Thursday, November 7, 2013

SSL steps

Appendix C:  SSL Configuration

#Create new Certs for
# create keystore in home directory
Login to [Server Long Name] with RDP

Open the command prompt

Navigate to D:\Oracle\Middleware\user_projects\domains\SSL

type 'keytool -genkey -keystore vendorTrust.jks -storepass srinfosolutions -alias [Server Long Name] -validity 3650 -keyalg RSA -keysize 2048' and press 'Enter'
When prompted, 'What is your first and last name?' type '[Server Long Name]' and press 'Enter'
When prompted, 'What is the name of your organizational unit?', type 'Global Solutions' and press 'Enter'
When prompted, 'What is the name of your organization?', type 'srinfosolutions' and press 'Enter'
When prompted, 'What is the name of your City or Locality?', type 'chennai' and press 'Enter'
When prompted, 'What is the name of your State or Province?', type 'TN' and press 'Enter'
When prompted, 'What is the two-letter country code for this unit?', type 'IN' and press 'Enter'
When prompted if entries are correct, verify and type 'yes' and press 'Enter'
When prompted to 'Enter key password for <[Server Long Name]>', press 'Enter' (this keeps the key password the same as the keystore password).

# Generate the certificate signing request for the key pair created above; the alias must be the same one used with -genkey
keytool -certreq -alias [Server Long Name] -storepass srinfosolutions -file certreq.csr -keystore vendorTrust.jks


#Download Certificate Authority files

https://uskan-secsa01.srinfosolutions.net/certsrv/

Click on Download a CA certificate, certificate chain, or CRL
Select 'Base64' encoding method and click on 'Download CA Certificate chain'
When prompted, 'Do you want to open or save this file?' click Save.
Save in a location for later
When 'Download Complete' dialog appears, click 'Open'
When 'certificates' application appears drill down to 'certificates' folder
Right-click [Portal Server Long name], select 'All Tasks->Export'
On Welcome screen, click 'Next'
On 'Export File Format' screen, click 'Base-64 encoded X.509 (.CER)' and click 'Next'

Right-click uskan-secs02, select 'All Tasks->Export'
On Welcome screen, click 'Next'
On 'Export File Format' screen, click 'Base-64 encoded X.509 (.CER)' and click 'Next'
On File to Export screen, type '[Directory]\s02.cer' as 'File name', click 'Next' where [Directory] is desired save location directory
On Completing the Certificate Export Wizard, click 'Finish'
On 'The export was successful' message, click 'Ok'

Right-click uskan-secsa01, select 'All Tasks->Export'
On Welcome screen, click 'Next'
On 'Export File Format' screen, click 'Base-64 encoded X.509 (.CER)' and click 'Next'
On File to Export screen, type '[Directory]\a01.cer' as 'File name', click 'Next' where [Directory] is desired save location directory
On Completing the Certificate Export Wizard, click 'Finish'
On 'The export was successful' message, click 'Ok'


#copy s02.cer and a01.cer from [Directory] to D:\Oracle\Middleware\user_projects\domains\SSL

# Import the chain certificates into the keystore as follows (need three different files: Cert Authority1, Cert Authority2):

Login to [Server Long Name] with RDP

Open the command prompt

Navigate to D:\Oracle\Middleware\user_projects\domains\SSL


Type 'keytool -import -alias uskan-secs02 -keystore vendorTrust.jks -trustcacerts -storepass srinfosolutions -file s02.cer' and press 'Enter'
If prompted 'Trust this certificate?', type 'yes' and press 'Enter'

Type 'keytool -import -alias USKAN-SECSA01 -keystore vendorTrust.jks -trustcacerts -storepass srinfosolutions -file a01.cer' and press 'Enter'

#Download Third Party certificates from TFS

Download the Trusted Certificates (ca.webcrf, GoDaddyClass2CA, GoDaddySecureCA, usadc-vsab8p01.srinfosolutions.net) from D:\5_Setup\SSL to D:\Oracle\Middleware\user_projects\domains\SSL

# Import the Trusted Certificates into the keystore
Type 'keytool -import -keystore vendorTrust.jks -storepass srinfosolutions -alias usadc-vsab8p01.srinfosolutions.net -file usadc-vsab8p01.srinfosolutions.net.cer' and press 'Enter'

Type 'keytool -import -keystore vendorTrust.jks -storepass srinfosolutions -alias GoDaddyClass2CA -file GoDaddyClass2CA.cer' and press 'Enter'

Type 'keytool -import -keystore vendorTrust.jks -storepass srinfosolutions -alias GoDaddySecureCA -file GoDaddySecureCA.cer' and press 'Enter'

Type 'keytool -import -keystore vendorTrust.jks -storepass srinfosolutions -alias ca.webcrf -file ca.webcrf.cer' and press 'Enter'
Repeat above steps for each Server
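The steps from '-genkey' through the last '-import' are the same for every server, with only the server name changing. The following is an added example, not code from the original post: it turns the answers typed at keytool's prompts into a single -dname and issues the same keytool commands unattended. It assumes keytool from a JDK is on PATH; SERVER_FQDN, KEYSTORE and STOREPASS are placeholders standing in for the post's bracketed values.

```python
"""Build vendorTrust.jks non-interactively for one server.

Added example, not from the original post. The answers the post types at keytool's
prompts (first and last name, organizational unit, ...) become a single -dname, so the
same steps run unattended for each server. Assumes keytool (from a JDK) is on PATH;
SERVER_FQDN, KEYSTORE and STOREPASS are placeholders for the post's bracketed values.
"""
import subprocess

SERVER_FQDN = "wls1.example.internal"   # placeholder for [Server Long Name]
KEYSTORE = r"D:\Oracle\Middleware\user_projects\domains\SSL\vendorTrust.jks"
STOREPASS = "<keystore-passphrase>"     # placeholder; the post uses a fixed value here

# Trusted certificates the post imports, keyed by the alias it gives each one.
TRUSTED_CERTS = {
    "uskan-secs02": "s02.cer",
    "uskan-secsa01": "a01.cer",
    "usadc-vsab8p01.srinfosolutions.net": "usadc-vsab8p01.srinfosolutions.net.cer",
    "GoDaddyClass2CA": "GoDaddyClass2CA.cer",
    "GoDaddySecureCA": "GoDaddySecureCA.cer",
    "ca.webcrf": "ca.webcrf.cer",
}

def _rdn_escape(value):
    """Escape the characters RFC 4514 treats as special inside an RDN value."""
    for ch in ("\\", ",", "+", '"', "<", ">", ";", "="):
        value = value.replace(ch, "\\" + ch)
    return value

def dname(cn, ou="Global Solutions", o="srinfosolutions", locality="chennai", st="TN", c="IN"):
    """Compose the -dname string; the defaults are the post's prompt answers."""
    parts = [("CN", cn), ("OU", ou), ("O", o), ("L", locality), ("ST", st), ("C", c)]
    return ", ".join(f"{k}={_rdn_escape(v)}" for k, v in parts)

def build_commands(server_fqdn, keystore, storepass, trusted):
    """Return keytool argv lists: key pair, CSR, then one import per trusted certificate."""
    common = ["-keystore", keystore, "-storepass", storepass]
    cmds = [
        # -genkeypair is the current name of -genkey; -keypass answers the key-password prompt
        # with the store password, which is what pressing Enter does in the post.
        ["keytool", "-genkeypair", "-alias", server_fqdn, "-keyalg", "RSA", "-keysize", "2048",
         "-validity", "3650", "-keypass", storepass, "-dname", dname(server_fqdn), *common],
        # The CSR is requested under the same alias the key pair was generated with.
        ["keytool", "-certreq", "-alias", server_fqdn, "-file", "certreq.csr", *common],
    ]
    for alias, cert_file in trusted.items():
        # -importcert is the current name of -import; -noprompt answers 'Trust this certificate?'.
        cmds.append(["keytool", "-importcert", "-trustcacerts", "-noprompt", "-alias", alias,
                     "-file", cert_file, *common])
    return cmds

def run(commands):
    """Execute the commands in order; stop at the first keytool failure."""
    for cmd in commands:
        subprocess.run(cmd, check=True)

if __name__ == "__main__":
    for cmd in build_commands(SERVER_FQDN, KEYSTORE, STOREPASS, TRUSTED_CERTS):
        print(" ".join(cmd))   # review the commands first, then pass the list to run()
```

Leaving -storepass and -keypass off the command line makes keytool prompt for them instead of exposing the passphrase in the process list and shell history; whichever passphrase is used, it is the value the console steps below need in the Custom Trust Keystore and Private Key Passphrase fields.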

#Manual steps for SSL Configuration on WLS Servers
#WLS1 Managed Server

Log on to the server [FQDN Admin Server] with administrator privileges, using a terminal emulator over SSH.
Launch browser, go to ‘http://[FQDN Admin Server]:7001/console’, type valid username and password and click ‘Login’
Click ‘Servers’ link in the ‘Environment’ section.
Click on ‘WLS1’ link.
Click on ‘Keystores’ tab.
Click on ‘Lock & Edit’ link in Change Center.
Select ‘Custom Identity and Custom Trust’ option in the ‘Keystores’ pull down menu
Enter ‘D:\Oracle\Middleware\user_projects\domains\SSL\vendorTrust.jks’ in the ‘Custom Trust Keystore’ field.
Enter ‘JKS’ in the ‘Custom Trust Keystore Type’ field.
Enter ‘srinfosolutions’ in the ‘Custom Trust Keystore Passphrase’ and ‘Confirm Custom Trust Keystore Passphrase’ fields.
Click on the ‘Save’ button.
Click on ‘SSL’ tab and select ‘Keystores’ in the ‘Identity and Trust Locations’ pull down menu.
Enter [FQDN WLS1 Server] in Private Key Alias
Enter ‘srinfosolutions’ in the ‘Private Key Passphrase’, ‘Confirm Private Key Passphrase’ fields and click ‘Save’.
Click on ‘Advanced’ link and select ‘None’ in the ‘Host Name Verification’ pull down menu.
Click on check box ‘USE JSSE SSL’
Click on the ‘Save’ button

#WLS2 Managed Server

Click ‘Home’ link
Click ‘Servers’ link in the ‘Environment’ section.
Click on ‘WLS2’ link.
Click on ‘Keystores’ tab.
Select ‘Custom Identity and Custom Trust’ option in the ‘Keystores’ pull down menu
Enter ‘D:\Oracle\Middleware\user_projects\domains\SSL\vendorTrust.jks’ in the ‘Custom Trust Keystore’ field.
Enter ‘JKS’ in the ‘Custom Trust Keystore Type’ field.
Enter ‘srinfosolutions’ in the ‘Custom Trust Keystore Passphrase’ and ‘Confirm Custom Trust Keystore Passphrase’ fields.
Click on the ‘Save’ button.
Click on ‘SSL’ tab and select ‘Keystores’ in the ‘Identity and Trust Locations’ pull down menu.
Enter [FQDN WLS2 Server] in Private Key Alias
Enter ‘srinfosolutions’ in the ‘Private Key Passphrase’ and ‘Confirm Private Key Passphrase’ fields.
Click on ‘Advanced’ link and select ‘None’ in the ‘Host Name Verification’ pull down menu.
Click on check box ‘USE JSSE SSL’
Click on the ‘Save’ button

Click on ‘Activate Changes’ link
Click on ‘Home’ link
Click ‘Clusters’ link in the ‘Environment’ section.
Click on ‘WLSCluster’ link
Click on ‘Control’ tab
At the bottom of the screen select the checkbox to the left of ‘Servers’ and click on the ‘Shutdown’ button and then click on ‘Force Shutdown Now’
Click ‘Yes’ button in Cluster Life Cycle Assistant Screen.
At the bottom of the screen select the checkbox to the left of ‘Servers’ and click on the ‘Start’ button
Click ‘Yes’ button in Cluster Life Cycle Assistant Screen.



# To check the certificates in the keystore, list every entry with its owner, issuer and validity dates

keytool -list -v -keystore vendorTrust.jks

# To remove a wrongly imported entry, delete it by its alias

keytool -delete -alias <alias> -keystore vendorTrust.jks
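Reading the 'keytool -list -v' output by eye misses the things the console steps above silently depend on: the alias entered as Private Key Alias must be a PrivateKeyEntry (not a trustedCertEntry) whose CN is the server name, each CA alias must actually be present, and nothing may be expired. The following added example, not code from the original post, parses that listing and reports each mismatch; SAMPLE_LISTING is a constructed listing rather than output captured from a real keystore, and the server and alias names in it are placeholders. It assumes keytool is on PATH only for the live list_keystore() helper.

```python
"""Audit a keystore listing before pointing the WebLogic console at it.

Added example, not from the original post. Parses 'keytool -list -v' output (the
post's own check) and verifies: the Private Key Alias names a PrivateKeyEntry whose
CN is the server name, each required CA alias is a trustedCertEntry, and nothing is
expired. SAMPLE_LISTING is constructed, not captured from a real keystore.
"""
import re
import subprocess
from datetime import date

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# keytool prints validity as "Thu Nov 07 10:00:00 IST 2013"; keep the calendar date only.
DATE_RE = re.compile(r"\w{3} (\w{3}) (\d{1,2}) \d{2}:\d{2}:\d{2} \S+ (\d{4})")

SAMPLE_LISTING = """\
Keystore type: JKS
Your keystore contains 3 entries

Alias name: wls1.example.internal
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wls1.example.internal, OU=Global Solutions, O=srinfosolutions, L=chennai, ST=TN, C=IN
Issuer: CN=wls1.example.internal, OU=Global Solutions, O=srinfosolutions, L=chennai, ST=TN, C=IN
Valid from: Thu Nov 07 10:00:00 IST 2013 until: Sun Nov 04 10:00:00 IST 2023
*******************************************
Alias name: uskan-secsa01
Entry type: trustedCertEntry
Owner: CN=uskan-secsa01, DC=example, DC=internal
Issuer: CN=uskan-secs02, DC=example, DC=internal
Valid from: Mon Jan 02 00:00:00 IST 2012 until: Fri Jan 02 00:00:00 IST 2032
*******************************************
Alias name: godaddyclass2ca
Entry type: trustedCertEntry
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Valid from: Tue Jun 29 17:06:20 GMT 2004 until: Thu Jun 29 17:06:20 GMT 2034
"""

def _parse_date(text):
    m = DATE_RE.search(text or "")
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2))) if m else None

def _cn(dn):
    m = re.search(r"(?:^|, )CN=([^,]+)", dn)
    return m.group(1) if m else None

def parse_listing(listing):
    """Map lower-cased alias -> type, owner, issuer and validity of the entry's first certificate."""
    entries = {}
    for chunk in listing.split("Alias name: ")[1:]:
        lines = chunk.splitlines()
        fields = {}
        for line in lines[1:]:
            if line[:1].isspace():            # fingerprint lines are indented; skip them
                continue
            key, sep, value = line.partition(": ")
            if sep:
                fields.setdefault(key, value.strip())   # first certificate in the chain wins
        not_before, _, not_after = fields.get("Valid from", "").partition(" until: ")
        entries[lines[0].strip().lower()] = {
            "type": fields.get("Entry type"), "owner": fields.get("Owner", ""),
            "issuer": fields.get("Issuer", ""),
            "not_before": _parse_date(not_before), "not_after": _parse_date(not_after),
        }
    return entries

def audit(listing, server_fqdn, required_trusted, today=None):
    """Return findings (empty list = keystore matches the console settings); today: date or ISO string."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    entries = parse_listing(listing)
    findings = []
    key = entries.get(server_fqdn.lower())    # keytool stores aliases lower-cased
    if key is None or key["type"] != "PrivateKeyEntry":
        findings.append(f"no PrivateKeyEntry for '{server_fqdn}'; the console Private Key Alias must name one")
    else:
        if _cn(key["owner"]) != server_fqdn:
            findings.append(f"'{server_fqdn}' certificate CN {_cn(key['owner'])!r} is not the server name")
        if key["owner"] == key["issuer"]:
            findings.append(f"'{server_fqdn}' is still self-signed: the CA reply to certreq.csr was never imported")
    for alias in required_trusted:
        entry = entries.get(alias.lower())
        if entry is None or entry["type"] != "trustedCertEntry":
            findings.append(f"missing trustedCertEntry for alias '{alias}'")
    for alias, entry in entries.items():
        if entry["not_before"] and not entry["not_before"] <= today <= entry["not_after"]:
            findings.append(f"'{alias}' is not valid on {today} (valid {entry['not_before']} to {entry['not_after']})")
    return findings

def list_keystore(path, storepass):
    """Run the post's check, 'keytool -list -v', against a real keystore and return its output."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING, "wls1.example.internal",
                         ["uskan-secsa01", "GoDaddyClass2CA", "ca.webcrf"], today="2015-01-01"):
        print("FINDING:", finding)
```

Against the constructed listing the audit reports that the server entry is still self-signed and that the ca.webcrf alias is absent; on a live host, feed list_keystore() output to audit() instead of SAMPLE_LISTING. Note that the CN check here covers only the keystore contents: with Host Name Verification set to ‘None’ in the console steps, WebLogic itself does not compare a peer certificate's CN with the host it connected to on outbound SSL connections.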


