Monday, September 8, 2014

Oracle SOA Oneway SSL Client configuration


Source: http://theheat.dk/blog/?p=474
With little modification, I have posted below the one-way SSL configuration for Oracle SOA for my reference.
One-way SSL configuration:
The requirement is to set up the Middleware (MW) client to call a secured server over SSL. In one-way SSL the client verifies that it is calling the correct server, i.e. only server authentication is enforced. An example is accessing a bank's online site from a browser: the browser checks that it is talking to the genuine bank website rather than a fraudulent one.

What Happens When a Client Encounters SSL

  1. The client requests that the server identify itself.
  2. The server sends the client a copy of its SSL Certificate.
  3. The client checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
  4. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  5. Encrypted data is exchanged between the browser and the server, and the address bar shows https.

You have to configure 3 things in Oracle SOA EM:
1. -Djavax.net.ssl.trustStore
-Djavax.net.ssl.trustStore must point to your truststore in setDomainEnv.sh.
For example:
-Djavax.net.ssl.trustStore=/u01/app/oracle/domains/my_domain/keystores/soa_trust.jks
I don’t know why this is necessary, since we also set this in the next step, but it does not work if you don’t.
2. Set the keystore location in the SOA Suite
Start the FMW Control EM and navigate to the SOA Suite's managed server. Right click and select SOA Administration and then Common Properties. Choose “More SOA Infra Advanced Configuration Properties” at the bottom. Press the “KeystoreLocation” link. Input the path to the keystore and press Apply.
3. Set the keystore password in the SOA Suite
Navigate to Weblogic Domain and select your SOA Suite domain. Right click and select Security and then Credentials. Press Create Map and input SOA. It must be SOA to work. Press Create Key and input:
  • Map: SOA
  • Key: KeystorePassword
  • User Name: KeystorePassword
  • Password: Password for the soa_trust.jks keystore.
It must be KeystorePassword for both Key and User Name to work.
Additional point: create a map named SOA; in this map create a key named KeystorePassword with user KeystorePassword and the password of the keystore. Create a second key named KeyPassword with user KeyPassword and the keystore password as its password.
Test
When you start the Managed Server, the .out log file should look like this:
INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: /u01/app/oracle/domains/my_domain/keystores/soa_trust.jks
INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained valid keystore password
INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password
We have only input the password for the keystore, not for the key, so it is fine that it cannot find this.
If you have input something wrong it looks like this:
INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: /u01/app/oracle/domains/my_domain/keystores/soa_trust.jks
INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained null or empty keystore password
INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password
INFO: SSLSocketFactoryManagerImpl.getSSLSocketFactory Could not obtain keystore location or password
You can find more information here. This is for Two-way SSL but the steps are the same.
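As an added check script (not part of the original post or of Oracle's tooling), the POSIX shell functions below verify step 1 and the Test section above: the first extracts the -Djavax.net.ssl.trustStore path from setDomainEnv.sh and confirms the file is readable, the second classifies a managed server .out log by the SSLSocketFactoryManagerImpl lines shown above. The demo paths and log files are constructed, not taken from a real domain.

```shell
#!/bin/sh
# Added check script, not from the original post. Verifies the two things the post
# configures: the -Djavax.net.ssl.trustStore flag in setDomainEnv.sh and the
# SSLSocketFactoryManagerImpl lines that the managed server writes to its .out log.

# Print the truststore path named by -Djavax.net.ssl.trustStore in the given
# setDomainEnv.sh. Returns 1 if the flag is missing, 2 if the file is not readable.
check_truststore_flag() {
  env_file="$1"
  path=$(sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' "$env_file" | head -n 1)
  [ -n "$path" ] || { echo "no -Djavax.net.ssl.trustStore in $env_file" >&2; return 1; }
  [ -r "$path" ] || { echo "truststore $path is not readable" >&2; return 2; }
  echo "$path"
}

# Classify a managed server .out log. Success requires the keystore location and a
# valid keystore password; an empty *key* password is expected, because only
# KeystorePassword is stored in the SOA credential map.
check_soa_ssl_log() {
  log_file="$1"
  if grep -q 'getSSLSocketFactory Could not obtain keystore location or password' "$log_file"; then
    echo "FAIL: check KeystoreLocation and the SOA/KeystorePassword credential" >&2
    return 1
  fi
  grep -q 'getKeystoreLocation SOA Keystore location: ' "$log_file" \
    || { echo "FAIL: no keystore location logged" >&2; return 1; }
  grep -q 'getKeystorePassword Obtained valid keystore password' "$log_file" \
    || { echo "FAIL: keystore password not obtained" >&2; return 1; }
  echo "OK: keystore location and password obtained"
}

# Constructed demo input in a temporary directory (hypothetical paths, not a real domain).
demo=$(mktemp -d)
: > "$demo/soa_trust.jks"
printf 'JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=%s/soa_trust.jks"\n' \
  "$demo" > "$demo/setDomainEnv.sh"
{
  echo "INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: $demo/soa_trust.jks"
  echo "INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained valid keystore password"
  echo "INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password"
} > "$demo/good.out"
sed 's/Obtained valid keystore password/Obtained null or empty keystore password/' "$demo/good.out" > "$demo/bad.out"
echo "INFO: SSLSocketFactoryManagerImpl.getSSLSocketFactory Could not obtain keystore location or password" >> "$demo/bad.out"

check_truststore_flag "$demo/setDomainEnv.sh"   # prints the path
check_soa_ssl_log "$demo/good.out"              # OK
check_soa_ssl_log "$demo/bad.out"               # FAIL, exit status 1
rm -rf "$demo"
```

Run it as the OS user that starts the managed server, so the readability check reflects the permissions that matter at startup.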
