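I. Configuration steps
1. Using the default keystore, click Advanced in the SSL settings, as shown in the figure below.
2. Select "Use JSSE SSL" in the SSL settings and click Save.
3. Activate the changes.
4. If any projects are deployed, restart them.
5. Enable the administration port: as shown in the figure below, tick the checkbox, save, and activate the changes.
6. For convenience, restart WebLogic; the log is as follows.
7. Verify: https://ip:9002/console
Administration port:
Application port:
II. Questions answered
1. Why does WebLogic 11g need "Use JSSE SSL" to be checked?
Reference: https://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#SECMG621
2. How do we know that this version of WebLogic does not support SHA-256?
With JSSE SSL not enabled, the default keystore in use, and the administration port enabled, the following messages appear in the log after WebLogic is restarted: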
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
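The messages above are the errors produced when the default keystore (/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks) is used together with Java's standard trust store (/usr/java/jdk1.6.0_45/jre/lib/security/cacerts).
A lookup shows that the certificates highlighted in red in the 9 errors above have the signature algorithm SHA256withRSA in cacerts.
As noted under the previous question, some versions of WebLogic do not support SHA-256, so the appearance of these errors indicates that this version needs the JSSE SSL feature enabled.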
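How to look up the 9 errors above in cacerts:
1. In the /usr/java/jdk1.6.0_45/bin directory, run the following command:
keytool -list -v -keystore ../jre/lib/security/cacerts -storepass weblogic > list.txt
2. Open the generated list.txt.
3. Search for the text shown in red above:
CN=Entrust Root Certification Authority - G2
The corresponding signature algorithm is shown to be SHA256withRSA.
By the same reasoning, the signature algorithm for the other eight is also SHA256withRSA.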
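The manual lookup above can be scripted. The following is an added example, not part of the original post: it pulls the CA names out of BEA-090898 messages that cite OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) and reports the signature algorithm recorded for each one in a keytool -list -v listing. The function names and the embedded sample data (shortened log lines, a trimmed listing, and the "Example Legacy Root" entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample data below is constructed (shortened) for illustration.
sample_log() { cat <<'EOF'
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jul 21, 2021 11:12:02 AM CST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
EOF
}
sample_listing() { cat <<'EOF'
Alias name: entrustrootcag2
Owner: CN=Entrust Root Certification Authority - G2, O="Entrust, Inc.", C=US
     Signature algorithm name: SHA256withRSA
Alias name: keynectisrootca
Owner: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
     Signature algorithm name: SHA256withRSA
Alias name: examplelegacyroot
Owner: CN=Example Legacy Root, O=Example, C=US
     Signature algorithm name: SHA1withRSA
EOF
}

# First RDN of every CA that BEA-090898 dropped because of OID 1.2.840.113549.1.1.11.
ignored_rdns() {
  sed -n 's/.*<BEA-090898> <Ignoring the trusted CA certificate "\([^,"]*\).*1\.2\.840\.113549\.1\.1\.11.*/\1/p'
}

# "algorithm<TAB>owner" for each entry of a keytool -list -v listing read from stdin.
listing_algs() {
  awk '/^Owner: /{owner=substr($0,8)}
       /Signature algorithm name: /{sub(/.*Signature algorithm name: /,""); print $0 "\t" owner}'
}

# $1 = server log, $2 = keytool listing; prints "algorithm<TAB>rdn" per ignored CA.
# The log and keytool format DNs differently, so entries are matched on the first RDN only.
explain_ignored() {
  ignored_rdns < "$1" | while IFS= read -r rdn; do
    alg=$(listing_algs < "$2" | RDN="$rdn" awk -F'\t' '
      index($2, ENVIRON["RDN"]) == 1 &&
      substr($2, length(ENVIRON["RDN"]) + 1, 1) ~ /^,?$/ && !seen++ {print $1}')
    printf '%s\t%s\n' "${alg:-not-found}" "$rdn"
  done
}

demo() {
  tmp=$(mktemp -d)
  sample_log > "$tmp/server.log"; sample_listing > "$tmp/list.txt"
  explain_ignored "$tmp/server.log" "$tmp/list.txt"
  rm -rf "$tmp"
}
demo
```

Against a real server, pass the WebLogic server log and the list.txt produced by the keytool command above to explain_ignored instead of the sample files.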
author:su1573