Wednesday, September 15, 2010

Configuring SSL on Weblogic

Set the PATH so that the three tools used below are found:
C:\j2sdk1.4.2_04\bin;          for java
C:\j2sdk1.4.2_04\jre\bin;      for keytool
C:\Program Files\GnuWin32\bin  for openssl


WebLogic Server listens for SSL on its default port of 7002 (plain HTTP is on 7001).
SSL adds CPU overhead for the handshake and for encrypting traffic, so it is often left off in dev environments. Always use it in production environments.
To set up SSL:
1) SSL needs two things: an identity (the server's private key and digital certificate) and trust (the trusted root CA certificates). WebLogic ships demo identity and trust keystores generated with its CertGen utility, and the Java keytool can create your own; for production you obtain the certificate from a third-party CA such as VeriSign or Thawte.
2) Store the private key with its certificate, and the trusted CA certificates, in keystores.
3) Configure the identity and trust keystores, with their passwords, in the admin console.
Where the private key, digital certificate and trusted roots come from:
         To use SSL the server needs a private key, a digital certificate containing the matching public key, and at least one trusted CA certificate. Demo versions of all of these ship in WL_HOME/server/lib.
         You can create your own with the Java keytool, which generates a private key, a self-signed digital certificate and a CSR. For a third-party certificate, generate a CSR, send it to the CA, and the CA returns the signed certificate.
        You can also generate them with CertGen, which is meant for demonstration only. The demonstration certificate WebLogic provides uses the machine's hostname as its Common Name.
Using the CertGen utility:
       CertGen generates a private key and a digital certificate for demo purposes. CertGenCA.der and CertGenCAkey.der, found in WL_HOME\server\lib, are the default CA certificate and key that CertGen signs with; point at them with -cacert and -cakey if CertGen cannot find them.
       To use CertGen, put WL_HOME\server\lib\weblogic.jar on the CLASSPATH (running WL_HOME\server\bin\setWLSEnv.cmd does this), then execute the commands below for the different purposes.
1) To generate the certificate, execute the following command (every option is optional; omitted ones take CertGen's defaults):
$ java utils.CertGen
    [-cacert <ca_cert_filename>] [-cakey <ca_key_filename>]
    [-cakeypass <ca_key_password>] [-selfsigned]
    [-certfile <certfile>] [-keyfile <privatekeyfile>]
    [-keyfilepass <keyfilepassword>] [-strength <keystrength>]
    [-cn <commonname>] [-ou <orgunit>] [-o <organization>]
    [-l <locality>] [-s <state>] [-c <countrycode>]
    [-subjectkeyid <subjectkeyidentifier>]
    [-subjectkeyidformat UTF-8|BASE64]
If you specify -selfsigned there is no need for -cacert and -cakey; those name the CA key and certificate that CertGen signs with, and default to CertGenCA.der and CertGenCAkey.der when omitted. Pass -cn with the name clients will connect to, otherwise the Common Name defaults to the machine hostname.
2) Use the ImportPrivateKey utility to load the digital certificate and private key into a keystore.
        As already noted, CertGen defaults the Common Name to the hostname: it calls java.net.InetAddress.getLocalHost().getHostName() and puts the result in the CN.
         That name need not be the one clients use. The hostname command returns the name configured on the machine (which may or may not be the fully qualified domain name listed in /etc/hosts), while java.net.InetAddress.getHostName() resolves the address through the name services configured in /etc/nsswitch.conf, so the two can disagree. If the CN does not match the name clients connect with, hostname verification fails on the client side.

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/ssl.html


Install SSL Certificate BEA WebLogic Server 8 & 9

Download and copy your certificate files to your server

Download your SSL certificate and support files by clicking on the download link in your fulfillment email or from your GeoCerts SSL Manager account. Download the PKCS#7 formatted version of your certificate; it bundles the site certificate with the intermediate certificate.
  1. Use the following command to install the PKCS#7 certificate into your keystore. You MUST use the same keystore that holds your private key and was used to generate the CSR, and you MUST use the same alias used when the keystore was created; in this case the alias was tomcat:
    keytool -import -trustcacerts -alias tomcat -file your_site_name.p7b -keystore mykeystore.jks
  2. Enter your keystore password.
  3. If keytool cannot verify the reply's chain against the cacerts trust store you will get the following prompt:
    ... is not trusted. Install reply anyway? [no]:  yes
  4. Before answering, confirm that the top-level certificate shown is the CA's genuine root (compare its fingerprint with the one the CA publishes), then enter 'yes' and hit Enter.
  5. You should get the following response:
    Certificate reply was installed in keystore
The SSL certificate and intermediate certificate are now installed in your keystore. Confirm with keytool -list -v that the tomcat entry now carries a certificate chain longer than one; a chain of length 1 means the reply was not installed and the server would still present the self-signed certificate.
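The whole keystore procedure, from generating the key through importing the CA reply, as one script. This is an added example, not code from the original post or from BEA/Oracle. It assumes a POSIX shell (Cygwin or Git Bash on Windows) with a JDK 7 or later keytool on PATH: the -genkeypair/-importcert spellings and the -ext SAN option do not exist in the JDK 1.4 keytool the PATH above points at, where the equivalents are -genkey, -certreq and -import without -ext. The file names, the alias 'tomcat', the passwords and the DN are placeholders; set the CN and SAN to the name clients will actually connect to, which is the point made under CertGen above.

```shell
#!/bin/sh
# Added example (not from the original post): the keystore procedure above as
# one script. Assumes a POSIX shell with a JDK 7+ keytool on PATH; file names,
# aliases, passwords and the DN are placeholders.
set -eu

KEYSTORE=${KEYSTORE:-mykeystore.jks}
KEY_ALIAS=${KEY_ALIAS:-tomcat}      # alias the post uses; reuse it for the CA reply
STOREPASS=${STOREPASS:-changeme-store}
KEYPASS=${KEYPASS:-changeme-key}    # the "Private Key Passphrase" WebLogic asks for
# CN and SAN must be the name clients connect to, not whatever
# InetAddress.getLocalHost().getHostName() happens to return.
FQDN=${FQDN:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost)}

# 1. Identity: private key plus a self-signed placeholder certificate.
gen_identity() {
    keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=$FQDN, OU=IT, O=Example Corp, L=MyTown, ST=MyState, C=US" \
        -ext "SAN=dns:$FQDN" -validity 365 \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# 2. CSR for the CA, generated from that key (the key itself never leaves the keystore).
make_csr() {    # make_csr <out.csr>
    keytool -certreq -alias "$KEY_ALIAS" -ext "SAN=dns:$FQDN" -file "$1" \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# 3. Trust: the CA's root and intermediate certificates, each under its own alias.
import_ca() {   # import_ca <alias> <cert-file>
    keytool -importcert -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS"
}

# 4. The CA reply (PEM, DER or PKCS#7) goes under the SAME alias as the key, so
# keytool replaces the placeholder with the issued chain instead of creating a
# second, unrelated trusted-cert entry. No -noprompt here on purpose: the
# "Install reply anyway?" prompt means the chain did not verify, which should
# be investigated rather than auto-accepted.
import_reply() {    # import_reply <reply-file>
    keytool -importcert -trustcacerts -alias "$KEY_ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Check: prints the chain length of the key entry. 1 means the reply was never
# installed (still the self-signed placeholder); 2 or more means CA-issued.
chain_length() {
    keytool -list -v -alias "$KEY_ALIAS" -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: *//p'
}

# Typical run:
#   gen_identity; make_csr server.csr            # send server.csr to the CA
#   import_ca root root.cer; import_ca intermediate inter.cer
#   import_reply your_site_name.p7b; chain_length
```

The private key password is deliberately different from the keystore password, because the console asks for both separately (see the Passphrase fields further down); if you keep them the same, make sure the console still gets a value for each.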

Configure the Identity and Trust keystores

  1. Expand the Servers node and select the name of the server for which you want to configure keystores.
  2. Select the 'Keystores and SSL' tab to configure the keystores for that server.
  3. By default, WebLogic ships with demo certificates for testing purposes. Click the 'Change' link in the upper-right portion of the configuration items. This will display the drop-down list of configuration options.
  4. Choose 'Custom Identity and Java Standard Trust' from the list.
  5. Specify the identity keystore information:
    [Custom Identity]
    • Custom Identity Key Store File Name: c:\full\path\to\mykeystore.jks (the fully qualified path to your keystore)
    • Custom Identity Key Store Type: jks (generally this attribute is jks)
    • Custom Identity Key Store Pass Phrase: keystore password (the password defined when creating the keystore; if you don't know it you have to start over)
    • Confirm Custom Identity Key Store Pass Phrase: keystore password (same as above)
    [Java Standard Trust]
    • Java Standard Trust Key Store Pass Phrase: changeit (unless your system admin changed it, the password for the JDK's cacerts keystore in JAVA_HOME\jre\lib\security is "changeit"; with this choice the server trusts whichever CAs that JDK ships with)
    • Confirm Java Standard Trust Key Store Pass Phrase: changeit
    • Click Continue
    [Review SSL Private Key Settings]
    • Private Key Alias: keyEntry_friendly_name (if you followed the instructions above to generate the private key the alias is 'tomcat'. The alias is the friendly name for your keyEntry (private key); if you do not remember it, run keytool -list -keystore [keystore_file_name] -v against your keystore to confirm it)
    • Passphrase: keyEntry_password (the keyEntry (private key) password, which may differ from the keystore password)
    • Confirm Passphrase
  6. Click Continue
  7. Click Finish
  8. Restart WebLogic Server.
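After the restart, check what the server actually presents on 7002 before calling the job done: that it is not the CertGen demo certificate, that the name matches the one clients use, and that it is not about to expire. This is an added example, not code from the original post or from BEA/Oracle; it assumes a POSIX shell with openssl on PATH (the GnuWin32 build added to PATH at the top of this post works). The "FOR TESTING ONLY" string is the organizational unit seen in WebLogic's CertGen demo certificates and is treated here as an assumed marker; the host name wls.example.test and the file names are placeholders. Pass as the expected name the fully qualified name clients connect with, not the bare hostname CertGen would have put in the CN.

```shell
#!/bin/sh
# Added example (not from the original post): audit what a WebLogic server
# really presents on its SSL port. Assumes a POSIX shell with openssl on PATH.
set -eu

# Pull the server's leaf certificate into a PEM file (7002 is WebLogic's
# default SSL port). Closing stdin makes s_client exit after the handshake.
fetch_cert() {  # fetch_cert <host> <port> <out.pem>
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Audit a PEM certificate against the name clients will use. Prints one line
# per finding and returns the number of findings, so 0 means clean.
audit_cert() {  # audit_cert <cert.pem> <expected-fqdn>
    cert=$1; expect=$2; findings=0
    # RFC2253 formatting gives the same "CN=x,OU=y,..." layout on every OpenSSL version.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    dns_names=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p')

    # 1. Demo identity: WebLogic's CertGen demo certificates carry OU=FOR TESTING ONLY
    #    (assumed marker; confirm against the CertGenCA.der in your own kit).
    case "$subject$issuer" in
        *"FOR TESTING ONLY"*) echo "demo (CertGen) certificate: $issuer"; findings=$((findings+1)) ;;
    esac
    # 2. Self-signed: subject and issuer are the same DN.
    if [ "${subject#*=}" = "${issuer#*=}" ]; then
        echo "self-signed certificate: $subject"; findings=$((findings+1))
    fi
    # 3. Name mismatch: the CN, or one SAN dNSName, must equal the client-facing name.
    if [ "$cn" != "$expect" ] && ! printf '%s\n' "$dns_names" | grep -qxF "$expect"; then
        echo "name mismatch: wanted $expect, got CN=$cn SAN=$(printf '%s' "$dns_names" | tr '\n' ' ')"
        findings=$((findings+1))
    fi
    # 4. Expiry: -checkend exits non-zero when the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((30*86400)) >/dev/null; then
        echo "certificate expires within 30 days"; findings=$((findings+1))
    fi
    return "$findings"
}

# Typical run against a live server:
#   fetch_cert wls.example.test 7002 live.pem && audit_cert live.pem wls.example.test
```

This looks only at the leaf certificate the server sends. To check that the whole chain verifies against your trust store, add -CAfile with the CA's root to the s_client call and read its "Verify return code" line.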
