To ensure a successful SSL handshake among the Administration Server, Managed Servers, and Node Manager, you should configure Node Manager to use the custom keystores and the SSL certificate.

1. Connect to the Administration Server node with a secure shell (SSH) client, and then switch to the oracle user.

   sudo su - oracle

2. Edit the nodemanager.properties file located in the Domain Home directory.

   vi $DOMAIN_HOME/nodemanager/nodemanager.properties

3. Add the following lines to the end of the file.

   KeyStores=CustomIdentityAndCustomTrust
   CustomIdentityKeystoreType=jks
   CustomIdentityKeyStoreFileName=path_to_identity_keystore
   CustomIdentityKeyStorePassPhrase=keystore_password
   CustomIdentityPrivateKeyPassPhrase=server_cert_password
   CustomIdentityAlias=server_cert
   CustomTrustKeyStoreType=jks
   CustomTrustKeyStoreFileName=path_to_trust_keystore
   CustomTrustKeyStorePassPhrase=keystore_password

   For example:

   KeyStores=CustomIdentityAndCustomTrust
   CustomIdentityKeystoreType=jks
   CustomIdentityKeyStoreFileName=/u01/data/keystores/identity.jks
   CustomIdentityKeyStorePassPhrase=keystore_password
   CustomIdentityPrivateKeyPassPhrase=server_cert_password
   CustomIdentityAlias=server_cert
   CustomTrustKeyStoreType=jks
   CustomTrustKeyStoreFileName=/u01/data/keystores/trust.jks
   CustomTrustKeyStorePassPhrase=keystore_password

4. Regenerate the Node Manager startup files.
   1. Launch the WebLogic Scripting Tool (WLST).

      $MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh

   2. Connect to the Administration Server.

      connect('admin_user','password','t3://admin_server_host:9071')

      For example:

      connect('weblogic','password','t3://myinstance-wls-1:9071')

   3. Generate the boot.properties and startup.properties files for the server(s) on this node.

      nmGenBootStartupProps('server_name')

      Both the Administration Server and the first Managed Server run on the first node in the service instance. For example:

      nmGenBootStartupProps('myinstance_adminserver')

      nmGenBootStartupProps('myinstance_server_1')

   4. Exit WLST.

      exit()

5. Run the restart script as the oracle user.

   /opt/scripts/restart_domain.sh

   Note:

   If your instance was created before 23.3.2 (end of August 2023) you should edit the setEnv.sh file located in /opt/scripts:

   vi /opt/scripts/setEnv.sh

   Add the following properties to the WLST_PROPERTIES variable set in the file:

   -Dweblogic.security.TrustKeyStore=CustomTrust
   -Dweblogic.security.CustomTrustKeyStoreFileName=path_to_trust_keystore
   -Dweblogic.security.CustomTrustKeyStoreType=JKS

   For example, after adding the properties, WLST_PROPERTIES would be:

   export WLST_PROPERTIES="${WLST_PROPERTIES}
   -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dpython.path=${PYTHONPATH} 
   -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust 
   -Djava.security.egd=file:///dev/urandom -Doracle.jdbc.fanEnabled=false -Dweblogic.ssl.JSSEEnabled=true 
   -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.security.TrustKeyStore=CustomTrust 
   -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/data/keystores/trust.jks 
   -Dweblogic.security.CustomTrustKeyStoreType=JKS"

6. Repeat from Step 1 for any other nodes in service instance for which you want to configure SSL.