WebLogic配置自己定义密钥库和SSL的操作手冊
(定制标识和定制信任&Keytool&TLS1.0)
1、启用SSLport
保存。重新启动受管Server
IE浏览器訪问
谷歌浏览器訪问
2、查看密钥库和SSL配置
密钥库
SSL
3、手动制作identity.jks和trust.jks
新建jks文件夹
[weblogic@Weblogic201 ~]$ mkdir jksHL
[weblogic@Weblogic201 ~]$ cd jksHL/
生成标识identity.jks密钥库
例如以下标黄色背景部分的说明:
weblogicHL为“SSL—私有密钥别名”。
keypass123为“SSL—私有密钥password短语”;
storepass123为“密钥—标识(identity)—定制标识密钥库password短语”。
storepass123为“密钥库—信任(trust)—定制标识密钥库password短语”。
3650为自己定义证书的有效期,单位为天;
[weblogic@Weblogic201 jksHL]$ keytool -genkey -alias weblogicHL -keyalg RSA -keypass keypass123 -keystoreidentity.jks -storepass storepass123-validity 3650
What is your first and last name?
[Unknown]: HaiLang
What is the name of your organizationalunit?
[Unknown]: GZCSS
What is the name of your organization?
[Unknown]: GZCSS
What is the name of your City or Locality?
[Unknown]: GZ
What is the name of your State or Province?
[Unknown]: GD
What is the two-letter country code forthis unit?
[Unknown]: CN
Is CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ,ST=GD, C=CN correct?
[no]: yes
导出公钥证书的cer文件
[weblogic@Weblogic201 jksHL]$ keytool -export -alias weblogicHL -file root.cer -keystore identity.jks
Enter keystore password: storepass123
Certificate stored in file <root.cer>
生成信任trust.jks密钥库
将上一步生成的root.cer公钥证书导入并生成trust.jks密钥库
[weblogic@Weblogic201 jksHL]$ keytool -import -alias weblogicHL -trustcacerts -file root.cer -keystoretrust.jks
Enter keystore password: storepass123
Re-enter new password: storepass123
Owner: CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ,ST=GD, C=CN
Issuer: CN=HaiLang, OU=GZCSS, O=GZCSS,L=GZ, ST=GD, C=CN
Serial number: 559a5ac9
Valid from: Mon Jul 06 18:39:05 HKT 2015until: Thu Jul 03 18:39:05 HKT 2025
Certificate fingerprints:
MD5: 04:F2:4F:97:5B:8B:32:23:AB:69:D0:6A:42:1D:C7:77
SHA1:A0:B3:6F:90:08:0D:6B:55:6F:A6:13:C6:3B:C0:F4:CE:E1:B5:72:F9
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
至此identity.jks和trust.jks制作完毕!
4、在Console配置新的密钥库和SSL
改动默认的Demo密钥库
“密钥库—更改”
选择“定制标识和定制信任”—“保存”
填写密钥库的配置
定制标识密钥库:/home/weblogic/jksHL/identity.jks
定制信任密钥库:/home/weblogic/jksHL/trust.jks
定制标识/信任密钥类型:jks
点击“保存”。设置完毕。
SSL的配置
私有密钥别名:weblogicHL
私有密钥password短语:keypass123
点击“保存”;重新启动Server。密钥库和SSL配置完毕。
5、浏览器验证
Server启动日志
[weblogic@Weblogic201 bin]$./startManagedWebLogic.sh appSrv02 http://Weblogic201:7001
.
.
JAVA Memory arguments: -Xms1024m -Xmx1024m-XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m
.
WLS Start Mode=Development
.
CLASSPATH=/home/weblogic/Oracle/Middleware/patch_wls1035/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/weblogic/Oracle/Middleware/patch_ocp360/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/weblogic/jdk1.6.0_45/lib/tools.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar:/home/weblogic/Oracle/Middleware/modules/features/weblogic.server.modules_10.3.5.0.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/webservices.jar:/home/weblogic/Oracle/Middleware/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/home/weblogic/Oracle/Middleware/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/common/derby/lib/derbyclient.jar:/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/xqrl.jar:.:/home/weblogic/jdk1.6.0_45$/lib:/home/weblogic/jdk1.6.0_45$/lib/tools.jar
.
PATH=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/bin:/home/weblogic/Oracle/Middleware/modules/org.apache.ant_1.7.1/bin:/home/weblogic/jdk1.6.0_45/jre/bin:/home/weblogic/jdk1.6.0_45/bin:/home/weblogic/jdk1.6.0_45/bin:/home/weblogic/jdk1.6.0_45/jre/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/weblogic/bin
.
***************************************************
* Tostart WebLogic Server, use a username and *
* password assigned to an admin-level user. For *
* server administration, use the WebLogic Server *
* console at http://hostname:port/console *
***************************************************
starting weblogic with Java version:
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build20.45-b01, mixed mode)
Starting WLS with line:
/home/weblogic/jdk1.6.0_45/bin/java-client -Xms1024m -Xmx1024m-XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=256m -Dweblogic.Name=appSrv02-Djava.security.policy=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy-Dweblogic.security.SSL.trustedCAKeyStore=/home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/cacerts -Xverify:none -da -Dplatform.home=/home/weblogic/Oracle/Middleware/wlserver_10.3-Dwls.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server-Dweblogic.home=/home/weblogic/Oracle/Middleware/wlserver_10.3/server -Dweblogic.management.discover=false -Dweblogic.management.server=http://Weblogic201:7001 -Dwlw.iterativeDev=false-Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false-Dweblogic.ext.dirs=/home/weblogic/Oracle/Middleware/patch_wls1035/profiles/default/sysext_manifest_classpath:/home/weblogic/Oracle/Middleware/patch_ocp360/profiles/default/sysext_manifest_classpath weblogic.Server
<Jul 6, 2015 7:20:17 PM HKT><Info> <Security> <BEA-090905> <Disabling CryptoJ JCEProvider self-integrity check for better startup performance. To enable thischeck, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Jul 6, 2015 7:20:18 PM HKT><Info> <Security> <BEA-090906> <Changing the defaultRandom Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disablethis change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Jul 6, 2015 7:20:18 PM HKT><Info> <WebLogicServer> <BEA-000377> <Starting WebLogicServer with Java HotSpot(TM) 64-Bit Server VM Version 20.45-b01 from SunMicrosystems Inc.>
<Jul 6, 2015 7:20:19 PM HKT><Info> <Security> <BEA-090065> <Getting boot identity fromuser.>
Enter username to boot WebLogicserver:weblogic
Enter password to boot WebLogic server:
<Jul 6, 2015 7:20:24 PM HKT><Info> <Management> <BEA-141107> <Version: WebLogic Server10.3.5.0.7 PSU Patch for BUG16088411 Mon Apr 01 15:13:52 IST 2013
WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Jul 6, 2015 7:20:26 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to STARTING>
<Jul 6, 2015 7:20:26 PM HKT><Info> <WorkManager> <BEA-002900> <Initializingself-tuning thread pool>
<Jul 6, 2015 7:20:26 PM HKT><Notice> <LoggingService> <BEA-320400> <The log file/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.logwill be rotated. Reopen the log file if tailing has stopped. This can happen onsome platforms like Windows.>
<Jul 6, 2015 7:20:26 PM HKT><Notice> <LoggingService> <BEA-320401> <The log file hasbeen rotated to/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log00018.Log messages will continue to be logged in/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.log.>
<Jul 6, 2015 7:20:26 PM HKT><Notice> <Log Management> <BEA-170019> <The server log file/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/appSrv02.logis opened. All server side log events will be written to this file.>
<Jul 6, 2015 7:20:29 PM HKT><Notice> <Security> <BEA-090082> <Security initializingusing security realm myrealm.>
<Jul 6, 2015 7:20:30 PM HKT><Notice> <LoggingService> <BEA-320400> <The log file/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.logwill be rotated. Reopen the log file if tailing has stopped. This can happen onsome platforms like Windows.>
<Jul 6, 2015 7:20:30 PM HKT><Notice> <LoggingService> <BEA-320401> <The log file hasbeen rotated to/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log00012.Log messages will continue to be logged in/home/weblogic/Oracle/Middleware/user_projects/domains/myDomain/servers/appSrv02/logs/access.log.>
<Jul 6, 2015 7:20:31 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to STANDBY>
<Jul 6, 2015 7:20:31 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to STARTING>
<Jul 6, 2015 7:20:33 PM HKT><Notice> <Log Management> <BEA-170027> <The Server hasestablished connection with the Domain level Diagnostic Servicesuccessfully.>
<Jul 6, 2015 7:20:33 PM HKT><Notice> <Cluster> <BEA-000197> <Listening forannouncements from cluster using unicast cluster messaging>
<Jul 6, 2015 7:20:33 PM HKT><Notice> <Cluster> <BEA-000133> <Waiting to synchronizewith other running members of Cluster1.>
<Jul 6, 2015 7:20:46 PM HKT><Notice> <Cluster> <BEA-000142> <Trying to downloadcluster JNDI tree from server appSrv04.>
<Jul 6, 2015 7:20:46 PM HKT><Notice> <Cluster> <BEA-000164> <Synchronized cluster JNDItree from server appSrv04.>
<Jul 6, 2015 7:20:46 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to ADMIN>
<Jul 6, 2015 7:20:46 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to RESUMING>
<Jul 6, 2015 7:20:46 PM HKT><Notice> <Cluster> <BEA-000162> <Starting"async" replication service with remote cluster address"150.18.23.201:8001,150.18.23.201:8002,150.18.23.202:8001,150.18.23.202:8002">
<Jul 6, 2015 7:20:47PM HKT> <Notice> <Security> <BEA-090171> <Loading theidentity certificate and private key stored under the alias weblogicHL from thejks keystore file /home/weblogic/jksHL/identity.jks.>
<Jul 6, 2015 7:20:47PM HKT> <Notice> <Security> <BEA-090169> <Loadingtrusted certificates from the jks keystore file /home/weblogic/jksHL/trust.jks.>
<Jul 6, 2015 7:20:47 PM HKT><Notice> <Server> <BEA-002613> <Channel"DefaultSecure" is now listening on 150.18.23.201:8012 for protocolsiiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
<Jul 6, 2015 7:20:47 PM HKT><Notice> <Server> <BEA-002613> <Channel"Default" is now listening on 150.18.23.201:8002 for protocols iiop,t3, CLUSTER-BROADCAST, ldap, snmp, http.>
<Jul 6, 2015 7:20:47 PM HKT><Notice> <WebLogicServer> <BEA-000332> <Started WebLogicManaged Server "appSrv02" for domain "myDomain" running inDevelopment Mode>
<Jul 6, 2015 7:20:48 PM HKT><Notice> <WebLogicServer> <BEA-000365> <Server statechanged to RUNNING>
<Jul 6, 2015 7:20:48 PM HKT><Notice> <WebLogicServer> <BEA-000360> <Server started inRUNNING mode>
说明自己定义的密钥库载入成功!
IE浏览器訪问
继续浏览此站点,訪问成功!
查看证书信息
从有效期和证书颁发者信息可知。该证书正是我们之前制作的:
What is your first and last name?
[Unknown]: HaiLang
What is the name of your organizationalunit?
[Unknown]: GZCSS
What is the name of your organization?
[Unknown]: GZCSS
What is the name of your City or Locality?
[Unknown]: GZ
What is the name of your State or Province?
[Unknown]: GD
What is the two-letter country code forthis unit?
[Unknown]: CN
Is CN=HaiLang, OU=GZCSS, O=GZCSS, L=GZ,ST=GD, C=CN correct?
谷歌浏览器訪问
相同会提示证书不安全
继续前往
查看证书信息
至此。配置自己定义密钥库和SSL的操作已完毕!
---------------------------------------------------------------------------------------------------------------------------------
12306的SSL证书加密技术: