Updating the OIM server certificates is fairly straightforward.
Set the environment variables before proceeding with the activity:
cd $MIDDLEWARE_HOME/user_projects/domains/<domain>/bin
. ./setDomainEnv.sh
1. Find the location of your identity and trust stores (a.k.a. keystore and cacerts) by logging into the WebLogic admin console > Home page > Servers > oim_server1 > Keystores tab > "Custom Identity Keystore" and "Java Standard Trust Keystore" fields.
2. Go to the keytool location (<JDK install>/jre/bin) and create a new keystore:
./keytool -genkey -alias SERVER_HOST -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=server.uk.oracle.com,OU=Support,O=Oracle,L=Reading,ST=Berkshire,C=GB" -keypass xxxxx -keystore keystore.jks -storepass xxxxx
SHA256withRSA is the signature algorithm (SHA-256 digest, RSA signature) used for the placeholder self-signed certificate and later for the CSR. Note that this creates keystore.jks in the current directory (under /jre/bin); after taking a backup of the current keystore.jks, copy the new one into the path found in step 1.
3. List the keystore contents to confirm the new entry: ./keytool -list -v -keystore keystore.jks
4. Generate a certificate signing request (CSR):
./keytool -certreq -v -alias SERVER_HOST -file SERVER_HOST.csr -sigalg SHA256withRSA -keypass xxxxx -storepass xxxxx -keystore keystore.jks
It is good practice to check that the CSR was generated correctly before sending it to the CA, for example with an online CSR decoder such as https://www.sslshopper.com/csr-decoder.html (a CSR carries only the public key and the subject, never the private key, so decoding it externally does not expose anything secret).
5. In return for the CSR, your organization's CA will issue a .cer / .crt file for the server.
Import the root CA and the sub (intermediate) CA certificates into the keystore first, then your server identity certificate, so that the complete trust chain is present:
./keytool -import -v -noprompt -trustcacerts -alias rootca -file ROOTCA.cer -keystore keystore.jks -storepass xxxxx
Repeat the import for the sub CA certificate under its own alias. When importing the server certificate itself, use the same alias (SERVER_HOST) and -keypass as in step 2, so that keytool attaches the CA reply to the existing private key entry instead of creating a separate trusted-certificate entry.
Repeat the above steps for each OIM server in your environment.
Trust store certificate renewal:
Now that each OIM server in the cluster has its own new identity certificate, each server must also trust the other servers' certificates for SSL connections between them. To do so:
1. List the cacerts trust store (as in step 3 above, pointing -keystore at cacerts) and note the aliases of the old server certificates.
2. Delete the old certificates, one alias at a time:
./keytool -delete -alias SERVER_HOST -keystore cacerts -storepass changeit
3. Import the new certificates under the same aliases (changeit is the JDK's default cacerts password; use your own if it has been changed):
./keytool -import -alias SERVER_HOST -file SERVER_HOST.cer -keystore cacerts -storepass changeit
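The listings that step 3 and trust-store step 1 have you read by eye can be checked programmatically. The following script is an added example, not part of the original post or of any Oracle tool: it parses the text that keytool -list -v prints, using a constructed sample listing with placeholder host names, serials and fingerprints, and reports which aliases are expired or close to expiry (the ones to delete and re-import in steps 2 and 3) and whether the private key entry still holds only its self-signed placeholder, meaning the CA reply from step 5 has not been imported yet. Function names and the sample aliases are the example's own.

```python
"""Check `keytool -list -v` output for expired entries and an unsigned identity.
Added example (not from the original post or from Oracle); it applies the
checks that steps 3 and trust-store step 1 describe to the listing text."""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output; host names, serials and
# fingerprints are placeholders, not values from a real environment.
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: rootca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=GB
Issuer: CN=Example Root CA, O=Example, C=GB
Serial number: 1
Valid from: Tue Jan 05 10:00:00 GMT 2021 until: Sat Jan 05 10:00:00 GMT 2041


*******************************************
*******************************************


Alias name: oimhost2
Entry type: trustedCertEntry

Owner: CN=oimhost2.example.com, OU=Support, O=Example, C=GB
Issuer: CN=Example Sub CA, O=Example, C=GB
Serial number: 2a
Valid from: Wed Mar 01 09:00:00 GMT 2023 until: Fri Mar 01 09:00:00 GMT 2024
Certificate fingerprints:
\t SHA256: <placeholder>

Alias name: server_host
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oimhost1.example.com, OU=Support, O=Example, C=GB
Issuer: CN=oimhost1.example.com, OU=Support, O=Example, C=GB
Serial number: 3b
Valid from: Tue Jan 02 00:00:00 GMT 2024 until: Mon Apr 01 00:00:00 GMT 2024
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.MULTILINE)


def _field(block, name):
    """First 'Name: value' line in an entry block, or None if absent."""
    m = re.search(rf"^{re.escape(name)}: (.+)$", block, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_keytool_date(text):
    """'Tue Jan 05 10:00:00 GMT 2021' -> naive datetime (weekday and zone ignored)."""
    _weekday, month, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_listing(listing):
    """One record per alias; for a PrivateKeyEntry the first Owner/Issuer/Valid
    lines belong to Certificate[1], the server's own certificate."""
    entries = []
    for block in re.split(r"^Alias name: ", listing, flags=re.MULTILINE)[1:]:
        valid = VALID_RE.search(block)
        entries.append({
            "alias": block.splitlines()[0].strip(),
            "entry_type": _field(block, "Entry type"),
            "subject": _field(block, "Owner"),
            "issuer": _field(block, "Issuer"),
            "chain_length": int(_field(block, "Certificate chain length") or 1),
            "not_before": parse_keytool_date(valid.group(1)),
            "not_after": parse_keytool_date(valid.group(2)),
        })
    return entries


def classify(entries, now, warn_days=30):
    """alias -> 'expired' | 'expiring' | 'ok' relative to `now` (datetime or ISO string)."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    status = {}
    for e in entries:
        if e["not_after"] <= now:
            status[e["alias"]] = "expired"
        elif e["not_after"] - now <= timedelta(days=warn_days):
            status[e["alias"]] = "expiring"
        else:
            status[e["alias"]] = "ok"
    return status


def needs_ca_reply(entry):
    """True when a PrivateKeyEntry still holds only its self-signed placeholder,
    i.e. the CA-issued certificate from step 5 has not been imported yet."""
    return (entry["entry_type"] == "PrivateKeyEntry"
            and entry["chain_length"] == 1
            and entry["subject"] == entry["issuer"])


if __name__ == "__main__":
    # Pipe real output in: ./keytool -list -v -keystore cacerts -storepass changeit | python3 check_keystore.py
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_listing(text)
    for alias, state in classify(entries, datetime.now()).items():
        print(f"{alias}: {state}")
    for e in entries:
        if needs_ca_reply(e):
            print(f"{e['alias']}: private key entry has no CA-signed chain yet")
```

The expiry check deliberately uses only the leaf certificate's "until" date, since that is what the peer server validates; a warn window of 30 days gives time to run the CSR round-trip before an old entry actually breaks the cluster's SSL connections.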
For a detailed view of the keytool utility, please refer to:
Oracle master document for SSL set-up in Fusion Middleware:
As always, thanks for reading!