enabling SSL on weblogic

Question

Is this enough to enable SSL on weblogic server?

Open console > Environment > Servers > open a managed server where your application is deployed > check 'SSL Listen Port Enabled' checkbox.

Once I did that, I could open my application on HTTPS using HTTPS port.

Why I am asking this question because on this page: http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/ssl.html

In section - Configuring SSL, they're not suggesting this simple step.

I understand that by enabling SSL using the way I did, I am using weblogic's default certificate, but for testing I don't mind that.

Please confirm.

Thanks.

Answer 1

The short answer is yes. As you've said, you certainly don't want to use the demo certificate in production.

The reason why that simple step isn't mentioned is that it's covered in the "Configure Listen Ports" page. Turning on the SSL listen port is comparable to adding "Listen 443" in an apache config. It means you can communicate over SSL, but doesn't force it or stop listening for HTTP.

One other thing - the Weblogic version in the documentation you posted was 8.1. I'm not sure if you intended it to be such an old version, so here's the same page for 11g: http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm

Answer 2

Yes...you can enable SSL in that way...If you do like that it will load demo trustedstore and keystore and validates whenever client hits the url via ssl then these demo certs will be validated....

It's good practice to have a customized certs for your applications...

Answer 3

You might want rather to script that using wlst:

connect('${username}','${password}','t3://${hostname}:${port}')
edit()
cd('/Servers/${server}/SSL/${server}')
cmo.setEnabled(true)
cmo.setListenPort(${port})
save()
activate(block="true")
disconnect()

The ${server} value can be found as folder name under your domain home, e.q. AdminServer

Answer 4

Yes, it worked for me... Until I had my browsers updated. Now the latest versions of browsers won't allow this anymore and you will get something like:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) in Firefox

Unable to connect securely to the server. This website may have worked previously, but there is a problem with the server. Connecting to such sites weakens security for all users and thus has been disabled. in Chrome

So now you need to generate those certificates. By the way, make sure to generate 2048 bit keys because otherwise you will get some other errors like too weak keys.