Wednesday, December 14, 2011

WebLogic's configuration of the trust keystore and identity keystore for calling an HTTPS service


When a web browser accesses an HTTPS service, the service provider presents a certificate that proves it is the authorized provider of that site. In a production environment the certificate should be issued by a well-known certification authority such as VeriSign. The browser has built-in trust for certificates issued by such big players, so it verifies and accepts them without any extra configuration.

So during HTTPS access the service provider sends its certificate to the browser. If it is a mutual HTTPS access (two-way SSL), the browser's machine also sends its own certificate to the server.

First Scenario: A standalone Java program

Use the following statements to declare the certificates involved:

// Tells the JVM which certificates I trust (the trust store),
// usually JRE/lib/security/cacerts.
System.setProperty("javax.net.ssl.trustStore", trustStorePath);

// Tells the JVM which certificate to present when I connect to the HTTPS service.
// This keystore contains my identity information (certificate and private key).
System.setProperty("javax.net.ssl.keyStore", keyStorePath);

// Keystore password, used to extract my identity.
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);

Second Scenario: A program running inside the WebLogic server

First attention: the URL being accessed should use a DNS hostname, not an IP address.

Second attention: the hostname in the URL should be the same as the CN value of the keystore entry's certificate; otherwise hostname verification has to be ignored or customized in the server's SSL configuration console.

Besides the code above, the following configuration is needed.

In the server's keystore configuration console, configure the trust keystore and the identity keystore.

Sometimes both the trust keystore and the identity keystore are provided as files with the .keystore extension.

The trust keystore tells WebLogic which certificate issuers it trusts: a remote party presenting a certificate chained to one in this keystore is accepted.

The identity keystore, on the other hand, holds the certificate and private key that the WebLogic server (acting as a client here) presents so that other parties can trust it as the identity in that keystore.

In the SSL console, the alias of the identity keystore entry should be configured. Sometimes it also works to enable the 'use the server's certificate' checkbox and configure the mutual SSL options.
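As an added example (not code from the original post), the same two-way SSL setup as the system properties above, but built into an SSLContext that is applied to one connection only; this matters inside an application server, where the global javax.net.ssl properties would affect every application on the JVM. The file names, hostname and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Two-way SSL client using explicit trust and identity keystores instead of global properties. */
public class MutualSslClient {

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext(String trustStorePath, char[] trustStorePassword,
                                   String keyStorePath, char[] keyStorePassword) throws Exception {
        // Trust keystore: which issuers we accept for the server's certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustStorePath, trustStorePassword));
        // Identity keystore: the certificate and private key we present as a client.
        // The second password must open the private-key entry (usually the same as the store password).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keyStorePath, keyStorePassword), keyStorePassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords: replace with the ones for your environment.
        SSLContext ctx = buildContext("testtrust.keystore", "changeit".toCharArray(),
                                      "identity.keystore", "changeit".toCharArray());
        // Use a DNS name, not an IP address: the default hostname verifier compares it
        // against the CN / subject alternative name of the server certificate.
        URL url = new URL("https://testserver.example.com/service");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // only this connection uses our stores
        conn.connect();
        // Subject DN of the certificate the server presented; handy when debugging CN mismatches.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal().getName());
        conn.disconnect();
    }
}
```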

The keystore files provided by the service providers sometimes have to be merged with the existing ones, such as JRE/lib/security/cacerts. The commands are as below:

First, export the certificate stored in the keystore using keytool:

keytool -export -alias testserver -file testserver.crt -keystore testtrust.keystore

The password of testtrust.keystore is required.

Then import the exported certificate into the cacerts file:

keytool -import -alias testserver -file testserver.crt -keystore cacerts

The password of cacerts is required.

Attention: testtrust.keystore is generated by the service provider, probably with the keytool command as well.