
WebLogic Server 6.1: How to configure SSL for PeopleSoft Application


1) Start WebLogic Server
2) Access WebLogic's Server Certificate Request Generator page.
3) Fill out the certificate request form.
4) View the certificate request.
5) Move the certificates.
6) Decide which Certificate Authority you wish to use, and then follow the appropriate section below.
7) Submit your certificate request to a Certificate Authority to obtain your certificate (a.k.a. public key).
8) Install the CA's certificate: Obtain the root certificate of the CA which processed your request.
9) Logon to the WebLogic Server Administrative Console.
10) Navigate to the SSL page.
11) Update the SSL fields.
12) OPTIONAL -- Steps to require client based certificate authentication.
13) OPTIONAL -- Encrypted private key.
14) Submit your certificate request to Verisign. (Don't use the Verisign button)
15) Complete the Verisign CSR.
16) Supply Verisign with Contact information.
17) Check your email.
18) Install the VeriSign TestCA certificate:
19) Logon to the WebLogic Server Administrative Console.
20) Navigate to the SSL page.
21) Update the SSL fields.
22) OPTIONAL -- Steps to require client based certificate authentication.
23) OPTIONAL -- Encrypted private key.

Overview: Procedure for installing digital certificates on WebLogic 6.1 for a PeopleSoft application.

Description: All references to <webserver> refer to the machine and port on which WebLogic Server 6.1
is installed and running.

1) Start WebLogic Server


Start the PIA server either via startPIA.cmd(.sh) or, if installed as an NT service, "NET START
peoplesoft-PIA". For more info see the section titled "How to start and stop WebLogic Server?".

2) Access WebLogic's Server Certificate Request Generator page.


Point your browser to http://<webserver>/Certificate (e.g. http://localhost/certificate) to access the
Server Certificate Request Generator servlet. When prompted for a User Name and password,
specify the WebLogic system ID and password. If you've followed the default WebLogic Server install, the
ID and password are 'system' and 'password'. Otherwise specify the password supplied during your
WebLogic Server installation.

3) Fill out the certificate request form.


Fill in the certificate request form, substituting your info where applicable, and then click 'Generate
Request'. The fields marked with "" are required.

Three fields that require special note are "Full host name", "Private Key Password" and "Random
string".

Field                  Description
Full host name         The host name entered here must match the host name that clients will speci
                       URLs. If clients will specify a fully qualified domain name, then you'll need to
                       fully qualified domain name. (i.e. crm.peoplesoft.com)
Private Key Password   If you specify a Private Key Password you will need to enable the Key Encrypt
                       the SSL tab of the Server window in the Administration console.
Random string          An optional string used to add an external factor to the encryption algorithm.
                       production web servers the use of a random string is highly recomme
                       on the following
                       http://developer.bea.com/code/security_011109.jsp

4) View the certificate request.


As a result, the Certificate servlet will display your certificate signing request (CSR) and create three
files in your WebLogic Server directory (i.e. on NT c:\bea\wlserver6.1 or on UNIX /apps/bea/wlserver6.1).
The following files will be generated:

File name                 Description
<webserver>-key.der       Private key (binary format)
<webserver>-request.der   Certificate signing request (binary format)
<webserver>-request.pem   Certificate signing request (ASCII version of <webserver>-request.der)

5) Move the certificates.
Move all three generated files from c:\bea\wlserver6.1\ to c:\bea\wlserver6.1\config\peoplesoft\.
For UNIX, move your three certificate files <webserver>* from your /apps/bea/wlserver6.1/ directory to
/apps/bea/wlserver6.1/config/peoplesoft/. (*.PEM must be FTP'ed in ASCII mode)

6) Decide which Certificate Authority you wish to use, and then follow the appropriate section below.

7) Submit your certificate request to a Certificate Authority to obtain your certificate (a.k.a. public key).
Internal to PeopleSoft, you can use the Microsoft CA at http://ptntas12/certsrv/certrqxt.asp. To do
so, cut and paste a copy of your certificate request, including the "- - - - BEGIN NEW . . . " and
"- - - - - END NEW . . . ", into the field provided and click 'Submit'. Once the certificate request has
been successfully processed, select 'DER encoded' and click the 'Download certificate' link. Save
your certificate to c:\bea\wlserver6.1\config\peoplesoft\<machine_name>-cert.cer. For UNIX,
ftp your certificate in binary to your /apps/bea/wlserver6.1/config/peoplesoft/ directory.

8) Install the CA's certificate: Obtain the root certificate of the CA which processed your request.
If you used the above listed Microsoft CA, you can download its certificate from
http://ptntas12/certsrv/certcarc.asp. Select the 'DER' encoding method, click the 'Download CA
certificate' link and save it to disk as c:\bea\wlserver6.1\config\peoplesoft\PTNTAS12.cer. For
UNIX, ftp the CA certificate in binary to your /apps/bea/wlserver6.1/config/peoplesoft/ directory.

9) Logon to the WebLogic Server Administrative Console.


Access the WebLogic Server console at http://<webserver>/console (e.g. http://localhost/console).
When prompted for a User Name and password, specify the WebLogic system ID and password. If
you've followed the default WebLogic Server install, the ID and password are 'system' and
'password'. Otherwise specify the password supplied during your WebLogic Server installation.

10) Navigate to the SSL page.


In the graphical domain hierarchy on the left, navigate as follows:
  Expand 'peoplesoft'
  Expand 'Servers'
  Select 'PIA'
  Click on the SSL tab.

11) Update the SSL fields.
Update the following four fields based on the information below. Once complete, click the
'Apply' button at the bottom of the page.

Field                               Description                                  Recommended value
Enabled                             Checkbox that enables the use of the SSL.    Check it
SSL Listen Port                     The port WebLogic Server listens for SSL     443
                                    connections. (Note: on UNIX a value below
                                    1024 requires root authority)
Server Key File Name                Private key (binary format)                  config/peoplesoft/<webs
Server Certificate File Name        Your Public Key (issued from your Root CA)   config/peoplesoft/<webs
Server Certificate Chain File Name  Root CA's public key                         config/peoplesoft/PTNTA
Stop and start the web server.

Navigate to the PWONG031000 certificate, double-click on it and select install to get rid of the
security warning.

12) OPTIONAL -- Steps to require client based certificate authentication.
Have the clients go to http://ptntas12/certsrv/certrqbi.asp?type=0 and request a client
certificate.
Click download to install the certificate in your browser.
On the same console page that you edited in step 11 for your SSL setup, update the fields below. If you
didn't use PTNTAS12, substitute the certificate from your CA.
Field                        Description                                       Recommended value
Client Certificate Enforced  Checkbox that enables mutual authentication.      Check it
Trusted CA File Name         The name of the file that contains the digital    config/peoplesoft/PTNTA
                             certificate for the certificate authority(s)
                             trusted by WebLogic Server. The file specified
                             in this field can contain a single digital
                             certificate or multiple digital certificates
                             for certificate authorities. The file extension
                             (.DER or .PEM) tells WebLogic Server how to
                             read the contents of the file.

13) OPTIONAL -- Encrypted private key.


If during the generation of your Certificate Request (step #4), you specified a Private Key
Password, you need to check the 'Key Encrypted' checkbox on the same SSL tab you edited in
step 10. In addition, you must manually edit your startPIA.cmd(.sh) and add the java system
property -Dweblogic.management.pkpassword=YourPrivateKeyPassword to the line that launches java,
after the last "-D" declared parameter, but before 'weblogic.Server'.

----------------------------------------------------------------------------------------------------------------

14) Submit your certificate request to Verisign. (Don't use the Verisign button)
The Verisign button provided by BEA on the "BEA WebLogic Server Certificate Request
Generator" does not work. To install a Verisign test certificate, access VeriSign's test cert enrollment
site at https://www.verisign.com/products/srv/trial/intro.html.

15) Complete the Verisign CSR.


Agree to the license and continue to "Step 2 of 5: Submit CSR". In the large edit box provided,
copy and paste the contents from your <webserver>-request.pem and click Continue.

16) Supply Verisign with Contact information.
Fill out the table titled "Enter Technical Contact Information" with your information and
verify that the radio button for the "Free 14-day Trial Server ID" is selected. Once this is done,
agree to the license information and click 'Accept'. Your certificate will be emailed to the email
address you specified. By selecting the free trial ID, you do not need to fill out the "Cardholder
Information" table.

17) Check your email.


Once you receive your certificate email from VeriSign, you will see your actual certificate in the
following format.

This is an example certificate file:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Copy the certificate information, including --BEGIN CERTIFICATE-- and --END CERTIFICATE-- and
save it as a file called c:\bea\wlserver6.1\config\peoplesoft\<webserver>-cert.pem. (Do not use
a word processor such as MSWord that inserts formatting or control characters.) If you need to
FTP your certificate to UNIX, you must FTP it in ASCII mode.

18) Install the VeriSign TestCA certificate:


Download the VeriSign test CA certificate from http://digitalid.verisign.com/cgi-bin/getcacert.
When prompted, save it to disk as c:\bea\wlserver6.1\config\peoplesoft\verisigntestca.cer. For
UNIX, ftp the CA certificate in binary to your /apps/bea/wlserver6.1/config/peoplesoft/
directory.

19) Logon to the WebLogic Server Administrative Console.
Access the WebLogic Server console at http://<webserver>/console (e.g. http://localhost/console).
When prompted for a User Name and password, specify the WebLogic system ID and password. If you've
followed the default WebLogic Server install, the ID and password are 'system' and 'password'. Otherwise
specify the password supplied during your WebLogic Server installation.

20) Navigate to the SSL page.


In the graphical domain hierarchy on the left, navigate as follows:
  Expand 'peoplesoft'
  Expand 'Servers'
  Select 'PIA'
  Click on the SSL tab.

21) Update the SSL fields.
Update the following four fields based on the information below. Once complete, click the
'Apply' button at the bottom of the page.

Field                               Description                                  Recommended value
Enabled                             Checkbox that enables the use of the SSL.    Check it
SSL Listen Port                     The port WebLogic Server listens for SSL     443
                                    connections. (Note: on UNIX a value below
                                    1024 requires root authority)
Server Key File Name                Private key (binary format)                  config/peoplesoft/<webs
Server Certificate File Name        Your Public Key (issued from your Root CA)   config/peoplesoft/<webs
Server Certificate Chain File Name  Root CA's public key                         config/peoplesoft/verisig

22) OPTIONAL -- Steps to require client based certificate authentication.

Have the clients generate a client certificate request.

On the same SSL page that you edited in step 14, on your WebLogic server, add the following
lines to your weblogic.properties. If you didn't use http://pwong..., substitute the certificate
from your CA.

Field                        Description                                       Recommended value
Client Certificate Enforced  Checkbox that enables mutual authentication.      Check it
Trusted CA File Name         The name of the file that contains the digital    config/peoplesoft/verisig
                             certificate for the certificate authority(s)
                             trusted by WebLogic Server. The file specified
                             in this field can contain a single digital
                             certificate or multiple digital certificates
                             for certificate authorities. The file extension
                             (.DER or .PEM) tells WebLogic Server how to
                             read the contents of the file.
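
Because the file extension tells WebLogic Server how to read a file, and the steps above move DER files in binary mode and PEM files in ASCII mode, the files can be checked before the SSL fields point at them. The Python code below is an added example, not part of the original procedure: it detects the real encoding, compares the length declared in the DER header with the file size, and flags a .pem/.der extension that contradicts the content. Function names are hypothetical, the sample data is constructed filler rather than a real certificate, and only the outer ASN.1 header is examined.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_total_length(data):
    """Size the outer ASN.1 SEQUENCE header declares (header included), or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                        # short form: one length byte
        return 2 + data[1]
    n = data[1] & 0x7F                        # long form: n length bytes follow
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return (encoding, problem); encoding is 'PEM', 'DER' or 'unknown'."""
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            return "PEM", "Base64 body is damaged (formatting characters inserted?)"
        if der_total_length(body) != len(body):
            return "PEM", "decoded body is not one complete DER structure"
        return "PEM", None
    declared = der_total_length(data)
    if declared is None:
        return "unknown", "neither PEM armour nor a DER SEQUENCE"
    if declared != len(data):
        return "DER", "header declares %d bytes, file has %d" % (declared, len(data))
    return "DER", None

def check_file(name, data):
    """Also flag a .pem/.der extension that contradicts the detected encoding."""
    encoding, problem = classify(data)
    ext = name.rsplit(".", 1)[-1].lower()
    if problem is None and ext in ("pem", "der") and ext != encoding.lower():
        problem = "extension .%s but content is %s" % (ext, encoding)
    return encoding, problem

# Constructed sample: a 260-byte SEQUENCE with filler content, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
ASCII_MODE = SAMPLE_DER.replace(b"\n", b"\r\n")   # what an ASCII-mode transfer can do
if __name__ == "__main__":
    print(check_file("ca.cer", SAMPLE_DER), check_file("ca.cer", ASCII_MODE))
```

For a real file, pass its name and the bytes read with open(path, "rb").read(); a length mismatch on a DER file is the usual sign that it was transferred in ASCII mode.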

23) OPTIONAL -- Encrypted private key.


If during the generation of your Certificate Request (step #4), you specified a Private Key
Password, you need to check the 'Key Encrypted' checkbox on the same SSL tab you
edited in step 14. In addition, you must manually edit your startPIA.cmd (.sh) and add the java
system property -Dweblogic.management.pkpassword=YourPrivateKeyPassword to the line that
launches java, after the last "-D" declared parameter, but before 'weblogic.Server'.
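
A check for the start-script edit described in steps 13 and 23, as an added example rather than anything shipped with WebLogic or PeopleSoft: it confirms that the pkpassword property sits before weblogic.Server on the launch line and reports when a script that now holds the key password is readable by other accounts. The launch lines are constructed samples, the function names are hypothetical, and `mode` is assumed to come from os.stat(path).st_mode & 0o777.

```python
import re
import shlex

PROP = "-Dweblogic.management.pkpassword="
MAIN = "weblogic.Server"

def launch_tokens(script_text):
    """Tokens of the command that starts weblogic.Server, continuation lines joined."""
    joined = re.sub(r"[\\^]\r?\n", " ", script_text)    # sh continues with \, cmd with ^
    for line in joined.splitlines():
        if MAIN not in line or line.lstrip().lower().startswith(("#", "rem ", "::")):
            continue                                     # unrelated line or comment
        tokens = shlex.split(line, posix=False)          # posix=False keeps Windows paths intact
        if MAIN in tokens:
            return tokens
    return []

def audit_start_script(script_text, mode=0o700):
    """Return a list of findings; an empty list means nothing to fix."""
    tokens = launch_tokens(script_text)
    if not tokens:
        return ["no command launches " + MAIN]
    main_at = tokens.index(MAIN)
    prop_at = [i for i, t in enumerate(tokens) if t.strip("\"'").startswith(PROP)]
    findings = []
    if not prop_at:
        findings.append("pkpassword property is not set")
    elif prop_at[0] > main_at:
        findings.append("pkpassword comes after the main class, so java passes it "
                        "to the program as an argument, not as a system property")
    if prop_at and mode & 0o077:
        findings.append("script stores the key password in clear text and is "
                        "readable by group or other (mode %o)" % mode)
    return findings

# Constructed launch lines for illustration, not the shipped startPIA script.
GOOD = ("java -Dweblogic.Domain=peoplesoft -Dweblogic.Name=PIA \\\n"
        "  -Dweblogic.management.pkpassword=YourPrivateKeyPassword weblogic.Server\n")
BAD = ("java -Dweblogic.Name=PIA weblogic.Server "
       "-Dweblogic.management.pkpassword=YourPrivateKeyPassword\n")

if __name__ == "__main__":
    print(audit_start_script(GOOD, 0o755), audit_start_script(BAD))
```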
