How to configure WebLogic to use different certificates for browsers and AFX/Agents in RSA Identity Governance & Lifecycle
Originally Published: 2020-04-09
Article Number
000064007
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle 
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.x
Platform/Application Server: WebLogic
 
Issue
When using RSA Identity Governance & Lifecycle on WebLogic, SSL can be configured with two different certificates: one for browser communication that is publicly signed, and another for the internal SSL communication used by AFX and remote agents. The purpose of this RSA Knowledge Base Article is to provide instructions for configuring the two different certificates.
 
Resolution

Keystore for browser communication

In the WebLogic Administration Console the server's certificate is specified under:
Environment > Servers > Instance Name > SSL tab > Private Key Alias field.
 

Keystore for internal SSL communication for AFX and remote agents

The certificate alias for AFX/Remote Agents is documented as being created on a channel named Aveksa8444, which can be edited under:
Environment > Servers > Instance Name > Protocols tab > Aveksa8444 > Security tab > Custom Channel Private Key Alias field.


Warning: server.keystore stores its certificate under the alias server. If you import server.keystore into your WebLogic keystore, it may conflict with an existing certificate that uses the commonly used alias server.

If you have your own certificate that is currently in use in a WebLogic keystore and the server alias is server, run this command to rename the alias prior to importing server.keystore into your WebLogic keystore as instructed in RSA Identity Governance & Lifecycle Installation Guide. In the example below, server.jks is the name of your existing keystore.
keytool -changealias -keystore server.jks -alias server -destalias aveksa-server
What is important is that the WebLogic keystore ends up containing two different certificates, each under a distinct alias that is known to you.
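As an added example (not from this article or the RSA installation guide), the following POSIX shell script performs the alias check and rename described above before importing server.keystore, then confirms that both aliases are present. It assumes keytool from the JDK is on the PATH and that the import is done with keytool -importkeystore; the keystore file names, passwords and the weblogic-server alias are placeholders.

```shell
#!/bin/sh
# Constructed example: make room for server.keystore (alias "server") in a
# WebLogic JKS keystore that may already hold a certificate under "server".
set -eu

# list_aliases KEYSTORE STOREPASS -> one alias per line, parsed from keytool -list.
# keytool prints "alias, date, PrivateKeyEntry," (or trustedCertEntry) per entry.
list_aliases() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | awk -F, '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}

# alias_in_list ALIAS LIST -> exit 0 if ALIAS is one of the newline-separated LIST.
alias_in_list() {
  printf '%s\n' "$2" | grep -qx -- "$1"
}

# merge_keystores WL_KEYSTORE WL_PASS AVEKSA_KEYSTORE AVEKSA_PASS
# 1. Rename an existing "server" alias in the WebLogic keystore to weblogic-server
#    (placeholder name) so the import cannot clash with it.
# 2. Import the "server" entry from server.keystore under the alias aveksa-server.
# 3. Return 0 only if both aliases are present afterwards.
merge_keystores() {
  wl=$1; wlpass=$2; av=$3; avpass=$4
  before=$(list_aliases "$wl" "$wlpass")
  if alias_in_list server "$before"; then
    keytool -changealias -keystore "$wl" -storepass "$wlpass" \
      -alias server -destalias weblogic-server
  fi
  # -destalias renames the entry on import; -noprompt suppresses the confirmation.
  keytool -importkeystore -srckeystore "$av" -srcstorepass "$avpass" -srcalias server \
    -destkeystore "$wl" -deststorepass "$wlpass" -destalias aveksa-server -noprompt \
    >/dev/null 2>&1
  after=$(list_aliases "$wl" "$wlpass")
  alias_in_list weblogic-server "$after" && alias_in_list aveksa-server "$after"
}
```

Run it as merge_keystores server.jks STOREPASS server.keystore STOREPASS; a non-zero exit means one of the two expected aliases is missing and the WebLogic SSL configuration should not be changed until the keystore is inspected with keytool -list.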


EXAMPLE:

The following example shows screenshots of a configuration where the WebLogic keystore holds two certificates, one under the alias weblogic-server and the other under the alias aveksa-server:
  • WebLogic certificate (alias weblogic-server) for port 7004 SSL connections
  • RSA Identity Governance & Lifecycle certificate (alias aveksa-server) for port 8444 SSL connections