
Upgrading Security
BEA WebLogic Server 7.0 Upgrade Guide 1-13
keytool -import -trustcacerts -alias <some alias name>
    -file <the file that contains the trusted CA>
    -keystore <the trusted CA keystore>
    -storepass <your trusted CA keystore password>
The trusted certificate authority shipped with WebLogic Server is located in
WL_HOME/server/lib/cacerts. Use the following command to add the trusted
certificate authority that is shipped with WebLogic Server to a keystore:
keytool -import -trustcacerts -alias <some alias name>
    -file <the file that contains the trusted CA>
    -keystore WL_HOME/server/lib/cacerts
    -storepass changeit
For more information about keytool, see Sun's website at
http://java.sun.com/products/jdk/1.2/docs/tooldocs/solaris/keytool.html.
For clients, the weblogic.security.SSL.trustedCAKeyStore command-line argument
defaults to the JDK's jre/lib/security/cacerts keystore. You can either add your CAs
to the JDK's trusted CA keystore and omit the command-line argument, or create your
own trusted CA keystore and point to it with the argument.
For two-way SSL (mutual authentication), in addition to performing the previous two
steps on the client side, do either of the following on the server side:
  - Add -Dweblogic.security.SSL.trustedCAKeyStore=absoluteFilename to the server
    command line, where absoluteFilename is the absolute path of the trusted CA
    keystore.
  OR
  - Set the RootCAKeyStoreLocation attribute when configuring a Keystore provider.
If you do not load the trusted CA certificate into the trusted CA Keystore, you may
have problems using the secure port.
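One way to verify that caveat without running keytool is to read the keystore file directly. The following is an added example, not part of the BEA guide: it parses the JKS format that keytool writes (version-2 stores), checks the password-keyed integrity trailer when the store password is supplied, and reports whether an alias is present as a trusted-certificate entry. The build_jks helper only constructs sample input; the function names are assumptions, not WebLogic or JDK APIs.

```python
import hashlib
import struct
from typing import Dict, Optional, Tuple

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2      # big-endian file marker; keytool writes version 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2    # entry tags
_utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()   # Java writeUTF encoding

def build_jks(trusted: Dict[str, bytes], password: str) -> bytes:
    """Constructed sample input: a version-2 JKS holding only trusted-certificate entries."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted))
    for alias, der in trusted.items():      # keytool stores aliases lowercased
        body += struct.pack(">I", TAG_TRUSTED_CERT) + _utf(alias.lower()) + struct.pack(">Q", 0)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    # integrity trailer: SHA-1(store password as UTF-16BE || "Mighty Aphrodite" || body)
    return body + hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def read_jks(data: bytes, password: Optional[str] = None) -> Dict[str, Tuple[str, bytes]]:
    """Parse a JKS file into {alias: (kind, DER cert)}, kind being 'trusted' or 'key'."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        chunk, pos = data[pos:pos + n], pos + n
        return chunk
    u = lambda fmt: struct.unpack(fmt, take(struct.calcsize(fmt)))[0]
    utf = lambda: take(u(">H")).decode("utf-8")
    blob = lambda: take(u(">I"))
    if u(">I") != JKS_MAGIC or u(">I") != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries: Dict[str, Tuple[str, bytes]] = {}
    for _ in range(u(">I")):
        tag, alias, _created_ms = u(">I"), utf(), u(">Q")
        if tag == TAG_TRUSTED_CERT:                 # cert type ("X.509"), then the DER cert
            entries[alias] = ("trusted", (utf(), blob())[1])
        elif tag == TAG_PRIVATE_KEY:                # protected PKCS#8 key, then its cert chain
            blob()
            chain = [(utf(), blob())[1] for _ in range(u(">I"))]
            entries[alias] = ("key", chain[0] if chain else b"")
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    if password is not None:                        # verify the trailer when the password is known
        expect = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + data[:pos]).digest()
        if data[pos:pos + 20] != expect:
            raise ValueError("integrity check failed: wrong store password or tampered keystore")
    return entries

def has_trusted_ca(keystore: bytes, alias: str, password: Optional[str] = None) -> bool:
    entry = read_jks(keystore, password).get(alias.lower())    # match keytool's lowercasing
    return entry is not None and entry[0] == "trusted"
```

Without a password the parser still lists entries but cannot detect a modified file, so pass the store password (changeit for the shipped cacerts) when the check matters.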
Using CertAuthenticator in Compatibility Security
In WebLogic Server 7.0, the CertAuthenticator is called first, before any
username/password authentication. Because this is a change in behavior from
WebLogic Server 6.x, a CertAuthenticator written for WebLogic Server 6.x may need
to be changed if clients used two-way SSL and also supplied a username and
password as security credentials.