000033069 - How to configure WebLogic to use different certificates for browsers and AFX / Agents for RSA Via Lifecycle and Governance

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000033069
Applies To: RSA Product Set: Identity Management and Governance
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.9.1
Platform: WebLogic
Product Description: Access Certification Manager
Issue: The WebLogic installation guide that is included with RSA Via Lifecycle and Governance mentions that SSL can be used for browser communication if desired, but it gives no instructions on how to configure the server to use two different certificates: one, publicly signed, for browser communication, and another for the internal SSL communication for AFX and remote agents.
Cause: If you import our server.keystore into your WebLogic keystore, it is possible that there will be a conflict with the certificate alias "server", which is commonly used.
Workaround: If your own certificate is currently in use in a WebLogic keystore and its alias is "server", run this command to rename the alias prior to importing our server.keystore into your WebLogic keystore/JKS as instructed in our RSA Via Lifecycle and Governance Installation Guide V7.0:
keytool -changealias -keystore server.jks -alias server -destalias aveksa-server

What is important is that the JKS contains two different certificates, each with a different alias that is known to you.
In the WebLogic Administration Console, the server's certificate is specified under Environment > Servers > Instance Name > SSL tab > Private Key Alias field.
The certificate alias for AFX/Remote Agents is documented as being created with a channel named Aveksa8444, which can be edited under:
Environment > Servers > Instance Name > Protocols > Aveksa8444 > Security tab > Custom Channel Private Key Alias.
Here are screenshots of a configuration where WebLogic's JKS has two certificates, one named weblogic-server and the other aveksa-server:
  • WebLogic's certificate for port 7004 SSL connections:
User-added image

  • RSA Via Lifecycle and Governance port 8444 for SSL connections:
User-added image
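
As an added example (not part of the original article or of RSA's tooling), the shell functions below check keytool -list output for the two conditions this article depends on: no alias shared between the existing keystore and the one being imported, and both configured aliases present as private-key entries. The listings are constructed samples; the alias "server" in the imported keystore and the rootca entry are assumptions.

```shell
#!/bin/sh
# Added example, not RSA's code. All listings are constructed samples in the
# format printed by: keytool -list -keystore <file>

# Print the alias of each entry line, e.g. "server, Jun 14, 2016, PrivateKeyEntry,"
aliases() { awk -F', *' '/Entry, *$/ { print $1 }'; }

# Print aliases present in both listings; these would clash on import.
alias_conflicts() {
    other=$(printf '%s\n' "$2" | aliases)
    printf '%s\n' "$1" | aliases | while IFS= read -r a; do
        if printf '%s\n' "$other" | grep -Fxq -- "$a"; then printf '%s\n' "$a"; fi
    done
}

# Succeed only if alias $2 is a PrivateKeyEntry in listing $1 (a
# trustedCertEntry has no private key, so it cannot back an SSL listener).
has_private_key() {
    printf '%s\n' "$1" | awk -F', *' -v want="$2" '
        /Entry, *$/ && $1 == want && $(NF-1) == "PrivateKeyEntry" { ok = 1 }
        END { exit !ok }'
}

# Constructed: existing WebLogic keystore before the rename.
WEBLOGIC_BEFORE='Your keystore contains 1 entry

server, Jun 14, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (constructed)'

# Constructed: keystore to be imported; the alias "server" is assumed.
IMPORT_KEYSTORE='Your keystore contains 1 entry

server, Jun 14, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:11:11:11 (constructed)'

# Constructed: merged keystore with the two aliases named in the article,
# plus a hypothetical CA entry (rootca) that holds no private key.
WEBLOGIC_AFTER='Your keystore contains 3 entries

weblogic-server, Jun 14, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (constructed)
aveksa-server, Jun 14, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:11:11:11 (constructed)
rootca, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22 (constructed)'

echo "conflicts before rename: $(alias_conflicts "$WEBLOGIC_BEFORE" "$IMPORT_KEYSTORE")"
for a in weblogic-server aveksa-server; do
    if has_private_key "$WEBLOGIC_AFTER" "$a"; then echo "$a: ok"; else echo "$a: no key entry"; fi
done
```

Against a real keystore, pass the captured output of keytool -list as the listing argument; an alias entered in either Private Key Alias field that fails has_private_key is not usable by that listener.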