WebLogic SSL 설정 (WebLogic SSL configuration)
WEB
posted by 구름너머 2012. 11. 13. 10:38

1. First reference

http://image.inames.co.kr/upload/1193292118.pdf

2. Second reference

http://cheese.springnote.com/pages/4649569

Applies to: WLS 8.1 / WLS 6.1 - how to generate self-signed SSL certificates [ID 775115.1]

Oracle Weblogic Server / WebLogic Server / 8.1, 6.1
Information in this document applies to any platform

Goal

          What is the procedure to generate self-signed SSL certificates for use with WLS 8.1 and WLS 6.1?  The certificates will
          be used for internal testing; permanent certificates issued by a CA are not required.
          

Solution

          Demo certificates are provided with all of these releases of WLS.  Note that the demo identity and trust keystores and
          the demo CA are identical in every WebLogic installation, so they prove nothing about who you are talking to and are
          only suitable for local testing.  If these demo certificates are not appropriate, here are some procedures that can
          be used.
          
          For WLS 8.1:
          There are (at least) 2 approaches to generating your own certificates:
          1) Use self-signed certificates, with you as the certificate authority.
          2) Use WLS's CertGen utility to create certificates signed by the WLS demonstration certificate authority.
          
          Useful references for information about certificates, etc., are:
          - The man page for the keytool utility, which is part of the JDK.  See
          http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
          - The WLS document "Managing WebLogic Security" at http://e-docs.bea.com/wls/docs81/pdf/secmanage.pdf,
          especially Chapter 7.
          - The documentation for the openssl utility at http://www.openssl.org.  openssl can be downloaded from this web site.
          
          Procedure for generating a self-signed certificate for use with WLS 8.1 (option 1):
          
          1) Generate the key pair and self-signed certificate.
          The key sizes in this note reflect the export-control licensing of the time: keysize 512 for an export license
          (look for SSL/Export in license.bea), keysize 1024 for a domestic license (look for SSL/Domestic in license.bea).
          Neither is acceptable for anything but a throwaway test today: 512-bit RSA moduli can be factored cheaply and
          1024-bit RSA has been deprecated for years, so use 2048 bits or more wherever the installed JDK and license allow it.
          Pick your own keystore name, alias name, and passwords; these are only examples.  Be aware that a passphrase
          passed on the command line, as below, ends up in shell history and is visible in process listings.
          See also Table 7.1 in "Managing WebLogic Security".
          
          $JAVA_HOME/bin/keytool -genkey -keyalg rsa -keystore mykeystore.jks -alias weblogic -keysize 512 -keypass weblogic -storepass weblogic -validity 365
          
          Supply your hostname to the prompt "First and last name" (e.g., myhost.bea.com).  This value becomes the
          certificate's CN, which is what a client's host name verification compares against the host it connected to.
          
          2) Now extract the self-signed certificate into trust.pem
          
          keytool -export -alias weblogic -file trust.pem -keystore mykeystore.jks -storepass weblogic -rfc
          
          3) Import the self-signed certificate (which functions as its own certificate authority) into trust.jks.
          
          keytool -import -alias weblogic -file trust.pem -keystore trust.jks -storepass weblogic
          
          Now you have mykeystore.jks containing your own host-specific certificate and private key, and trust.jks containing
          the trusted certificate.
          
          4) Configure WLS via the console to use this custom identity and custom trust keystores.
          
          Point your browser to http://host:port/console
          Go to servers->myserver->Keystore & SSL->Change
          Choose Custom Identity and Custom Trust and supply mykeystore.jks as the custom identity keystore file name, type JKS,
          pass phrase weblogic.
          Use trust.jks as the custom trust keystore file name, etc.
          Then restart WLS.
          
          The result is a modified <Server> section in your config.xml file that looks approximately like this (with your
          own file names, encrypted passwords, etc.; the trust keystore is the trust.jks built in step 3):
          
          <Server CustomIdentityKeyStoreFileName="./certgen/mykeystore.jks"
                  CustomIdentityKeyStorePassPhrase="{3DES}diJlCtIrNaBWwZfoa66Glg=="
                  CustomIdentityKeyStoreType="JKS"
                  CustomTrustKeyStoreFileName="./certgen/trust.jks"
                  CustomTrustKeyStorePassPhrase="{3DES}diJlCtIrNaBWwZfoa66Glg=="
                  CustomTrustKeyStoreType="JKS"
                  KeyStores="CustomIdentityAndCustomTrust"
                  ListenAddress="1.2.3.4" ListenPort="7001" Name="myserver"
                  NativeIOEnabled="true" ReliableDeliveryPolicy="RMDefaultPolicy"
                  ServerVersion="8.1.2.0">
              <SSL Enabled="true" HostnameVerificationIgnored="false"
                   IdentityAndTrustLocations="KeyStores" ListenPort="7002"
                   Name="myserver" ServerPrivateKeyAlias="weblogic"
                   ServerPrivateKeyPassPhrase="{3DES}diJlCtIrNaBWwZfoa66Glg=="/>
          </Server>
          
          Note that you must generate a self-signed certificate for each host system (the CN will be different in each
          certificate) unless you disable host name verification (HostnameVerificationIgnored="true" in the config.xml
          file).  That setting only governs connections WebLogic itself makes as an SSL client; browsers and other external
          clients still compare the CN with the host they connected to.  Disabling the check removes the only binding between
          the certificate and the host, so keep it at "false" outside of throwaway test environments.
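The option 1 procedure (steps 1 to 3 plus the step 6 listing check) as one script, added here as an example; it is not from the Oracle note or from the WebLogic product. It assumes keytool is on PATH, takes the keystore passphrase from an environment variable KEYSTORE_PASS instead of the command line, refuses RSA keys shorter than 2048 bits instead of the note's 512/1024, and puts the hostname in the CN so host name verification can stay enabled. MIN_KEYSIZE, check_keysize, cn_matches_host, generate_stores and verify_stores are names chosen for this example.

```shell
#!/bin/sh
# Added example: WLS 8.1 option 1 (self-signed identity + separate trust store) as a script.
# Assumptions (not from the Oracle note): keytool is on PATH, the passphrase comes from
# $KEYSTORE_PASS, and RSA keys shorter than MIN_KEYSIZE bits are refused.
set -eu

MIN_KEYSIZE=2048   # editorial floor; the note's 512/1024 reflect 1990s export rules

# check_keysize N -> 0 if N is a decimal number >= MIN_KEYSIZE, else 1
check_keysize() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_KEYSIZE" ]
}

# cn_matches_host SUBJECT HOST -> 0 if the CN in SUBJECT (e.g. "CN=host, OU=x, O=y")
# equals HOST. This is the comparison host name verification performs on the client side.
cn_matches_host() {
    cn=$(printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# generate_stores HOST KEYSTORE TRUSTSTORE ALIAS KEYSIZE DAYS
# Steps 1-3 of the note: key pair + self-signed cert, export it, import it as trusted.
generate_stores() {
    host=$1 ks=$2 ts=$3 alias=$4 keysize=$5 days=$6
    check_keysize "$keysize" || { echo "refusing RSA key size $keysize (< $MIN_KEYSIZE)" >&2; return 1; }
    : "${KEYSTORE_PASS:?export KEYSTORE_PASS (not on the command line, not 'weblogic')}"
    # Step 1: CN must be the host name clients connect to, or host name verification fails.
    keytool -genkey -keyalg RSA -keysize "$keysize" -validity "$days" \
        -alias "$alias" -dname "CN=$host" -storetype JKS \
        -keystore "$ks" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS"
    # Step 2: export only the certificate (never the private key) in PEM form.
    keytool -export -rfc -alias "$alias" -keystore "$ks" -storepass "$KEYSTORE_PASS" -file "$ks.crt.pem"
    # Step 3: a separate trust store holding that certificate as a trusted entry.
    keytool -import -noprompt -alias "$alias" -file "$ks.crt.pem" -storetype JKS \
        -keystore "$ts" -storepass "$KEYSTORE_PASS"
    rm -f "$ks.crt.pem"
    chmod 600 "$ks"    # the identity store holds the private key
}

# verify_stores KEYSTORE TRUSTSTORE ALIAS -> 0 if KEYSTORE holds a private-key entry
# and TRUSTSTORE holds a trusted-certificate entry under ALIAS (the note's "list" check).
verify_stores() {
    keytool -list -v -keystore "$1" -storepass "$KEYSTORE_PASS" -alias "$3" \
        | grep -Eq 'PrivateKeyEntry|keyEntry'
    keytool -list -v -keystore "$2" -storepass "$KEYSTORE_PASS" -alias "$3" \
        | grep -q 'trustedCertEntry'
}

# Usage: KEYSTORE_PASS=... ./wls81_selfsigned.sh generate [hostname]
if [ "${1:-}" = "generate" ]; then
    generate_stores "${2:-$(hostname)}" mykeystore.jks trust.jks weblogic 2048 365
    verify_stores mykeystore.jks trust.jks weblogic
    echo "mykeystore.jks (identity) and trust.jks (trust) are ready for the console step"
fi
```

Run it as `KEYSTORE_PASS=... ./wls81_selfsigned.sh generate myhost.example.com`; without the `generate` argument it only defines the functions. The two resulting files map onto the console step above: mykeystore.jks is the custom identity keystore, trust.jks the custom trust keystore, and the same passphrase is what ends up 3DES-wrapped in config.xml.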
          
          Procedure for generating a self-signed certificate for use with WLS 8.1 (option 2):
          
          This procedure is an alternative to option 1.  It uses the demonstration certificate authority.
          
          The following instructions are derived from page 7-6 in "Managing WebLogic Security".  See also
          http://e-docs.bea.com/wls/docs81/admin_ref/utils.html#1184336 for additional details.
          
          1) Copy the needed files into the current directory for easy access.
          
          cp $WL_HOME/server/lib/CertgenCA.der .
          cp $WL_HOME/server/lib/CertgenCAKey.der .
          
          2) Generate a certificate signed by the demonstration CA with domestic key strength.  The common name (CN) is the same
          as the current hostname.  The issuer CA name is CN=CertGenCAB,OU=FOR TESTING
          ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US.
          The following command must be executed with CLASSPATH set for the WLS 8.1 environment.
          
          java utils.CertGen weblogic mycertfile mykeyfile
          
          The files created are mycertfile.{der,pem} and mykeyfile.{der,pem}
          
          3) Convert CertgenCA.der to .pem format
          
          java utils.der2pem CertgenCA.der
          
          4) Concatenate the 2 certificates to form a chain.
          
          cat mycertfile.pem CertgenCA.pem > certs.pem
          
          5) Create a new keystore, load the private key and certificate chain.
          
          java utils.ImportPrivateKey mykeystore.jks weblogic weblogic weblogic certs.pem mykeyfile.pem
          
          6) List the keystore to make sure it's OK.
          
          keytool -v -list -keystore mykeystore.jks
          
          7) Create a separate keystore for the trusted CA certificate.
          
          keytool -import -alias weblogic -file CertgenCA.pem -keystore trust.jks -storepass weblogic
          
          Keep in mind that CertgenCAKey.der, the private key of this demonstration CA, is shipped with every WebLogic
          installation, so any WLS install can mint certificates that this trust.jks will accept.  Option 2 is therefore
          only for testing, never for anything that has to keep an attacker out.
          
          8) Configure WLS 8.1 as previously to use mykeystore.jks and trust.jks.
          
          
          For WLS 6.1:
          
          1) Create a new copy of the configuration file used by openssl and modify it so that the basic constraint is marked
          "critical".
          
          cp $OPENSSL_HOME/bin/openssl.cnf .
          edit openssl.cnf.  In the section [ v3_ca ] uncomment the line
            basicConstraints = critical,CA:true
          and comment the line (about 2 lines down)
            basicConstraints = CA:true
          
          2) Generate a self-signed certificate for use as a root CA and an associated unencrypted private key (i.e., no
          password).  When prompted, supply the hostname as the common name and omit the email address.  The note uses
          rsa:512 for an export certificate and rsa:1024 for a domestic one; the same caveat as for WLS 8.1 applies, and
          rsa:2048 or larger should be used wherever possible.  Because of -nodes the key file is plaintext, so restrict its
          file permissions.
          
          openssl req -config ./openssl.cnf -nodes -extensions v3_ca -x509 -newkey rsa:512 -keyout key.pem -out cert.pem -days 365
          
          You can also supply the answers to the prompts on the command line if you wish:
          
          openssl req -config ./openssl.cnf -nodes -extensions v3_ca -x509 -newkey rsa:512 -keyout key.pem -out cert.pem -days 365 -subj '/C=US/ST=NJ/L=Liberty Corner/O=BEA Systems/OU=Support/CN=<hostname>'
          
          where <hostname> is the hostname.
          
          3) Inspect the generated certificate.
          
          openssl x509 -in cert.pem -noout -text
          
          4) Modify the WLS 6.1 SSL configuration (through the console or by editing the config.xml file).
          
          The resulting config.xml file should look something like this (the paths are from the note author's own case
          directory; KeyEncrypted="false" corresponds to the -nodes key generated above, and the one self-signed file serves
          as server certificate, chain and trusted CA at the same time):
          
          <SSL Enabled="true" KeyEncrypted="false" ListenPort="7002"
               Name="myserver"
               ServerCertificateChainFileName="d:/meq/cases.d/492379/cert/cert.pem"
               ServerCertificateFileName="d:/meq/cases.d/492379/cert/cert.pem"
               ServerKeyFileName="d:/meq/cases.d/492379/cert/key.pem"
               TrustedCAFileName="d:/meq/cases.d/492379/cert/cert.pem"/>