In the Keystore Type drop-down, select Java Key Store (JKS), if it is not already

10-14 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

    /home/Oracle/Middleware/oracle_common/common/bin/wlst.sh (UNIX)
    C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd (Windows)

When executed, these commands start WLST in offline mode. To use the credential store WLST commands, you must use WLST in online mode.

3. Start Oracle WebLogic Server. For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

4. Connect to the running WebLogic Server instance using the connect command. For example, the following command connects WLST to the Administration Server at the URL myAdminServer.oracle.com:7001 using the username/password credentials weblogic/welcome1:

    connect('weblogic', 'welcome1', 't3://myAdminServer.oracle.com:7001')

5. Enter the createCred command to create an entry in the credential store for the keystore name and password as follows:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

Note that you can enter any value for user. This field is ignored for the keystore-csf-key entry. The value of password must match the password that you specified when you created the keystore as described in "Generating Private Keys and Creating the Java Keystore" on page 10-9 (in this example, welcome1).

6. Enter the createCred command to create an entry in the credential store for the signature key alias and password as follows:

    createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

The values of user and password must match the alias name and password for the signature key in the keystore that you specified when you created the keystore as described in "Generating Private Keys and Creating the Java Keystore" on page 10-9. In this example, the values are orakey and welcome1.

7. Enter the createCred command to create an entry in the credential store for the encryption key alias and password as follows:

    createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

The values of user and password must match the alias name and password for the encryption key in the keystore that you specified when you created the keystore as described in "Generating Private Keys and Creating the Java Keystore" on page 10-9. In this example, the values are orakey and welcome1.

8. View the details about a key in the credential store using the listCred command as shown in the following example:

    listCred(map="oracle.wsm.security", key="enc-csf-key")

Setting Up Your Environment for Policies 10-15

Obtaining a Trusted Certificate and Importing it into the Keystore

You can obtain a certificate from a Certificate Authority (CA), such as Verisign or Entrust.net, and include it in the keystore. To get the certificate, you must create a Certificate Request and submit it to the CA. The CA will authenticate the certificate requestor and create a digital certificate based on the request.

To obtain a trusted certificate and import the certificate into the keystore:

1. Generate the private key and self-signed certificate. The self-signed certificate will be replaced by the trusted certificate. Use the keytool -genkeypair command to generate the key pair for a specified alias, in this example orakey. It will create the keystore if it did not exist.

    keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

Note: If your keystore already contains a self-signed certificate that you created previously, as described in "Generating Private Keys and Creating the Java Keystore" on page 10-9, you can ignore this step and proceed to step 2.

2. Generate the certificate request. Use the keytool -certreq command to generate the request. The following command generates a certificate request for the orakey alias and a Certificate Signing Request (CSR) named certreq_file.

    keytool -certreq -alias orakey -sigalg SHA1withRSA -file certreq_file -storetype jks -keystore default-keystore.jks

3. Submit the CSR file to a CA, such as VeriSign. The CA will authenticate the request and return a certificate or a certificate chain.

4. Import the CA root certificate, which authenticates the CA's public key. Use the keytool -importcert command to import the trusted CA root certificate (named VerisignCAcert.cer in this example), using the alias verisignca, into the default-keystore.jks keystore. The keytool utility prompts for the needed password.

    keytool -importcert -alias verisignca -trustcacerts -file VerisignCAcert.cer -keystore default-keystore.jks

5. Replace the self-signed certificate with the trusted CA certificate issued by the CA in response to the certificate request. Use the keytool -importcert command. The following command replaces the self-signed certificate for the alias orakey with the trusted CA certificate named, in this example, MyCertIssuedByVerisign.cer. The keytool utility prompts for the needed password.

    keytool -importcert -trustcacerts -alias orakey -file MyCertIssuedByVerisign.cer -keystore default-keystore.jks
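An added check, not part of the Oracle guide, that audits the end state of this procedure (and the alias that steps 6 and 7 of the credential store procedure above depend on) from the output of keytool -list -v: the key alias is a PrivateKeyEntry, the CA root is a trustedCertEntry, the entity certificate is no longer self-signed and has not expired, and it flags a SHA-1 signature such as the -sigalg SHA1withRSA shown in step 2, which public CAs no longer issue. The listing excerpt is constructed, and parse_listing and audit are names chosen here, not Oracle tooling.

```python
import re
from datetime import datetime
# Constructed excerpt of `keytool -list -v -keystore default-keystore.jks` output (illustrative, not captured).
SAMPLE_LISTING = """\
Alias name: orakey
Entry type: PrivateKeyEntry
Owner: CN=myserver.example.com, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
Valid from: Wed Jan 10 00:00:00 UTC 2024 until: Fri Jan 09 23:59:59 UTC 2026
Signature algorithm name: SHA1withRSA

*******************************************

Alias name: verisignca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Sun Jan 01 00:00:00 UTC 2040
Signature algorithm name: SHA256withRSA
"""

def parse_listing(text):
    """Map each alias to its fields; for a chain only the first (entity) certificate is kept."""
    entries = {}
    for block in re.split(r"\n\*{5,}\n", text):          # a row of '*' separates aliases
        fields = {}
        for key, value in re.findall(r"^([A-Za-z ]+): (.*)$", block, re.M):
            fields.setdefault(key.lower(), value.strip())  # first occurrence wins
        if "alias name" in fields:
            entries[fields["alias name"]] = fields
    return entries

def audit(listing, key_alias="orakey", ca_alias="verisignca", today=None):
    """Return findings; an empty list means the keystore matches the procedure's end state."""
    now = datetime.fromisoformat(today) if today else datetime.now()
    entries, findings = parse_listing(listing), []
    key = entries.get(key_alias, {})
    if key.get("entry type") != "PrivateKeyEntry":
        return [f"{key_alias}: no private key entry, run keytool -genkeypair first"]
    if entries.get(ca_alias, {}).get("entry type") != "trustedCertEntry":
        findings.append(f"{ca_alias}: CA root certificate not imported with keytool -importcert")
    if key["owner"] == key["issuer"]:
        findings.append(f"{key_alias}: still self-signed, CA-issued certificate not imported")
    until = datetime.strptime(key["valid from"].split(" until: ")[1], "%a %b %d %H:%M:%S %Z %Y")
    if until < now:
        findings.append(f"{key_alias}: certificate expired on {until:%Y-%m-%d}")
    if "SHA1" in key["signature algorithm name"].upper():
        findings.append(f"{key_alias}: SHA-1 signature, ask the CA to reissue with SHA-256")
    return findings
```

Run it against real output by piping keytool -list -v -keystore default-keystore.jks into audit; the aliases it is given should be the same ones used as user in the sign-csf-key and enc-csf-key entries.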