Since you are configuring SSL for managed servers that are on different machines, I assume that the listen address is also different for these servers.
So you need to create an SSL certificate for each machine (each listen address).
CN is nothing but the actual listen address being used by that particular managed server.
Your server name may be server.company.com, but the common name is a fully qualified domain name (FQDN).
server.company.com can be server.company.com and you need to generate a certificate for this name - this is the actual hostname of the SERVER.
server.company.com = <anyname>.domain.com ... e.g. erp.company.com, and generate a certificate for this new name, but erp.company.com should be registered in the DNS so that it will resolve to reach server.company.com.
If your system is an external facing system you should register this erp.company.com with service providers so that they will route to your server. If it's intranet, you need to register it in the company DNS.
1. Define what hash algorithm and ciphers you will use. Define where you want to have encrypted data exchange, and which servers you want to have encryption.
2. Update Java policies to be able to use high-bit keys on all hosts.
3. Create a CA if you do not have your root certificate. Create a root certificate and self-sign it. Generate the public certificate.
4. On each host create an identity keystore and (depending on your needs) a trust keystore.
5. Issue on each host a certificate signing request (CSR).
6. Sign each host's CSR with your root certificate. Copy the signed certificate together with the root public certificate to each corresponding host.
7. For each app server define the keystores model. Configure location, type and passphrase for the identity and (possibly) trust stores.
8. Configure SSL.
9. Configure ports to be used for SSL.
10. Define ciphers to be used.
11. Configure Node Manager to possibly use SSL.
12. Configure WLST to use SSL.
13. Configure AdminServer to use SSL.
14. Test app servers, AdminServer, Node Manager, WLST.
We do not have a node manager. In that case, can we run the Admin server alone in HTTP and all other managed servers in HTTPS? Also, when I submitted the CSR to the authority I got two certificates.
2. one certificate chain with trusted certificate.
So advise me which certificate I should import into the identity and trust keystores.
1. You may specify which servers will use SSL and which will not. But keep in mind that setting SSL Listen Port Enabled without disabling Listen Port Enabled will result in listening on both the secure and the unsecure port.
2. As for the names, domainname.cer is expected to contain your domain certificate (the root for your organization) signed by the CA. The other one probably holds a list of the public trust certificates.
You may list the contents with openssl or keytool:
openssl x509 -in domainname.cer -noout -text
keytool -printcert -v -file domainname.cer
Another option would be to use wild card certificates.
How To Configure WebLogic Server To Support Wildcard Certificates (Doc ID 1474989.1)
Instead of having a certificate for each host you have one for the whole domain.
I have two certificates I got from the authority.
1. my domain's certificate
2. root and intermediate certificate.
Which one should I pass to the clients which are accessing my application? Client applications are facing an SSL handshake issue.
Normally no certificates are sent to clients.
1. Strictly protect your mydomain certificate. This is your domain identity key.
2. On your servers you should create keystores (Java) or wallets (DB, OHS) for storing the server identity.
3. Issue on each server a certificate signing request (CSR).
4. Copy this CSR to your company certificate authority (CA) server.
5. Sign the CSR with your mydomain certificate. You will get a CRS -- the signed certificate for a server. Because your mydomain certificate is verified by an external authority and you are signing the server's certificate with such a verified certificate, your servers' certificates will also be verified.
6. Copy each signed CRS together with the root and intermediate certificate(s) to the corresponding server.
7. Import the CRS into your identity store and place it in a directory with restricted access. It is the host's (and apps') digital identity, verified by your mydomain, by the intermediate, by the root. If everything is OK you may delete the CRS.
8. Import your root and intermediate certificates into your trust store -- the store that holds the public certificates of well-known CAs.
9. Customize your WebLogic servers to use your identity and trust stores and the created certificates.
10. Check with external tools that your SSL connections are using strong encryption.
11. Configure the Admin console, WLST and scripts to use the SSL connection. Check it.
12. If necessary configure WebLogic-DB encryption.
Keep in mind that encrypting consumes more system resources in comparison with non-encrypted connections.
But there are some other Java processes (clients) connecting to the application servers. They were getting the SSL connection exception. Once I configured the root and intermediate certificates which I got into their trusted keystore, the issue got resolved.
To verify the server identity, clients should have access to the chain of signing public certificates. The trust store is used for this. Or you may directly import the intermediate and root certificates into the clients' stores.
Even if Java clients do not explicitly use stores, Java uses its own store in $JAVA_HOME/jre/lib/security/cacerts
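As an added example (not from this thread or any of its posters), the script below walks the chain described in the numbered steps above and in the client-trust exchange: a throwaway root signs an intermediate, the intermediate signs a server CSR whose CN is the listen-address name, and openssl verify shows why a client that trusts only the root still fails until the intermediate is added to its trust bundle. The CA names, erp.company.com and the changeit password are made up; only openssl is used, and in WebLogic the resulting PEM files would be imported with keytool as the posters describe.

```shell
# Added example, not from the thread. Builds root -> intermediate -> server with openssl
# (mini-root, mini-int and erp.company.com are made-up names), then shows the trust-store
# failure and fix from the thread, and packs key + chain into a PKCS12 identity store.
set -e
WORK=$(mktemp -d)

gen_chain() {
  # Root CA: self-signed, plays the organisation's root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mini-root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  # Intermediate: its CSR is signed by the root with CA:TRUE so it may sign servers.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mini-int" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  # Server identity: CSR whose CN is the managed server's listen address, signed by int.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=erp.company.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/server.crt" >/dev/null 2>&1
}

# 0 if server.crt chains up to the given trust bundle, non-zero otherwise.
verify_with() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Client trust store holding only the root: the handshake failure seen in the thread.
root_only_ok() { verify_with "$WORK/root.crt"; }

# Client trust store holding root and intermediate: the fix that resolved it.
full_chain_ok() {
  cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/trust.pem"
  verify_with "$WORK/trust.pem"
}

# Identity store: server key plus its chain in PKCS12, a keystore type Java accepts.
build_identity_store() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/int.crt" -name erp -passout pass:changeit \
    -out "$WORK/identity.p12" >/dev/null 2>&1
}

# Number of certificates in the identity store; expect 2 (server + intermediate).
identity_cert_count() {
  openssl pkcs12 -in "$WORK/identity.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
```

Run gen_chain first, then compare root_only_ok (fails) with full_chain_ok (succeeds); the same root-only gap is what a Java client sees when only the root was added to its cacerts.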
Thanks! Finally I have enabled SSL in my managed servers. But I am getting the below warning message in the managed servers' logs.
<Invalid/unknown SSL header was received from peer strapp20.apis.dhl.com - during SSL handshake.>. I have noticed that this is coming from the Admin server, because when I stopped the Admin server this warning message no longer appeared in the logs.
Please help to resolve this issue.
If you are using Linux please issue:
5556 is the default Node Manager port; 7001/2 are the default ports of the Admin server.