7-4 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Business Intelligence
Examples:
HOST> java utils.CertGen welcome1 HOST.mycompany.com_cert HOST.mycompany.com_key domestic HOST.mycompany.com
HOST> java utils.CertGen welcome1 VIP.mycompany.com_cert VIP.mycompany.com_key domestic VIP.mycompany.com
Sample output for the command shown in the first example is:
...... Will generate certificate signed by CA from CertGenCA.der file
...... With Domestic Key Strength
...... Common Name will have Hostname HOST.mycompany.com
...... Issuer CA name is CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
7.3.2 Creating an Identity Keystore Using the utils.ImportPrivateKey Utility
Follow these steps to create an identity keystore on HOST:
1. Create a new identity keystore called appIdentityKeyStore using the utils.ImportPrivateKey utility. Create this keystore under the same directory as the certificates, that is, ORACLE_BASE/admin/domain_name/aserver/domain_name/certs.
2. Import the certificate and private key for both HOST.mycompany.com and VIP.mycompany.com into the identity store. Make sure that you use a different alias for each of the certificate/key pairs imported.
Syntax, all on a single line:
java utils.ImportPrivateKey Keystore_File Keystore_Password Certificate_Alias_to_Use Private_Key_Passphrase Certificate_File Private_Key_File [Keystore_Type]
Examples:
HOST> java utils.ImportPrivateKey appIdentityKeyStore.jks welcome1 appIdentity1 welcome1 ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/HOST.mycompany.com_cert.pem ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/HOST.mycompany.com_key.pem
HOST> java utils.ImportPrivateKey appIdentityKeyStore.jks welcome1 appIdentity2 welcome1 ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/VIP.mycompany.com_cert.pem ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/VIP.mycompany.com_key.pem
Note: The identity store is created, if none exists, when you import a certificate and the corresponding key into the identity store using the utils.ImportPrivateKey utility.
Setting Up Node Manager 7-5
7.3.3 Creating a Trust Keystore Using the Keytool Utility
You only need to perform the steps in this section for the first Managed Server. Follow these steps to create the trust keystore on HOST1:
1. Copy the standard Java keystore to create the new trust keystore because it already contains most of the root CA certificates needed. Oracle does not recommend modifying the standard Java trust keystore directly. Copy the standard Java keystore CA certificates located under the WL_HOME/server/lib directory to the same directory as the certificates. For example:
HOST> cp WL_HOME/server/lib/cacerts ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appTrustKeyStore.jks
2. The default password for the standard Java keystore is changeit. Oracle recommends always changing the default password. Use the keytool utility to do this. The syntax is all on a single line:
APPHOST1> keytool -storepasswd -new New_Password -keystore Trust_Keystore -storepass Original_Password
For example:
HOST> keytool -storepasswd -new welcome1 -keystore appTrustKeyStore.jks -storepass changeit
3. The CA certificate CertGenCA.der is used to sign all certificates generated by the utils.CertGen tool. It is located in the WL_HOME/server/lib directory. This CA certificate must be imported into the appTrustKeyStore using the keytool utility. The syntax is all on a single line:
HOST> keytool -import -v -noprompt -trustcacerts -alias Alias_Name -file CA_File_Location -keystore Keystore_Location -storepass Keystore_Password
For example:
HOST> keytool -import -v -noprompt -trustcacerts -alias clientCACert -file WL_HOME/server/lib/CertGenCA.der -keystore appTrustKeyStore.jks -storepass welcome1
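To confirm the result of sections 7.3.2 and 7.3.3 before pointing Node Manager at the keystores, the following added example (not part of the Oracle guide) checks keytool -list output for the expected aliases and entry types. The function name check_entries and the sample listings are constructed for illustration, and the parser assumes the default English-locale listing format.

```shell
#!/bin/sh
# Added example (not Oracle's code). Reads `keytool -list` output on stdin:
#   keytool -list -keystore appIdentityKeyStore.jks | \
#       check_entries appIdentity1:PrivateKeyEntry appIdentity2:PrivateKeyEntry

# check_entries ALIAS:TYPE ...
# Prints one line per problem; returns 0 only if every expected alias is
# present with the expected entry type.
check_entries() {
    listing=$(cat)
    status=0
    for want in "$@"; do
        # JKS stores aliases in lower case, so compare case-insensitively.
        alias_lc=$(printf '%s' "${want%%:*}" | tr '[:upper:]' '[:lower:]')
        type=${want#*:}
        # Entry lines look like "alias, Mar 3, 2011, PrivateKeyEntry,":
        # alias is the first comma field, type the last non-empty one.
        found=$(printf '%s\n' "$listing" | awk -F', *' -v a="$alias_lc" '
            NF >= 3 && tolower($1) == a {
                n = NF; if ($n == "") n--
                print $n; exit
            }')
        if [ -z "$found" ]; then
            echo "MISSING ${want%%:*}"; status=1
        elif [ "$found" != "$type" ]; then
            echo "WRONGTYPE ${want%%:*} is $found, expected $type"; status=1
        fi
    done
    return $status
}

# Constructed sample listings (fingerprints are placeholders).
sample_identity_listing() {
    cat <<'EOF'
Your keystore contains 2 entries
appidentity1, Mar 3, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (placeholder)
appidentity2, Mar 3, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:11:11:11 (placeholder)
EOF
}
sample_trust_listing() {
    printf '%s\n' 'clientcacert, Mar 3, 2011, trustedCertEntry,' \
        'Certificate fingerprint (SHA1): 22:22:22:22 (placeholder)'
}

sample_identity_listing | check_entries appIdentity1:PrivateKeyEntry appIdentity2:PrivateKeyEntry
sample_trust_listing | check_entries clientCACert:trustedCertEntry && echo "keystores OK"
```

Omitting -storepass on the real keytool -list command makes keytool prompt for the password instead of exposing it in the process list and shell history.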
7.3.4 Configuring Node Manager to Use the Custom Keystores