How to Install SSL Certificate on BEA WebLogic?
SSL is essential for transferring data securely between clients and servers, and BEA WebLogic (now Oracle WebLogic) is no exception.
This article shows a step-by-step process – from prerequisites to SSL installation – and will help you deploy an SSL-enabled BEA WebLogic Server flawlessly.
Before you start, know whether you are using keystores or PEM files, and understand enough of WebLogic’s SSL architecture to harden the server appropriately.
Prerequisites for Installing SSL on BEA WebLogic
Prior to beginning the installation of SSL, it is important to ensure that the environment is prepared. We will discuss all prerequisites in substantive detail in the following section so you will be able to install SSL without any obstacles.
- WebLogic Server Installation and Configuration
- Administrative Access to WebLogic Console
- SSL Certificate from CA
- Java Development Kit (JDK) Compatibility
- Access to the OpenSSL or Equivalent Utility
- A Valid Domain and Hostname
- File System Security and Access
- Firewall and Port Configuration
- Synchronizing Time with System Clock
- Backup of Existing Configuration
- Keystore Requirements (Optional)
- Knowledge of WebLogic Logging Mechanism
- Readiness to Restart Services
How to Set up SSL on BEA WebLogic?
Installing SSL on BEA WebLogic Server (now Oracle WebLogic) is one of the steps needed to secure data transfer between clients and servers.
WebLogic has a flexible SSL infrastructure, which allows one-way and two-way SSL authentication, with potential to use either PEM or DER formatted certificates and private keys.
Step 1: Get Familiar with WebLogic SSL Infrastructure
WebLogic uses the Java Secure Socket Extension (JSSE) and/or Certicom SSL implementations in order to secure communication from a client to a server.
WebLogic supports SSL protocols such as TLS 1.2 and TLS 1.3, and uses digital certificates to authenticate and encrypt data.
WebLogic lets administrators configure two separate keystores, identity and trust, which store private keys and certificate chains.
Step 2: Creating a Private Key and Certificate Signing Request (CSR)
If you do not already have a certificate, create a private key and CSR with OpenSSL or with the Certificate Request Generator servlet packaged with WebLogic.
For example, a possible OpenSSL command would be:
openssl req -newkey rsa:2048 -nodes -keyout private.key -out request.csr
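The CSR file (request.csr) will be sent to a Certificate Authority (CA) for signing. The private key file (private.key) must be kept secure and stored in a directory that WebLogic can access. Note that -nodes writes the key without encryption; omit it if the key should be protected by a passphrase, as Steps 6 and 8 assume.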
Step 3: Submit the CSR to a Certificate Authority (CA)
Submit your CSR to a trusted CA or your SSL Provider. After validating your identity, the CA will provide your SSL certificate files.
These usually include:
- Server Certificate
- One or more Intermediate Certificates
- Root Certificate
These certificates will establish the SSL certificate chain that WebLogic will use to identify itself to clients.
Step 4: Store Certificates in the WebLogic Domain Directory
Once you obtain your certificates, store them in a secure location, typically in your WebLogic domain directory (e.g. mydomain).
This directory must hold:
- Your server certificate (e.g. server-cert.pem).
- One or more Intermediate certificates.
- Root certificate.
- Private key (e.g. private-key.pem).
Ensure file names and directory hierarchy are recorded for consistency and debugging purposes.
Step 5: Build Certificate Chain File in PEM Format
When using a certificate chain with WebLogic, you must combine any intermediate or root certificates into a single PEM file.
The certificate chain must begin with an intermediate certificate and finish with the root certificate, which is self-signed.
A certificate chain might look like this:
-----BEGIN CERTIFICATE-----
… Intermediate Certificate …
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… Root Certificate …
-----END CERTIFICATE-----
This PEM file permits WebLogic to validate the server certificate through the trust path found in the chain to the root certificate.
Step 6: Ensure Certificates and Keys are PEM Format
All files must be in PEM format in order to work with WebLogic. A PEM certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
Similarly, an encrypted private key begins with -----BEGIN ENCRYPTED PRIVATE KEY-----.
If you have certificates or keys in DER format (binary format), you can convert to PEM using OpenSSL:
openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM
WebLogic also has built-in utilities for this. Verify that each file's actual format matches its extension (i.e. .pem for PEM).
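A pre-flight check for the files from Steps 4 to 6, as an added example that is not part of the original article or of WebLogic: it confirms the files are PEM, that the private key matches the server certificate, and that the chain runs intermediate first, root last. The function names, file names and throwaway demo certificates are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files described in Steps 4-6.

is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# The key and certificate belong together when their public keys are identical.
key_matches_cert() {  # $1 = private key, $2 = server certificate
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Walk server certificate + chain file: every issuer must equal the next
# subject, and the last certificate must be self-signed (the root).
chain_order_ok() {  # $1 = server certificate, $2 = chain file
  openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null | awk '
      /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
      /^issuer=/  { sub(/^issuer= */, "");  iss[++m] = $0 }
      END { if (n < 2 || n != m) exit 1
            for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) exit 1
            exit (iss[n] != subj[n]) }'
}

preflight() {  # $1 = private key, $2 = server certificate, $3 = chain file
  is_pem_cert "$2" && is_pem_cert "$3" && key_matches_cert "$1" "$2" &&
    chain_order_ok "$2" "$3" && openssl verify -CAfile "$3" "$2" >/dev/null 2>&1
}

# Constructed throwaway PKI (demo names, 2-day lifetime) so the checks run offline.
make_demo_pki() {  # $1 = empty working directory
  ( cd "$1" && printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
    for n in root int server; do
      openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
        -keyout "$n.key" -out "$n.csr" || exit 1
    done &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.pem &&
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out server.pem &&
    cat int.pem root.pem > chain.pem &&     # order required by Step 5
    cat root.pem int.pem > chain-bad.pem    # reversed: root before intermediate
  ) >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d" &&
  preflight "$d/server.key" "$d/server.pem" "$d/chain.pem" && echo "chain.pem: ready"
preflight "$d/server.key" "$d/server.pem" "$d/chain-bad.pem" || echo "chain-bad.pem: rejected"
```

For a passphrase-protected key, add -passin to the openssl pkey call in key_matches_cert; without it the comparison fails when no terminal is available to prompt.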
Step 7: Set Up WebLogic SSL Settings
Log into the WebLogic Admin Console and configure SSL for your server:
- Proceed to Environment > Servers > [Server Name] > Configuration > SSL.
- Then specify the following:
- In the Private Key File Name field specify the path to your PEM formatted private key file.
- In the Server Certificate File Name field specify the path to your PEM formatted server certificate.
- In the Trusted CA File Name field specify the path to your certificate chain file.
- Save and activate changes.
These configurations tell WebLogic how to locate and use your SSL resources.
Step 8: Define the Private Key Password
To set your private key password, you must include an option when starting WebLogic Server. The option is:
-Dweblogic.management.pkpassword=yourpassword
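This option gives WebLogic the password it needs to decrypt and use the private key. A password passed as a command-line option is visible in the server's process listing and in any start script that contains it, so restrict access to both.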
Step 9: Configure SSL on the Server
In the Admin Console:
- Go to Environment > Servers > [Server Name] > Configuration > General.
- Select the SSL Listen Port Enabled checkbox.
- Choose an SSL listen port (e.g., 7002 or 443); this is the port that will accept secure connections.
- Save and restart the server.
The SSL port is now configured, allowing clients to connect to WebLogic securely using HTTPS and other secure communication methods.
Step 10: Restart the WebLogic Server
Once you have completed all of the configuration for SSL, you will want to restart the WebLogic Server to allow the changes to be applied.
Restarting the WebLogic Server ensures that SSL is initialized with the correct certificates and key files. Watch the logs for SSL-related errors such as file path issues, password failures and handshake failures.
Step 11: Verify SSL Installation
To verify your SSL installation, you can either use a graphical browser or verify via command line utilities such as openssl or curl:
openssl s_client -connect yourdomain.com:7002
You should see a certificate chain, the cipher suite, and the protocol version. Verify that the certificate is valid and has a complete trust chain. You can also check that the padlock icon appears when you access your site through a browser via HTTPS.
Step 12: Optional – Set up Two-way SSL
If you wish to have mutual authentication, you can set up two-way SSL in the following way:
- Navigate to Environment > Servers > [Server Name] > SSL.
- Choose Client Certificate Enforcement and set it to either Need or Want.
- Import client CA certificates in Trust keystore.
- Set up the client to present its certificate.
Two-way SSL makes it harder to impersonate a connecting party, which makes it well-suited for API endpoint security and internal applications.
Step 13: Keep an Eye on SSL Settings
Check SSL certificates for upcoming expiration and renew them in advance to prevent service downtime. Use a calendar reminder or monitoring software to track expiration dates.
Test your SSL setup occasionally with SSL Labs or Certera to ensure you’re using security best practices.
Step 14: Troubleshooting Common SSL Issues
Some common SSL issues in WebLogic include:
- Invalid Certificate Chain: Ensure all intermediate and root certificates are correctly ordered.
- Password Errors: Re-enter the -Dweblogic.management.pkpassword option.
- Unsupported Format: Convert keys or certificates to PEM format.
- Permission Issues: Ensure WebLogic has read access to the key and certificate files.
Re-examine the WebLogic logs for details, and increase verbosity as needed using:
-Dweblogic.StdoutDebugEnabled=true
-Dweblogic.security.SSL.verbose=true
Conclusion
Your WebLogic Server can be secured and your sensitive data protected very easily when you obtain your SSL certificate from CheapSSLWeb! We offer low prices, top-tier Certificate Authorities, and support that is available 24/7, and will help you through every step of the way.