Apply SSL certificate on API CS physical Gateway node

High-level steps to configure SSL on an API CS physical Gateway
  1. Create Java KeyStore (JKS) and generate key
  2. Generate a Certificate Signing Request (CSR)
  3. Send the CSR file to CA to issue the certificate
  4. Import Certificates (Root, Intermediate(if any) & Server)
  5. Import API CS Certificate into Keystore
  6. Configure SSL in WebLogic Server
    • Change KeyStore type in WebLogic Server
    • Specify path of Identity KeyStore and Trust KeyStore
    • Specify Private Key Alias in WebLogic Server
    • Enable SSL in WebLogic Server
  7. Update Hostname Verification property
  8. Update the https URL of Gateway in API CS management console
  9. Import backend Services certificate into Keystore (if backend service is https enabled)
  10. Test API
Create Java KeyStore (JKS) and generate key
The keytool utility is the JDK's key and certificate management tool and is available in $JAVA_HOME/bin. Before we start, set the JAVA_HOME and PATH variables with the two commands below:
 export JAVA_HOME=/usr/jdk1.8.0_171
 export PATH=$JAVA_HOME/bin:$PATH
In this step, we'll create the keystore and the private key. Use the command below to generate the keystore:

keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -keypass <private_key_password> -keystore <keystore_name>.jks -storepass <keystore_password> -storetype pkcs12

Option      Description
genkey      Generate a key pair (private key plus a self-signed certificate) in the keystore
alias       Alias name under which the key entry is stored
keyalg      Key algorithm. If not specified, DSA is used by default
keysize     Size of the private key in bits
keypass     Password protecting the private key
keystore    Name (path) of the keystore file
storepass   Password of the keystore
storetype   Type of the keystore
For example:
 keytool -genkey -alias myweblogic -keyalg RSA -keysize 2048 -keypass welcome1 -keystore mystore.jks -storepass welcome1 -storetype pkcs12
Note: when we later import the signed certificate (issued by the CA) into the keystore, the same alias (myweblogic) must be used.

Once we run the command, enter the information below when prompted:

  • First Name and Last Name (CN): the server (host) name for which the certificate is being generated, for example techsupper.com
  • Organization Unit (OU): the company's organizational unit, for example AnkurBlog
  • Organization (O): the organization, for example Techsupper
  • City or Locality (L): the organization's city, for example Delhi
  • State or Province (ST): the organization's state, for example Delhi
  • Country (C): the organization's two-letter country code, for example IN
Generate a Certificate Signing Request (CSR)
The next step is to create a Certificate Signing Request (CSR).
Use the same alias (myweblogic) that was used when generating the keystore (mystore.jks):
keytool -certreq -alias <alias> -keystore <keystore_name>.jks -storepass <keystore_password> -file <certificate_request>.csr
The certreq option signifies that we are generating a certificate signing request (CSR) file.
For example:
 keytool -certreq -alias myweblogic -keystore mystore.jks -storepass welcome1 -file myweblogiccsr.csr

mystore.jks is the keystore created in the first step and welcome1 is the password used when creating mystore.jks.


Send the CSR file (myweblogiccsr.csr) to CA to issue the certificate
Send the CSR file to the certifying authority (CA) so that it can issue the server certificate.
Import Certificates (Root, Intermediate(if any) & Server)
Once we receive the server certificate, we must first import the certificate(s) of the authority that issued it, before importing the certificate issued to the server.
  • Use the command below to import the root certificate into the keystore file (mystore.jks)
 keytool -import -trustcacerts -alias <rootcacert_alias> -keystore <keystore_name>.jks -file <rootCA_file>.crt -storepass <keyStorePassword>
For example:
keytool -import -trustcacerts -alias rootcacert -keystore mystore.jks -file AddTrustExternalCARoot.crt -storepass welcome1
    • import is used to import a certificate into the keystore
    • trustcacerts signifies that we are importing a trusted CA certificate
    • alias must differ from the alias used when generating the keystore (otherwise the key entry would be overwritten)
    • file AddTrustExternalCARoot.crt is the file that contains the certificate of the Root Certifying Authority
  • Use the command below to import the intermediate certificate (if any) into the keystore file (mystore.jks)
 keytool -import -trustcacerts -alias <intermediatecacert_alias> -keystore <keystore_name>.jks -file <intermediateCA_file>.crt -storepass <keyStorePassword>
For example:
 keytool -import -trustcacerts -alias intermediatecacert -keystore mystore.jks -file USERTrustRSAAddTrustCA.crt -storepass welcome1
  • Finally, import the server certificate. The command below imports the server certificate:
 keytool -import -alias <myAlias> -keystore <keystore_name>.jks -file <servercert>.crt -keypass <keyPassword> -storepass <keyStorePassword>
For example:
 keytool -import -alias myweblogic -keystore mystore.jks -file techsupper_com.crt -keypass welcome1 -storepass welcome1
The alias myweblogic must match the alias used when the key was generated, so that the CA-signed certificate replaces the self-signed one in that key entry. techsupper_com.crt is the file that contains the server certificate issued by the CA.
The certificate chain has now been added to the keystore file (mystore.jks). To list the certificates stored in the keystore, use the command below:
 keytool -list -v -keystore mystore.jks -storepass welcome1
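After the three imports, it is worth confirming from the listing that the CA-signed certificate really replaced the self-signed one under the myweblogic key entry instead of landing as a separate trusted entry, and that the root and intermediate CA entries are present. The script below is an added example, not code from the blog: it parses a constructed sample of keytool -list -v output (the CA names are made up) and checks entry types and chain length against what the steps above should produce.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output for mystore.jks after the
# three imports above (dates and fingerprints trimmed, CA names made up).
SAMPLE_LISTING='Your keystore contains 3 entries

Alias name: myweblogic
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=techsupper.com, OU=AnkurBlog, O=Techsupper, L=Delhi, ST=Delhi, C=IN
Issuer: CN=Example Intermediate CA

Alias name: intermediatecacert
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA

Alias name: rootcacert
Entry type: trustedCertEntry

Owner: CN=Example Root CA'

# entry_type LISTING ALIAS: print the "Entry type" of ALIAS (empty if absent)
entry_type() {
  printf '%s\n' "$1" | awk -v a="$2" '
    /^Alias name: /             { cur = substr($0, 13) }
    /^Entry type: / && cur == a { print substr($0, 13); exit }'
}

# chain_length LISTING ALIAS: print "Certificate chain length" of ALIAS (0 if absent)
chain_length() {
  n=$(printf '%s\n' "$1" | awk -v a="$2" '
    /^Alias name: /                           { cur = substr($0, 13) }
    /^Certificate chain length: / && cur == a { print $4; exit }')
  printf '%s\n' "${n:-0}"
}

# check_keystore LISTING KEY_ALIAS ROOT_ALIAS INTERMEDIATE_ALIAS
# A chain length of 1 means the self-signed certificate from -genkey is still
# in place, i.e. the server certificate was imported under the wrong alias.
check_keystore() {
  [ "$(entry_type "$1" "$2")" = PrivateKeyEntry ] || { echo "$2: not a PrivateKeyEntry"; return 1; }
  [ "$(chain_length "$1" "$2")" -ge 2 ]            || { echo "$2: chain length < 2, server cert not imported"; return 1; }
  [ "$(entry_type "$1" "$3")" = trustedCertEntry ] || { echo "$3: root CA missing"; return 1; }
  [ "$(entry_type "$1" "$4")" = trustedCertEntry ] || { echo "$4: intermediate CA missing"; return 1; }
  echo "keystore OK"
}

check_keystore "$SAMPLE_LISTING" myweblogic rootcacert intermediatecacert
```

For a live keystore, pass the real listing instead of the sample: check_keystore "$(keytool -list -v -keystore mystore.jks -storepass welcome1)" myweblogic rootcacert intermediatecacert.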

Import API CS Certificate into Keystore

The API CS certificate must be imported into the keystore (mystore.jks) so that API CS and the gateway node can communicate over SSL. Even if API CS itself is not SSL enabled, its certificate must still be imported into the keystore. The same command that we used to import the intermediate / root certificates is used to import the API CS certificate. First download the certificate from the API CS management console and then import it into mystore.jks.

Note: Check the blog to see how to download certificate from browser
Configure SSL in WebLogic Server
In this blog, we have created the trust store and the identity store in the same file (mystore.jks).
  • Change KeyStore type in WebLogic Server
Log in to the Physical Gateway WebLogic Server console and navigate to Servers -> managedServer1 -> Configuration -> Keystores

Click the Change button and select Custom Identity and Custom Trust. Once selected, click the Save button.
  • Specify path of Identity KeyStore and Trust KeyStore
In our case the trust store (the store containing the root and intermediate CA certificates) and the identity store (the store containing the server certificate) are the same file, i.e. <keystore_name>.jks (mystore.jks in our case).
Again navigate to Servers -> managedServer1 -> Configuration -> Keystores tab
Enter the information below and click the Save button
Custom Identity Keystore: Path of Keystore. In our case this is /home/oracle/gateway/domain/gateway1/security/mystore.jks
Custom Identity Keystore Type: jks
Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Identity Keystore Passphrase: Password of Keystore. In our case this is welcome1
Custom Trust Keystore: Path of Keystore. In our case this is /home/oracle/gateway/domain/gateway1/security/mystore.jks
Custom Trust Keystore Type: jks
Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1
Confirm Custom Trust Keystore Passphrase: Password of Keystore. In our case this is welcome1

  • Specify Private Key Alias in WebLogic Server
Navigate to Servers -> managedServer1 -> Configuration -> SSL tab
Enter below information and click on Save button
Private Key Alias: Alias of the Private key. In our case this is myweblogic
Private Key Passphrase: Password of Private Key. In our case this is welcome1
Confirm Private Key Passphrase: Password of Private Key. In our case this is welcome1

  • Enable SSL in WebLogic Server
Finally, enable SSL in WebLogic Server. Navigate to Servers -> managedServer1 -> Configuration -> General

Check the SSL Listen Port Enabled checkbox
Update Hostname Verification property

Log in to the Physical Gateway WebLogic Server console and navigate to Servers -> managedServer1 -> Configuration -> SSL. Click on Advanced and change the Hostname Verification property to None. With this setting, WebLogic no longer checks that the host name of an outbound SSL connection matches the CN / Subject Alternative Name of the certificate presented by the peer, so any certificate chaining to a CA trusted in mystore.jks will be accepted for the API CS and backend connections made from this node.

Update the https URL of Gateway in API CS management console


Follow the steps below to change the https URL of the logical gateway
  • Log in to the API CS management portal
  • Navigate to the Gateways tab and click on the gateway that needs to be configured with the https URL
  • Select the Nodes tab and enter the domain name in the HTTPS text box
  • Click the Save button
Import backend Services certificate into Keystore (if backend service is https enabled)

This step is optional. It is required only if the backend service configured in API CS is https enabled. Open the https service in a browser and download its certificate from the browser (see how to download a certificate from the browser). Import the downloaded certificate into the mystore.jks file; the steps are the same as for importing the root / intermediate certificates in the previous step.


Test API

Once all steps are completed successfully, deploy the API with the https protocol. Please see the blog on how to configure and deploy an API in API CS.


Once API deployed successfully, it should be accessible over https protocol.
