Create a new Identity Keystore

By default, WebLogic Server is configured with two keystores:

  • DemoIdentity.jks - Contains a demonstration private key for WebLogic Server. This keystore contains the identity for WebLogic Server.

  • DemoTrust.jks - Contains the trusted certificate authorities from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores. This keystore establishes trust for WebLogic Server.

In WebLogic, DemoIdentity.jks is located in the WL_DOMAIN/security directory and DemoTrust.jks is located in the WL_HOME/server/lib directory. For testing and development purposes, the keystore configuration is complete. However, do not use the demonstration keystores in a production environment. Because the digital certificates and trusted CA certificates in the demonstration keystores are signed by a WebLogic Server demonstration certificate authority, a WebLogic Server installation using the demonstration keystores will trust any WebLogic Server installation that also uses the demonstration keystores.

This example uses GoDaddy for the certificate signing authority...

Let's create a 'certs' folder in $WL_DOMAIN/config

cd $WL_DOMAIN/config
mkdir certs

Use the Linux openssl command to bundle the server key, its certificate and the CA chain into a temporary PKCS12 keystore:

# server.crt/server.key: the CA-issued server certificate and its private key
# ca.crt: the issuing CA chain; -chain includes it in the bundle
openssl pkcs12 \
  -export -in server.crt \
  -inkey server.key \
  -out server.p12 \
  -name gensip \
  -CAfile ca.crt \
  -chain \
  -caname root

Use 'changeit' as the export password, or choose your own; the same password is used in the keytool steps below.

Use the Java keytool to create the final keystore:

keytool \
  -importkeystore \
  -deststorepass changeit \
  -destkeypass changeit \
  -destkeystore identity.pkcs12 \
  -srckeystore server.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass changeit \
  -alias gensip


Securing OCCAS to Genesys Cloud

Genesys provides public CA certificates to be loaded into OCCAS.

Download them from here:

https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/

Download the certificates in the DER (CRT) format.

Import each certificate into the identity keystore (keytool prompts for the keystore password and asks you to confirm that the certificate is trusted):

keytool -import \
-alias DigiCertHighAssuranceEVRootCA \
-file DigiCertHighAssuranceEVRootCA.crt \
-storetype pkcs12 \
-keystore identity.pkcs12

keytool -import \
-alias DigiCertGlobalRootG2 \
-file DigiCertGlobalRootG2.crt \
-storetype pkcs12 \
-keystore identity.pkcs12

keytool -import \
-alias DigiCertGlobalRootG3 \
-file DigiCertGlobalRootG3.crt \
-storetype pkcs12 \
-keystore identity.pkcs12


Securing WebLogic

Enable SSL

If you haven't already done so, enable SSL on each server under "Configuration / General".

Adding the Keystore

On each server, navigate to Configuration >> Keystores.

Change the "Keystores" setting from "Demo Identity and Demo Trust" to "Custom Identity and Java Standard Trust", then fill in:

Custom Identity Keystore: ./config/certs/identity.pkcs12

Custom Identity Keystore Type: pkcs12

Custom Identity Keystore Passphrase: changeit

Confirm Custom Identity Keystore Passphrase: changeit

Java Standard Trust Keystore: /usr/lib/jvm/jdk-11.0.25-oracle-x64/lib/security/cacerts

Java Standard Trust Keystore Type: jks

Java Standard Trust Keystore Passphrase: changeit

Confirm Java Standard Trust Keystore Passphrase: changeit

SSL

Under the Configuration / SSL tab, provide:

Private Key Alias: gensip

Private Key Passphrase: changeit

Confirm Private Key Passphrase: changeit

Advanced Hostname Verification: None

Note that None disables WebLogic's check that a peer certificate's subject matches the host name it was presented from; the default setting, BEA Hostname Verifier, keeps that check.
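To confirm that the keystore built above holds the server identity plus the three DigiCert roots, and that the SSL listener configured here presents a chain that validates, the following helper can be run on the WebLogic host. It is an added example, not part of the original runbook or of WebLogic; it assumes the paths, aliases and 'changeit' password used above, and probes whichever host/port you pass to it (7002 for the SSL admin port, 5061 for SIPS).

```shell
#!/bin/sh
# Added verification helper; not part of the original runbook or of WebLogic.
# Assumes the keystore built above ($WL_DOMAIN/config/certs/identity.pkcs12,
# password 'changeit', key alias 'gensip', three DigiCert root aliases) and
# an SSL listener to probe (7002 for the admin port, 5061 for SIPS).

KEYSTORE="${KEYSTORE:-${WL_DOMAIN:-.}/config/certs/identity.pkcs12}"
STOREPASS="${STOREPASS:-changeit}"

# check_listing KEY_ALIAS CA_ALIAS...
# Reads 'keytool -list' output on stdin and returns 0 only if KEY_ALIAS is a
# PrivateKeyEntry (the server identity) and every CA_ALIAS is a trustedCertEntry.
# keytool stores PKCS12 aliases lowercased, so everything is compared lowercased.
check_listing() {
    key_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
    listing=$(tr '[:upper:]' '[:lower:]')
    rc=0
    if ! printf '%s\n' "$listing" | grep -q "^$key_lc,.*privatekeyentry"; then
        echo "MISSING: private key entry '$key_lc'" >&2; rc=1
    fi
    for ca in "$@"; do
        ca_lc=$(printf '%s' "$ca" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$listing" | grep -q "^$ca_lc,.*trustedcertentry"; then
            echo "MISSING: trusted cert entry '$ca_lc'" >&2; rc=1
        fi
    done
    return $rc
}

# verify_keystore: list the real keystore and apply check_listing to it.
verify_keystore() {
    keytool -list -storetype pkcs12 -keystore "$KEYSTORE" -storepass "$STOREPASS" |
        check_listing gensip DigiCertHighAssuranceEVRootCA \
                      DigiCertGlobalRootG2 DigiCertGlobalRootG3
}

# verify_listener HOST PORT: open a TLS connection and fail unless the chain
# the listener presents validates against openssl's default CA store.
verify_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}
```

Run `verify_keystore && verify_listener myhost 7002` after the server has been restarted with the new keystore; a non-zero exit names the missing entry or indicates a chain that does not validate.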


Securing Node Manager

Under development...


Securing Coherence

Under development...


Securing SIP

By default, the Securing WebLogic section above will also configure SIPS (port 5061).

Additional SIP transport settings are available under the Server >> Protocols tab in the admin console.


Congratulations, you are now ready to move on to: BLADE Installation.