SSL Certificate Installation Guide - BEA WebLogic 6.0
To install a certificate on BEA WebLogic 6.0, follow the instructions below:
Fetch your certificate and the WoSign CA certificates
1. You will receive an email when your certificate is issued.
2. Copy and paste your certificate (the first certificate in the email) and the Intermediate CA certificate (the second certificate) into two separate Notepad files.
- If you have a PEM format private key, copy and paste your WoSign certificate into Notepad and save it as cert.pem.
- If you have a DER format private key, save the SSL certificate, the Intermediate CA certificate and the root certificate in DER format as well.
- To convert a certificate to DER format:
- Copy and paste the certificate into a Notepad file.
- Save the file with a .cer extension (Windows 2000 and later).
- Double-click the .cer file, select the Details tab, click Copy to File..., and choose "DER encoded binary X.509 (.CER)" as the export format.
- The resulting file has a .cer extension; rename it to .der so that WebLogic Server recognizes the format (it selects the parser from the file extension). A .der file can hold only one certificate, so export the server certificate, the Intermediate CA certificate and the root certificate as three separate files.
Store your issued certificate and the Intermediate CA certificate in the \wlserver6.0\config\mydomain directory.
Note: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#8 PEM format (an encrypted PKCS#8 key uses PKCS#5 password-based encryption and begins with -----BEGIN ENCRYPTED PRIVATE KEY-----). A key in another format, such as PKCS#1 (-----BEGIN RSA PRIVATE KEY-----), does not meet this requirement.
1. Configure WebLogic Server to use the SSL protocol by entering the following information on the SSL tab of the Server Configuration window (the fields are described in the SSL Protocol Fields table below):
In the Server Certificate File Name field, enter the full directory location and name of your issued certificate (for example cert.pem).
In the Trusted CA File Name field, enter the full directory location and name of the Intermediate CA certificate file.
In the Server Key File Name field, enter the full directory location and name of the private key that corresponds to your certificate.
2. Start WebLogic Server with the following command-line option: -Dweblogic.management.pkpassword=password, where password is the password defined when the certificate request was generated; WebLogic Server needs it to read the encrypted private key. Because a -D option is part of the process command line, anyone who can list processes on the host can read it, so limit shell access on the server accordingly.
Storing Private Keys and Digital Certificates
Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received from the CA into the \wlserver6.0\config\mydomain directory. Private key files and digital certificates are generated in either PEM or Distinguished Encoding Rules (DER) format. The filename extension identifies the format of the file. A PEM (.pem) format private key file begins and ends with the following lines, respectively:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
A PEM(.pem) format digital certificate begins and ends with the following lines, respectively:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Note: Your digital certificate may be one of several digital certificates in the file, each bounded by BEGIN CERTIFICATE and END CERTIFICATE lines. Typically, the digital certificate for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.
The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain (the CA that issued the server certificate). Each following certificate is the next link in the chain, the issuer of the one before it. The last certificate in the file is a self-signed digital certificate, the root, which ends the chain.
A DER (.der) format file contains binary data and can hold only one certificate. WebLogic Server chooses how to parse a file from its extension, so save the file you receive from your CA with the extension that matches its contents: a file that starts with -----BEGIN is PEM, a binary file is DER.
Assign permissions to the private key file and digital certificates so that only the system user WebLogic Server runs as can read them and no other user has any access (on Unix, for example, owner read-only, mode 0400; on Windows, restrict the file's ACL to the WebLogic service account). If you are creating a file with the digital certificates of multiple certificate authorities, or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool for converting DER-format files to PEM format, and vice versa.
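The rules stated above (extension must match content, a .der file holds one object, chains and multi-CA files must be PEM, the key is a PKCS#8 PEM object readable only by the server user, and an encrypted key needs -Dweblogic.management.pkpassword at startup) can be checked before WebLogic Server is pointed at the files, and the same helpers cover the PEM-to-DER conversion described in the fetch steps. The following Python script is an added example and is not part of this guide or of WebLogic; the sample bytes at the bottom are constructed (a minimal DER SEQUENCE), not real certificates or keys.

```python
"""Pre-flight checks for the key and certificate files WebLogic 6.0 reads.
Added example, not part of the guide or of WebLogic.  Rules encoded: the
.pem/.der extension must match the content, a .der file holds one object
(chains must be PEM), the key is PKCS#8 PEM, the key file is owner-only."""
import base64
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PKCS8_LABELS = {"ENCRYPTED PRIVATE KEY", "PRIVATE KEY"}  # PKCS#8 PEM labels

def pem_blocks(pem):
    """[(label, der_bytes)] for every PEM block in the file bytes."""
    text = pem.decode("ascii", "replace")
    return [(lab, base64.b64decode("".join(b64.split()))) for lab, b64 in PEM_BLOCK.findall(text)]

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap one DER object as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)).encode("ascii")

def pem_to_der(pem):
    """The single DER object of a one-block PEM file; a chain is refused."""
    blocks = pem_blocks(pem)
    if len(blocks) != 1:
        raise ValueError("expected one PEM block, found %d" % len(blocks))
    return blocks[0][1]

def der_is_single_object(data):
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose definite
    length covers the whole buffer; two objects concatenated give False."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                        # short-form length
        length, hdr = first, 2
    else:                                   # long form: 0x8n then n bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)

def sniff_format(data):
    """Decide PEM/DER from the bytes alone, ignoring the file name."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    return "DER" if data[:1] == b"\x30" else "unknown"   # 0x30 = SEQUENCE tag

def _extension_problems(filename, data):
    """WebLogic picks its parser from the extension, so it must match the bytes."""
    want = {".pem": "PEM", ".der": "DER"}.get(os.path.splitext(filename)[1].lower())
    have = sniff_format(data)
    if want is None:
        return ["extension must be .pem or .der"]
    return [] if have == want else ["extension says %s but content is %s" % (want, have)]

def check_cert_file(filename, data):
    """Problems (empty list = OK) for a certificate, chain or trusted-CA file."""
    problems = _extension_problems(filename, data)
    fmt = sniff_format(data)
    if fmt == "PEM":
        blocks = pem_blocks(data)
        if not blocks:
            problems.append("no PEM blocks found")
        for label, der in blocks:
            if label != "CERTIFICATE":
                problems.append("unexpected %r block in a certificate file" % label)
            elif not der_is_single_object(der):
                problems.append("a CERTIFICATE block is not one well-formed DER object")
    elif fmt == "DER" and not der_is_single_object(data):
        problems.append("a .der file holds one certificate; save chains as PEM")
    return problems

def check_key_file(filename, data, mode):
    """Problems for the Server Key File; mode is os.stat(path).st_mode."""
    problems = _extension_problems(filename, data)
    if sniff_format(data) == "PEM":
        labels = [label for label, _ in pem_blocks(data)]
        if len(labels) != 1:
            problems.append("key file must hold exactly one PEM block")
        elif labels[0] not in PKCS8_LABELS:
            problems.append("%r is not PKCS#8 (RSA PRIVATE KEY is PKCS#1)" % labels[0])
    if stat.S_IMODE(mode) & 0o077:          # guide: only the server user may read it
        problems.append("mode %o lets group/other access the key" % stat.S_IMODE(mode))
    return problems

def needs_pk_password(key_data):
    """True for the encrypted PKCS#8 form: start WebLogic with -Dweblogic.management.pkpassword."""
    return b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in key_data

# Constructed samples: a minimal DER SEQUENCE { INTEGER 1 }, not a real certificate or key.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT_PEM = der_to_pem(FAKE_DER)
SAMPLE_CHAIN_PEM = SAMPLE_CERT_PEM * 2
SAMPLE_KEY_PEM = der_to_pem(FAKE_DER, "ENCRYPTED PRIVATE KEY")
```

Run the checks against the real files with open(path, "rb").read() and os.stat(path).st_mode before editing the SSL tab. The mode check reflects Unix permission bits only; on Windows, Python's st_mode does not describe the ACL, so verify the file's Security tab by hand.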
Defining Trusted Certificate Authorities
When establishing an SSL connection, WebLogic Server checks the certificate authority that issued the peer's certificate against its list of trusted certificate authorities, so that only certificates from a trusted CA are accepted. Copy the Intermediate CA certificate into the \wlserver6.0\config\mydomain directory of your WebLogic Server and set the Trusted CA File Name field described in the SSL Protocol Fields table below. The last digital certificate in the chain file is the CA's self-signed root certificate.
Open the Administration Console.
Open the Server Configuration window.
Select the SSL tab. Define the fields on this tab by entering values and checking the required checkboxes. (For details, see the following table.)
Click the Apply button to save your changes.
Reboot WebLogic Server.
The following table describes each field on the SSL tab of the Server Configuration window. Note: If you are using a password-protected PKCS#8 private key, you must specify the password for the private key on the command line when you start WebLogic Server (the -Dweblogic.management.pkpassword option described above).
SSL Protocol Fields

Enabled
    Checkbox that enables the use of the SSL protocol. By default, this field is enabled.

SSL Listen Port
    The number of the dedicated port on which WebLogic Server listens for SSL connections. The default is 7002.

Server Key File Name
    The full directory location and name of the private key file for WebLogic Server. The file extension (.der or .pem) tells WebLogic Server how to read the contents of the file.

Server Certificate File Name
    The full directory location and name of the digital certificate file for WebLogic Server. The file extension (.der or .pem) tells WebLogic Server how to read the contents of the file.

Server Certificate Chain File Name
    The full directory location and name of the file holding the rest of the digital certificates in the WebLogic Server's chain. The file extension (.der or .pem) tells WebLogic Server how to read the contents of the file; a chain with more than one certificate must be PEM.

Client Certificate Enforced
    Checkbox that enables mutual authentication: the client must present a digital certificate issued by a certificate authority in the Trusted CA file.

Trusted CA File Name
    The name of the file that contains the digital certificate(s) of the certificate authorities trusted by WebLogic Server. The file can contain a single digital certificate or multiple certificate-authority certificates. The file extension (.der or .pem) tells WebLogic Server how to read the contents of the file.

CertAuthenticator
    The name of the Java class that implements the CertAuthenticator interface.

Use Java
    Checkbox that enables the use of native Java libraries. WebLogic Server provides a pure-Java implementation of the SSL protocol; native Java libraries enhance the performance of SSL operations on the Solaris, Windows NT, and IBM AIX platforms. By default, this field is not enabled.

Use Encrypted Keys
    Field that specifies that the private key for WebLogic Server has been encrypted with a password. The default is false. The key file described in this guide is encrypted (it begins with -----BEGIN ENCRYPTED PRIVATE KEY-----), so set this field to true and supply the password with -Dweblogic.management.pkpassword at startup.

Handler Enabled
    Checkbox that specifies whether WebLogic Server rejects SSL connections that fail client authentication for one of the following reasons:
    - the requested client digital certificate was not furnished;
    - the client did not submit a digital certificate;
    - the digital certificate from the client was not issued by a certificate authority listed in the Trusted CA File Name field.
    By default, the SSL handler also allows one WebLogic Server to make outgoing SSL connections to another WebLogic Server; for example, an EJB in WebLogic Server may open an HTTPS stream to another Web server. With the Handler Enabled field enabled, WebLogic Server can act as a client in an SSL connection. By default this field is enabled.

Export Key Lifespan
    The number of times WebLogic Server uses an exportable key between a domestic server and an exportable client before generating a new one. The more secure you want WebLogic Server to be, the fewer times the key should be used before a new one is generated. The default is 500 uses.

Login Timeout Millis
    The number of milliseconds that WebLogic Server waits for an SSL connection to complete before timing out. The default value is 25,000 milliseconds. SSL connections take longer to negotiate than plain connections; if clients connect over the Internet, raise the default to accommodate the additional network latency.

Certificate Cache Size
    The number of digital certificates that are tokenized and stored by WebLogic Server. The default is 3.