{"id":3234,"date":"2018-06-27T10:46:35","date_gmt":"2018-06-27T15:46:35","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=3234"},"modified":"2018-06-27T10:52:40","modified_gmt":"2018-06-27T15:52:40","slug":"updating-weblogic-certificate-for-oud-management-utility","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=3234","title":{"rendered":"Updating Weblogic Certificate For OUD Management Utility"},"content":{"rendered":"

This is the process I use to update the WebLogic SSL certificate for our OUD management web interface.\u00a0<\/span><\/p>\n


\n<\/span># PRE-CHANGE VERIFICATION
\n<\/span># There are two environment variables set to allow this to work:
\n#\u00a0WLSTOREPASS=Wh@t3v3rY0uU53d # WLSTOREPASS is set to whatever is used for the keystore and truststore password<\/span>
\n<\/span># OUDINST=\/path\/to\/OUD\/installation (root into which both java and OUD were installed — if you are using an OS package
\n<\/span># for java, your paths will be different)
\n#Log into https:\/\/hostname.domain.gTLD:7002\/console<\/a> (or whatever your WL console URL is)
\n# As my WebLogic instance auths users via LDAP, I log in with my UID & pwd … you may have a generic account like ‘admin’
\n<\/span>#
\n<\/span>#Navigate to Domain Structure => Environment => Servers
\n<\/span>#Select “AdminServer”
\n<\/span>#
\n<\/span>#Keystores tab — will tell you the name of the keystore and trust store
\n<\/span>#SSL tab — will tell you the friendly name of the certificate
\n<\/span># Verify the keystore and truststore are $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks,
\n<\/span># Verify the friendly name of the certificate is the short hostname
\n<\/span>#
\n<\/span># Verify the keystore is using the normal keystore password
\n<\/span>#[ldap@dell115 ~]$ $OUDINST\/java\/jdk\/bin\/keytool -v -list -keystore $OUDINST\/Oracle\/Middleware\/dell115.jks –storepass $WLSTOREPASS| grep Alias
\n<\/span>#Alias name: dell115
\n<\/span>#Alias name: win-we
\n<\/span>#Alias name: win-root
\n<\/span>#Alias name: winca1-root
\n<\/span>#Alias name: winca1-issuing
\n<\/span># *** If you do not get any output, remove the ” | grep Alias” part and check for errors. “keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect” means the password is different.
\n<\/span># *** either try to guess the password (company name or ‘a’ are good guesses, along with the java-typical default of changeit)
\n<\/span># *** to continue using the existing password or you’ll need to update the keystore and truststore passwords in the web GUI.
\n<\/span># *** Since the keystores are generated using the process below … 99% of the time, the password matches.
\n<\/span>#
\n<\/span># Generate a cert with appropriate info, export public\/private key as a PFX file named with the short hostname of the server (i.e. dell115.pfx here) and, as the keystore password, use whatever you’ve set in\u00a0$WLSTOREPASS<\/span><\/span><\/p>\n

\u00a0<\/span># DURING THE CHANGE,\u00a0as the ldap service account on the server:<\/span><\/p>\n

mkdir \/tmp\/ssl<\/span><\/p>\n

# Put base 64 public keys for our root and web CA in \/tmp\/ssl as Win-Root-CA.b64.cer and Win-Web-CA.b64.cer
\n<\/span># Put public\/private key export from above\u00a0in \/tmp\/ssl<\/span>\u00a0<\/span><\/p>\n

# Import the keychain for your certificate
\n$OUDINST\/java\/jdk\/bin\/keytool -import -v -trustcacerts -alias WIN-ROOT -file \/tmp\/ssl\/Win-Root-CA.b64.cer -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -keypass $WLSTOREPASS<\/span> -storepass $WLSTOREPASS<\/span><\/span><\/p>\n

$OUDINST\/java\/jdk\/bin\/keytool -import -v -trustcacerts -alias WIN-WEB -file \/tmp\/ssl\/Win-Web-CA.b64.cer -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -keypass $WLSTOREPASS<\/span> -storepass $WLSTOREPASS<\/span><\/span>\u00a0<\/span><\/p>\n

# get GUID for cert within PFX file
\n<\/span>HOSTCERTALIAS=”$($OUDINST\/java\/jdk\/bin\/keytool -v -list -storetype pkcs12 -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.pfx –storepass $WLSTOREPASS\u00a0<\/span>| grep Alias | cut -d: -f2-)”<\/span>\u00a0<\/span><\/p>\n

# Import the private key
\n$OUDINST\/java\/jdk\/bin\/keytool -importkeystore -srckeystore \/tmp\/ssl\/${HOSTNAME%%.*}.pfx -destkeystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -srcstoretype pkcs12 -deststoretype JKS -alias $HOSTCERTALIAS -storepass $WLSTOREPASS\u00a0<\/span>-srcstorepass Ra1n1ng1<\/span><\/p>\n

# Change the alias to match what is configured in the web GUI
\n$OUDINST\/java\/jdk\/bin\/keytool -changealias -alias $HOSTCERTALIAS -destalias ${HOSTNAME%%.*} -keypass $WLSTOREPASS<\/span>-keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -storepass $WLSTOREPASS<\/span><\/span>\u00a0<\/span><\/p>\n

# Verify you have a WIN-ROOT, WIN-WEB, and hostname record<\/span><\/p>\n

$OUDINST\/java\/jdk\/bin\/keytool -v -list -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks –storepass $WLSTOREPASS<\/span> | grep Alias<\/span><\/p>\n

# Stop the weblogic server<\/span><\/p>\n

# Back up current keystore file and move new one into place
\nCURRENTDATE=”$(date +%Y%m%d)”
\n<\/span>mv $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks $OUDINST\/Oracle\/Middleware\/$CURRENTDATE.jks
\n<\/span>cp \/tmp\/ssl\/${HOSTNAME%%.*}.jks $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks<\/span><\/p>\n

# Start the weblogic server in the screen session, then disconnect from the screen session <\/span><\/p>\n

# Assuming success
\n<\/span>rm -rf \/tmp\/ssl<\/span><\/p>\n

# Backout is
\n<\/span># stop weblogic
\n<\/span>mv $OUDINST\/Oracle\/Middleware\/$CURRENTDATE.jks\u00a0\u00a0$OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks
\n<\/span># start weblogic<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

This is the process I use to update the WebLogic SSL certificate for our OUD management web interface.\u00a0 # PRE-CHANGE VERIFICATION # There are two environment variables set to allow this to work: #\u00a0WLSTOREPASS=Wh@t3v3rY0uU53d # WLSTOREPASS is set to whatever is used for the keystore and truststore password # OUDINST=\/path\/to\/OUD\/installation (root into which both java …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[591,236,523],"class_list":["post-3234","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-oud","tag-ssl","tag-weblogic"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3234"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3234\/revisions"}],"predecessor-version":[{"id":3238,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3234\/revisions\/3238"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}