2 way SSL between SOA and OSB
By Johnny Shum on Sep 24, 2012
If you have a need to use 2 way SSL between SOA composite and external partner links, you can follow these steps.
- Create the identity keystores, trust keystores, and server certificates.
- Setup keystores and SSL on WebLogic
- Setup server to use 2 way SSL
- Configure your SOA composite's partner link to use 2 way SSL
- Configure SOA engine two ways SSL
In this case, I use SOA and OSB for the test. I started with a separate OSB and SOA domains. I deployed two soap based proxies on OSB and two composites on SOA. In SOA, one composite invokes a OSB proxy service, the other is invoked by the OSB. Similarly, in OSB, one proxy invokes a SOA composite and the other is invoked by SOA.
1. Create the identity keystores, trust keystores and the server certificates
Since this is a development environment, I use JDK's keytool to create the stores and use self signing certificate. For production environment, you should use certificates from a trusted certificate authority like Verisign. I created a script below to show what is needed in this step. The only requirement is when creating the SOA identity certificate, you MUST use the alias mykey.
SOA suite uses the JDK's SSL implementation for outbound traffic instead of the WebLogic's implementation. You will need to import the partner's public cert into the trusted keystore used by SOA. The default trusted keystore for SOA is DemoTrust.jks and it is located in $MW_HOME/wlserver_10.3/server/lib. (This is set in the startup script -Djavax.net.ssl.trustStore). If you use your own trusted keystore, then you will need to import it into your own trusted keystore.
|keytool -importcert -alias osbkey -keystore $MW_HOME/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file osbcert.der -keypass $KEYPASS|
If you do not perform this step, you will encounter this exception in runtime when SOA invokes OSB service using 2 way SSL
Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2. Setup keystores and SSL on WebLogic
First, you will need to login to the WebLogic console, navigate to the server's configuration->Keystore's tab. Change the Keystores type to Custom Identity and Custom Trust and enter the rest of the fields.
Then you navigate to the SSL tab, enter the fields in the identity section and expand the Advanced section. Since I am using self signing cert on my VM enviornment, I disabled Hostname verification. In real production system, this should not be the case. I also enabled the option "Use Server Certs", so that the application uses the server cert to initiate https traffic (it is important to enable this in OSB).
Last, you enable SSL listening port in the Server's configuration->General tab.
3. Setup server to use 2 way SSL
If you follow the screen shot in previous step, you can see in the Server->Configuration->SSL->Advanced section, there is an option for Two Way Client Cert Behavior, you should set this to
Client Certs Requested and Enforced.
Repeat step 2 and 3 done on OSB. After all these configurations, you have to restart all the servers.
4. Configure your SOA composite's partner link to use 2 way SSL
You do this by modifying the composite.xml in your project, locate the partner's link reference and add the property oracle.soa.two.way.ssl.enabled.
| <reference name="callosb" ui:wsdlLocation="helloword.wsdl">
In OSB, you should have checked the HTTPS required flag in the proxy's transport configuration. After this, rebuilt the composite jar file and ready to deploy in the EM console later.
5. Configure SOA engine two ways SSL
Oracle SOA Suite uses both Oracle WebLogic Server and Sun Secure Socket Layer (SSL) stacks for two-way SSL configurations.
- For the inbound web service bindings, Oracle SOA Suite uses the
Oracle WebLogic Server infrastructure and, therefore, the Oracle
WebLogic Server libraries for SSL. This is already done by step 2 and 3 in the previous section.
- For the outbound web service bindings, Oracle SOA Suite uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL. You do this by configuring the SOA Engine in the Enterprise Manager Console, select soa-infra->SOA Administration->Common Properties