WebLogic Server 6.1: How to configure SSL for PeopleSoft Application


1) Start WebLogic Server
2) Access Web Logic’s Server Certificate Request Generator page.
3) Fill out the certificate request form.
4) View the certificate request.
5) Move the certificates.
6) Decide which Certificate Authority you wish to use, and then follow the appropriate section below.
7) Submit your certificate request to a Certificate Authority to obtain your certificate (a.k.a. public key).
8) Install the CA's certificate: Obtain the root certificate of the CA which processed your request.
9) Logon to the WebLogic Server Administrative Console.
10) Navigate to the SSL page.
11) Update the SSL fields.
12) OPTIONAL -- Steps to require client based certificate authentication.
13) OPTIONAL -- Encrypted private key.
14) Submit your certificate request to Verisign. (Don't use the Verisign button)
15) Complete the Verisign CSR.
16) Supply Verisign with Contact information.
17) Check your email.
18) Install the VeriSign TestCA certificate:
19) Logon to the WebLogic Server Administrative Console.
20) Navigate to the SSL page.
21) Update the SSL fields.
22) OPTIONAL -- Steps to require client based certificate authentication.
23) OPTIONAL -- Encrypted private key.

Overview: Procedures of how to install digital certificates on WebLogic 6.1 for PeopleSoft application.

Description: All references to <webserver> refer to the machine and port that WebLogic Server 6.1 is installed to and running on.

1) Start WebLogic Server. Start the PIA server either via startPIA.cmd(.sh) or, if installed as an NT service, "NET START peoplesoft-PIA". For more info see the section titled "How to start and stop WebLogic Server?".

2) Access Web Logic’s Server Certificate Request Generator page. Point your browser to http://<webserver>/Certificate (e.g. http://localhost/certificate) to access the Server Certificate Request Generator servlet. When prompted for a User Name and password, specify the WebLogic system ID and password. If you've followed the default WebLogic Server install, the ID and password are 'system' and 'password'. Otherwise specify the password supplied during your WebLogic Server installation.

3) Fill out the certificate request form. Fill in the certificate request form, substituting your info where applicable, and then click 'Generate Request'. The fields marked with "" are required.

Three fields that require special note are "Full host name", "Private Key Password" and "Random string".

Field | Description
--- | ---
Full host name | The host name entered here must match the host name that clients will speci URLs. If clients will specify a fully qualified domain name, then you'll need to fully qualified domain name. (i.e. crm.peoplesoft.com)
Private Key Password | If you specify a Private Key Password you will need to enable the Key Encrypt the SSL tab of the Server window in the Administration console.
Random string | An optional string used to add an external factor to the encryption algorithm. production web servers the use of a random string is highly recomme on the following http://developer.bea.com/code/security_011109.jsp

4) View the certificate request. As a result, the Certificate servlet will display your certificate signing request (CSR) and create three files in your WebLogic Server directory. (i.e on NT c:\bea\wlserver6.1 or on UNIX /apps/bea/wlserver6.1)

The following files will be generated:

File name | Description
--- | ---
<webserver>-key.der | Private key (binary format)
<webserver>-request.dem | Certificate signing request (binary format)
<webserver>-request.pem | Certificate signing request (ASCII version of <webserver>-request.der)

5) Move the certificates. Move all three generated files from c:\bea\wlserver6.1\ to c:\bea\wlserver6.1\config\peoplesoft\. For UNIX, move your three certificate files <webserver>* from your /apps/bea/wlserver6.1/ directory to /apps/bea/wlserver6.1/config/peoplesoft/. (*.PEM must be FTP'ed in ASCII mode)

6) Decide which Certificate Authority you wish to use, and then follow the appropriate section below.

7) Submit your certificate request to a Certificate Authority to obtain your certificate (a.k.a. public key).

Internal to PeopleSoft, you can use the Microsoft CA at http://ptntas12/certsrv/certrqxt.asp. To do so cut and paste a copy of your certificate request, including the "- - - - BEGIN NEW . . . " and "- - - - - END NEW . . . " into the field provided and click 'Submit'. Once the certificate request has been successfully processed, select 'DER encoded' and click the 'Download certificate' link. Save your certificate to c:\bea\wlserver6.1\config\peoplesoft\<machine_name>-cert.cer. For UNIX, ftp your certificate in binary to your /apps/bea/wlserver6.1/config/peoplesoft/ directory.

8) Install the CA's certificate: Obtain the root certificate of the CA which processed your request.

If you used the above listed Microsoft CA, you can download its certificate from http://ptntas12/certsrv/certcarc.asp. Select the 'DER' encoding method, click the 'Download CA certificate' link and save it to disk as c:\bea\wlserver6.1\config\peoplesoft\PTNTAS12.cer. For UNIX, ftp the CA certificate in binary to your /apps/bea/wlserver6.1/config/peoplesoft/ directory.

9) Logon to the WebLogic Server Administrative Console. Access the WebLogic Server console at http://<webserver>/console (e.g. http://localhost/console) When prompted for a User Name and password, specify the WebLogic system ID and password. If you've followed the default WebLogic Server install, the ID and password are 'system' and 'password'. Otherwise specify the password supplied during your WebLogic Server installation.

10) Navigate to the SSL page. In the graphical domain hierarchy on the left navigate the following;

Expand 'peoplesoft', Expand 'Servers' Select 'PIA' Click on the SSL tab.

11) Update the SSL fields. Update the following four fields based on the information below. Once complete, click the 'Apply' button at the bottom of the page.

Field | Description | Recommended value
--- | --- | ---
Enabled | Checkbox that enables the use of the SSL. | Check it
SSL Listen Port | The port WebLogic Server listens for SSL connections. (Note: on UNIX a value below 1024 requires root authority) | 443
Server Key File Name | Private key (binary format) | config/peoplesoft/<webs
Server Certificate File Name | Your Public Key (issued from your Root CA) | config/peoplesoft/<webs
Server Certificate Chain File Name | Root CA's public key | config/peoplesoft/PTNTA

Stop and start the webserver. Navigate to the PWONG031000 certificate, double-click on it and select install to get rid of the security warning.

12) OPTIONAL -- Steps to require client based certificate authentication. Have the clients go to http://ptntas12/certsrv/certrqbi.asp?type=0 and request a client certificate. Click download to install the certificate in your browser. On the same console page that you edited in step 11 for your SSL setup, if you didn't use PTNTAS12, substitute the certificate from your CA.

Field | Description | Recommended value
--- | --- | ---
Client Certificate Enforced | Checkbox that enables mutual authentication. | Check it
Trusted CA File Name | The name of the file that contains the digital certificate for the certificate authority(s) trusted by WebLogic Server. The file specified in this field can contain a single digital certificate or multiple digital certificates for certificate authorities. The file extension (.DER or .PEM) tells WebLogic Server how to read the contents of the file. | config/peoplesoft/PTNTA

13) OPTIONAL -- Encrypted private key. If during the generation of your Certificate Request (step #4), you specified a Private Key Password, you need to check the 'Key Encrypted' checkbox on the same SSL tab you edited in step 10. In addition, you must manually edit your startPIA.cmd(.sh) and add the java system property -Dweblogic.management.pkpassword=YourPrivateKeyPassword to the line that launches java, after the last "-D" declared parameter, but before 'weblogic.Server'.

------------------------------------------------------------------------------------------------------------------------------------------------------

14) Submit your certificate request to Verisign. (Don't use the Verisign button) The Verisign button provided by BEA on the "BEA WebLogic Server Certificate Request Generator" does not work. To install a Verisign test certificate, access VeriSign's test cert enrollment site at https://www.verisign.com/products/srv/trial/intro.html.

15) Complete the Verisign CSR. Agree to the license and continue to "Step 2 of 5: Submit CSR". In the large edit box provided, copy and paste the contents from your <webserver>-request.pem and click Continue.


16) Supply Verisign with Contact information. Fill out the table titled "Enter Technical Contact Information" with your information and verify that the radio button for the "Free 14-day Trial Server ID" is selected. Once this is done, agree to the license information and click 'Accept'. Your certificate will be emailed to the email address you specified. By selecting the free trial ID, you do not need to fill out the "Cardholder Information" table.

17) Check your email. Once you receive your certificate email from VeriSign, you will see your actual certificate in the following format.

This is an example certificate file: the certificate body is a block of base64 text enclosed between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.

Copy the certificate information, including --BEGIN CERTIFICATE-- and --END CERTIFICATE-- and save it as a file called c:\bea\wlserver6.1\config\peoplesoft\<webserver>-cert.pem. (Do not use a word processor such as MSWord that inserts formatting or control characters.) If you need to FTP your certificate to UNIX, you must FTP it in ASCII mode.

18) Install the VeriSign TestCA certificate: Download the VeriSign test CA certificate from http://digitalid.verisign.com/cgi-bin/getcacert. When prompted, save it to disk as c:\bea\wlserver6.1\config\peoplesoft\verisigntestca.cer. For UNIX, ftp the CA certificate in binary to your /apps/bea/wlserver6.1/config/peoplesoft/ directory.
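Steps 5, 7, 8, 17 and 18 depend on each file keeping its encoding: PEM files are moved in ASCII mode, DER files in binary, and the Trusted CA File Name note says the file extension tells WebLogic Server how to read the file. The following check is an added example, not part of the original procedure or of WebLogic; it assumes that .pem means PEM and every other extension used here (.der, .dem, .cer) means DER, and its sample data is constructed rather than a real certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(data):
    """Bytes declared by the outer DER SEQUENCE (header + content), or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_cert_file(name, data):
    """Return (status, detail); status is 'ok', 'mismatch' or 'corrupt'."""
    ext = name.rsplit(".", 1)[-1].lower()
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:                 # stray control characters, lost lines
            return ("corrupt", "PEM body is not valid base64")
        if der_total_length(body) != len(body):
            return ("corrupt", "PEM body decodes to an incomplete DER structure")
        if ext != "pem":
            return ("mismatch", "PEM content but extension ." + ext)
        return ("ok", "PEM " + m.group(1).decode().lower())
    declared = der_total_length(data)
    if declared is None:
        return ("corrupt", "neither PEM armour nor a DER SEQUENCE")
    if declared != len(data):
        return ("corrupt", "DER header declares %d bytes, file has %d "
                "(typical of an ASCII-mode FTP transfer)" % (declared, len(data)))
    if ext == "pem":
        return ("mismatch", "DER content but extension .pem")
    return ("ok", "DER")


def ftp_ascii_mode(data):
    """Line-ending translation an ASCII-mode transfer applies (UNIX to NT)."""
    return data.replace(b"\n", b"\r\n")


# Constructed sample: a framed DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, data in [("PTNTAS12.cer", SAMPLE_DER),
                       ("PTNTAS12.cer", ftp_ascii_mode(SAMPLE_DER)),
                       ("host-cert.pem", ftp_ascii_mode(SAMPLE_PEM)),
                       ("host-cert.cer", SAMPLE_PEM)]:
        print(name, check_cert_file(name, data))
```

Run it against the files in config/peoplesoft/ before pointing the SSL tab at them; a 'corrupt' DER result after a transfer means the file has to be fetched again in binary mode.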


19) Logon to the WebLogic Server Administrative Console. Access the WebLogic Server console at http://<webserver>/console (e.g. http://localhost/console) When prompted for a User Name and password, specify the WebLogic system ID and password. If you've followed the default WebLogic Server install, the ID and password are 'system' and 'password'. Otherwise specify the password supplied during your WebLogic Server installation.

20) Navigate to the SSL page. In the graphical domain hierarchy on the left navigate the following;

Expand 'peoplesoft', Expand 'Servers' Select 'PIA' Click on the SSL tab.

21) Update the SSL fields. Update the following four fields based on the information below. Once complete, click the 'Apply' button at the bottom of the page.

Field | Description | Recommended value
--- | --- | ---
Enabled | Checkbox that enables the use of the SSL. | Check it
SSL Listen Port | The port WebLogic Server listens for SSL connections. (Note: on UNIX a value below 1024 requires root authority) | 443
Server Key File Name | Private key (binary format) | config/peoplesoft/<webs
Server Certificate File Name | Your Public Key (issued from your Root CA) | config/peoplesoft/<webs
Server Certificate Chain File Name | Root CA's public key | config/peoplesoft/verisig

22) OPTIONAL -- Steps to require client based certificate authentication.

Have the clients generate a client certificate request. On the same SSL page that you edited in step 14, on your WebLogic server, add the following lines to your weblogic.properties. If you didn't use http://pwong..., substitute the certificate from your CA.

Field | Description | Recommended value
--- | --- | ---
Client Certificate Enforced | Checkbox that enables mutual authentication. | Check it
Trusted CA File Name | The name of the file that contains the digital certificate for the certificate authority(s) trusted by WebLogic Server. The file specified in this field can contain a single digital certificate or multiple digital certificates for certificate authorities. The file extension (.DER or .PEM) tells WebLogic Server how to read the contents of the file. | config/peoplesoft/verisig

23) OPTIONAL -- Encrypted private key. If during the generation of your Certificate Request (step #4), you specified a Private Key Password, you need to check the 'Key Encrypted' checkbox on the same SSL tab you edited in step 14. In addition, you must manually edit your startPIA.cmd(.sh) and add the java system property -Dweblogic.management.pkpassword=YourPrivateKeyPassword to the line that launches java, after the last "-D" declared parameter, but before 'weblogic.Server'.
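Steps 13 and 23 place the private key password in clear text on the java launch line, and its position matters: anything after 'weblogic.Server' reaches the program as an argument instead of becoming a system property. The audit below is an added example, not code from the original document or from BEA; the launch lines are constructed samples rather than the shipped startPIA script, and the file-mode check assumes a UNIX host.

```python
import shlex
import stat

PROP = "-Dweblogic.management.pkpassword="


def pkpassword_placement(java_line):
    """Return 'absent', 'system-property' or 'program-argument'."""
    args = shlex.split(java_line)
    hits = [i for i, a in enumerate(args) if a.startswith(PROP)]
    if not hits:
        return "absent"
    main = args.index("weblogic.Server") if "weblogic.Server" in args else len(args)
    return "system-property" if all(i < main for i in hits) else "program-argument"


def audit(java_line, key_encrypted, file_mode):
    """key_encrypted mirrors the 'Key Encrypted' checkbox on the SSL tab;
    file_mode is the start script's permission bits (e.g. os.stat(p).st_mode)."""
    findings = []
    placement = pkpassword_placement(java_line)
    if placement == "program-argument":
        findings.append("pkpassword follows weblogic.Server and is not a system property")
    elif key_encrypted and placement == "absent":
        findings.append("Key Encrypted is checked but pkpassword is not set")
    elif not key_encrypted and placement == "system-property":
        findings.append("pkpassword is set but Key Encrypted is not checked")
    # The script now holds the key password in clear text: limit who can read it.
    if placement != "absent" and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("script with clear-text key password is readable by group/other")
    return findings


# Constructed launch lines for illustration (password value is a placeholder).
BASE = "java -ms64m -mx64m -classpath $CLASSPATH -Dweblogic.Domain=peoplesoft -Dweblogic.Name=PIA"
GOOD_LINE = BASE + " " + PROP + "YourPrivateKeyPassword weblogic.Server"
BAD_LINE = BASE + " weblogic.Server " + PROP + "YourPrivateKeyPassword"
NO_PW_LINE = BASE + " weblogic.Server"

if __name__ == "__main__":
    for line, mode in [(GOOD_LINE, 0o700), (BAD_LINE, 0o700), (GOOD_LINE, 0o755)]:
        print(pkpassword_placement(line), audit(line, True, mode))
```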
