-Djavax.net.ssl.keyStore
-Djavax.net.ssl.trustStore
-Djavax.net.ssl.trustStorePassword
-Djavax.net.ssl.keyStorePassword
-Djavax.net.ssl.keyStoreProvider
In WebLogic, it is done via Admin Console.
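For the stand-alone JVM case, a small check of the stores those properties point to, as an added example that is not code from the original post: run it with the same -Djavax.net.ssl.* flags to list each entry with its expiry and to see whether each private key opens with the store password. The class name SslStoreCheck is hypothetical, and the store type is assumed to be the JVM default because the page does not name one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not from the original post); class name is hypothetical.
public class SslStoreCheck {
    static void check(String pathProp, String passProp) throws Exception {
        String path = System.getProperty(pathProp);
        String pass = System.getProperty(passProp);
        if (path == null || pass == null) {
            System.out.println(pathProp + " or " + passProp + " is not set, skipping");
            return;
        }
        // Assumption: the store uses the JVM's default keystore type.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray()); // IOException here means a wrong store password
        }
        System.out.println(path + ": " + ks.size() + " entries");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String detail = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        + ", expires " + ((X509Certificate) c).getNotAfter()
                    : "no X.509 certificate";
            if (!ks.isKeyEntry(alias)) {
                System.out.println("  [trusted cert] " + alias + ": " + detail);
                continue;
            }
            // The javax.net.ssl.* properties carry one password per store, so the
            // default JSSE key manager opens the key with the store password.
            String keyState;
            try {
                ks.getKey(alias, pass.toCharArray());
                keyState = "key opens with the store password";
            } catch (UnrecoverableKeyException e) {
                keyState = "key password differs from the store password";
            }
            System.out.println("  [key entry] " + alias + ": " + detail + " (" + keyState + ")");
        }
    }
    public static void main(String[] args) throws Exception {
        check("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword");
        check("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword");
    }
}
```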
One Way SSL
Configuring one-way SSL is quite straightforward. I believe the preferred way is to use a Custom Identity and Custom Trust store, which is much easier to manage than the Demo trust and identity stores.
Using DemoTrust and DemoIdentity
The location of DemoTrust and DemoIdentity can be found from Admin Console:
The default passwords are:
DemoIdentity.jks -> DemoIdentityKeyStorePassPhrase
DemoTrust.jks -> DemoTrustKeyStorePassPhrase
We can open them in Portecle and import the SSL cert.
Using Custom Identity and Custom Trust
I prefer this option to Demo. I usually use jre/lib/cacerts as a starting point and import all the necessary certs into cacerts. Once all the certs are imported into cacerts, the WebLogic configuration is as below.
Under KeyStores tab:
This needs to be done on every affected server, and a server restart is necessary afterwards.
Two Way SSL
Using Custom Identity and Custom Trust
I imported both the private key and the root cert into the cacerts file. The password of the cacerts file was the same as the password of the private key; I was not sure if it was absolutely necessary, but that is how it worked in a standalone JVM. Once the private key is imported, below is the WebLogic configuration.
Enable SSL Debug
-Dssl.debug=true
-Dweblogic.security.SSL.verbose=true
-Djavax.net.debug=all
Loosen up Security Constraint
-Dweblogic.webservice.client.ssl.strictcertchecking=false
-Dweblogic.security.SSL.allowSmallRSAExponent=true
-Dweblogic.security.SSL.enforceConstraints=off
-Dweblogic.security.SSL.enable.renegotiation=true
-Dsun.security.ssl.allowUnsafeRenegotiation=true