					                   (n)Code Solutions CA
         A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED



                PROCEDURE FOR DOWNLOADING
              a Class IIIc SSL Certificate using BEA Weblogic



                                       VERSION 1.0




                  In support of The (n)Code Solutions CA’s Public Certification Services

              Configuring the SSL Protocol
              The Secure Sockets Layer (SSL) protocol provides secure connections by allowing two
              applications connecting over a network connection to authenticate the other's identity and by
              encrypting the data exchanged between the applications. The SSL protocol provides server
              authentication and optionally client authentication, confidentiality, and data integrity.

              To configure the SSL protocol, perform the following steps:
              1.   Obtain a private key and digital certificate for WebLogic Server. You need a digital
                   certificate and private key for each WebLogic Server that will use the SSL protocol.

              2.   Store the private key and digital certificate for WebLogic Server.

              3.   Through the Administration Console, set fields for the SSL protocol and the private key,
                   digital certificate, and certificate authorities trusted by WebLogic Server. These fields are
                   defined on a per-server basis; you must define them on any WebLogic Server that will use
                   the SSL protocol.

              The following sections describe these steps in detail.

              Requesting a Private Key and Digital Certificate
              To acquire a digital certificate from (n)Code Solutions, you must submit your request in a
              particular format called a Certificate Signing Request (CSR). WebLogic Server includes a
              Certificate Request Generator servlet that creates a CSR. The Certificate Request Generator
              servlet collects information from you and generates a private key file and a certificate request
              file. You must then submit the CSR to (n)Code Solutions. Before you can use the Certificate
              Request Generator servlet, WebLogic Server must be installed and running.

              To generate a CSR, perform the following steps:
              1.   Start the Certificate Request Generator servlet. The .war file for the servlet is located in the
                   \wlserver6.0\config\mydomain\applications directory. The .war file is automatically installed
                   when you start WebLogic Server.

              2.   In a Web browser, enter the URL for the Certificate Request Generator servlet as follows:

                   https://hostname:port/Certificate

                   The components of this URL are defined as follows:

                    o    hostname is the DNS name of the machine running WebLogic Server.

                    o    port is the number of the port at which WebLogic Server listens for SSL connections.
                         The default is 7002.

                         For example, if WebLogic Server is running on a machine named ogre and is
                         configured to listen for SSL communications at the default port 7002, enter the
                         following URL in your Web browser to run the Certificate Request Generator
                         servlet:

                         https://ogre:7002/Certificate
              3.   The Certificate Request Generator servlet loads a form in your web browser.

                   Complete the form displayed in your browser, using the information in the following table:

          Table 12-19 Fields on the Certificate Request Generator Form

          Field                     Description
          Country code              The two-letter ISO code for your country. The code for the United States is
                                    US.
          Organizational unit       The name of your division, department, or other operational unit of your
          name                      organization.
          Organization name         The name of your organization. (n)Code Solutions may require that any host
                                    names entered in this form belong to a domain registered to this
                                    organization.
          E-mail address            The e-mail address of the administrator. The digital certificate is mailed to
                                    this e-mail address.
          Full host name            The fully-qualified name of the WebLogic Server on which the digital
                                    certificate will be installed. This name is the one used for DNS lookups of
                                    the WebLogic Server, for example, node.mydomain.com. Web browsers
                                    compare the host name in the URL to the name in the digital certificate. If
                                    you change the host name later, you must request a new digital certificate.
          Locality name (city)      The name of your city or town. If you operate with a license granted by a
                                    city, this field is required; you must enter the name of the city that granted
                                    your license.
          State name                The name of the State or Province in which your organization operates if
                                    your organization is in India. Do not abbreviate.
          Private Key Password      The password used to encrypt the private key. If you do not specify a
                                    password, you will get an unencrypted RSA private key. If you specify a
                                    password, you will get a PKCS-8 encrypted private key. When using PKCS-8
                                    encrypted private keys, you need to enable the Use Encrypted Keys field on
                                    the SSL tab of the Server window in the Administration Console and supply
                                    the password when starting WebLogic Server.
          Random String             A string of characters used as additional seed material when the key pair is
                                    generated. You do not have to remember this string in the future. It adds an
                                    external source of unpredictability to key generation, making the resulting
                                    key harder to guess. For this reason, you should enter a string that is not
                                    likely to be guessed. A long string with a good mixture of uppercase and
                                    lowercase letters, digits, spaces, and punctuation characters is best. (This
                                    field is optional.)
          Strength                  The length (in bits) of the keys to be generated. The longer the key, the
                                    more difficult it is for someone to break the encryption. If you have the
                                    domestic version of WebLogic Server, you can choose 512-, 768-, or 1024-bit
                                    keys. We recommend the 1024-bit key. Note that 512- and 768-bit RSA keys
                                    have been factored in practice and current CA and browser baseline
                                    requirements call for at least 2048 bits, so choose the largest size that your
                                    WebLogic version and (n)Code Solutions accept.

              4.   Click the Generate Request button.


                     The Certificate Request Generator servlet displays messages informing you if any required
                     fields are empty or if any fields contain invalid values. Click the Back button in your browser
                     and correct any errors. When all fields have been accepted, the Certificate Request
                     Generator servlet generates the following files in the startup directory of your WebLogic
                     Server:
                      o www_mydomain_com-key.der - The private key file. The name of this file should go into
                        the Server Key File Name field on the SSL tab in the Administration Console.

                      o www_mydomain_com-request.dem - The certificate request file, in binary format.

                      o www_mydomain_com-request.pem - The CSR file that you submit to (n)Code Solutions.
                        It contains the same data as the .dem file but is encoded in ASCII so that you can copy
                        it into email or paste it into a Web form.

              5.     When you are instructed to select a server type, choose BEA WebLogic Server to ensure
                     that you receive a digital certificate that is compatible with WebLogic Server.

              6.     When you receive your digital certificate from (n)Code Solutions, you need to store it in the
                     \wlserver6.0\config\mydomain directory.

                     Note: If you obtain a private key file from a source other than the Certificate Request
                     Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.

              7.     To configure WebLogic Server to use the SSL protocol, enter the following information
                     on the SSL tab in the Server Configuration window (see Defining Fields for the SSL
                     Protocol):

                      o In the Server Certificate File Name field, enter the full directory location and name of
                        the digital certificate for WebLogic Server.

                      o In the Trusted CA File Name field, enter the full directory location and name of the
                        digital certificate of the (n)Code Solutions CA that signed the digital certificate of
                        WebLogic Server.

                      o In the Server Key File Name field, enter the full directory location and name of the
                        private key file for WebLogic Server.

              8.     Start WebLogic Server with the following command-line option:

                     -Dweblogic.management.pkpassword=password

                     where password is the private key password defined when requesting the digital
                     certificate. A password passed on the command line is visible to other users of the
                     machine through process listings and shell history, so restrict who can log on to the
                     server host and do not place the option in a world-readable startup script.

              Storing Private Keys and Digital Certificates

              Once you have a private key and digital certificate, copy the private key file generated by the
              Certificate Request Generator servlet and the digital certificate you received from (n)Code
              Solutions into the \wlserver6.0\config\mydomain directory. Private key files and digital
              certificates are generated in either PEM or Distinguished Encoding Rules (DER) format. The
              filename extension identifies the format of the file. A PEM (.pem) format private key file that
              was encrypted with a password (PKCS-8) begins and ends with the following lines, respectively:
                -----BEGIN ENCRYPTED PRIVATE KEY-----

                   -----END ENCRYPTED PRIVATE KEY-----

              An unencrypted PEM private key file is delimited by different lines (for an RSA key in PKCS#1
              form, -----BEGIN RSA PRIVATE KEY-----; in unencrypted PKCS#8 form, -----BEGIN PRIVATE
              KEY-----), which is how you can tell at a glance whether the Use Encrypted Keys field and the
              start-up password are required.

              A PEM(.pem) format digital certificate begins and ends with the following lines, respectively:
                -----BEGIN CERTIFICATE-----

                   -----END CERTIFICATE-----
              Note: Your digital certificate may be one of several digital certificates in the file, each of which is
              bounded by the BEGIN CERTIFICATE and END CERTIFICATE lines. Typically, the digital certificate
              file for a WebLogic Server is in one file, with either a .pem or .der extension, and the WebLogic
              Server certificate chain is in another file. Two files are used because different WebLogic Servers
              may share the same certificate chain.

              The first digital certificate in the certificate authority file is the first digital certificate in the
              WebLogic Server's certificate chain. The next certificates in the file are the next digital
              certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate
              that ends the certificate chain.

              A DER (.der) format file contains binary data. WebLogic Server requires that the file extension
              match the contents of the certificate file so be sure to save the file you receive from (n)Code
              Solutions with the correct file extension.

              Assign protections to the private key file and digital certificates so that only the system user
              under which WebLogic Server runs has read privileges and all other users have no privileges to
              access the private key file or digital certificate. If you are creating a file with the digital
              certificates of multiple certificate authorities or a file that contains a certificate chain, you must
              use PEM format. WebLogic Server provides a tool for converting DER-format files to PEM
              format, and vice versa.
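Two of the requirements above, that the file extension must match what is actually inside the file and that only the WebLogic system user may read the private key, are easy to get wrong when the files arrive by e-mail and are saved by hand. The following Python script is an added example (it is not code from the guide or from WebLogic Server) that checks both before you restart the server. The file names are assumptions, the sample files it writes to a temporary directory are constructed for the demonstration, and on Windows it skips the permission test because POSIX mode bits do not describe the file's ACL.

```python
"""Check that each SSL file's extension matches its contents and that the private key
is readable only by its owner. Added example, not code from the guide or from
WebLogic Server; file names are assumed and the constructed sample files are written
to a temporary directory so the check runs offline."""
import os, stat, tempfile

def detect_format(data):
    """'pem' for a PEM armor, 'der' when the file starts with a DER SEQUENCE, else None."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    return "der" if data[:1] == b"\x30" else None   # certs, CSRs and keys are all SEQUENCEs

def check_extension(path):
    """WebLogic picks the reader by extension, so .pem/.der must match the bytes inside."""
    with open(path, "rb") as f:
        actual = detect_format(f.read())
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    return {"path": path, "ext": ext, "content": actual, "ok": ext == actual}

def key_is_private(path):
    """True if group and others have no access bits; None on Windows (inspect the ACL there)."""
    if os.name == "nt":
        return None
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def write_samples(dirpath):
    """Constructed files: a PEM cert, DER bytes mis-saved as .pem, and a world-readable key."""
    files = {
        "server.pem": b"-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n",
        "mislabelled.pem": b"\x30\x00",
        "server-key.pem": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMAA=\n-----END ENCRYPTED PRIVATE KEY-----\n",
    }
    paths = []
    for name, data in files.items():
        paths.append(os.path.join(dirpath, name))
        with open(paths[-1], "wb") as f:
            f.write(data)
    os.chmod(paths[-1], 0o644)                      # the key: deliberately too open
    return paths

def run_demo():
    """Run the checks on the sample files and return the findings."""
    cert, bad, key = write_samples(tempfile.mkdtemp())
    before = key_is_private(key)
    os.chmod(key, 0o600)                            # what the guide asks for: owner only
    return {"cert_ok": check_extension(cert)["ok"], "mislabelled_ok": check_extension(bad)["ok"],
            "key_private_before": before, "key_private_after": key_is_private(key)}
```

Point check_extension and key_is_private at the real paths you entered on the SSL tab; a DER file saved with a .pem extension is reported as a mismatch, and a key readable by group or others is reported before anyone restarts the server with it.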

              Defining Trusted Certificate Authorities
              When establishing an SSL connection, WebLogic Server checks the certificate authority that
              issued the peer's certificate against its list of trusted certificate authorities to ensure that the
              certificate authority is trusted. Copy the (n)Code Solutions root certificate into the
              \wlserver6.0\config\mydomain directory of your WebLogic Server and set the fields described in
              Defining Fields for the SSL Protocol. If you want to use a certificate chain (a Global Certificate,
              for example), append the additional PEM-encoded digital certificate, that of the intermediate
              CA, to the digital certificate that (n)Code Solutions issued for WebLogic Server. The last digital
              certificate in the chain file will be the self-signed (n)Code Solutions digital certificate (that is,
              the root CA certificate).

              If you want to use mutual authentication, take the root certificates of the certificate authorities
              whose client certificates you want to accept and add them to the trusted CA file.

              Defining Fields for the SSL Protocol
              To define fields for the SSL protocol, perform the following steps:
              1.     Open the Administration Console.

              2.     Open the Server Configuration window.

              3.     Select the SSL tab. Define the fields on this tab by entering values and checking the
                     required checkboxes. (For details, see the following table.)

              4.     Click the Apply button to save your changes.

              5.     Reboot WebLogic Server.



              The following table describes each field on the SSL tab of the Server Configuration window.
              Note: Remember if you are using a PKCS-8 protected private key, you need to specify the
              password for the private key on the command line when you start WebLogic Server.

   Table 12-20 SSL Protocol Fields

   Field                     Description
  Enabled                   Checkbox that enables the use of the SSL protocol. By default, this field is
                            enabled.
  SSL Listen Port           The number of the dedicated port on which WebLogic Server listens for SSL
                            connections. The default is 7002.
  Server Key File           The full directory location and name of the private key file for WebLogic Server.
  Name                      The file extension (.DER or .PEM) indicates the method that should be used by
                            WebLogic Server to read the contents of the file.
  Server Certificate File   The full directory location and name of the digital certificate file for WebLogic
  Name                      Server. The file extension (.DER or .PEM) indicates the method that should be
                            used by WebLogic Server to read the contents of the file.
  Server Certificate        The full directory location of the rest of the digital certificates for WebLogic
  Chain File Name           Server. The file extension (.DER or .PEM) indicates the method that should be
                            used by WebLogic Server to read the contents of the file.
   Client Certificate        Checkbox that enables mutual authentication.
   Enforced
   Trusted CA File Name      The name of the file that contains the digital certificate(s) of the certificate
                             authorities trusted by WebLogic Server. The file specified in this field can
                             contain a single digital certificate or multiple digital certificates for certificate
                             authorities. The file extension (.DER or .PEM) tells WebLogic Server how to read
                             the contents of the file.
   CertAuthenticator         The name of the Java class that implements the CertAuthenticator interface.
   Use Java                  Checkbox that selects the pure-Java implementation of the SSL protocol.
                             WebLogic Server also ships native SSL libraries that enhance the performance
                             of SSL operations on the Solaris, Windows NT, and IBM AIX platforms; they are
                             used when this field is not enabled. By default, this field is not enabled.
   Use Encrypted Keys        Field that specifies that the private key for WebLogic Server has been
                             encrypted with a password (PKCS-8). The default is false.
   Handler Enabled           Field that specifies whether or not WebLogic Server rejects SSL connections that
                             fail client authentication for one of the following reasons:
                                   The requested client digital certificate was not furnished.

                                   The client did not submit a digital certificate.

                                   The digital certificate from the client was not issued by a certificate
                                   authority specified by the Trusted CA File Name field.
                             By default, the SSL Handler allows one WebLogic Server to make outgoing SSL
                             connections to another WebLogic Server. For example, an EJB in WebLogic
                             Server may open an HTTPS stream on another Web server. With the Handler
                             Enabled field enabled, the WebLogic Server acts as a client in an SSL
                             connection. By default this field is enabled.

                             Disable this field only if you want to provide your own implementation for
                             outgoing SSL connections.

                             Note: The SSL Handler has no effect on the ability of WebLogic Server to
                             manage incoming SSL connections.

   Export Key Lifespan        The number of times WebLogic Server uses an exportable key between a
                              domestic server and an exportable client before generating a new one. The more
                              secure you want WebLogic Server to be, the fewer times the key should be used
                              before a new one is generated. The default is to use it 500 times.
  Login Timeout Millis       The number of milliseconds that WebLogic Server should wait for an SSL
                             connection before timing out. The default value is 25,000 milliseconds. SSL
                             connections take longer to negotiate than regular connections. If clients are
                             connecting over the Internet, raise the default number to accommodate
                             additional network latency.
  Certificate Cache          The number of digital certificates that are tokenized and stored by WebLogic
  Size                       Server. The default is 3.
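Before rebooting WebLogic Server (step 5 above), it is worth confirming that the files named in the Server Key File Name, Server Certificate File Name, Server Certificate Chain File Name and Trusted CA File Name fields are what the procedure expects: the key file's PEM label decides whether Use Encrypted Keys and -Dweblogic.management.pkpassword are needed, the CSR's subject CN must be the full host name, and a chain file must be ordered leaf first, each issuer matching the next subject, ending in the self-signed root. The Python script below is an added example, not code from the (n)Code Solutions guide or from WebLogic Server, that performs those checks with the standard library only. The host name www.mydomain.com is the guide's own example; the certificates it tests against are constructed with a toy encoder and carry dummy signatures, and the 1024-bit minimum mirrors the guide's recommendation (pass min_bits=2048 for any current CA).

```python
"""Pre-install checks for the SSL files this procedure produces. Added example (stdlib
only), not code from the (n)Code Solutions guide or from WebLogic Server. It walks
just enough DER to reach the Name and RSA modulus fields; sample certs are constructed."""
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)
CN_OID = b"\x55\x04\x03"                            # id-at-commonName (2.5.4.3)
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # rsaEncryption

def pem_blocks(text):
    """All (label, DER bytes) blocks of a PEM file, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def children(buf):
    """Decode the DER elements in buf as (tag, value, raw TLV bytes) tuples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, start = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                               # long-form length
            n = ln & 0x7F
            ln, start = int.from_bytes(buf[start:start + n], "big"), start + n
        out.append((tag, buf[start:start + ln], buf[pos:start + ln]))
        pos = start + ln
    return out

def common_name(name_tlv):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {type, value}."""
    for _, rdn, _ in children(children(name_tlv)[0][1]):
        for _, atv, _ in children(rdn):
            oid, val = children(atv)[:2]
            if oid[1] == CN_OID:
                return val[1].decode()

def rsa_bits(spki):
    """Modulus length: SubjectPublicKeyInfo -> BIT STRING -> SEQUENCE {n, e}."""
    rsa_seq = children(children(spki)[1][1][1:])[0][1]   # [1:] skips the unused-bits octet
    return int.from_bytes(children(rsa_seq)[0][1], "big").bit_length()

def cert_fields(der):
    """(issuer TLV, subject TLV, spki value) of a Certificate."""
    el = children(children(children(der)[0][1])[0][1])   # tbsCertificate elements
    el = el[1:] if el[0][0] == 0xA0 else el              # skip optional [0] version
    return el[2][2], el[4][2], el[5][1]                  # serial, alg, issuer, validity, subject, spki

def csr_fields(der):
    """(subject TLV, spki value) of a PKCS#10 CertificationRequest."""
    el = children(children(children(der)[0][1])[0][1])   # certificationRequestInfo elements
    return el[1][2], el[2][1]                            # version, subject, spki, attributes

def key_file_status(pem_text):
    """'encrypted' (PKCS-8: Use Encrypted Keys and pkpassword needed), 'plain', or None."""
    labels = [lbl for lbl, _ in pem_blocks(pem_text)]
    return ("encrypted" if "ENCRYPTED PRIVATE KEY" in labels
            else "plain" if any("PRIVATE KEY" in l for l in labels) else None)

def check_csr(pem_text, host, min_bits=1024):
    """CN must be the full host name that browsers compare against the URL."""
    subject, spki = csr_fields(next(d for lbl, d in pem_blocks(pem_text) if "CERTIFICATE REQUEST" in lbl))
    cn, bits = common_name(subject), rsa_bits(spki)
    return {"cn": cn, "bits": bits, "ok": cn == host and bits >= min_bits}

def check_chain(pem_text):
    """Leaf first, each issuer == next subject, last self-signed -> (ok, problems)."""
    certs = [cert_fields(d) for lbl, d in pem_blocks(pem_text) if lbl == "CERTIFICATE"]
    problems = [f"certificate {i} was not issued by certificate {i + 1}"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if not certs or certs[-1][0] != certs[-1][1]:
        problems.append("chain is empty or its last certificate is not the self-signed root")
    return not problems, problems

# --- constructed sample input: toy DER encoder, dummy signatures, not real certificates ---
def _enc(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
_ALG, _SIG = _enc(0x30, _enc(0x06, RSA_OID) + b"\x05\x00"), _enc(0x03, b"\x00" * 9)
def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))
def _spki(bits):
    n = (1 << (bits - 1)) | 1                       # fake modulus of exactly `bits` bits
    rsa = _enc(0x30, _enc(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _enc(0x02, b"\x01\x00\x01"))
    return _enc(0x30, _ALG + _enc(0x03, b"\x00" + rsa))
def _cert(subject, issuer, bits=1024):
    validity = _enc(0x30, _enc(0x17, b"010101000000Z") * 2)
    tbs = _enc(0x30, _enc(0x02, b"\x01") + _ALG + _name(issuer) + validity + _name(subject) + _spki(bits))
    return _enc(0x30, tbs + _ALG + _SIG)
def _csr(subject, bits=1024):
    return _enc(0x30, _enc(0x30, _enc(0x02, b"\x00") + _name(subject) + _spki(bits) + _enc(0xA0, b"")) + _ALG + _SIG)
def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

HOST = "www.mydomain.com"                           # the guide's example host name
SAMPLE_KEY = _pem("ENCRYPTED PRIVATE KEY", b"\x30\x00")      # only the label matters to the check
SAMPLE_CSR = _pem("CERTIFICATE REQUEST", _csr(HOST))
LEAF, INTER, ROOT = _cert(HOST, "nCode Sub CA"), _cert("nCode Sub CA", "nCode Root"), _cert("nCode Root", "nCode Root")
GOOD_CHAIN = "".join(_pem("CERTIFICATE", c) for c in (LEAF, INTER, ROOT))
BAD_CHAIN = "".join(_pem("CERTIFICATE", c) for c in (ROOT, INTER, LEAF))   # root first: wrong order
```

The chain check compares the DER-encoded issuer and subject names byte for byte, which is exactly the ordering rule stated in Defining Trusted Certificate Authorities; it verifies no signatures, so it complements the CA's own verification rather than replacing it. To run it on the real files, read each one with open(path).read() and pass the text to key_file_status, check_csr and check_chain in place of the constructed samples.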





				
DOCUMENT INFO
Tags: WebLogic
Stats: views: 17
Posted: 8/6/2011
Language: English
Pages: 8
Description: BEA WebLogic is a Java EE application server from the American company BEA. It is used to develop, integrate, deploy and manage large-scale distributed Web applications, network applications and database applications, bringing the dynamic capabilities of Java and the Java Enterprise security standard to large-scale Web application development, integration, deployment and management.