Obtain the Identity Store

3.1 Create Identity Store with Self-Signed Certificates

This topic provides the information to create the identity store with self-signed certificates.

Self-signed certificates are acceptable for use in a testing or development environment. Oracle Financial Services does not recommend the use of self-signed certificates in a production environment

To create a self-signed certificate, the genkeypair option provided by the keytool utility of Sun Java 6 needs to be utilized.

Create Self-Signed Certificate

This section provides information for creating the identity store with self-signed certificates.

Browse to the bin folder of JRE from the command prompt and type the following command. The items highlighted are placeholders, and should be replaced with suitable values when running the command.

keytool -genkeypair -alias alias -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 365 -keystore keystore

Table 3-1 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair created. This alias is required later when configuring the SSL attributes for the managed servers in Oracle Weblogic Server.
`keystore`	It is used to specify the location of the JKS file. If no JKS file is present in the path provided, one will be created.

The command prompts for the following attributes of the certificate and keystore:

Table 3-2 Attributes Details

Attributes	Description
Keystore Password	Specify a password used to access the Keystore. This password needs to be specified later when configuring the identity store in Oracle Weblogic Server.
Key Password	Specify a password used to access the private key stored in the Keystore. This password needs to be specified later, when configuring the SSL attributes of the managed server(s) in Oracle Weblogic Server.
First and Last Name (CN)	Enter the domain name of the machine used to access Oracle Banking Virtual Account Management. For example, www.example.com.
Name of your Organizational Unit	The name of the department or unit making the request. For example, BDP. Use this field to further identify the SSL Certificate for creating. For example, by department or by physical server.
Name of your Organization	The name of the organization making the certificate request. For example, Oracle Financial Services. It is recommended to use the company or organization's formal name, and this name entered here must match the name found in official records.
Name of your City or Locality	The city in which your organization is physically located. For example, Mumbai.
Name of your State or Province	The state/province in which your organization is physically located. For example, Maharashtra.
Two-letter Country Code for this Unit	The country in which your organization is physically located. For example, US, UK, IN, etc.

The key generation algorithm has been specified as RSA, the key size as 1024 bits, the signature algorithm as SHA1withRSA,and the validity days as 365. These can be changed to suitable values if the need arises. For further details, please refer to the documentation of the keytool utility in the JDK utilized by Oracle WebLogic Server.

The sample execution command is listed below:

D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool -genkeypair -alias selfcert -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 365 -keystore D:\keystores\AdminOBVAMKeyStore.jks
Enter keystore password: <Enter a password to protect the keystore>
Re-enter new password: <Confirm the password keyed above>
What is your first and last
  name? [Unknown]:
  cvrhp0729.oracle.com
What is the name of your organizational
  unit? [Unknown]: BPD
What is the name of your
  organization? [Unknown]: Oracle
  Financial Services
What is the name of your City or
  Locality? [Unknown]: Mumbai
What is the name of your State or Province?
  [Unknown]: Maharashtra
What is the two-letter country code for this
  unit? [Unknown]: IN
Is CN=cvrhp0729.i-flex.com, OU=BPD, O=Oracle Financial Services, L=Mumbai, ST=Maharashtra, C=IN correct?
  [no]: yes
Enter key password for <selfcert>
RETURN if same as keystore password): <Enter a password to protect the key>
Re-enter new password: <Confirm the password keyed above>

Parent topic: Obtain the Identity Store

3.2 Keystore Creation

This topic provides the information to create the keystore.

keytool -genkeypair -keystore <keystore_name.jks> -alias <alias_name> -dname 
"CN=<hostname>, OU=<Organization Unit>, O=<Organization>, L=<Location>, ST=<State>, 
C=<Country_Code>" -keyalg <Key Algorithm> -sigalg <Signature Algorithm> -keysize <key size> 
-validity <Number of Days> -keypass <Private key Password> -storepass <Store Password>

Example:

keytool -genkeypair -keystore AdminOBVAMKeyStore.jks -alias OBVAMCert -dname 
"CN=ofss00001.in.example.com, OU=OFSS, O=OFSS, L=Chennai, ST=TN, C=IN" -keyalg "RSA" 
-sigalg "SHA1withRSA" -keysize 2048 -validity 3650 -keypass Password@123 -storepass Password@123

Note:

CN=ofss00001.in.example.com is the Host Name of the weblogic server

Parent topic: Obtain the Identity Store

3.3 Create Identity Store with Trusted Certificates Issued by CA

This topic provides the information to create Identity Store with Trusted Certificates Issued by CA.

Create Public and Private Key Pair

Browse to the bin folder of JRE from the command prompt and type the following command. The items highlighted are placeholders, and should be replaced with suitable values when running the command.

keytool -genkeypair -alias alias -keyalg keyalg -keysize keysize - sigalg sigalg -validity valDays -keystore keystore

Table 3-3 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair created. This alias is required later when configuring the SSL attributes for the managed servers in Oracle Weblogic Server.
`keyalg`	It is a key algorithm used to generate the public and private key pair. The RSA key algorithm is recommended.
`keysize`	It is the size of the public and private key pairs generated. A key size of 1024 or more is recommended. Please consult with your CA on the key size support for different types of certificates.
`sigalg`	It is the algorithm used to generate the signature. This algorithm should be compatible with the key algorithm and should be one of the values specified in the Java Cryptography API Specification and Reference.
`valdays`	It is the number of days for which the certificate is to be considered valid. Please consult with your CA on this period.
`keystore`	It is used to specify the location of the JKS file. If no JKS file is present in the path provided, one will be created.

The command prompts for the following attributes of the certificate and keystore:

Table 3-4 Attribute Details

Attributes	Description
Keystore Password	Specify a password used to access the Keystore. This password needs to be specified later, when configuring the identity store in Kafka server.
Key Password	Specify a password used to access the private key stored in the Keystore. This password needs to be specified later, when configuring the SSL attributes of the managed server(s) in Oracle Weblogic Server.
First and Last Name (CN)	Enter the domain name of the machine used to access Oracle Banking Virtual Account Management. For example, www.example.com.
Name of your Organizational Unit	The name of the department or unit making the request. For example, BDP. Use this field to further identify the SSL Certificate for creating. For example, by department or by physical server.
Name of your Organization	The name of the organization making the certificate request. For example, Oracle Financial Services. It is recommended to use the company or organization's formal name, and this name entered here must match the name found in official records.
Name of your City or Locality	The city in which your organization is physically located. For example, Mumbai.
Name of your State or Province	The state/province in which your organization is physically located. For example, Maharashtra.
Two-letter Country Code for this Unit	The country in which your organization is physically located. For example, US, UK, IN, etc.

The sample execution of the command is listed below:

D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool -genkeypair -alias cvrhp0729 -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 365 -keystore
D:\keystores\AdminOBVAMKeyStore.jks
Enter keystore password: <Enter a password to protect the keystore>
Re-enter new password: <Confirm the password keyed above>
What is your first and last name? 
  [Unknown]: cvrhp0729.i-flex.com
What is the name of your organizational unit? 
  [Unknown]: BPD
What is the name of your organization? 
  [Unknown]: Oracle Financial Services
What is the name of your City or Locality? 
  [Unknown]: Mumbai
What is the name of your State or Province?
  [Unknown]: Maharashtra
What is the two-letter country code for this unit? 
  [Unknown]: IN
Is CN=cvrhp0729.i-flex.com, OU=BPD, O=Oracle Financial Services, L=Mumbai, ST=Maharashtra, C=IN correct? [no]: yes
Enter key password for <cvrhp0729>
RETURN if same as keystore password): <Enter a password to protect the key>
Re-enter new password: <Confirm the password keyed above>

Generate CSR

To purchase an SSL certificate, the user must generate the CSR for the server where the certificate will be installed.

A CSR is generated from the server and is the server's unique fingerprint. The CSR includes the server's public key, which enables server authentication and secure communication. If the keystore file or the password is lost and a new one is generated, the SSL certificate and the private key will no longer match. A new SSL Certificate will have to be requested.

The CSR is created by running the following command in the bin directory of the JRE:

keytool -certreq -alias alias –file certreq_file -keystore keystore

Table 3-5 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair created. The private key associated with the alias will be utilized to create the CSR. Specify the alias of the key pair created in the previous step.
`certreq_file`	It is the file in which the CSR will be stored.
`keystore`	It is the location of the keystore containing the public and private key pair.

The sample execution command is listed below:

D:\Oracle\Weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool -certreq -alias cvrhp0729 -file D:\keystores\certreq.csr -keystore
D:\keystores\AdminOBVAMKeyStore.jks
Enter keystore password: <Enter a password to protect the keystore>
Enter key password for <cvrhp0729>[Enter the password used to access the key in the keystore]

Parent topic: Obtain the Identity Store

3.4 Export Private Key as Certificate

This topic provides the information to export private key as certificate.

keytool -export -v -alias <alias_name> -file <export_certificate_file_name_with_location.cer> 
-keystore <keystore_name.jks> > -keypass <Private key Password> -storepass <Store Password>

Example:

keytool -export -v -alias OBVAMCert -file AdminOBVAMCert.cer -keystore AdminOBVAMKeyStore.jks 
-keypass Oracle123 -storepass Oracle123

If successful, the following message is displayed:

Certificate stored in file < AdminOBVAMCert.cer>

Obtain Trusted Certificate from CA
This topic provides the information to obtain the trusted certificate from CA.
Convert .crt and .key file to PKC12 file
This topic provides the systematic instruction to convert .crt and .key file to PKC12 file.
Import Certificate into Identity Store
This topic provides information to import the certificate into identify store.

Parent topic: Obtain the Identity Store

3.4.1 Obtain Trusted Certificate from CA

This topic provides the information to obtain the trusted certificate from CA.

The processes of obtaining a trusted certificate vary from one CA to another. The CA might perform additional offline verification. Consult the CA issuing the certificate for details on the process to be followed for submission of the CSR and for obtaining the certificate.

Parent topic: Export Private Key as Certificate

3.4.2 Convert .crt and .key file to PKC12 file

This topic provides the systematic instruction to convert .crt and .key file to PKC12 file.

Once CA signed certificate is generated, you will be notified on email to download it from the portal, once zip is downloaded from portal it will contain .crt & .key file for requested server.

Convert this .crt and .key file to PKC12 file using openssl command (openssl.exe file could be found under Git installation directory. In my case, “C:\Program Files\Git\usr\bin\openssl.exe”)

Sample command:

openssl pkcs12 -export -in <crt_file> -inkey <key_file> -out <p12_file>
 -name <alias_name>

Sample command with values:

openssl pkcs12 -export -in whf00pfl.in.example.com.crt -inkey
 whf00pfl.in.example.com.key -out whf00pfl.in.example.com.p12 -name whf00pfl.in.example.com

Import PKCS12 file into Java Keystore using the keytool (keytool can be found under $JAVA_HOME/bin)

Sample Command:

keytool -importkeystore -deststorepass <password> -destkeystore
 <jks_file> -srckeystore <p12_file> -srcstoretype PKCS12

Sample command with values:

keytool -importkeystore -deststorepass Oracle@123 -destkeystore
 whf00pfl_keystore.jks -srckeystore whf00pfl.in.example.com.p12 -
 srcstoretype PKCS12

Parent topic: Export Private Key as Certificate

3.4.3 Import Certificate into Identity Store

This topic provides information to import the certificate into identify store.

Store the certificate obtained from the CA in the previous step, in a file, preferably in PEM format. Other formats like the p7b file format would require conversion to the PEM format. Details on performing the conversion are not listed here.

Note:

Refer to the Oracle WebLogic Server documentation on Securing Oracle WebLogic Server for details on converting a Microsoft p7b file to the PEM format.

The command to be executed for importing a certificate into the identity store depend on whether the trust store chosen (Refer to section Choose the Identity and Trust Stores). It is highly recommended to verify the trust path when importing a certificate into the identity store. The commands provided below assume the use of the Java Standard Trust store.

Import the public certificate into the keystore using the private key alias. Then do the actual import of the certificate:

Sample command:

keytool -importcert -v -alias <alias_name> -file
 <consolidate_certs_file> -keystore <keystore path> -keypass <Password>
 -storepass <Password>

Sample command with values:

keytool -importcert -v -alias whf00pfl.in.example.com -file
 consolidate_cert.pem -keystore whf00pfl_keystore.jks -keypass
 Oracle@123 -storepass Oracle@123

To confirm your keystore is created correctly, you can look at the keystore using the following command:
Sample command:
```
keytool -list -v -keystore <keystore path> -storepass <Password>
```
Sample command with values:
```
keytool -list -v -keystore whf00pfl_keystore.jks -storepass Oracle@123
```

Import the Intermediate CA Certificate

Most Certificate Authorities do not use the root CA certificates to issue identity certificates for use by customers. Instead, Intermediate CAs issue identity certificates in response to the submitted CSRs.

If the Intermediate CA certificate is absent in the Java Standard Trust store, the trust path for the certificate will be incomplete for the certificate, resulting in warnings issued by WebLogic Server during runtime. To avoid this, the intermediate CA certificate should be imported into the identity keystore. Although the intermediate CA certificate can be imported into the Java Standard Trust store, this is not recommended unless the intermediate CA can be trusted. The following command must be executed to import the intermediate CA certificate into the keystore.

keytool -importcert -alias alias -file cert_file -trustcacerts -keystore keystore

Table 3-6 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair. Specify the alias of the key pair used to create the CSR in the earlier step.
`certreq_file`	It is the location of the file containing the intermediate CA certificate in a PKCS#7 format (PEM or DER file).
`keystore`	It is the location of the keystore containing the public and private key pair.

The trustcacerts flag is used to consider other certificates (higher intermediaries and the root CA) in the chain of trust. If no chain of trust is established during verification, the certificate will be displayed and one would be prompted to verify it. It is recommended that due diligence be observed, when the prompt is displayed to verify a certificate when a chain of trust is absent.

The sample execution command is listed below:

D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool - importcert -alias verisigntrialintermediateca -file
D:\keystores\VerisignIntermediateCA.cer -trustcacerts -keystore D:\keystoreworkarea\AdminOBVAMKeyStore.jks
Enter keystore password:<Enter the password used to access the keystore>
Certificate was added to keystore

Import the Identity Certificate

The following command should be executed to import the identity certificate into the keystore.

keytool -importcert -alias alias -file cert_file -trustcacerts -keystore keystore

Table 3-7 Keyword Description

Keyword	Description
`alias`	Used to identify the public and private key pair. Specify the alias of the key pair used to create the CSR in the earlier step.
`certreq_file`	It is the location of the file containing the PKCS#7 formatted reply from the CA, containing the signed certificate.
`keystore`	It is the location of the keystore containing the public and private key pair.

The trustcacerts flag is used to consider other certificates (intermediate CAs and the root CA) in the chain of trust. If no chain of trust is established during verification, the certificate will be displayed and one would be prompted to verify it. It is recommended that due diligence be observed, when the prompt is displayed to verify a certificate when a chain of trust is absent.

The sample execution command is listed below:

D:\Oracle\weblogic11g\jrockit_160_05_R27.6.2-20\bin>keytool - importcert -alias cvrhp0729 -file
D:\keystores\cvrhp0729.cer - trustcacerts -keystore
D:\keystoreworkarea\AdminOBVAMKeyStore.jks
Enter keystore password: <Enter the password used to access the keystore>
Enter key password for <cvrhp0729>: <Enter the password used to access the private key>
Certificate reply was installed in keystore

The previous set of commands assumed the presence of the appropriate root CA certificate (in the chain of trust) in the Java Standard Trust store, i.e. in the cacerts file. If the CA issuing the identity certificate (for the WebLogic Server) does not have the root CA certificate in the Java Standard Trust store, one can opt to import the root CA certificate into cacerts, or into the identity store, depending on factors including trustworthiness of the CA, necessity of transporting the trust store across machine, among others.

Parent topic: Export Private Key as Certificate

3.5 Import Trust Certificate

This topic provides the information to import as trusted certificate.

keytool -import -v -trustcacerts -alias rootcacert -file <export_certificate_file_name_with_location.cer> 
-keystore <keystore_name.jks> > -keypass <Private key Password> -storepass <Store Password>

Example:

keytool -import -v -trustcacerts -alias rootcacert -file AdminOBVAMCert.cer 
-keystore AdminOBVAMKeyStore.jks -keypass Oracle123 -storepass Oracle123

Parent topic: Obtain the Identity Store