In this article I want to share you some useful statements that for creating SSL connection on the Oracle Application Server, this is the Weblogic Server. But can also be applied on others app servers.
To create an outgoing SSL connection, you need the public certificate from the external party you want to connect. This can be obtained via your browser; enter the https://servername:443/query/end/point?WSDL in your browser.
Click on the icon in the location bar to show the certificate. Now you can export this public certificate to a ".cer" file. This file you need to apply on your application server.
On the application server, in my example a Java Application Server; such as Weblogic, the public certificate must be loaded into the "keystore". The keystore is a file that contains all the public certificates which you application server is using to connect to secure sites. To control your keystore, use the following statements;
- By default in java, the default keystore is named 'cacerts' and has the default password 'changeit'
- The cacerts file is located in your $JAVA_HOME/jre/lib/security directory.
- Make a copy of your cacerts file before making any changes.
List all the public certificates
keytool -list -v -keystore ./cacerts -storepass changeit keytool -list -v -alias www.thawte.com -keystore ./cacerts -storepass changeit
Delete a public certificate based on an alias:
keytool -delete -alias www.thawte.com -keystore ./cacerts -storepass changeit
Add a public certificate with an alias:
keytool -import -alias www.thawte.com -keystore ./cacerts -file public_thawte_com.cer -storepass changeit
Add a public certificate with an alias and trust all the CA's:
keytool -import -v -trustcacerts -alias staatdernederlandenrootca -file staatdernederlandenrootca.crt -keystore ./cacerts -storepass changeit
Export a public certificate from the keystore:
keytool -export -alias www.thawte.com -keystore ./cacerts -file public_thawte_com.cer -storepass changeit
Certificates come in different formats; p7b, p12, pem and cer. Each format has its own purpose. In general, a p7b file contains only the public certificate. The p12 contains the public certificate and the private key. The p12 file is used to for exchanging client certificates.
To convert file formats for your keystore, you should use OpenSSL. This is by default the best tool, available on any platform. The tool is command line based, but there is also various GUI tools available.
Converting a p7b file to p12 format:
openssl pkcs7 -print_certs -in vijfhuizen.com.p7b > vijfhuizen.com.cer
Change the vijfhuizen.com.cer file: remove any chain certificates:
-----BEGIN CERTIFICATE----- d2bmW4werweNSIdV7qXEntvJILc519AHJJDePHrT9SjavljmK0lTRfM1awv5n4355 HUsvvi3c0AEsjypd3bIcm4fXY6IF34cuRVpb++fzASVO8Bwl3LOE9PqnHr9zIRtlv .... MIIsE2zCCA8OgAwIBAgIEATFjtjANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGwwJO Rmh3IrH60ylbuqmeGRnJM8qYBHzVyOWAT2ruVhNKMcXD+TnUEU2QZDfmcnNKOIM -----END CERTIFICATE----
openssl pkcs12 -export -in vijfhuizen.com.cer -inkey vijfhuizen.com.private.key -out vijfhuizen.com.p12 -name vijfhuizen.com.name
Convert PEM format in to DER format:
openssl x509 -in vijfhuizen.com.pem -inform PEM -out vijfhuizen.com.crt -outform DER
After you have created your SSL certificates, key, keystores, you want to test if the SSL configuration is valid. Here is a nice tool to do:
#!/bin/bassh export ORACLE_HOME=/opt/weblogic/Middleware export PATH=.:$PATH:$ORACLE_HOME/jdk/bin EXEC_DIR=`dirname $0` STOR_DIR=$ORACLE_HOMEjdk/jre/lib/security java -cp $EXEC_DIR -Djavax.net.ssl.trustStore=$STOR_DIR/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl,handshake -Djavax.net.ssl.keyStore=$STOR_DIR/vijfhuizen.com.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=changeit Client https://www.thawte.com/roots
The Client class can be downloaded here.
If the test is not working, you could get an error such as:
"unable to find valid certification path to requested target"
This due to the fact, that the certificate in your keystore is not complete, or the certificate is not available at all. A very cool solution is written here. This tool will automatic download the public certificate from the website and load this into a copy of your existing keystore (cacerts) into a file named jsscacerts. De java code for this tool is here.
The only thing you have to do, is to use this jsscacerts file to replace the existing keystore, or export the public certificate from this keystore, based on the alias, and import this in the keystore.