Configuring MFT WebCenter Content (UCM) Endpoints with SSL for Fusion Applications

Executive Overview

Oracle MFT (Managed File Transfer) is a component of the Oracle Fusion Middleware Service Integration Platform. It is commonly used to implement file-based integrations with the HCM (Human Capital Management) application within Fusion Apps. MFT release 12.2.1 adds support for Oracle WebCenter endpoints, which can be used to transfer documents to and from any WebCenter Content Server. A common use case for MFT is therefore to manage the flow of documents in and out of the WebCenter Content Server embedded in the HCM application within Fusion Apps.

It is desirable to secure the communication between MFT and the HCM application with SSL (Secure Sockets Layer; the connection negotiated here is in fact TLS, but the Oracle documentation and the configuration properties keep the SSL name). This post describes the configuration steps required within an MFT environment to enable SSL communication with a WebCenter Content Server within HCM in Fusion Apps. This exercise was carried out with on-premises instances of both MFT and HCM.

It must be noted that an HCM Cloud instance is configured with certificates issued by a publicly trusted CA, whose root certificates are already present in the trust stores of the MFT 12.2.1 install base. Hence, no certificate import is necessary for SSL integration between MFT and an HCM Cloud instance.

Solution Approach

Overview

The overall solution is described in the diagram shown here (figure: mftssl).

WebLogic Server needs to trust the certificate of the remote server in order to establish the SSL connection. Here we import the trust certificate from the Fusion Apps HCM instance into the DemoTrust keystore file and the cacerts file within the JDK used to run the MFT domain.

After the certificate is imported, a WebLogic startup parameter is added to force TLS 1.0 for the connection (with the default protocol setting the handshake with the HCM side fails; see Step IV). This completes the configuration required on the WebLogic platform; the managed server must be restarted for the keystore changes to take effect.

Finally, a simple transfer is configured within MFT to test the SSL connectivity between MFT and HCM WebCenter. The transfer is described below (figure: mftflow).

  • Source: Embedded FTP Server within MFT, referred to as myMFT
  • Transfer: Simple, one-way transfer of a PGP file over SSL using Webcenter Adapter, referred to as FASSL
  • Target: Webcenter Content Server within HCM component of Fusion Apps, referred to as myHCM

Summary of Steps

  • Obtain the certificate from the WebCenter instance of HCM, where SSL is enabled by default and requires no user intervention.
  • Test command-line SSL connectivity to HCM from the MFT host using the certificate from the previous step.
  • Import the certificate into the DemoTrust keystore file and the cacerts file under the JDK used for the MFT domain.
  • Add a WebLogic startup parameter to force TLS 1.0 instead of SSL; with the default protocol setting the handshake fails, so this modification is necessary.
  • In MFT, configure an HCM WebCenter target using the SSL port tested earlier from the command line.
  • Define a source (e.g. embedded FTP).
  • Create a transfer with the source and target created earlier.
  • Deploy and test the MFT transfer.

Task and Activity Details

The following section will walk through the details of individual steps. The environment consists of the following key machines:

  • Linux machine used for MFT (mymft) – Release 12.2.1.0
  • Remote Fusion Apps instance hosting HCM Webcenter (myhcm) – Version 11gR1-11.1.1.7.0-ucmbuild-150406T091859

I. Obtain the certificate of HCM instance

There are several ways to obtain the certificate. One of the simplest is to enter the SSL URL for WebCenter in HCM (e.g. https://myhcm:12614/cs/idcplg) in a browser and export the certificate by working through the security exception pop-up windows, as shown below.

  • After entering the SSL URL in the browser, an untrusted connection window shows up (figure: ffcert1).
  • Click on the Add Exception button to acknowledge the security exception. A Security Exception window pops up (figure: ffcert).
  • Click on the Get Certificate button to view the certificate. The certificate viewer window pops up (figure: ffcert2).
  • Go to the Details tab and click on the Export button.
  • Use the default type setting (X.509 PEM) to save the trust certificate in a local file (FACert).

Note that this is trust-on-first-use: the file contains whatever certificate answered on the network at that moment. Before the file is imported as a trust anchor, compare its fingerprint (keytool prints it during the import in Step III) with a value obtained out of band from the administrator of the HCM instance.

II. Test SSL connectivity from command-line

After saving the trust certificate from HCM instance, try a quick verification of the SSL connectivity to it from the command-line of the MFT server.

The first attempt in the session transcript shown below is made without the certificate. As a result, a certificate verification error is thrown.

[oracle@mymft ShubDocs]$ openssl s_client -connect myhcm:12614
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = REDWOODSHORES, O = ORACLE, OU = OAS, CN = "Self-Signed Certificate for ohs1 "
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = REDWOODSHORES, O = ORACLE, OU = OAS, CN = "Self-Signed Certificate for ohs1 "
verify return:1

Subsequently, when we provide the trust certificate saved from Step I, the trust verification error goes away as seen below.

[oracle@mymft ShubDocs]$ openssl s_client -connect myhcm:12614 -CAfile ./FACert
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = REDWOODSHORES, O = ORACLE, OU = OAS, CN = "Self-Signed Certificate for ohs1 "
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=REDWOODSHORES/O=ORACLE/OU=OAS/CN=Self-Signed Certificate for ohs1
   i:/C=US/ST=CA/L=REDWOODSHORES/O=ORACLE/OU=OAS/CN=Self-Signed Certificate for ohs1
---

A "verify return:1" with no verify error confirms that the certificate presented by the HCM server chains to the trust anchor we supplied, i.e. SSL connectivity between the MFT host and the WebCenter Content Server within the HCM instance is established. Note that s_client does not check by default that the name in the certificate matches the host given to -connect; it only checks trust. We will now configure the MFT server to use this SSL connectivity.

III. Import certificate into DemoTrust keystore file and cacerts file under JDK used for MFT domain

We use the command-line utility keytool to import the certificate into both keystores. Two keystores are needed because WebLogic Server's SSL configuration reads trust from DemoTrust.jks together with the JDK cacerts file (see the Appendix), while HTTPS clients that rely on the JDK's own default trust store in the same JVM read only cacerts; keeping both in sync avoids a mismatch between the two.

First, we import it into DemoTrust.jks under the WebLogic Server home (<Middleware_Home>/wlserver/server/lib) and verify with keytool again to confirm that the import has completed. DemoTrust.jks is the demonstration trust keystore shipped with WebLogic Server: its passphrase (DemoTrustKeyStorePassPhrase, used below) is public and it already trusts the WebLogic demo CA, so it is acceptable for this test setup but should be replaced by a custom trust keystore in production.

When keytool prompts "Trust this certificate?", read what it printed first: identical Owner and Issuer mean the certificate is self-signed, the signature algorithm is MD5withRSA, it is an X.509 version 1 certificate (no extensions, hence no subjectAltName), and it is valid for fifty years. None of that blocks the import, because a trust anchor is trusted directly rather than through its own signature, but it means the only thing protecting this trust decision is the fingerprint comparison. Answer yes only after the SHA256 fingerprint shown has been matched against a value obtained out of band from the HCM administrator.

Import

[oracle@mymft ShubDocs]$ /home/oracle/jdk8/bin/keytool -import -alias fassl -keystore /app/oracle/mft/wlserver/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file ./FACert
Owner: CN="Self-Signed Certificate for ohs1 ", OU=OAS, O=ORACLE, L=REDWOODSHORES, ST=CA, C=US
Issuer: CN="Self-Signed Certificate for ohs1 ", OU=OAS, O=ORACLE, L=REDWOODSHORES, ST=CA, C=US
Serial number: 77060b171b15c3b241c9d021ee902aee
Valid from: Sun Jul 19 12:38:32 PDT 2015 until: Mon Jul 06 12:38:32 PDT 2065
Certificate fingerprints:
MD5:  80:A7:C6:71:F6:F1:EE:58:86:E6:1A:D7:F8:80:CB:AC
SHA1: DF:DC:6B:01:56:62:5E:51:5E:11:44:4D:81:05:72:00:E6:7C:30:A3
SHA256: 84:D1:4B:6E:99:83:FA:A2:88:FE:C3:0C:87:37:36:A4:1A:2E:AF:D6:85:C4:B2:D7:29:F5:58:E1:22:F5:D0:C3
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore

[oracle@mymft ShubDocs]$

Verify

[oracle@mymft ShubDocs]$ /home/oracle/jdk8/bin/keytool -list -alias fassl -keystore /app/oracle/mft/wlserver/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
fassl, Jan 27, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): DF:DC:6B:01:56:62:5E:51:5E:11:44:4D:81:05:72:00:E6:7C:30:A3
[oracle@mymft ShubDocs]$

Similarly, we add the FA/HCM trust certificate to the cacerts file under the JDK installation tree (<JAVA_HOME>/jre/lib/security) that is used for running the MFT domain. The default cacerts passphrase, changeit, is used below; like the DemoTrust passphrase it is public, and it should be changed in production.

Import

[oracle@mymft ShubDocs]$ /home/oracle/jdk8/bin/keytool -import -alias fassl -keystore /home/oracle/jdk8/jre/lib/security/cacerts -storepass changeit -file ./FACert
Owner: CN="Self-Signed Certificate for ohs1 ", OU=OAS, O=ORACLE, L=REDWOODSHORES, ST=CA, C=US
Issuer: CN="Self-Signed Certificate for ohs1 ", OU=OAS, O=ORACLE, L=REDWOODSHORES, ST=CA, C=US
Serial number: 77060b171b15c3b241c9d021ee902aee
Valid from: Sun Jul 19 12:38:32 PDT 2015 until: Mon Jul 06 12:38:32 PDT 2065
Certificate fingerprints:
MD5:  80:A7:C6:71:F6:F1:EE:58:86:E6:1A:D7:F8:80:CB:AC
SHA1: DF:DC:6B:01:56:62:5E:51:5E:11:44:4D:81:05:72:00:E6:7C:30:A3
SHA256: 84:D1:4B:6E:99:83:FA:A2:88:FE:C3:0C:87:37:36:A4:1A:2E:AF:D6:85:C4:B2:D7:29:F5:58:E1:22:F5:D0:C3
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore

[oracle@mymft ShubDocs]$

Verify

[oracle@mymft ShubDocs]$ /home/oracle/jdk8/bin/keytool -list -keystore /home/oracle/jdk8/jre/lib/security/cacerts -storepass changeit -alias fassl
fassl, Jan 27, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): DF:DC:6B:01:56:62:5E:51:5E:11:44:4D:81:05:72:00:E6:7C:30:A3
[oracle@content ShubDocs]$
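A pre-import check covering Steps I to III, as an added example that is not part of the original post. It reproduces from the raw DER the facts keytool printed above (SHA-256 fingerprint, Owner equal to Issuer, signature algorithm, X.509 version) and refuses the import unless the fingerprint matches a value obtained out of band from the HCM administrator. It uses only the Python standard library; the function names (gate_import, inspect_cert, make_test_cert_pem) are this example's own, and the test certificate it builds is constructed here to have the same shape as the one in the post (self-signed, version 1, MD5withRSA) but with a fake key and a zero signature, so it is not the HCM certificate.

```python
# Added example (not from the original post): reproduce from raw DER the
# keytool fields shown in Step III, and gate the import on a SHA-256 pin
# obtained out of band.  The test certificate at the bottom is constructed
# here with a fake key and zero signature; it is not the HCM certificate.
import base64
import hashlib
import re

SIG_ALG_NAMES = {"1.2.840.113549.1.1.4": "MD5withRSA",
                 "1.2.840.113549.1.1.5": "SHA1withRSA",
                 "1.2.840.113549.1.1.11": "SHA256withRSA"}
WEAK_SIG_ALGS = {"MD5withRSA", "SHA1withRSA"}

# --- minimal DER reader, enough for the top level of an X.509 certificate ---
def _read_tlv(buf, off):
    """Return (tag, content, offset after element) for the TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long form: low bits = count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(content):
    """Split a constructed value into its immediate (tag, content) elements."""
    items, off = [], 0
    while off < len(content):
        tag, body, off = _read_tlv(content, off)
        items.append((tag, body))
    return items

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def inspect_cert(der):
    """Extract the keytool-style facts an operator must look at before trusting."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE {tbs, alg, sig}
    tbs, sig_alg, _sig = _children(cert)
    fields = _children(tbs[1])
    version = 1
    if fields[0][0] == 0xA0:                       # [0] EXPLICIT version present => v2/v3
        version = int.from_bytes(_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial, _alg, issuer, _validity, subject = fields[:5]
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    sha256 = hashlib.sha256(der).hexdigest().upper()
    return {"version": version,
            "serial": serial[1].hex(),
            "self_signed": issuer[1] == subject[1],  # identical DER-encoded Names
            "sig_alg": SIG_ALG_NAMES.get(oid, oid),
            "sha256": ":".join(sha256[i:i + 2] for i in range(0, 64, 2))}

def gate_import(pem, expected_sha256):
    """Return (ok, info, warnings); ok only if the out-of-band SHA-256 pin matches."""
    info = inspect_cert(pem_to_der(pem))
    warnings = []
    if info["self_signed"]:
        warnings.append("self-signed: trust rests entirely on the fingerprint check")
    if info["sig_alg"] in WEAK_SIG_ALGS:
        warnings.append("weak signature algorithm " + info["sig_alg"])
    if info["version"] == 1:
        warnings.append("X.509 v1: no extensions, so no subjectAltName to match the host")
    ok = info["sha256"].replace(":", "") == expected_sha256.replace(":", "").upper()
    return ok, info, warnings

# --- constructed test certificate (fake key, zero signature, example only) ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return _der(0x06, bytes(out))

def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _oid("2.5.4.3") + _der(0x0C, cn.encode()))))

def make_test_cert_pem(cn="Self-Signed Certificate for ohs1", issuer_cn=None,
                       sig_oid="1.2.840.113549.1.1.4"):
    """Build a v1 certificate shaped like the one in the post (self-signed, MD5withRSA)."""
    alg = _der(0x30, _oid(sig_oid) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"150719193832Z") + _der(0x17, b"650706193832Z"))
    spki = _der(0x30, _der(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _der(0x03, b"\x00\x30\x00"))
    tbs = _der(0x30, _der(0x02, b"\x42") + alg + _name(issuer_cn or cn) + validity + _name(cn) + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(16)))   # zero signature, never valid
    b64 = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")
```

To use it against the real file, read FACert into a string and call gate_import with the fingerprint the HCM administrator gave you; run the keytool import only when the first return value is true. The three warnings map one-to-one onto lines of the keytool output above (Owner equal to Issuer, "Signature algorithm name: MD5withRSA", "Version: 1"), which is exactly what keytool expects the operator to have read before answering yes.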

IV. Include a WebLogic startup parameter to force TLS 1.0

Modify setDomainEnv.sh in the <Domain_Home>/bin directory to include the lines shown below.

EXTRA_JAVA_PROPERTIES="-Dweblogic.security.SSL.protocolVersion=TLS1 -Dhttps.protocols=TLSv1 ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES

The first property restricts WebLogic Server's SSL stack to TLS (1.0 or later) instead of also allowing SSLv3; the second restricts HTTPS clients that use the JDK's HttpsURLConnection in the same JVM to TLS 1.0. It should be noted that the WebLogic release for MFT is 12.x, whereas that for HCM WebCenter/UCM is 11.x. This step is therefore necessary to match the protocol version supported by the WebCenter instance within HCM[2]; otherwise an error is thrown at run-time during the MFT transfer. TLS 1.0 is a deprecated protocol, so treat this setting as a compatibility measure for this particular remote: where the remote WebCenter/OHS supports TLS 1.2, use -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 and -Dhttps.protocols=TLSv1.2 instead.

Restart the MFT server so that all the changes made in the earlier steps so far, can be enabled.

V. Define a new MFT Target for Webcenter within HCM

This is a well-documented process within MFT documentation[3]. So, just the key parameters for the target definition are shown below:

  • User name: HCM_INTEGRATION_SPEC
  • Password: <Password to login to HCM Webcenter Content Server>
  • Connection URL: https://<HCM host>:<SSL port>/cs/idcplg (e.g. https://myHCM:12614/cs/idcplg)

Under Advanced Properties, fill in the following fields:

  • Document Type: Application
  • Security Group: FAFusionImportExport
  • Document Account: hcm$/dataloader$/import$
  • Author: HCM_INTEGRATION_SPEC
  • Additional Custom Tags: dSecurityGroup=FAFusionImportExport,dExtension=zip,dWebExtension=zip,dFormat=application/zip

 

(figure: mfthcm8)

VI. Create an FTP Source in MFT

Refer to the MFT documentation[3] for details on how to create a source in MFT with embedded FTP server. A screen-shot with the key parameters defined for the test case is provided below.

  • Content Folder: /acme/HRDocs

(figure: mfthcm2)

VII. Create an MFT Transfer

Link the source and target created in Steps V and VI with a Transfer as shown below.

(figure: mfthcm9)

This completes the set up of the test case.

VIII. Deploy and Test the MFT Transfer

The transfer can now be deployed and tested. The export of the transfer is also available for download.

To initiate the flow, a simple FTP client like FireFTP is launched and a file (PersonNew.pgp) is dropped in the polling directory, mentioned within the FTP Source.

After the file is picked up by MFT, the transfer to the target takes place via the Webcenter Adapter. The completed instance of the transfer can be then seen in the MFT console, as shown here.

(figure: mfthcm4)

We can also verify the successful completion of the transfer from the HCM Webcenter console. The file will show up in the list of documents if a search is made within the Webcenter Content Server.

(figure: mfthcm5)

Summary

The test case described here is a quick way to demonstrate the procedure for connecting MFT to HCM WebCenter over SSL. The same method can be used to connect any WebCenter target, on-premises or in the cloud. The details covered here were tested with MFT 12.2.1.0 and WebCenter 11.1.1.7.0. Other options may become available in future releases; they will be discussed as an addendum here or in a separate post.

Acknowledgements

Dave Berry from MFT Product Management and MFT Engineering team have been actively involved in the development of this solution for many months. It would not have been possible to deliver such a solution to the customers without their valuable contribution. Thanks to my team-mate, Jack Desai for providing initial guidance on getting this initiative started and Alan Maxwell (Oracle Consulting, UK) for providing valuable feedback. Finally, a huge note of appreciation to the security expert in our team, Chris Johnson, who is always available to demystify all the complexities within the vast domain of cyber-security.

References

  1. How WebLogic Server Locates Trust – Oracle Documentation Set
  2. Configuring SSL – Oracle Documentation Set
  3. MFT User Guide – Oracle Documentation Set

Appendix

Weblogic Server can use a trust certificate from various sources. It follows an algorithm in scanning those locations[1]. The priority list from the Weblogic documentation set is shown below.

WebLogic Server uses the following algorithm when it loads its trusted CA certificates:

  • If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
  • Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
  • Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
  • Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.

The second option in the list above (DemoTrust configured in config.xml, so trust is loaded from both DemoTrust.jks and the JDK cacerts keystore) is the one used in this post.

Comments

  1. Can you show an example going the other way by having Webcenter as the source and FTP as the target? I have not been able to successfully do that with MFT.
