How To Configure WebLogic Managed Server To Listen On HTTPS Only In FMW 11g
Posted by Patrick Hamou on 2017:09:08 14:50:05
APPLIES TO:
Oracle WebLogic Server - Version 10.3.1 and later
Information in this document applies to any platform.
***Checked for relevance on 28-Jul-2014***
GOAL
How to Configure WebLogic Managed Server to listen on HTTPS *only* in FMW 11g
By following this note you will disable the Managed Server HTTP port.
This note is for configuring a WebLogic *Managed Server* for *SSL only*, i.e. the HTTP port is *DISABLED*. If the requirement is to configure the *AdminServer* for *SSL only*, i.e. the HTTP port is *DISABLED*, then follow Note 1353951.1 How to Configure WebLogic Admin Server to Listen on SSL Only and associated FMW Considerations
To configure the AdminServer or a Managed Server for SSL where the HTTP port is still *ENABLED*, follow Note 1235653.1 Configuring Oracle WebLogic Server (10.3.X) to use SSL in Fusion Middleware 11g (11.1.1.X)
SOLUTION
The steps involved are as follows:
Step I: Configure WebLogic Server for SSL
Step II: Disable the HTTP Port
Step III: Configure the Admin Server Trust Keystore
Step I: Configure WebLogic Server for SSL
1. If you haven't already done so, configure WebLogic to listen on SSL. See Note 1235653.1 Configuring Oracle WebLogic Server (10.3.X) to use SSL in Fusion Middleware 11g (11.1.1.X)
2. Before moving on make sure you can access WLS via https.
Step II: Disable the HTTP Port
1. Access the WLS Console:
Navigate to: <Domain> -> Environment -> Servers -> <Managed_Server> -> General tab
Uncheck the "Listen Port enabled" box
Click "Save"
2. Test you can access the Managed Server via HTTPS only, and not HTTP
Step III: Configure the Admin Server Trust Keystore
At this point we also need to configure the Admin Server Trust Store to verify the certificate in the Managed Server keystore. Failure to do this will result in errors in the Admin Server console, and cause problems when the Managed Server and Admin Server communicate. (See Note 1268324.1 Certificate Errors in Admin Console and Logs After Disabling HTTP for Managed Server).
The instructions below make the following assumptions:
The Admin Server is using the default Java Standard Trust Keystore
The Managed Server is using a self-signed certificate (if using a self-signed certificate, see the Addendum at the end of this note and then continue at point 2 below).
If your Admin Server is using a different Trust, then the instructions are the same, but make sure you specify the correct Trust store when importing the certificate.
1. Export the Trusted Certificate(s) that signed the certificate in the Managed Server's keystore:
keytool -export -alias <trust_alias> -file <filename> -keystore <path_to_managed_server_keystore_file>
For example:
keytool -export -alias rootcacert -file rootca.cer -keystore $MIDDLEWARE_HOME/keystores/mykeystore.jks
2. Find the current AdminServer Trust Keystore location. In the WLS Console navigate to: <Domain> -> Environment -> Servers -> AdminServer -> Keystores tab, and make a note of the Java Standard Trust Keystore:
For example:
$MIDDLEWARE_HOME/jdk160_18/jre/lib/security/cacerts
3. Import the trusted certificate exported above into this Trust keystore:
keytool -import -trustcacerts -alias <trust_alias> -file <filename> -keystore <path_to_admin_server_truststore_file> -storepass <password>
For example:
keytool -import -trustcacerts -alias rootcacert -file rootca.cer -keystore $MIDDLEWARE_HOME/jdk160_18/jre/lib/security/cacerts -storepass changeit
4. At this point the configuration is complete. Restart both the Admin Server and Managed Server, and make sure no errors occur relating to SSL or certificates in the logs and AdminServer console.
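The two things worth confirming after the restart are exactly what Steps II and III changed: the Managed Server's HTTP Listen Port no longer accepts connections, and its SSL certificate chains to a trust anchor the Admin Server holds. The following script is an added example, not part of the original note; host and port values are placeholders, and it assumes the Admin Server's trust anchor has been exported from cacerts to PEM with `keytool -exportcert -rfc`, since Python's ssl module cannot open a JKS keystore.

```python
"""Post-change checks for a Managed Server configured for HTTPS only.

Added example, not part of the original note. Host and port values are
placeholders. The Admin Server's trust anchor is assumed to have been exported
to PEM first, because Python's ssl module cannot open a JKS keystore:
  keytool -exportcert -rfc -alias rootcacert -keystore <cacerts> -file rootca.pem
"""
import socket
import ssl


def tcp_port_state(host: str, port: int, timeout: float = 3.0) -> str:
    """'refused' means nothing listens there (what a disabled Listen Port looks like),
    'open' means something still accepts connections, 'unreachable' means the
    connection timed out or failed for another reason (firewall, bad host)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def tls_peer_verified(host: str, port: int, ca_pem: str, check_hostname: bool = True):
    """Handshake with the SSL Listen Port and verify the server certificate against
    ca_pem, the same check the Admin Server performs with its trust keystore.
    Returns (True, peer CN) on success or (False, reason) on failure."""
    try:
        ctx = ssl.create_default_context(cafile=ca_pem)
        ctx.check_hostname = check_hostname
        with socket.create_connection((host, port), timeout=5.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return True, subject.get("commonName", "")
    except ssl.SSLCertVerificationError as e:   # subclass of SSLError: catch it first
        return False, f"certificate not trusted: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:        # refused port, missing ca_pem, protocol error
        return False, str(e)


def verify_https_only(host: str, http_port: int, https_port: int, ca_pem: str) -> dict:
    """Step II (HTTP port disabled) and Step III (chain trusted) checked in one go."""
    ok, detail = tls_peer_verified(host, https_port, ca_pem)
    return {
        "http_disabled": tcp_port_state(host, http_port) == "refused",
        "https_trusted": ok,
        "detail": detail,
    }


if __name__ == "__main__":
    # Placeholder values: substitute your Managed Server host, ports and PEM file.
    print(verify_https_only("managed-host.example", 7003, 7004, "rootca.pem"))
```

A `certificate not trusted` detail here is the same failure the Admin Server reports in its console and logs when Step III was skipped (Note 1268324.1).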
Addendum for Self-Signed Certificates
Only follow this section if your Managed Server uses a self-signed certificate.
If a self-signed certificate was used in Step I, it is possible that the Managed Server keystore does not contain a Trusted CA entry, only a Certificate entry, in which case the following extra steps are needed:
1. Export the certificate from the Managed Server Identity Keystore:
keytool -export -alias <selfsigned_alias> -file <filename> -keystore <path_to_keystore_file>
For example:
keytool -export -alias selfsigned -file selfsigned.cer -keystore $MIDDLEWARE_HOME/keystores/mykeystore.jks
2. Import the certificate as a trusted certificate into the same keystore:
keytool -import -trustcacerts -alias <alias> -file <filename> -keystore <keystore> -storepass <password>
For example:
keytool -import -trustcacerts -alias rootcacert -file selfsigned.cer -keystore $MIDDLEWARE_HOME/keystores/mykeystore.jks
REFERENCES
NOTE:1218695.1 - Master Note for SSL Configuration in Fusion Middleware 11g
NOTE:1235653.1 - Configuring Oracle WebLogic Server (10.3.X - 12.1.X) to use SSL in Fusion Middleware 11g/12c
NOTE:1268324.1 - Certificate Errors in Admin Console and Logs After Disabling HTTP for Managed Server