Monday

How SSL is configured in PeopleSoft

Here are the steps to configure SSL in PeopleSoft -

1. Generate webserver's private key and certificate signing request (CSR).
2. Submit CSR to your CA for signing.
3. Download the root certificate and intermediate CA certificates.
4. Download SSL certificate.
5. Import certificates into keystore.
6. Configure the Oracle WebLogic Server to use the keystore.
7. Configure the PeopleSoft certificates.
 
1. Generate webserver's private key and certificate signing request (CSR) -
1) Back up the existing pskey file -
    PS_HOME/<webdomain>/piaconfig/keystore$ cp -p pskey pskey_ori
2) Change directory to piabin, then create the keystore or change the keystore password by issuing the command -

$ ./pskeymanager.sh -create -storepass password
$ ./pskeymanager.sh -changekeystorepassword -new pshr9152 -storepass password

Provide values for the prompts -
- Specify an alias for this certificate.
- Specify a common name for this certificate.
- Answer the organization-specific questions.
- What key size would you like to use - 2048
- What key algorithm would you like to use - RSA
- What key signing algorithm would you like to use - MD5withRSA
- Enter a private key password - <your_password>
 
Generating private key... 
.... 
Generating Certificate signing request 'CSR'.
Certificate signing request also written to <alias>-certreq.txt 
 
* The Certificate Signing Request (CSR) text file generated above should not contain any blank or trailing spaces.
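
The whitespace requirement above can be checked mechanically before the file goes to the CA. The script below is an added example, not part of the original post or of PeopleSoft's tooling; the function names `check_csr_file` and `csr_sigalg` are hypothetical, and the sample request is constructed with a dummy base64 body.

```shell
#!/bin/sh
# Added example (not from the original post): lint <alias>-certreq.txt before
# submitting it to the CA. Function names are hypothetical.

# check_csr_file FILE: print every formatting problem; return 0 only if clean.
check_csr_file() {
    [ -r "$1" ] || { echo "$1: cannot read file"; return 1; }
    awk '
        /\r$/      { print FILENAME ":" NR ": CRLF line ending"; bad = 1; sub(/\r$/, "") }
        /^[ \t]*$/ { print FILENAME ":" NR ": blank line"; bad = 1; next }
        /[ \t]+$/  { print FILENAME ":" NR ": trailing whitespace"; bad = 1; sub(/[ \t]+$/, "") }
        /^[ \t]+/  { print FILENAME ":" NR ": leading whitespace"; bad = 1; sub(/^[ \t]+/, "") }
        # keytool writes "BEGIN NEW CERTIFICATE REQUEST"; OpenSSL omits "NEW".
        /^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$/ { opened++; next }
        /^-----END (NEW )?CERTIFICATE REQUEST-----$/   { closed++; next }
        opened == 1 && closed == 0 && !/^[A-Za-z0-9+\/=]+$/ {
            print FILENAME ":" NR ": non-base64 characters in body"; bad = 1
        }
        END {
            if (opened != 1 || closed != 1) {
                print FILENAME ": expected exactly one BEGIN/END pair"; bad = 1
            }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# csr_sigalg FILE: print the algorithm the CSR was signed with, or "unknown"
# if openssl is missing or cannot parse the file. An md5WithRSAEncryption
# result means the request was signed with MD5, which is collision-broken.
csr_sigalg() {
    alg=$(openssl req -in "$1" -noout -text 2>/dev/null |
          awk -F': *' '/Signature Algorithm/ { print $2; exit }') || true
    echo "${alg:-unknown}"
}

# Constructed sample: dummy base64 body with a trailing space and a blank line.
demo_csr=${TMPDIR:-/tmp}/demo-certreq.$$.txt
printf '%s\n' '-----BEGIN NEW CERTIFICATE REQUEST-----' \
    'TUlJQ2R6Q0NBVjhDQVFBd01qRUxNQWtH ' '' 'QTFVRUJoTUNWVk14' \
    '-----END NEW CERTIFICATE REQUEST-----' > "$demo_csr"
check_csr_file "$demo_csr" || echo "fix the file before submitting it"
rm -f "$demo_csr"
```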


2. Submit CSR to your CA for signing - Before you purchase an SSL Certificate, you need to generate a Certificate Signing Request (CSR) for the server where the certificate will be installed. To enroll for any of Symantec’s SSL Certificate services, you will need the following information:
- The length of time for the certificate,
- The number of servers hosting a single domain (up to 5 servers),
- The server platform,
- An email address where Symantec can reach you to validate the information, and
- The Challenge Phrase - <your_password>


3. Download the root certificate and intermediate CA certificates - Download these certificates from your CA site and store within PS_HOME/webserv/<webdomain>/piabin/ as -
- rootca.cer,
- primary_inter.cer and
- secondary_inter.cer.

Root Certificate: A VeriSign Root Certificate is a self-signed X.509 certificate that includes the signature from VeriSign as the Certificate Authority, which vouches for the correctness of the data contained within the certificate. Root CAs are implicitly trusted. They are pre-installed in web browsers and many web servers.

Intermediate Certificates: In the certificate hierarchy, the Root CA issues a subordinate Intermediate CA certificate, which in turn is used to issue the end-entity SSL certificate. This creates a chain of trust that begins at the Root CA, passes through the Intermediate CA, and ends with the SSL certificate.



4. Download SSL certificate - Your CA will email you your certificate, or you can download it from the designated server link. Save it as cert.cer.

5. Import certificates into keystore -

Step 1 – Install the root certificate and intermediate certificates -
$ ./pskeymanager.sh -import -alias RootCA -storepass password -file rootca.cer
$ ./pskeymanager.sh -import -alias primaryintermediate -storepass password -file primary_inter.cer
$ ./pskeymanager.sh -import -alias secondaryintermediate -storepass password -file secondary_inter.cer

Note: To delete an imported certificate, use the command below -
$ ./pskeymanager.sh -delete -alias secondaryintermediate -storepass password

Step 2 – Install your SSL certificate. Copy the SSL certificate to PS_HOME/webserv/<webdomain>/piabin as cert.cer.
$ ./pskeymanager.sh -import -alias <alias_name> -storepass password -file cert.cer

6. Configure the keystore for use in WebLogic -

1- On WebLogic server console, expand the Servers node and choose the server you will be configuring.
2- Next, go to Settings for PIA > Keystore (in the Change Center, click the Lock & Edit button).
3- Click on Change and choose Custom Identity and Custom Trust as your keystore configuration type, then click Save.
4- The "Custom Identity Keystore PassPhrase" should be the password you specified when the keystore was created. [password]
5- You will again be asked to enter your keystore password and confirm.
6- Enter and confirm Custom Trust Keystore Passphrase: password
7- Click Save.
8- Next, go to Settings for PIA > SSL.
9- Specify the Private Key Alias and Passphrase that were used when creating your keystore.
10- Click Save, and go to Advanced
11- Choose Hostname Verification as None and Save.
12- Click on Activate Changes.
13- Reboot the WebLogic server. Your keystore should now be installed and enabled.
14- Verify the SSL.
 

2 comments:

  1. Anonymous, 9:06:00 AM

    Great clarity and simplicity! Thank you.

  2. Anonymous, 12:24:00 AM

    Is there a way to create a "self-signed" private/public key?
