2012. 11. 13. 10:38
1. First
http://image.inames.co.kr/upload/1193292118.pdf
2. Second
http://cheese.springnote.com/pages/4649569
WLS 8.1 / WLS 6.1 - how to generate self-signed SSL certificates [ID 775115.1]
Applies to:
Oracle WebLogic Server / WebLogic Server / 8.1, 6.1
Information in this document applies to any platform
Goal
What is the procedure to generate self-signed SSL certificates for use with WLS 8.1 and WLS 6.1? The certificates will be used for internal testing; permanent certificates issued by a CA are not required.
Solution
Demo certificates are provided with all of these releases of WLS. If these demo certificates are not appropriate, however, here are some procedures that can be used.

For WLS 8.1:

There are (at least) 2 approaches to generating your own certificates:
1) Use self-signed certificates, with you as the certificate authority.
2) Use WLS's CertGen utility to create certificates signed by the WLS demonstration certificate authority.

Useful references for information about certificates, etc., are:
- The man page for the keytool utility, which is part of the JDK. See http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
- The WLS document "Managing WebLogic Security" at http://e-docs.bea.com/wls/docs81/pdf/secmanage.pdf, especially Chapter 7.
- The documentation for the openssl utility at http://www.openssl.org. openssl can be downloaded from this web site.

Procedure for generating a self-signed certificate for use with WLS 8.1 (option 1):

1) Generate the key pair and self-signed certificate. Use keysize 512 if you have an export license (look for SSL/Export in license.bea). Use keysize 1024 if you have a domestic license (look for SSL/Domestic in license.bea). Pick your own keystore name, alias name, and passwords; these are only examples. See also Table 7.1 in "Managing WebLogic Security".

    $JAVA_HOME/bin/keytool -genkey -keyalg rsa -keystore mykeystore.jks -alias weblogic -keysize 512 -keypass weblogic -storepass weblogic -validity 365

Supply your hostname to the prompt "First and last name" (e.g., myhost.bea.com).

2) Now extract the self-signed certificate into trust.pem:

    keytool -export -alias weblogic -file trust.pem -keystore mykeystore.jks -storepass weblogic -rfc

3) Import the self-signed certificate (which functions as its own certificate authority) into trust.jks:

    keytool -import -alias weblogic -file trust.pem -keystore trust.jks -storepass weblogic

Now you have mykeystore.jks containing your own host-specific certificate and private key, and trust.jks containing the trusted certificate.

4) Configure WLS via the console to use these custom identity and custom trust keystores. Point your browser to http://host:port/console and go to servers -> myserver -> Keystore & SSL -> Change. Choose Custom Identity and Custom Trust and supply mykeystore.jks as the custom identity keystore file name, type JKS, pass phrase weblogic. Use trust.jks as the custom trust keystore file name, etc. Then restart WLS.

The result is a modified <Server> section in your config.xml file that looks approximately like this (with your own file names, encrypted passwords, etc.):

    <Server CustomIdentityKeyStoreFileName="./certgen/mykeystore.jks"
        CustomIdentityKeyStorePassPhrase="{3DES}diJlCtIrNaBWwZfoa66Glg=="
        CustomIdentityKeyStoreType="JKS"
        CustomTrustKeyStoreFileName="./certgen/mykeystore.jks"
        CustomTrustKeyStorePassPhrase="{3DES}diJlCtIrNaBWwZfoa66Glg=="
        CustomTrustKeyStoreType="JKS"
        KeyStores="CustomIdentityAndCustomTrust"
        ListenAddress="1.2.3.4" ListenPort="7001" Name="myserver"
        NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy"
        ServerVersion="8.1.2.0">
      <SSL Enabled="true" HostnameVerificationIgnored="false"
          IdentityAndTrustLocations="KeyStores" ListenPort="7002" Name="myserver"
          ServerPrivateKeyAlias="weblogic"
          ServerPrivateKeyPassPhrase="{3DES}diJlCtIrNaBWwZfoa66Glg=="/>
    </Server>

Note that you must generate a self-signed certificate for each host system (the CN will be different in each certificate) unless you disable host name verification (HostnameVerificationIgnored="true" in the config.xml file).

Procedure for generating a self-signed certificate for use with WLS 8.1 (option 2):

This procedure is an alternative to option 1. It uses the demonstration certificate authority. The following instructions are derived from page 7-6 in "Managing WebLogic Security". See also http://e-docs.bea.com/wls/docs81/admin_ref/utils.html#1184336 for additional details.

1) Copy the needed files into the current directory for easy access:

    cp $WL_HOME/server/lib/CertgenCA.der .
    cp $WL_HOME/server/lib/CertgenCAKey.der .

2) Generate a certificate signed by the demonstration CA with domestic key strength. The common name (CN) is the same as the current hostname. The issuer CA name is CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US. The following command must be executed with CLASSPATH set for the WLS 8.1 environment:

    java utils.CertGen weblogic mycertfile mykeyfile

The files created are mycertfile.{der,pem} and mykeyfile.{der,pem}.

3) Convert CertgenCA.der to .pem format:

    java utils.der2pem CertgenCA.der

4) Concatenate the 2 certificates to form a chain:

    cat mycertfile.pem CertgenCA.pem > certs.pem

5) Create a new keystore and load the private key and certificate chain:

    java utils.ImportPrivateKey mykeystore.jks weblogic weblogic weblogic certs.pem mykeyfile.pem

6) List the keystore to make sure it's OK:

    keytool -v -list -keystore mykeystore.jks

7) Create a separate keystore for the trusted CA certificate:

    keytool -import -alias weblogic -file CertgenCA.pem -keystore trust.jks -storepass weblogic

8) Configure WLS 8.1 as previously to use mykeystore.jks and trust.jks.

For WLS 6.1:

1) Create a new copy of the configuration file used by openssl and modify it so that the basic constraint is marked "critical":

    cp $OPENSSL_HOME/bin/openssl.cnf .

Edit openssl.cnf. In the section [ v3_ca ] uncomment the line

    basicConstraints = critical,CA:true

and comment out the line (about 2 lines down)

    basicConstraints = CA:true

2) Generate a self-signed certificate for use as a root CA and an associated unencrypted private key (i.e., no password). When prompted, supply the hostname as the common name and omit the email address. For an export certificate use rsa:512. For a domestic certificate use rsa:1024.

    openssl req -config ./openssl.cnf -nodes -extensions v3_ca -x509 -newkey rsa:512 -keyout key.pem -out cert.pem -days 365

You can also supply the answers to the prompts on the command line if wished:

    openssl req -config ./openssl.cnf -nodes -extensions v3_ca -x509 -newkey rsa:512 -keyout key.pem -out cert.pem -days 365 -subj '/C=US/ST=NJ/L=Liberty Corner/O=BEA Systems/OU=Support/CN=<hostname>'

where <hostname> is the hostname.

3) Inspect the generated certificate:

    openssl x509 -in cert.pem -noout -text

4) Modify the WLS 6.1 SSL configuration (through the console or by editing the config.xml file). The resulting config.xml file should look something like this:

    <SSL Enabled="true" KeyEncrypted="false" ListenPort="7002" Name="myserver"
        ServerCertificateChainFileName="d:/meq/cases.d/492379/cert/cert.pem"
        ServerCertificateFileName="d:/meq/cases.d/492379/cert/cert.pem"
        ServerKeyFileName="d:/meq/cases.d/492379/cert/key.pem"
        TrustedCAFileName="d:/meq/cases.d/492379/cert/cert.pem"/>
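The WLS 6.1 steps 1 to 3 above, scripted end to end with the checks worth running before the files are referenced from config.xml. This is an added example, not part of the Oracle note: it writes its own minimal openssl.cnf rather than editing the one shipped with openssl, assumes the openssl command is on PATH, and uses a 2048-bit key because the note's 512/1024-bit sizes date from export-control rules; the organisation in the subject and the file names are this example's own choices. The same self-signed certificate doubles as server certificate and trusted CA, exactly as in the note's config.xml, which is why the checks verify the certificate against itself and confirm the private key belongs to it.

```shell
#!/bin/sh
# Added example (not from the Oracle note): WLS 6.1 self-signed root CA
# with openssl, plus verification. Assumes the openssl CLI is on PATH.

# Step 1: a minimal openssl.cnf whose v3_ca section marks basicConstraints
# as critical, which is the edit the note asks for. $1 = path to write.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true
EOF
}

# Step 2: self-signed certificate plus unencrypted private key (-nodes),
# hostname as CN, subject supplied with -subj so nothing is prompted.
# $1 = working directory, $2 = hostname. Key size is this example's choice.
make_selfsigned_ca() {
    dir=$1; host=$2
    write_ca_config "$dir/openssl.cnf"
    openssl req -config "$dir/openssl.cnf" -nodes -extensions v3_ca -x509 \
        -newkey rsa:2048 -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days 365 -subj "/C=US/O=Example Org/OU=Support/CN=$host" \
        >/dev/null 2>&1
}

# Step 3: inspect the certificate. Succeeds only if the CN is the expected
# hostname, basicConstraints is present, critical and CA:TRUE, and the
# certificate validates against itself as a trust anchor (the role it
# plays as TrustedCAFileName). $1 = cert.pem, $2 = expected hostname.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q "CN *= *$2" || return 1
    echo "$text" | grep -q "Basic Constraints: critical" || return 1
    echo "$text" | grep -q "CA:TRUE" || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The key in ServerKeyFileName must belong to the certificate in
# ServerCertificateFileName: compare the public keys they carry.
# $1 = key.pem, $2 = cert.pem
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone use: demo myhost.example.com
demo() {
    d=$(mktemp -d)
    make_selfsigned_ca "$d" "$1" || { echo "generation failed"; return 1; }
    check_ca_cert "$d/cert.pem" "$1" || { echo "certificate check failed"; return 1; }
    key_matches_cert "$d/key.pem" "$d/cert.pem" || { echo "key mismatch"; return 1; }
    echo "cert.pem and key.pem written to $d and verified"
}
```

Run `demo myhost.example.com` after sourcing the script; check_ca_cert fails on purpose when the hostname passed in is not the one in the CN, which is the same property WLS enforces when host name verification is left on.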
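A small audit of the SSL settings in a config.xml, covering the points the note raises about the WLS 8.1 <Server>/<SSL> element and the WLS 6.1 <SSL> element: SSL must be enabled, HostnameVerificationIgnored="true" removes the per-host CN check the note relies on, and KeyEncrypted="false" means the WLS 6.1 private key generated with -nodes sits unencrypted on disk. This is an added example, not part of the Oracle note; the attribute names are the ones shown in the note's config.xml fragments, and the sample files it writes are constructed here with placeholder paths and no pass phrases.

```shell
#!/bin/sh
# Added example (not part of the Oracle note): audit the SSL attributes of
# a WLS config.xml. Attribute names come from the note; sample files are
# constructed for this example.

# Print the value of attribute $2 (first occurrence) in file $1, or nothing.
# The leading whitespace anchor keeps "Enabled" from matching
# "NativeIOEnabled".
xml_attr() {
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Audit $1. Findings go to stderr, the number of findings to stdout, and
# the exit status is always 0 so callers can capture the count.
audit_wls_ssl() {
    cfg=$1; n=0
    if [ "$(xml_attr "$cfg" Enabled)" != "true" ]; then
        echo "finding: SSL listener is not enabled (Enabled=\"true\" expected)" >&2
        n=$((n + 1))
    fi
    # The note: one certificate per host unless this switch is set.
    if [ "$(xml_attr "$cfg" HostnameVerificationIgnored)" = "true" ]; then
        echo "finding: host name verification is disabled" >&2
        n=$((n + 1))
    fi
    # WLS 6.1: the -nodes key from the procedure is stored unencrypted.
    if [ "$(xml_attr "$cfg" KeyEncrypted)" = "false" ]; then
        echo "finding: server private key file is not encrypted" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample configurations (placeholder paths, no pass phrases).
# $1 = directory to write weak81.xml, ok81.xml and wls61.xml into.
write_samples() {
    cat > "$1/weak81.xml" <<'EOF'
<Server Name="myserver" ListenPort="7001" NativeIOEnabled="true"
    KeyStores="CustomIdentityAndCustomTrust"
    CustomIdentityKeyStoreFileName="./certgen/mykeystore.jks"
    CustomTrustKeyStoreFileName="./certgen/trust.jks">
  <SSL Enabled="true" HostnameVerificationIgnored="true"
      IdentityAndTrustLocations="KeyStores" ListenPort="7002"
      Name="myserver" ServerPrivateKeyAlias="weblogic"/>
</Server>
EOF
    cat > "$1/ok81.xml" <<'EOF'
<Server Name="myserver" ListenPort="7001" NativeIOEnabled="true"
    KeyStores="CustomIdentityAndCustomTrust"
    CustomIdentityKeyStoreFileName="./certgen/mykeystore.jks"
    CustomTrustKeyStoreFileName="./certgen/trust.jks">
  <SSL Enabled="true" HostnameVerificationIgnored="false"
      IdentityAndTrustLocations="KeyStores" ListenPort="7002"
      Name="myserver" ServerPrivateKeyAlias="weblogic"/>
</Server>
EOF
    cat > "$1/wls61.xml" <<'EOF'
<SSL Enabled="true" KeyEncrypted="false" ListenPort="7002" Name="myserver"
    ServerCertificateChainFileName="/placeholder/cert/cert.pem"
    ServerCertificateFileName="/placeholder/cert/cert.pem"
    ServerKeyFileName="/placeholder/cert/key.pem"
    TrustedCAFileName="/placeholder/cert/cert.pem"/>
EOF
}

# Stand-alone use: audit_wls_ssl /path/to/config.xml
```

On the constructed samples, weak81.xml yields one finding (host name verification off), ok81.xml none, and wls61.xml one (unencrypted key file), which is the state the WLS 6.1 procedure above leaves behind and is worth recording even when it is intentional.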