For OpenJDK11 with EC Key

  1. Generate an EC keypair on Utimaco HSM.

›_ Console

# keytool -genkeypair -alias weblogiceckey -keyalg EC -keystore NONE -storetype CryptoServer -storepass 12345678 -providerpath "/opt/utimaco/lib/CryptoServerJCE.jar" -providerclass CryptoServerJCE.CryptoServerProvider -J-Djava.library.path=/opt/utimaco/lib/ -J-cp -J/opt/utimaco/lib/CryptoServerJCE.jar -providername CryptoServer -v

Provide information when prompted.

Here:

  • EC is the key algorithm.

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider name.

  • weblogiceckey is the key name that will be generated on Utimaco HSM.

Figure: Key generation using keytool command

With OpenJDK 11, the RSA key algorithm is not supported with the Utimaco HSM.

2. Verify that the keys have been generated.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -storepass 12345678 -providerpath "/opt/utimaco/lib/CryptoServerJCE.jar" -providerclass CryptoServerJCE.CryptoServerProvider -J-Djava.library.path=/opt/utimaco/lib/ -J-cp -J/opt/utimaco/lib/CryptoServerJCE.jar -providername CryptoServer -v

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider’s name.

Figure: Listkeys output

  3. List the keys using cxitool.

›_ Console

# /opt/utimaco/bin/cxitool Dev=3001@127.0.0.1 Logonpass=weblogic,12345678 Group=Cryptoserver Listkeys

Figure: List keys output using cxitool

  4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias weblogiceckey -file webec.csr -keystore NONE -storetype CryptoServer -providerpath "/opt/utimaco/lib/CryptoServerJCE.jar" -providerclass CryptoServerJCE.CryptoServerProvider -J-Djava.library.path=/opt/utimaco/lib -J-cp -J/opt/utimaco/lib/CryptoServerJCE.jar -providername CryptoServer -v

Provide the keystore password when prompted.

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • CryptoServer is the provider name.

  • weblogiceckey is the key name.

  • webec.csr is the CSR file name that will be generated.

  5. Get this CSR signed by a CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Import the Root certificate into the HSM keystore.

›_ Console

# keytool -importcert -alias RootCA -file /home/LAbCA-Root.crt -storetype CryptoServer -keystore NONE -providerpath "/opt/utimaco/lib/CryptoServerJCE.jar" -providerclass CryptoServerJCE.CryptoServerProvider -J-Djava.library.path=/opt/utimaco/lib -J-cp -J/opt/utimaco/lib/CryptoServerJCE.jar -providername CryptoServer -storepass 12345678

Figure: Importing root certificate into keystore

  8. Import the signed certificate reply using the command below.

›_ Console

# keytool -importcert -alias weblogiceckey -file /home/weblogic_demo.pem -storetype CryptoServer -keystore NONE -providerpath "/opt/utimaco/lib/CryptoServerJCE.jar" -providerclass CryptoServerJCE.CryptoServerProvider -J-Djava.library.path=/opt/utimaco/lib -J-cp -J/opt/utimaco/lib/CryptoServerJCE.jar -providername CryptoServer -storepass 12345678

Figure: Import certificate reply into keystore

  9. List the keystore entries.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -storepass 12345678 -providerpath "/opt/utimaco/lib/CryptoServerJCE.jar" -providerclass CryptoServerJCE.CryptoServerProvider -J-Djava.library.path=/opt/utimaco/lib/ -J-cp -J/opt/utimaco/lib/CryptoServerJCE.jar -providername CryptoServer -v

Figure: Listkeys output
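The following script is an added example, not part of the Utimaco or WebLogic documentation: it wraps the provider options that every keytool command above repeats into one function, reads the slot PIN from an assumed HSM_PIN environment variable instead of the command line, and checks the final `keytool -list -v` output to confirm that the reply import in step 8 gave the weblogiceckey entry a complete two-certificate chain.

```shell
#!/bin/sh
# Added example, not part of the Utimaco or WebLogic documentation above.
# Paths, alias and provider names are the ones used on this page; HSM_PIN is an
# assumed environment variable holding the slot PIN (12345678 on this page).

UTIMACO_LIB=/opt/utimaco/lib
JCE_JAR="$UTIMACO_LIB/CryptoServerJCE.jar"

# Run keytool against the CryptoServer keystore with the provider options that
# every command on this page repeats. The PIN is read with keytool's
# -storepass:env, so it does not show up in the process list or shell history.
#   hsm_keytool -list -v
#   hsm_keytool -certreq -alias weblogiceckey -file webec.csr
hsm_keytool() {
    keytool "$@" \
        -keystore NONE -storetype CryptoServer -storepass:env HSM_PIN \
        -providerpath "$JCE_JAR" \
        -providerclass CryptoServerJCE.CryptoServerProvider \
        -providername CryptoServer \
        "-J-Djava.library.path=$UTIMACO_LIB" \
        -J-cp "-J$JCE_JAR"
}

# Check `keytool -list -v` output (read on stdin): succeed only if ALIAS is a
# PrivateKeyEntry whose certificate chain has exactly EXPECTED certificates.
# Before the reply import the entry carries 1 (self-signed) certificate; after
# steps 7 and 8 it should carry 2 (server certificate + root CA).
#   hsm_keytool -list -v | chain_ok weblogiceckey 2 || echo "chain incomplete"
chain_ok() {
    alias="$1"
    expected="$2"
    awk -v a="$alias" -v n="$expected" '
        /^Alias name: /               { cur = $3; type = ""; len = "" }
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { len = $4 }
        cur == a && type == "PrivateKeyEntry" && len == n { found = 1 }
        END { exit found ? 0 : 1 }'
}
```

Run `hsm_keytool -list -v | chain_ok weblogiceckey 2` after step 8; a chain length of 1 means the certificate reply was not applied to the key entry (for example because the alias did not match).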