WebLogic and SSL: supplying private key password upon startup

Hello,
Does BEA have an API I can use to customize the WebLogic Server startup? I have
a password callback function that I would like the WebLogic Server to call when
it needs the password for decrypting the server certificate private key...
-- POCO

nope.. till now..
thanks
kiran
"POC" <[email protected]> wrote in message
news:3e258885$[email protected]..
>
Hello,
Does BEA have an API I can use to customize the WebLogic Server startup? Ihave
a password callback function that I would like the WebLogic Server to callwhen
it needs the password for decrypting the server certificate private key...
-- POCO

Similar Messages

Does WLS 5.1 support private key passwords like WLS 6 does ?

WebLogic 6.0 supports private key passwords as described here http://e-docs.bea.com/wls/docs60/adminguide/cnfgsec.html#1053139,
summarized here;
"When using PKCS-8 encrypted private keys, you need to enable the Use Encrytped
Keys field on the SSL tab of the Server window in the Administration Console.",
plus you need to use this diraective -Dweblogic.management.pkpassword=
I can't find any support for this in WLS 5.1. Does 5.1 support this additional
level of security ?
Thanks.

In order to have the weblogic.mangement.pkpassword stuff work two other things need to have happened first:
1) you generated a protected private key rather than just a "regular" private key. In the Certificate Servlet this is done by typing characters into the password field of the form to generate the key and
then later passing those characters to the weblogic.management.pkpassword commandline attribute.
2) you set the KeyEncrypted attribute in the SSL page in the console
You can use protected/encrypted private keys or not but you need to make sure that you actually generated an encrypted private key and you've set SSL to use an encrypted private key and told the
server to start up with an encrypted private key.
Paul
On 24 Jul 2001 08:13:06 -0700, [email protected] (David Barrett) wrote:
Hello Dave,
Dave here.
I'm having some problems with the Weblogic SSL installation also. I
was able to set the weblogic.management.pkpassword, but I am recieving
the following error when attempting to start the server.
Jul 23, 2001 1:44:53 PM EDT> <Info> <Logging> <Only log messages of
severity "Error" or worse will be displayed in this window. This can
be changed at Admin Console> myserver> Servers> myserverpass> Logging>
General> Stdout severity threshold>
<Jul 23, 2001 1:44:57 PM EDT> <Alert> <WebLogicServer> <Security
configuration problem with certificate file config/myserver/mykey.der,
java.lang.NullPointerException>
java.lang.NullPointerException
at weblogic.security.PKCS5.setPassword(PKCS5.java:173)
at weblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:124)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:387)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
Please let me know if you know of any way to fix this issue.
Best,
David
"Dave Javu" <[email protected]> wrote in message news:<[email protected]>...
WebLogic 6.0 supports private key passwords as described here http://e-docs.bea.com/wls/docs60/adminguide/cnfgsec.html#1053139,
summarized here;
"When using PKCS-8 encrypted private keys, you need to enable the Use Encrytped
Keys field on the SSL tab of the Server window in the Administration Console.",
plus you need to use this diraective -Dweblogic.management.pkpassword=
I can't find any support for this in WLS 5.1. Does 5.1 support this additional
level of security ?
Thanks.

SSL CertGen & Private key import errors - 7.0

I am trying to install weblogic generated ssl certificate and because the private
key needs to be encrypted with a password, i am loading this in a new JDK keystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Created Private Key files - testkey.der and testkey.pem
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
I went ahead and ran the same CertGen on unix and got the certificate file and
the key file
to my box to check to see if i can install it. I created a new keystore with keytool,
loaded the private key with the alias and the password phrase, made this key store
the default keystore, supplied the management password, changed the files to read
the new cert file and key file.
Attached is the log for the SSL debug.
Do i need to import the private key stored in the JDK for weblogic ? I tried doing
that by running.
X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass
myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
ASN.1 tag
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
Source)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
X:\>
Attached log is SSL debug enabled and it cant see the private key.
Any help is appreciated.
thanks,
mallik
[ssldebuglog.txt]

"Mallik" <[email protected]> wrote in message
news:3f3274e9$[email protected]..
>
I am trying to install weblogic generated ssl certificate and because theprivate
key needs to be encrypted with a password, i am loading this in a new JDKkeystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
in hostnames.

Private key password for Default DemoIdentity Keystore?

Hi
I am trying to Configure SSL in ALSB. I have created the PKI Credential mapping for the Default DemoIdentity Keystore
But it is asking for the password to access the Keypair.
The document states that i need to provide the password set during the creation of the keystore
but as i am using the default keystore i dont know where to look for the password.
Error :
[Security:090809|The key pair could not be retrieved from the keystore with the supplied alias demoidentity and its password
I tried using the KeyStorePassphrase but it didnt help me much ..
Can any one help me on this?
Regards
Anusha

Jay is right
To be more precise you can use something like
keytool -list -keystore ${wl_home}/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrasewhich leads to the following output
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
certgenca, Mar 22, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 8E:AB:55:50:A4:BC:06:F3:FE:C6:A9:72:1F:4F:D3:89
wlsdemocanew2, Jan 24, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 5B:10:D5:3C:C8:53:ED:75:43:58:BF:D5:E5:96:1A:CF
wlsdemocanew1, Jan 24, 2003, trustedCertEntry,
Certificate fingerprint (MD5): A1:17:A1:73:9B:70:21:B9:72:85:4D:83:01:69:C8:37
wlscertgencab, Jan 24, 2003, trustedCertEntry,
Certificate fingerprint (MD5): A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FEThe following list provides the location and passwords of the demo certificates:
Trust store location: ${WL_HOME}/server/lib/DemoTrust.jks
Trust store password: DemoTrustKeyStorePassPhrase
Key store location: ${WL_HOME}/server/lib/DemoIdentity.jks
Key store password: DemoIdentityKeyStorePassPhrase
Private key password: DemoIdentityPassPhrase

Recovering Private Key Password

I have a customer who is trying to load a private key from a file but can not remember the Private Key password. Does anyone have an idea of what the best way to recover this would be if its possible?

this is not possible since this is the most important part of the security protocol.
You have to created a new key and get a new certificate.
Regards,
Gilles.

I've had my iMac put away for about a year, now I can not remember the admin password upon startup. And I don't have the installation cd's (of course)! Is there any way to re-boot, re-do, get into my Mac to change it. I don't remember it even w/ the hint

I've had my iMac put away for about a year, now I can not remember the admin password upon startup. And I don't have the installation cd's (of course)! Is there any way to re-boot, re-do, get into my Mac to change it. I don't remember it even w/ the hint

Call Apple with the Serial and they will send you the ones that came with the Mac. Or search the Net.

IMac is asking for admin login password upon startup when it never did before, settings are still on auto login. Why is it doing this out of the blue?

iMac is asking for admin login password upon startup when it never did before, settings are still on auto login. Why is it doing this out of the blue?

Is sounds like it might for some reason booting into Safe Mode, which does prompt for a password.
Try a PRAM reset:
Shut down the computer.
Locate the following keys on the keyboard: Command, Option, P, and R. You will need to hold these keys down simultaneously in step 4.
Turn on the computer.
Press and hold the Command-Option-P-R keys. You must press this key combination before the gray screen appears.
Hold the keys down until the computer restarts and you hear the startup sound for the second time.
Release the keys.
If that doesn't help, restart holding down the option key which should take you to the startup manager. Select Macintosh HD (you may need to use the arrows on the keyboard if the kb is Bluetooth), tap 'enter'. Does it boot normally now?

NAC and SSL - fails to import password protected private key

I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wild card SSL cert *.domain.com. The private key used to generate the certificate was created on an Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
Is there a command line option for importing a private key that may work for me?
Thanks
Sherm

The best Possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you dont have problems with private keys.
Regards
sathappan

SSL private key password

Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
SSL certificate. By defaul the private key is not encrypted with password
(SSL.KeyEncrypted = false by default, according to the documentations) in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
<Inconsistent se
curity configuration, java.lang.Exception: Cannot read private key from file
C:\
bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
sure pa
ssword specified in environment property weblogic.management.pkpassword is
valid
.>
java.lang.Exception: Cannot read private key from file
C:\bea7\user_projects\age
ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
in en
vironment property weblogic.management.pkpassword is valid.
at
weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
ava:434)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is the same
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto

Thanks Tony - it worked!!
"Tony" <TonyV> wrote in message news:[email protected]...
It may be because the private key is both unprotected and in DER format.
There are some things to try:
1) Convert the private key file from a DER file to a PEM file and try
that:
a) Follow the for converting an unprotected private key at:
http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
b) Look at the resulting PEM file, it should look something like
this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(Be sure there is no extra lines or whitespace after thefooter)
>
c) Change your configuration to point at the PEM file
If that doesn work, then you can try protecting the key with apassword
using
the wlkeytool utility (It should be in the server/bin directory). The
tool should prompt
for a password to use to protect it:
wlkeytool inputkey.pem outputkey.pem
Then change your configuration to use the protected private key, andset
the passwod to use.
Tony
"Makoto Suzuki" <[email protected]> wrote in message
news:[email protected]...
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
same
SSL certificate. By defaul the private key is not encrypted withpassword
(SSL.KeyEncrypted = false by default, according to the documentations)in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
<Inconsistent se
curity configuration, java.lang.Exception: Cannot read private key fromfile
C:\
bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
sure pa
ssword specified in environment property weblogic.management.pkpassword
is
valid
.>
java.lang.Exception: Cannot read private key from file
C:\bea7\user_projects\age
ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
in en
vironment property weblogic.management.pkpassword is valid.
at
weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
ava:434)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true
and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is thesame
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto

SSL & generated private key

I generated a CSR with the certificate servlet. I modified
config.xml in order to set the right files :
<SSL Enabled="true" ListenPort="7002" Name="test2" ServerCertificateChainFileName="config/mydomain/cacrt.pem"
ServerCertificateFileName="config/mydomain/servercert.pem"
ServerKeyFileName="config/mydomain/serverkey.der"/>
The serverkey.der is a copy of the file generated by the
certificate servlet.
At startup the following error occurs :
<30 juil. 01 20:23:26 CEST> <Alert> <WebLogicServer> <Security configuration problem
with certificate file config/mydomain/serverkey.der, java.io.EOFException>
java.io.EOFException
at weblogic.security.Utils.inputByte(Utils.java:133)
at weblogic.security.ASN1.ASN1Header.inputTag ASN1Header.java:125)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1028)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
at weblogic.Server.main(Server.java:35)
More over the conversion of the serverkey.der in serverkey.pem
with openssl gives the following error :
openssl rsa -in serverkey.der -outform PEM -out serverkey.pem
read RSA key
unable to load key
1276:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
.c:662:Expecting: ANY PRIVATE KEY
and reading the file by the default W2K reader gives an error too.
Need help !

Agree with S Guna, the ISP/Certificate Authority won't generate the private key, the request from your Lync server does. So the private key is already sitting on your Lync 2010 Server. Once you import the certificate generated by the certificate
authority, the private key and certificate should be paired and can be assigned to Lync.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications

How to remove Windows Sign-in with Password upon Startup

hi. Can anyone help me? Whenever we buy a new laptop, my husband always told me to "just leave it blank" , referring to the Microsoft Windows sign in with blank box for typing in a password. "This way you don't have to type your password everytime
you sign in." I am totally in agreement with this. Why do extra work everytime you open your laptop? So we have always done that. Last weekend a client made me skype with her. I had to download Skype. I was offered only two options for signing into skype:
either through Facebook or Microsoft Windows sign in, so I had to get a username and password at that point with Microsoft Windows. (Yes, there probably was some way to sign straight into Skype but the corporate relationship comes first, with Microsoft, so
they only provided me a screen with those two options. Nowhere else on the Skype screen did it say there was a third option.)
Now everytime I open my laptop I have to type my long Microsoft password. Right now I am in msconfig and reading every single running service under Startup, Services and Processes and cannot find the name of the authentication for Microsoft upon Startup,
to disable. What is the name of it? Under which category?
I use Windows 8.

On Fri, 31 Jan 2014 15:15:05 +0000, norqdo wrote:
hi. Can anyone help me? Whenever we buy a new laptop, my husband always told me to "just leave it blank"
This is not the correct forum for your question.
Please repost your question to one of the Windows 8 forums:
http://answers.microsoft.com
Paul Adare - FIM CM MVP
Q. How do you solve bus problems?
A. Shoot the driver.

How to force iOS to ask for S/MIME private key password every time?

Hi, I am using S/MIME signing and encryption on my iOS devices and I am very surprised that the system does not require password for encrypting, decrypting or signing a message when using my cell phone. Everyone with access to it (be it a thief who saw my unlock code or somebody I know personally) will be able to send/read all encrypted messages. That is a deal breaker for me and I hope I am not the only one.
So the question is: I need to be asked for a password everytime I (a) read encrypted message, (b) send a signed message or (c) send an encrypted message.
How can I do that?
I imported my key via iPhone configuration utility, but I was unable to find an option for that.

By revealing your unlock code your device is already compromised. Just like revealing your computers login password. Once the computer is compromised, any number of things can be done which render the certificate password useless. Keyloggers can be installed, the kernel can be patched to steal DPAPI keys, etc. Real software companies like Apple and Microsoft don't entertain security through obscurity.

How to setup a password upon startup?

Hello,
Is it possible to setup a password to come up upon login? If so I would appreciate any information on how to do this.
thanks,
Steve

Isn't it under system preferences/security "disable automatic login"? I'm running 10.4 on the Mac I'm at right now so I can't verify my statement.

My iphone 4 started making a sound like "boing" with a vibration/ wobbly sound. It does it at least once a day. I've reset my phone, used icloud to restore, and it made the sound again upon startup. Help! This is so annoying.

My iphone 4 started making a sound like a "boing" with a vibration/ wobbly sound. It does this at least once a day. It started about a month ago. Anyone got any ideas?

Mine does this also, seemingly randomly several times throughout the day. I do not have this sound as any of my alerts and it does not seem to denote anything like a message, reminder, etc. I do have "Trapster" on my phone and I went in and tweaked the settings there. Will repost if that has any efect.

HT200197 hi i just bought an Apple TV device and tried setting up the wireless but after i enter the 2WIRE Key Password the screen starts by saying connecting than the screen says Activating below says stting date & times and just sits there for an hour

Hi I just bought an Apple TV device i have detected the 2WIRE and entered the Product Key Password. It takes that okay the screen goes to Connecting followed by Activating below in small print it says Setting date and time but nevr leaves that screen it just clocks there for evr???

Welcome to the Apple Community.
Assuming this is not the first time you have used your Apple TV
You might try restarting the Apple TV by removing ALL the cables for 30 seconds.
Also try restarting the router. (Also try removing it’s power cord for at least 30 seconds)
If the problem persists, try a restore, you may want to try the previous procedures several times before doing this.
If restoring from the Apple TV doesn't help, try restoring from iTunes using a USB cable.
If this is a new Apple TV, in addition to trying the above, it may also be that your network router is not allowing access to the timeserver, check that your router allows access over port 123.

WebLogic and SSL: supplying private key password upon startup

Similar Messages

Maybe you are looking for