
Using Weblogic keystores for Websphere MQ


I configured a Custom Identity Keystore and a Custom Trust Keystore. The configuration is correct since in the log I can see:

Loading the identity certificate and private key stored under the alias wlserver from the jks keystore file C:\home\dev\keystore
Loading trusted certificates from the jks keystore file C:\home\dev\truststore

In a deployed app I have an MDB that reads messages from MQ over a secure channel via JMS. The SSL debug log shows that the wrong keystores are used when establishing the connection.

<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <trustStore provider is :>
<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <trustStore type is : jks>
<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <init truststore>
<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <trustStore is: C:\home\projects\jdk\jre\lib\security\cacerts>
<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <init keymanager of type SunX509>
<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <init keystore>
<Jul 5, 2013 5:04:01 PM CEST> <Notice> <Stdout> <BEA-000000> <keyStore provider is :>

If I start weblogic by specifying -Djavax.net.ssl.trustStore -Djavax.net.ssl.keyStore -Djavax.net.ssl.keyStorePassword, the secure MDB connection works.

How should I configure WebLogic so my deployed app uses the WebLogic keystores?


Solution

  • From the perspective of server setup:

    If the keystore is specified by the -Dweblogic.security.SSL.trustedCAKeyStore command-line argument, trusted CA certificates will always be loaded from that keystore. This argument is checked first by WebLogic. We put this in our startWebLogic.cmd file.

    Are you running with managed servers and an admin server or just the admin server? Make sure all of your servers have the identity and trust paths set on the Keystores tab (Custom Identity, Custom Trust).

    The incorrect keystore that is being loaded is the default "demo" provided by the JRE.


  • From the perspective of an app running on the server:

    You can do what you did on the command line or by setting them in the app via

    System.setProperty("javax.net.ssl.trustStore", trustPath);

    You can also set up an ssl.properties file and then feed it to your app like:

    -Dssl.properties=$HOME/.keystore/ssl.properties

    You can find an example ssl.properties file here: http://rundeck.org/docs/administration/ssl.html but I am sure there are plenty more/better examples out there.
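Added example (not code from the question or the answer above): a Java class that builds an SSLContext directly from the custom identity and trust keystores, so the MDB's channel uses those stores regardless of which JVM-wide javax.net.ssl.* defaults (or the JRE cacerts) are in effect. The class name, the keystore paths and the passwords are placeholders, and the MQConnectionFactory.setSSLSocketFactory call named in the comment is assumed from the MQ JMS client API; check it against your client's Javadoc.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Builds a per-application SSLContext from explicit keystores instead of the
// JVM-wide javax.net.ssl.* properties. Paths and passwords are placeholders:
// use the values configured on the WebLogic Keystores tab.
public final class ExplicitKeystoreSslContext {

    public static SSLContext build(String identityPath, char[] identityPass, char[] keyPass,
                                   String trustPath, char[] trustPass) throws Exception {
        KeyStore identity = load(identityPath, identityPass);
        KeyStore trust = load(trustPath, trustPass);
        // Key manager presents the identity (the alias "wlserver" in the question).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        // Trust manager accepts only CAs from the custom truststore, not the JRE cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder passwords; in practice read them from a credential store, not source.
        char[] pass = "changeit".toCharArray();
        SSLContext ctx = build("C:\\home\\dev\\keystore", pass, pass, "C:\\home\\dev\\truststore", pass);
        SSLSocketFactory sf = ctx.getSocketFactory();
        // Hand sf to the MQ JMS connection factory, e.g. MQConnectionFactory.setSSLSocketFactory(sf)
        // (assumed method name; verify against your MQ client version), so this connection
        // never falls back to the JVM default truststore shown in the question's debug log.
        System.out.println("Supported cipher suites: " + sf.getSupportedCipherSuites().length);
    }
}
```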