Steps for Implementing SSL for OpenPages 5.x

Technote (troubleshooting)


Problem(Abstract)

What are the steps an OpenPages IT administrator can follow to implement SSL?

Resolving the problem

Summary: Steps for implementing SSL with OpenPages/BEA WebLogic 8.1:

####### Overview: ########

Create a "keystore" to hold certificates, both public and private.

Within this keystore is a key entry, based on parameters used when generating the keystore.

From this unique keystore file, generate a request file to send to a Certificate Authority (CA), such as VeriSign.

Receive a valid certificate back from the CA.

Import the CA's 'root' and 'intermediate' certificates (VeriSign in this example), then import the certificate returned by the CA. This is matched against the original key entry in the keystore and validates that the public and private keys correspond.

Update the BEA configuration to point to the keystore file to enable SSL.

########################

1. Generate a local keystore containing a public/private key pair, e.g.:

keytool -genkey -dname "cn=www.openpages.com, ou=SOX, o=Openpages, c=US" -keyalg RSA -alias business -keypass Kpassword -keystore BEAKeyStore.jks -storepass Spassword -validity 365

This should be executed from the command line in the '\bea\weblogic81\config\OpenPagesDomain' directory. The distinguished name "cn=www.openpages.com, ou=SOX, o=Openpages, c=US" will differ from organization to organization; your IT security team should be able to provide the correct values.

'-keyalg RSA' is used specifically for WebLogic.

Another example of how this could look:

"CN = servername.abc.com,OU = Departmental Systems Group,O = ABC,L = NYC,S = New York,C = US"

This command creates the keystore named "BEAKeyStore.jks" in the directory where keytool was executed (OpenPagesDomain).

The "keystore" password in the example is 'Spassword'. It is used whenever the BEAKeyStore.jks file is accessed or updated.

The other password (-keypass Kpassword) protects the private key and is used when importing the final CA cert into the keystore.

After running the above command, the keystore contains a self-signed certificate for the 'business' key entry.

To view details of the keystore, use the following command:

keytool -list -keystore BEAKeyStore.jks

You are prompted for the keystore password, which is 'Spassword' in our example. In the output you will see an entry for 'business'.

**Note:**

Make a copy of the BEAKeyStore.jks file (the keystore) and store it in a different directory for safe keeping.

Certificates will be loaded into this keystore, and if the BEAKeyStore file has to be regenerated for any reason, a new certificate request will have to be made to the CA.

It is important to have a backup of the original file.

See the note in step 5 below for additional details.

2. Generate a Certificate Signing Request (CSR), again using keytool:

keytool -certreq -alias business -keystore BEAKeyStore.jks -sigalg "MD5withRSA" -file ca_cert_request.csr

You will be prompted for both passwords:

Enter keystore password: Spassword

Enter key password for <business>: Kpassword

This generates a request for the identity/alias "business" (matching the alias used when the keystore was created) in a file named ca_cert_request.csr in OpenPagesDomain.

This file needs to be submitted to a CA, specifying that the certificate is for a BEA WebLogic 8.1 web server.

The CA will authenticate this request and send back a certificate for your public key.

3. Import the root certificate for the CA.

This needs to be done before your authenticated certificate can be imported.

The root-certificate.crt file is the root-level certificate of your CA. It is usually available from the CA; for some CAs, VeriSign among them, you can also export it from your local browser by going to Internet Options -> Content -> Certificates (button) -> Trusted Root Certification Authorities (tab), selecting the certificate, clicking the "Export" button and saving it as root-certificate.crt.

In the case of VeriSign you need to export the certificate called "Class 3 Public Primary Certification Authority" with an expiration date of 2028. Then import it:

keytool -import -alias root-certificate -keystore BEAKeyStore.jks -trustcacerts -file root-certificate.crt

If prompted to confirm addition of this certificate to the keystore, say 'yes'.

4. Next, import the intermediate certificate, if applicable.

(This is a requirement for VeriSign - http://www.verisign.com/support/verisign-intermediate-ca/index.html).

The CA should be able to provide this information.

keytool -import -alias intermediate-certificate -trustcacerts -keystore BEAKeyStore.jks -file intermediate-certificate.crt

If you run the list command now (keytool -list -keystore BEAKeyStore.jks) you should see 3 entries: root-certificate, intermediate-certificate and business.

5. Import your CA-signed certificate (which the CA should have returned after authenticating your request).

The "cert_from_ca.cer" file below is the file that you receive from the CA after providing them with the CSR generated in step 2 above.

Please ensure that the alias used below is exactly the same as the one used in step 1 (the value given to -alias). This is required to confirm that the public and private keys match.

keytool -import -alias business -keystore BEAKeyStore.jks -trustcacerts -file cert_from_ca.cer

You will be prompted for both the keystore password (Spassword) and the private key password (keypass = 'Kpassword').

**Note:** Entries in the keystore can be removed using the following command, specifying the alias (root-certificate, intermediate-certificate) to be deleted:

keytool -delete -alias aliasToBeDeleted -keystore BEAKeyStore.jks

The 'business' alias should never be deleted. It is the original entry in the keystore and must remain. If you need to remove the CA certificate alias (which is required to be identical to the original entry in the keystore), revert to the BEAKeyStore.jks file backed up in step 1. If the 'business' alias is deleted, and with it the original key entry, the CA cert will still import, but the certificate will not be properly authenticated in a browser.
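Before moving on to step 6, the keystore state can be verified with a small check script. This script is added here and is not IBM's or BEA's code; it parses the output of 'keytool -list -keystore BEAKeyStore.jks', expects the alias names used in steps 1 to 4, and flags the failure described in the note above (a 'business' alias that is no longer a key entry). The sample output it runs on is constructed.

```python
import re
from typing import Dict, List

# Trust anchors imported in steps 3 and 4 (keytool stores aliases in lower case).
TRUSTED_ALIASES = ("root-certificate", "intermediate-certificate")
# The JDK 1.4-era keytool shipped with WebLogic 8.1 prints "keyEntry" for a
# private-key entry; later JDKs print "PrivateKeyEntry". Accept both.
KEY_ENTRY_TYPES = {"keyEntry", "PrivateKeyEntry"}
# One entry line of `keytool -list` output, e.g. "business, Sep 6, 2013, keyEntry,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+),\s*(?P<etype>\w+),?\s*$")

def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map each alias to its entry type from non-verbose `keytool -list` output."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip().lower()] = m.group("etype")
    return entries

def check_keystore(output: str, key_alias: str = "business") -> List[str]:
    """Return the problems found; an empty list means the keystore is ready for step 6."""
    entries = parse_keytool_list(output)
    problems: List[str] = []
    for alias in TRUSTED_ALIASES:
        etype = entries.get(alias)
        if etype is None:
            problems.append(f"missing trusted entry '{alias}' (step 3 or 4 not done)")
        elif etype != "trustedCertEntry":
            problems.append(f"'{alias}' is {etype}, expected trustedCertEntry")
    etype = entries.get(key_alias.lower())
    if etype is None:
        problems.append(f"key entry '{key_alias}' is missing: restore the step 1 backup")
    elif etype not in KEY_ENTRY_TYPES:
        # The failure the step 5 note describes: the key entry was deleted, so the CA cert
        # was imported as a bare trusted cert and the server has no matching private key.
        problems.append(f"'{key_alias}' is {etype}, not a key entry: restore the step 1 backup")
    return problems

# Constructed sample of `keytool -list -keystore BEAKeyStore.jks` output, not a real capture.
SAMPLE_OK = """\
Keystore type: jks
Your keystore contains 3 entries
root-certificate, Sep 6, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
intermediate-certificate, Sep 6, 2013, trustedCertEntry,
Certificate fingerprint (MD5): 10:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
business, Sep 6, 2013, keyEntry,
Certificate fingerprint (MD5): 20:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""
```

Run it on real output by piping the list command into the script and calling check_keystore on what was read; an empty result means all three expected entries are present with the right types.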

6. Now configure the BEA console so that the server uses this keystore.

i> Log into http://localhost:7001/console as "system" (contact support for the default password, or your IT group if the default has been changed).

ii> Click on "Servers -> OpenpagesServer -> Configuration (tab) -> Keystores and SSL".

iii> Click on the "Change" hyperlink next to "KeyStore Configuration", select "Custom Identity and Custom Trust" and click on Continue.

iv> On the following page enter the following values:

Custom Identity Key Store File Name = \BEAKeyStore.jks

Custom Identity Key Store Type = JKS

Custom Identity Key Store Pass Phrase = Spassword

Confirm Custom Identity Key Store Pass Phrase = Spassword

Custom Trust Key Store File Name = \BEAKeyStore.jks

Custom Trust Key Store Type = JKS

Custom Trust Key Store Pass Phrase = Spassword

Confirm Custom Trust Key Store Pass Phrase = Spassword

Click on Continue and on the subsequent page enter the following:

Private Key Alias=business

Passphrase=Kpassword

Confirm Passphrase=Kpassword

Click Apply, then Finish.

7. Repeat step 6 for each server that you want to access through SSL. The only change in the instructions is in (ii):

For http://localhost:7003/console, click on "Servers -> PublishWebServer -> Configuration (tab) -> Keystores and SSL".

For http://localhost:7005/console, click on "Servers -> OPWebAppServer -> Configuration (tab) -> Keystores and SSL".

For http://localhost:7009/console, click on "Servers -> SOXServer -> Configuration (tab) -> Keystores and SSL".

8. Restart all the services. Once the application comes back up, go to https://localhost:7010/sox and ensure that no pop-up screens with certificate errors appear.

Also double-click the yellow lock icon at the bottom of the IE window and check the certificate details to ensure that the server is presenting the right certificate.

Note: You may receive a message about secure and unsecure content.

This is caused by the CommandCenter path references in aurora.properties, which by default use 'http' links. If SSL is also to be enabled on the CommandCenter server (IIS), the references in aurora.properties must be updated as well; the secure/unsecure pop-up will then no longer appear.

Related: SSO/SiteMinder with SSL - see http://e-docs.bea.com/wls/docs81/plugins/isapi.html#114841

Attached is a document describing the steps for WebLogic 9.1.

Historical Number

00000946


Document information


More support for:

OpenPages GRC Platform

Software version:

5.1, 5.5, 5.5.2, 5.5.3

Operating system(s):

Windows

Software edition:

All Editions

Reference #:

1513475

Modified date:

2013-09-06
