Servers: Configuration: Keystores
Keystores ensure the secure storage and management of private keys and trusted certificate authorities (CAs). This page lets you view and define various keystore configurations. These settings help you to manage the security of message transmissions.
WebLogic Server is configured with a default keystore configuration. Depending on the domain's security configuration, it either uses KSS demo identity and trust keystores or it uses JKS demo identity and trust keystores as well as the standard Java trust JKS keystore. The default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment.
After you configure identity and trust keystores for a WebLogic Server instance, you can configure its SSL attributes. These attributes include information about the identity and trust location for particular server instances. Use the Configuration: SSL page to specify this information.
For purposes of backward compatibility, WebLogic Server lets you store private keys and trusted certificate authorities in files or in a keystore provider. If you use either of these mechanisms for identity and trust, choose the Files or Keystore Providers (Deprecated) option on the Configuration: SSL page.
Configuration Options
Keystores
Which configuration rules should be used for finding the server's identity and trust keystores?
MBean Attribute: ServerMBean.KeyStores
Custom Identity Keystore
The source of the identity keystore. For a JKS or PKCS12 keystore, the source is the path and file name. For an Oracle Key Store Service (KSS) keystore, the source is the KSS URI.
If using a JKS or PKCS12 keystore, the keystore path name must either be absolute or relative to where the server was booted.
If using a KSS keystore, the keystore URI must be of the form:
kss://system/keystorename
where keystorename is the name of the keystore registered in KSS.
The value in this attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.
MBean Attribute: ServerMBean.CustomIdentityKeyStoreFileName
Custom Identity Keystore Type
The type of the keystore. Generally, this is JKS or PKCS12. If using the Oracle Key Store Service, this is KSS.
If empty or null, then the JDK's default keystore type (specified in java.security) is used. The custom identity key store type is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.
MBean Attribute: ServerMBean.CustomIdentityKeyStoreType
Custom Identity Keystore Passphrase
The encrypted custom identity keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.
This attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.
When you get the value of this attribute, WebLogic Server does the following:
1. Retrieves the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute.
2. Decrypts the value and returns the unencrypted password as a String.
When you set the value of this attribute, WebLogic Server does the following:
1. Encrypts the value.
2. Sets the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute to the encrypted value.
Using this attribute (CustomIdentityKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use CustomIdentityKeyStorePassPhraseEncrypted.
MBean Attribute: ServerMBean.CustomIdentityKeyStorePassPhrase
Changes take effect after you redeploy the module or restart the server.
Custom Trust Keystore
The source of the custom trust keystore. For a JKS or PKCS12 keystore, the source is the path and file name. For an Oracle Key Store Service (KSS) keystore, the source is the KSS URI.
If using a JKS or PKCS12 keystore, the keystore path name must either be absolute or relative to where the server was booted.
If using a KSS keystore, the keystore URI must be of the form:
kss://system/keystorename
where keystorename is the name of the keystore registered in KSS.
The value in this attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_CUSTOM_TRUST.
MBean Attribute: ServerMBean.CustomTrustKeyStoreFileName
Custom Trust Keystore Type
The type of the keystore. Generally, this is JKS or PKCS12. If using the Oracle Key Store Service, this is KSS.
If empty or null, then the JDK's default keystore type (specified in java.security) is used. This keystore type is only used if KeyStores is CUSTOM_IDENTITY_AND_CUSTOM_TRUST.
MBean Attribute: ServerMBean.CustomTrustKeyStoreType
Custom Trust Keystore Passphrase
The custom trust keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.
This attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_CUSTOM_TRUST.
When you get the value of this attribute, WebLogic Server does the following:
1. Retrieves the value of the CustomTrustKeyStorePassPhraseEncrypted attribute.
2. Decrypts the value and returns the unencrypted password as a String.
When you set the value of this attribute, WebLogic Server does the following:
1. Encrypts the value.
2. Sets the value of the CustomTrustKeyStorePassPhraseEncrypted attribute to the encrypted value.
Using this attribute (CustomTrustKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use CustomTrustKeyStorePassPhraseEncrypted.
MBean Attribute: ServerMBean.CustomTrustKeyStorePassPhrase
Changes take effect after you redeploy the module or restart the server.
Java Standard Trust Keystore
The location of the Java standard trust keystore.
Java Standard Trust Keystore Type
The type of the Java standard trust keystore. Generally, this is JKS.
Java Standard Trust Keystore Passphrase
The password for the Java Standard Trust keystore. This password is defined when the keystore is created.
If empty or null, then the keystore will be opened without a passphrase.
This attribute is only used if KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST or DEMO_IDENTITY_AND_DEMO_TRUST.
When you get the value of this attribute, WebLogic Server does the following:
1. Retrieves the value of the JavaStandardTrustKeyStorePassPhraseEncrypted attribute.
2. Decrypts the value and returns the unencrypted password as a String.
When you set the value of this attribute, WebLogic Server does the following:
1. Encrypts the value.
2. Sets the value of the JavaStandardTrustKeyStorePassPhraseEncrypted attribute to the encrypted value.
Using this attribute (JavaStandardTrustKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.
Instead of using this attribute, use JavaStandardTrustKeyStorePassPhraseEncrypted.
MBean Attribute: ServerMBean.JavaStandardTrustKeyStorePassPhrase
Changes take effect after you redeploy the module or restart the server.
Demo Identity Keystore
The location of the demo identity keystore.
Demo Identity Keystore Type
The type of the demo identity keystore. Generally, this is JKS or KSS.
Demo Identity Keystore Passphrase
The demo identity keystore's encrypted passphrase. This is read-only and changes will not be applied.
Demo Trust Keystore
The location of the demo trust keystore.
Demo Trust Keystore Type
The type of the demo trust keystore. Generally, this is JKS or KSS.
Demo Trust Keystore Passphrase
The demo trust keystore's encrypted passphrase. This is read-only and changes will not be applied.
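
The rules in the table above can be checked mechanically before a server goes to production. The following is an added example, not Oracle code: audit_keystores and check_source are hypothetical helper names, the settings dictionary is assumed to be keyed by the ServerMBean attribute names and KeyStores values as spelled on this page, and the sample values are constructed.

```python
import re

# Values of ServerMBean.KeyStores as written on this page.
CUSTOM_IDENTITY_MODES = {"CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST",
                         "CUSTOM_IDENTITY_AND_CUSTOM_TRUST",
                         "CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST"}
CUSTOM_TRUST_MODES = {"CUSTOM_IDENTITY_AND_CUSTOM_TRUST"}
KSS_URI = re.compile(r"kss://system/[^/\s]+")


def check_source(role, settings, findings):
    """Check one keystore source (file path or KSS URI) against its type."""
    source = settings.get(f"Custom{role}KeyStoreFileName") or ""
    ks_type = (settings.get(f"Custom{role}KeyStoreType") or "").upper()
    if not source:
        findings.append(f"{role}: keystore source is not set")
    elif ks_type == "KSS" and not KSS_URI.fullmatch(source):
        findings.append(f"{role}: KSS source must look like kss://system/keystorename")
    elif ks_type in ("JKS", "PKCS12") and source.startswith("kss://"):
        findings.append(f"{role}: type {ks_type} needs a file path, not a KSS URI")


def audit_keystores(settings):
    """Return a list of findings for one server's keystore attributes."""
    findings = []
    mode = settings.get("KeyStores", "")
    if mode.startswith("DEMO_"):
        findings.append("demo keystores in use: test and development only")
    if mode in CUSTOM_IDENTITY_MODES:
        check_source("Identity", settings, findings)
    if mode in CUSTOM_TRUST_MODES:
        check_source("Trust", settings, findings)
    elif settings.get("CustomTrustKeyStoreFileName"):
        findings.append("Trust: custom trust keystore set but ignored in this mode")
    # The page recommends the *Encrypted attributes over the plain String ones.
    for name in settings:
        if name.endswith("KeyStorePassPhrase"):
            findings.append(f"{name}: use {name}Encrypted instead")
    return findings


# Constructed sample values, not taken from a real domain.
SAMPLE = {
    "KeyStores": "CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST",
    "CustomIdentityKeyStoreFileName": "kss://system",
    "CustomIdentityKeyStoreType": "KSS",
    "CustomTrustKeyStoreFileName": "/u01/keystores/trust.p12",
    "CustomIdentityKeyStorePassPhrase": "example-only",
}
```

Calling audit_keystores(SAMPLE) reports the malformed KSS URI, the custom trust keystore that the selected mode ignores, and the use of the plain passphrase attribute.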