Important: If you are deploying an Endeca Server cluster,
make sure to generate SSL certificates after you have installed the Endeca
Server on the Admin Server and before you have cloned the Admin Server to
create Managed Servers in the WebLogic domain configured for the Endeca Server
application.
To generate SSL certificates:
The generate_ssl_keys utility creates these SSL certificates in the $DOMAIN_HOME/config/ssl directory:
- dgraphCA.pem — Certificate authority file used by all clients and servers to authenticate the other endpoint of a communication channel with the Endeca Server. Used with the Dgraph --sslcafile flag.
- dgraphCert.pem — Certificate file used by all clients and servers to specify their identity when using SSL to connect to the Oracle Endeca Server. This certificate should be thought of as the identity of the system powered by the Dgraph, or as the identity of all components of the system. Used with the Dgraph --sslcertfile flag.
- endecaServerCerts.ks — Java identity keystore.
- endecaServerClientCert.ks — Java keystore used for Endeca Server clients. Used for the keystore parameter of EndecaCmd.properties.
- endecaServerTrustStore.ks — Java truststore used for Endeca Server clients. Used for the truststore parameter of EndecaCmd.properties.
- esClientCert.p12 — Personal Information Exchange (PKCS12-format) key file. Note that this client key has its own password, which is the user-entered passphrase plus "clientkey" appended.
Besides generating the SSL keys, the utility also:
- Updates the EndecaServer.properties and EndecaCmd.properties files (in the $DOMAIN_HOME/config directory) with the pathnames of the key files.
- Enables the SSL Listen Port of 7002 in WebLogic Server, and sets 7002 as the port on which Endeca Server is started.
- For the Admin Server, sets endecaServerCerts.ks as the custom identity keystore and endecaServerTrustStore.ks as the custom trust keystore. Both settings are visible from the Admin Server's Keystores tab.
- For the Admin Server, sets Oracle Endeca Server Certificate as the Private Key Alias. This setting is visible from the Admin Server's SSL tab.
Note that enabling the SSL port 7002 does not disable the non-SSL (HTTP) port 7001, which remains enabled so that you can connect to the Administration Console.
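The following post-run check is an added example, not part of the Oracle documentation or tooling. It confirms that the six files listed above exist, flags any that are world-readable, and tests the certificate chain and the derived esClientCert.p12 password. It assumes that openssl is on the PATH, that dgraphCert.pem is issued by dgraphCA.pem, and that the passphrase is supplied in a variable named SSL_PASSPHRASE (a hypothetical name chosen here).

```shell
#!/bin/sh
# Added example (not Oracle code): sanity checks on generate_ssl_keys output.
# Usage: SSL_PASSPHRASE=... check_ssl_dir "$DOMAIN_HOME/config/ssl"
# SSL_PASSPHRASE is a hypothetical variable holding the passphrase you entered.

EXPECTED_FILES="dgraphCA.pem dgraphCert.pem endecaServerCerts.ks
endecaServerClientCert.ks endecaServerTrustStore.ks esClientCert.p12"

# Print every documented file that is absent or empty in directory $1.
missing_ssl_files() {
    for f in $EXPECTED_FILES; do
        [ -s "$1/$f" ] || printf '%s\n' "$f"
    done
}

# Print every documented file in $1 whose mode grants read access to "other".
world_readable_ssl_files() {
    for f in $EXPECTED_FILES; do
        [ -e "$1/$f" ] || continue
        if [ -n "$(find "$1/$f" -perm -004)" ]; then printf '%s\n' "$f"; fi
    done
}

# Succeed if dgraphCert.pem verifies against dgraphCA.pem (assumed issuer).
cert_chains_to_ca() {
    openssl verify -CAfile "$1/dgraphCA.pem" "$1/dgraphCert.pem" >/dev/null 2>&1
}

# Succeed if esClientCert.p12 opens with "<passphrase>clientkey".
# The password reaches openssl through its environment, not the command line.
p12_opens_with_derived_password() {
    P12_PASS="${SSL_PASSPHRASE:-}clientkey" \
        openssl pkcs12 -in "$1/esClientCert.p12" -noout -passin env:P12_PASS >/dev/null 2>&1
}

# Run all checks on directory $1; return 0 only if every check passes.
check_ssl_dir() {
    rc=0
    m=$(missing_ssl_files "$1")
    w=$(world_readable_ssl_files "$1")
    [ -z "$m" ] || { echo "missing or empty:" $m; rc=1; }
    [ -z "$w" ] || { echo "world-readable:" $w; rc=1; }
    cert_chains_to_ca "$1" || { echo "dgraphCert.pem does not verify against dgraphCA.pem"; rc=1; }
    p12_opens_with_derived_password "$1" || { echo "esClientCert.p12 rejected <passphrase>clientkey"; rc=1; }
    return "$rc"
}
```

On OpenSSL 3.x the PKCS12 check may need the -legacy option if the key file uses older encryption algorithms.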