2 way SSL between SOA and OSB
September 25, 2012 | 6 minute readIntroduction
If you have a need to use 2 way SSL between a SOA composite and external partner links, you can follow these steps.
- Create the identity keystores, trust keystores, and server certificates.
- Setup keystores and SSL on WebLogic
- Setup server to use 2 way SSL
- Configure your SOA composite's partner link to use 2 way SSL
- Configure SOA engine two ways SSL
In this case, I used SOA and OSB for the test. I started with separate OSB and SOA domains. I deployed two soap based proxies on OSB and two composites on SOA. In SOA, one composite invokes a OSB proxy service, the other is invoked by the OSB. Similarly, in OSB, one proxy invokes a SOA composite and the other is invoked by SOA.
Main Article
1. Create the identity keystores, trust keystores and the server certificates
Since this is a development environment, I used the JDK's keytool to create the stores and use self signing certificate. For production environments you should use certificates from a trusted certificate authority like Verisign. I created a script below to show what is needed in this step. The only requirement is when creating the SOA identity certificate, you MUST use the alias mykey.
| STOREPASS=welcome1 KEYPASS=welcome1# generate identity keystore for soa and osb. Note: For SOA, you MUST use alias mykeyecho "creating stores"keytool -genkey -alias mykey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=soa, C=US" -keystore soa-default-keystore.jks -storepass $STOREPASS -keypass $KEYPASSkeytool -genkey -alias osbkey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=osb, C=US" -keystore osb-default-keystore.jks -storepass $STOREPASS -keypass $KEYPASS# listing keystore contentsecho "listing stores contents"keytool -list -alias mykey -keystore soa-default-keystore.jks -storepass $STOREPASS keytool -list -alias osbkey -keystore osb-default-keystore.jks -storepass $STOREPASS# exporting certs from storesecho "export certs from stores"keytool -exportcert -alias mykey -keystore soa-default-keystore.jks -storepass $STOREPASS -file soacert.der keytool -exportcert -alias osbkey -keystore osb-default-keystore.jks -storepass $STOREPASS -file osbcert.der# import certs to trust stores echo "import certs" keytool -importcert -alias osbkey -keystore soa-trust-keystore.jks -storepass $STOREPASS -file osbcert.der -keypass $KEYPASS |
SOA suite uses the JDK's SSL implementation for outbound traffic instead of the WebLogic's implementation. You will need to import the partner's public cert into the trusted keystore used by SOA. The default trusted keystore for SOA is DemoTrust.jks and it is located in $MW_HOME/wlserver_10.3/server/lib. (This is set in the startup script -Djavax.net.ssl.trustStore). If you use your own trusted keystore, then you will need to import it into your own trusted keystore.
| keytool -importcert -alias osbkey -keystore $MW_HOME/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file osbcert.der -keypass $KEYPASS |
If you do not perform this step, you will encounter this exception in runtime when SOA invokes OSB service using 2 way SSL
| Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target |
2. Setup keystores and SSL on WebLogic
First, you will need to login to the WebLogic console, navigate to the server's configuration->Keystore's tab. Change the Keystores type to Custom Identity and Custom Trust and enter the rest of the fields.
Then you navigate to the SSL tab, enter the fields in the identity section and expand the Advanced section. Since I am using self signing cert on my VM enviornment, I disabled Hostname verification. On a production system, this should not be the case. I also enabled the option "Use Server Certs", so that the application uses the server cert to initiate https traffic (it is important to enable this in OSB).
Last, you enable SSL listening port in the Server's configuration->General tab.
3. Setup server to use 2 way SSL
If you follow the screen shot in previous step, you can see in the Server->Configuration->SSL->Advanced section, there is an option for Two Way Client Cert Behavior, you should set this to
Client Certs Requested and Enforced.
Repeat step 2 and 3 done on OSB. After all these configurations, you need to restart all the servers.
4. Configure your SOA composite's partner link to use 2 way SSL
You do this by modifying the composite.xml in your project, locate the partner's link reference and add the property oracle.soa.two.way.ssl.enabled
| <reference name="callosb" ui:wsdlLocation="helloword.wsdl"> <interface.wsdl interface="http://www.examples.com/wsdl/HelloService.wsdl#wsdl.interface(Hello_PortType)"/> <binding.ws port="http://www.examples.com/wsdl/HelloService.wsdl#wsdl.endpoint(Hello_Service/Hello_Port)" location="helloword.wsdl" soapVersion="1.1"> <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property> <property name="oracle.soa.two.way.ssl.enabled">true</property> </binding.ws> </reference> |
In OSB, you should have checked the HTTPS required flag in the proxy's transport configuration. After this, rebuild the composite jar file and prepare to deploy in the EM console later.
5. Configure SOA engine two ways SSL
Oracle SOA Suite uses both Oracle WebLogic Server and Sun Secure Socket Layer (SSL) stacks for two-way SSL configurations.
- For the inbound web service bindings, Oracle SOA Suite uses the
Oracle WebLogic Server infrastructure and, therefore, the Oracle
WebLogic Server libraries for SSL. This is already done by step 2 and 3 in the previous section. - For the outbound web service bindings, Oracle SOA Suite uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL. You do this by configuring the SOA Engine in the Enterprise Manager Console, select soa-infra->SOA Administration->Common Properties
Then click at the link at the bottom of the page: "More SOA Infra Advances Infrastructure Configuration Properties" and then enter the full path of soa identity keystore in the value field of the KeyStoreLocation attribute.
Click Apply and Return then navigate to the domain->security->credential.
Here, you provide the password to the keystore. Note: the alias of the certficate must be mykey as described in step 1, so you only need to provide the password to the identity keystore. You accomplish this by:
- Click Create Map
- In the Map Name field, enter SOA, and click OK
- Click Create Key
- Enter the following details where the password is the password for the SOA identity keystore.
6. Test and Trouble Shooting
Once the setup is complete and server restarted, you can deploy the composite usng the EM console and test it. In case of any errors, you should read the server log file to determine the cause of the error.
For example,
If you have not setup step 5 and test 2 way SSL, you will see this in the log when invoking OSB from BPEL:
| java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://localhost.localdomain:7002/default/helloword ####<Sep 22, 2012 2:07:37 PM CDT> <Error> <oracle.soa.bpel.engine.ws> <rhel55> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <BEA1-0AFDAEF20610F8FD89C5> ............<11d1def534ea1be0:-4034173:139ef56d9f0:-8000-00000000000002ec> <1348340857956> <BEA-000000> <got FabricInvocationExceptionsun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target |
If you have not enable WebLogic SSL to use server certificate in the console and invoke SOA composite from OSB using two ways SSL, you will see this error:
| ####<Sep 22, 2012 2:07:37 PM CDT> <Warning> <Security> <rhel55> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <11d1def534ea1be0:-51f5c76a:139ef5e1e1a:-8000-00000000000000e2> <1348340857776> <BEA-090485> <CERTIFICATE_UNKNOWN alert was received from localhost.localdomain - 127.0.0.1. The peer has an unspecified issue with the certificate. SSL debug tracing should be enabled on the peer to determine what the issue is.> ####<Sep 22, 2012 2:07:37 PM CDT> <Warning> <Security> <rhel55> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <11d1def534ea1be0:-51f5c76a:139ef5e1e1a:-8000-00000000000000e4> <1348340857786> <BEA-090485> <CERTIFICATE_UNKNOWN alert was received from localhost.localdomain - 127.0.0.1. The peer has an unspecified issue with the certificate. SSL debug tracing should be enabled on the peer to determine what the issue is.> ####<Sep 22, 2012 2:27:21 PM CDT> <Warning> <Security> <rhel55> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <11d1def534ea1be0:-51f5c76a:139ef5e1e1a:-8000-0000000000000124> <1348342041926> <BEA-090497> <HANDSHAKE_FAILURE alert received from localhost - 127.0.0.1. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.> |
References
- http://docs.oracle.com/cd/E23943_01/admin.1111/e10226/soacompapp_secure.htm#CHDCFABB Section 5.6.4
- http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#i1200848
Andy Knight
Principal Solution Architect
Next Post