
We have a clustered WebLogic instance which needs to be set up with 2-way SSL. (One of the third-party clients is asking us to set up 2-way SSL.) Currently, when I checked the WebLogic SSL configuration, I found that it has Demo Identity and Demo Trust as the default keystores. Now, if I want to set up 2-way SSL, can I reuse the existing Demo Trust and Demo Identity?

I could see some options in the dropdown on the WebLogic SSL admin page, like "custom trust and java keystore" and "custom trust and custom keystore". What is the best option, if reusing the demo trust and demo identity is not recommended?

Also, let me know how to do regression testing for such a scenario where I am changing WebLogic's default truststore (demoidentity).

1 Answer


If you use the demo identity and trust store, it should only be for testing purposes. You do NOT want to use the demo identity and trust store for a secure production system.

Create your own identity and either self-sign it, or get a CA to sign it. Then give the CA cert to the clients to trust. (If it's a commercial CA, they probably already have it in their trust mechanism.)

Create your own trust store and place the CA cert/s of your clients into it.

Now, your app will know who to trust, and will have a unique identity that your clients can trust.

Here are some basic ways to test it:

  • Try connecting as a client without an identity (1-way SSL) to make sure 2-way SSL is being enforced. (It should not connect.)
  • Try connecting as a client with an identity that is not trusted by the server. (It should not connect.)
  • Temporarily remove the server's CA cert from the client's trust list and try to connect. (It should not connect.)
  • Finally, try the normal scenario where client trusts server and server trusts client. (It SHOULD connect.)

This SO question should give you some more details on setting up 2-way SSL with WebLogic.
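The procedure the answer describes (own identity keystore, own trust keystore holding only the clients' CA, then the four handshake checks), as an added example that is not code from the answer or from Oracle. It uses keytool for the JKS stores and openssl for the certificates and probes; a local `openssl s_server` that requires a client certificate stands in for the WebLogic SSL listener, and the CA/subject names, the store password, the port and the work directory are placeholders (assumptions).

```bash
#!/usr/bin/env bash
# Added example (not from the original answer or from Oracle). Builds the custom
# identity and custom trust keystores with keytool, then runs the answer's four
# handshake checks against a local "openssl s_server" standing in for WebLogic.
# Placeholders (assumptions): CA/subject names, store password, work dir, port.
set -euo pipefail

WORK=${WORK:-$(mktemp -d)}
PORT=${PORT:-18443}                # assumption: a free local port
STOREPASS=${STOREPASS:-changeit}   # assumption: placeholder, use a real secret
SERVER_SUBJ="/CN=wls.example.com"  # assumption: the host name partners connect to

# Two private CAs: "partner" signs the server identity and the partner's client
# cert (assumption: one internal CA does both); "rogue" signs a cert nobody trusts.
make_cas() {
  for ca in partner rogue; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$ca CA" \
      -keyout "$WORK/$ca-ca.key" -out "$WORK/$ca-ca.crt" 2>/dev/null
  done
}

# issue_cert <name> <subject> <ca>: leaf key and cert signed by the named CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3-ca.crt" -CAkey "$WORK/$3-ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Custom identity keystore: server key plus chain, wrapped in PKCS12 and
# converted to JKS, the type the console's "Custom Identity" setting expects.
make_identity_jks() {
  openssl pkcs12 -export -name wlsidentity -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/partner-ca.crt" \
    -out "$WORK/identity.p12" -passout "pass:$STOREPASS"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/identity.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/identity.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
    2>/dev/null
}

# Custom trust keystore: only the CA(s) that sign your clients' certs, nothing else.
make_trust_jks() {
  keytool -importcert -noprompt -alias partnerca -file "$WORK/partner-ca.crt" \
    -keystore "$WORK/trust.jks" -storetype JKS -storepass "$STOREPASS" 2>/dev/null
}

# count_entries <store file> <PrivateKeyEntry|trustedCertEntry>
count_entries() {
  keytool -list -keystore "$WORK/$1" -storetype JKS -storepass "$STOREPASS" 2>/dev/null \
    | grep -c "$2" || true
}

# probe <s_client options>: s_server requires a client cert (-Verify) and TLS 1.2
# is forced so a missing or untrusted client cert fails inside the handshake
# (TLS 1.3 would report it only after the handshake). Prints connected/rejected.
# For the real regression run, point s_client at the WebLogic host:port instead.
probe() {
  openssl s_server -accept "$PORT" -tls1_2 -www -naccept 1 \
    -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -CAfile "$WORK/partner-ca.crt" -Verify 2 </dev/null >/dev/null 2>&1 &
  local srv=$! result=rejected
  sleep 1
  if openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -verify_return_error "$@" \
       </dev/null >/dev/null 2>&1; then
    result=connected
  fi
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  echo "$result"
}

build_all() {
  make_cas
  issue_cert server "$SERVER_SUBJ" partner
  issue_cert partner-client "/CN=partner client" partner
  issue_cert rogue-client "/CN=rogue client" rogue
  make_identity_jks
  make_trust_jks
}

# The answer's four checks, in order; prints: rejected rejected rejected connected
run_regression() {
  local ca="$WORK/partner-ca.crt" pc="$WORK/partner-client" rc="$WORK/rogue-client"
  probe -CAfile "$ca"                                               # 1-way only, no client cert
  probe -CAfile "$ca" -cert "$rc.crt" -key "$rc.key"                # client cert the server does not trust
  probe -CAfile "$WORK/rogue-ca.crt" -cert "$pc.crt" -key "$pc.key" # client does not trust the server
  probe -CAfile "$ca" -cert "$pc.crt" -key "$pc.key"                # mutual trust, should connect
}
# Usage: source this file, then: build_all && run_regression
```

After `build_all`, point the server's Keystores tab at `identity.jks` and `trust.jks` with "Custom Identity and Custom Trust", and on the SSL tab (Advanced) set "Two Way Client Cert Behavior" to "Client Certs Requested And Enforced". Then repeat the four `s_client` invocations against the real host and port; only the last one should connect. The identity store should list exactly one PrivateKeyEntry and the trust store only the CAs you chose to trust, which is the check that nothing from the demo stores was carried over.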


3 Comments

Thanks for the detailed information. If I am implementing new custom trust and identity stores for the WebLogic instances, will it affect the existing partners who are connected to us? I mean, do I need to copy all the certs/keys within the demo identity and trust stores to my own custom identity and custom trust stores, so that I don't lose any existing SSL partner connections? Correct me if I am wrong.
I'm assuming you are only doing 1-way SSL right now. When you switch to 2-way, all your clients will need to present valid certs (signed by CA/s you have in your custom trust list) in order to connect. And if the clients do not already trust the CA that signed your new identity cert, then they will need to add that CA to their trusted list. If you want a unique, secure identity, then you do not want to copy the demo identity. And as far as the demo trust, you don't want to trust any more certs than you have to.
If all your clients get their certs signed by the same CA, then you only need to trust that one CA. I don't know if you have control over issuing the clients' certs or not. If not, then you'll probably have to include more CAs in your trust list... perhaps you can use a current Java cacerts file as a starting point for trusted commercial CA certs.
