How to configure WebLogic to use SSL with Apache.docx
- Document ID: 17927566
- Uploaded: 2023-08-05
- Format: DOCX
- Pages: 17
- Size: 339.28KB
How to configure WebLogic to use SSL with Apache?
We will start this example from the very beginning.
We'll create a certificate, a keystore and will perform all the different steps needed to get us started (using Keytool & OpenSSL).
Then we'll configure WebLogic to use that keystore.
Once a browser is able to access WebLogic, we will configure Apache to use SSL with WebLogic.
1 - Create a CSR & a keystore
In order to create these components, the tool used is Keytool from Sun. You have it in any JVM install:
For me it's:
%BEA_HOME%\jdk160_05\bin\keytool.exe
For this example, as I'm lazy sometimes, I'm going to use Keytool IUI, which is a graphical version of keytool, as its name tells.
First, let's create a sample and empty JKS. (JKS stands for Java KeyStore)
In this example, the password used is "weblogic".
Then just create a CSR (Certificate Signing Request)
Specify the previously created JKS and the algorithm to use:
Fill in the different fields, as you would with Keytool:
The creation should result in a small popup:
Viewing the content of the keystore
I used the following for the private key:
alias: privatekey
password: weblogic
2 - Configure WebLogic to use the previously created keystore
That's the easy part:
Start your server and check that you have SSL enabled.
Then just change the identity of the server to point towards our keystore.
Here are the different options proposed. In our example, the option that best fits our need is "Custom Identity & Java Standard Trust".
"Custom Identity" means we're using our own keystore and "Java Standard Trust" means we use the truststore from the JDK.
(%BEA_HOME%\jdk160_05\jre\lib\security\cacerts)
A truststore is a keystore containing all the trusted certificates.
You may print the truststore, just to see what's inside:
You can see that Verisign, Thawte and many other CA (Certificate Authorities) are listed.
We only have to specify the keystore we created, the type which is JKS and the password.
As for the Trust, just type the default password, which is "changeit".
A quick look in the WLS console shows:
<10 nov. 2008 23 h 47 CET> Cannot retrieve identity certificate and private key on server AdminServer, because the keystore entry alias is not specified.>
<10 nov. 2008 23 h 47 CET> and private key on server AdminServer, because the keystore entry alias is not specified.".>
It's because we didn't supply the private key alias.
Just type the alias (privatekey) and the password (weblogic) and save.
This time, WLS seems to be happier:
<10 nov. 2008 23 h 52 CET> file D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\mbutton.jks.>
<10 nov. 2008 23 h 52 CET> \BEA_ROOT\WLS_10.3\JDK160~1\jre\lib\security\cacerts.>
<10 nov. 2008 23 h 52 CET> 7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<10 nov. 2008 23 h 52 CET> 7002 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
Let's try to access the console using the secure port (7002).
A popup shows up:
Just some warning message saying that the certificate has been emitted by someone I don't trust and that the certificate name doesn't match the site name.
It works.
3 - Display the certificate presented by WebLogic
To display the certificate, we've got two possibilities:
Click the lock in the browser window and use the built-in functionality to display the certificates.
Or use OpenSSL, which is the method I prefer.
C:\Documents and Settings\mbutton>openssl s_client -connect localhost:7002
Loading 'screen' into random state - done
CONNECTED(00000728)
depth=0 /emailAddress=mbutton@
verify error:num=18:self signed certificate
verify return:1
depth=0 /emailAddress=mbutton@
verify return:1
---
Certificate chain
 0 s:/emailAddress=mbutton@
   i:/emailAddress=mbutton@
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICtzCCAiCgAwIBAgIESRixbTANBgkqhkiG9w0BAQUFADCBnzEeMBwGCSqGSIb3
DQEJARYPbWJ1dHRvbkBiZWEuY29tMQswCQYDVQQGEwJGUjEXMBUGA1UECAwOSGF1
dHMtZGUtc2VpbmUxEzARBgNVBAcMCkNvdXJiZXZvaWUxEzARBgNVBAoMCk9yYWNs
ZS1CRUExEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD2ZyLm1idXR0b24u
YmxvZzAeFw0wODExMTAyMjEwNTNaFw0xMTExMTAyMjEwNTNaMIGfMR4wHAYJKoZI
hvcNAQkBFg9tYnV0dG9uQGJlYS5jb20xCzAJBgNVBAYTAkZSMRcwFQYDVQQIDA5I
YXV0cy1kZS1zZWluZTETMBEGA1UEBwwKQ291cmJldm9pZTETMBEGA1UECgwKT3Jh
Y2xlLUJFQTETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPZnIubWJ1dHRv
bi5ibG9nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCE4Eu/kWbTfjFQNWzm
YEGLEO8Mp7SY9R2d4MpZTCAPdS7DSjY1AsJMlTDxomsWAKdU/UaQuf0quyuO4oiM
7IxFMTHXEZ1TgXMUgHGgNYnkQIivcbskUFJuPUoYHW6mR9rlIkkVSkTPUVWaGvzt
gubEQhUvc1ndt8bpQRmnnOkZgQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEEpAwNF
Fa21wGzoBk7WzQkHuWKfY3D2mCuON+u9GWHxrQoDG+u6i4LyY/5DK9IMrs5tzq7u
9htJAryKJVMpHH05Nb0Bq9ZENylHLb8nIeAZP6A8w1WVb4xfRC1KAz7HLcA3xlBw
9+RanPitwglr9GX6teINf8te3m7hVS1wC3Hg
-----END CERTIFICATE-----
subject=/emailAddress=mbutton@
issuer=/emailAddress=mbutton@
---
No client certificate CA names sent
---
SSL handshake has read 829 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 48076FBB49156AD46E8B1DE5C6761319
    Session-ID-ctx:
    Master-Key: 0FE8F6A1A4A498FBE9832D7BE2FD999C2DA9C697F1311F6DE39A461293AD643E12DB8089828082581352D8FD5FF8E310
    Key-Arg   : None
    Start Time: 1226358012
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
The section in red represents the certificate presented by the server.
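The certificate in the s_client output above can be pulled out by a script instead of by hand. As an added example (not part of the original article), these shell functions extract the first PEM block from a saved transcript and list the weak points its handshake summary shows; the function names and the embedded transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a saved `openssl s_client` transcript read on stdin.

# Print only the first PEM block, i.e. the certificate the server presented.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /-----END CERTIFICATE-----/   { if (on) exit }'
}

# Print one finding per weak property in the handshake summary.
handshake_findings() {
    awk '
    /Verify return code:/ {
        code = $4
        sub(/^.*Verify return code: */, "")
        if (code + 0 != 0) print "UNVERIFIED: " $0
    }
    /Server public key is/ { if ($5 + 0 < 2048) print "WEAK-KEY: " $5 " bit" }
    /^ *Cipher *:/         { if ($NF ~ /RC4|MD5|DES|NULL|EXP/) print "WEAK-CIPHER: " $NF }'
}

# Constructed transcript modelled on the output above; the base64 line is a
# placeholder, not a real certificate.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
subject=/CN=example.invalid
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 18 (self signed certificate)
---
EOF
}

sample_transcript | extract_leaf_pem      # redirect to server.pem in real use
sample_transcript | handshake_findings
```

Run against the transcript shown in this article, the second function reports the same three items: the self-signed verify code, the 1024-bit key and the RC4-MD5 cipher.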
ASCII delimited by "-----BEGIN CERTIFICATE-----" & "-----END CERTIFICATE-----" means it's a PEM.
We need to isolate it. Then just copy it in a file and name it "server.pem" for instance.
4 - Configure Apache SSL to access WebLogic
First, copy the apache plugin in the apache modules directory.
%BEA_ROOT%\wlserver_10.3\server\plugin\win\32\mod_wl_22.so
towards %APACHE_HOME%\modules
In your httpd.conf, add the following lines to have a clean and separate configuration for WebLogic.
############## WLS 10 Proxy Plugin
mod_weblogic.c>
LoadModule weblogic_module modules/mod_wl_22.so
# Config file for WebLogic Server that defines the parameters
Include conf/weblogic.conf
These few lines include the file weblogic.conf.
This file looks like:
SetHandler weblogic-handler
WebLogicHost localhost
WebLogicPort 7002
# SSL
SecureProxy ON
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\server.pem
EnforceBasicConstraints false
# DEBUG
WLLogFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\wlproxy.log
Debug ALL
DebugConfigInfo ON
As you may have noticed, the "TrustedCAFile" is the full path towards our server certificate (the one we got from OpenSSL!)
For more information about configuring WebLogic plugin,
Then accessing the console through the following URL: http://localhost/console shows in the wlproxy.log:
Tue Nov 11 00:08:43 2008 <502412263585231> ================New Request: [GET /console HTTP/1.1] =================
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: SSL is configured
Tue Nov 11 00:08:43 2008 <502412263585231> SSL Main Context not set. Calling InitSSL
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: SSL configured successfully
Tue Nov 11 00:08:43 2008 <502412263585231> Using Uri /console
Tue Nov 11 00:08:43 2008 <502412263585231> After trimming path: '/console'
Tue Nov 11 00:08:43 2008 <502412263585231> The final request string is '/console'
Tue Nov 11 00:08:43 2008 <502412263585231> Host extracted from serverlist is [localhost]
Tue Nov 11 00:08:43 2008 <502412263585231> Initializing lastIndex=0 for a list of length=1
Tue Nov 11 00:08:43 2008 <502412263585231> getListNode: created a new server node: id='localhost:7002' server_name='localhost', port='80'
Tue Nov 11 00:08:43 2008 <502412263585231> attempt #0 out of a max of 5
Tue Nov 11 00:08:43 2008 <502412263585231> Trying a pooled connection for '127.0.0.1/7002/7002'
Tue Nov 11 00:08:43 2008 <502412263585231> getPooledConn: No more connections in the pool for Host[127.0.0.1] Port[7002] SecurePort[7002]
Tue Nov 11 00:08:43 2008 <5024122635852
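The weblogic.conf in step 4 switches off host name matching and basic-constraints enforcement and leaves plug-in debugging on, which suits a local test with a self-signed certificate. As an added example (not part of the original article), this shell function flags those directives in a plug-in configuration before it is reused elsewhere; the function names, message texts and the tightened variant with its placeholder path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an Apache plug-in weblogic.conf supplied on stdin.
# Prints one line per directive that relaxes a TLS check or leaves
# diagnostics switched on; prints nothing when none is found.
lint_plugin_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
    {
        key = tolower($1); val = tolower($2)
        if (key == "secureproxy")   tls = val
        if (key == "trustedcafile") ca  = $2
        if (key == "requiresslhostmatch" && val == "false")
            print NR ": RequireSSLHostMatch false (host name not matched against certificate)"
        if (key == "enforcebasicconstraints" && (val == "false" || val == "off"))
            print NR ": EnforceBasicConstraints " $2 " (CA basic constraints not enforced)"
        if (key == "debug" && val != "off")
            print NR ": Debug " $2 " (verbose request logging)"
        if (key == "debugconfiginfo" && val == "on")
            print NR ": DebugConfigInfo ON (plug-in configuration exposed for debugging)"
    }
    END {
        if (tls != "on") print "-: SecureProxy is not ON (plain HTTP to WebLogic)"
        if (ca == "")    print "-: TrustedCAFile is not set"
    }'
}

# The weblogic.conf from this page (comment lines omitted).
page_conf() {
    cat <<'EOF'
SetHandler weblogic-handler
WebLogicHost localhost
WebLogicPort 7002
SecureProxy ON
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\server.pem
EnforceBasicConstraints false
WLLogFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\wlproxy.log
Debug ALL
DebugConfigInfo ON
EOF
}

# Constructed variant with the checks left on; the CA path is a placeholder.
tightened_conf() {
    printf '%s\n' 'SecureProxy ON' 'RequireSSLHostMatch true' \
        'TrustedCAFile /path/to/ca.pem' 'Debug OFF' 'DebugConfigInfo OFF'
}

page_conf | lint_plugin_conf
```

With RequireSSLHostMatch left on, the name in the WebLogic certificate has to match the WebLogicHost value, which the self-signed certificate from step 1 does not.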