When using RSA Identity Governance & Lifecycle on WebLogic, two SSL certificates can be used if desired: one for browser communication that is publicly signed, and another for the internal SSL communication for AFX and remote agents. The purpose of this RSA Knowledge Base Article is to provide instructions for configuring the two different certificates.
Keystore for browser communication
In the WebLogic Administration Console the server's certificate is specified under:
Environment > Servers > Instance Name > SSL tab > Private Key Alias field.
Keystore for internal SSL communication for AFX and remote agents
The certificate alias for AFX/Remote Agents is documented as being created with a channel named Aveksa8444 which can be edited under
Warning: The server.keystore uses the server alias server. If you import server.keystore into your WebLogic keystore, it is possible that there will be a conflict with the certificate alias server that is commonly used
If you have your own certificate that is currently in use in a WebLogic keystore and the server alias is server, run this command to rename the alias prior to importing server.keystore into your WebLogic keystore as instructed in the RSA Identity Governance & Lifecycle Installation Guide. In the example below, server.jks is the name of your existing keystore.
keytool -changealias -keystore server.jks -alias server -destalias aveksa-server
What is important is that there are two different certificates in the WebLogic keystore, each with a different alias that is known to you.
The following example shows screenshots of a configuration where the WebLogic keystore has two certificates, one named weblogic-server and the other named aveksa-server:
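One way to check for the alias conflict described in the warning before importing, as an added example that is not part of the RSA article: it compares the aliases in two keytool -list -v listings and reports any alias present in both. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input is the text printed by `keytool -list -v -keystore <file>`;
# the listings below are constructed samples, not output from a real deployment.

# Emit "alias<TAB>entry type" per entry. Aliases are lowercased so the
# comparison is case-insensitive (a conservative choice for this check).
list_entries() {
    awk '/^Alias name: / { alias = tolower(substr($0, 13)) }
         /^Entry type: / { print alias "\t" substr($0, 13) }'
}

# Aliases that hold a private key, i.e. candidates for an SSL identity.
private_key_aliases() {
    list_entries | awk -F '\t' '$2 == "PrivateKeyEntry" { print $1 }' | sort
}

# Aliases present in both listings ($1 = existing keystore, $2 = keystore to import).
alias_conflicts() {
    existing=$(printf '%s\n' "$1" | list_entries | cut -f1)
    printf '%s\n' "$2" | list_entries | cut -f1 | while IFS= read -r a; do
        if printf '%s\n' "$existing" | grep -Fxq -- "$a"; then printf '%s\n' "$a"; fi
    done
}

# Constructed listing of the existing WebLogic keystore (server.jks in the article).
EXISTING='Alias name: server
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry

Alias name: rootca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry'

# Constructed listing of the product keystore (server.keystore in the article).
INCOMING='Alias name: server
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry'

# The existing listing as it would look after the -changealias command above.
RENAMED=$(printf '%s\n' "$EXISTING" | sed 's/^Alias name: server$/Alias name: aveksa-server/')

echo "conflicts before rename: $(alias_conflicts "$EXISTING" "$INCOMING")"
echo "conflicts after rename:  $(alias_conflicts "$RENAMED" "$INCOMING")"
```

To run it against real files, pass "$(keytool -list -v -keystore server.jks)" and the equivalent listing of server.keystore as the two arguments to alias_conflicts.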
WebLogic certificate for port 7004 SSL connections:
RSA Identity Governance & Lifecycle port 8444 for SSL connections: