Monday, November 2, 2015

Set up SSL in OAM 11.1.2.3 (11gR2 PS3) when integrating with 12.2



1. Demo Certificates

The messages below in your WebLogic log indicate that your WebLogic domain carries a risk.
Even if you do not want SSL communication for your web services or applications, the internal (administrative) processes in your WebLogic domain still rely on the default DemoTrust keystore, and with that anyone can access your domain: the demo certificates and their private keys ship with every WebLogic installation, so they prove nothing about who is connecting.




2. Generate the identity java keystore

keytool -genkey -keysize 2048 -keyalg RSA -alias hostname -keystore hostname_identity.jks

Subject:   CN=host.domain.com,OU=OraFinHR,O=Becker,L=SF,ST=CA,C=US




3. Generate signing request

keytool -certreq -alias hostname -file certnew.csr -keystore hostname_identity.jks


4. Certificate Authority (CA)

You need a Certificate Authority to sign your certificate requests (the .csr files you generated).
You can create your own CA and sign them yourself, or use an external Internet CA provider,
but the latter becomes expensive and time-consuming when every SSL-enabled server in your landscape needs an external signature.
The best situation is when the organization already runs an internal CA, especially when its root CA is already trusted by the servers and machines in your landscape.

5. Convert the .p7b file to a readable format
$ openssl pkcs7 -print_certs -in certnew.p7b -out cert_chain.cer
If the .p7b the CA returned is binary (DER) rather than PEM, add -inform DER. cert_chain.cer then holds every certificate of the chain in PEM form, each preceded by its subject and issuer.

6. Importing the CA response
Import the certificates into your keystore, starting with the root CA, then the intermediate CA, then the signed server certificate. The server certificate must be imported under the same alias as the key pair generated in step 2 (hostname here); under any other alias keytool stores it as a separate trusted certificate and the private key entry never receives its chain.

keytool -importcert -trustcacerts -alias rootca -file ca.crt -keystore hostname_identity.jks
keytool -importcert -alias intermediateca -file initca.crt -keystore hostname_identity.jks
keytool -importcert -alias hostname -file certnew.cer -keystore hostname_identity.jks

keytool -importcert -trustcacerts -alias rootca -file ca.crt -keystore hostname_trust.jks
keytool -importcert -alias intermediateca -file initca.crt -keystore hostname_trust.jks
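Steps 5 and 6 above, as an added example (not the post's own code): the bundle that openssl pkcs7 -print_certs writes contains the whole chain, so this script splits it into the root, intermediate and server files step 6 imports, sorting them by the subject= and issuer= lines openssl prints, and then runs the keytool imports in the required order with the server certificate under the key pair's alias. File and alias names (cert_chain.cer, hostname, <alias>_identity.jks, <alias>_trust.jks) are assumed from the post; the store password is passed as an argument.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: split the PEM bundle written by step 5
# ("openssl pkcs7 -print_certs" -> cert_chain.cer) into the root, intermediate
# and server files step 6 imports, using the subject=/issuer= lines openssl
# prints above each certificate, then run step 6's imports in the right order.
# Assumed names as in the post: cert_chain.cer, <alias>_identity/_trust.jks.
set -eu

# split_bundle BUNDLE OUTDIR -> OUTDIR/root.crt, intermediate.crt, server.crt
# root: subject equals issuer; server: nothing in the bundle names it as
# issuer; the rest are intermediates (concatenated; keytool accepts that).
split_bundle() {
  local bundle="$1" out="$2"
  mkdir -p "$out"
  rm -f "$out/root.crt" "$out/intermediate.crt" "$out/server.crt"
  awk -v out="$out" '
    /^subject=/ { sub(/^subject=/, ""); subj = $0 }
    /^issuer=/  { sub(/^issuer=/, "");  iss = $0 }
    /-----BEGIN CERTIFICATE-----/ { n++; body = ""; subj_of[n] = subj; iss_of[n] = iss }
    /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { body = body $0 "\n" }
    /-----END CERTIFICATE-----/ { pem[n] = body }
    END {
      for (i = 1; i <= n; i++) issuers[iss_of[i]] = 1
      for (i = 1; i <= n; i++) {
        if (subj_of[i] == iss_of[i])       f = out "/root.crt"
        else if (!(subj_of[i] in issuers)) f = out "/server.crt"
        else                               f = out "/intermediate.crt"
        printf "%s", pem[i] >> f
      }
    }' "$bundle"
}

# import_chain ALIAS CERTDIR STOREPASS: step 6, with the signed certificate
# imported under the SAME alias as the step 2 key pair. Under another alias
# keytool stores it as a trusted-cert entry and the key never gets its chain.
import_chain() {
  local alias="$1" dir="$2" pass="$3"
  for ks in "${alias}_identity.jks" "${alias}_trust.jks"; do
    keytool -importcert -noprompt -trustcacerts -alias rootca \
      -file "$dir/root.crt" -keystore "$ks" -storepass "$pass"
    keytool -importcert -noprompt -alias intermediateca \
      -file "$dir/intermediate.crt" -keystore "$ks" -storepass "$pass"
  done
  keytool -importcert -noprompt -alias "$alias" -file "$dir/server.crt" \
    -keystore "${alias}_identity.jks" -storepass "$pass"
  # Expect "Entry type: PrivateKeyEntry" and "Certificate chain length: 3".
  keytool -list -v -alias "$alias" -keystore "${alias}_identity.jks" \
    -storepass "$pass" | grep -E 'Entry type|Certificate chain length'
}
```

Run `split_bundle cert_chain.cer certs && import_chain hostname certs <storepass>` after step 5; the final keytool -list should report a PrivateKeyEntry with chain length 3 for the hostname alias.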


7. Change Settings in Weblogic Server

NB: Make sure you take a backup of config.xml before you proceed to enable SSL.
Location: $MW_HOME/user_projects/domains/<DOMAIN>/config/config.xml
By preserving this you can roll back the changes at any point and resume services with the old settings.

Log in to the WebLogic Console.
Go to Domain Structure > IDMDomain > Environment > Servers
Make sure "SSL Listen Port Enabled" is checked.


Click on the Keystores tab, click Change next to Keystores, and select "Custom Identity and Custom Trust"
Custom Identity Keystore <full path to hostname_identity.jks>
Custom Identity Keystore Type <JKS>
Custom Identity Keystore Passphrase <the passphrase set when the keystore was created>
Do the same for Custom Trust Keystore: you can give the path to hostname_trust.jks or to the JDK cacerts file.

Click on the SSL tab >
Private Key Alias > the alias you used when generating the keystore (hostname above), and the private key passphrase.

Click Save.
Go to the Change Center >> Activate Changes.
Restart the Admin Server. The Admin Server log should look like the one below.
NB: Also make sure the "JSSE" (Use JSSE SSL) check box is checked, under SSL > Advanced.

NB: Repeat these steps for the intended Managed Servers.

Verify your URL:
https://host.domain:sslport/console


8. Change the OAM protocol

NB: Make sure you take a backup of oam-config.xml before you proceed to change the protocol.
Location: $MW_HOME/user_projects/domains/<DOMAIN>/config/fmwconfig/oam-config.xml

By preserving this you can roll back the changes at any point and resume services with the old settings.

After enabling SSL in WebLogic, change the protocol in OAM (11gR2 PS3): log in to the oamconsole and switch the protocol to SSL.

Go to Access Manager Settings > change OAM Server Port to the SSL port and OAM Server Protocol to "https"


Restart the OAM Managed Server

Log in to EBS and test whether your URL redirects to the OAM SSL URL.

Cheers!! 
Srikanth

1 comment:

  1. Hi Srikanth, thanks for compiling this info, but at this stage we would already have accessgate deployed in EBS R12.2 using a non-SSL URL. Don't you think we need to re-deploy it with the SSL URL, with a command similar to:

    perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -contextfile=$CONTEXT_FILE -deployApps=accessgate -SSOServerURL=http://oamhostname.domain.com:14101 -logfile=$TEMP/WG/EBS_adProv_${DB}.log
