000038710 - How to configure WebLogic to use different certificates for browsers and AFX/Agents in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 10, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038710
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle 
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
Platform/Application Server: WebLogic
IssueWhen using RSA Identity Governance & Lifecycle on WebLogic, SSL can be used for browser communication if desired; one for browser communication that is publicly signed, and another for the internal SSL communication for AFX and remote agents. The purpose of this RSA Knowledge Base Article is to provide instructions for configuring the two different certificates.

Keystore for browser communication

In the WebLogic Administration Console the server's certificate is specified under:

Environment > Servers > Instance Name > SSL tab > Private Key Alias field.


Keystore for internal SSL communication for AFX and remote agents

The certificate alias for AFX/Remote Agents is documented as being created with a channel named Aveksa8444 which can be edited under

Environment > Servers > Instance Name ProtocolsAveksa8444Security tabCustom Channel Private Key Alias.

Warning: The server.keystore uses the server alias server. If you import server.keystore into your WebLogic keystore, it is possible that there will be a conflict with the certificate alias server that is commonly used

If you have your own certificate that is currently in use in a WebLogic keystore and the server alias is server, run this command to rename the alias prior to importing server.keystore into your WebLogic keystore as instructed in RSA Identity Governance & Lifecycle Installation Guide. In the example below, server.jks is the name of your existing keystore.

keytool -changealias -keystore server.jks -alias server -destalias aveksa-server

What is important is that there are two different certificates in the WebLogic keystore both with different aliases that are known to you..


The following example shows screenshots of a configuration where the WebLogic keystore has two certificates one named weblogic-server and the other is aveksa-server:

  • WebLogic certificate for port 7004 SSL connections:

User-added image

  • RSA Identity Governance & Lifecycle port 8444 for SSL connections:

User-added image