In Fusion Middleware 11g/12c you can protect services very easily with OWSM policies. Many of these are message protection policies, and to invoke such a service the client must set up the OPSS keystore service so that OWSM can pick up the right keys and certificates. What follows is an attempt to automate those steps using the DemoCA certificate that ships with the WLS installation.
The automated script executes the following steps:
1) Generate the client certificate and private key (CertGen signs them with the WLS demo CA):
java utils.CertGen -certfile ClientPublicCertificate -keyfile ClientPrivateKey -keyfilepass internalPassword -cn hostName
2) Create client keystore with client key-certificate pair
java utils.ImportPrivateKey -keystore suppliedLocation -storepass suppliedPassword -certfile ClientPublicCertificate.der -keyfile ClientPrivateKey.der -keyfilepass internalPassword -alias suppliedAlias -keypass suppliedPassword
3) Now add the root CA to the client keystore
keytool -importcert -file ${rootca.location}/CertGenCA.der -keystore default-keystore.jks -storepass welcome1 -alias wlsdemoca
4) Add the service’s public certificate to the client keystore.
keytool -importcert -file ServerPublicCertificate.der -alias serverkey -keystore default-keystore.jks -storepass welcome1
Note: the latest version of OWSM can expose the service's public certificate directly in the service WSDL through its Service Identity Certificate Extension, so this step is optional depending on your settings.
In older releases the service's public certificate had to be added to the client keystore; if the recipient alias property (keystore.recipient.alias) on the client was not explicitly set, that certificate had to be added under the alias "orakey".
5) Add entries to the credential store (cwallet.sso) so that OWSM can access the keys and certificates in the keystore:
%MW_HOME%/oracle_common/common/bin/wlst.sh
connect('weblogic','weblogic1','t3://localhost:7101')
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="n/a", password="welcome1", desc="keystore access password")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="clientkey", password="welcome1", desc="signing key alias and password")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="clientkey", password="welcome1", desc="encryption key alias and password")
The following Ant file uses build.properties and a Python (WLST) script; all three should be located in the same folder:
<?xml version="1.0" encoding="US-ASCII" ?>
<!-- The project, target, path, java and exec wrapper elements did not survive the
     extraction of this post; they are restored here in the standard Ant shape and
     the target names are assumed. -->
<project name="owsm-client-keystore" default="setup-client-keystore" basedir=".">
    <property file="build.properties"/>
    <property name="tmp.folder" value="tmp"/>

    <path id="client.class.path">
        <pathelement path="${certgen.classpath}"/>
        <pathelement path="${java.class.path}"/>
        <pathelement path="${ORACLE_COMMON}/modules/oracle.jrf_11.1.1/jrf-wlstman.jar"/>
    </path>

    <target name="setup-client-keystore">
        <delete dir="${tmp.folder}" failonerror="false"/>
        <mkdir dir="${tmp.folder}"/>
        <tstamp/>
        <!-- start from an empty keystore so stale entries do not survive a re-run -->
        <delete file="${client.keystore.location}" failonerror="false"/>

        <!-- 1) java utils.CertGen -certfile ClientPublicCertificate -keyfile -->
        <!-- ClientPrivateKey -keyfilepass internalPassword -->
        <java classname="utils.CertGen" fork="true" failonerror="true">
            <classpath refid="client.class.path"/>
            <arg line="-certfile ${tmp.folder}/ClientPublicCertificate -keyfile ${tmp.folder}/ClientPrivateKey -keyfilepass internalPassword -cn ${client.privatekey.cn.name}"/>
        </java>

        <!-- 2) java utils.ImportPrivateKey -keystore suppliedLocation -->
        <!-- -storepass suppliedPassword -alias suppliedAlias -->
        <!-- -keyfile ClientPrivateKey.der -keyfilepass internalPassword -->
        <!-- -keypass suppliedPassword -certfile ClientPublicCertificate.der -->
        <java classname="utils.ImportPrivateKey" fork="true" failonerror="true">
            <classpath refid="client.class.path"/>
            <arg line="-certfile ${tmp.folder}/ClientPublicCertificate.der -keyfile ${tmp.folder}/ClientPrivateKey.der -keyfilepass internalPassword -keystore ${client.keystore.location} -storepass ${client.keystore.password} -alias ${client.privatekey.alias} -keypass ${client.privatekey.password}"/>
        </java>

        <!-- 3) Add the root CA to jks - keytool -importcert -storepass welcome1 -->
        <!-- -file ${rootca.location}/CertGenCA.der -keystore default-keystore.jks -->
        <exec executable="keytool" failonerror="true">
            <arg line="-importcert -file ${rootca.location}/CertGenCA.der -keystore ${client.keystore.location} -storepass ${client.keystore.password} -noprompt -trustcacerts -alias wlsdemoca"/>
        </exec>

        <!-- 4) Service certificate (optional, see the note above) -->
        <antcall target="import-public-key-from-server"/>
        <delete dir="${tmp.folder}" failonerror="false"/>

        <!-- 5) Credential store entries -->
        <antcall target="create-wsm-credentials"/>
    </target>

    <target name="import-public-key-from-server">
        <echo message="Adding server public key to keystore"/>
        <exec executable="keytool" failonerror="true">
            <!-- -noprompt so the import cannot hang waiting for a "Trust this certificate?" answer -->
            <arg line="-importcert -noprompt -file ${server.publickey.file} -keystore ${client.keystore.location} -storepass ${client.keystore.password} -alias ${server.publickey.alias}"/>
        </exec>
    </target>

    <target name="create-wsm-credentials">
        <!-- runs the WLST script below; weblogic.WLST is the class that java weblogic.WLST script.py invokes -->
        <java classname="weblogic.WLST" fork="true" failonerror="true">
            <classpath refid="client.class.path"/>
            <arg line="./createOrUpdateWsmCred.py ${wls.username} ${wls.password} ${wls.server} ${keystore-csf-key} ${sign-csf-key} ${enc-csf-key} ${client.keystore.password} ${client.privatekey.alias} ${client.privatekey.password}"/>
            <jvmarg line="-DORACLE_HOME=${WLS_HOME} -Dweblogic.wlstHome=${ORACLE_COMMON}/common/wlst:${WLS_HOME}/common/wlst -DCOMMON_COMPONENTS_HOME=${ORACLE_COMMON}/"/>
        </java>
    </target>
</project>
Properties file: build.properties. Adapt it to your Fusion Middleware installation directory.
#Mon Oct 22 03:05:44 PDT 2012
build.owner=Aminur
client.privatekey.alias=clientkey
client.privatekey.password=clientKeypassword
#CN is required, especially when authentication is X.509 based.
client.privatekey.cn.name=weblogic
#Important: if you change this name, you need to change the entry in jps-config.xml.
#This file needs to be copied to your systemxxx/DefaultDomain/config/fmwconfig
#if running in the integrated WLS,
#or copy it to your domain/config/fmwconfig folder.
client.keystore.location=default-keystore.jks
client.keystore.password=PasswordForKeyStore
#Change this to your JDeveloper installation,
# e.g. on D:/jdev/6492
# Don't forget to check WLS_HOME if you switch between two releases of JDeveloper.
# ORACLE_HOME=/jdev_ps7/oracle
ORACLE_HOME=/jdev_main/oracle
#If you are using the latest MAIN version of JDeveloper, this should be changed to wlserver.
#WLS_HOME=${ORACLE_HOME}/wlserver_10.3
WLS_HOME=${ORACLE_HOME}/wlserver
#Not required if not using the identity from the WSDL.
server.publickey.file=/folder-where-server-key-is-located/serverCert.der
# Provide this information after overriding the keystore.recipient.alias property.
# If you do not want to use the default keystore.recipient.alias,
# change the value below from orakey to your value and
# override keystore.recipient.alias in the requestContext with it.
# In case of an ADF WS connection, override this value by editing the data control.
#
# This key works / is required only when server.publickey.file is provided.
server.publickey.alias=orakey
#WLST values
wls.username=weblogic
wls.password=weblogicpassword
#Change the following to connect to your server instance.
wls.server=t3://localhost:7101
#Do not change the following unless the CSF keys are overridden on the client side.
keystore-csf-key=keystore-csf-key
sign-csf-key=sign-csf-key
enc-csf-key=enc-csf-key
#Used internally.
#No changes required unless the installation layout changes.
#Directory of CertGenCA.der, imported into $client.keystore.location
#for certificate chaining.
rootca.location=${WLS_HOME}/server/lib
certgen.classpath=${rootca.location}/weblogic.jar
ORACLE_COMMON=${ORACLE_HOME}/oracle_common
createOrUpdateWsmCred.py
# createOrUpdateWsmCred.py - WLST script (Jython, Python 2 syntax). Arguments, in order:
#   adminUser adminPassword adminUrl keystoreCSFKey signCSFKey encCSFKey keystorePass privateKeyAlias privateKeyPassword
import sys

adminUser = sys.argv[1]
adminPassword = sys.argv[2]
adminUrl = sys.argv[3]
keystoreCSFKey = sys.argv[4]
signCSFKey = sys.argv[5]
encCSFKey = sys.argv[6]
keystorePass = sys.argv[7]
privateKey = sys.argv[8]
privateKeyPasswd = sys.argv[9]

connect(adminUser, adminPassword, adminUrl)

# createCred fails when the key already exists in the map, so fall back to
# updateCred; this makes the script safe to re-run against the same domain.
try:
    createCred(map="oracle.wsm.security", key=keystoreCSFKey, user="n/a", password=keystorePass, desc="Keystore key")
except:
    updateCred(map="oracle.wsm.security", key=keystoreCSFKey, user="n/a", password=keystorePass, desc="Keystore key")

# sign and enc keys carry the private key alias as the user and its password
try:
    createCred(map="oracle.wsm.security", key=signCSFKey, user=privateKey, password=privateKeyPasswd, desc="")
except:
    updateCred(map="oracle.wsm.security", key=signCSFKey, user=privateKey, password=privateKeyPasswd, desc="")

try:
    createCred(map="oracle.wsm.security", key=encCSFKey, user=privateKey, password=privateKeyPasswd, desc="")
except:
    updateCred(map="oracle.wsm.security", key=encCSFKey, user=privateKey, password=privateKeyPasswd, desc="")

# echo the stored entries so the build log shows what ended up in cwallet.sso
print '----------------------------------'
print 'Listing credential for key:' + encCSFKey
listCred(map="oracle.wsm.security", key=encCSFKey)
print ''
print '----------------------------------'
print 'Listing credential for key:' + signCSFKey
listCred(map="oracle.wsm.security", key=signCSFKey)
print ''
print '----------------------------------'
print 'Listing credential for key:' + keystoreCSFKey
listCred(map="oracle.wsm.security", key=keystoreCSFKey)
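Once the Ant build has run, it is worth confirming that default-keystore.jks actually contains what the client policy will look for: the private key under the configured alias with the expected CN, the demo root CA as a self-signed trusted entry that issued the client certificate, and, if you imported it, the service certificate. The following script is an added example and is not part of the original post or of any Oracle tooling: it parses the text that `keytool -list -v` prints and reports anything missing. The sample listing, its DNs and serial numbers are constructed; pass a keystore path and password on the command line to run it against a real store instead.

```python
"""Check the client keystore produced by the steps above (added example)."""
import re
import subprocess
import sys

# Constructed sample of `keytool -list -v` output; the DNs and serials are
# made up and do not come from a real WLS installation.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: clientkey
Creation date: Oct 22, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=weblogic, OU=FOR TESTING ONLY, O=Example Corp, C=US
Issuer: CN=SampleCertGenCA, OU=FOR TESTING ONLY, O=Example Corp, C=US
Serial number: 6f

*******************************************

Alias name: wlsdemoca
Entry type: trustedCertEntry

Owner: CN=SampleCertGenCA, OU=FOR TESTING ONLY, O=Example Corp, C=US
Issuer: CN=SampleCertGenCA, OU=FOR TESTING ONLY, O=Example Corp, C=US

*******************************************

Alias name: orakey
Entry type: trustedCertEntry

Owner: CN=service.example.test, OU=FOR TESTING ONLY, O=Example Corp, C=US
Issuer: CN=SampleCertGenCA, OU=FOR TESTING ONLY, O=Example Corp, C=US
"""


def parse_listing(text):
    """Map alias -> {type, owner, issuer} from `keytool -list -v` output.

    For a PrivateKeyEntry the first Owner/Issuer pair belongs to
    Certificate[1], the end-entity certificate, which is what we check.
    """
    entries = {}
    for chunk in re.split(r"^Alias name:\s*", text, flags=re.M)[1:]:
        alias, _, body = chunk.partition("\n")
        fields = {"type": None, "owner": None, "issuer": None}
        for line in body.splitlines():
            if line.startswith("Entry type:"):
                fields["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Owner:") and fields["owner"] is None:
                fields["owner"] = line.split(":", 1)[1].strip()
            elif line.startswith("Issuer:") and fields["issuer"] is None:
                fields["issuer"] = line.split(":", 1)[1].strip()
        entries[alias.strip()] = fields
    return entries


def cn_of(dn):
    """Return the CN attribute of an X.500 name as keytool prints it."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else None


def check_client_keystore(entries, key_alias="clientkey", ca_alias="wlsdemoca",
                          expected_cn="weblogic", server_alias=None):
    """Return a list of problems; an empty list means the store is wired as expected."""
    problems = []
    key = entries.get(key_alias)
    if key is None:
        problems.append("private key alias %r is missing" % key_alias)
    elif key["type"] != "PrivateKeyEntry":
        problems.append("%r is a %s, expected PrivateKeyEntry" % (key_alias, key["type"]))
    elif cn_of(key["owner"]) != expected_cn:
        problems.append("%r has CN %r, expected %r (client.privatekey.cn.name)"
                        % (key_alias, cn_of(key["owner"]), expected_cn))
    ca = entries.get(ca_alias)
    if ca is None:
        problems.append("root CA alias %r is missing (step 3 not run?)" % ca_alias)
    else:
        if ca["type"] != "trustedCertEntry":
            problems.append("%r is a %s, expected trustedCertEntry" % (ca_alias, ca["type"]))
        if ca["owner"] != ca["issuer"]:
            problems.append("%r is not self-signed; is it really the root CA?" % ca_alias)
        if key is not None and key["issuer"] != ca["owner"]:
            problems.append("%r was not issued by %r, so the chain will not verify"
                            % (key_alias, ca_alias))
    if server_alias:
        srv = entries.get(server_alias)
        if srv is None:
            problems.append("service certificate alias %r is missing" % server_alias)
        elif srv["type"] != "trustedCertEntry":
            problems.append("%r is a %s, expected trustedCertEntry" % (server_alias, srv["type"]))
    return problems


def list_keystore(path, storepass):
    """Run keytool against a real store and return its -list -v output."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    listing = list_keystore(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_LISTING
    found = check_client_keystore(parse_listing(listing), server_alias="orakey")
    for p in found:
        print("PROBLEM:", p)
    print("keystore OK" if not found else "%d problem(s)" % len(found))
```

The alias and CN defaults mirror build.properties above (clientkey, wlsdemoca, weblogic); pass the values from your own properties file if you changed them, and drop `server_alias` when the service identity comes from the WSDL instead of the keystore.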
If your web services run on a different server, you can set up the keystore on the server side by following similar steps, or you can use the DemoIdentity keystore that ships with a default WLS installation. The following steps let you use DemoIdentity.jks on the server side.
1) Copy DemoIdentity.jks to /config/fmwconfig and rename it to default-keystore.jks. Why rename? OWSM reads the keystore through the keystore service defined in jps-config.xml in the same location. If you want to use a different name, modify the entry in jps-config.xml.
You will need to modify the keystore name in the following entry of jps-config.xml:
<!-- The enclosing serviceInstance element is shown for context (standard jps-config.xml layout,
     not quoted in the original entry); the keystore file name is its location attribute -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
2) DemoIdentity.jks contains a private key and its public certificate, but not the CA certificate. Import it:
keytool -importcert -file $WL_HOME/server/lib/CertGenCA.der -keystore default-keystore.jks -storepass DemoIdentityKeyStorePassPhrase
DemoIdentityKeyStorePassPhrase is the password of DemoIdentity.jks
3) Restart the server.
4) Create entries in the domain wallet (cwallet.sso) as below using WLST commands:
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="n/a", password="DemoIdentityKeyStorePassPhrase", desc="Keystore key. Password will be used to open the keystore")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="demoidentity", password="DemoIdentityPassPhrase", desc="demoidentity is the private key in your keystore")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="demoidentity", password="DemoIdentityPassPhrase", desc="")
DemoIdentityPassPhrase is the password of private key in DemoIdentity.jks
5) Export the server's public certificate for clients to use.
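The three pieces configured above have to agree with each other: the CSF key names in jps-config.xml must exist in the oracle.wsm.security map of cwallet.sso, and the user recorded for the sign and enc keys must be a private-key alias that exists in the keystore (demoidentity here, clientkey on the client). A mismatch in any of these is the usual reason a message protection policy fails at runtime. The script below is an added example, not code from the original post or from Oracle; the jps-config fragment, wallet contents and alias table it checks are constructed, and the serviceInstance wrapper around the properties is the standard jps-config.xml shape, assumed since the post quotes only the property elements.

```python
"""Cross-check jps-config.xml, cwallet.sso entries and keystore aliases (added example)."""
import xml.etree.ElementTree as ET

# Constructed jps-config.xml fragment; the real file carries a namespace, which the
# parser below tolerates.
SAMPLE_JPS_CONFIG = """\
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# What the three createCred calls in step 4 put into cwallet.sso (constructed).
SAMPLE_WALLET = {
    "oracle.wsm.security": {
        "keystore-csf-key": {"user": "n/a", "password": "DemoIdentityKeyStorePassPhrase"},
        "sign-csf-key": {"user": "demoidentity", "password": "DemoIdentityPassPhrase"},
        "enc-csf-key": {"user": "demoidentity", "password": "DemoIdentityPassPhrase"},
    }
}

# Aliases in default-keystore.jks after steps 1 and 2 (constructed).
SAMPLE_ALIASES = {"demoidentity": "PrivateKeyEntry", "mykey": "trustedCertEntry"}


def _local(tag):
    """Strip the XML namespace from an element tag, if present."""
    return tag.rsplit("}", 1)[-1]


def keystore_service(xml_text):
    """Return location, type, CSF map and CSF key names of the keystore service instance."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and (
                el.get("name") == "keystore" or el.get("provider") == "keystore.provider"):
            props = {p.get("name"): p.get("value") for p in el if _local(p.tag) == "property"}
            return {
                "location": el.get("location"),
                "type": props.get("keystore.type"),
                "csf_map": props.get("keystore.csf.map"),
                "keys": {role: props.get("keystore.%s.csf.key" % role)
                         for role in ("pass", "sig", "enc")},
            }
    raise ValueError("no keystore serviceInstance in jps-config.xml")


def check_csf_wiring(service, wallet, aliases):
    """Return a list of mismatches between jps-config.xml, the wallet and the keystore."""
    problems = []
    creds = wallet.get(service["csf_map"])
    if creds is None:
        return ["wallet has no credential map %r" % service["csf_map"]]
    for role, key in service["keys"].items():
        if not key:
            problems.append("jps-config.xml does not set keystore.%s.csf.key" % role)
            continue
        entry = creds.get(key)
        if entry is None:
            problems.append("map %s has no key %r (keystore.%s.csf.key)"
                            % (service["csf_map"], key, role))
            continue
        # the sign/enc credential's user field must name a private key in the store
        if role in ("sig", "enc") and aliases.get(entry["user"]) != "PrivateKeyEntry":
            problems.append("%s key %r names alias %r, which is not a PrivateKeyEntry in %s"
                            % (role, key, entry["user"], service["location"]))
    return problems


if __name__ == "__main__":
    svc = keystore_service(SAMPLE_JPS_CONFIG)
    for line in check_csf_wiring(svc, SAMPLE_WALLET, SAMPLE_ALIASES) or ["configuration consistent"]:
        print(line)
```

On a real domain, feed `keystore_service` the contents of config/fmwconfig/jps-config.xml, build the wallet dictionary from the listCred output of the WLST script above, and take the alias table from `keytool -list`; the same check applies unchanged to the client side, where the sign and enc user should be clientkey.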