What are the steps an OpenPages IT administrator can follow to implement SSL?
Resolving the problem
Summary: Steps for implementing SSL with OpenPages/BEA WebLogic 8.1:
A flash demo of the general process can be found at the BEA Website: http://support.bea.com/askbea_soln/attachments/S-22841/Configure_Keystore_SSL_WLS81_viewlet_swf.html
####### Overview: ########
Create a "keystore" to hold certificates, both public and private.
Within this keystore is a key entry, based on parameters used when generating the keystore.
From this unique keystore file, generate a request file to send to a Certificate Authority (CA), such as VeriSign.
Receive a valid certificate back from the CA.
Import 'root' and 'intermediate' (Verisign) certificates, then import the returned CA certificate. This will match against the original key entry in the keystore, and will validate that both public and private keys match.
Update the BEA configuration to point to the keystore file to enable SSL
1. Generate a local keystore containing a public/private key pair e.g. keytool -genkey -dname "cn=www.openpages.com, ou=SOX, o=Openpages, c=US" -keyalg RSA -alias business -keypass Kpassword -keystore BEAKeyStore.jks -storepass Spassword -validity 365
This should be executed via commandline from the '\bea\weblogic81\config\OpenPagesDomain' directory. Here the section "cn=www.openpages.com, ou=SOX, o=Openpages, c=US" would change from organization to organization and the IT security team should be able to provide additional details.
'-keyalg RSA' is used specifically for WebLogic.
Another example of how this could look:
"CN = servername.abc.com,OU = Departmental Systems Group,O = ABC,L = NYC,S = New York,C = US"
This command creates the keystore named "BEAKeyStore.jks" in the same directory where the keytool was executed (OpenPagesDomain).
The "keystore" password in the example is 'Spassword' - this is used when accessing or updating the BEAKeyStore.jks file.
The other password (-keypass Kpassword) is used when importing the final CA cert into the keystore.
After generating the above command, the keystore now contains a self-signed certificate.
To view details of the keystore, use the following command:
keytool -list -keystore BEAKeyStore.jks
You are prompted for the keystore password.
This would be 'Spassword' in our example. On viewing the results, you will see an entry for 'business'.
Make a copy of the BEAKeyStore.jks file (the keystore) and store it in a different directory for safe keeping.
Certificates will be loaded into this keystore, and if the BEAKeyStore file needs to be regenerated for any reason, a new certificate request will need to be made to the CA.
It is important to have a backup of the original file.
See note in step 5 below for additional details
2. Generate a Certificate Signing Request, again using keytool: keytool -certreq -alias business -keystore BEAKeyStore.jks -sigalg "MD5withRSA" -file ca_cert_request.csr
You will be prompted for both passwords:
Enter keystore password: Spassword
Enter key password for : Kpassword
This generates a request using the identity/alias "business", matching the alias used in the keystore creation process, in a file named ca_cert_request.csr in OpenPagesDomain.
This file needs to be submitted to a CA, specifying that the certificate is for a BEA WebLogic81 web server.
The CA will authenticate this request and will send back a certificate, authenticating your public key.
3. Import the root certificate for the CA.
This needs to be done before your authenticated certificate can be imported.
The root-certificate.crt is the root level certificate from your CA. This is usually available either from the CA or in some cases like VeriSign you can get it from your local browser by going to Internet Options -> Content -> Certificates (button) -> Trusted Root Certification Authority (tab) and then selecting the certificate and click on the "Export" button and saving it as root-certificate.crt.
In case of VeriSign you need to export a certificate called "Class 3 Public Primary Certification Authority" with and expiration date of 2028. keytool -import -alias root-certificate -keystore BEAKeyStore.jks -trustcacerts -file root-certificate.crt
If prompted to confirm addition of this certificate to the keystore, say 'yes'.
4. Next, import the intermediate certificate, if applicable
(This is a requirement for VeriSign - http://www.verisign.com/support/verisign-intermediate-ca/index.html).
The CA should be able to provide this information.
keytool -import -alias intermediate-certificate -trustcacerts -keystore BEAKeyStore.jks -file intermediate-certificate.crt
If you run the list command now (keytool -list -keystore BEAKeyStore.jks) you should see 3 entries: root-certificate, intermediate-certificate, and business
5. Importing your CA certificate (which should have returned after being authenticated).
The "cert_from_ca.cer" file below is the file that you receive from the CA after providing them with the CSR generated in step 2 above.
Please ensure that the alias used below and in step 1 (value against -alias ) are exactly the same.
This is required to confirm that the public and private keys match. keytool -import -alias business -keystore BEAKeyStore.jks -trustcacerts -file cert_from_ca.cer
You will be prompted for both the keystore password (Spassword) as well as the private key password (keypass = 'Kpassword')
**Note: Entries in the keystore can be removed using the following command, specifying the alias (root-certificate, intermediate-certificate) to be deleted: keytool -delete -alias aliasToBeDeleted -keystore BEAKeystore
The 'business' alias should never be deleted. This is the original entry in the keystore and must remain. If you need to remove the CA certificate alias (which is required to be identical to the original entry in the keystore), you will need to revert to the saved BEAKeyStore.jks file, backed up in step 1. If the 'business' alias is deleted, thereby deleting the original entry as well, the CA cert will import, but the certificate will not be properly authenticated in a browser.
6. Now you need to set the BEA console to make it look at this keystore
i> Log into http://localhost:7001/console as "system" (contact support for the default password, or your IT group if the default has been changed).
ii> Click on "Servers -> OpenpagesServer -> Configuration (tab) -> Keystores and SSL
iii> Click on "Change" hyperlink next to the "KeyStore Configuration" and select "Custom Identity and Custom Trust" and click on Continue
iv> In the following page enter the following values Custom Identity Key Store File Name = \BEAKeyStore.jks
Custom Identity Key Store Type=JKS Custom Identity Key Store
Confirm Custom Identity Key Store Pass Phrase=Spassword
Custom Trust Key Store File Name= \BEAKeyStore.jks
Custom Trust Key Store Type=JKS
Custom Trust Key Store Pass Phrase=Spassword
Confirm Custom Trust Key Store Pass Phrase=Spassword
Click on Continue and on the subsequent page enter the following:
Private Key Alias=business
Click Apply, then Finish.
7. Repeat Step 6 above for each of the server that you want to access through SSL, the only change in the instruction would be in (ii) For http://localhost:7003/console it would be Click on "Servers -> PublishWebServer -> Configuration (tab) -> Keystores and SSL
For http://localhost:7005/console it would be Click on "Servers -> OPWebAppServer -> Configuration (tab) -> Keystores and SSL
For http://localhost:7009/console it would be Click on "Servers -> SOXServer -> Configuration (tab) -> Keystores and SSL
8. Restart all the services and once the application comes back up go to https://localhost:7010/sox and ensure that there are no pop-up screens with certificate errors.
Also double click on the yellow lock icon on the bottom on the IE screen and check the details to ensure that you are using the right one.
Note: You may receive a message regarding secure and unsecure content.
This is due to CommandCenter path references in aurora.properties being used. By default, these access 'http' links. If SSL is to be enabled on the CommandCenter server (IIS), the references in aurora.properties will need to be updated as well, and the secure/unsecure pop-up will no longer appear.
Related: SSO/SiteMinder with SSL - see http://e-docs.bea.com/wls/docs81/plugins/isapi.html#114841 Attached is a document describing the steps for Weblogic 9.1