Steps for configuring Inbound SSL in FMW
Scenario:
We have a Development Environment which has One Admin Server and three managed Server.
Admin
Server runs on port 7001.
Managed
Server1 (soa_server1) listens on port 8001
Managed
Server2 (osb_server1) listens on port 8011
Managed
Server3 (bam_server1) listens on port 9001
We need to configure osb_server1 to listen on ssl
port 8012 using Custom Certificate to secure our webservices.
This certificate will be sent to business
providers who will import it in their trusted Keystore.
Only the business partners who have this
certificate imported in their trust store should be successfully able to invoke
the webservice else they should get SSLHandshakeException
Steps Followed to generate a web
service certificate:
1. CREATING A PRIVATE KEY IN KEY STORE:
<JAVA_HOME>\bin\keytool.exe -keystore <Path to a (new) key store> -storepass
<(New) key store
password>
-genkey -alias <Arbitrary Name> -keyalg
RSA -dname <DN of certificate>
Concrete
Example:
$ keytool -keystore
“/Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks"
-storepass "weblogic1" -genkey -alias "webservice_nexus"
-keyalg RSA –dname "CN=fus@isdev,OU=webServices,OU=pkiObjects,DC=Nexus,DC=com"
2. CREATING A CERTIFICATE SIGNING
REQUEST (CSR):
<JAVA_HOME>\bin\keytool.exe -keystore <Path to the key store> -storepass
<Key store password>
-certreq
-alias <Alias name from private key> -keypass <Password of
private key> -file <Path
to CSR file
to be created>
Concrete
Example:
$ keytool –keystore
"/Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks
" -storepass "weblogic1" -certreq -alias
"webservice_nexus" -keypass "weblogic1" -file
"/Oracle/Middleware/wlserver_10.3/server/lib
/webService.csr"
3. GENERATING A CERTIFICATE:
Submit the CSR file created in the last step to any of the trusted Certificate Authority.A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret.
Download the certificate on the local hard drive.
Submit the CSR file created in the last step to any of the trusted Certificate Authority.A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret.
Download the certificate on the local hard drive.
4. INSTALLING WEB SERVICE CERTIFICATE
IN KEY STORE:
<JAVA_HOME>\bin\keytool.exe -keystore <Path to the key store> -storepass
<Key store password>
-import -alias
<Alias name from private key> -keypass <Password of private
key> -file <Path to
CER file
containing the WSC>
Concrete
Example:
$ keytool -keystore
"/Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks"
-storepass "weblogic1" -import -alias "webservice_nexus"
-keypass "weblogic1" -file "/Oracle/Middleware/wlserver_10.3/server/lib/Certificates/webservice_nexus.cer"
After Adding
the certificate in the keystore, you can list the certificate by giving the
following command:
5. LISTING THE CERTIFICATE:
<JAVA_HOME>\bin\keytool.exe –v –list -keystore <Path to the key
store> -storepass <Key store password>
Concrete
Example:
$ keytool –v –list –keystore
server_keystore.jks
After successful creating and adding the certificate in the keystore, we
need to configure the server to use the custom keystore which we created.
- Login to the admin Console.
- Enter admin usename and password
- In the Home Page, go to Servers --> osb_server1
- Go to keystores in the Configuration tab
o
Change the keystore to Custom Identity and
Standard Java Trust
o
Enter the following details for Identity
Keystore:
§ Custom Identity Keystore : /Oracle/Middleware/wlserver_10.3/server/lib/server_keystore.jks
§ Custom Identity Keystore Type: JKS
§
Custom
Identity Keystore Passphrase: <password for keystore>
§
Confirm
Custom Identity Keystore Passphrase: <password for keystore>
o
Save
all the configurations.
- Now go to SSL in Configuration Tab
o
Enter the details for Private Key Alias :
webservice_nexus
o
Enter the passphrase : <password for private
key>
o
Go to advance, In hostname verificate make it
NONE(if not already so).
o
Save all the changes made.
- Now go to General in Configuration Tab.
- Check the SSL Listen Port Enabled box
- SSL Listen Port should be 8012, if not enter it.
- Save all the changes.
- Finally restart the osb_server1.
No comments:
Post a Comment