Sunday, September 25, 2011

Configuring 2-way SSL with Oracle Service Bus

Two things must be set up: Identity and Trust.

Identity represents the server itself. This corresponds to the server's private key (its public key is embedded in its certificate).

Trust is for when WebLogic is communicating with clients over 2-way SSL. It must store a list of certificates it trusts; the client must then supply one of these as part of the handshake.

Server-side configuration (i.e. for terminating 2-way SSL requests)

Enable X509 as an Identity Asserter type.

Error if it is not enabled:

X.509 token identity assertion is not enabled in the security realm

Go to Security / myrealm / Providers / Authentication / DefaultIdentityAsserter

Add X509 to the DefaultIdentityAsserter's active types. (Note that wsse.PasswordDigest is also listed here, for WS-Security UsernameToken; Digest Replay Detection Enabled can also be set here. To use password digests you must also set "Enable Password Digests" in the DefaultAuthenticator.)

Restart Server

Next Step

Error

The X.509 username-mapper sub-plugin of the default identity asserter in not configured

HTTPS inbound endpoint inboundEndpoint specifies CLIENT-CERT authentication, therefore the username mapper properties of the default identity asserter must be configured (this is required to support 2-way SSL)

Action

Configure the username-mapper fields of the Default Identity Assertion provider in the security realm pages of the WebLogic Server console

Client

Configuring 2-way SSL with SoapUI (client)

Most of these settings live in the Global Preferences, so they cannot be saved per project.

First, load the KeyStore (where the client certificate is stored) in the SSL tab of the Preferences.

Note: the "Requires Client Authentication" box is part of the Mock definitions and is not required for a client configuration.

You may also need to configure a proxy (I did) if your client is on the external web and you use a proxy to access it.

Keytool commands (each command is followed by its description)

keytool -genkey -keystore keystorename -storepass keystorepassword
    Generates a new private key entry and self-signed digital certificate in a keystore. If the keystore does not exist, it is created.

keytool -import -alias aliasforprivatekey -file privatekeyfilename.pem -keypass privatekeypassword -keystore keystorename -storepass keystorepassword
    Updates the self-signed digital certificate with one signed by a trusted CA.

keytool -import -alias aliasfortrustedca -trustcacerts -file trustedcafilename.pem -keystore keystorename -storepass keystorepassword
    Loads a trusted CA certificate into a keystore. If the keystore does not exist, it is created.

keytool -certreq -alias alias -sigalg sigalg -file certreq_file -keypass privatekeypassword -storetype keystoretype -keystore keystorename -storepass keystorepassword
    Generates a Certificate Signing Request (CSR), using the PKCS#10 format, and a self-signed certificate with a private key. Stores the CSR in the specified certreq_file, and the certificate/private key pair as a key entry in the specified keystore under the specified alias.

keytool -list -keystore keystorename
    Displays what is in the keystore.

keytool -delete -keystore keystorename -storepass keystorepassword -alias privatekeyalias
    Deletes the entry identified by the specified alias from the keystore.

keytool -help
    Provides online help for keytool.

Initial Setup steps

In order to enable outbound two-way SSL (i.e. the middleware (OSB) making a two-way SSL call out to a client) we need to create a Service Key Provider.

Create a Service Key Provider

To use a service key provider, you must configure a PKI credential mapping provider.

To use the PKI Credential Mapping provider, you need to:

  1. Configure keystores with appropriate keys and distribute the keystores on all machines in a WebLogic Server cluster. Setting up keystores is not a WebLogic Server function. For information about setting up keystores, see the help for the Java keytool utility at http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html. See also Configuring Identity and Trust, for information about keystores and keys in WebLogic Server.
  2. Configure a PKI Credential Mapping provider. A PKI Credential Mapping provider is not already configured in the default security realm (myrealm). See PKI Credential Mapper Attributes and Configure Credential Mapping providers in the Administration Console online help.
  3. Create credential mappings. See Create PKI Credential Mappings in the Administration Console online help.

Create Java Keystore in Domain

Create a Keystore. Import certificate (user identification certificate) into keystore.

See http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/model.html#wp1089312

(see step 6)

Configure each WebLogic Server instance to have access to its own copy of each keystore. All entries referred to by the PKI credential mapper must exist in all keystores (same entry with the same alias).

You may have to convert the certificate to a format understood by keytool:

keytool -importkeystore -srckeystore pki\GTMSWebUser.pfx -srcstoretype pkcs12 -destkeystore ./pkiKeystore

So I was able to directly import the pfx file containing the private key and certificate.

From OSB this was then accessible in the Service Key Provider. Note: when selecting the key, you must supply the private key password to access it (not the keystore password).
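As an added example (not code from this post, from Oracle, or from WebLogic), the following Java program checks the two halves described above before they are wired into a Service Key Provider: the identity keystore (the alias must be a private-key entry that is recoverable with the private key password rather than the keystore password, as just noted) and the trust store (the certificate must chain to a CA the store trusts, which is what the server side checks during the handshake). It then builds the SSLContext an outbound 2-way SSL client would use. The file names, store type, aliases, passwords and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (not from the post): sanity-check the identity keystore and the
// trust store used for 2-way SSL, then build an SSLContext from them.
// All paths, aliases and passwords below are placeholders.
public class TwoWaySslCheck {

    // Load a JKS or PKCS12 keystore from disk with the *store* password.
    static KeyStore load(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    // Identity check: the alias must be a private-key entry, and the key must be
    // recoverable with the *key* password, which may differ from the store password.
    static X509Certificate checkIdentity(KeyStore identity, String alias, char[] keyPass) throws Exception {
        if (!identity.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private-key entry");
        }
        try {
            identity.getKey(alias, keyPass); // wrong key password -> UnrecoverableKeyException
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException(
                "private key password for '" + alias + "' is wrong (it is not the keystore password)", e);
        }
        X509Certificate cert = (X509Certificate) identity.getCertificate(alias);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        return cert;
    }

    // Trust check: some trusted-certificate entry must be the issuer of the given
    // certificate, and that issuer's public key must verify the certificate's signature.
    static boolean isIssuedByTrustedCa(KeyStore trust, X509Certificate cert) throws Exception {
        Enumeration<String> aliases = trust.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            if (!trust.isCertificateEntry(a)) continue;
            Certificate c = trust.getCertificate(a);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (cert.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
                try {
                    cert.verify(ca.getPublicKey());
                    return true;
                } catch (Exception notTheSigningKey) {
                    // same issuer name but a different key; keep looking
                }
            }
        }
        return false;
    }

    // Build the client side of 2-way SSL: present our certificate (identity) and
    // verify the remote server against our trust store.
    static SSLContext buildContext(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass); // key password, not store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: point these at the keystore built with keytool -importkeystore above
        // and at a trust store that also holds the remote server's CA for the outbound call.
        KeyStore identity = load("pkiKeystore", "JKS", "storepass".toCharArray());
        KeyStore trust = load("truststore.jks", "JKS", "trustpass".toCharArray());
        X509Certificate clientCert = checkIdentity(identity, "clientalias", "keypass".toCharArray());
        System.out.println("identity OK: " + clientCert.getSubjectX500Principal());
        if (!isIssuedByTrustedCa(trust, clientCert)) {
            System.out.println("warning: trust store does not contain the CA that issued the client certificate");
        }
        SSLContext ctx = buildContext(identity, "keypass".toCharArray(), trust);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.invalid/service").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The distinction the program enforces is the one that trips people up in the Service Key Provider dialog: KeyManagerFactory.init takes the private key password, so a keystore password there fails with UnrecoverableKeyException even though the store itself opened fine.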

Create a PKI credential mapping Provider

Go to Security / myrealm / Providers / Credential Mapping

Select New.

Select PKICredentialMapper

Supply a name (e.g. PkiCredentialMapper)

Create Credential Mapping

Go to Security / myrealm / Providers / Credential Mapping

Select New.

Protocol= https

remoteHost= web3.bgegtms.ie

PrincipalName = GTMS

CredentialType = Cert

Create ServiceBus ServiceKeyProvider

Configure a PKI Credential Mapping provider

Go to Providers / Credential Mapping. Select New / PKICredentialMapper.

Note a restart is required after this.

Create Credential Mappings

Configure a PKI Credential Mapping provider

Not sure if this is needed?

Restart server

PKI credential mapper provider

Create a new PKI Credential Mapper in the console.

Click on New and create the KeyStore. Until a PKI credential mapper exists, the OSB console warns:

There is no PKI credential mapper provider configured in your security realm. Service key provider management will be disabled. Configure a PKI credential mapper provider if you need service provider support. This is typically the case if you have Oracle Service Bus proxy services with web service security enabled or outbound 2-way SSL connections.