Configure Keystores: Weblogic 10

May 25, 2018 in Application Server

Before you begin

  • Obtain private keys and digital certificates from a reputable certificate authority such as Sectigo.
  • Create identity and trust keystores.
  • Load the private keys and trusted CAs into the keystores.

By default, WebLogic Server is configured with two keystores, to be used for development only.

  • DemoIdentity.jks: Contains a demonstration private key for WebLogic Server. This keystore establishes an identity for WebLogic Server.
  • DemoTrust.jks: Contains a list of certificate authorities trusted by WebLogic Server. This keystore establishes trust for WebLogic Server.

These keystores are located in the WL_HOME\server\lib directory and the JAVA_HOME\jre\lib\security directory. For testing and development purposes, the keystore configuration is complete. Use the steps in this section to configure identity and trust keystores for production use.
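The "Before you begin" steps (create the identity and trust keystores, then load the private key and the trusted CA into them) as an added example using the JDK keytool; this is not from the original page. The CA is a constructed stand-in for a real authority such as Sectigo, and the directory, aliases and passphrases are assumptions, not WebLogic defaults.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a JKS identity keystore
# (server private key + CA-signed certificate) and a JKS trust keystore (CA
# certificate only) with the JDK keytool. The CA here is CONSTRUCTED for the
# demo; in production the CSR goes to a real CA and its chain replaces ca.pem.
# Directory, aliases and passphrases are assumptions, not WebLogic defaults.
set -e

build_keystores() {
  dir="$1"; idpass="$2"; trustpass="$3"
  mkdir -p "$dir"
  # Constructed stand-in CA (skip this step with a real CA).
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=Constructed Test CA" -ext bc:c -validity 30 -keystore "$dir/ca.jks" \
    -storetype JKS -storepass "$trustpass" -keypass "$trustpass" >/dev/null 2>&1
  keytool -exportcert -rfc -alias demo-ca -keystore "$dir/ca.jks" \
    -storepass "$trustpass" -file "$dir/ca.pem" >/dev/null 2>&1
  # Identity keystore: generate the server key pair and a CSR for the CA.
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=wls.example.test" -validity 30 -keystore "$dir/identity.jks" \
    -storetype JKS -storepass "$idpass" -keypass "$idpass" >/dev/null 2>&1
  keytool -certreq -alias server -keystore "$dir/identity.jks" \
    -storepass "$idpass" -file "$dir/server.csr" >/dev/null 2>&1
  # The CA signs the CSR (done by the real CA in production).
  keytool -gencert -alias demo-ca -keystore "$dir/ca.jks" -storepass "$trustpass" \
    -infile "$dir/server.csr" -outfile "$dir/server.pem" -rfc -validity 30 \
    -ext "san=dns:wls.example.test" >/dev/null 2>&1
  # Import the CA chain first, then the signed reply, into the identity keystore.
  keytool -importcert -noprompt -alias demo-ca -file "$dir/ca.pem" \
    -keystore "$dir/identity.jks" -storepass "$idpass" >/dev/null 2>&1
  keytool -importcert -noprompt -alias server -file "$dir/server.pem" \
    -keystore "$dir/identity.jks" -storepass "$idpass" >/dev/null 2>&1
  # Trust keystore: trusted CA certificate only, never a private key.
  keytool -importcert -noprompt -alias demo-ca -file "$dir/ca.pem" -keystore "$dir/trust.jks" \
    -storetype JKS -storepass "$trustpass" >/dev/null 2>&1
}

# Returns 0 when the identity keystore holds a private key entry and the trust
# keystore holds trusted certificate entries and no private key.
check_keystores() {
  dir="$1"; idpass="$2"; trustpass="$3"
  keytool -list -keystore "$dir/identity.jks" -storepass "$idpass" 2>/dev/null \
    | grep -q PrivateKeyEntry || return 1
  trust_list=$(keytool -list -keystore "$dir/trust.jks" -storepass "$trustpass" 2>/dev/null)
  case "$trust_list" in *PrivateKeyEntry*) return 1 ;; esac
  case "$trust_list" in *trustedCertEntry*) return 0 ;; *) return 1 ;; esac
}
```

The resulting identity.jks and trust.jks paths and passphrases are what you enter in the Identity and Trust sections of the Console steps below.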

To configure the identity and trust keystores:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to configure the identity and trust keystores.
  4. Select Configuration > Keystores.
  5. In the Keystores field, select the method for storing and managing private keys/digital certificate pairs and trusted CA certificates. These options are available:
    1. Demo Identity and Demo Trust: The demonstration identity and trust keystores, located in the BEA_HOME\server\lib directory and the JDK cacerts keystore, are configured by default. Use for development only.
    2. Custom Identity and Java Standard Trust: A keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.
    3. Custom Identity and Custom Trust: Identity and trust keystores you create.
    4. Custom Identity and Command Line Trust: An identity keystore you create and command-line arguments that specify the location of the trust keystore.
  6. In the Identity section, define attributes for the identity keystore.
    1. Custom Identity Keystore: The fully qualified path to the identity keystore.
    2. Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS.
    3. Custom Identity Keystore Passphrase: The password you will enter when reading from or writing to the keystore. Whether this attribute is optional or required depends on the type of keystore: all keystores require the passphrase to write, but some do not require it to read. WebLogic Server only reads from the keystore, so whether you must define this property depends on the requirements of the keystore.

      Note: The passphrase for the Demo Identity keystore is DemoIdentityKeyStorePassPhrase.

  7. In the Trust section, define properties for the trust keystore.

    If you chose Java Standard Trust as your keystore, specify the password defined when creating the keystore. Confirm the password.

    If you chose Custom Trust, define the following attributes:

    1. Custom Trust Keystore: The fully qualified path to the trust keystore.
    2. Custom Trust Keystore Type: The type of the keystore. Generally, this attribute is JKS; if left blank, it defaults to JKS.
    3. Custom Trust Keystore Passphrase: The password you will enter when reading from or writing to the keystore. Whether this attribute is optional or required depends on the type of keystore: all keystores require the passphrase to write, but some do not require it to read. WebLogic Server only reads from the keystore, so whether you must define this property depends on the requirements of the keystore.
  8. Click Save.
  9. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately; some require a restart.


After you finish
All the server SSL attributes are dynamic: when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Existing connections continue to run with the old configuration. To ensure that all SSL connections use the specified configuration, you must reboot WebLogic Server.

Use the Restart SSL button on the Control: Start/Stop page to restart the SSL server when changes are made to the keystore files and need to be applied for subsequent connections without rebooting WebLogic Server. See Restart SSL: Weblogic.