Create a new Identity Keystore

By default, WebLogic Server is configured with two keystores:

  • DemoIdentity.jks - Contains a demonstration private key for WebLogic Server. This keystore contains the identity for WebLogic Server.

  • DemoTrust.jks - Contains the trusted certificate authorities from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores. This keystore establishes trust for WebLogic Server.

In WebLogic, DemoIdentity.jks is located in the DOMAIN_HOME\security directory and DemoTrust.jks is located in the WL_HOME\server\lib directory. For testing and development purposes, the keystore configuration is complete. However, do not use the demonstration keystores in a production environment. Because the digital certificates and trusted CA certificates in the demonstration keystores are signed by a WebLogic Server demonstration certificate authority, a WebLogic Server installation using the demonstration keystores will trust any WebLogic Server installation that also uses the demonstration keystores.

Use the Linux openssl command to bundle the server certificate, its private key and the CA chain into a temporary PKCS#12 keystore (server.p12):

openssl pkcs12 \
  -export -in server.crt \
  -inkey server.key \
  -out server.p12 \
  -name gensip \
  -CAfile ca.crt \
  -chain \
  -caname root

Use the Java keytool to import the temporary keystore into the final identity keystore (identity.pkcs12), keeping the gensip alias:

keytool \
  -importkeystore \
  -deststorepass changeit \
  -destkeypass changeit \
  -destkeystore identity.pkcs12 \
  -srckeystore server.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass changeit \
  -alias gensip
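Before handing server.p12 to keytool, it is worth confirming that the openssl export actually produced what WebLogic needs: a private key that belongs to the leaf certificate, a CA chain that really signs that leaf, and a subjectAltName for the external hostname (the name WebLogic's hostname verifier will compare against later). The script below is an added example and is not part of the original page or of Oracle's or Genesys's tooling. It builds a throwaway CA and server certificate so it runs offline, exports them with the same openssl pkcs12 -export -chain invocation as above, and then runs those checks against the resulting bundle. The CA name gensip-test-ca, the hostname sip.example.com, the password changeit and the working directory are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page: build a throwaway CA and server
# certificate, export them the way the page does (openssl pkcs12 -export -chain),
# then check server.p12 before handing it to keytool / WebLogic.
# Constructed values: CA name gensip-test-ca, hostname sip.example.com,
# password changeit, and a temporary working directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"          # constructed; the page uses the same value as -srcstorepass
SIP_HOST="sip.example.com"   # constructed external (load-balancer) hostname

# Generate a self-signed test CA and a server certificate signed by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=gensip-test-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$SIP_HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # The SAN is what a TLS client (and WebLogic's hostname verifier) matches on.
    printf 'subjectAltName=DNS:%s\n' "$SIP_HOST" > "$WORK/san.cnf"
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Same export as the page: key + leaf + CA chain under the alias "gensip".
export_p12() {
    openssl pkcs12 -export \
        -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -out "$WORK/server.p12" -name gensip \
        -CAfile "$WORK/ca.crt" -chain -caname root \
        -passout "pass:$P12_PASS"
}

# Helpers that pull PEM objects back out of the bundle (Bag Attributes stripped).
p12_leaf() { openssl pkcs12 -in "$WORK/server.p12" -clcerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null | openssl x509; }
p12_ca()   { openssl pkcs12 -in "$WORK/server.p12" -cacerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null | openssl x509; }
p12_key()  { openssl pkcs12 -in "$WORK/server.p12" -nocerts -nodes  -passin "pass:$P12_PASS" 2>/dev/null | openssl pkey; }

# Check 1: how many certificates did -chain bundle? (leaf + CA = 2 here)
p12_cert_count() {
    openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Check 2: the private key must belong to the leaf certificate.
p12_key_matches_cert() {
    key_pub=$(p12_key | openssl pkey -pubout | openssl sha256)
    cert_pub=$(p12_leaf | openssl x509 -noout -pubkey | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check 3: the bundled CA must actually sign the leaf (complete, correct chain).
p12_chain_verifies() {
    p12_ca > "$WORK/bundled-ca.pem"
    p12_leaf > "$WORK/bundled-leaf.pem"
    openssl verify -CAfile "$WORK/bundled-ca.pem" "$WORK/bundled-leaf.pem" >/dev/null 2>&1
}

# Check 4: the leaf names the expected external hostname in its SAN.
p12_leaf_has_san() {
    p12_leaf | openssl x509 -noout -text | grep -q "DNS:$1"
}

main() {
    make_test_pki
    export_p12
    echo "certificates bundled: $(p12_cert_count)"
    p12_key_matches_cert         && echo "private key matches leaf certificate"
    p12_chain_verifies           && echo "bundled CA signs the leaf"
    p12_leaf_has_san "$SIP_HOST" && echo "leaf has SAN DNS:$SIP_HOST"
}

main
```

To check a real bundle instead of the constructed one, skip make_test_pki and export_p12 and point WORK at the directory holding the server.p12 produced by the page's command; the four checks only read the PKCS#12 file. A bundle that fails check 3 (the CA in the file does not sign the leaf) is the usual reason a keytool import succeeds but TLS handshakes later fail with an incomplete chain.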


Securing OCCAS to Genesys Cloud

Genesys publishes the public root CA certificates that must be loaded into OCCAS.

Download them from here:

https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/

Download the certificates in the DER (CRT) format.

Import the certificates into the identity keystore.

keytool -import \
  -alias DigiCertHighAssuranceEVRootCA \
  -file DigiCertHighAssuranceEVRootCA.crt \
  -storetype pkcs12 \
  -keystore identity.pkcs12

keytool -import \
  -alias DigiCertGlobalRootG2 \
  -file DigiCertGlobalRootG2.crt \
  -storetype pkcs12 \
  -keystore identity.pkcs12

keytool -import \
  -alias DigiCertGlobalRootG3 \
  -file DigiCertGlobalRootG3.crt \
  -storetype pkcs12 \
  -keystore identity.pkcs12


Securing WebLogic

Adding the Keystore

On each server, navigate to Configuration >> Keystores.

Change the "Keystores" setting from "Demo Identity and Demo Trust" to "Custom Identity and Java Standard Trust".

Custom Identity Keystore: ./config/_certs/identity.jks

Custom Identity Keystore Type: jks

Custom Identity Keystore Passphrase: *****

Confirm Custom Identity Keystore Passphrase: *****

Java Standard Trust Keystore: /usr/lib/jvm/jdk-11.0.25-oracle-x64/lib/security/cacerts

Java Standard Trust Keystore Type: jks

Java Standard Trust Keystore Passphrase: changeit

Confirm Java Standard Trust Keystore Passphrase: changeit

Disable Hostname Verification

The certificate is likely issued for the hostname of the external load balancer, so it will not match the internal hostnames the servers use to reach each other. For inter-cluster communication, disable hostname verification.

This can be done within the Admin Console by navigating to:

Server >> SSL / Advanced

Turn off hostname verification:

Hostname Verification: None

Alternatively, disable hostname verification with a JVM system property on the server command line:

-Dweblogic.security.SSL.ignoreHostnameVerification=true


Securing Node Manager

Under development...


Securing Coherence

Under development...


Securing SIP

By default, the keystore configuration from the Securing WebLogic section above also applies to SIPS (port 5061).

Additional protocol settings are available on the Server >> Protocols tab in the Admin Console.


Congratulations, you are now ready to move on to: BLADE Installation.