
5/22/2013

How to Install/Renew an SSL Certificate on a WebLogic 10.3.x Server for PeopleTools 8.51+

Last Updated: May 2013

Copyright 2012 Oracle, Inc. All rights reserved.


Table of Contents

INTRODUCTION: What is Covered in this Document? ... 3
CHAPTER 1: SSL Overview ... 4
    What is SSL? ... 4
    What is an SSL Certificate? ... 4
    SSL on WebLogic ... 7
CHAPTER 2: Planning Steps (For First Time Install of SSL) ... 8
    Validate whether SSL should be Installed on WebLogic Server or Proxy/Load Balancer ... 8
    Determine what Type of Certificate to Install and which Certificate Authority to Use ... 9
    Does SSL Need to Be Installed on Other PeopleSoft Components? ... 10
CHAPTER 3: Steps to Install/Renew SSL Certificate on WebLogic ... 11
    PART #1: Preparation Steps ... 11
    PART #2: Create Certificate Request (CSR) ... 13
    PART #3: Import Signed Certificate into WebLogic Keystore ... 15
    PART #4: Configure WebLogic to use the New Certificate ... 19
    PART #5: Validate the SSL Installation ... 22
    PART #6: Verify that PeopleSoft Database Contains the Root/Intermediate CA for your Server Cert ... 24
APPENDIX A: SSL Terminology ... 25
APPENDIX B: Troubleshooting Tips ... 27
    Failure Importing Certificate using pskeymanager import ... 27
    Failure Accessing PeopleSoft Application after Configuring SSL ... 28
APPENDIX C: Where to Find more Information ... 29



INTRODUCTION: WHAT IS COVERED IN THIS DOCUMENT?
This document provides details on installing SSL on your WebLogic Server in a PeopleSoft environment using
PeopleTools 8.51 or higher. The document also provides an overview of SSL and helps you determine exactly
how and where SSL should be installed in your environment.

Below is an outline of each section presented in this document. Note that if you have installed SSL before,
and/or if you are familiar with the process, then you may wish to jump straight to Chapter 3 for instructions on
installing a certificate to WebLogic. However, if you are not familiar with SSL and/or you are converting your
PeopleSoft environment from non-SSL to SSL, then you may find it helpful to review Chapters 1 and 2 first.

- Chapter 1 (SSL Overview): provides an overview of SSL, SSL certificates and SSL on WebLogic.
- Chapter 2 (Planning Steps): contains points to consider when configuring SSL in your PeopleSoft
  environment.
- Chapter 3 (Steps to Install/Renew SSL Certificate on WebLogic): provides detailed instructions for
  creating, installing and configuring an SSL certificate on your WebLogic Server.
- Appendix A: contains a list of common SSL terms.
- Appendix B: contains troubleshooting tips in the event that you encounter problems
  installing/configuring SSL on WebLogic.
- Appendix C: contains resources for additional SSL information.



CHAPTER 1: SSL OVERVIEW

This chapter provides an overview of SSL. Some of this information is complex and a bit confusing. It is not
necessary to review and/or fully understand this information in order to install a certificate on your WebLogic
server. However, you may find it helpful to review this to get a better understanding of SSL. You may also
find it helpful to review Appendix A, which contains SSL terminology, so that you become familiar with
some of the SSL terms you may see when installing/configuring your SSL certificate.

Also, note that My Oracle Support contains an SSL Information Center with links to our SSL knowledge
documents. You may find this helpful if this document does not cover a specific SSL topic/issue that you are
interested in:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x

WHAT IS SSL?
SSL allows for encrypted communication between the browser and web server, thus providing a more secure
environment. When SSL is installed on the web server, the browser communicates with the web server using
the https protocol (instead of http). In a nutshell, this is what occurs:
- The browser sends a request to the web server for a secure page (this is done by specifying https in the
  browser URL instead of http).
- The web server sends back its certificate, which contains its public key.
- The browser validates that the certificate was issued by a trusted certificate authority (e.g. Verisign) and
  uses the public key to encrypt all future requests to the web server.

SSL uses two keys:

1. A private key: installed on the web server
2. A public key known to everyone (e.g. browsers)

WHAT IS AN SSL CERTIFICATE?


The SSL certificate is a file containing details about your company and the server's public key. Below is an
example of the contents of a certificate file:
-----BEGIN CERTIFICATE-----
MIIEnTCCBAagAwIBAgIKOAQ09AAAAAAOLzANBgkqhkiG9w0BAQUFADCBvjELMAkG
A1UEBhMCVVMxCzAJBkNBMRMwEQYDVQQHEwpQbGVhc2FudG9uMRcwFQYD
VQQKEw5QZW9wbGVTb2Z0IEluYzEgMB4GA1UECxMXUGVvcGxlVG9vbHMgRGV2ZWxv
cG1lbnQxEzARBgoJkiaJk/IsZAEZFgNjb20xGjAYBgoJkiaJk/IsZAEZFgpwZW9w
bGVzb2Z0MSEwHwYDVQQDExhQZW9wbGVUb29scyBURVNUIHJvb3QgQ0EwHhcNMDgw
NDI5MjIzMTM2WhcNMDkwNDI5MjI0MTM2WjB3MQswCQYDVQQGEwJVUzETMBEGA1UE
bV9QZW9wbGVUb29scyBURVNUIHJvb3QgQ0EuY3J0MA0GCSqGSIb3DQEBBQUAA4GB
ABaDCNVqfajVrU2PkdcYJB83Yhs74W0WYpji7dXKFRchsc3T6l1WqF58MP9yvOW7
ibF7ZXXmKHAdHJacTsMKyHcgXtlt7vnfFWpcDTrhoyNHhwvnif304RLdw4rUGdzT
a0tGGo46T6BMU03tPXTJbuapG+1FIJV88IlEcMYAeSGi
-----END CERTIFICATE-----

You need to install the SSL certificate on your web server in order for the browser to communicate with the
web server using https.
The SSL certificate is signed by a Certificate Authority (CA) such as Verisign. This allows the browser to
verify the identity of the site before sending private information. Note that you can also use your own
certificate-signing software, which allows you to sign your own certificates.



The SSL certificate has a root certificate associated with it, and sometimes also an intermediate certificate.
The root and intermediate certificates form the chain above your server certificate and identify the
certificate authority (e.g. Verisign) that signed your certificate.
The root and intermediate certificates for well-known Certificate Authorities such as Entrust and Verisign are
included in most web browsers. If you use your own certificate-signing software, then users would be required
to install your company's root certificate into their browser keystore.

You can easily view the SSL certificate for any secure site as follows:
a. Go to the site using https.
b. Click the padlock icon next to the URL (these instructions are for the Internet Explorer browser).
c. Then click the View Certificate link and you will be able to see the certificate details.
d. For example, if you go to the Oracle Software Delivery Cloud site using the URL https://edelivery.oracle.com/
   and click the padlock icon to view the certificate, you will see that the certificate is issued to
   www.oracle.com and was signed by GeoTrust.
e. By clicking on the Certification Path tab, you can see the entire certificate chain, including the root
   certificate, intermediate certificate(s) (if there are any) and the server certificate. For the certificate
   above, the Certification Path tab shows a root certificate called GeoTrust Global CA, an intermediate
   certificate called GeoTrust SSL CA, and the actual server certificate issued to www.oracle.com.



SSL ON WEBLOGIC
When you create a WebLogic domain in a PeopleSoft environment, it configures both an http and an https port
by default. The https port is configured to use a demo certificate. If you choose to use SSL on the WebLogic
server, you will need to replace the demo certificate with a valid SSL certificate (as described in Chapter 3:
Steps to Install/Renew SSL Certificate on WebLogic).

The My Oracle Support SSL Information Center contains links to many Knowledge Documents pertaining to
installing, configuring and troubleshooting SSL on WebLogic:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x



CHAPTER 2: PLANNING STEPS (FOR FIRST TIME INSTALL OF SSL)

VALIDATE WHETHER SSL SHOULD BE INSTALLED ON WEBLOGIC SERVER OR


PROXY/LOAD BALANCER
If you have decided to install SSL in your PeopleSoft environment, the first thing you need to decide is exactly
what front-end component(s) should be configured to use SSL. Below are a few different examples of
PeopleSoft environments, showing different SSL configurations.

EXAMPLE 1 (browser directly accesses SSL-enabled Web server)


In this example, there are no load balancers or proxy servers installed in front of the WebLogic server. So if
you are installing SSL, you will need to install the SSL certificate on the web server (as per the instructions in
Chapter 3).

EXAMPLE 2 (SSL terminated on the load balancer or RPS)


In this example, SSL is terminated at the load balancer. So you have encryption between the browser and the load
balancer (which is typically the segment most exposed to attack), but there is no encryption from the load
balancer to the web server (which is usually behind a firewall). This is the most common SSL configuration in
environments where there is a load balancer or proxy installed in front of the WebLogic server.
If you use this configuration, then there is no need to install a certificate on your web server.

EXAMPLE 3 (SSL installed everywhere)


In this example, SSL is installed on both the load balancer and the web server, so the information is encrypted
all the way from the user's browser to the web server. This configuration is typically used only by companies
that have a strict security requirement that https be used everywhere.
If you use this configuration, you will need to install SSL on the load balancer and on the web server. Note that
you could use the same certificate for both the load balancer and the WebLogic server(s). See Document
1087154.1 on how to copy an SSL certificate from an external device (such as a load balancer) to WebLogic.



DETERMINE WHAT TYPE OF CERTIFICATE TO INSTALL AND WHICH CERTIFICATE
AUTHORITY TO USE
What Type of Certificate To Install?
There are many different attributes associated with a certificate, such as key size and hash algorithm.
There are standard attribute values used by the well-known certificate authorities (such as Verisign, Entrust,
etc.), and the standard values will work well in a PeopleSoft environment.
If you are interested in learning more about certificate attributes, refer to
Doc# 1552645.1: PeopleSoft SSL Certificate Requirements (Key Size, Hash Algorithm, Protocol) when
installing SSL Certificate on WebLogic

Which Certificate Authority To Use?


There are many certificate authorities you can use. We support the use of any certificate authority as long as
it can create a certificate with attributes we support (see "What Type of Certificate To Install?" above). Most
of our PeopleSoft customers use Verisign, Entrust, Thawte, or GoDaddy.
You also have the option of using your own certificate-signing software instead of an external Certificate
Authority like Verisign. However, note that if you sign your own certificate, then the PeopleSoft users will need
to load the root certificate (for your certificate) into their browser keystore. (Browsers come pre-loaded with
the roots of the well-known certificate authorities such as Verisign, Entrust, etc., so there is no need to do
this if you are using a well-known certificate authority.) If the user's browser keystore does not contain the
root certificate that the web server's certificate chains to, then the user will still be able to access the
PeopleSoft application, but they will get a browser warning that the certificate is not trusted.



DOES SSL NEED TO BE INSTALLED ON OTHER PEOPLESOFT COMPONENTS?

If you are switching from http to https access for your WebLogic server, it is possible that you may also need to
convert other PeopleSoft components to use https. So you should review your PeopleSoft environment for other
potential areas that may need to be re-configured for https access. The requirements will vary depending on what
component(s) you are using; therefore we cannot provide a concise list of components to review. But below is a
list of some common areas to consider.
- REN Server: If using this component, you are required to use https if you are accessing the PeopleSoft
  application using https. See Document 1177643.1: Master Note for How to Configure SSL on REN Server.
- Report Server: If configuring SSL, refer to Document 617697.1: How to Configure HTTPS for Report
  Distribution?
- Integration Gateway: Refer to Document 1488269.1: How to enable PeopleTools 8.4x-8.5x Application Server to
  use https Integration Gateway.
- Portal/Content Configuration: If you are using Enterprise Portal with other PeopleSoft applications, refer to
  Document 784325.1: Content Provider Pagelet Shows "Unable To Get Document" Error On Portal Home Page
  Using SSL.

Note that the primary purpose of this document is to provide details on installing SSL on your WebLogic server;
therefore there is no in-depth coverage of other components. But we do want to make note of this since you may
need to review other components when preparing to install SSL on your web server.
If you have further questions and the documents above do not help, then please open a Service Request for the
component you need help with (e.g. REN Server, Report Server, Integration Gateway, Portal).



CHAPTER 3: STEPS TO INSTALL/RENEW SSL CERTIFICATE ON WEBLOGIC

PART #1: PREPARATION STEPS


1. Validate that you definitely need to create a certificate request.
Note that you don't need to create a new certificate request in these situations:
a. You are upgrading to a newer PeopleTools release: In this situation, you can simply copy the SSL certificate
   from your current production environment to the newly upgraded environment, assuming:
   1. You currently have SSL installed in the current production environment
   2. The users will access the new environment using the same URL as the current environment
   Follow the steps in Document 659906.1 to copy an SSL certificate from your current environment to your
   newly upgraded environment.
b. You already have an SSL certificate that is issued to the same name (aka common name) that you will be
   using for your WebLogic server. For example, you have a load balancer or proxy, which will be installed in
   front of the web server, that already has an SSL certificate installed. If this is the case for you, then
   follow the steps in the following document in order to copy the SSL certificate to the WebLogic keystore:
   Doc# 1087154.1: How to Copy an SSL Certificate from an External System to WebLogic

2. Back up your pskey keystore file and config.xml file:

Note that ALL of the certificate and SSL configuration information is stored in these two files:
a. pskey (located in <PS_CFG>/webserv/<DOMAIN_NAME>/piaconfig/keystore)
b. config.xml (located in <PS_CFG>/webserv/<DOMAIN_NAME>/config)
So we suggest you back up these two files so that you can easily get back to where you started in the event that
something goes wrong and you want to start over.

3. Decide what Environment to Use when Installing/Configuring/Testing the Certificate:


You do not have to install the certificate in the PeopleSoft environment where you will ultimately be using it.
So if you are installing/renewing a certificate for your production system, you might find it easier and safer
to install/configure/test the certificate in a test environment, then move it to production once you have
successfully configured and tested it.
The keystore file contains all the certificate information. So if you choose to install the certificate in a
different environment, all you need to do is this:
- Copy the pskey file (from the environment where you will ultimately be using the certificate) to the test
  environment where you will be installing the certificate. The pskey file is located in
  <PS_CFG>/webserv/<DOMAIN_NAME>/piaconfig/keystore
- Then carry on with the install instructions (in this chapter).
- When you are ready to use the certificate in production (or wherever you will ultimately use the certificate):
  o Copy the pskey file from your test system back to production (so you overwrite the old production
    pskey file).
  o Then repeat Part #4 (Configure WebLogic to use the New Certificate) and Part #5 (Validate the SSL
    Installation) on the production WebLogic server.

4. Special Notes for Certificate Renewal:


If you are renewing your certificate, there are a few things to be aware of:
a. It is possible to renew a certificate without creating a new certificate request. In other words, you can just
   notify your certificate authority and ask them to send you an updated certificate using the same CSR you sent
   them for the last certificate request. Then you can skip to Part #3 when the Certificate Authority sends you
   the renewed certificate. However, there are sometimes problems when doing this, especially if the root or
   intermediate certificate has changed. So we advise against this approach, but you can certainly try it if
   there are pressing reasons for not creating a new certificate request. If you choose to do this, the next step
   doesn't apply and you should move on to Part #3 of the instructions.

b. You need to decide if you are going to use the same keystore alias name for the renewed certificate or if you
   are going to create a new alias name. There are advantages/disadvantages to each approach. Our
   recommendation is to create a new alias, as this should make it easier to switch over to the renewed
   certificate when you are ready (and to go back to the old certificate in the event there are issues with the
   renewed certificate). Below are details on each approach:
   - If using a new alias name: Decide what alias name you will use for the renewed certificate. We
     recommend you tack the year onto the alias name for the renewed certificate. So for example, if your
     current alias is called PSOFTSVR, then call the new certificate PSOFTSVR2013 (don't put any
     spaces in the name).
     Note that there is no harm in leaving the old certificate in the keystore, even after you install the
     renewed certificate. But if you want to delete it at a later date, you are welcome to do so using the
     pskeymanager delete command. But be sure to back up the pskey file before doing this!
   - If using the same alias name:
     a. Back up the pskey file (as per step #2 above)
     b. Delete the existing alias:
        i. cd <PS_CFG>/webserv/<DOMAIN_NAME>/piabin
        ii. pskeymanager delete (use ./pskeymanager.sh delete for Unix/Linux)
        iii. Respond to the prompts to delete the alias
        iv. If you make this change directly on the production server, then you will need to
            temporarily restore the old pskey file in the event that you need to restart the web server
            before you have imported the renewed certificate into the keystore. This is necessary
            because the web server reloads the contents of pskey each time it is restarted.



PART #2: CREATE CERTIFICATE REQUEST (CSR)

Follow the steps below to create a Certificate Signing Request (CSR).

1. Launch pskeymanager to create Certificate Request:


a. Go to a command line prompt on the web server and go to piabin directory:
cd <PS_CFG>/webserv/<DOMAIN_NAME>/piabin
b. Run this command:
For Unix/Linux platforms: ./pskeymanager.sh create
For Windows: pskeymanager create

2. Enter Keystore Password: You will be prompted for the keystore password. The default password is password. If
you are using PeopleTools 8.53 or newer release, then the first time you use pskeymanager, you will be forced to
change the password. Be sure to make note of the new password.

3. Enter Certificate Attributes: You will now be prompted for a series of information. Below is each field you are
prompted for, followed by a sample response along with details on what to enter:
i. Specify an alias for this certificate [PSOFTSRVR]? PSOFTSRVR
   Note that the alias is merely a name that uniquely identifies each entry in the WebLogic keystore. You can use
   any value, but don't put any spaces in the name. Many customers set the alias name to the same value as the
   host name. If you are renewing a certificate, make note of the information in PART #1 Step 4.
ii. What is the common name for this certificate [PSOFTSRVR]? peoplesoft.mycompany.com
   It is very important that you enter the proper value, as the common name must match the host name that the
   user specifies in the browser URL used to access the PeopleSoft application. For example, if a user
   accesses the application using https://peoplesoft.mycompany.com/mysite/signon.html, then the common
   name must be set to peoplesoft.mycompany.com. (If the names don't match, the browser issues a warning message.)
iii. What is the name of your organizational unit? Oracle
   What you enter is strictly up to you and has no effect on WebLogic.
iv. What is the name of your organization? Global Support Services
   What you enter is strictly up to you and has no effect on WebLogic.
v. What is the name of your City or Locality? Pleasanton
   What you enter is strictly up to you and has no effect on WebLogic.
vi. What is the name of your State or Province? California
   What you enter is strictly up to you and has no effect on WebLogic.
vii. What is the two-letter country code for this unit? US
   What you enter is strictly up to you and has no effect on WebLogic.
viii. How many days should this certificate request be valid for [90]? 356
   If you know how many days the certificate should be valid, enter it here (your Certificate Authority can
   override this value if it should be different).
ix. What key size would you like to use [1024]? 2048
   Most customers use 2048-bit keys. If you are uncertain, check with your Certificate Authority (note that many
   Certificate Authorities no longer support 1024-bit keys).
x. What key algorithm would you like to use (RSA or DSA) [RSA]?
   You must use the default value of RSA.
xi. What signing algorithm would you like to use (MD5withRSA or SHA1withDSA) [MD5withRSA]?
   Use the default value of MD5withRSA (the Certificate Authority will override this value if needed).
xii. Please enter a private key password to specify the certificate. Passw0rd
   Enter a password. Be sure you make note of the password value, as it is unrecoverable! You may want to use
   the same value that you used for the keystore password, which is entered when you launch pskeymanager.

4. Get a screen shot of information you enter: this step is optional, but you may want to get a screen shot of the
information you entered, when creating the certificate request (just in case you forget password, etc)

5. Confirm Information is correct. After you enter the above info, you will need to respond Yes to this response:
Is the above information correct (yes/no/quit) [yes] ?yes
After you respond yes to the above request, two things happen:
a. A unique private key is created and placed in the keystore file (pskey)
b. The certificate request is created. It is displayed on the screen and also stored in a file. The file name is
   displayed. Example:

Generating Certificate Signing Request 'CSR'.

Certificate signing request has been written to "peoplesoft.mycompany.com_certreq.txt"

Provide this CSR to a Certificate Authority for signing.
Contents of Certificate signing request for "peoplesoft.mycompany.com"
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC+zCCAeMCAQAwgYUxCzAJBgNVBAYTAQIEwJDQTETBxMKUGxlYXNh
[some lines omitted]
LrYHvWf5FBs+gTYFq1D4YcO/cYws+S0I+sw=
-----END NEW CERTIFICATE REQUEST-----

6. Back up the pskey keystore file: Note that when you create the certificate request, a unique entry (called
the private key) is stored in the pskey keystore file. It is very important NOT to lose this entry, as the signed
certificate must match the private key/certificate request that was submitted to the Certificate Authority. If
you accidentally overwrite the private key entry, it cannot be recovered and you have to start over. So this step
is very important, and we strongly encourage you to back up the keystore file. The file is located in:
<PS_CFG>/webserv/<DOMAIN_NAME>/piaconfig/keystore/pskey
So perhaps you could make a copy called pskey-after-CSR-request.

7. Submit the request to your Certificate Authority (CA): Send the request to your CA. Note that you can use an
external CA (e.g. Verisign, Entrust, Thawte, GoDaddy) or, if your company has its own certificate-signing tool,
you can sign your own certificate. After the certificate has been signed, you can move on to Part #3 (Import
Signed Certificate into WebLogic Keystore).
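The common-name rule in step 3 (prompt ii) is the one that most often produces browser warnings, so here is an added example, not part of the Oracle document and not pskeymanager code, that checks a proposed common name against the URL users will type before you submit the CSR. All function names are this example's own. It goes one step beyond the document's exact-match case by also accepting a wildcard name such as *.mycompany.com (a simplified form of the browser rule: one leading * covers exactly one label). The URL is the document's sample value; the other names are constructed.

```python
"""Check that a certificate's common name matches the host users type in the URL.

Added example; not from the Oracle document and not pskeymanager code.
The document's rule is an exact match between the common name and the host in
the browser URL. This also accepts the wildcard form (*.example.com) that CAs
issue; the matching is a simplified version of the browser rule.
"""
from urllib.parse import urlsplit


def host_from_url(url):
    """Host part of a URL, lower-cased, without scheme, port or path."""
    host = urlsplit(url).hostname  # hostname is already lower-cased, port removed
    if not host:
        raise ValueError(f"no host name in URL {url!r}")
    return host


def common_name_matches(common_name, host):
    """True if the certificate name covers the host.

    Comparison is case-insensitive and ignores a trailing dot. A name of the
    form '*.example.com' covers exactly one extra label: it matches
    'www.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    cn = common_name.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        suffix = cn[1:]                      # ".example.com"
        if host.endswith(suffix):
            leftmost = host[: -len(suffix)]  # the label that replaces '*'
            return leftmost != "" and "." not in leftmost
    return False


def check_certificate_name(common_name, url):
    """Report whether a certificate with this common name will satisfy browsers
    that open the given URL (the situation described for prompt ii)."""
    host = host_from_url(url)
    if common_name_matches(common_name, host):
        return f"OK: certificate name '{common_name}' covers {host}"
    return (f"MISMATCH: certificate name '{common_name}' does not cover {host}; "
            "browsers will warn that the certificate does not match the site")


if __name__ == "__main__":
    url = "https://peoplesoft.mycompany.com/mysite/signon.html"  # sample URL from the document
    # Accepting the prompt's default (the alias PSOFTSRVR) as the common name is
    # the mistake the prompt warns about.
    print(check_certificate_name("PSOFTSRVR", url))
    print(check_certificate_name("peoplesoft.mycompany.com", url))
    print(check_certificate_name("*.mycompany.com", url))  # constructed wildcard name
```

The first call in the main block shows what happens if you accept the prompt's default (the alias PSOFTSRVR) as the common name: browsers compare PSOFTSRVR against peoplesoft.mycompany.com and warn. Note that a wildcard only covers one label, so *.mycompany.com would not cover a host such as psoft.hr.mycompany.com.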



PART #3: IMPORT SIGNED CERTIFICATE INTO WEBLOGIC KEYSTORE

At this point, you should have the signed certificate from your Certificate Authority. Follow the
steps below to import the signed certificate into the WebLogic keystore.

1. Verify that you backed up the pskey keystore file: You should have done this in Part #2 after creating the
certificate request, but if not, be sure that you've backed up pskey (in case you accidentally overwrite the
private key entry when you import the signed certificate into the keystore).

2. Get the Root and Intermediate certificates for your Signed Server Certificate:
When your Certificate Authority provided you with your signed certificate (aka server certificate), they should
have also given you the root certificate and any intermediate certificate(s) that are chained to the server
certificate. You need to make certain that you have all of this information. Sometimes the Certificate Authority
does not provide all the information, and there are occasions where they may not give you the proper root and/or
intermediate certificates for your server certificate. But you can usually extract the information from your
server certificate, to make certain you are using the correct root and intermediate certificates. Even if you
think you have all of the correct information, we recommend you do the following:
a. Make certain that the server certificate file that your Certificate Authority provided has the extension .cer
   or .crt.
b. From Windows Explorer, double-click on the certificate file and Windows will display the certificate.

Note: If you see a message indicating there isn't enough information to verify the certificate, then you
will not be able to extract the chain, as the root/intermediate(s) aren't installed on your desktop. If this
happens, then assume that the Certificate Authority provided you the proper root and intermediate(s) and
move on to step #3.

c. Next, go to the tab titled Certification Path. You will see the root certificate, intermediate certificate(s)
   (if there are any) and the server certificate.
   In the example used here, the certificate has a root (VeriSign), an intermediate (VeriSign Class 3
   International Server CA G3) and the actual server certificate (issued to *.oracle.com).



d. Now we are going to extract the root and intermediate certificates. We'll start by extracting the root
   certificate (which is the very top certificate). Do this as follows:
   i. Double-click on the top certificate (Verisign in this example).
   ii. This will launch another window showing the root certificate.
   iii. Go to the Details tab and click the Copy to File button on the bottom right.
   iv. Click Next.
   v. When prompted for the format, choose Base-64 encoded.
   vi. Click Next.
   vii. When prompted for a file name, enter root.cer (or whatever you wish to call the file).
   viii. Click Finish, then OK.
   ix. At this point, the root certificate is in a file called root.cer.
   x. If you have intermediate certificate(s), repeat step d, but this time double-click on the second
      certificate, which is the intermediate certificate, and extract it to the file intermediate.cer. (If there
      are two intermediate certificates, then you'll need to repeat yet again to extract the other intermediate
      certificate.)

At the end of this step, you should know how many root and intermediate certificates the server certificate is using
and each certificate should be in a separate file

3. Create a chain file which combines the server certificate, root certificate and intermediate certificate(s)
(if there are any) into a single file
Using a text editor (e.g. Notepad or WordPad), create a single file that contains all of the certificates. The
file should contain the server certificate, followed by the intermediate certificate (if there is one), followed
by the root certificate. It is very important to list the certificates in the right order.
If you have a server certificate, one intermediate certificate and a root certificate, the file will look
something like this (the body lines are placeholders for the base64 content of each certificate):
-----BEGIN CERTIFICATE-----
dfsfsdfdf
sfsdfwehdfhdf <--------- server certificate
dgdfgfgfdg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
hghjgfjgj
sfsdfwejjhdfhdf <--------- intermediate
dgdfgiuiyuiuiyufgfdg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dfsfsmbvmvbmdfdf
sfsdetetrtyrfwehdfhdf <--------- root CA
dgdfgnbnbvnvbfgfdg
-----END CERTIFICATE-----

If you have a server certificate and a root certificate, the file will look something like this:
-----BEGIN CERTIFICATE-----
dfsfsdfdf
sfsdfwehdfhdf <--------- server certificate
dgdfgfgfdg
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dfsfsmbvmvbmdfdf
sfsdetetrtyrfwehdfhdf <--------- root CA
dgdfgnbnbvnvbfgfdg
-----END CERTIFICATE-----

Make certain there are no extra carriage returns at the beginning or end of the file! If there are, the import
will fail!
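As an added example (not part of the Oracle document and not pskeymanager code), the following Python script assembles a chain file in exactly the order step 3 requires and checks a file for the mistakes this step warns about: blank lines before the first or after the last certificate, BEGIN/END marker lines that are not the standard five-dash PEM form, bodies that are not base64-encoded DER, and a certificate count other than the one you expect. It cannot confirm that the certificates are in the correct issuer order, since that needs an X.509 parser. The certificate bodies it uses are constructed placeholders (tiny DER sequences), not real certificates, and all function names are this example's own.

```python
"""Build and sanity-check a WebLogic certificate chain file.

Added example; not part of the Oracle document and not pskeymanager code.
Rules implemented (from the document): the file holds the server certificate,
then any intermediate certificate(s), then the root CA, as PEM blocks, with no
blank lines before the first or after the last certificate.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One well-formed PEM certificate block: header line, base64 lines, footer line.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S)


def parse_pem_blocks(text):
    """Return the base64 body of every well-formed certificate block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def looks_like_der_certificate(body):
    """Cheap format check: the body must be valid base64 and decode to DER whose
    first byte is the SEQUENCE tag (0x30) that every X.509 certificate starts
    with. This catches pasted binary or garbage; it does not prove the bytes
    are a certificate."""
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 0 and der[0] == 0x30


def build_chain(server_pem, intermediate_pems, root_pem):
    """Assemble the chain file in the required order: server, intermediate(s), root."""
    blocks = []
    for pem in [server_pem, *intermediate_pems, root_pem]:
        bodies = parse_pem_blocks(pem)
        if len(bodies) != 1:
            raise ValueError("each input file must hold exactly one certificate")
        blocks.append(f"{BEGIN}\n{bodies[0]}\n{END}")
    # Blocks are separated by single newlines; the file ends with one newline and
    # nothing else, so there are no stray blank lines at either end.
    return "\n".join(blocks) + "\n"


def check_chain_file(text, expected_certs=None):
    """Return a list of problems found in a chain file (an empty list means OK)."""
    problems = []
    if text != text.lstrip():
        problems.append("blank line(s) or whitespace before the first certificate")
    trailing = text[len(text.rstrip()):]
    if trailing not in ("", "\n", "\r\n"):
        problems.append("extra blank line(s) after the last certificate")
    for line in text.splitlines():
        tagged = "BEGIN CERTIFICATE" in line or "END CERTIFICATE" in line
        if tagged and line.strip() not in (BEGIN, END):
            problems.append(f"malformed PEM marker {line.strip()!r} "
                            "(markers use exactly five dashes on each side)")
    bodies = parse_pem_blocks(text)
    if not bodies:
        problems.append("no certificate blocks found")
    for i, body in enumerate(bodies, 1):
        if not looks_like_der_certificate(body):
            problems.append(f"certificate {i} is not base64-encoded DER")
    if expected_certs is not None and len(bodies) != expected_certs:
        problems.append(f"expected {expected_certs} certificates, found {len(bodies)}")
    return problems


def _fake_pem(seed):
    """Constructed placeholder: base64 of a tiny DER SEQUENCE. NOT a real certificate."""
    der = b"\x30\x05\x02\x03" + seed.to_bytes(3, "big")
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"


SERVER_PEM = _fake_pem(1)        # stands in for the CA-issued server certificate
INTERMEDIATE_PEM = _fake_pem(2)  # stands in for intermediate.cer
ROOT_PEM = _fake_pem(3)          # stands in for root.cer


if __name__ == "__main__":
    chain = build_chain(SERVER_PEM, [INTERMEDIATE_PEM], ROOT_PEM)
    print(chain, end="")
    print("well-formed file:", check_chain_file(chain, expected_certs=3))
    print("leading blank lines:", check_chain_file("\n\n" + chain, expected_certs=3))
```

To use it on real files, read root.cer, intermediate.cer and the CA-issued server certificate into strings, pass them to build_chain, write the result to the file you will give to pskeymanager import in step 5, and run check_chain_file on that file first with expected_certs set to the number of certificates you extracted in step 2.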

4. Run pskeymanager import to Import the Root Certificate and any Intermediate Certificate(s):
a. Go to a command line prompt on the web server.
b. cd <PS_CFG>/webserv/<DOMAIN_NAME>/piabin
c. Run command pskeymanager import (for Unix/Linux use ./pskeymanager.sh import)
d. When prompted for an Alias, enter anything, such as RootCA
e. When prompted for the name of the certificate file, enter the name of the root certificate file (that you created
in step#2 above)
f. If asked if you want to trust this file, respond yes

g. If you have an intermediate certificate, repeat the above steps (you'll need to use a different alias name, such as
IntermediateCA). If you have multiple intermediate certificates, then you'll need to repeat the import for
each of the intermediate certificates.

Note: The above step is typically not necessary. But we have found some situations where it is necessary to have the
root/intermediate certificates imported into the keystore as separate entries. So we suggest you complete the above
step just in case it is needed in your environment. It definitely does no harm to import these entries (even if they aren't
needed).

5. Use pskeymanager import to import the Certificate Chain:
a. Go to a command line prompt on the web server
b. cd <PS_CFG>/webserv/<DOMAIN_NAME>/piabin
c. Run command pskeymanager import (for Unix/Linux, use ./pskeymanager.sh import)
d. When prompted for an Alias, enter the same alias you specified when you created the CSR (in Part #2)
e. When prompted for the name of the certificate file, enter the name of the file created in step #3 above
f. When prompted for the key password, enter the password you specified when you created the CSR (in
Part#2)
g. If asked if you want to trust this file (eg "...is not trusted. Install reply anyway?"), respond yes.
h. If the install is successful, you will receive the message "Certificate reply was installed in keystore".
If you receive any errors, then please refer to Appendix B of this document (see section "Failure Importing
Certificate using pskeymanager import").

6. Validate keystore entry: This step is optional, but if you wish to view the new certificate entry in the WebLogic
keystore, you can do so using this command:
pskeymanager list verbose alias peoplesoft (replace peoplesoft with your alias name)
The above command will show detailed information for the certificate that you imported. The beginning of the output
will look something like this:
Alias name: peoplesoft
Creation date: May 20, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=peoplesoft.oracle.com, OU=Oracle Support, O=Oracle, L=Pleasanton, ST=California, C=US
Issuer: CN=PeopleTools TEST root CA, DC=peoplesoft, DC=com, OU=PeopleTools Development, O=PeopleSoft Inc,
L=Pleasanton, ST=CA, C=US
Serial number: 364c9410000000001f6d
Valid from: Mon May 20 09:54:10 PDT 2013 until: Tue May 20 10:04:10 PDT 2014
The main items to check are:
Entry type: The entry type should be PrivateKeyEntry. If it shows another value, such as
trustedCertEntry, then something went wrong and you need to restore pskey (to get back to where it was at the
beginning of Part #3) and start over.
Certificate chain length: this should have a value of 2 or higher, depending on how many entries are in the
certificate chain. In the example above, there is just a server certificate and a root certificate, so the value is 2.

7. At this point you are ready to move on to Part #4 which is to configure WebLogic to use your new certificate

PART #4: CONFIGURE WEBLOGIC TO USE THE NEW CERTIFICATE

At this point, you should have the signed certificate in your WebLogic keystore. Follow the
steps below to configure WebLogic to use the signed certificate

1. Backup config.xml: If you've not already backed up the config.xml file, you may want to do so now, so that you can
go back to the original configuration if needed. The config.xml file is located in
<PS_CFG>/webserv/<DOMAIN_NAME>/config

2. Log into the WebLogic Console:
a. Use this browser url to access the WebLogic console: http://<hostname>:<admin_port>/console/
b. Enter username and password: For PeopleTools 8.51-8.52, the default username is system and default
password is Passw0rd. For PeopleTools 8.53, the password is whatever you set it to when you created the
WebLogic domain. If you forgot your password, refer to document 658081.1

3. Configure the WebLogic Keystore location and Keystore Password
a. Click the Lock & Edit button in section Change Center on top left page
b. In the Domain Structure section (left menu) , expand Environment and click the Servers hyperlink
c. Now click on PIA (or whatever managed server you are configuring SSL on)
d. Click the Configuration tab and the Keystores subtab
e. The Keystores section at top of page, should be set to Custom Identity and Custom Trust. If it does not have
this value, click the Change button and choose Custom Identity and Custom Trust from the dropdown menu.
Example:

f. In the bottom portion of the page, you will need to do the following:
i. Validate that the Custom Identity Keystore field and Custom Trust Keystore field are set to the correct
value (these values should NOT need to be changed, unless you chose to import the certificate to a keystore
other than the standard pskey keystore delivered with PeopleSoft).
ii. Enter the Keystore Passphrase in the Identity and Trust sections. Note that this is the keystore
password, in other words the password you enter when using pskeymanager. Note that you'll need to
enter the password in four fields:

g. Save the changes by clicking the Save button at bottom of page.
h. Stay logged into the WebLogic console for next step.

4. Configure the WebLogic Certificate
a. Now navigate to Configuration tab and SSL subtab
b. Enter the following information:
Private Key Alias: this is the alias value that you specified when you created the certificate request
Private Key Passphrase: this is the password that you specified for the alias, when you created the certificate
request (note that this is not the keystore password that you enter when using pskeymanager but rather it is
the private key password value that you entered when you created the certificate request (Part#2 Step 3). It
is possible that you used the same password value for both keystore and private key passphrase)
Confirm Private Key Passphrase: Re-enter value entered in step above

Example:

c. Click the Save button to save the above changes

5. Activate the WebLogic Configuration Changes: Click Activate Changes button on top left page. The WebLogic
PIA will immediately pick up the changes.

PART #5: VALIDATE THE SSL INSTALLATION
At this point, the certificate is installed and configured. But in order to validate that the
install/configuration was successful, you need to test accessing your PeopleSoft environment
using https protocol. Below are instructions on how to do this:

1. Try to access the PeopleSoft environment using the url https://myserver:<port#>/<sitename>/signon.html

Example: https://peoplesoft.oracle.com/mysite/signon.html (in this example, the WebLogic server is configured
to use port #443 for https. Therefore we don't need to specify the port#, since the browser assumes port 443 if no port# is
specified)

Note the following regarding the port#:
- The browser url must specify the port# that WebLogic has configured for https (this is a different port# than the http
port#!). If you are unsure what port# is configured for https, do the following:
a. Go to <PS_CFG>/webserv/<DOMAIN_NAME>/config
b. Open file config.xml and check the ssl section under PIA server. In the example below, the PIA is
configured to use https port 8443
<server>
<name>PIA</name>
<ssl>
<name>PIA</name>
<enabled>true</enabled>
<listen-port>8443</listen-port>

2. If you get a browser pop-up warning and/or any sort of error such as "cannot display the webpage", then
please refer to Appendix B of this document (see section "Failure Accessing PeopleSoft Application after Configuring
SSL"). Note: if you are testing in a different environment than where you will ultimately be using the SSL certificate,
then it is ok if you get a browser pop-up warning, as the certificate may not match the host name in the browser url.

3. If you are able to successfully access the PeopleSoft application, then this is a good indication that the certificate was
successfully installed. But you may still want to view the certificate just to validate that the application is using the
newly installed certificate. This can be done as follows:
a. Click padlock icon next to browser url (these instructions are for IE browser)
b. Then click view certificate hyperlink and you will be able to see the certificate details
c. You should then be able to verify the certificate from these details. For example, the screenshot below shows
that WebLogic is using a certificate issued to driver-pc.us.oracle.com that is valid until 5/20/2014.

4. At this point, your certificate is fully installed and configured. If you have installed the certificate in a test environment,
then when you are ready to go live with the new certificate, do the following:
a. Copy pskey file from your test system back to production (so you will overwrite the old production pskey
file)
b. Then repeat Part#4 (Configure WebLogic to use the New Certificate) and Part #5 (Validate the SSL
Installation).
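Step 1 above tells you to read the https listen port out of the <ssl> section of config.xml. As an added example (not from the Oracle document), the following Python script does that lookup and builds the signon URL to test, omitting the port when it is 443 as the example above does. The config.xml text below is constructed; it assumes the server layout shown in step 1 plus the default WebLogic domain namespace that real config.xml files carry, which the parser strips.

```python
"""Look up the https port of a WebLogic managed server in config.xml and
build the signon URL. Added example; the sample config.xml is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <server>/<ssl> layout shown in Part #5 step 1.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>peoplesoft</name>
  <server>
    <name>PIA</name>
    <ssl>
      <name>PIA</name>
      <enabled>true</enabled>
      <listen-port>8443</listen-port>
    </ssl>
    <listen-port>8000</listen-port>
  </server>
</domain>
"""


def _local(tag):
    """Drop the XML namespace prefix so tags compare by local name only."""
    return tag.split("}", 1)[-1]


def ssl_settings(config_xml_text, server_name="PIA"):
    """Return (ssl_enabled, https_port) for the named server, or None when
    the server is missing or has no <ssl> section. https_port is None when
    the <ssl> section has no <listen-port>."""
    root = ET.fromstring(config_xml_text)
    for server in root:
        if _local(server.tag) != "server":
            continue
        name = next((c.text for c in server if _local(c.tag) == "name"), None)
        if name != server_name:
            continue
        ssl = next((c for c in server if _local(c.tag) == "ssl"), None)
        if ssl is None:
            return None
        enabled, port = False, None
        for child in ssl:
            if _local(child.tag) == "enabled":
                enabled = (child.text or "").strip().lower() == "true"
            elif _local(child.tag) == "listen-port":
                port = int((child.text or "").strip())
        return (enabled, port)
    return None


def signon_url(hostname, site, config_xml_text, server_name="PIA"):
    """Build https://<host>[:<port>]/<site>/signon.html from config.xml;
    the port is left out when it is 443, which browsers assume by default."""
    settings = ssl_settings(config_xml_text, server_name)
    if settings is None or not settings[0] or settings[1] is None:
        raise ValueError(f"https is not enabled for server {server_name}")
    port = settings[1]
    host = hostname if port == 443 else f"{hostname}:{port}"
    return f"https://{host}/{site}/signon.html"


if __name__ == "__main__":
    # Read the real file instead of the sample, e.g. config/config.xml.
    print(signon_url("peoplesoft.oracle.com", "mysite", SAMPLE_CONFIG_XML))
```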

PART #6: VERIFY THAT PEOPLESOFT DATABASE CONTAINS THE
ROOT/INTERMEDIATE CA FOR YOUR SERVER CERT

The steps below are required only if other PeopleSoft components, such as the
Report Server, communicate with the web server using the https protocol. If you are not
certain whether this situation exists in your environment, then we recommend you implement this step,
as it does no harm to add the certificate to your PeopleSoft database (i.e. the Digital Certs page) even if you
are not using it.
1. Log into PeopleSoft Application
2. Go to PeopleTools -> Security -> Security Objects -> Digital Certificates page
3. If there is no entry for the root certificate that the WebLogic certificate is using, then do the following:
4. Press the + symbol to add the root certificate
5. Select Root CA from the dropdown menu
6. Fill in the Issuer and Alias fields (use any value. Example Thawte 2048 Root)
7. Import (or add) the certificate by pressing on the 'Add Root' hyperlink
8. Paste in the root certificate. Note that if your server certificate has both a root and intermediate certificate, then
you should import both the intermediate and root certificate in this order:
-----BEGIN CERTIFICATE-----
character string <------------ intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
character string <------------ root CA
-----END CERTIFICATE-----
9. Save changes
10. You may need to restart components (e.g. App Server, Process Scheduler) to pick up this change.

APPENDIX A: SSL TERMINOLOGY

This section contains many SSL terms along with their meaning.
CA (Certificate Authority): This is the organization that issues (i.e. "signs") your certificate.
Common CA's are VeriSign, Entrust, GoDaddy, Thawte. Note that you can also purchase a
certificate signing tool and sign your own certificates, in which case you are your own Certificate
Authority.

Chain Certificate: This term is sometimes used to refer to the entire SSL certificate which is
comprised of the following:
-Root Certificate
-Intermediate Certificate(s) (not all certificates contain an intermediate certificate)
-Server Certificate

Cipher Suite: a named combination of the key exchange, encryption and integrity algorithms used to protect an SSL
connection. Refer to document 660309.1 if you wish to change the cipher suites that your WebLogic server is using.

CN (Common Name): this is who the certificate is issued to. It needs to match the hostname
that is used in the browser url when accessing the PeopleSoft application. So if you access the
PeopleSoft application using https://peoplesoft.mycompany.com/ps/signon.html, then the
certificate's common name is "peoplesoft.mycompany.com".

CSR (Certificate Signing Request): A CSR is a file sent to a certificate authority in order to apply
for a certificate. The CSR file includes information such as common name, organization, etc.
(you create the CSR using pskeymanager tool). The certificate is created from the CSR.

Demo Cert: This is a certificate that is delivered with the web server. It does not have a certificate
authority associated with it. You can use the certificate but browser will issue a warning stating
that it is not a trusted certificate. If you are unable to access the PeopleSoft environment using
the demo certificate, refer to document 1499938.1

Hash Algorithm: The algorithm used to secure the certificate. The most common is SHA. But
recently a new algorithm was released, called SHA2 (see doc 1225455.1 for more details)

Intermediate CA: This is an extra public key (in addition to the Root CA) that adds an extra layer of
security. Most, but not all, Certificate Authorities (CA's) issue an intermediate certificate. Some
CA's issue multiple intermediate certificates.

One-way SSL: This is when a certificate is installed ONLY on the server (WebLogic). With one-way
SSL, the server passes its certificate and CA chain to the browser. The browser trusts the CA
that issued the server certificate. 99% of our customers use One-Way SSL, however a few use
Two-Way SSL (see description of "Two-Way" SSL below).

Private Key: this is a unique entry placed in the keystore when a CSR is created. (it is then
signed using the public key from the Certificate Authority). The SSL private key is used to decrypt
the data passed over the SSL connection

Protocols: This refers to the encryption protocol. There are different protocols including SSLv2,
SSLv3, TLS1.0, TLS1.1 and TLS 1.2. The most common protocols are "TLS1.0" and "SSLv3".
SSLv2 is an older protocol and usually not used anymore. TLS 1.1 and 1.2 are newer protocols
and are supported starting with PeopleTools 8.53. If you wish to change the protocols your web
server is using, refer to document 664126.1

pskeymanager.cmd/sh: This is an Oracle "Wrapper Script" to the java keytool. Note that it is not
necessary to use pskeymanager and you can use keytool instead. However, you may find
pskeymanager more user friendly as it builds the arguments for the keytool command after
prompting you for necessary information. Also, pskeymanager is configured to use the pskey
file to store keystore information, which is a PeopleSoft standard.

Root Certificate (aka "Root CA" or "Trusted CA"): This is a public version of the certificate
containing only the public key. The Root certificate is the top most portion of the certificate chain.
It is provided by the Certificate Authority.

SAN (Subject Alternative Name): This is a type of certificate that allows you to assign multiple
host names to a single certificate. A SAN Certificate is also sometimes referred to as a "Multi-
Domain" certificate or "Unified Communications Certificates (UCC)". These certificates are
currently not supported in PeopleSoft.

Self-Signed Certificate: A self-signed certificate is an identity certificate signed by its own
creator. In other words, there is no 'Certificate Authority' that signed the certificate. And there is no
'Root Certificate' associated with the server certificate. WebLogic does not support "self-signed"
certificates as they do not adhere to the RFC3280 specifications. Even though we don't support
self-signed certificates, they usually work ok, and some customers use them, especially in test
environments.

Signature Algorithm (aka Signing Algorithm): This is the algorithm used to sign the certificate.
DSA and RSA are different types of signing algorithms. We support RSA.

SSL Handshake: This term is often used to refer to the communication between client (eg
browser) and server (eg WebLogic) at initial communication when the client and server exchange
information and server authenticates itself to the client.

Two-way SSL: this is when a certificate is installed on both the client (browser) and the server
(WebLogic). BOTH sides (i.e. browser and WebLogic server) pass certificates to each other to
establish communication. So both sides know the identity of each other from their respective
certificates. It is extremely rare to see PeopleSoft customers use two-way SSL. Typically, one-way
SSL is used.

Wildcard Certificate: A wild-card certificate allows you to secure multiple domains with the same
certificate. For example, you could use the same certificate for the following websites, by issuing
your certificate to *.mycompany.com
https://peoplesoft.mycompany.com
https://support.mycompany.com
https://sales.mycompany.com
Wildcard certificates were previously not supported with WebLogic, but they are supported starting
with WebLogic 10.3.6. Even though they aren't supported with older WebLogic versions, they
usually work fine in a PeopleSoft environment.

APPENDIX B: TROUBLESHOOTING TIPS

FAILURE IMPORTING CERTIFICATE USING PSKEYMANAGER IMPORT

If you receive an error when running command pskeymanager import, start by checking the following:
Verify there are no extra carriage returns at beginning or end of the chain file that you are importing.
Verify that the chain certificate contains files in the correct order:
o The server certificate should be at top of file
o The intermediate certificate should be next (if there is one)
o The root certificate should be at end of file
Verify that the signed certificate that you are importing was created for the certificate request that you
sent to your Certificate Authority.

If the above information doesn't help, refer to the Troubleshoot tab of the SSL Information Center:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
There is a section in the Troubleshoot tab called Issues using pskeymanager script and it contains a list of
common errors, when using pskeymanager, and how to correct the problem.

FAILURE ACCESSING PEOPLESOFT APPLICATION AFTER CONFIGURING SSL

If you are unable to access the PeopleSoft application (using https) and/or if you get any sort of browser pop-up
warnings, then please check the following:

If you get a browser pop-up warning, refer to the following knowledge document:
Doc ID 652529.1: Browser Displays SSL Warning Messages when Logging into PeopleSoft Application.
Occurs after Installing SSL Certificate on Web Server
Note that it is ok if you get a browser pop-up warning if you are testing the certificate in another
environment (other than where the certificate will ultimately be installed), as the certificate's common
name won't match the host name in the browser url.

If you get a Cannot display the webpage error, then this means that WebLogic was unable to successfully
load the new certificate and bind to the https port. To get details on cause of problem, do the following:
1. Go to <PS_HOME>/webserv/<DOMAIN_NAME>/servers/PIA/logs
2. Open file PIA_weblogic.log
3. Go to end of file and check for errors when the WebLogic PIA was restarted (you might want to search for string
alias or string private key to get to the section where WebLogic attempts to load the certificate). Below are
some of the more common errors and what they mean. You may want to search your log to see if any of the
messages are present:
No identity key/certificate entry was found under alias: This error indicates that you configured the wrong
alias name (in the WebLogic console) or else the keystore entry is not recognized as a server certificate.
Refer to document 638359.1 for more details
Keystore was tampered with, or password was incorrect: This error indicates that you configured the
wrong keystore password (in the WebLogic console). Try re-entering the keystore password (following the
instructions in Chapter 3, Part #4, Step 3) and then restart the WebLogic PIA. If this doesn't fix the problem,
refer to document 843937.1 for more details.
Inconsistent security configuration: This message usually means that you configured the wrong private
key password (in the WebLogic console). Try re-entering the private key passphrase (following the
instructions in Chapter 3, Part #4, Step 4) and then restart the WebLogic PIA. If this doesn't fix the
problem, refer to document 753709.1 for more details.
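As an added example (not from the Oracle document), the following Python script performs the log check described in step 3: it looks only at the lines written since the most recent PIA start, reports each of the three certificate-load errors above together with the likely cause and the Part #4 step or document to consult, and lists the line numbers that mention the alias or private key so that section of the log can be inspected. The start-up marker is an assumed WebLogic message and the sample log lines are constructed.

```python
"""Scan PIA_weblogic.log for the certificate-load errors listed in Appendix B.
Added example; START_MARKER is assumed and SAMPLE_LOG is constructed."""
import re

# Assumed WebLogic start-up message used to locate the most recent restart;
# change it if your log uses different wording.
START_MARKER = "Server state changed to STARTING"

# Error text from the guide -> (likely cause, where the fix is described).
KNOWN_ERRORS = {
    "No identity key/certificate entry was found under alias":
        ("wrong Private Key Alias in the WebLogic console, or the keystore entry "
         "is not recognized as a server certificate", "Part #4 Step 4 / Doc 638359.1"),
    "Keystore was tampered with, or password was incorrect":
        ("wrong keystore passphrase in the WebLogic console",
         "Part #4 Step 3 / Doc 843937.1"),
    "Inconsistent security configuration":
        ("wrong private key passphrase in the WebLogic console",
         "Part #4 Step 4 / Doc 753709.1"),
}

# Lines worth reading around the failure, as the guide suggests searching for.
CONTEXT = re.compile(r"alias|private key", re.I)


def lines_since_last_start(log_lines, marker=START_MARKER):
    """Return (index_of_last_start, lines_from_there). Whole log if no marker."""
    start = 0
    for i, line in enumerate(log_lines):
        if marker in line:
            start = i
    return start, log_lines[start:]


def diagnose(log_lines, marker=START_MARKER):
    """Return {'findings': [...], 'context': [...]} for the latest restart.
    Each finding carries the 1-based line number, error text, cause and fix;
    context lists line numbers mentioning the alias or private key."""
    offset, recent = lines_since_last_start(log_lines, marker)
    findings, context = [], []
    for lineno, line in enumerate(recent, offset + 1):
        for text, (cause, fix) in KNOWN_ERRORS.items():
            if text in line:
                findings.append({"line": lineno, "error": text,
                                 "cause": cause, "fix": fix})
        if CONTEXT.search(line):
            context.append(lineno)
    return {"findings": findings, "context": context}


# Constructed sample (not real WebLogic output): an earlier successful start,
# then a restart after the certificate was configured that fails to load it.
SAMPLE_LOG = [
    "<Notice> <WebLogicServer> Server state changed to STARTING",
    "<Notice> <Security> Loading identity certificate from alias peoplesoft",
    "<Notice> <WebLogicServer> Server state changed to RUNNING",
    "<Notice> <WebLogicServer> Server state changed to STARTING",
    "<Error> <Security> Keystore was tampered with, or password was incorrect",
    "<Error> <Security> No identity key/certificate entry was found under alias peoplesoft",
]

if __name__ == "__main__":
    # For a real run: with open(path) as f: log = f.read().splitlines()
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(f"line {finding['line']}: {finding['error']} -> {finding['cause']} ({finding['fix']})")
```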

If the above information doesn't help, refer to the Troubleshoot tab of the SSL Information Center:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
There is a section in the Troubleshoot tab titled Issues Starting and/or Accessing WebLogic After
Configuring SSL and it contains a list of all known problems that may result in problems accessing the
PeopleSoft application after configuring SSL.

APPENDIX C: WHERE TO FIND MORE INFORMATION
The SSL Information Center, available from My Oracle Support, contains links to our SSL knowledge
documents:
Doc# 1549157.2: Information Center: SSL on PeopleSoft Web Servers for PeopleTools 8.5x
The above document contains an Overview tab, an Install and Configure tab and Troubleshoot tab. So
this document should help you with any questions/issues when using SSL on a WebLogic server.
