RSS

Tag Archives: Security

Cloud integration using federation between Microsoft Office 365 Azure Active Directory (AAD) and Amazon Web Service (AWS)

Not an Oracle blog for a change, but when an organization uses both Amazon Web Services (AWS) and Microsoft Office 365 it is possible to allow single sign-on with the internal LDAP Microsoft uses (Azure AD). Since RubiX uses both cloud products since day 1, I decided to look into integration between both products when Microsoft recently allowed SAML federation.

In this blog I will demonstrate how to connect Amazon Web Services (AWS) to the internal Azure Active Directory (AAD) that is used by Microsoft. As a result of this blog your users should be able to login to AWS from the Office 365 menu.

RESULT

1. Configure Microsoft Office 365 / Azure Active Directory (AAD)

Go to your Administration console and select Azure AD from ADMIN

AZURE000_01

In the Azure AD console select “Active Direcory”, click on your Office 365 domain name and the AD menu should open. Click on “Applications” from the top menu

AZURE000

By defaut you will see a lot of Microsoft web applications, so we click on “Add+” on the bottom menu. Then select “Add application from the gallery”

AZURE000-2

The AWS application will be added to your list. Select Configure Single Sign-On next.

AZURE001

We will select the 1st option (MS AAD SSO) to establish federation between AAD & AWS. The Federated Single Sign-On enables the users in your organization to be automatically signed in to a third-party application like AWS by using the AAD user account information. In this scenario, when you have already been logged into Office 365 the federation eliminates the need for you to login again to AWS.

AZURE002

In this case, we don’t need to perform any extra advanced settings. So NEXT

AZURE003

Download the metadata XML and store it for future use and make sure to accept the checkbox

AZURE004

Go to the users tab and assign (bottom button) your users that are allowed to login to AWS

AZURE011

Before we can finalize our SSO from AAD, we first need to setup AWS.

2. Configure Amazon Web Service (AWS)

Login to your AWS account and select the Identity & Access Management

EC2001

First we will create an Identity Provider for AAD.
Select SAML as Provider Type and choose a logical name (I use “Office365” in my example).
Browse to the exported metadata we downloaded from the AAD console earlier.

Important: check your metadata xml file

  • The exported metadata XML file from Azure might be encoded as UTF-8 with byte order mark (BOM). Make sure to convert it to UTF-8 without BOM otherwise the AWS console will not be able to import it.
  • Make sure to remove the <?xml version=”1.0″?> on line 1, otherwise AWS will not be able to parse the file

EC2001_provider

As a result we now have a SAML provider configured, so time to set some roles.
Select Roles in the IAM menu, select “Create New Role” and give your role a logical name (I use “RubixUsers” here)
In the Role Type select “Grant Web Single Sign-On (WebSSO) access to SAML providers“.

EC2004

  • Select the SAML provider we trust, so we use the earlier created “Office365” provider here.
  • Next step we can customize the policy, which we won’t do so next.
  • In the next step we can select the policy you want to attach to your SSO users.
    You can go fine grained with policies, but for now I will use the default PowerUser policy
  • The last screen you will receive a review of the configuration, make sure to note down the Role ARN and Thrusted Entities
    Role ARN = arn:aws:iam::[customerID]:role/[RoleName]
    Trust = arn:aws:iam::[customerID]:saml-provider/[ProviderName]

EC2001_review

 

3. Configure Microsoft Office 365 / Azure Active Directory (AAD) – part 2

Go back to the AAD management console (https://manage.windowsazure.com).
Select applications -> Amazon Web Services (AWS) -> Attributes

Add the following 2 attributes:

EC2_attributes

 

4. Result

With these configuration steps you are now able to login to AWS from your Office 365 apps tile.

RESULT

 
Leave a comment

Posted by on 16-10-2015 in Uncategorized

 

Tags: , , , , , , ,

Using the Oracle Credential Store Framework (CSF) in your Oracle BPM / ADF project

In our Oracle BPM/SOA project we initially started with 1 process which had a service call out to Oracle UCM/WCC. Since WCC uses basic authentication by default we enabled an OWSM policy on the external reference and made sure the username and password were set in the composite.xml. With the help of Oracle config plans we were able to transfer the SCA through the different OTAP environments.


<interface.wsdl interface="http://www.stellent.com/CheckIn/#wsdl.interface(CheckInSoap)"/>
<binding.ws port="http://www.stellent.com/CheckIn/#wsdl.endpoint(CheckIn/CheckInSoap)" location="oramds:/apps/rubix/references/UCM.wsdl" soapVersion="1.1">
<wsp:PolicyReference URI="oracle/wss_http_token_client_policy" orawsp:category="security" orawsp:status="enabled"/>
<property name="oracle.webservices.auth.password" type="xs:string" many="false" override="may">welcome2</property>
<property name="oracle.webservices.auth.username" type="xs:string" many="false" override="may">ucmuser</property>

However when there became more and more processes, with increased complexity and all with numberous callouts to backends with authentication enabled, the delivey of our release through the OTAP environment became more complex as well.Besides that, our Oracle ADF task screens needed connection to many of the same endpoints as well so we ended up with username and password properties in that deployment as well.

So to centralize the username and password in our environment we decided to use the full potential of the Oracle Credential Store Framework (CSF) for both BPM and ADF. Oracle CSF is part of the Oracle Platform Security Services (OPSS).

Since Oracle BPM relies heavily on the SOA-INFRA structure used by Oracle SOA Suite the functionality works identical. Lucky for us Edwin Biemond already blogged about this feature regarding Oracle SOA Suite which we could simple re-use for Oracle BPM.

Oracle Credential Store Framework

Next step was Oracle ADF where our task has functionality to call web services which have the same basic authentication. Again we have a quick start by using this blogpost from Wilfred van der Deijl. In this blogpost he explains how to use a key to the credential store and how to retrieve it from your ADF application.

ADF and Oracle Credential Store

With the help of these 2 fellow Dutch Oracle techies blogs this turned out to be the smoothest user story in our last sprint ;-)

References:

 
2 Comments

Posted by on 19-11-2013 in ADF, BPM, Oracle, SOA Suite

 

Tags: , , , , , ,

Using basic authentication for Oracle BPM service call

In our Oracle BPM 11.1.1.6 process we need some calls to Oracle UCM/WCC. Since UCM requires basic authentication we need to make sure the BPM process sends a token.

So in our composite we right-click the UCM webservice reference, select configure WS policies,

Composite

We select the oracle/wss_http_token_client_policy from the security list.

ConfigurePolicies

Now there are multiple ways options to configure the username + password:

  • In JDeveloper we can configure the default value (handy for quick DEV deployments)

We need to configure a binding property, however the thing is that the oracle.webservices.auth properties are not there in the LOV.

ConfigurePolicies_LOV

However if we go to the composite source we can just manually add both
oracle.webservices.auth.username
oracle.webservices.auth.password


  <reference name="sourceUCM" ui:wsdlLocation="CheckIn.wsdl">
    <interface.wsdl interface="http://www.stellent.com/CheckIn/#wsdl.interface(CheckInSoap)"/>
    <binding.ws port="http://www.stellent.com/CheckIn/#wsdl.endpoint(CheckIn/CheckInSoap)"
                location="CheckIn.wsdl" soapVersion="1.1">
      <wsp:PolicyReference URI="oracle/wss_http_token_client_policy"
                           orawsp:category="security" orawsp:status="enabled"/>
      <property name="oracle.webservices.auth.username" type="xs:string" many="false" override="may">weblogic</property>
      <property name="oracle.webservices.auth.password" type="xs:string" many="false" override="may">welcome1</property>
    </binding.ws>
  </reference>

When deploying the project the settings are automatically set.

  • Through Enterprise Manager (can be used to override the default)

If we navigate to our SOA Composite -> Dashboard tab ->  Services and References you can find a list of all webservice references.Click on it and go to the properties tab

Check the HTTP Basic Authentication segment and use this to override any DEV default settings (if necessary)

EM_Properties

 
Leave a comment

Posted by on 18-01-2013 in BPM, Oracle, SOA Suite, UCM, WCC

 

Tags: , , , , , ,

“Buffer underflow in doHandshake” SSL error in Oracle Service Bus

We are using Oracle Service Bus for SSL communication to an external party. Due to security regulations we use a proxy server configuration (note: not proxy service, but proxy server) on these specific business services.

After upgrading our OSB to 11g PS4 we wanted to use the JSSE implementation for SSL because in the near future we will need to implement SHA2 certificates. After enabling JSSE (weblogic console -> managed server -> SSL -> Advanced) the outgoing connections still seem to work. However when we send a large message (in our case > 20kb) we receive the following error in our logging:


<Debug> <Socket> <someHostname> <someManagedServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <3fe931....> <13...> <BEA-000400> <buffer underflow in doHandshake>

The source of all knowlegde Wikipedia tells us that:
In computing buffer underrun or buffer underflow is a state occurring when a buffer used to communicate between two devices or processes is fed with data at a lower speed than the data is being read from it. This requires the program or device reading from the buffer to pause its processing while the buffer refills. This can cause undesired and sometimes serious side effects because the data being buffered is generally not suited to stop-start access of this kind.

After enabling Weblogic SSL logging we see the below output (simplified) in the logfiles when sending a small message. The SSLEngine both shows wrap and unwrap methods.


<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.doCertPathValidation: >
<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.doCertPathValidation: configured to defer to the admin>
<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.doCertPathValidation: outbound = true>
<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.doCertPathValidation: style = BuiltinSSLValidationOnly>
<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.doCertPathValidation: returning false>
<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning true because the CertPathValidators should not be called>
<Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
<Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: No trust failure, validateErr=0.>
<Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: remote.website.nl>
<Debug> <SecuritySSL> <BEA-000000> <Proxying through ourDMZproxyserver.local>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: Successfully completed post-handshake processing.>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 304 bytesProduced = 325.>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 2167 bytesProduced = 2188.>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 164 bytesProduced = 143.>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 1036 bytesProduced = 1015.>

When sending a larger message the logging seems identical, however the logging stops after the outbound communication (wrap method) and no inbound traphic seems to return (unwrap method).


<Debug> <SecurityCertPath> <BEA-000000> <CertPathTrustManagerUtils.doCertPathValidation: >
<Debug> <SecurityCertPath> <CertPathTrustManagerUtils.doCertPathValidation: configured to defer to the admin>
<Debug> <SecurityCertPath> <CertPathTrustManagerUtils.doCertPathValidation: outbound = true>
<Debug> <SecurityCertPath> <CertPathTrustManagerUtils.doCertPathValidation: style = BuiltinSSLValidationOnly>
<Debug> <SecurityCertPath> <CertPathTrustManagerUtils.doCertPathValidation: returning false>
<Debug> <SecurityCertPath> <CertPathTrustManagerUtils.certificateCallback: returning true because the CertPathValidators should not be called>
<Debug> <SecuritySSL> <weblogic user specified trustmanager validation status 0>
<Debug> <SecuritySSL> <SSLTrustValidator returns: 0>
<Debug> <SecuritySSL> <[Thread[[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: No trust failure, validateErr=0.>
<Debug> <SecuritySSL> <Performing hostname validation checks: remote.website.nl>
<Debug> <SecuritySSL> <Proxying through ourDMZproxyserver.local>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: Successfully completed post-handshake processing.>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 306 bytesProduced = 327.>
<Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]...SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 16384 bytesProduced = 16405.>

At a very high level, the SSLEngine works like this (source: Class SSLEngine @ Oracle):

                |           ^
                |     |     |
                v     |     |
           +----+-----|-----+----+
           |          |          |
           |       SSL|Engine    |
   wrap()  |          |          |  unwrap()
           | OUTBOUND | INBOUND  |
           |          |          |
           +----+-----|-----+----+
                |     |     ^
                |     |     |
                v           |

Remember when we disable JSSE and use the Certicom implementation the process still works perfectly. So everything pointed to the direction of a combination: JSSE + large message = error. Sadly the .log and .out didn’t help in the problem solving here so experimenting with a few tuning parameters did the trick for us.

After configuring the Business Service to use Chunked Streaming Mode the problem was solved and we again succeeded in sending out messages of multiple MB’s to our external trading partners.

When I initially used Google and Oracle Knowledge base to look for the “BEA-000400 buffer underflow in doHandshake” error this was not very helpfull. So hopefully this blogpost is helpfull for others in the future when they have the same problem as us.

 
14 Comments

Posted by on 11-06-2012 in Oracle, OSB, Security, SSL

 

Tags: , , ,

Using UserName information in the Oracle Service Bus

I was debugging a OSB 11.1.1.5 proxy service which had a OWSM UserName token policy attached to it (read this blogpost how to configure your OSB). When I noticed the $inbound variable had some interesting information which I never noticed before.

The $inbound variable holds a big data-set regarding transport and usually a small data-set regarding security. In a “normal” unsecured proxy services this would result in something like this:

<inbound>
 <con:endpoint name="mySomething" xmlns:con="http://www.bea.com/wli/sb/context">
 <con:service>
 <con:operation>getEmployeeDetails</con:operation>
 </con:service>
<con:transport>
........
</con:transport>
 <con:security>
 <con:transportClient>
 <con:username>anonymous></con:username>
 </con:transportClient>
 </con:security>
 </con:endpoint>
</inbound>

So there is just a transportClient reference which normally just contains the value “anonymous”. Not really interesting.

However in the situation where the proxy service uses the OWSM policy it contains a new messageLevelClient element:

<inbound>
 <con:endpoint name="mySomething" xmlns:con="http://www.bea.com/wli/sb/context">
 <con:service>
 <con:operation>getEmployeeDetails</con:operation>
 </con:service>
<con:transport>
........
</con:transport>
 <con:security>
 <con:transportClient>
 <con:username>anonymous></con:username>
 </con:transportClient>
 <con:messageLevelClient>
 <con:username>weblogic</con:username>
 <con:principals>
 <con:group>AdminChannelUsers</con:group>
 <con:group>Administrators</con:group>
 <con:group>IntegrationAdministrators</con:group>
 </con:principals>
 </con:messageLevelClient>
 </con:security>
 </con:endpoint>
</inbound>

Pretty good information for tracing/logging your service calls.

 
1 Comment

Posted by on 13-01-2012 in OSB, Security, WS-Security

 

Tags: , , ,

Using OWSM UsernameToken for authentication and authorisation of OSB services

With the use of Oracle Web Service Manager (OWSM) we can easily configure Oracle Service Bus (OSB) services with different message security polices. This configuration can be done from Eclipse (OEPE), OSB SBConsole or the Enterprise Manager. One of the most common WS-Security mechanismes and therefor also OWSM policies is the UsernameToken where a username and password are send along with the message.

In this blog we will:

  • part I: how to enable authentication of users against the list of all known users
  • part II: how to enable authorisation of only a specific subset of users to access a service

First we configure a proxy service in OEPE with the OWSM UsernameToken policy oracle/wss_username_token_service_policy:


And make sure we process the WS-Security header:


After deployment we call the service with a request that is missing the WS-Security to test the result.


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <GreetingRequestMessage>
         <in>I say hello ...</in>
      <GreetingRequestMessage>
   </soapenv:Body>
</soapenv:Envelope>

As expected the result is an error because the OWSM policy requires a WS-Security segment in the SOAP-header which contains a username and password:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>BEA-386200: General web service security error</faultstring>
         <detail>
            <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
               <con:errorCode>BEA-386200</con:errorCode>
               <con:reason>General web service security error</con:reason>
               <con:location>
                  <con:path>request-pipeline</con:path>
               </con:location>
            </con:fault>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

So to make sure we can send a UsernameToken we add 2 users to the Weblogic security realm called userA and userB.

The request to the proxy service containing the WS-Security UsernameToken for userA


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>userA</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcomeA1</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <GreetingRequestMessage>
         <in>I say hello ...</in>
      </GreetingRequestMessage>
   </soapenv:Body>
</soapenv:Envelope>

This results in a successfull response from the proxy service:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <GreetingResponseMessage>
         <out>HelloWorld</out>
      </GreetingResponseMessage>
   </soapenv:Body>
</soapenv:Envelope>

So part 1 is complete, we succesfully implemented a proxy service that requires a WS-Security UsernameToken and authenticates these users against the Weblogic security realm. But in our case we have a tight security requirement and need to make sure the user is not only authenticated, but also authorized to access this specific service.

The result from part 1 means this is not the case, both userA and userB would be able to access this service. So let’s start part 2 where we will limit the access to the proxy service to only userB. For this we have to login to the sbconsole, since the OEPE does not allow you to make Message (or Transport) Access Control settings.

  • Login the sbconsole
  • Select Project Explorer
  • Select the the proxy service
  • Go to the Security Tab

  • Click on Message Access Control option (either for the whole service or just a single operation).
  • Click on Add Condition
  • Select User from predicate list
  • Type userB at the User Argument Name
  • Click on Add and Finish
  • Click on Save and Activate to finish the OSB session
Next thing we can call the service again and this time with userB and we still receive a succesfull result.
However if we call the service again with a UsernameToken containing userA we get the following SoapFault:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>BEA-386102: Message-level authorization denied</faultstring>
         <detail>
            <con:fault xmlns:con="http://www.bea.com/wli/sb/context">
               <con:errorCode>BEA-386102</con:errorCode>
               <con:reason>Message-level authorization denied</con:reason>
               <con:location>
                  <con:path>request-pipeline</con:path>
               </con:location>
            </con:fault>
         </detail>
      </soapenv:Fault>
   </soapenv:Body>
</soapenv:Envelope>

Part 2 is completed and we finished with a proxy service that has both Authentication and Authorization enabled.

Remarks:

  • You can also use groups and roles (rather than users) to authorize access to services.
  • If you implement and configure an external LDAP (like Oracle Internet Directory) in Weblogic you can control ACL with groups central in your company LDAP instead of in each Weblogic security realm.
  • The SOAP fault for Message Level Authorization denied (BEA-386102) contains a faultcode value of “Server” which is not correct if you look at the w3c definition. This should be the value “Client” because: “….. the message could lack the proper authentication or payment information. It is generally an indication that the message should not be resent without change”

Update 2011-08-10:
Added 3rd remark regarding the SOAP Fault code

Update 2012-01-13:
Using the OWSM username token policies you get some additional information on runtime in you $inbound variable. See this blogpost for more details.
References:


 
25 Comments

Posted by on 09-08-2011 in OSB, WS-Security

 

Tags: , , ,

Weblogic and OSB various keystore reminders

Default Weblogic DemoIdentity and DemoTrust keystore:

I always forget the default passwords, so a quick reminder:

Location: %WL_HOME%/server/lib
File = DemoIdentity.jks

  • keystore password = DemoIdentityKeyStorePassPhrase
  • key password = DemoIdentityPassPhrase
  • keytool -list -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
    

File = DemoTrust.jks

  • keystore password = DemoTrustKeyStorePassPhrase
  • 	keytool -list -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
    
Generate a new private key:

Go to the security folder in your domain (the SerializedSystemIni.dat is also located here, so you already need to secure this folder):
%DOMAIN_HOME%\security

keytool -genkey -keysize 2048 -keyalg RSA -alias myhostname01 -keystore myhostname01_identity.jks

Generate a Certificate Request:

keytool -certreq -alias myhostname01 -file myhostname01.csr -keystore myhostname01_identity.jks

Send this CSR file to your Certificate Authority

Import signed response:

keytool -importcert -trustcacerts -alias rootCA -file rootCA.cer -keystore myhostname01_identity.jks -storepass mySecretPassword
keytool -importcert -alias chaincert1 -file chaincert1.cer -keystore myhostname01_identity.jks -storepass mySecretPassword
keytool -importcert -alias myhostname01 -file myhostname01.cer -keystore myhostname01_identity.jks -storepass mySecretPassword

import P12 into JKS:

keytool -v -importkeystore -srckeystore somecert.p12 -srcstoretype PKCS12 -destkeystore mytruststore.jks -deststoretype JKS

Configure Eclipse OEPE with custom keystore:

  • Right-click OSB Configuration in Project Explorer
  • Select Oracle Service Bus Configuration
  • Configure the keystore file and the storepassword
  • You can now add a ServiceKeyProvider to your project to act as a SSL-client
 
Leave a comment

Posted by on 04-08-2011 in OSB, Security, Weblogic

 

Tags: , ,

 
Follow

Get every new post delivered to your Inbox.

Join 458 other followers