Brief extract from an issue encountered recently when we renewed SSL certificates.
The normal process we follow is: use openssl -> Create CSR -> Get Verisign cert -> Convert to Oracle Wallet -> Convert to keystore.
In Fusion Middleware 11g, creating an Oracle Wallet from openssl means following Oracle Note 184701.1. Because of a bug I was not able to see the wallet in OWM. So the new process below is used:
Create OWM cert -> Get Verisign cert -> Import into OWM -> Extract priv.key -> Convert to Java keystore
Following are the brief steps.
1) Generate the CSR using the "owm" binary from the Fusion Middleware Home.
2) Submit the CSR to Verisign and, after you get the user certificate, import it into OWM, select Auto Login and save.
3) Use ewallet.p12 and cwallet.sso (from step 2) in Fusion Middleware OHS.
4) From ewallet.p12 extract priv.key:
    openssl pkcs12 -in /tmp/SSL_2014/oraclewallet_dir/ewallet.p12 -nocerts -out private_key.pem
The first password that openssl asks for (Enter Import Password) is the wallet password; the other password (Enter PEM pass phrase) is used to protect the exported key.
    openssl rsa -in private_key.pem -out priv.key
This second command writes priv.key without a pass phrase, so keep the file readable only by its owner.
5) Use the SSL cert and priv.key in Apache.
6) Create the Java keystore from the Oracle Wallet:
    export PATH=$PATH:$MW_HOME/oracle_common/bin/
    orapki wallet pkcs12_to_jks -wallet ewallet.p12 -jksKeyStoreLoc ewallet.jks -jksKeyStorepwd <jks_password> -pwd <wallet_password>
7) Use the JKS in Oracle WebLogic Server.
8) Which file is used where:
ewallet.jks -- used in Oracle WebLogic Server
ewallet.p12 and cwallet.sso -- used in Fusion Middleware OHS
server.crt and priv.key -- used in Apache
9) Useful verification commands
Verify CSR
    openssl req -in fsplifm1.csr -noout -text
Verify private.key
    openssl rsa -in private.key -check
Verify Oracle Wallet
    orapki wallet display -wallet oraclewallet_dir -pwd <wallet_password>
Verify Java Keystore
    keytool -list -keystore ewallet.jks -storepass <jks_password>
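One more check worth running before step 5, as an added example that is not part of the original post: confirm that the priv.key extracted from the wallet carries the same public key as server.crt, and that the unencrypted key file is readable only by its owner. The function names, the CN example.test and the passwords are constructed for illustration; openssl is assumed to be on the PATH.

```sh
#!/bin/sh
# Added example, not from the original post. All files and passwords are
# constructed throwaway values; no real wallet is touched.

# Build a sample ewallet.p12 in directory $1, then repeat step 4 of the post
# non-interactively to produce private_key.pem and priv.key.
make_sample_wallet() (
    cd "$1" && umask 077 &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout orig.key \
        -out server.crt -subj "/CN=example.test" -days 1 &&
    openssl pkcs12 -export -inkey orig.key -in server.crt \
        -out ewallet.p12 -passout pass:WalletPw1 &&
    openssl pkcs12 -in ewallet.p12 -nocerts -out private_key.pem \
        -passin pass:WalletPw1 -passout pass:PemPw123 &&
    openssl rsa -in private_key.pem -passin pass:PemPw123 -out priv.key &&
    openssl genrsa -out other.key 2048   # unrelated key for the negative case
) >/dev/null 2>&1

# PEM public key from a certificate, and from an unencrypted private key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# Exit 0 only if both files parse and carry the same public key.
key_matches_cert() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 only if group and others have no permissions on the key file.
key_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# With two arguments, check real files; with none, demo on constructed ones.
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" && key_file_is_private "$2"
elif [ "$#" -eq 0 ]; then
    d=$(mktemp -d) && make_sample_wallet "$d" || exit 1
    key_matches_cert "$d/server.crt" "$d/priv.key" && echo "priv.key matches server.crt"
    key_matches_cert "$d/server.crt" "$d/other.key" || echo "other.key does not match"
    key_file_is_private "$d/priv.key" && echo "priv.key is owner-only"
    rm -rf "$d"
fi
```

Run with a certificate and a key as arguments, the script exits 0 only when the pair matches and the key file is owner-only.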