Step by step – HowTo implement encryption for Weblogic 6.1 (WLS6.1)

Problem

You want to implement encryption between the web server and the backend Weblogic server.



Solution

Save yourself the 8 hours it took me to debug this one! 🙂

Handed to you on a plate – clear, simple and proven. 😉

Generate a self signed cert as described in my post Generating a self signed cert with openssl.

One gotcha is if your WLS has only an export license: that limits you to 56-bit bulk ciphers and a 512-bit RSA key, so a certificate with a bigger key will simply not load. (512-bit RSA is far below any modern minimum and can be factored cheaply; only use it where the export license forces you to, and get the license upgraded if you can.)



Example


Therefore you need to generate the key and request like this (2 years):

openssl req -newkey rsa:512 -days 730 -keyout newreq.pem -out newreq.pem

Note that this writes both the private key and the certificate request into newreq.pem; the request still has to be signed by your demoCA as in the post above. Without -x509 the -days value is ignored by openssl req, so the 2-year validity is actually set at signing time (or by adding -x509 if you sign the cert yourself).

To check if you have an export license,

grep -i export /opt/bea/license.xml

– will show something like this:

license component="SSL/Export" expiration="never …

Another tip suggested by BEA is to make sure the files (cert, key and CA cert) all end with the extension .pem.

Once you have the new key, cert and your CA cert (default demoCA/cacert.pem), copy them into /opt/bea/wlserver6.1/config/bpmdomain/myserver (or the location where you have Weblogic installed).

In our version we use wlintegration – so our path is /opt/bea/wlintegration2.1/config/bpmdomain/myserver



Reference

Subsequently these files are referenced from config.xml as the attributes below on the server's SSL element (replace the file names with the ones you created and your CA; the same element carries the SSL listen port, 7002 by default, so check it there too):

ServerCertificateChainFileName="./config/bpmdomain/myserver/ca…..pem"
ServerCertificateFileName="./config/bpmdomain/myserver/…crt…..pem"
ServerKeyFileName="./config/bpmdomain/myserver/…key….pem"
TrustedCAFileName="./config/bpmdomain/myserver/ca…..pem"/>

For the Apache plug-in (mod_weblogic) to work, modify its config to look something like this (after copying your CA cert file to the location named by TrustedCAFile):

<IfModule mod_weblogic.c>
    WebLogicHost hostname
    WebLogicPort 7002
    SecureProxy On
    TrustedCAFile yourcafile.pem
    RequireSSLHostMatch false
    ConnectTimeoutSecs 60
    Debug Off
    ErrorPage https://xxxx/outage.html
</IfModule>

SecureProxy On is what switches the plug-in to SSL, and TrustedCAFile is the CA it validates the WebLogic server certificate against. RequireSSLHostMatch false turns off the check that the certificate's subject matches WebLogicHost; it is convenient when the cert was issued to a different name, but it means a server presenting any cert signed by that CA will be accepted, so leave it at the default (true) if your cert's CN matches the host.

Notice the different port (7002) – default Weblogic SSL port. You need to ensure this is open from the firewall.

See my perl network connectivity checking tips here.
You can also use the listenport code to listen on 7002 on the application server, then the scanport code to attempt to connect from the web server.

That way you know it will work, even before entering change control! 🙂
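The pre-change checks described on this page, gathered into one script. This is an added example, not code from the original post or from BEA: it assumes the license file is the license.xml grepped above, that the key, cert and CA cert are PEM files given as arguments, and that openssl is installed on the box doing the checking. The port check uses openssl s_client in place of the perl listenport/scanport scripts, which also shows whether the server's certificate chains to the CA named in TrustedCAFile.

```shell
#!/bin/sh
# Pre-change-control checks for the WLS 6.1 SSL setup above. Added example, not
# from the original post or from BEA. Assumptions: the BEA license file is the
# license.xml the post greps, the key/cert/CA files are PEM files passed in as
# arguments, and openssl is on the PATH of the box running the checks.

# 1. Export-only license? The post's grep, turned into a yes/no exit status.
license_is_export() {   # $1 = path to license.xml
    grep -qi 'component="SSL/Export"' "$1"
}

# 2. RSA modulus size of a PEM private key, printed in bits (e.g. 512).
rsa_key_bits() {        # $1 = key file
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# 3. An export license caps the key at 512 bits; a domestic one accepts 512 or more.
key_fits_license() {    # $1 = bits, $2 = "yes" if the license is export-only
    if [ "$2" = yes ]; then [ "$1" -eq 512 ]; else [ "$1" -ge 512 ]; fi
}

# 4. BEA's tip: every file handed to WebLogic must end in .pem.
all_pem() {             # $@ = file names
    for f in "$@"; do
        case "$f" in
            *.pem) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 5. Is the firewall open on the SSL port, and does the server cert chain to
# our CA? Prints the subject/issuer and "Verify return code: 0 (ok)" when the
# chain validates against the CA file used as TrustedCAFile.
port_check() {          # $1 = WebLogicHost, $2 = WebLogicPort, $3 = CA file
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
        grep -E 'Verify return code|subject=|issuer='
}

# Run everything; returns non-zero on the first failed check.
check_all() {           # $1 license.xml  $2 key  $3 cert  $4 ca  $5 host  $6 port
    if license_is_export "$1"; then exp=yes; else exp=no; fi
    bits=$(rsa_key_bits "$2")
    key_fits_license "$bits" "$exp" || { echo "key is ${bits:-?} bits, export=$exp"; return 1; }
    all_pem "$2" "$3" "$4" || { echo "all files must end in .pem"; return 1; }
    port_check "$5" "$6" "$4"
}

# Usage: check_all /opt/bea/license.xml key.pem cert.pem cacert.pem apphost 7002
```

One caveat for the port check: a current OpenSSL client refuses a 512-bit server key at its default security level, so against an export-licensed WLS 6.1 you need to run s_client with -cipher 'DEFAULT:@SECLEVEL=0' (that lowers the client's own bar, which is fine for a connectivity test and not for anything else).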

– WebLogic Forum at Tek-Tips


