2 Replies Latest reply on Sep 12, 2019 12:44 PM by 3985112

    OUD12c - how to set the admin server to use JKS key and trust stores.

    3985112

      OUD12c  - How to set the OUD admin server and the OUDSM WebLogic server to use JKS key and trust stores.


      I would like to know how to switch the OUD12c admin server from its default deployment of using self-signed SSL certs to using an existing JKS key store; and I would like to know how to get OUDSM's WebLogic server to also use the JKS key store too.


      Thanks!

        • 1. Re: OUD12c - how to set the admin server to use JKS key and trust stores.
          IDAM_EUS

          Configure SSL Certificates for 4444 Port (OUD Admin)


          • Go to the OUD config folder

          Example: /apps/Oracle/Middleware/asinst_1/OUD/config/

          • Take a backup of the admin keystore related files.

          cp admin-keystore admin-keystore_original

          cp admin-keystore.pin admin-keystore.pin_original

          cp admin-truststore admin-truststore_original


          Change the admin store password

          The admin keystore contains a randomly generated password. It must be changed.

          cat /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore.pin

          The output would be something like: D3b8G1bXMGxn5qJbRCLSO6QgnYKNGyDB5669fP1YuR8qROUWKY

          Note that the same password is used for the admin keystore and truststore, so run the commands below to change the password for both of them.

          keytool -storepasswd -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore -storepass D3b8G1bXMGxn5qJbRCLSO6QgnYKNGyDB5669fP1YuR8qROUWKY -new <new_password>

          keytool -storepasswd -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore -storepass D3b8G1bXMGxn5qJbRCLSO6QgnYKNGyDB5669fP1YuR8qROUWKY -new <new_password>


          Update the admin store pin file

          The new password must be added to the admin keystore pin file.

          vi /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore.pin

          Remove the old entry, add the new password, and save the file.

          Delete the Self-Signed Admin cert of OUD

          Before importing the new certificate, the old admin certificate must be removed with the commands below.

          keytool -delete -alias admin-cert -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore -storepass <new_password>

          keytool -delete -alias admin-cert -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore -storepass <new_password>


          Import Your Organization certificate

          The admin port (4444) also uses the same certificates as the 1636 port, so import the certificate from the 1636 port's keystore into the admin keystores.

          Command format:

          keytool -importkeystore -srckeystore <Source_Key_Store> -destkeystore <Admin_Keystore> -srcstorepass <Password> -deststorepass <Password> -srcalias oudserver1-cert -destalias admin-cert -srckeypass <Password> -destkeypass <Password>

          Actual Commands:

          keytool -importkeystore -srckeystore /apps/Oracle/Middleware/asinst_1/OUD/config/oudserver1-Keystore -destkeystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore -srcstorepass <Password> -deststorepass <Password> -srcalias oudserver1-cert -destalias admin-cert -srckeypass <Password> -destkeypass <Password>

          keytool -importkeystore -srckeystore /apps/Oracle/Middleware/asinst_1/OUD/config/oudserver1-Keystore -destkeystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore -srcstorepass <Password> -deststorepass <Password> -srcalias oudserver1-cert -destalias admin-cert -srckeypass <Password> -destkeypass <Password>


          Verify the content of Admin keystores

          keytool -v -list -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore

          keytool -v -list -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore


          1.1.1 Renew OUD 4444 Admin port – certificate


          When new certificates are imported for the 1636 port, the certs for the 4444 port must also be changed.

          Go to the OUD config folder

          Example: /apps/Oracle/Middleware/asinst_1/OUD/config/

          Take a backup of the admin keystore related files.

          cp admin-keystore admin-keystore_original

          cp admin-keystore.pin admin-keystore.pin_original

          cp admin-truststore admin-truststore_original

          Delete the expired certificate

          keytool -delete -alias oudserver1-cert -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore -storepass <Password>

          keytool -delete -alias oudserver1-cert -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore -storepass <Password>


          Import Your Organization certificate

          Import the new certs from the new keystore of the 1636 port into the admin keystore of the 4444 port.

          keytool -importkeystore -srckeystore /apps/Oracle/Middleware/asinst_1/OUD/config/<New_Keystore> -destkeystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore -srcstorepass <Password> -deststorepass <Password> -srcalias oudserver1-cert -destalias admin-cert -srckeypass <Password> -destkeypass <Password>

          Import the new certs from the new keystore of the 1636 port into the admin truststore of the 4444 port.

          keytool -importkeystore -srckeystore /apps/Oracle/Middleware/asinst_1/OUD/config/<New_Keystore> -destkeystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore -srcstorepass <Password> -deststorepass <Password> -srcalias oudserver1-cert -destalias admin-cert -srckeypass <Password> -destkeypass <Password>

          Verify the content of Admin keystores

          keytool -v -list -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-keystore

          keytool -v -list -keystore /apps/Oracle/Middleware/asinst_1/OUD/config/admin-truststore

          Both commands must show the new certificate with

          Restart OUD
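The steps in the reply above, collected into one script as an added example (not code from the thread or from Oracle). It keeps whatever pin is already in admin-keystore.pin and checks that the pin opens the store before touching anything; paths, aliases and the environment variables SRC_STOREPASS and SRC_KEYPASS are assumptions based on the reply's example layout, and, unlike the reply, it imports only the certificate into the truststore because a truststore has no need of the private key.

```shell
#!/bin/sh
# Added example (not from the thread): the rotation above as one script that checks
# before each destructive step. Paths/aliases follow the thread's example layout and
# are assumptions; SRC_STOREPASS and SRC_KEYPASS are read from the environment.
set -eu
OUD_CONFIG="${OUD_CONFIG:-/apps/Oracle/Middleware/asinst_1/OUD/config}"
SRC_KEYSTORE="${SRC_KEYSTORE:-$OUD_CONFIG/oudserver1-Keystore}"
SRC_ALIAS="${SRC_ALIAS:-oudserver1-cert}"
ADMIN_ALIAS="admin-cert"
# The pin file must hold exactly one non-empty line with no whitespace; a stray blank
# line or space from editing it in vi leaves the admin port unable to open its store.
pin_is_sane() {
  [ -f "$1" ] || return 1
  [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
  pin="$(tr -d '\r\n' < "$1")"
  [ -n "$pin" ] || return 1
  if printf '%s' "$pin" | grep -q '[[:space:]]'; then return 1; fi
  printf '%s' "$pin"
}
# Timestamped backup name so repeated rotations never overwrite the first copy.
backup_name() { printf '%s_%s.bak' "$1" "$2"; }
rotate() {
  pin="$(pin_is_sane "$OUD_CONFIG/admin-keystore.pin")" || { echo "bad pin file" >&2; return 1; }
  ts="$(date +%Y%m%d%H%M%S)"
  for f in admin-keystore admin-keystore.pin admin-truststore; do
    cp -p "$OUD_CONFIG/$f" "$(backup_name "$OUD_CONFIG/$f" "$ts")"
  done
  # Read-only checks first: the pin must open the admin keystore and the source alias must exist.
  keytool -list -keystore "$OUD_CONFIG/admin-keystore" -storepass "$pin" >/dev/null
  keytool -list -keystore "$SRC_KEYSTORE" -storepass "$SRC_STOREPASS" -alias "$SRC_ALIAS" >/dev/null
  # Drop the previous admin-cert (self-signed on first run, expired on renewals).
  for s in admin-keystore admin-truststore; do
    keytool -delete -alias "$ADMIN_ALIAS" -keystore "$OUD_CONFIG/$s" -storepass "$pin" 2>/dev/null || true
  done
  # Key plus chain into the keystore under the alias OUD expects.
  keytool -importkeystore -noprompt -srckeystore "$SRC_KEYSTORE" -srcstorepass "$SRC_STOREPASS" \
    -srcalias "$SRC_ALIAS" -srckeypass "$SRC_KEYPASS" -destkeystore "$OUD_CONFIG/admin-keystore" \
    -deststorepass "$pin" -destalias "$ADMIN_ALIAS" -destkeypass "$pin"
  # The truststore only needs the certificate, not the private key, so import the cert alone.
  cert="$(mktemp)"
  keytool -exportcert -rfc -keystore "$SRC_KEYSTORE" -storepass "$SRC_STOREPASS" -alias "$SRC_ALIAS" -file "$cert"
  keytool -importcert -noprompt -keystore "$OUD_CONFIG/admin-truststore" -storepass "$pin" -alias "$ADMIN_ALIAS" -file "$cert"
  rm -f "$cert"; chmod 600 "$OUD_CONFIG/admin-keystore.pin"
  # Verify both stores now hold the new entry, then restart OUD.
  for s in admin-keystore admin-truststore; do
    keytool -list -keystore "$OUD_CONFIG/$s" -storepass "$pin" -alias "$ADMIN_ALIAS"
  done
}
# Only run when explicitly asked: ./rotate-admin-store.sh rotate
if [ "${1:-}" = rotate ]; then rotate; fi
```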

          • 2. Re: OUD12c - how to set the admin server to use JKS key and trust stores.
            3985112

            And here is the Python script which sets the WebLogic server hosting OUDSM to use an external key and trust store:


            $ cat oudsm12c-addSSL.py
            # WLST script: run with wlst.sh oudsm12c-addSSL.py against the OUDSM domain
            connect('weblogic','Password!','t3://localhost:7001')
            dumpStack()
            edit()
            startEdit()
            cd('/Servers/AdminServer')
            # Switch the AdminServer from demo stores to custom identity and trust stores
            cmo.setKeyStores('CustomIdentityAndCustomTrust')
            activate()

            startEdit()
            # Point the identity (private key) and trust stores at the external JKS files
            cmo.setCustomIdentityKeyStoreFileName("/usr/appl/oud/ssl/server-keystore")
            cmo.setCustomIdentityKeyStoreType('JKS')
            set('CustomIdentityKeyStorePassPhrase', 'Password!')
            cmo.setCustomTrustKeyStoreFileName("/usr/appl/oud/ssl/server-truststore")
            cmo.setCustomTrustKeyStoreType('JKS')
            set('CustomTrustKeyStorePassPhrase', 'Password!')
            activate()

            startEdit()
            # Select the server certificate by alias and enable the SSL listener on 7002 with JSSE
            cd('/Servers/AdminServer/SSL/AdminServer')
            cmo.setServerPrivateKeyAlias('server.alias.com')
            set('ServerPrivateKeyPassPhrase', 'Password!')
            cmo.setEnabled(true)
            cmo.setListenPort(7002)
            cmo.setJSSEEnabled(true)
            save()
            activate()
            dumpStack()
            disconnect()
            exit()
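Once the stores from both replies are in place and the servers restarted, the check worth running is whether each listener really presents the certificate stored under the expected alias. This is an added example, not code from the thread or from Oracle; the host names, ports, store paths, aliases and the OUD_STOREPASS and WLS_STOREPASS variables are assumptions taken from the replies' examples.

```shell
#!/bin/sh
# Added example (not from the thread): after the stores are switched and the servers
# restarted, confirm each TLS listener actually presents the certificate stored under
# the expected alias. Host names, ports and store paths below are assumptions taken from
# the thread's examples; OUD_STOREPASS and WLS_STOREPASS come from the environment.
set -eu
OUD_CONFIG="${OUD_CONFIG:-/apps/Oracle/Middleware/asinst_1/OUD/config}"

# Reduce keytool's "Certificate fingerprint (SHA-256): aa:bb:..." and openssl's
# "SHA256 Fingerprint=AA:BB:..." to bare uppercase hex so the two can be compared.
normalize_fp() {
  printf '%s\n' "$1" | sed 's/^.*[Ff]ingerprint[^=:]*[=:] *//' | tr -d ': \r' | tr 'a-f' 'A-F'
}
# Fingerprint of the certificate stored under an alias: keystore storepass alias
fp_of_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" | grep -i fingerprint
}
# Fingerprint of the leaf certificate a live listener presents: host:port
fp_of_listener() {
  printf '' | openssl s_client -connect "$1" 2>/dev/null | openssl x509 -noout -sha256 -fingerprint
}
# A mismatch means the listener still serves the old or self-signed certificate
# (server not restarted, wrong alias, wrong store). Arguments: host:port keystore storepass alias
check_listener() {
  want="$(normalize_fp "$(fp_of_alias "$2" "$3" "$4")")"
  got="$(normalize_fp "$(fp_of_listener "$1")")"
  if [ -n "$want" ] && [ "$want" = "$got" ]; then
    echo "OK   $1 serves alias $4 ($want)"
  else
    echo "FAIL $1: store has $want, listener serves $got" >&2; return 1
  fi
}
# Only run when explicitly asked: ./check-listeners.sh check
if [ "${1:-}" = check ]; then
  check_listener localhost:4444 "$OUD_CONFIG/admin-keystore" "$(cat "$OUD_CONFIG/admin-keystore.pin")" admin-cert
  check_listener localhost:1636 "$OUD_CONFIG/oudserver1-Keystore" "$OUD_STOREPASS" oudserver1-cert
  check_listener localhost:7002 /usr/appl/oud/ssl/server-keystore "$WLS_STOREPASS" server.alias.com
fi
```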