Configuring 2-way SSL with Oracle Service Bus
Must set up Identity and trust.
Identity represents the server itself. This corresponds to the Servers private key. (Its public key is embedded in its certificate)
Trust is for when weblogic is communicating with clients over 2-way SSL. It must store a list of certificates it trusts. The client must then supply one of these as part of the handshaking protocol.
Server Side configuration (ie. For terminating 2 way SSL requests)
Enable X509 as an Identity Asserter type
Error if not present:
X.509 token identity assertion is not enabled in the security realm
Goto Security/ myrealm/ Providers/ Authentication/ DefaultIdentityAsserter
Add X509 to DefaultIdentityAsserter. (Note also that wsse.PasswordDigest is also present here for WS-Security UsernameToken. (Digest Replay Detection Enabled can be also be set here). Also to enable this you also must set “Enable Password Digests” in the DefaultAuthenticator.)
Restart Server
Next Step
Error
The X.509 username-mapper sub-plugin of the default identity asserter in not configured
HTTPS inbound endpoint inboundEndpoint specifies CLIENT-CERT authentication, therefore the username mapper properties of the default identity asserter must be configured (this is required to support 2-way SSL)
Action
Configure the username-mapper fields of the Default Identity Assertion provider in the security realm pages of the WebLogic Server console
Client
Configuring 2-way SSL with SoapUI (client)
A lot of these settings are configured in the Global Preferences table, so cannot be saved per project.
Firstly load the KeyStore (where the client certificate is stored) in the SSL tab of the Prferences.
Note: Requires Client Authentication box is part of the Mock definitions, and is not required for a client configuration.
You may also need to configure a proxy (I did) if your client is on the external web, and you use a proxy to access that.
Keytool commands
Initial Setup steps
In order to enable outbound two way SSL (i.e. MW making a two way SSL call out to a client) we need to create a Service Key Provider
To use a service key provider, you must configure a PKI credential mapping provider.
To use the PKI Credential Mapping provider, you need to:
- Configure keystores with appropriate keys and distribute the keystores on all machines in a WebLogic Server cluster. Setting up keystores is not a WebLogic Server function. For information about setting up keystores, see the help for the Java keytool utility at http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html. See alsoConfiguring Identity and Trust, for information about keystores and keys in WebLogic Server.
- Configure a PKI Credential Mapping provider. A PKI Credential Mapping provider is not already configured in the default security realm (
myrealm
). See PKI Credential Mapper Attributes and Configure Credential Mapping providers in the Administration Console online help. - Create credential mappings. See Create PKI Credential Mappings in the Administration Console online help.
Create Java Keystore in Domain
Create a Keystore. Import certificate (user identification certificate) into keystore.
See http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/model.html#wp1089312
(see step 6)
Configure each WebLogic Server instance to have access to its own copy of each keystore. All entries referred to by the PKI credential mapper must exist in all keystores (same entry with the same alias).
May have to convert certificate to format understood by keytool
keytool -importkeystore -srckeystore pki\GTMSWebUser.pfx -srcstoretype pkcs12 -destkeystore ./pkiKeystore
So I was able to directly import the pfx file containing the private key and certificate.
From OSB this was then accessible in the ServiceKey Provider. Not when selecting the Key, you must supply the private key password to access it (not the keystore password)
Create a PKI credential mapping Provider
Got security/ myrealm/ providers/ CredentialMapping
Select New.
Select PKICredentialMapper
Supply a name (e.g. PkiCredentialMapper)
Create Credential Mapping
Got security/ myrealm/ providers/ CredentialMapping
Select New.
Protocol= https
remoteHost= web3.bgegtms.ie
PrincipleName = GTMS
CredentialType = Cert
Create ServiceBus ServiceKeyProvider
Configure a PKI Credential Mapping provider
Goto Providers./ CredentialMapping. Select New/ PKICredentialMapper
Note a restart is required after this.
Create Credential Mappings
Configure a PKI Credential Mapping provider
Not sure if this is needed?
Restart server
Create a new PKI Credential mapper in the console
Click on new and create KeyStore
No comments:
Post a Comment