Apply SSL certificate on API CS physical Gateway node
High level steps to configure SSL in API CS physical Gateway
- Create Java KeyStore (JKS) and generate key
- Generate a Certificate Signing Request (CSR)
- Send the CSR file to CA to issue the certificate
- Import Certificates (Root, Intermediate(if any) & Server)
- Import API CS Certificate into Keystore
- Configure SSL in WebLogic Server
- Change KeyStore type in WebLogic Server
- Specify path of Identity KeyStore and Trust KeyStore
- Specify Private Key Alias in WebLogic Server
- Enable SSL in WebLogic Server
- Update Hostname Verification property
- Update the https URL of Gateway in API CS management console
- Import backend Services certificate into Keystore (if backend service is https enabled)
- Test API
Create Java KeyStore (JKS) and generate key
Keytool utility is a Key and Certificate Management Tool and is available in $JAVA_HOME/bin. Before we start, set JAVA_HOME and PATH variables. Use below two command to set JAVA_HOME and PATH variables
export JAVA_HOME=/usr/jdk1.8.0_171
export PATH=$JAVA_HOME/bin:$PATH
In this step, we’ll create Key Store and private key. Use below command to generate Key Store
keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -keypass <private_key_password> -keystore <keystore_name>.jks -storepass <keystore_password> -storetype pkcs12
Option
|
Description
|
genkey
|
Generate private keys
|
alias
|
Represent alias name of the keys
|
keyalg
|
Represent key algorithm. If not specified DSA algorithm will be used as default
|
keysize
|
Size of the private key
|
keypass
|
Represent the private key password
|
keystore
|
Used to provide keystore name
|
storepass
|
Used to provide keystore password
|
storetype
|
Used to give key store type
|
For example:
keytool -genkey -alias myweblogic -keyalg RSA -keysize 2048 -keypass welcome1 -keystore mystore.jks -storepass welcome1 storetype pkcs12
Note: When we’ll import signed certificate (issued by CA) in KeyStore then same alias myweblogic must be used.
Once we run the command, enter below information
- First Name and Last Name (CN): It should be server name for which certificate is being generated. For example (techsupper.com)
- Organization Unit (OU): Represent the Company organizational unit. For example (AnkurBlog)
- Organization (O): Represent the Organization. For example (Techsupper)
- City or Locality (L): Represent the organization city. For example (Delhi)
- State or Province (ST): State of the organization. For example (Delhi)
- Country (C): Represent of the organization country. For example (IN)
Generate a Certificate Signing Request (CSR)
Next step is to create a Certificate Signing Request (CSR).
Use the same alias (myweblogic) which was used to generate keystore (mystore.jks)
keytool -certreq -alias <alias> -keystore <keystore_name>.jks -storepass <keystore_password> -file <certificate_request>.csr
Option certreq signifies that we are generating certificate signing request (CSR) file.
For example:
keytool -certreq -alias myweblogic -keystore mystore.jks -storepass welcome1 -file myweblogiccsr.csr
mystore.jks is the kyestore which was created in the first step and welcome1 is the password which was used to create mystore.jks file
Send the CSR file (myweblogic.csr) to CA to issue the certificate
Send CSR file to certifying authority to issue the certificate.
Import Certificates (Root, Intermediate(if any) & Server)
Once we receive the certificate for the server then we must import certificate of Authority issued the certificate (before importing certificate issued by CA).
- Use below command to import root certificate into Keystore file (mystore.jks)
keytool -import -trustcacerts -alias <rootcacert_alias> -keystore <keystore_name>.jks -file <rootCA_file>.crt -storepass <keyStorePassword>
For example:
keytool -import -trustcacerts -alias rootcacert -keystore mystore.jks -file AddTrustExternalCARoot.crt -storepass welcome1
- import is used to import the certificate in keystore
- trustcacerts signifies that we are importing the trusted certificate
- alias must be different as used while generating keystore file
- file AddTrustExternalCARoot.crt is the file that contains the certificate of Root Certifying Authority
- User below command to import intermediate certificate into Keystore file (mystore.jks) if any
keytool -import -trustcacerts -alias <intermediatecacert_alias> -keystore <keystore_name>.jks -file <intermediateCA_file>.crt -storepass <keyStorePassword>
For example:
keytool -import -trustcacerts -alias intermediatecacert -keystore mystore.jks -file USERTrustRSAAddTrustCA.crt -storepass welcome1
- Finally import server certificate. Below command will be used to import the server certificate
keytool -import -alias <myAlias> -keystore <keystore_name>.jks -file <servercert>.crt -keypass <keyPassword> -storepass <keyStorePassword>
For example:
keytool -import -alias myweblogic -keystore mystore.jks -file techsupper_com.crt – keypass welcome1 -storepass welcome1
alias myweblogic should match with Alias used during generation of Key file techsupper_com.crt is a file that contains the certificate of server issued by CA
The certificate chain has been added into the keystore file (mystore.jks). To list certificate stored in Keystore, use below command
keytool -list -v -keystore mystore.jks -storepass welcome1
Import API CS Certificate into Keystore
API CS certificate should be imported into the keystore (mystore.jks) for the communication between API CS and GW node over SSL. Even if API CS is not SSL enabled even then API CS certificate should be imported into keystore. The same command wil be used to import API CS certificate as we imported intermediate / root certificate. First download the certificate from API CS management console and then import into mystore.jks
Note: Check the blog to see how to download certificate from browser
Note: Check the blog to see how to download certificate from browser
Configure SSL in WebLogic Server
In this blog, we have created a trust store and identity store in the same file (mystore.jks)
- Change KeyStore type in WebLogic Server
Login into the Physical Gateway WebLogic Server and navigate to Servers -> managedServer1-> Configuration -> Keystore
Click on Change button and select Custom Identity and Custom Trust. Once selected Click on Save button
- Specify path of Identity KeyStore and Trust KeyStore
In our case Trust Store (store containing Root and Intermediate CA) and Identity Store (store containing server certificate) are same i.e. <keystore_name>.jks (mystore.jks in our case).
Again Navigate to Servers -> managedServer1 -> Configuration -> Keystore tab
Enter below information and click on Save button
Custom Identity Keystore: Path of Keystore. In our case this is /home/oracle/gateway/domain/gateway1/security/mystore.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Custom Trust Keystore: Path of Keystore. In our case this is /home/oracle/gateway/domain/gateway1/security/mystore.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1
- Specify Private Key Alias in WebLogic Server
Navigate to Servers -> managedServer1 -> Configuration -> SSL tab
Enter below information and click on Save button
Private Key Alias: Alias of the Private key. In our case this is myweblogic
Private Key Passphrase: Password of Private Key. In our case this is welcome1
Confirm Private Key Passphrase: Password of Private Key. In our case this is welcome1
- Enable SSL in WebLogic Server
Finally, enable SSL in WebLogic Server. Navigate to Servers -> managedServer1 -> Configuration -> General
Check the SSL Listen Port Enabled checkbox
Update Hostname Verification property
Login into the Physical Gateway WebLogic Server and navigate to Servers -> managedServer1 -> Configuration -> SSL. Click on Advance and change the Hostname verification property to None
Login into the Physical Gateway WebLogic Server and navigate to Servers -> managedServer1 -> Configuration -> SSL. Click on Advance and change the Hostname verification property to None
Update the https URL of Gateway in API CS management console
Follow below steps to change the https URL in logical gateway
- Login into the API CS management portal
- Navigate to the Gateways tab and click on the Gateway which need to be configured with https url
- Select the nodes tab and enter the domain name in HTTPS text box
- Click on Save button
Import backend Services certificate into Keystore (if backend service is https enabled)
This is optional step. It is required only if the service which is configured in API CS is https enabled. Hit the https service using browser and download the certificate from browser. Check how to download certificate from browser. Import the downloaded certificate in mystore.jk file. The steps will be same as we imported root / intermediate certificate in previous step.
Test API
Once all steps completed successfully, deploy the API with https protocol. Please see the blog how to configure and deploy API in API CS
Once API deployed successfully, it should be accessible over https protocol.
thank you For Sharing This For Read About More
Raashi Khanna
Sridevi
Sapna Chaudhary Biography
Mira Rajput Biography
mohsin khan
Shivangi Joshi Biography