Installing Apache
Download the Apache httpd source from http://www.apache.org/
Extract the tar and go to the extracted location:
cd httpd-2.0.63
Run pwd to confirm where you are, then run the commands below. The --prefix is the install location, here /<>/apache2054:
pfexec ./configure --prefix=/<>/apache2054
pfexec make
pfexec make install
Only make install has to write outside the build tree, so strictly only that step needs pfexec; configure and make can run as your normal user.
Wednesday, October 13, 2010
Monday, October 11, 2010
Configure one way SSL for WebLogic
Secure Sockets Layer (SSL) provides secure connections by allowing applications connecting over a network connection to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.
SSL can be configured as 1-way or 2-way.
With one-way SSL, the server is required to present a certificate to the client but the client is not required to present a certificate to the server. Generally this is what you see on banking sites.
Here are the steps to configure 1-way SSL:
Step A
create a new WLS domain as below:
- run the config script (config.cmd on Windows, config.sh on Unix): <WL_HOME>/common/bin/config.sh
- select "Create a new WebLogic configuration", then Next
- select "BEA WebLogic Server Domain", then Next
- select "Express" installation, then Next
- username/password = weblogic/weblogic, then Next
- keep the defaults: development mode / Sun SDK 1.5, then Next
- set the configuration name (domain name) = ssldomain and click Create
In my case the domain is created under
C:\bea\user_projects\domains\ssldomain
This domain is created with only the HTTP listen port (7001) enabled.
Now enable the SSL listen port as below:
- go to Servers --> myserver --> General tab
- check "SSL Listen Port Enabled"
  By default this listens on port 7002 using the default WebLogic demo certificates.
- click Apply
At this point WLS is configured for one-way SSL using the default demo certificates.
Restart the server.
--------------
Step B
As of now your server is using the default private key, the default public key (certificate) and the default trust.
The steps to use your own certificate and set up SSL on WebLogic are as follows:
1. get your own private key, certificate and trust for your certificate
2. create an identity keystore (which holds your private key + certificate)
and
create a trust keystore (which holds the trusted CA certificate for your own digital certificate)
3. use the identity and trust keystores created in step 2 and configure WLS to replace the demo keystores with your own.
Now, details for step 1:
create the private key using the keytool command
- go to your domain dir and run setENV.cmd
- now run the following keytool command to create the private key (use your own name; the rest you can keep the same)
C:\bea\WLS_81_SP3\user_projects\domains\ssldomain>keytool -genkey -keyalg RSA -alias mykey -keystore mykeystore.jks
Enter keystore password: weblogic
What is your first and last name?
[Unknown]: Srikar
What is the name of your organizational unit?
[Unknown]: Support
What is the name of your organization?
[Unknown]: BEA
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: CT
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Srikar, OU=Support, O=BEA, L=, ST=CT, C=US correct?
[no]: yes
Enter key password for <mykey>
(RETURN if same as keystore password):
As a result you obtain a file, mykeystore.jks (in the same dir), containing a private key and a self-signed certificate for its public key.
Now send your public key to a trusted authority to get it signed (we will send it to VeriSign).
This is done by retrieving the CSR (Certificate Signing Request) from mykeystore.jks and sending it to one of the Certificate Authorities, such as VeriSign.
Run the following command to get the CSR:
C:\bea\user_projects\domains\ssldomain>keytool -certreq -keystore mykeystore.jks
Enter keystore password: weblogic
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
C:\bea\WLS_81_SP3\user_projects\domains\ssldomain>
===============================
You will need to copy and paste all of this (including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines) to the Certification Authority.
Open Notepad and paste it there.
Now we will go to the VeriSign site to get this signed.
go to
https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0110&toc=w63780188130110000&ra=65.205.251.51&email=
Enter your information and follow the instructions to submit the CSR
First Name: Srikar
Last Name: Yalam
e-mail: srikar@bea.com
company: BEA Systems Inc
phone: 8882327878
state: Outside the US or Canada
Zip: 06902
Country: USA
select "research only"
select "no budget"
select "research only"
click "Submit" button.
click the "Continue" button
again, click the "Continue" button
========================
Technical details:
enter your details ...
E-mail: your email address; specify your bea.com email id (e.g. your email@bea.com)
================
select server platform = "all others" and paste your CSR
if it asks for a password/challenge phrase, use weblogic
Once done, VeriSign will send you your digital certificate in an email.
--------------------------------
Step C
VeriSign will then send you an email with the PEM content of your certificate (public key).
Scroll to the end of the email and save that content to a file named mycert.pem.
The email also contains a link to the root CA certificate for your certificate, i.e. a link to download the Test CA Root.
Follow the link to download the Test CA Root - getcacert.cer - and save it under your domain dir.
This file is in binary (DER) format. Let's convert it to text (Base64) format:
double-click on the file
click on the Details tab --> Copy to File (at the bottom) --> Base-64 encoded X.509 format --> save as testrootca.cer under your domain dir.
Now you have
your cert - mycert.pem
test CA cert - testrootca.cer
Now open a text editor and append the contents of testrootca.cer to mycert.pem.
So at the end you will have
your cert - mycert.pem (which now holds a chain, i.e. your cert + the test CA root)
test CA cert - testrootca.cer
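To check the merged mycert.pem before importing it in Step D, here is an added Python example (not from the original post) that parses each PEM block, pulls subject and issuer out of the DER with a minimal ASN.1 walk, and confirms the bundle runs from your certificate to a self-signed root. The certificates it runs on are constructed skeletons standing in for the VeriSign test root and your signed cert, not real certificates; on a real mycert.pem you would pass the file's text to check_chain.

```python
import base64
_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",   # DER-encoded attribute types
         b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}    # that make up a DN

def _children(der):
    """Split the body of a DER SEQUENCE or SET into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(der):
        tag, n, pos = der[pos], der[pos + 1], pos + 2
        if n & 0x80:                                # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
        out.append((tag, der[pos:pos + n]))
        pos += n
    return out

def _dn(name_body):
    """Render an X.501 Name as 'CN=..., OU=..., O=..., C=...' (most specific first, as keytool prints it)."""
    parts = []
    for _, rdn in _children(name_body):             # Name = SEQUENCE OF RDN; RDN = SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            parts.append(f"{_OIDS.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(reversed(parts))

def names(cert_der):
    """Return (subject, issuer) of one DER certificate by walking its TBSCertificate."""
    fields = _children(_children(_children(cert_der)[0][1])[0][1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields    # skip [0] EXPLICIT version when present
    return _dn(fields[4][1]), _dn(fields[2][1])     # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_text):
    """Return (ok, [(subject, issuer), ...]); ok means the bundle runs leaf -> self-signed root."""
    blocks = [p.split("-----END CERTIFICATE-----")[0] for p in pem_text.split("-----BEGIN CERTIFICATE-----")[1:]]
    certs = [names(base64.b64decode("".join(b.split()))) for b in blocks]
    linked = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))
    return len(certs) >= 2 and linked and certs[-1][0] == certs[-1][1], certs

def _tlv(tag, body):                                # DER tag-length-value; used only to build the sample input
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _fake_cert(subject, issuer):
    """Constructed sample only: a well-formed Certificate skeleton with dummy key and signature, not a real cert."""
    def name(rdns):
        return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, o) + _tlv(0x0C, v.encode()))) for o, v in rdns))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSAEncryption
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name(issuer)
           + _tlv(0x30, _tlv(0x17, b"100101000000Z") * 2) + name(subject) + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for the post's VeriSign test root CA and for the certificate it signed.
_ROOT = [(b"\x55\x04\x0a", "VeriSign Inc"), (b"\x55\x04\x0b", "For VeriSign authorized testing only")]
_LEAF = [(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "BEA"), (b"\x55\x04\x0b", "Support"), (b"\x55\x04\x03", "Srikar")]
ROOT_PEM = _pem(_fake_cert(_ROOT, _ROOT))       # testrootca.cer: self-signed
LEAF_PEM = _pem(_fake_cert(_LEAF, _ROOT))       # the signed certificate returned by the CA
MERGED_OK = LEAF_PEM + ROOT_PEM                 # mycert.pem after Step C: your cert first, then the test root

if __name__ == "__main__":                      # prints True False False
    print(check_chain(MERGED_OK)[0], check_chain(ROOT_PEM + LEAF_PEM)[0], check_chain(LEAF_PEM)[0])
```

A bundle with the root pasted first, or with the root missing, reports False, which is the ordering mistake keytool rejects when it tries to establish the chain from the reply in Step D.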
-------------------
Step D
Import the public key into your identity keystore. It will go on the same alias as the private key:
C:\bea\WLS_81_SP3\user_projects\domains\ssldomain>keytool -import -alias mykey -file mycert.pem -keystore mykeystore.jks
Enter keystore password: weblogic
Top-level certificate in reply:
Owner: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.
verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www
.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Serial number: 52a9f424da674c9daf4f537852abef6e
Valid from: Sun Jun 07 05:30:00 IST 1998 until: Wed Jun 07 05:29:59 IST 2006
Certificate fingerprints:
MD5: 40:06:53:11:FD:B3:3E:88:0A:6F:7D:D1:4E:22:91:87
SHA1: 93:71:C9:EE:57:09:92:5D:0A:8E:FA:02:0B:E2:F5:E6:98:6C:60:DE
... is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore
C:\bea\WLS_81_SP3\user_projects\domains\ssldomain>
=====================================================================
Let's create the trust keystore:
WL_HOME\user_projects\domains\ssldomain>keytool -alias mytkey -trustcacerts -import -file getcacert.cer -keystore mytruststore.jks -storepass weblogic
Owner: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.
verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www
.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Serial number: 52a9f424da674c9daf4f537852abef6e
Valid from: Sun Jun 07 05:30:00 IST 1998 until: Wed Jun 07 05:29:59 IST 2006
Certificate fingerprints:
MD5: 40:06:53:11:FD:B3:3E:88:0A:6F:7D:D1:4E:22:91:87
SHA1: 93:71:C9:EE:57:09:92:5D:0A:8E:FA:02:0B:E2:F5:E6:98:6C:60:DE
Trust this certificate? [no]: yes
Certificate was added to keystore
WL_HOME\user_projects\domains\ssldomain>
This command creates mytruststore.jks, i.e. your trust keystore. So at this time you have
1. identity keystore = mykeystore.jks
2. trust keystore = mytruststore.jks
Cheers!!! You are almost done.
Now you just need to configure WLS to use the above keystores instead of the default demo identity and demo trust keystores.
-----------------------------
Step E
So finally you are done creating your own custom identity keystore, which contains your private key + your certificate signed by VeriSign,
and your own custom trust keystore, which contains the test root CA.
Now let's set up SSL on your server using your custom keystores.
Your server is currently using the default demo cert.
Set up SSL in the admin server console under the "Keystores & SSL" tab page.
Click on "Change" and then select "Custom Identity and Custom Trust" from the drop-down menu. Click Continue.
Then specify the full path for the identity and trust keystores and the passwords for both stores. Click Continue.
Now specify the alias and password for the private key. Apply the changes; you will need to restart the server.
The above steps configure SSL: WLS will use the private key and certificate from your identity keystore and the trusted CA certificate from the trust keystore.
Restart your server and test it:
go to https://localhost:7002/console
The browser will warn you, as this is a test cert (the test root CA is not trusted by browsers).
You are done setting up one-way SSL with your own custom keystores.
-Srikar