the installation documentation to get started.



Step 1: Create Java Keystore

1. Create a directory called keystore in the Highline folder on the WebLogic server. For documentation purposes we will assume the path d:\highline\keystore. If you are installing on a Linux server, change the directory path accordingly.
2. Open a command prompt as an administrator.
3. Navigate to your $DOMAIN_HOME/bin directory (for example D:\Oracle\Middleware\user_projects\highline\bin).
4. Run the following command to set the environment variables (this puts the JDK's keytool on your PATH):
   On Linux: . $DOMAIN_HOME/bin/setDomainEnv.sh (source the script with a leading dot so the variables apply to your current shell)
   On Windows: %DOMAIN_HOME%\bin\setDomainEnv.cmd
5. Run the following command to create a Java keystore containing a new 2048-bit RSA key pair:

   keytool -genkeypair -alias server_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=server.domain.com, OU=support, O=Highlinecorp" -keypass welcome1 -keystore d:\highline\keystore\keystore.jks -storepass welcome1

   Where:
   server.domain.com is the fully qualified server name
   support is your department managing the environment
   Highlinecorp is your organization that manages the application
   welcome1 is the password you choose (the keystore password given to -storepass and the key password given to -keypass are entered again in Step 4)

Step 2: Generate a Certificate Request

Run the following command to generate a certificate signing request (CSR) for the key pair created in Step 1:

keytool -certreq -v -alias server_cert -file d:\highline\keystore\keystore.csr -sigalg SHA256withRSA -keypass welcome1 -storepass welcome1 -keystore d:\highline\keystore\keystore.jks

Note: Make sure you use the same -alias, -storepass and -keypass values as in step 5 of Step 1.
Send the resulting certificate request file (keystore.csr) to a Certificate Authority (CA) of your choice.

Step 3: Install Certificate

Once you have received the certificate back from your certificate authority (CA), you will need to import it, along with the root CA certificate(s) and any intermediate certificates, into your keystore.
In the file explorer of MS Windows, open the server certificate from your CA and select the Certificate Path tab.

[Figure: Certificate Path tab of a GoDaddy-issued server certificate, showing the root and intermediate CAs above the server name]
The server name has been blocked out for security reasons.

If the certificate shows several CAs above the server name, as in the GoDaddy example above, each CA certificate must be imported into the keystore.

In the case of GoDaddy, the CA certificates are included in a certificate bundle. However, each certificate will need to be separated out into its own file and imported individually. Alternatively, you can download the individual certificates from the GoDaddy repository on their web site.

1. Follow steps 2 through 4 of Step 1 above to get to the correct directory on your WebLogic server and set the environment.
2. Run the following command to import your root CA certificate into your keystore. The command below assumes rootca.cer is the file received from your CA and that it is stored in the d:\highline\keystore directory.

keytool -import -v -noprompt -trustcacerts -alias rootcacert -file d:\highline\keystore\rootca.cer -keystore d:\highline\keystore\keystore.jks -storepass welcome1

Repeat this step for each root and intermediate certificate, ensuring each has a unique alias in the keystore (i.e. change both the -alias and -file options for each import; importing under an alias that already exists replaces the earlier certificate). These certificates need to be imported in the order listed in the certificate path of the server certificate, starting with the root.

3. Run the following command to import your server certificate into your keystore. The command below assumes server.cer is the file received from your CA and that it is stored in the d:\highline\keystore directory. The -alias must be the same one used when the key pair was created in Step 1, so that the certificate is attached to that private key.

keytool -import -v -alias server_cert -file d:\highline\keystore\server.cer -keystore d:\highline\keystore\keystore.jks -keypass welcome1 -storepass welcome1

If the import fails with an error containing the string "failed to establish chain from reply", a CA certificate in the chain was missed or was imported in the wrong order; keytool's -list -v option shows which certificates the keystore currently holds.
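The bundle handling described above (separating a CA bundle into one file per certificate and importing each under its own alias) is easy to get wrong by hand; the script below is an added example, not part of the High Line document, that does the splitting and builds the keytool import commands with unique aliases. The bundle text, the cacert1/cacert2 alias scheme and the keystore_work directory are constructed for illustration.

```python
"""Split a CA certificate bundle into one file per certificate and build the
keytool import commands, one unique alias per certificate.
Added example; not part of the High Line document."""
import re
import shutil
import subprocess
from pathlib import Path

# Matches one PEM certificate block; re.DOTALL lets '.' span the base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle: two PEM-shaped blocks with dummy base64 bodies,
# plus the "subject=" text lines some tools place between certificates.
SAMPLE_BUNDLE = """\
subject=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBintermediateDUMMYBASE64DATA==
-----END CERTIFICATE-----
subject=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBrootDUMMYBASE64DATA==
-----END CERTIFICATE-----
"""


def split_bundle(bundle_text: str) -> list[str]:
    """Return each PEM certificate block in the order it appears in the bundle.

    Bundle order is not necessarily the order shown on the Certificate Path
    tab; reorder the returned list (root first) if the path differs."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(bundle_text)]


def write_certs(blocks: list[str], out_dir, stem: str = "ca") -> list[Path]:
    """Write each block to <out_dir>/<stem>1.cer, <stem>2.cer, ... ; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for n, block in enumerate(blocks, start=1):
        path = out / f"{stem}{n}.cer"
        path.write_text(block)
        paths.append(path)
    return paths


def import_commands(cert_paths, keystore, storepass, alias_prefix="cacert"):
    """One keytool -import argv list per certificate, aliased <prefix>1, <prefix>2, ...
    so that no import overwrites an earlier one. argv lists avoid shell quoting."""
    cmds = []
    for n, path in enumerate(cert_paths, start=1):
        cmds.append([
            "keytool", "-import", "-v", "-noprompt", "-trustcacerts",
            "-alias", f"{alias_prefix}{n}",
            "-file", str(path),
            "-keystore", str(keystore),
            "-storepass", storepass,
        ])
    return cmds


def run_imports(cmds) -> int:
    """Run the imports in order; fail early if keytool is not on PATH."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not found on PATH; run setDomainEnv first")
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    blocks = split_bundle(SAMPLE_BUNDLE)
    files = write_certs(blocks, "keystore_work")
    for cmd in import_commands(files, "keystore_work/keystore.jks", "welcome1"):
        print(" ".join(cmd))
```

Run it against the real bundle by reading the file into split_bundle and passing the real keystore path; call run_imports only once the order of the written files matches the Certificate Path tab. If you omit -storepass from the argument list, keytool prompts for the password instead of exposing it in the process list.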

Step 4: Configure WebLogic Server for SSL

1. Log in to the WebLogic Console: http://server.domain:7001/console
2. Select 'Environment' -> 'Servers' and click on the ePersonality or Self Service server you want to configure with SSL.
3. Select 'Lock & Edit' from the upper left corner of the page.
4. Locate the 'SSL Listen Enabled' toggle and place a check in the box to enable SSL.
5. In the 'SSL Listen Port' field, enter the port to use for SSL communication, for example 443.
6. Click the Save button.
7. Select the 'Keystore' tab.
8. Select 'Custom Identity and Custom Trust' from the drop-down list and click 'Save'.
9. Enter the following information to configure your server (the keystore created in Step 1 serves as both identity and trust keystore, and <storepass_pwd> is the -storepass value from Step 1):
   Identity keystore
   'Custom Identity Keystore': <path_to_keystore>, e.g. d:\highline\keystore\keystore.jks
   'Custom Identity Keystore Type': JKS (this must be in upper case)
   'Custom Identity Keystore Passphrase': <storepass_pwd>, e.g. welcome1
   'Confirm Custom Identity Keystore Passphrase': <storepass_pwd>, e.g. welcome1
   Trust keystore
   'Custom Trust Keystore': <path_to_keystore>, e.g. d:\highline\keystore\keystore.jks
   'Custom Trust Keystore Type': JKS (this must be in upper case)
   'Custom Trust Keystore Passphrase': <storepass_pwd>, e.g. welcome1
   'Confirm Custom Trust Keystore Passphrase': <storepass_pwd>, e.g. welcome1
10. Click Save.
11. Select the 'SSL' tab.
12. Enter the following information to configure your server (<keypass_pwd> is the -keypass value from Step 1):
   'Private Key Alias': <alias_given_when_creating_key>, e.g. server_cert
   'Private Key Password': <keypass_pwd>, e.g. welcome1
   'Confirm Private Key Password': <keypass_pwd>, e.g. welcome1
13. Click 'Advanced' and ensure the 'Use JSSE SSL' check box is selected. Click Save.
14. Select the 'Server Start' tab.
15. In the 'Arguments' text area add:
   -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.1
   This sets the minimum protocol version the server will accept during the SSL handshake; older protocol versions offered by a client are rejected.

Step 5: JNLP Configuration (Optional)

If you only want to encrypt communication for Self-Service users, your configuration is now complete and you can proceed to Step 6 to restart the server(s) and test your configuration. If you also wish to apply this certificate to the Personality administration interface, follow these additional steps:
1. Open the ePersonality.jnlp file with a text editor of your choice.
2. Change all HTTP references to HTTPS.
3. Change the port references to the secure port configured in Step 4, e.g. 443.
4. Change the T3 protocol references to T3S.
5. Save your changes.
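The three JNLP edits above (HTTP to HTTPS, plain port to the SSL port, T3 to T3S) apply to every URL in the file, so a scripted rewrite is less error-prone than editing by hand. The script below is an added example, not part of the High Line document; the JNLP content, host name and main class in it are constructed, and the real ePersonality.jnlp will contain different URLs.

```python
"""Rewrite a JNLP file so the client uses HTTPS and T3S on the SSL port.
Added example; the sample JNLP below is constructed, not the real ePersonality.jnlp."""
import re
import shutil
import sys

# Constructed sample: a codebase, a jar reference and a T3 argument, all on the
# unencrypted port, as the file would look before Step 5 is applied.
SAMPLE_JNLP = """\
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://server.domain.com:7001/ePersonality" href="ePersonality.jnlp">
  <information><title>ePersonality</title></information>
  <resources>
    <jar href="http://server.domain.com:7001/ePersonality/lib/client.jar"/>
  </resources>
  <application-desc main-class="com.example.Main">
    <argument>t3://server.domain.com:7001</argument>
  </application-desc>
</jnlp>
"""

# Matches plain http:// or t3:// URLs only: the literal "://" right after the
# scheme means https:// and t3s:// never match, so a rewrite is idempotent.
# Groups: scheme, host, optional port.
PLAIN_URL = re.compile(r"\b(http|t3)://([^/:\s\"'<>]+)(?::(\d+))?")


def secure_jnlp(text: str, secure_port: int) -> str:
    """Return the JNLP text with every http:// and t3:// URL switched to the
    secure scheme and pointed at secure_port (the SSL Listen Port from Step 4)."""
    def repl(m: re.Match) -> str:
        scheme, host = m.group(1), m.group(2)
        secure_scheme = "https" if scheme == "http" else "t3s"
        return f"{secure_scheme}://{host}:{secure_port}"
    return PLAIN_URL.sub(repl, text)


def remaining_plain_urls(text: str) -> list[str]:
    """List any unencrypted URLs still present; empty means the rewrite is complete."""
    return [m.group(0) for m in PLAIN_URL.finditer(text)]


def rewrite_file(path: str, secure_port: int) -> int:
    """Rewrite the JNLP file in place, keeping a .bak copy; return URLs changed."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    changed = len(remaining_plain_urls(original))
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(secure_jnlp(original, secure_port))
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"{rewrite_file(sys.argv[1], int(sys.argv[2]))} URL(s) rewritten")
    else:
        print(secure_jnlp(SAMPLE_JNLP, 443))
```

Run it as python secure_jnlp.py ePersonality.jnlp 443 (script name assumed); with no arguments it prints the rewritten constructed sample. Running it twice is safe because already-secure URLs are left untouched.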

Step 6: Restart Server(s)

Restart the server(s), then launch ePersonality (or the Self-Service application) and confirm that it connects over the SSL port configured in Step 4.