By default, the https port is configured to use a "Demo Certificate" that is placed in the keystore during the WebLogic install. This demo certificate may be helpful for testing your SSL configuration in test environments, but if you are using the WebLogic https protocol in production, you should use a valid certificate rather than the demo certificate.
Here is a common list of Certificate Authorities (CAs) that you may use with PeopleSoft:
· Verisign
· Entrust
· Thawte
· GoDaddy
In-House 'certificate signing' tool
You may also use Microsoft Certificate Services or OpenSSL as an in-house signing tool. The only issue is that when a user hits your sign-on page, they will get the standard warning that the certificate is not from a trusted authority; they can continue, or import your in-house CA into the browser's trusted certificate authorities to avoid the message. Note that this is not supported by PeopleSoft, because the certificate has no trusted root certificate behind it.
Considerations while generating a certificate with PeopleSoft
· The certificate file must be in 'ascii' or 'pem' format in order to import it into the keystore
· The certificate "key algorithm" must be "RSA"
· The "hash algorithm" can be SHA1 or SHA2
· You may use a 4096-bit certificate from WebLogic 9.2 onward
· 'Extended Validation' (EV) certificates are also supported for use with WebLogic.
Note:
· I know a wildcard certificate allows you to secure many web sites within a single domain with the same certificate, but PeopleSoft WebLogic does not support wildcard certificates. You may still use one, but PeopleSoft might not help you if you get an issue with the wildcard certificate.
· TLS 1.0 and SSL 3.0 are supported on WebLogic 10.3, WebLogic 9.2 and WebLogic 8.1
Create/ Renew new SSL Certificate
If you are creating a new key and CSR for the first time (first time setting up SSL on this Webserver domain), you can skip step# 2 of the "Generate new key and CSR" section. The rest of the steps should be done.
In PT8.49/PT8.50 as in prior versions of PeopleTools, we use pskeymanager to facilitate the SSL setup. This script is located under the following directory:
For PT8.49/8.50: <PS_HOME>/webserv/<DOMAIN>/bin.
For PT8.51+: <PS_HOME>/webserv/<DOMAIN>/piabin
To renew a certificate, the easier way is to delete the old key entry and generate a new one, since you will have to get a new certificate anyway. Here are the steps:
Step 1: Generate new key and CSR:
1. Backup your pskey keystore located under the following directory:
For PT 8.49/8.50: <PS_HOME>/webserv/<DOMAIN>/keystore.
For PT8.51+: <PS_HOME>/webserv/<DOMAIN>/piaconfig/keystore
If you are using a keystore other than pskey, that's the one you need to backup.
2. Delete the current key (this has to be done if you want to use the same alias you are currently using)
pskeymanager -delete
When prompted for an Alias enter the current alias.
3. Create a new key and CSR:
pskeymanager -create
-When prompted for an Alias, enter the same alias you deleted in step# 2.
-Starting with WebLogic 9.2, the key size (i.e. the certificate length) is limited to 4096 bits.
-Be sure to write down the key password, as you will need to specify it in the Admin Console. This password is unrecoverable!
4. Submit the new CSR to your Certification Authority, a.k.a. CA (they will issue a new certificate for your server).
Step 2: Import new certificate:
In the email that your CA will send to you, there should be 2 links to their website, one to download the root CA and another one for the intermediate CA if there's any. You will have to go to their website and download them. Another way to obtain them is to double click on the certificate file and then go to the Certification Path tab. The first cert in the list is the root CA and the second one is the intermediate CA if there's any. If you highlight the root CA and then click on <View Certificate>, it will open up the Root CA certificate. Then you can go to the Details tab and click on <Copy to file>. Select Base 64 as the format and save the file. Repeat the same steps to copy the intermediate CA to a file.
Once you have the 3 files (root CA, intermediate and certificate): if you have an intermediate CA, open it, do a <Select All> and then <Copy>, then open your certificate file and paste the intermediate below the server certificate (if you don't have an intermediate CA, skip this step). Then do the same with the root CA and paste it at the very bottom. You will end up with a certificate file that looks like this:
-----BEGIN CERTIFICATE-----
dfsfsdfdf
sfsdfwehdfhdf <---------certificate
dgdfgfgfdg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
hghjgfjgj
sfsdfwejjhdfhdf <---------intermediate
dgdfgiuiyuiuiyufgfdg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dfsfsmbvmvbmdfdf
sfsdetetrtyrfwehdfhdf <---------root CA
dgdfgnbnbvnvbfgfdg
-----END CERTIFICATE-----
The reason you have to do this is so that the intermediate is imported along with the server certificate, which avoids having to import the intermediate into every user's browser.
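The concatenated file is easy to get wrong: an annotation left inside a block (the "<---- certificate" labels in the sketch are only there for this article), BEGIN/END markers that are not exactly five dashes, a missing root, or the blocks in the wrong order will either fail the pskeymanager import or silently leave the intermediate out of the chain. The checker below is an added example written for this article, not PeopleSoft or WebLogic code. It walks just enough DER to read each block's issuer, subject and signature algorithm, so it also covers the RSA/SHA1/SHA2 consideration listed earlier; it does not verify signatures or expiry. The fake_cert() builder and the example.com names are constructed test data, and check_chain() is the only function you would point at a real file.

```python
"""Sanity-check a concatenated PEM chain before importing it with pskeymanager. Added
example for this article, not PeopleSoft or WebLogic code; reads structure only."""
import base64
import re

# One block per certificate; the markers must be exactly five dashes on their own line
PEM_BLOCK = re.compile(r"^-----BEGIN CERTIFICATE-----$\n(.*?)^-----END CERTIFICATE-----$", re.M | re.S)
# DER-encoded OIDs of the RSA + SHA1/SHA2 signature algorithms the article allows
SIG_ALGS = {bytes.fromhex("2a864886f70d0101" + last): name for last, name in
            (("05", "sha1WithRSAEncryption"), ("0b", "sha256WithRSAEncryption"),
             ("0c", "sha384WithRSAEncryption"), ("0d", "sha512WithRSAEncryption"))}

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2, pos + 2 + first

def cert_fields(der):
    """Return (issuer_der, subject_der, signature_oid) from one DER certificate."""
    _, pos, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE {
    _, pos, _ = _tlv(der, pos)                         #   tbsCertificate ::= SEQUENCE {
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                    #     [0] EXPLICIT version OPTIONAL
        pos = end
    fields = []
    for _ in range(5):                                 #     serial, signature, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    _, alg_pos, _ = _tlv(fields[1], 0)                 # AlgorithmIdentifier ::= SEQUENCE { OID, ... }
    _, o_start, o_end = _tlv(fields[1], alg_pos)
    return fields[2], fields[4], fields[1][o_start:o_end]

def check_chain(text):
    """[] means server cert -> intermediate(s) -> self-signed root, each issuer equal to the
    next block's subject, and nothing stray inside or around the blocks."""
    problems = []
    if "\r" in text:
        problems.append("CR characters present (Windows line endings; transfer the file in ASCII mode)")
        text = text.replace("\r", "")
    matches = list(PEM_BLOCK.finditer(text))
    if not matches:
        return problems + ["no CERTIFICATE blocks found (markers need exactly five dashes)"]
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text outside the BEGIN/END markers")
    blobs = []
    for i, m in enumerate(matches, start=1):
        try:
            blobs.append(base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True))
        except ValueError:
            problems.append(f"block {i} contains text that is not base64 (an editor annotation?)")
    if len(blobs) != len(matches):
        return problems                                # cannot check order with an undecodable block
    parsed = [cert_fields(b) for b in blobs]
    for i in range(len(parsed) - 1):
        if parsed[i][0] != parsed[i + 1][1]:
            problems.append(f"block {i + 1} was not issued by block {i + 2} (wrong order or missing CA)")
    if parsed[-1][0] != parsed[-1][1]:
        problems.append("last block is not self-signed: the root CA is missing")
    for i, (_, _, oid) in enumerate(parsed, start=1):
        if oid not in SIG_ALGS:
            problems.append(f"block {i} signature algorithm is not RSA with SHA1/SHA2")
    return problems

# ---- constructed test data: an unsigned X.509 skeleton carrying only the fields read above ----
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { commonName OID 2.5.4.3, UTF8String } } }"""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn, sig_oid=bytes.fromhex("2a864886f70d01010b")):
    """Constructed sample only: no CA issued it and the signature BIT STRING is empty."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")       # version v3, serial 1
           + _der(0x30, _der(0x06, sig_oid)) + _name(issuer_cn)        # signature alg, issuer
           + _der(0x30, b"") + _name(subject_cn))                      # validity (empty), subject
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _der(0x06, sig_oid)) + _der(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":                             # demo on the constructed chain
    chain = [to_pem(fake_cert(s, i)) for s, i in (("pia.example.com", "Example Issuing CA"),
             ("Example Issuing CA", "Example Root CA"), ("Example Root CA", "Example Root CA"))]
    print("correct order:", check_chain("".join(chain)) or "no problems")
    print("reversed     :", check_chain("".join(reversed(chain))))
```

For a real file, call check_chain(open("yourserver.cer").read()) before step 3 of the import below and fix anything it reports; the byte-for-byte comparison of issuer against subject is the same test a TLS client applies when it builds the chain, so a mismatch here is exactly the case where browsers end up needing the intermediate installed by hand.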
1. Copy your new certificate file (the concatenated file) and the root CA to <PS_HOME>/webserv/<DOMAIN>. If your server is on Unix, make sure to ftp the files in ASCII mode. If you have an intermediate CA, you will also need to copy that one.
2. Import the Root CA first:
pskeymanager -import
When prompted for an Alias, enter anything, such as RootCA
When prompted for the name of the certificate file, enter RootCA.cer
If asked if you want to trust this file, say yes.
3. Import the server certificate (concatenated file):
pskeymanager -import
When prompted for an Alias, enter the same alias you specified when you created the CSR (step 3 of the above section).
When prompted for the name of the certificate file, enter the name of the concatenated certificate file you copied in step 1
When prompted for the key password, enter the password you specified when you created the key/CSR (this password is unrecoverable)
If asked if you want to trust this file, say yes.
4. Setup SSL in the Admin Console:
· Log into the Admin Console: http://hostname:admin_port/console
(The default userid is "system". For PeopleTools 8.50 and above, the default password is "Passw0rd". For PeopleTools 8.49 and below, the default password is "password")
· On the Change Center (left menu), click the 'Lock & Edit' button (top left)
· On the left menu, in the 'Domain Structure' section, choose 'Environment -> Servers'
· Click on PIA or the server you want to configure for SSL.
· Go to the "Configuration" tab and the "Keystores" sub-tab.
· Select 'Custom Identity And Custom Trust' from the Keystores dropdown field
· Verify that the Custom Identity and Trust keystore and password are correct. The default pskey keystore password is "password". You'll need to enter it in the following four fields:
-Custom Identity Keystore Passphrase (and 'Confirm Custom Identity Keystore Passphrase')
-Custom Trust Keystore Passphrase (and 'Confirm Custom Trust Keystore Passphrase')
· Click on the "Save" button.
· Now go to the "SSL" tab
· Select "Keystores" from the "Identity and Trust Locations" dropdown field (this is the default value)
· Enter the Private Key Alias: same alias as in step 3 of the "Generate new key" section.
· Enter the Private Key Password: same password as in step 3 of the "Generate new key" section.
· Click on the "Save" button.
· Click the 'Activate Changes' button on the top left menu (for PeopleTools 8.49 and above, the changes are automatically activated. For older PeopleTools versions, you need to restart the WebLogic PIA)
Steps for Migrating Certificate
· Both PeopleSoft environments must be using the same "hostname"
· The same certificate can be used by multiple domains if they are all on the same physical machine
· At times you may wish to migrate the SSL certificate when you upgrade PeopleTools; WebLogic 8.1, 9.2 and 10.3 all use the same keystore format.
Keystore File
1. Backup the keystore file "pskey". (If you are using a keystore other than pskey, back that one up). The pskey file can be found in the following location:
For PeopleTools 8.50 and below: <PS_HOME>\webserv\<DOMAIN>\keystore
For PeopleTools 8.51 and above: <PS_HOME>\webserv\<DOMAIN>\piaconfig\keystore
2. Copy the pskey file (or the keystore file you are using) from 'old' domain to the 'new/upgrade' domain. The pskey file should be copied to the following directory in the 'new/upgrade' domain:
For PeopleTools 8.50 and below: <PS_HOME>\webserv\<DOMAIN>\keystore
For PeopleTools 8.51 and above: <PS_HOME>\webserv\<DOMAIN>\piaconfig\keystore
WebLogic Steps
· On the left hand panel, click on 'Lock & Edit' to switch to Edit mode.
· Under the 'Environment' section, click on Servers
· Click the server (on the right menu) that you wish to update (e.g. "PIA")
· Click the 'Keystores' subtab (under the 'Configuration' tab)
· From the Keystores dropdown list select "Custom Identity and Custom Trust"
· If you are using a keystore other than the default pskey, specify the path and name under 'Custom Identity Keystore' and 'Custom Trust Keystore'. Otherwise, leave the rest of the fields as is.
· Specify the keystore password in the passphrase fields (you will need to enter it in four places)
· Click on the Save button
· Click on the SSL tab
· For Identity and Trust Locations, select Keystores
· Enter the Private Key Alias: same alias you were using in the 'old' domain.
· Also enter the Private Key Password: same key password as in the 'old' domain. This password is unrecoverable.
· Click on the Save button
· On the left hand panel, click on 'Activate Changes'
· Restart the Web server.
Troubleshooting
The web server fails to listen on the SSL (HTTPS) port after setting up SSL:
<Jun 10, 2011 4:07:39 PM EDT> <Error> <Security> <BEA-090133> <Could not load a JKS keystore from the file <PS_HOME>\webserv\<DOMAIN>\keystore\pskey. Exception: java.io.IOException: Keystore was tampered with, or password was incorrect>
<Jun 10, 2011 4:07:39 PM EDT> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias <ALIAS> from the JKS keystore file <PS_HOME>\webserv\<DOMAIN>\keystore\pskey.>
<Jun 10, 2011 4:07:39 PM EDT> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.UnrecoverableKeyException: Cannot recover key>
<Jun 10, 2011 4:07:39 PM EDT> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Inconsistent security configuration, Cannot recover key.>
There is an I/O or format problem with the keystore data: either the path to the keystore, the keystore type, or the keystore password specified in the Admin Console is incorrect.
Follow these steps to correct the problem:
WebLogic 9.2 and 10.3:
1. Log into the Admin Console: http://hostname:admin_port/console
2. On the Change Center, click 'Lock and Edit' button
3. Go to: Domain Structure > Environments > Servers
4. Click on PIA or the server you want to configure for SSL.
5. Go to the Keystores tab.
6. Select 'Custom Identity And Custom Trust' from the Keystores dropdown field
7. Verify that the Custom Identity and Trust keystore password are correct. The default pskey keystore is "password." Also verify the path to the keystore, the default is keystore\pskey. Lastly, the default keystore format is JKS. Make sure this is correct.
8. Click on the Save button.
9. Go to the SSL tab
10. Select Keystores from the Identity and Trust Locations dropdown field
11. Enter the Private Key Alias: same alias specified when the CSR was generated.
12. Enter the Private Key Password: same password specified when the CSR was generated.
13. Click on the Save button.
14. Activate Changes.
15. Restart the web server (optional)
16. Check the PIA_weblogic.log to make sure the key was loaded successfully.
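Step 16 is easier with the log parsed than eyeballed, especially after a few restarts have stacked up entries. The script below is an added example for this article, not an Oracle or PeopleSoft utility: it splits PIA_weblogic.log into entries, keeps the Error/Emergency ones and maps the codes from the excerpt above to the checklist step that fixes them; key_loaded_ok() is step 16's "was the key loaded" question as a function. SAMPLE_LOG is a constructed copy of the article's excerpt with its wrapped lines re-joined (<PS_HOME>, <DOMAIN> and <ALIAS> are the article's placeholders), and the step numbers in HINTS refer to the numbered list above.

```python
"""Triage SSL-startup errors in PIA_weblogic.log. Added example for this article, not an
Oracle or PeopleSoft tool; the hints point at the numbered steps in the article's list."""
import re

# A WebLogic log entry starts with "<Mon DD, YYYY ...>" at the beginning of a line
ENTRY_START = re.compile(r"(?m)^(?=<[A-Z][a-z]{2} \d{1,2}, \d{4} )")
# <timestamp> <severity> <subsystem> <BEA-code> <message>; the message may span lines
ENTRY = re.compile(r"^<([^>]+)> <(\w+)> <(\w+)> <(BEA-\d+)> <(.*)>\s*$", re.S)

HINTS = {
    "BEA-090133": "keystore could not be opened: check the Custom Identity/Trust keystore path, "
                  "type (JKS) and passphrase on the Keystores tab (steps 5-8)",
    "BEA-000297": "private key could not be recovered: check the Private Key Alias and Private "
                  "Key Password on the SSL tab (steps 9-12)",
    "BEA-090034": "HTTPS listener did not start; it follows from the error above, so fix that "
                  "first, then activate changes and restart (steps 14-15)",
    "BEA-090170": "WebLogic found the alias and is loading the key (informational)",
}

# Constructed from the article's excerpt, wrapped lines re-joined; <PS_HOME>, <DOMAIN> and
# <ALIAS> are the article's placeholders, not real paths
SAMPLE_LOG = r"""<Jun 10, 2011 4:07:39 PM EDT> <Error> <Security> <BEA-090133> <Could not load a JKS keystore from the file
<PS_HOME>\webserv\<DOMAIN>\keystore\pskey. Exception: java.io.IOException: Keystore was tampered with, or password was incorrect>
<Jun 10, 2011 4:07:39 PM EDT> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias <ALIAS> from the JKS
keystore file <PS_HOME>\webserv\<DOMAIN>\keystore\pskey.>
<Jun 10, 2011 4:07:39 PM EDT> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration,
java.security.UnrecoverableKeyException: Cannot recover key>
<Jun 10, 2011 4:07:39 PM EDT> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Inconsistent
security configuration, Cannot recover key.>
"""


def parse_entries(text):
    """Split the log into entries; each is a dict with timestamp, severity, subsystem, code, message."""
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk)
        if m:
            ts, severity, subsystem, code, message = m.groups()
            entries.append({"timestamp": ts, "severity": severity, "subsystem": subsystem,
                            "code": code, "message": " ".join(message.split())})
    return entries


def triage(text):
    """(code, severity, hint) for every Error/Emergency entry, in log order."""
    return [(e["code"], e["severity"], HINTS.get(e["code"], "unmapped: " + e["message"]))
            for e in parse_entries(text) if e["severity"] in ("Error", "Emergency")]


def key_loaded_ok(text):
    """Step 16: the alias was loaded (BEA-090170) and none of the known keystore/SSL errors fired."""
    loaded = any(e["code"] == "BEA-090170" for e in parse_entries(text))
    failed = any(code in HINTS for code, _, _ in triage(text))
    return loaded and not failed


if __name__ == "__main__":
    for code, severity, hint in triage(SAMPLE_LOG):
        print(f"{severity:<9} {code}: {hint}")
    print("key loaded OK:", key_loaded_ok(SAMPLE_LOG))
```

Run it against the real file with triage(open(path_to_PIA_weblogic_log).read()); the order of the three hints mirrors the order you would work the checklist, since BEA-090133 (keystore) has to be cleared before the key alias and password on the SSL tab are even consulted.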
If you are looking for PeopleSoft and 3rd party URL certificates on the Application Server and Process Scheduler, see:
http://www.mybasicknowledge.com/2012/08/peoplesoft-and-3rd-party-urls.html