Below is an outline of each section presented in this document. Note that if you have installed SSL before,
and/or if you are familiar with the process, then you may wish to jump straight to Chapter 3 for instructions on
installing a certificate to WebLogic. However, if you are not familiar with SSL and/or you are converting your
PeopleSoft environment from non-SSL to SSL, then you may find it helpful to review Chapters 1 and 2 first.
Chapter 1 (SSL Overview): provides an overview of SSL, SSL certificates and SSL on WebLogic.
Chapter 2 (Planning Steps): contains points to consider when configuring SSL in your PeopleSoft
environment.
Chapter 3 (Steps to Install/Renew SSL Certificate on WebLogic): provides detailed instructions for
creating, installing and configuring an SSL certificate on your WebLogic server.
Appendix A: contains a list of common SSL terms.
Appendix B: contains troubleshooting tips in the event that you encounter problems installing or
configuring SSL on WebLogic.
Appendix C: contains resources for additional SSL information.
This chapter provides an overview of SSL. Some of this information is complex and a bit confusing. It is not
necessary to review and/or fully understand this information in order to install a certificate on your WebLogic
server. However, you may find it helpful to review this and get a better understanding of SSL. You may also
find it helpful to review Appendix A, which contains SSL terminology, just so that you can get more familiar
with some of the SSL terms you may see when installing/configuring your SSL certificate.
Also, note that My Oracle Support contains an SSL Information Center with links to our SSL knowledge
documents. You may find this helpful if this document does not cover a specific SSL topic/issue that you are
interested in:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
WHAT IS SSL?
SSL allows for encrypted communication between the browser and web server, thus providing a more secure
environment. When SSL is installed on the web server, the browser communicates with the web server using
the https protocol (instead of http). In a nutshell, this is what occurs:
Browser sends a request to the web server for a secure page (this is done by specifying https in the browser
url instead of http)
Web server sends back its certificate, which contains its public key
The browser validates that the certificate was issued by a trusted certificate authority (eg Verisign) and uses
the public key to set up the encrypted session over which all further requests to the web server are sent.
You need to install the SSL Certificate on your web server in order for the browser to communicate with the
web server using https.
The SSL certificate is signed by a Certificate Authority (CA) such as Verisign. This allows for the browser to
verify the identity of the site before sending private information. Note that you can use your own certificate
software which allows you to sign your own certificates.
You can easily view the SSL certificate for any secure site as follows:
a. Go to the site using https
b. Click the padlock icon next to the url (these instructions are for the IE browser)
c. Then click the view certificate hyperlink and you will be able to see the certificate details
d. For example, if you go to the Oracle Software Delivery Cloud site using the url https://edelivery.oracle.com/
and click the padlock icon to view the certificate, you will see the following:
In the above example, the certificate is issued to www.oracle.com and was signed by GeoTrust.
e. By clicking on the Certification Path tab, you can see the entire certificate chain including the root
certificate, intermediate certificate(s) (if there are any) and the server certificate. For example, the
Certification Path tab for the above certificate shows the following:
The My Oracle Support SSL Information Center contains links to many Knowledge Documents pertaining to
installing, configuring and troubleshooting SSL on WebLogic:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
If you are switching from http to https access for your WebLogic server, it is possible that you may also need to convert
other PeopleSoft components to use https. So you should review your PeopleSoft environment for other potential areas
that may need to be reconfigured for https access. The requirements will vary depending on what component(s) you are using;
therefore we cannot provide a concise list of components to review. But below is a list of some common areas to
consider.
REN Server: If using this component, you are required to use https if you are accessing the PeopleSoft
application using https. See Document 1177643.1: Master Note for How to Configure SSL on REN Server
Report Server: If configuring SSL, refer to Document 617697.1: How to Configure HTTPS for Report
Distribution?
Integration Gateway: Refer to Document 1488269.1: How to enable PeopleTools 8.4x-8.5x Application Server to
use https Integration Gateway
Portal/Content Configuration: If you are using Enterprise Portal with other PeopleSoft applications, refer to
Document 784325.1: Content Provider Pagelet Shows "Unable To Get Document" Error On Portal Home Page
Using SSL
Note that the primary purpose of this document is to provide details on installing SSL on your WebLogic server, therefore
there is no in-depth coverage of other components. But we do want to make note of this since you may need to review
other components when preparing to install SSL on your web server.
If you have further questions and the information below does not help, then please open a Service Request for the
component you need help with (eg REN Server, Report Server, Integration Gateway, Portal).
b. You need to decide if you are going to use the same keystore alias name for the renewed certificate or if you
are going to create a new alias name. There are advantages/disadvantages to each approach. Our
recommendation is to create a new alias as this should make it easier to switch over to the renewed
2. Enter Keystore Password: You will be prompted for the keystore password. The default password is password. If
you are using PeopleTools 8.53 or newer release, then the first time you use pskeymanager, you will be forced to
change the password. Be sure to make note of the new password.
3. Enter Certificate Attributes: You will now be prompted for a series of information. Below is each field you are
prompted for, followed by a sample response along with details on what to enter:
i. Specify an alias for this certificate [PSOFTSRVR]? PSOFTSRVR
Note that the alias is merely a name that uniquely identifies each entry in the WebLogic keystore. You can use
any value, but don't put any spaces in the name. Many customers set the alias name to the same value as the host
name. If you are renewing a certificate, make note of the information in PART#1 Step 4.
ii. What is the common name for this certificate [PSOFTSRVR]? peoplesoft.mycompany.com
It is very important that you enter the proper value, as the common name must match the host name that the
user specifies in the browser url that they use to access the PeopleSoft application. For example, if the user
accesses the application using https://peoplesoft.mycompany.com/mysite/signon.html, then the common
name must be set to peoplesoft.mycompany.com. (If the names don't match, the browser issues a warning message.)
iii. What is the name of your organizational unit? Oracle
What you enter is strictly up to you and has no effect on WebLogic.
iv. What is the name of your organization? Global Support Services
What you enter is strictly up to you and has no effect on WebLogic.
v. What is the name of your City or Locality? Pleasanton
What you enter is strictly up to you and has no effect on WebLogic.
vi. What is the name of your State or Province? California
What you enter is strictly up to you and has no effect on WebLogic.
vii. What is the two-letter country code for this unit? US
What you enter is strictly up to you and has no effect on WebLogic.
viii. How many days should this certificate request be valid for [90]? 356
If you know how many days the certificate should be valid, enter it here (your Certificate Authority can override this
value for you if it should be different).
ix. What key size would you like to use [1024]? 2048
Most customers use 2048 key sizes. If you are uncertain, check with your Certificate Authority (note that many
Certificate Authorities no longer support 1024 key sizes).
x. What key algorithm would you like to use (RSA or DSA) [RSA]?
You must use the default value of RSA
xi. What signing algorithm would you like to use (MD5withRSA or SHA1withDSA) [MD5withRSA]?
Use the default value of MD5withRSA (the Certificate Authority will override this value if needed)
xii. Please enter a private key password to specify the certificate. Passw0rd
Enter a password. Be sure you make note of the password value as it is unrecoverable! You may want to use
the same value that you used for the keystore password which is entered when you launch pskeymanager.
4. Get a screen shot of information you enter: this step is optional, but you may want to get a screen shot of the
information you entered, when creating the certificate request (just in case you forget password, etc)
5. Confirm Information is correct. After you enter the above info, you will need to respond Yes to this response:
Is the above information correct (yes/no/quit) [yes] ?yes
After you respond yes to the above request, two things happen:
a. A unique private key is created and placed in the keystore file (pskey)
b. The certificate request is created. It is displayed to the screen and also stored in file. The file name is
displayed. Example:
6. Back up the pskey keystore file: Note that when you create the certificate request, a unique entry (called the private
key) is stored in the pskey keystore file. It is very important NOT to lose this entry, as the signed certificate must
match up to the private key/certificate request that was submitted to the Certificate Authority. If you accidentally
overwrite the private key entry, it cannot be recovered and you have to start over. So this step is very important and
we strongly encourage you to back up the keystore file. The file is located in:
<PS_CFG>/webserv/<DOMAIN_NAME>/piaconfig/keystore/pskey
So perhaps you could make a copy called pskey-after-CSR-request.
7. Submit the request to your Certificate Authority (CA): Send the request to your CA. Note that you can use an
external CA (eg Verisign, Entrust, Thawte, GoDaddy) or if your company has its own certificate signing tool, you can
sign your own certificate. After the certificate has been signed, you can move on to Part#3 (Import Signed Certificate
into WebLogic keystore)
At this point, you should have the signed certificate from your Certificate Authority. Follow the
steps below to import signed certificate into the WebLogic Keystore.
1. Verify that you backed up the pskey keystore file: You should have done this in Part#2 after creating the
certificate request, but if not, be sure that you've backed up pskey (in case you accidentally overwrite the private key
entry when you import the signed certificate into the keystore).
2. Get the Root and Intermediate certificates for your Signed Server Certificate:
When your Certificate Authority provided you with your signed certificate (aka Server Certificate), they should have
also given you the root certificate and any intermediate certificate(s) that are chained to the server certificate. You
need to make certain that you have all of this information. Sometimes the Certificate Authority does not provide all the
information and there are occasions where they may not give you the proper root and/or intermediate certificates for
your server certificate. But you can usually extract the information from your server certificate, to make certain you
are using the correct root and intermediate certificates. Even if you think you have all of the correct information, we
recommend you do the following:
a. Make certain that the server certificate file that your Certificate Authority provided has the extension .cer or
.crt
b. From Windows Explorer, double-click on the certificate file and it should display something like this:
Note: If you see a message like this (below) indicating there isn't enough info to verify the certificate, then you
will not be able to extract out the chain, as the root/intermediate(s) aren't installed on your desktop. If this
happens, then assume that the Certificate Authority provided you the proper root and intermediate(s) and
move on to step #3
c. Next, go to the tab titled Certification Path. You will see the root certificate, intermediate certificate(s) (if
there are any) and the server certificate.
In the example below, the certificate has a root (VeriSign), an intermediate (VeriSign Class3 International
Server CA G3) and the actual server certificate (issued to *.oracle.com)
d. Go to the Details tab and click the Copy to File button on the bottom right.
At the end of this step, you should know how many root and intermediate certificates the server certificate is using
and each certificate should be in a separate file
3. Create a Chain file which will contain the server certificate, root certificate and intermediate certificate(s) (if
there are any) into a single file
Using a text editor (eg Notepad or WordPad), create a single file that contains all of the certificates. The file should
contain the server certificate followed by intermediate certificate (if there is one) followed by root certificate. It is
very important to list the certificates in the right order.
If you have a server certificate, one intermediate certificate and a root certificate, the file will look something like this:
-------BEGIN CERTIFICATE---------
dfsfsdfdf
sfsdfwehdfhdf <---------server certificate
dgdfgfgfdg
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
hghjgfjgj
sfsdfwejjhdfhdf <---------intermediate
dgdfgiuiyuiuiyufgfdg
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
dfsfsmbvmvbmdfdf
sfsdetetrtyrfwehdfhdf <---------root CA
dgdfgnbnbvnvbfgfdg
--------END CERTIFICATE-----------
If you have a server certificate and a root certificate, the file will look something like this:
-------BEGIN CERTIFICATE---------
dfsfsdfdf
sfsdfwehdfhdf <---------server certificate
dgdfgfgfdg
--------END CERTIFICATE-----------
-------BEGIN CERTIFICATE---------
dfsfsmbvmvbmdfdf
sfsdetetrtyrfwehdfhdf <---------root CA
dgdfgnbnbvnvbfgfdg
--------END CERTIFICATE-----------
Make certain there are no extra carriage returns at beginning or end of the file! If there are, the import will fail!
4. Run pskeymanager import to Import the Root Certificate and any Intermediate Certificate(s):
a. Go to a command line prompt on the web server.
b. cd <PS_CFG>/webserv/<DOMAIN_NAME>/piabin
c. Run the command pskeymanager -import (for Unix/Linux use ./pskeymanager.sh -import)
d. When prompted for an Alias, enter anything, such as RootCA
e. When prompted for the name of the certificate file, enter the name of the root certificate file (that you created
in step#2 above)
f. If asked if you want to trust this file, respond yes
Note: The above step is typically not necessary. But we have found some situations where it is necessary to have the
root/intermediate certificates imported into the keystore as separate entries. So we suggest you complete the above
step just in case it is needed in your environment. It definitely does no harm to import these entries (even if they aren't
needed).
6. Validate keystore entry: This step is optional, but if you wish to view the new certificate entry in the WebLogic
keystore, you can do so using this command:
pskeymanager -list -verbose -alias peoplesoft (replace peoplesoft with your alias name)
The above command will show detailed information for the certificate that you imported. The beginning of the output
will look something like this:
Alias name: peoplesoft
Creation date: May 20, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=peoplesoft.oracle.com, OU=Oracle Support, O=Oracle, L=Pleasanton, ST=California, C=US
Issuer: CN=PeopleTools TEST root CA, DC=peoplesoft, DC=com, OU=PeopleTools Development, O=PeopleSoft Inc,
L=Pleasanton, ST=CA, C=US
Serial number: 364c9410000000001f6d
Valid from: Mon May 20 09:54:10 PDT 2013 until: Tue May 20 10:04:10 PDT 2014
The main items to check are:
Entry type: Entry type should be the value PrivateKeyEntry. If it shows another value such as
trustedCertEntry, then something went wrong and you need to restore pskey (to get back to where it was at the
beginning of Part 3) and start over.
Certificate chain length: this should have a value of 2 or higher, depending on how many entries are in the
certificate chain. For the example above, there is just a server certificate and a root certificate, thus the value is 2.
7. At this point you are ready to move on to Part #4 which is to configure WebLogic to use your new certificate
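The two checks above (entry type and chain length), plus the validity dates that the same listing prints, can be read off the output mechanically. The following is an added example, not part of this document or of the pskeymanager tool: a Python parser for the verbose listing, fed a constructed copy of the output shown above, that reports the findings a practitioner would act on. It assumes the listing also carries keytool's "Signature algorithm name" line (pskeymanager is a wrapper around keytool, and keytool's verbose listing prints that line), which lets it flag a certificate the CA signed with MD5 or SHA-1; the algorithm value in the sample is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample listing, modelled on the output shown in the document. The
# "Signature algorithm name" line is added to exercise the algorithm check.
SAMPLE_LISTING = """\
Alias name: peoplesoft
Creation date: May 20, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=peoplesoft.oracle.com, OU=Oracle Support, O=Oracle, L=Pleasanton, ST=California, C=US
Issuer: CN=PeopleTools TEST root CA, DC=peoplesoft, DC=com, OU=PeopleTools Development, O=PeopleSoft Inc, L=Pleasanton, ST=CA, C=US
Serial number: 364c9410000000001f6d
Valid from: Mon May 20 09:54:10 PDT 2013 until: Tue May 20 10:04:10 PDT 2014
Signature algorithm name: SHA256withRSA
"""


def _keytool_date(s):
    """'Mon May 20 09:54:10 PDT 2013' -> datetime. The weekday and zone tokens are
    dropped because strptime's %Z accepts only a handful of zone names."""
    p = s.split()
    return datetime.strptime(" ".join(p[1:4] + p[5:6]), "%b %d %H:%M:%S %Y")


def parse_listing(text):
    """Pull the fields the document says to check out of a verbose keystore listing."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "Valid from":
            start, _, end = value.partition(" until: ")
            fields["valid_from"], fields["valid_until"] = _keytool_date(start), _keytool_date(end)
        elif key == "Certificate chain length":
            fields["chain_length"] = int(value)
        elif key in ("Alias name", "Entry type", "Owner", "Issuer", "Signature algorithm name"):
            fields.setdefault(key, value)      # first occurrence belongs to the server certificate
    m = re.search(r"CN=([^,]+)", fields.get("Owner", ""))
    fields["cn"] = m.group(1) if m else None
    return fields


def audit_listing(text, expected_alias, today, warn_days=30):
    """Return findings for the listing as of `today` (YYYY-MM-DD); an empty list means the entry looks right."""
    f = parse_listing(text)
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    if f.get("Alias name") != expected_alias:
        findings.append("alias %r listed, expected %r" % (f.get("Alias name"), expected_alias))
    if f.get("Entry type") != "PrivateKeyEntry":
        findings.append("entry type %s instead of PrivateKeyEntry: restore pskey and re-import"
                        % f.get("Entry type"))
    if f.get("chain_length", 0) < 2:
        findings.append("chain length %s: signed certificate is not linked to the private key"
                        % f.get("chain_length"))
    if "valid_until" in f:
        if now > f["valid_until"]:
            findings.append("certificate expired on %s" % f["valid_until"].date())
        elif now + timedelta(days=warn_days) > f["valid_until"]:
            findings.append("certificate expires within %d days, on %s" % (warn_days, f["valid_until"].date()))
        if now < f["valid_from"]:
            findings.append("certificate is not valid before %s" % f["valid_from"].date())
    sig = f.get("Signature algorithm name", "")
    if sig.upper().startswith(("MD5", "SHA1")):
        findings.append("signature algorithm %s is deprecated; ask the CA for a SHA-2 signature" % sig)
    return findings


if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING, "peoplesoft", "2013-06-01") or "entry looks right")
```

Run it against the saved output of the list command and your alias name; the expiry warning is the one check worth scheduling, since a certificate that passes every other check today will still take the site down on the date in "until:".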
At this point, you should have the signed certificate in your WebLogic keystore. Follow the
steps below to configure WebLogic to use the signed certificate
1. Back up config.xml: If you've not already backed up the config.xml file, you may want to do so now, so that you can
go back to the original configuration if needed. The config.xml file is located in
<PS_CFG>/webserv/<DOMAIN_NAME>/config
f. In the bottom portion of the page, you will need to do the following:
i. Validate that the Custom Identity Keystore field and Custom Trust Keystore field are set to the correct
value (these values should NOT need to be changed, unless you chose to import the certificate to a keystore
other than the standard pskey keystore delivered with PeopleSoft).
ii. Enter the Keystore Passphrase in the Identity and Trust sections. Note that this is the keystore
password. In other words, it is the password you enter when using pskeymanager. Note that you'll need to
enter the password in four fields:
Example:
5. Activate the WebLogic Configuration Changes: Click Activate Changes button on top left page. The WebLogic
PIA will immediately pick up the changes.
2. If you get a browser pop-up warning and/or you get any sort of error such as cannot display the webpage then
please refer to Appendix B of this document (see section Failure Accessing PeopleSoft Application after Configuring
SSL). Note: if you are testing on a different environment than where you will ultimately be using the SSL certificate,
then it is ok if you get a browser pop-up warning as the certificate may not match to the host name in the browser url
3. If you are able to successfully access the PeopleSoft application, then this is a good indication that the certificate was
successfully installed. But you may still want to view the certificate just to validate that the application is using the
newly installed certificate. This can be done as follows:
a. Click padlock icon next to browser url (these instructions are for IE browser)
b. Then click view certificate hyperlink and you will be able to see the certificate details
c. You should then be able to verify the certificate from these details. For example, the screen below shows
that WebLogic is using a certificate issued to driver-pc.us.oracle.com that is valid until 5/20/2014
The steps below are required only if there are situations where other PeopleSoft components, such as
Report Server are attempting to communicate with the web server using https protocol. If you are not
certain whether this situation exists in your environment, then we recommend you implement this step
as it does no harm to add the certificate to your PeopleSoft database (ie Digital Certs page) even if you
are not using it
1. Log into PeopleSoft Application
2. Go to PeopleTools -> Security -> Security Objects -> Digital Certificates page
3. If there is no entry for the root certificate that the WebLogic certificate is using, then do the following:
4. Press the + symbol to add the root certificate
5. Select Root CA from the dropdown menu
6. Fill in the Issuer and Alias fields (use any value. Example Thawte 2048 Root)
7. Import (or add) the certificate by pressing on the 'Add Root' hyperlink
8. Paste in the root certificate. Note that if your server certificate has both a root and intermediate certificate, then
you should import both the intermediate and root certificate in this order:
-----BEGIN CERTIFICATE-----
character string <------------ intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
character string <------------ root CA
-----END CERTIFICATE-----
9. Save changes
10. You may need to restart components (eg App Server, Process Scheduler) to pick up this change
This section contains many SSL terms along with their meaning.
CA (Certificate Authority): This is the organization that issues (ie "signs") your certificate.
Common CAs are VeriSign, Entrust, GoDaddy and Thawte. Note that you can also purchase a
certificate signing tool and sign your own certificates, in which case you are your own Certificate
Authority.
Chain Certificate: This term is sometimes used to refer to the entire SSL certificate which is
comprised of the following:
-Root Certificate
-Intermediate Certificate(s) (not all certificates contain an intermediate certificate)
-Server Certificate
Cipher Suite: the combination of algorithms (key exchange, encryption and integrity check) that a
connection uses to protect information. Refer to document 660309.1 if you wish to change the cipher
suites that your WebLogic server is using.
CN (Common Name): this is who the certificate is issued to. It needs to match the hostname
that is used in the browser url when accessing the PeopleSoft application. So if you access the
PeopleSoft application using https://peoplesoft.mycompany.com/ps/signon.html, then the
certificate's common name is "peoplesoft.mycompany.com".
CSR (Certificate Signing Request): A CSR is a file sent to a certificate authority in order to apply
for a certificate. The CSR file includes information such as common name, organization, etc.
(you create the CSR using pskeymanager tool). The certificate is created from the CSR.
Demo Cert: This is a certificate that is delivered with the web server. It does not have a certificate
authority associated with it. You can use the certificate, but the browser will issue a warning stating
that it is not a trusted certificate. If you are unable to access the PeopleSoft environment using
the demo certificate, refer to document 1499938.1.
Hash Algorithm: The algorithm used to secure the certificate. The most common is SHA. But
recently a new algorithm was released, called SHA2 (see doc 1225455.1 for more details)
Intermediate CA: This is an additional CA certificate, issued by the Root CA, that sits between the
root and the server certificate and adds an extra layer of security. Most, but not all, Certificate
Authorities (CAs) issue an intermediate certificate. Some CAs issue multiple intermediate certificates.
One-way SSL: This is when a certificate is installed ONLY on the server (WebLogic). With one-way
SSL, the server passes its certificate and CA chain to the browser. The browser trusts the CA
that issued the server certificate. 99% of our customers use One-Way SSL, however a few use
Two-Way SSL (see description of "Two-Way" SSL below).
Private Key: this is a unique entry placed in the keystore when a CSR is created. (The matching
public key goes into the CSR, and it is that public key which the Certificate Authority signs into
your certificate.) The SSL private key is used to decrypt the data passed over the SSL connection.
Protocols: This refers to the encryption protocol. There are different protocols including SSLv2,
SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. The most common protocols are "TLS1.0" and "SSLv3".
SSLv2 is an older protocol and usually not used anymore. TLS 1.1 and 1.2 are newer protocols
and are supported starting with PeopleTools 8.53. If you wish to change the protocols your web
server is using, refer to document 664126.1.
Copyright 2012 Oracle, Inc. All rights reserved.
pskeymanager.cmd/sh: This is an Oracle "Wrapper Script" to the java keytool. Note that it is not
necessary to use pskeymanager and you can use keytool instead. However, you may find
pskeymanager more user friendly as it builds the arguments for the keytool command after
prompting you for necessary information. Also, pskeymanager is configured to use the pskey
file to store keystore information, which is a PeopleSoft standard.
Root Certificate (aka "Root CA" or "Trusted CA"): This is a public version of the certificate
containing only the public key. The Root certificate is the top most portion of the certificate chain.
It is provided by the Certificate Authority.
SAN (Subject Alternative Name): This is a type of certificate that allows you to assign multiple
host names to a single certificate. A SAN Certificate is also sometimes referred to as a "Multi-Domain"
certificate or "Unified Communications Certificate (UCC)". These certificates are
currently not supported in PeopleSoft.
Signature Algorithm (aka Signing Algorithm): This is the algorithm used to sign the certificate.
DSA and RSA are different types of signing algorithms. We support RSA.
SSL Handshake: This term is often used to refer to the communication between client (eg
browser) and server (eg WebLogic) at initial communication when the client and server exchange
information and server authenticates itself to the client.
Two-way SSL: this is when a certificate is installed on both the client (browser) and the server
(WebLogic). BOTH sides (ie browser and WebLogic server) pass certificates to each other to
establish communication. So both sides know the identity of each other from their respective
certificates. It is extremely rare to see PeopleSoft customers use two-way SSL. Typically, one-way
SSL is used.
Wildcard Certificate: A wild-card certificate allows you to secure multiple domains with the same
certificate. For example, you could use the same certificate for the following websites, by issuing
your certificate to *.mycompany.com
https://peoplesoft.mycompany.com
https://support.mycompany.com
https://sales.mycompany.com
Wildcard certificates were previously not supported with WebLogic, but they are supported starting
with WebLogic 10.3.6. Even though they aren't supported with older WebLogic versions, they
usually work fine in a PeopleSoft environment.
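The name-matching rule that runs through this document (the common name in Chapter 3, Part 2, step ii, the CN entry above, and the wildcard entry just above) is small enough to write down exactly, which makes it easy to check a planned certificate name against the URL users will type before paying a CA for it. The following is an added example, not code from this document or from PeopleSoft: a Python matcher that applies the usual browser rules (case-insensitive comparison, a wildcard only as the whole left-most label and matching exactly one label). It goes slightly beyond the page in accepting a list of names, so the same check works for a SAN certificate where one is in use; the URLs in the usage lines are constructed.

```python
from urllib.parse import urlsplit


def hostname_matches(pattern, hostname):
    """Does a name carried by a certificate (CN, or a SAN dNSName) cover this host name?

    Rules applied: case-insensitive; a trailing dot is ignored; a wildcard is accepted
    only as the entire left-most label, must leave at least two fixed labels, and matches
    exactly one label. So *.mycompany.com covers peoplesoft.mycompany.com but neither
    mycompany.com nor a.b.mycompany.com, and patterns such as *.com or peo*.mycompany.com
    are rejected outright.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h:               # empty label: malformed name or empty input
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def certificate_covers(names, hostname):
    """names: the CN plus any SAN dNSNames the certificate carries."""
    return any(hostname_matches(n, hostname) for n in names)


def url_covered(names, url):
    """Check the host part of the URL users type (port and path ignored) against the certificate names."""
    host = urlsplit(url).hostname
    return host is not None and certificate_covers(names, host)


if __name__ == "__main__":
    # Constructed inputs: the document's own example host name and a wildcard.
    print(url_covered(["peoplesoft.mycompany.com"], "https://peoplesoft.mycompany.com/mysite/signon.html"))
    print(url_covered(["*.mycompany.com"], "https://mycompany.com/"))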

If you receive an error when running the command pskeymanager -import, start by checking the following:
Verify there are no extra carriage returns at beginning or end of the chain file that you are importing.
Verify that the chain certificate contains files in the correct order:
o The server certificate should be at top of file
o The intermediate certificate should be next (if there is one)
o The root certificate should be at end of file
Verify that the signed certificate that you are importing, was created for the certificate request that you
sent to your Certificate Authority.
If the above information doesn't help, refer to the Troubleshoot tab of the SSL Information Center:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
There is a section in the Troubleshoot tab called Issues using pskeymanager script and it contains a list of
common errors, when using pskeymanager, and how to correct the problem.
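The first two checks in the list above (no stray blank lines, certificates in server / intermediate / root order) are the chain-file rules from Chapter 3, Part 3, step 3, and both can be verified before the import is attempted. The following is an added example, not part of this document or of the pskeymanager tool: a Python checker that rejects leading and trailing blank lines and text outside the markers, decodes each PEM block, reads the subject and issuer out of the DER with a minimal parser (no third-party library), and confirms that each certificate is issued by the one after it, with a self-signed root last. The certificates it runs on are constructed placeholders that follow the X.509 field layout but carry no real key or signature, and it expects the standard five-dash BEGIN/END markers rather than the dash counts drawn in the illustrations earlier in the document.

```python
import base64
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID 2.5.4.3 (CN), UTF8String }
    atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def synthetic_cert_pem(subject_cn, issuer_cn):
    """Constructed stand-in certificate: real tbsCertificate field order, dummy key and signature."""
    sig_alg = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")
    validity = _der(0x30, _der(0x17, b"130520095410Z") + _der(0x17, b"140520100410Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00\x00\x00\x00\x00"))
    b64 = base64.b64encode(der).decode()
    return BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + END + "\n"


def _cn_of(name_content):
    """Return the CN attribute from the content bytes of a Name SEQUENCE."""
    pos = 0
    while pos < len(name_content):
        _, rdn, pos = _tlv(name_content, pos)
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        if oid == b"\x55\x04\x03":
            return val.decode()
    return None


def subject_issuer(der):
    """Return (subject CN, issuer CN) of one DER-encoded certificate."""
    tag, cert, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)        # [0] EXPLICIT version, or the serial if version is absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)    # serial number
    _, _, pos = _tlv(tbs, pos)        # signature algorithm
    _, issuer, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)        # validity
    _, subject, _ = _tlv(tbs, pos)
    return _cn_of(subject), _cn_of(issuer)


def check_chain_file(text):
    """Return the problems found in a PEM chain file; an empty list means it is OK."""
    problems = []
    if text.startswith(("\n", "\r\n")):
        problems.append("extra blank line at start of file")
    if text.endswith(("\n\n", "\r\n\r\n")):
        problems.append("extra blank line at end of file")
    blocks, current = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if line == BEGIN:
            current = []
        elif line == END and current is not None:
            blocks.append("".join(current))
            current = None
        elif current is not None:
            current.append(line.strip())
        elif line.strip():
            problems.append("line %d is outside the BEGIN/END markers: %r" % (n, line))
    names = []
    for i, b64 in enumerate(blocks, 1):
        try:
            names.append(subject_issuer(base64.b64decode(b64, validate=True)))
        except Exception as exc:
            problems.append("certificate %d does not decode: %s" % (i, exc))
    for i in range(len(names) - 1):   # each certificate must be issued by the one after it
        if names[i][1] != names[i + 1][0]:
            problems.append("certificate %d (%s) is not issued by certificate %d (%s): wrong order?"
                            % (i + 1, names[i][0], i + 2, names[i + 1][0]))
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate (%s) is not self-signed: the root CA belongs at the end" % names[-1][0])
    return problems


# Constructed sample chain in the order the document requires: server, intermediate, root.
SERVER = synthetic_cert_pem("peoplesoft.mycompany.com", "Example Intermediate CA")
INTERMEDIATE = synthetic_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = synthetic_cert_pem("Example Root CA", "Example Root CA")
GOOD_CHAIN = SERVER + INTERMEDIATE + ROOT
BAD_CHAIN = "\n" + ROOT + INTERMEDIATE + SERVER       # leading blank line and reversed order
```

Point check_chain_file at the text of the chain file you assembled in the editor; an empty result means the file is in the shape the import expects, and each reported problem names the certificate (by position and CN) that is out of place.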
If you are unable to access the PeopleSoft application (using https) and/or if you get any sort of browser pop-up
warnings, then please check the following:
If you get a browser pop-up warning, refer to the following knowledge document:
Doc ID 652529.1: Browser Displays SSL Warning Messages when Logging into PeopleSoft Application.
Occurs after Installing SSL Certificate on Web Server
Note that it is ok if you get a browser pop-up warning if you are testing the certificate in another
environment (other than where the certificate will ultimately be installed), as the certificate's common
name won't match the host name in the browser url.
If you get a Cannot display the webpage error, then this means that WebLogic was unable to successfully
load the new certificate and bind to the https port. To get details on cause of problem, do the following:
1. Go to <PS_HOME>/webserv/<DOMAIN_NAME>/servers/PIA/logs
2. Open file PIA_weblogic.log
3. Go to end of file and check for errors when the WebLogic PIA was restarted (you might want to search for string
alias or string private key to get to the section where WebLogic attempts to load the certificate). Below are
some of the more common errors and what they mean. You may want to search your log to see if any of the
messages are present:
No identity key/certificate entry was found under alias: This error indicates that you configured the wrong
alias name (in the WebLogic console) or else the keystore entry is not recognized as a server certificate.
Refer to document 638359.1 for more details
Keystore was tampered with, or password was incorrect: This error indicates that you configured the
wrong keystore password (in the WebLogic console). Try re-entering the keystore password (following the
instructions in Chapter 3, Part#4, Step 3) and then restart the WebLogic PIA. If this doesn't fix the problem,
refer to document 843937.1 for more details.
Inconsistent security configuration: This message usually means that you configured the wrong private
key password (in the WebLogic console). Try re-entering the private key passphrase (following the
instructions in Chapter 3, Part#4, Step 4) and then restart the WebLogic PIA. If this doesn't fix the
problem, refer to document 753709.1 for more details.
If the above information doesn't help, refer to the Troubleshoot tab of the SSL Information Center:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
There is a section in the Troubleshoot tab titled Issues Starting and/or Accessing WebLogic After
Configuring SSL and it contains a list of all known problems that may result in problems accessing the
PeopleSoft application after configuring SSL.
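The three log messages listed above map one-to-one onto a probable cause and a knowledge document, so the search through PIA_weblogic.log can be scripted rather than done by eye. The following is an added example, not part of this document or of WebLogic: a Python triage routine that scans the log from the most recent restart onward and reports any of the three messages with the cause the document gives. The log lines it runs on are constructed for the example, and the string used to spot a restart ("Starting WebLogic Server") is an assumption; set RESTART_MARKER to whatever line your log prints when the PIA starts.

```python
import re

# Each entry: message text quoted in the document, probable cause, knowledge document it cites.
KNOWN_ERRORS = [
    ("No identity key/certificate entry was found under alias",
     "wrong alias name configured in the WebLogic console, or the keystore entry is not a server certificate",
     "638359.1"),
    ("Keystore was tampered with, or password was incorrect",
     "wrong keystore password configured in the WebLogic console", "843937.1"),
    ("Inconsistent security configuration",
     "wrong private key password configured in the WebLogic console", "753709.1"),
]

# Assumed restart indicator; change it to match the line your PIA log prints on start-up.
RESTART_MARKER = "Starting WebLogic Server"

# Constructed sample log: an older start that failed on the private key password, then
# the latest start failing on the keystore password. Only the latest start should be reported.
SAMPLE_LOG = """\
####<May 20, 2013 10:11:58 AM PDT> <Notice> <WebLogicServer> <Starting WebLogic Server with ...>
####<May 20, 2013 10:12:03 AM PDT> <Error> <Security> <Inconsistent security configuration - ...>
####<May 20, 2013 10:30:00 AM PDT> <Notice> <WebLogicServer> <Starting WebLogic Server with ...>
####<May 20, 2013 10:30:05 AM PDT> <Error> <Security> <Keystore was tampered with, or password was incorrect>
####<May 20, 2013 10:30:06 AM PDT> <Notice> <WebLogicServer> <Server state changed to FAILED>
"""


def last_restart_index(lines, marker=RESTART_MARKER):
    """0-based index of the most recent restart marker (0 if none), so only the latest start is scanned."""
    start = 0
    for i, line in enumerate(lines):
        if marker in line:
            start = i
    return start


def triage_log(text, latest_start_only=True):
    """Map the known SSL start-up errors found in the log text to their probable cause."""
    lines = text.splitlines()
    first = last_restart_index(lines) if latest_start_only else 0
    findings = []
    for n, line in enumerate(lines[first:], first + 1):
        for message, cause, doc in KNOWN_ERRORS:
            if re.search(re.escape(message), line, re.IGNORECASE):
                findings.append({"line": n, "message": message, "cause": cause, "doc": doc})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("line %(line)d: %(message)s -> %(cause)s (see document %(doc)s)" % f)
```

Read the whole log file into a string and pass it to triage_log; restricting the scan to the latest start matters because a log that has seen several failed restarts will otherwise report causes you have already fixed.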