Tuesday, 15 December 2015

How To: Enable TLS on Weblogic 12c

Transport Layer Security is one of the most important data security protocols in use today, and many organisations, including banks and e-commerce sites, use it to provide private and confidential communications.  Thankfully, enabling TLS (server authentication) on Weblogic is a relatively straightforward process, requiring only a security certificate and minimal server configuration.

Generating a Public-Private Key Pair (and X.509 Certificate)

Before we can enable TLS in Weblogic, we require a security certificate that includes our public key and domain information.  This certificate will be sent to a client by the server so it can verify that the server is legitimate.

One option is to acquire a certificate from an established Certificate Authority (CA) such as Thawte or Symantec (formerly Verisign).  While this is the recommended approach for production, public facing systems, it can be expensive for academic and internal applications.  Given that this is an academic blog, we can use another option which is to 'self-sign' our own certificate, free of charge.

To generate our own, self-signed certificate, we can use the keytool utility that comes with the Java Development Kit (JDK) and the following command:

keytool -genkeypair -keyalg RSA -alias mydomain -keystore identitystore.jks -storepass password -validity 365 -keysize 2048

Configuring a Keystore in Weblogic and Enabling TLS

The next step is to configure the keystore created above (which contains the certificate) in Weblogic.

In summary, the steps required are:

A. Add the keystore created above to the Weblogic configuration
B. Provide credentials to Weblogic for the keystore and private key
C. Enable the SSL listen port
D. Modify the server start-up parameters to enforce the TLSv1 protocol (SSLv3 is no longer recommended because of the POODLE attack in 2014)

In detail, the steps required are:

1. Log in to the Weblogic console at http://{host}:{port}/console
2. Navigate to the server 'Keystores' configuration screen and click the 'Change' button

3. Choose 'Custom Identity and Java Standard Trust' and click 'Save'

4. Provide the custom identity store location, keystore type, passphrase and click 'Save'

5. Navigate to the server 'SSL' configuration screen and provide the private key alias, passphrase and click 'Save'

6. Navigate to the server general configuration screen, enable the SSL listen port and click 'Save'

7. Navigate to the 'Server Start' configuration screen, add the following argument and click 'Save'.  This argument could also be provided in a server startup script such as setDomainEnv.sh.

8. Restart the server for the new protocol version to take effect.

This completes the TLS setup.

Verifying the Configuration

To confirm that the configuration has been applied correctly, open a web browser and navigate to the Weblogic console on the SSL listen port (7002 in the example above).  If your browser is configured appropriately and the Weblogic configuration is correct, then a warning should be displayed indicating that the server cannot be verified.  This is an expected result: the TLS handshake itself has succeeded, and the warning is raised only because the certificate is self-signed rather than issued by a CA the browser trusts, which confirms that the Weblogic configuration is correct.
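The browser warning shows that a TLS listener is up, but not that the certificate it presents is the one generated with keytool above. The following script is an added example (not part of the original post): it connects to the SSL listen port, reports the negotiated protocol, and compares the SHA-256 fingerprint of the presented certificate with the fingerprint that keytool prints for the keystore. The host, port and fingerprint are assumed inputs; the fingerprint is the "SHA256:" line from `keytool -list -v -keystore identitystore.jks -storepass password`.

```python
# Added example: verify that the WebLogic SSL listener presents the expected
# self-signed certificate by comparing SHA-256 fingerprints.
import hashlib
import socket
import ssl
import sys


def normalize_fingerprint(text: str) -> str:
    """Turn keytool's 'AB:CD:...' (or bare hex) into lowercase hex without separators."""
    return text.strip().replace(":", "").lower()


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """True when the certificate's fingerprint equals the keytool fingerprint."""
    return sha256_fingerprint(der_cert) == normalize_fingerprint(expected)


def fetch_server_certificate(host: str, port: int = 7002):
    """Connect over TLS and return (negotiated protocol, DER certificate).

    A self-signed certificate cannot be chain-validated, so chain verification
    is disabled here; the fingerprint comparison afterwards is what establishes
    that the listener really presents our keystore's certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert(binary_form=True)


def verify_server(host: str, port: int, expected_fingerprint: str) -> bool:
    """Report the negotiated protocol and whether the fingerprint matches."""
    protocol, der = fetch_server_certificate(host, port)
    ok = fingerprint_matches(der, expected_fingerprint)
    print(f"negotiated {protocol}; certificate fingerprint match: {ok}")
    return ok


if __name__ == "__main__":
    # Usage: python verify_tls.py <host> <port> <SHA256 fingerprint from keytool>
    sys.exit(0 if verify_server(sys.argv[1], int(sys.argv[2]), sys.argv[3]) else 1)
```

A mismatch means the listener is serving a different keystore (for example the demo identity store) and the keystore or alias settings in steps 4 and 5 should be rechecked.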
