In Fusion Middleware 11g/12c, users can easily protect their services with OWSM policies. Many of these are message protection policies, and to invoke such services the client must set up the OPSS keystore service so that OWSM can pick it up. The following is an attempt to automate those steps using the DemoCA certificate shipped with the WLS installation.

The automated script executes the following steps:

1) Generate the client certificate and private key with CertGen:

java utils.CertGen -certfile ClientPublicCertificate -keyfile ClientPrivateKey -keyfilepass internalPassword -cn hostName

2) Create client keystore with client key-certificate pair

java utils.ImportPrivateKey -keystore suppliedLocation -storepass suppliedPassword -certfile ClientPublicCertificate.der -keyfile ClientPrivateKey.der -keyfilepass internalPassword -alias suppliedAlias -keypass suppliedPassword 

3) Now add the root CA to the client keystore

keytool -importcert -file ${rootca.location}/CertGenCA.der -keystore default-keystore.jks -storepass welcome1 -alias wlsdemoca

4) Add the service’s public certificate to the client keystore.

keytool -importcert -file ServerPublicCertificate.der -alias serverkey -keystore default-keystore.jks -storepass welcome1


The latest version of OWSM can expose the service's public certificate directly in the service WSDL through its Service Identity Certificate Extension, so this step is optional depending on your settings.

In older releases, the service's public certificate had to be added to the client keystore; if the recipient alias property (keystore.recipient.alias) on the client was not explicitly set, this certificate had to be added under the alias "orakey".

5) Add entries to the credential store (CWALLET.SSO) so that the keystore and its keys can be accessed:

createCred(map="", key="keystore-csf-key", user="n/a", password="welcome1", desc="keystore access password")
createCred(map="", key="sign-csf-key", user="clientkey", password="welcome1", desc="signing key alias and password")
createCred(map="", key="enc-csf-key", user="clientkey", password="welcome1", desc="encryption key alias and password")

The following Ant build file uses a properties file and a Python (WLST) file; all three should be located in the same folder:

<?xml version="1.0" encoding="US-ASCII" ?>
<!-- The project, path, target, java and exec elements below are assumed: the original
     listing lost them and kept only the property, comment and arg lines. -->
<project name="owsm-client-keystore" default="setup-client-keystore" basedir=".">

  <property file=""/>
  <property name="tmp.folder" value="tmp"/>

  <path id="client.class.path">
    <pathelement path="${certgen.classpath}"/>
    <pathelement path="${java.class.path}"/>
    <pathelement path="${ORACLE_COMMON}/modules/oracle.jrf_11.1.1/jrf-wlstman.jar"/>
  </path>

  <target name="setup-client-keystore">
    <delete dir="${tmp.folder}" failonerror="false"/>
    <mkdir dir="${tmp.folder}"/>
    <delete file="${client.keystore.location}" failonerror="false"/>

    <!-- 1) java utils.CertGen -certfile ClientPublicCertificate -keyfile -->
    <!--    ClientPrivateKey -keyfilepass internalPassword -->
    <java classname="utils.CertGen" fork="true" failonerror="true">
      <classpath refid="client.class.path"/>
      <arg line="-certfile ${tmp.folder}/ClientPublicCertificate
                 -keyfile ${tmp.folder}/ClientPrivateKey
                 -keyfilepass internalPassword -cn ${}"/>
    </java>

    <!-- 2) java utils.ImportPrivateKey -keystore suppliedLocation -->
    <!--    -storepass suppliedPassword -alias suppliedAlias -->
    <!--    -keyfile ClientPrivateKey.der -keyfilepass internalPassword -->
    <!--    -keypass suppliedPassword -certfile ClientPublicCertificate.der -->
    <java classname="utils.ImportPrivateKey" fork="true" failonerror="true">
      <classpath refid="client.class.path"/>
      <arg line="-certfile ${tmp.folder}/ClientPublicCertificate.der
                 -keyfile ${tmp.folder}/ClientPrivateKey.der
                 -keyfilepass internalPassword
                 -keystore ${client.keystore.location}
                 -storepass ${client.keystore.password}
                 -alias ${client.privatekey.alias}
                 -keypass ${client.privatekey.password}"/>
    </java>

    <!-- 3) Add the root CA to the jks - keytool -importcert -storepass welcome1 -->
    <!--    -file ${rootca.location}/CertGenCA.der -keystore default-keystore.jks -->
    <exec executable="keytool" failonerror="true">
      <arg line="-importcert -file ${rootca.location}/CertGenCA.der
                 -keystore ${client.keystore.location}
                 -storepass ${client.keystore.password}
                 -noprompt -trustcacerts -alias wlsdemoca"/>
    </exec>

    <!-- 4) optional: the service's public certificate -->
    <antcall target="import-public-key-from-server"/>
    <!-- 5) credential store entries for the keystore service -->
    <antcall target="create-credentials"/>
    <delete dir="${tmp.folder}" failonerror="false"/>
  </target>

  <!-- Runs only when server.publickey.file is set in the properties file -->
  <target name="import-public-key-from-server" if="server.publickey.file">
    <echo message="Adding server public key to keystore"/>
    <exec executable="keytool" failonerror="true">
      <arg line="-importcert -file ${server.publickey.file}
                 -keystore ${client.keystore.location}
                 -storepass ${client.keystore.password}
                 -noprompt -alias ${server.publickey.alias}"/>
    </exec>
  </target>

  <target name="create-credentials">
    <!-- Assumed: weblogic.WLST runs the python script; the script path is the first
         argument, of which only "./" survived in the original listing -->
    <java classname="weblogic.WLST" fork="true" failonerror="true">
      <classpath refid="client.class.path"/>
      <jvmarg line="-DORACLE_HOME=${WLS_HOME}"/>
      <arg line="./
                 ${wls.username} ${wls.password} ${wls.server}
                 ${keystore-csf-key} ${sign-csf-key} ${enc-csf-key}
                 ${client.keystore.password} ${client.privatekey.alias}"/>
    </java>
  </target>
</project>

Properties file: adapt it to your Fusion Middleware installation directory. Note that this file holds the keystore, private key and WLST admin passwords in plain text, so keep it out of source control.

#Mon Oct 22 03:05:44 PDT 2012
# Property lines were reconstructed from the names the build file references;
# values in angle brackets are placeholders for your environment.

#CN is required, especially when authentication is X.509 based.
#(The CN property line did not survive in the original listing; it is passed to CertGen as -cn.)

#Important : If you change this name, you need to change the entry in jps-config.xml.
#This file needs to be copied to your systemxxx/DefaultDomain/config/fmwconfig
#if running in integrated WLS,
#or copy it to your domain/config/fmwconfig folder.
client.keystore.location=default-keystore.jks
client.keystore.password=welcome1
client.privatekey.alias=clientkey
client.privatekey.password=welcome1

#Change this to your JDeveloper installation,
# e.g. on D:/jdev/6492
# Don't forget to check WLS_HOME if you shift between two releases of JDeveloper.
# ORACLE_HOME=/jdev_ps7/oracle
ORACLE_HOME=<your JDeveloper or Fusion Middleware home>
ORACLE_COMMON=${ORACLE_HOME}/oracle_common

#If you are using a latest MAIN version of JDeveloper, this should be changed to wlserver.
WLS_HOME=${ORACLE_HOME}/wlserver_10.3

#Not required if not using identity from WSDL; leave it commented out to skip step 4.
#server.publickey.file=<path to ServerPublicCertificate.der>

# Provide this information after overriding the keystore.recipient.alias property.
# If you do not want to use the default keystore.recipient.alias then
# change below from orakey to your value.
# Override keystore.recipient.alias in requestContext with this value.
# In case of an ADF WS connection, override this value by editing the data control.
# This key works / is required only when server.publickey.file is provided.
server.publickey.alias=orakey

#WLST values
#Change below to connect to your server instance
wls.server= t3://localhost:7101
wls.username=<admin user>
wls.password=<admin password>

#Do not change the following if csf keys are not overridden on client side.
keystore-csf-key=keystore-csf-key
sign-csf-key=sign-csf-key
enc-csf-key=enc-csf-key

#Used internally.
#No changes required unless there is a change in structure.
certgen.classpath=${WLS_HOME}/server/lib/weblogic.jar
#directory of CertGenCA.der to be imported to $client.keystore.location
#for certificate chaining
rootca.location=${WLS_HOME}/server/lib

# WLST (Jython) script run by the build file; arguments arrive in the order of its arg line.
# Only the createCred/updateCred/listCred calls survived in the original listing; the
# argument handling, connect()/disconnect() and the try/except fallback are assumed.
import sys
wlsUser, wlsPass, wlsServer = sys.argv[1], sys.argv[2], sys.argv[3]
keystoreCSFKey, signCSFKey, encCSFKey = sys.argv[4], sys.argv[5], sys.argv[6]
keystorePass, privateKey = sys.argv[7], sys.argv[8]
# Assumed: the private key password is an optional ninth argument; the post uses the
# same password (welcome1) for keystore and key, so it defaults to the keystore password.
privateKeyPass = len(sys.argv) > 9 and sys.argv[9] or keystorePass
connect(wlsUser, wlsPass, wlsServer)
# createCred raises if the key already exists, so fall back to updateCred.
try:
    createCred(map="", key=keystoreCSFKey, user="n/a",
               password=keystorePass, desc="Keystore key")
except:
    updateCred(map="", key=keystoreCSFKey, user="n/a",
               password=keystorePass, desc="Keystore key")
try:
    createCred(map="", key=signCSFKey, user=privateKey,
               password=privateKeyPass, desc="Signing key alias and password")
except:
    updateCred(map="", key=signCSFKey, user=privateKey,
               password=privateKeyPass, desc="Signing key alias and password")
try:
    createCred(map="", key=encCSFKey, user=privateKey,
               password=privateKeyPass, desc="Encryption key alias and password")
except:
    updateCred(map="", key=encCSFKey, user=privateKey,
               password=privateKeyPass, desc="Encryption key alias and password")
print '----------------------------------'
print 'Listing credential for key:'+encCSFKey
listCred(map="", key=encCSFKey)
print ''
print '----------------------------------'
print 'Listing credential for key:'+signCSFKey
listCred(map="", key=signCSFKey)
print ''
print '----------------------------------'
print 'Listing credential for key:'+keystoreCSFKey
listCred(map="", key=keystoreCSFKey)
disconnect()

If you are also running web services on a different server, you can set up the server keystore following similar steps, or you can use the DemoIdentity keystore available with a default WLS installation. The following steps let you use DemoIdentity.jks on the server side.

1) Copy DemoIdentity.jks to /config/fmwconfig and rename it to default-keystore.jks. Why rename? OWSM reads the keystore through the keystore service defined in jps-config.xml, which lives in the same location. If you want to use a different name, modify the entry in jps-config.xml.

You will need to modify the keystore name in the following entry of jps-config.xml:

      <property name="keystore.type" value="JKS"/>
      <property name="" value=""/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>

2) DemoIdentity.jks contains a private key and its public certificate but not the CA certificate, so import the CA certificate as well:

keytool -importcert -file $WL_HOME/server/lib/CertGenCA.der -keystore default-keystore.jks -storepass DemoIdentityKeyStorePassPhrase

DemoIdentityKeyStorePassPhrase is the password of DemoIdentity.jks.

3) Restart the server.

4) Create entries in the domain wallet (cwallet.sso) as below using WLST commands:

createCred(map="", key="keystore-csf-key", user="n/a", password="DemoIdentityKeyStorePassPhrase", desc="Keystore key.Password will be used to open the keystore")
createCred(map="", key="sign-csf-key", user="demoidentity", password="DemoIdentityPassPhrase",desc="demoidentity is the private key in your keystore")
createCred(map="", key="enc-csf-key", user="demoidentity", password="DemoIdentityPassPhrase",desc="") 

DemoIdentityPassPhrase is the password of the private key in DemoIdentity.jks.
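The keystore service in jps-config.xml, the credential-store entries and the keystore itself must agree before OWSM can sign or decrypt anything, so here is an added consistency check (not part of the original post) that cross-checks all three. The jps-config fragment, credential entries and `keytool -list` output are constructed samples built from the values used in this post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the keystore-service properties the post quotes from jps-config.xml.
JPS_CONFIG = """<serviceInstance name="keystore">
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>"""
# Constructed sample: credential-store entries as the post's createCred calls leave them,
# keyed by CSF key -> (user, password).
CREDS = {
    "keystore-csf-key": ("n/a", "welcome1"),
    "sign-csf-key": ("clientkey", "welcome1"),
    "enc-csf-key": ("clientkey", "welcome1"),
}
# Constructed sample: `keytool -list` output for a client keystore built by steps 1-4.
KEYTOOL_LIST = """Keystore type: JKS
Your keystore contains 3 entries
clientkey, Oct 22, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC (constructed)
wlsdemoca, Oct 22, 2012, trustedCertEntry,
orakey, Oct 22, 2012, trustedCertEntry,
"""
ENTRY_RE = re.compile(r"^([^,]+), .*, (PrivateKeyEntry|trustedCertEntry),")

def parse_keytool_list(text):
    """Map alias -> entry kind; header and fingerprint lines do not match and are skipped."""
    return {m.group(1): m.group(2) for m in map(ENTRY_RE.match, text.splitlines()) if m}

def check_keystore_setup(jps_xml, creds, keytool_output, recipient_alias=None):
    """Return the list of mismatches between jps-config.xml, cwallet.sso and the keystore."""
    props = {p.get("name"): p.get("value") for p in ET.fromstring(jps_xml).iter("property")}
    entries = parse_keytool_list(keytool_output)
    problems = []
    # Every CSF key that jps-config.xml names must exist in the credential store.
    for prop in ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key"):
        if props.get(prop) not in creds:
            problems.append("%s=%r has no credential-store entry" % (prop, props.get(prop)))
    # The sign/enc credentials' user must be a private-key alias in the keystore.
    for prop in ("keystore.sig.csf.key", "keystore.enc.csf.key"):
        user = creds.get(props.get(prop), (None, None))[0]
        if entries.get(user) != "PrivateKeyEntry":
            problems.append("%s user %r is not a PrivateKeyEntry" % (prop, user))
    # The root CA (CertGenCA.der in the post) must be present for certificate chaining.
    if "trustedCertEntry" not in entries.values():
        problems.append("no trusted CA certificate (CertGenCA.der) in the keystore")
    # If the recipient alias is relied on (default orakey), the service's certificate must be there.
    if recipient_alias and entries.get(recipient_alias) != "trustedCertEntry":
        problems.append("recipient alias %r is not a trustedCertEntry" % recipient_alias)
    return problems
```

Run it against the real `keytool -list` output of default-keystore.jks and the output of `listCred` before deploying; an empty list means the three pieces line up.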

5) Export the certificate's public key for clients to use.