
Replacing the demo cert and key files


Brian Wantuch

Aug 14, 2003, 3:49:12 PM

Can someone please provide me with detailed, step-by-step instructions on replacing the demo key, cert and keystore files that ship with WLS 7.0 with ones either self-signed via OpenSSL or the WLS Tools or purchased via a third party signer (Verisign). There are plenty of links off of the BEA Support site on SSL and certificates but there is no ONE document detailing all the steps.

Much thanks!

Peter

Aug 18, 2003, 9:22:36 PM

"Brian Wantuch" <Brian_C...@fleet.com> wrote in message
news:3f3be7b8$1...@newsgroups.bea.com...

http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1166878

The link above lists the steps. If you have suggestions on improving
it, post a reply and we will get them into the docs.


PremS

Aug 19, 2003, 10:50:08 PM

Peter
I don't know what to suggest, but I can say that following the instructions provided
did not work for me when I had a certificate from Verisign.

I am also using a proxy plugin and I have searched all of the BEA site with no
luck.

It works with what is configured by default, but not with my cert from Verisign
that needs the intermediate CA.

So, any help on that front would really help!

Prem

Pavel

Aug 20, 2003, 6:30:08 PM

To set up the WL server's identity, you will need to import your certificate and
private key into a keystore with the utils.ImportPrivateKey tool, and then use the
server administration console to specify the keystore file name, its password,
and the alias and password of the key entry.
Now, in order for an SSL client to connect to the server over SSL, it needs its
trust configured so that it trusts the Verisign CA that issued the server's certificate.

With which of these steps do you need help?

Pavel.

PremS

Aug 22, 2003, 12:39:25 AM

The trust piece. Whichever keystore I put it in, it doesn't recognize the intermediate
CA from Verisign.

Pavel

Aug 22, 2003, 10:25:41 AM

To configure the client's trust you'll need to import the Verisign CA self-signed
certificate that signed your server identity certificate into a keystore, and
then configure the client to trust certificates from that keystore.

Trusted certificates can be imported using the keytool command:

    keytool -import -trustcacerts ...

If you are using a WebLogic client, you can specify the trusted CA keystore with
this command line option:

    -Dweblogic.security.SSL.trustedCAKeyStore=keystorefile

Or look at "Specify Trust for weblogic.Admin" at
http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1191603
for more command line options.

Pavel.

klai

Oct 10, 2003, 11:15:37 AM

Well, I used OpenSSL with a self-signed CA. I couldn't get it to work either (import
and keytool both failed). The doc in ssl.html was not clear on what should be
imported into the keystore. In my case, do I need to import 4 entries?

1. OpenSSL self-signed CA
2. CA's private key
3. server certificate signed by the above CA
4. private key for the server

Also, do I need to specify the private key password in the import command?

Another question: how can you tell a keystore was generated properly by
reading the stdout of the keytool -list ... command?

Thanks.

-kl

P.S. Suggest adding detailed steps to ssl.html, including an example
of importing a CA from Verisign or OpenSSL with detailed steps, so customers can simply
cut and paste those commands and have them work.

Pavel

Oct 10, 2003, 12:54:56 PM

As a minimum, to connect from a client to the server over SSL you need to configure
the server's identity and the client's trust.
- For the server's identity you'll need to import the server identity certificate
and the corresponding private key into the server identity keystore. You should
use the utils.ImportPrivateKey tool for that. It will create one keyEntry in this
keystore which will contain both.
- For the client trust you'll need to import the CA certificate that issued the
server's identity certificate into the client's trust keystore. You can use the
keytool -import option for that, and will need to specify the private key password. It
should create a trustedCertEntry in the keystore.

Run keytool -list on each keystore and check that entries are there and have the
correct type.

Pavel.
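The check Pavel describes above (run keytool -list on each keystore and confirm the entries are there with the right type) is the answer to klai's "how can you tell a keystore was generated properly" question, and the same listing also shows the mistake behind the trust problems earlier in the thread: a server certificate imported with keytool -import ends up as a trustedCertEntry with no private key, instead of the keyEntry that utils.ImportPrivateKey creates. The script below is an added example, not code from the thread or from BEA; it parses the entry lines of keytool -list output and reports those problems. The listings, aliases and fingerprints in it are constructed for the example, and it accepts both the older "keyEntry" and the newer "PrivateKeyEntry" spelling of the key entry type.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample listings in the shape of `keytool -list` output.
# Not captured from a real WebLogic installation; aliases and
# fingerprints are made up for this example.
IDENTITY_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

wlsserver, Oct 10, 2003, keyEntry,
Certificate fingerprint (MD5): A2:5C:6C:96:FA:26:17:B5:FA:0A:37:71:AA:E4:E7:55
"""

TRUST_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

verisignroot, Oct 10, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
verisignintermediate, Oct 10, 2003, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

# The classic mistake from the thread: the server certificate was imported
# with `keytool -import` instead of utils.ImportPrivateKey, so the alias
# holds a trusted certificate and no private key. Constructed listing.
WRONG_IDENTITY_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

wlsserver, Oct 10, 2003, trustedCertEntry,
Certificate fingerprint (MD5): A2:5C:6C:96:FA:26:17:B5:FA:0A:37:71:AA:E4:E7:55
"""

# An entry line looks like "<alias>, <date>, <entry type>,".
ENTRY_LINE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*(?P<type>\w+),\s*$")

# Old JDKs print "keyEntry"; newer ones print "PrivateKeyEntry".
KEY_ENTRY_TYPES = {"keyEntry", "PrivateKeyEntry"}


def parse_keytool_list(listing: str) -> Dict[str, str]:
    """Map alias -> entry type from the text of `keytool -list`."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ENTRY_LINE.match(line.strip())
        if m:
            # keytool stores aliases case-insensitively, so normalise.
            entries[m.group("alias").strip().lower()] = m.group("type")
    return entries


def check_identity_keystore(listing: str, alias: str) -> List[str]:
    """Problems with the server identity keystore; empty list means it looks right."""
    entries = parse_keytool_list(listing)
    problems: List[str] = []
    etype = entries.get(alias.lower())
    if etype is None:
        problems.append(f"identity alias '{alias}' not found; aliases present: {sorted(entries)}")
    elif etype not in KEY_ENTRY_TYPES:
        problems.append(
            f"identity alias '{alias}' is a {etype}, not a key entry: the certificate "
            "was imported without its private key (use utils.ImportPrivateKey)")
    return problems


def check_trust_keystore(listing: str, required_aliases: Sequence[str] = ()) -> List[str]:
    """Problems with the trust keystore: it needs trustedCertEntry items for the CA chain."""
    entries = parse_keytool_list(listing)
    problems: List[str] = []
    trusted = [a for a, t in entries.items() if t == "trustedCertEntry"]
    if not trusted:
        problems.append("trust keystore holds no trustedCertEntry")
    for a in required_aliases:
        if entries.get(a.lower()) != "trustedCertEntry":
            problems.append(f"expected trusted CA alias '{a}' missing or wrong type")
    return problems


if __name__ == "__main__":
    for name, listing in (("identity", IDENTITY_LISTING), ("wrong identity", WRONG_IDENTITY_LISTING)):
        print(name, check_identity_keystore(listing, "wlsserver") or "OK")
    print("trust", check_trust_keystore(TRUST_LISTING, ["verisignroot", "verisignintermediate"]) or "OK")
```

To use it against a real keystore, pipe the output of `keytool -list -keystore <file>` into parse_keytool_list and pass the alias you configured in the console to check_identity_keystore; for the Verisign case, list both the root and the intermediate alias in required_aliases so a missing intermediate is reported rather than discovered at handshake time.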

Greg Murray

Oct 10, 2003, 10:45:34 PM

I've been trying to follow all of the above steps for a number of days
using a CA we have at my company, and with SSL debugging on, on
startup I continually get:

-------------------------
####<Oct 10, 2003 9:57:39 AM MDT> <Info> <WebLogicServer>
<gregmur2ksv> <portalServer> <main> <<WLS Kernel>> <> <BEA-000307>
<Exportable key maximum lifespan set to 500 uses.>

####<Oct 10, 2003 9:57:39 AM MDT> <Error> <WebLogicServer>
<gregmur2ksv> <portalServer> <main> <<WLS Kernel>> <> <BEA-000297>
<Inconsistent security configuration, java.lang.NullPointerException>

####<Oct 10, 2003 9:57:39 AM MDT> <Debug> <TLS> <gregmur2ksv>
<portalServer> <main> <<WLS Kernel>> <> <000000> <SSLListenThread:
inconsistent configuration

java.lang.NullPointerException
at weblogic.security.RSAKey.toString(RSAKey.java:212)
at java.lang.String.valueOf(String.java:2177)
at java.lang.StringBuffer.append(StringBuffer.java:361)
at weblogic.security.X509.toString(X509.java:287)
at java.lang.String.valueOf(String.java:2177)
at java.lang.StringBuffer.append(StringBuffer.java:361)
at weblogic.security.SSL.SSLCertificate.toString(SSLCertificate.java:436)
at weblogic.t3.srvr.SSLListenThread.initSSLContext(SSLListenThread.java:199)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:139)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:125)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1613)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:1020)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:359)
at weblogic.Server.main(Server.java:32)
>
####<Oct 10, 2003 9:57:39 AM MDT> <Emergency> <Security> <gregmur2ksv>
<portalServer> <main> <<WLS Kernel>> <> <BEA-090034> <Not listening
for SSL, java.io.IOException: Inconsistent security configuration,
null.>
-------------------------

Interestingly, the X509 class and the SSLCertificate classes were
deprecated in WLS 7.0. A successful startup using the demo keys
produces:

-------------------------
####<Oct 10, 2003 9:39:34 AM MDT> <Info> <WebLogicServer>
<gregmur2ksv> <portalServer> <main> <<WLS Kernel>> <> <BEA-000307>
<Exportable key maximum lifespan set to 500 uses.>

####<Oct 10, 2003 9:39:35 AM MDT> <Info> <WebLogicServer>
<gregmur2ksv> <portalServer> <main> <<WLS Kernel>> <> <BEA-000300>
<Certificate contents: 1 certificate(s):

fingerprint = a25c6c96fa2617b5fa0a3771aae4e755, not before = Tue Jul
22 12:10:23 MDT 2003, not after = Mon Jul 23 12:10:23 MDT 2018, holder
= C=US SP=MyState L=MyTown O=MyOrganization OU=FOR TESTING ONLY
CN=gregmur2ksv , issuer = C=US SP=MyState L=MyTown O=MyOrganization
OU=FOR TESTING ONLY CN=CertGenCAB , key = modulus length=65 exponent
length=3

>
-------------------------

I'm not sure what I'm missing, but I'm guessing it's something to do
with my identity cert - I just don't know what. Any ideas?

Thanks!

GM
