2 way SSL between SOA and OSB

Posted by Johnny Shum on Oracle Blogs
Published on Mon, 24 Sep 2012 18:24:51 +0000

If you need 2 way SSL between a SOA composite and its external partner links, follow these steps.

  1. Create the identity keystores, trust keystores, and server certificates.
  2. Set up keystores and SSL on WebLogic
  3. Set up the server to use 2 way SSL
  4. Configure your SOA composite's partner link to use 2 way SSL
  5. Configure the SOA engine for two-way SSL

In this case, I use SOA and OSB for the test.  I started with separate OSB and SOA domains.  I deployed two SOAP-based proxies on OSB and two composites on SOA.  In SOA, one composite invokes an OSB proxy service and the other is invoked by OSB.  Similarly, in OSB, one proxy invokes a SOA composite and the other is invoked by SOA.  This exercises 2 way SSL in both directions: each side acts as the TLS server for one call and as the TLS client (presenting its own certificate) for the other.

1. Create the identity keystores, trust keystores and the server certificates

Since this is a development environment, I use the JDK's keytool to create the stores and use self-signed certificates.  In a production environment, you should use certificates from a trusted certificate authority such as Verisign.  The script below shows what is needed in this step.  The one hard requirement is that the SOA identity certificate MUST be stored under the alias mykey; the SOA engine looks up its client certificate by that alias.


# generate identity keystores for soa and osb.  Note: For SOA, you MUST use alias mykey
# STOREPASS and KEYPASS are taken from the environment (export them before running);
# never hard-code them in the script.
set -e
: "${STOREPASS:?STOREPASS is not set}"
: "${KEYPASS:?KEYPASS is not set}"

echo "creating stores"

# SHA-1 signatures (the original -sigalg SHA1withRSA) are rejected by current TLS stacks,
# so use SHA256withRSA with 2048-bit keys.  If hostname verification stays enabled (it should
# in production), CN must be the host name the partner connects to, not "soa"/"osb".
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -dname "CN=soa, C=US" -keystore soa-default-keystore.jks -storepass "$STOREPASS" -keypass "$KEYPASS"

keytool -genkeypair -alias osbkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -dname "CN=osb, C=US" -keystore osb-default-keystore.jks -storepass "$STOREPASS" -keypass "$KEYPASS"

# listing keystore contents (-v shows the fingerprint and signature algorithm)

echo "listing stores contents"

keytool -list -v -alias mykey -keystore soa-default-keystore.jks -storepass "$STOREPASS"
keytool -list -v -alias osbkey -keystore osb-default-keystore.jks -storepass "$STOREPASS"

# exporting certs from stores (public certificate only; the private key never leaves the store)

echo "export certs from stores"

keytool -exportcert -alias mykey -keystore soa-default-keystore.jks -storepass "$STOREPASS" -file soacert.der
keytool -exportcert -alias osbkey -keystore osb-default-keystore.jks -storepass "$STOREPASS" -file osbcert.der

# import each side's cert into the OTHER side's trust store.
# -noprompt skips the interactive "Trust this certificate?" question;
# -keypass is not needed for trusted-certificate entries.

echo "import certs"

keytool -importcert -noprompt -alias osbkey -keystore soa-trust-keystore.jks -storepass "$STOREPASS" -file osbcert.der
keytool -importcert -noprompt -alias mykey -keystore osb-trust-keystore.jks -storepass "$STOREPASS" -file soacert.der

SOA Suite uses the JDK's SSL implementation for outbound traffic rather than WebLogic's, so the WebLogic trust keystore configured in step 2 does not cover outbound calls.  You also need to import the partner's public certificate into the trust store the JVM uses.  By default SOA uses DemoTrust.jks, located in $MW_HOME/wlserver_10.3/server/lib (this is set in the server startup script with -Djavax.net.ssl.trustStore).  If you point -Djavax.net.ssl.trustStore at your own trust store, import the partner's certificate into that store instead.  DemoTrust.jks ships with demo CA certificates and a well-known password, so it should never be the trust store of a production system.

keytool -importcert -noprompt -alias osbkey -keystore $MW_HOME/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file osbcert.der

If you skip this step, SOA fails at runtime with the following exception when it invokes the OSB service over 2 way SSL (the JDK stack cannot build a trust path from the OSB certificate to anything in its trust store):

Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2.  Set up keystores and SSL on WebLogic

First, log in to the WebLogic console and navigate to the server's Configuration->Keystores tab.  Change Keystores to Custom Identity and Custom Trust and fill in the identity and trust keystore file names, types (JKS) and passphrases from step 1.

Then open the SSL tab, fill in the identity section (the private key alias, mykey for SOA, and its passphrase) and expand the Advanced section.  Because I use a self-signed certificate in my VM environment, I disabled hostname verification.  In a production system leave it enabled: without it a client accepts any certificate it trusts regardless of which host presents it.  I also enabled the option "Use Server Certs", so that outbound HTTPS calls made by applications present the server's identity certificate (this is important on OSB, otherwise its outbound calls have no client certificate to offer during the 2 way SSL handshake).

Last, enable the SSL listen port in the server's Configuration->General tab.

3.  Set up the server to use 2 way SSL

In the same Server->Configuration->SSL->Advanced section there is an option Two Way Client Cert Behavior; set it to

Client Certs Requested and Enforced.

With this setting the server requests a client certificate during the handshake and rejects the connection if none is presented or if the certificate does not chain to the trust keystore configured in step 2.  Repeat steps 2 and 3 on the OSB domain.  After all these configurations, restart all the servers.
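The console clicks in steps 2 and 3 can also be scripted with WLST, which makes them repeatable for both the SOA and the OSB domain and records exactly which MBean attributes changed.  The script below is an added example written for this article, not code from the original post or from Oracle; the admin URL, server name, keystore paths, SSL port and the way passwords are collected are placeholders to replace.  It sets the same attributes the console exposes: Custom Identity and Custom Trust keystores, the private key alias, Two Way Client Cert Behavior = Client Certs Requested and Enforced (TwoWaySSLEnabled plus ClientCertificateEnforced), Use Server Certs, and the SSL listen port.  Unlike the VM setup described in the text it leaves hostname verification enabled.

```jython
# Added example (not from the original post): WLST equivalent of steps 2 and 3.
# Run once against the SOA admin server and once against the OSB admin server, e.g.
#   $MW_HOME/wlserver_10.3/common/bin/wlst.sh twoway_ssl.py <admin_password>
# Every value in the block below is an assumption; replace it with your own.
import sys

ADMIN_URL   = 't3://soahost:7001'                       # assumed admin server URL
ADMIN_USER  = 'weblogic'
SERVER_NAME = 'soa_server1'                             # assumed managed server name
IDENTITY_KS = '/u01/keystores/soa-default-keystore.jks' # identity store from step 1
TRUST_KS    = '/u01/keystores/soa-trust-keystore.jks'   # trust store from step 1
KEY_ALIAS   = 'mykey'            # SOA requires this alias; use osbkey for the OSB domain
SSL_PORT    = 8002                                      # assumed SSL listen port
# Passwords come from the command line or a prompt so they are not stored in the script
if len(sys.argv) > 1:
    ADMIN_PASS = sys.argv[1]
else:
    ADMIN_PASS = raw_input('admin password: ')
STORE_PASS = raw_input('keystore password: ')
KEY_PASS   = raw_input('private key password: ')

def configureTwoWaySSL(serverName, identityKs, trustKs, storePass, alias, keyPass, sslPort):
    """Apply the Keystores, SSL and General tab settings of steps 2 and 3 to one server."""
    edit()
    startEdit()
    try:
        server = getMBean('/Servers/' + serverName)
        # Keystores tab: Custom Identity and Custom Trust
        server.setKeyStores('CustomIdentityAndCustomTrust')
        server.setCustomIdentityKeyStoreFileName(identityKs)
        server.setCustomIdentityKeyStoreType('JKS')
        server.setCustomIdentityKeyStorePassPhrase(storePass)
        server.setCustomTrustKeyStoreFileName(trustKs)
        server.setCustomTrustKeyStoreType('JKS')
        server.setCustomTrustKeyStorePassPhrase(storePass)

        ssl = getMBean('/Servers/' + serverName + '/SSL/' + serverName)
        # SSL tab, identity section
        ssl.setServerPrivateKeyAlias(alias)
        ssl.setServerPrivateKeyPassPhrase(keyPass)
        # SSL tab, Advanced: "Client Certs Requested and Enforced" is the combination
        # TwoWaySSLEnabled=true and ClientCertificateEnforced=true
        ssl.setTwoWaySSLEnabled(true)
        ssl.setClientCertificateEnforced(true)
        # Outbound HTTPS from applications presents the server identity cert (needed on OSB)
        ssl.setUseServerCerts(true)
        # Keep hostname verification on; the post only disabled it for a self-signed VM setup
        ssl.setHostnameVerificationIgnored(false)
        # General tab: enable the SSL listen port
        ssl.setListenPort(sslPort)
        ssl.setEnabled(true)

        save()
        activate(block='true')
    except:
        print 'configuration failed, discarding the edit session:', sys.exc_info()[1]
        cancelEdit('y')
        raise

def showTwoWaySSL(serverName):
    """Read the settings back from the config tree to confirm what was applied."""
    serverConfig()
    server = getMBean('/Servers/' + serverName)
    ssl = getMBean('/Servers/' + serverName + '/SSL/' + serverName)
    print 'KeyStores                  :', server.getKeyStores()
    print 'SSL enabled / listen port  :', ssl.isEnabled(), ssl.getListenPort()
    print 'TwoWaySSLEnabled           :', ssl.isTwoWaySSLEnabled()
    print 'ClientCertificateEnforced  :', ssl.isClientCertificateEnforced()
    print 'UseServerCerts             :', ssl.isUseServerCerts()
    print 'HostnameVerificationIgnored:', ssl.isHostnameVerificationIgnored()

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
configureTwoWaySSL(SERVER_NAME, IDENTITY_KS, TRUST_KS, STORE_PASS, KEY_ALIAS, KEY_PASS, SSL_PORT)
showTwoWaySSL(SERVER_NAME)
disconnect()
# Restart the managed server afterwards; keystore and SSL changes are not dynamic.
```

Because the script leaves hostname verification on, the CN=soa / CN=osb certificates from step 1 will fail verification unless CN (or a subject alternative name) matches the host name the partner actually connects to.  Either issue the certificates with the right names or, in a throwaway VM only, change the call to setHostnameVerificationIgnored(true) as the text does.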

4.  Configure your SOA composite's partner link to use 2 way SSL

Edit the composite.xml in your project, locate the partner link's reference and add the property oracle.soa.two.way.ssl.enabled to its binding.ws element.  This tells the outbound binding to present the composite's identity certificate (the mykey entry) during the handshake:

  <reference name="callosb" ui:wsdlLocation="helloword.wsdl">
    <interface.wsdl interface="http://www.examples.com/wsdl/HelloService.wsdl#wsdl.interface(Hello_PortType)"/>
    <binding.ws port="http://www.examples.com/wsdl/HelloService.wsdl#wsdl.endpoint(Hello_Service/Hello_Port)"
                location="helloword.wsdl" soapVersion="1.1">
      <property name="weblogic.wsee.wsat.transaction.flowOption"
                type="xs:string" many="false">WSDLDriven</property>
      <!-- added for 2 way SSL: the outbound call presents the SOA identity certificate -->
      <property name="oracle.soa.two.way.ssl.enabled">true</property>
    </binding.ws>
  </reference>

In OSB, the HTTPS required flag must be checked in the proxy's transport configuration so that the proxy accepts only HTTPS requests.  After this, rebuild the composite jar file; it is deployed through the EM console later.

5.  Configure the SOA engine for two-way SSL

Oracle SOA Suite uses both the Oracle WebLogic Server and the Sun (JDK) Secure Socket Layer (SSL) stacks for two-way SSL configurations:

  • For inbound web service bindings, Oracle SOA Suite uses the Oracle WebLogic Server infrastructure and therefore the WebLogic Server libraries for SSL.  This is already covered by steps 2 and 3 above.
  • For outbound web service bindings, Oracle SOA Suite uses the JRF HttpClient and therefore the Sun JDK libraries for SSL (which is why the JDK trust store had to be populated in step 1).  You configure this on the SOA engine in the Enterprise Manager console: select soa-infra->SOA Administration->Common Properties