To support SSL, Oracle WebLogic Server configures the following keystores by default:
- DemoIdentity.jks—Contains a demonstration private key for WebLogic Server. This keystore contains the identity for WebLogic Server.
- DemoTrust.jks—Contains the trusted certificate authorities from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores. This keystore establishes trust for WebLogic Server.
These keystores are located in the WL_HOME\server\lib directory. For testing and development purposes, the keystore configuration is complete.
However, do not use the demonstration keystores in a production environment. Because the digital certificates and trusted CA certificates in the demonstration keystores are signed by a WebLogic Server demonstration certificate authority, a WebLogic Server installation using the demonstration keystores will trust any WebLogic Server installation that also uses the demonstration keystores.
This article describes how to generate the DemoIdentity.jks and DemoTrust.jks keystores.
Regenerating DemoIdentity.jks
- Open a command prompt and run the following command to set the environment:
<WL_HOME>\server\bin\setWLSEnv.cmd (Windows)
. <WL_HOME>/server/bin/setWLSEnv.sh (Unix) (use the 'dot' to run the script in the same shell)
- Execute this command to generate identity entities (certificate plus key):
java utils.CertGen -keyfilepass DemoIdentityPassPhrase -certfile democert -keyfile demokey -strength 1024
Note: This would create the files in the present working directory.
Note: See the CertGen product documentation for the full list of arguments that can be passed to it.
- Execute this command to import the identity entities into a Java keystore:
java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile demokey.pem -keyfilepass DemoIdentityPassPhrase -certfile democert.pem -alias demoidentity
NOTE: This would create "DemoIdentity.jks" in the present working directory.
- Confirm that the certificate (along with key) is imported:
keytool -list -v -keystore DemoIdentity.jks
NOTE: The following files can be cleaned from the present directory as they are no longer needed:
- democert.der
- democert.pem
- demokey.der
- demokey.pem
Regenerating DemoTrust.jks
- Open a command prompt and run the following command to set the environment (if not set already):
<WL_HOME>\server\bin\setWLSEnv.cmd (Windows)
. <WL_HOME>/server/bin/setWLSEnv.sh (Unix) (use the 'dot' to run the script in the same shell)
- Execute the following command to import the Demo CA into DemoTrust.jks:
keytool -importcert -trustcacerts -alias wlscertgencab -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file <WL_HOME>\server\lib\CertGenCA.der
NOTE: This would create "DemoTrust.jks" in the present working directory if no file with that name exists there. If such a keystore file is already present in that directory, the command simply imports the certificate as a trusted entry into it. A path can also be prefixed to the keystore name in the "-keystore" argument above, so that the keystore is created at the specified location instead of in the present working directory.
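
Because demonstration keystores must not reach production, the output of the "keytool -list -v" confirmation step can be checked for demo material before a keystore is deployed. The script below is an added example, not part of the original article or of WebLogic: the function names, the DEMO_MARKERS pattern (assumed from the demo CA alias wlscertgencab) and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `keytool -list -v` output for demo keystore material.
# DEMO_MARKERS is an assumption; confirm it against the Owner/Issuer lines
# that `keytool -printcert -file CertGenCA.der` prints on your installation.
DEMO_MARKERS='CertGenCA|FOR TESTING ONLY'

# Reads a keytool listing on stdin, prints "<alias>: <finding>" per problem,
# and returns 1 if anything was flagged (0 if the listing is clean).
# Usage: keytool -list -v -keystore <file> | audit_keystore_listing
audit_keystore_listing() {
    awk -v markers="$DEMO_MARKERS" '
        function flag(why) {
            if (!seen[alias SUBSEP why]++) { print alias ": " why; found = 1 }
        }
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { etype = $3 }
        /^Issuer: / && $0 ~ markers {
            if (etype == "trustedCertEntry") flag("trusts demo CA")
            else flag("identity certificate issued by demo CA")
        }
        /^Subject Public Key Algorithm: [0-9]+-bit RSA/ {
            bits = $5; sub(/-bit.*/, "", bits)
            if (bits + 0 < 2048) flag("weak RSA key (" bits " bits)")
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample listing (abridged keytool -list -v output, not real data).
sample_listing() {
    cat <<'EOF'
Alias name: demoidentity
Entry type: PrivateKeyEntry
Owner: CN=host1, OU=FOR TESTING ONLY, O=MyOrganization
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: wlscertgencab
Entry type: trustedCertEntry
Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization

Alias name: prodidentity
Entry type: PrivateKeyEntry
Owner: CN=app.example.internal, O=Example Corp
Issuer: CN=Example Internal CA, O=Example Corp
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}
```

The key-size check only fires when keytool prints a "Subject Public Key Algorithm" line, which older JDK versions omit.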