We had a requirement of configuring two way SSL between the SOA composite and the external services and below are the steps used to import the partner's public cert into the trusted keystore used by SOA.
The default trusted keystore for SOA is DemoTrust.jks which is located in $MW_HOME/wlserver_10.3/server/lib directory.
For generating a custom keystore use the below command from $MW_HOME/wlserver_10.3/server/lib or the default JKS can be used.
keytool -genkey -alias mykey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=soa, C=AE" -keystore customcerts.jks -storepass xxxxx
The default trusted keystore for SOA is DemoTrust.jks which is located in $MW_HOME/wlserver_10.3/server/lib directory.
For generating a custom keystore use the below command from $MW_HOME/wlserver_10.3/server/lib or the default JKS can be used.
keytool -genkey -alias mykey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=soa, C=AE" -keystore customcerts.jks -storepass xxxxx
Download the security certificate from the below URL and Save as type “X.509 Certificate(PEM)” and name the file as “xxxxx.crt”
Import the public certificate into your own trusted keystore using the below command.
-bash-4.1$ keytool -import -alias taleo -keystore customcerts.jks -file ../cert/xxxx.crt
Enter keystore password: ****
Re-enter new password: *****
Owner: CN=*.taleo.net, OU=Comodo PremiumSSL Wildcard, OU=Web, O=Taleo Inc., STREET=4140 Dublin Boulevard, STREET=Suite 400, L=Dublin, ST=CA, OID.2.5.4.17=94568, C=US
Issuer: CN=COMODO High-Assurance Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 99faa8037a4eb2faef84eb5e55d5b8c8
Valid from: Wed May 04 04:00:00 GST 2011 until: Tue Jul 05 03:59:59 GST 2016
Certificate fingerprints:
MD5: D3:27:02:09:99:85:0B:7C:C2:36:3D:36:21:45:DC:02
SHA1: 33:67:A1:82:4A:60:13:C0:2A:3E:25:BB:E4:DA:86:33:87:FA:F1:34
SHA256: 95:CB:44:39:34:BE:DA:97:62:76:88:54:61:91:AB:1D:39:89:A8:35:59:2C:EB:DD:24:34:F9:AD:41:32:4C:E1
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.comodoca.com
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F D5 B5 D0 D6 44 79 50 4A 17 A3 9B 8C 4A DC B8 ?....DyPJ....J..
0010: B0 22 64 6B ."dk
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.1.3.4]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 ..https://secure
0010: 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 .comodo.com/CPS
]] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.taleo.net
DNSName: taleo.net
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A2 76 09 20 A8 40 FD A1 AC C8 E9 35 B9 11 A6 61 .v. .@.....5...a
0010: FF 8C FF A3 ....
]
]
Trust this certificate? [no]: y
Certificate was added to keystore.
If default DemoTrust.jks is not used add the generated keystore file(.jks) and the property named "-DUseSunHttpHandler=true" to "setDomainEnv.sh" as mentioned in the below sample:
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dsoa.archives.dir=%SOA_ORACLE_HOME%\soa -Dsoa.oracle.home=%SOA_ORACLE_HOME% -Dsoa.instance.home=%DOMAIN_HOME% -Dtangosol.coherence.clusteraddress=227.7.7.9 -Dtangosol.coherence.clusterport=9778 -Dtangosol.coherence.log=jdk -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Dweblogic.transaction.blocking.commit=true -Dweblogic.transaction.blocking.rollback=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.webservice.client.ssl.strictcertchecking=false -Dweblogic.security.SSL.enforceConstraints=off -Dssl.debug=true -Djavax.net.ssl.trustStore=%WL_HOME%\server\lib\opinionmeter.jks -Djavax.net.ssl.trustStorePassword=opinionmeter -Dweblogic.security.SSL.verbose=true -DUseSunHttpHandler=true
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dem.oracle.home=C:\Wls_10.3.6\Middleware\oracle_common -Djava.awt.headless=true -DUseSunHttpHandler=true
set JAVA_OPTIONS=%JAVA_OPTIONS% %JAVA_PROPERTIES% -Dwlw.iterativeDev=%iterativeDevFlag% -Dwlw.testConsole=%testConsoleFlag% -Dwlw.logErrorsToConsole=%logErrorsToConsoleFlag% -DUseSunHttpHandler=true
Restart the servers.
Below are the commands to delete the existing certificate and import again.
keytool -list -keystore opinionmeter.jks -storepass *****
keytool -delete -alias xxx -keystore v.jks -storepass *****
keytool -import -alias xxx -file xxxx.cer -keystore c.jks -storepass *****
If the certificate is not imported properly below error will be seen.
Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To route the request through proxy server and use ssl set the below in the service reference in composite.xml
<property name="oracle.webservices.proxyHost" type="xs:string"
many="false">10.xxx.xx.x</property>
<property name="oracle.webservices.proxyPort" type="xs:string"
many="false">80</property>
<property name="oracle.soa.two.way.ssl.enabled">true</property>
That worked for us..Thank you.
ReplyDelete