SSL证书安装指南 - BEA Weblogic 7.0
To install a certificate on BEA Weblogic follow the instructions below:
Fetch your certificate and the intermediate CA
1. You will receive an email when your certificate is issued.
2. Copy and Paste your WoSign certificate (first certificate) to Notepad and save as a cert.cer
5. Copy and Paste the intermediate CA (second certificate) to Notepad and save as a intermediate.cer
Note: If you are installing the certificate as a .pem file please download the certificate in standard format. If you are going to import the certificate into a keystore please download in PKCS#7 format.
To install your Certificate on BEA Weblogic follow the instructions below:
Certificates on BEA Weblogic 7.0 can be installed as a .pem file or in a keystore accessed via the Weblogic keystore provider. Please use option A if you are installing the certificate as a .pem file and option B if you are installing the certificate in a keystore.
Install your WoSign certificate
Please store your issued certificate and the Intermediate Certificate in the \wlserver7.0\config\mydomain directory.
Note : If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.
1. Configure WebLogic Server to use the SSL protocol, you need to enter the following information on the SSL tab in the Server Configuration window:
In the Server Certificate File Name field, enter the full directory location and name of the thawte issued certificate.
In the Trusted CA File Name field, enter the full directory location and name of Intermediate Certificate.
In the Server Key File Name field, enter the full directory location and name of the corresponding private key for your certificate. Defining Fields for the SSL Protocol.
2. Use the following command-line option to start WebLogic Server. -Dweblogic.management.pkpassword=password where password is the password defined when requesting the digital certificate.
Storing Private Keys and Digital Certificates
Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received from thawte into the \wlserver7.0\config\mydomain directory. Private key files and digital certificates are generated in either PEM or Definite Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file. A PEM (.pem) format private key file begins and ends with the following lines, respectively:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
A PEM(.pem) format digital certificate begins and ends with the following lines, respectively:
Note: Your digital certificate may be one of several digital certificates in the file, each of which is bounded by the BEGIN CERTIFICATE and END CERTIFICATE lines. Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.
The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain.
A DER (.der) format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file so be sure to save the file you receive from Thawte with the correct file extension.
Assign protections to the private key file and digital certificates so that only the system User of WebLogic Server has read privileges and all other users have no privileges to access the private key file or digital certificate. If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool to for converting DER-format files to PEM format, and visa versa.
Defining Trusted Certificate Authorities
When establishing an SSL connection, WebLogic Server checks the identity of the certificate authority against a list of trusted certificate authorities to ensure the certificate authority currently being used is trusted. Copy thawte SGC CA into the \wlserver6.0\config\mydomain directory of your WebLogic Server and set the fields described in Defining Fields for the SSL Protocol. This is the thawte SGC CA. The last digital certificate in the file chain will be Thawte?s digital certificate that is self-signed (that is, the rootCA certificate).
Open the Administration Console.
Open the Server Configuration window.
Select the SSL tab. Define the fields on this tab by entering values and checking the required checkboxes. (For details, see the following table.)
Click the Apply button to save your changes.
Reboot WebLogic Server.
The following table describes each field on the SSL tab of the Server Configuration window. Note: Remember if you are using a PKCS-8 protected private key, you need to specify the password for the private key on the command line when you start WebLogic Server.
Server Private Key Alias
The alias specified when loading the private key for WebLogic Server into the keystore. Define this attribute only if you stored the private key for WebLogic Server in a keystore.You must have the WebLogic Keystore provider configured to use this attribute.
All private key keystore entries are accessed via unique aliases. You specify the alias when loading the private key into the keystore. Aliases are case-insensitive; the aliases Hugo and hugo would refer to the same keystore entry.
Server Private Key Passphrase
The password specified when loading the private key for WebLogic Server into the keystore. Define this attribute only if you stored the private key for WebLogic Server in a keystore.You must have the WebLogic Keystore provider configured to use this attribute.
Server Certificate File Name
The directory location of the digital certificate for WebLogic Server.
If you are using a certificate chain that is deeper than two certificates, you need to include the entire chain in PEM format in the certificate file.
Server Key File Name
The directory location of the private key for WebLogic Server. Specify this attribute only if you stored the private key for WebLogic Server in a file.
If you protected the private key file with a password, specify the weblogic.management.pkpassword command-line argument when starting the server.
Trusted CA File Name
The name of the file containing the PEM-encoded trusted certificate authorities.
Install your certificate
Import the certificate into the keystore you created using the following command:
keytool -import -alias [keyEntry_friendly_name] -file certificate.crt -keystore [keystore_friendly_name]
Configure the Weblogic keystore provider
1. In the WebLogic Server Administration Console, expand the Security > Realms nodes.
2. Click the name of the realm you are configuring
3. Expand the Providers node.
4. Click Key Stores.
The Keystore tab appears. This tab displays the name keystore configured for the security realm. By default, the WebLogic Keystore provider is configured.
Note: The WebLogic Server Administration Console refers to the WebLogic Keystore provider as the DefaultKeystore.
5. Click DefaultKeystore.
6. On the General tab, enter the directory location of the keystore in the Private Key Store Location attribute.
This attribute requires both a directory and filename location that is either absolute or relative to root directory (that is, the domain directory) of the server.
Warning : On all supported operating systems, the keystore has to be located in the same place for all servers in the domain. Otherwise, WebLogic Server will not locate the keystore.
7. Enter the directory location of the keystore that contains trusted CA certificates in the Root CA Key Store Location attribute. (cacerts)
This attribute requires both a directory and filename location that is either absolute or relative to root directory (that is, the domain directory) of the server. This step is not required if both private keys and trusted CA certificates are stored in the same keystore.
8. Enter the password you specified when you created in the trusted CA keystore in the Private Keystore Pass Phrase attribute.
9. Click Apply to save your changes.
10. Reboot the WebLogic Server.