2 way SSL between SOA and OSB
- by Johnny Shum
If you have a need to use 2 way SSL between SOA composite and external partner links, you can follow these steps.
Create the identity keystores, trust keystores, and server certificates.
Setup keystores and SSL on WebLogic
Setup server to use 2 way SSL
Configure your SOA composite's partner link to use 2 way SSL
Configure SOA engine two ways SSL
In this case, I use SOA and OSB for the test. I started with a separate OSB and SOA domains. I deployed two soap based proxies on OSB and two composites on SOA. In SOA, one composite invokes a OSB proxy service, the other is invoked by the OSB. Similarly, in OSB, one proxy invokes a SOA composite and the other is invoked by SOA.
1. Create the identity keystores, trust keystores and the server certificates
Since this is a development environment, I use JDK's keytool to create the stores and use self signing certificate. For production environment, you should use certificates from a trusted certificate authority like Verisign. I created a script below to show what is needed in this step. The only requirement is when creating the SOA identity certificate, you MUST use the alias mykey.
STOREPASS=welcome1KEYPASS=welcome1# generate identity keystore for soa and osb. Note: For SOA, you MUST use alias mykeyecho "creating stores"keytool
-genkey -alias mykey -keyalg "RSA" -sigalg "SHA1withRSA" -dname
"CN=soa, C=US" -keystore soa-default-keystore.jks -storepass $STOREPASS
-keypass $KEYPASS keytool -genkey -alias osbkey -keyalg "RSA"
-sigalg "SHA1withRSA" -dname "CN=osb, C=US" -keystore
osb-default-keystore.jks -storepass $STOREPASS -keypass $KEYPASS# listing keystore contentsecho "listing stores contents"keytool -list -alias mykey -keystore soa-default-keystore.jks -storepass $STOREPASSkeytool -list -alias osbkey -keystore osb-default-keystore.jks -storepass $STOREPASS# exporting certs from storesecho "export certs from stores"keytool -exportcert -alias mykey -keystore soa-default-keystore.jks -storepass $STOREPASS -file soacert.derkeytool -exportcert -alias osbkey -keystore osb-default-keystore.jks -storepass $STOREPASS -file osbcert.der
# import certs to trust storesecho "import certs"keytool -importcert -alias osbkey -keystore soa-trust-keystore.jks -storepass $STOREPASS -file osbcert.der -keypass $KEYPASSkeytool -importcert -alias mykey -keystore osb-trust-keystore.jks -storepass $STOREPASS -file soacert.der -keypass $KEYPASS
SOA suite uses the JDK's SSL implementation for outbound traffic instead of the WebLogic's implementation. You will need to import the partner's public cert into the trusted keystore used by SOA. The default trusted keystore for SOA is DemoTrust.jks and it is located in $MW_HOME/wlserver_10.3/server/lib. (This is set in the startup script -Djavax.net.ssl.trustStore). If you use your own trusted keystore, then you will need to import it into your own trusted keystore.
keytool -importcert -alias osbkey -keystore $MW_HOME/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file osbcert.der -keypass $KEYPASS
If you do not perform this step, you will encounter this exception in runtime when SOA invokes OSB service using 2 way SSL
Message send failed:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
2. Setup keystores and SSL on WebLogic
First, you will need to login to the WebLogic console, navigate to the server's configuration->Keystore's tab. Change the Keystores type to Custom Identity and Custom Trust and enter the rest of the fields.
Then you navigate to the SSL tab, enter the fields in the identity section and expand the Advanced section. Since I am using self signing cert on my VM enviornment, I disabled Hostname verification. In real production system, this should not be the case. I also enabled the option "Use Server Certs", so that the application uses the server cert to initiate https traffic (it is important to enable this in OSB).
Last, you enable SSL listening port in the Server's configuration->General tab.
3. Setup server to use 2 way SSL
If you follow the screen shot in previous step, you can see in the Server->Configuration->SSL->Advanced section, there is an option for Two Way Client Cert Behavior, you should set this to
Client Certs Requested and Enforced.
Repeat step 2 and 3 done on OSB. After all these configurations, you have to restart all the servers.
4. Configure your SOA composite's partner link to use 2 way SSL
You do this by modifying the composite.xml in your project, locate the partner's link reference and add the property oracle.soa.two.way.ssl.enabled.
<reference name="callosb" ui:wsdlLocation="helloword.wsdl"> <interface.wsdl interface="http://www.examples.com/wsdl/HelloService.wsdl#wsdl.interface(Hello_PortType)"/> <binding.ws port="http://www.examples.com/wsdl/HelloService.wsdl#wsdl.endpoint(Hello_Service/Hello_Port)" location="helloword.wsdl" soapVersion="1.1"> <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property> <property name="oracle.soa.two.way.ssl.enabled">true</property> </binding.ws> </reference>
In OSB, you should have checked the HTTPS required flag in the proxy's transport configuration. After this, rebuilt the composite jar file and ready to deploy in the EM console later.
5. Configure SOA engine two ways SSL
Oracle SOA Suite uses both Oracle WebLogic Server and Sun Secure Socket Layer (SSL) stacks for two-way SSL configurations.
For the inbound web service bindings, Oracle SOA Suite uses the
Oracle WebLogic Server infrastructure and, therefore, the Oracle
WebLogic Server libraries for SSL. This is already done by step 2 and 3 in the previous section.
For the outbound web service bindings, Oracle SOA Suite uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL. You do this by configuring the SOA Engine in the Enterprise Manager Console, select soa-infra->SOA Administration->Common Properties
Then click at the link at the bottom of the page: "More SOA Infra Advances Infrastructure Configuration Properties" and then enter the full path of soa identity keystore in the value field of the KeyStoreLocation attribute.
Click Apply and Return then navigate to the domain->security->credential.
Here, you provide the password to the keystore. Note: the alias of the certficate must be mykey as described in step 1, so you only need to provide the password to the identity keystore. You accomplish this by:
Click Create Map
In the Map Name field, enter SOA, and click OK
Click Create Key
Enter the following details where the password is the password for the SOA identity keystore.
6. Test and Trouble Shooting
Once the setup is complete and server restarted, you can deploy the composite in the EM console and test it. In case of error, you can read the server log file to determine the cause of the error.
For example,
If you have not setup step 5 and test 2 way SSL, you will see this in the log when invoking OSB from BPEL:
java.lang.Exception:
oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException:
oracle.fabric.common.FabricInvocationException: Unable to access the following
endpoint(s): https://localhost.localdomain:7002/default/helloword
####<Sep 22, 2012 2:07:37 PM CDT> <Error>
<oracle.soa.bpel.engine.ws> <rhel55> <AdminServer>
<[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default
(self-tuning)'> <<anonymous>> <BEA1-0AFDAEF20610F8FD89C5>
............
<11d1def534ea1be0:-4034173:139ef56d9f0:-8000-00000000000002ec>
<1348340857956> <BEA-000000> <got FabricInvocationException
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
If you have not enable WebLogic SSL to use server certificate in the console and invoke SOA composite from OSB using two ways SSL, you will see this error:
####<Sep 22, 2012 2:07:37 PM CDT> <Warning>
<Security> <rhel55> <AdminServer> <[ACTIVE] ExecuteThread:
'6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS
Kernel>> <> <11d1def534ea1be0:-51f5c76a:139ef5e1e1a:-8000-00000000000000e2>
<1348340857776> <BEA-090485> <CERTIFICATE_UNKNOWN alert was
received from localhost.localdomain - 127.0.0.1. The peer has an unspecified
issue with the certificate. SSL debug tracing should be enabled on the peer to
determine what the issue is.>
####<Sep 22, 2012 2:07:37 PM CDT> <Warning>
<Security> <rhel55> <AdminServer> <[ACTIVE] ExecuteThread:
'6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS
Kernel>> <> <11d1def534ea1be0:-51f5c76a:139ef5e1e1a:-8000-00000000000000e4>
<1348340857786> <BEA-090485> <CERTIFICATE_UNKNOWN alert was
received from localhost.localdomain - 127.0.0.1. The peer has an unspecified
issue with the certificate. SSL debug tracing should be enabled on the peer to
determine what the issue is.> ####<Sep 22, 2012 2:27:21 PM CDT>
<Warning> <Security> <rhel55> <AdminServer>
<[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'> <<anonymous>> <>
<11d1def534ea1be0:-51f5c76a:139ef5e1e1a:-8000-0000000000000124>
<1348342041926> <BEA-090497> <HANDSHAKE_FAILURE alert received
from localhost - 127.0.0.1. Check both sides of the SSL configuration for
mismatches in supported ciphers, supported protocol versions, trusted CAs, and
hostname verification settings.>
References
http://docs.oracle.com/cd/E23943_01/admin.1111/e10226/soacompapp_secure.htm#CHDCFABB Section 5.6.4
http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#i1200848
