Import certificate - Weblogic


Thread: Import certificate

  1. Import certificate

    I'm using two-way ssl communication in my system, and I'd like to have a registration form which allows users to upload their certificates. I can load the certificates in the certificate store, but I don't know how to reload it in the WLS. WLS loads them in at startup.
    Does anyone know a way to manage this?
    Thanks in advance!
    Mike

  2. Re: Import certificate


    In 810 and earlier if you modify the keystore, you need to reboot the server in
    order for the changes to affect the SSL server, or SSL clients running on WLS.
    The next version will allow changes to SSL config to take effect dynamically without
    the server reboot.
    If you need this to change the trust of your SSL clients running on server you
    might be able to work around this with a custom TrustManager.

    Pavel.




  3. Re: Import certificate


    Thanks! My problem is that I need to update somehow not the client's but the WLS
    server's truststore, without restarting the server. Is it possible to define a
    custom TrustManager for the server?
    Mike




  4. Re: Import certificate


    No, defining custom TrustManager for the WLS SSL server is not supported in 810.

    Pavel.




  5. Re: Import certificate


    Thanks, meanwhile I realized it.
    Our customer really would like to have two-way ssl in his environment, with the
    feature of client registration with certificates.
    Do you have an idea which version of WLS will provide the dynamically handled
    keystores?
    Thanks for all!
    Mike





  6. Re: Import certificate


    The next 9.x version will have a way to restart SSL server and make it reload SSL
    config without rebooting WLS.

    Do you intend to add client certs one by one to the server trust keystore? Seems
    like an unconventional way of doing this. You might be able to simply configure
    the server to trust the CAs that issued the client certs, and do additional certificate
    checks in the IdentityAsserter. You could plug in a custom IdentityAsserter if
    necessary.

    Pavel.




  7. Re: Import certificate


    I decided to import client certs in the store because I don't have information
    about the CAs that issued the client certs. So you advise to use the 'cacerts'
    trusted CA store instead of a custom store? In that case, if a client connects
    with a cert issued by e.g. Verisign, will the handshake go properly?
    Thanks, Mike!




  8. Re: Import certificate


    Yes, you only need to configure your server to trust a list of trusted CAs.
    During the handshake the client can submit a chain of one or more certs, and the SSL impl
    will try to complete it until it includes a trusted CA.
    Importing end certificates into the trust keystore for every trusted client does not
    scale.

    Pavel.


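    The model Pavel describes here and in his earlier IdentityAsserter suggestion (the server truststore holds only the issuing CAs, the handshake completes the client's chain up to one of them, and per-client registration is a separate application-level check), as an added Go example that is not part of this thread or of WebLogic: registering a new client touches only the fingerprint registry, never the trust store, so no restart is needed. The CA, the client certs, the names and the `Registry`, `VerifyChain` and `Authorize` functions are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed demo cert: a self-signed CA when isCA is set, otherwise a client
// (end-entity) cert signed by parent. Demo-only shortcuts, not production issuance code.
func issue(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, pk = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Registry is the application-level list of registered clients keyed by SHA-256 fingerprint of the end-entity cert.
type Registry map[string]string

func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// VerifyChain does what the SSL layer does at the handshake: take the chain the client sent
// (leaf first, then any intermediates) and try to complete it up to a CA in the trust store.
func VerifyChain(chain []*x509.Certificate, roots *x509.CertPool) error {
	if len(chain) == 0 { return fmt.Errorf("no client certificate presented") }
	inter := x509.NewCertPool()
	for _, c := range chain[1:] { inter.AddCert(c) }
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Authorize is the two-step check: CA trust first, then the per-client registration lookup an identity asserter would do.
func Authorize(chain []*x509.Certificate, roots *x509.CertPool, reg Registry) (string, error) {
	if err := VerifyChain(chain, roots); err != nil { return "", err }
	if user, ok := reg[Fingerprint(chain[0])]; ok { return user, nil }
	return "", fmt.Errorf("certificate chains to a trusted CA but is not registered")
}

// NewDemo returns constructed sample data: a trust store holding only the customer CA, the
// registry, and the chains three clients would present (carol is registered, but her CA is not trusted).
func NewDemo() (*x509.CertPool, Registry, map[string][]*x509.Certificate) {
	ca, caKey := issue("Customer CA", true, nil, nil)
	other, otherKey := issue("Unrelated CA", true, nil, nil)
	alice, _ := issue("alice", false, ca, caKey)
	bob, _ := issue("bob", false, ca, caKey)
	carol, _ := issue("carol", false, other, otherKey)
	roots := x509.NewCertPool(); roots.AddCert(ca) // CAs only, never individual client certs
	reg := Registry{Fingerprint(alice): "alice", Fingerprint(carol): "carol"}
	return roots, reg, map[string][]*x509.Certificate{"alice": {alice, ca}, "bob": {bob}, "carol": {carol, other}}
}
```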

  9. Re: Import certificate


    Thanks for your answers!
    Where can I find something about two-way ssl in a clustered environment? Do we
    need extra security configs?
    Mike.




  10. Re: Import certificate


    Here is a link to docs about SSL configuration in 8.1: http://bernal/stage/wls/docs81/secma...l.html#1185171

    Pavel.



